On 2014/11/13 21:55, Kamil Jiwa wrote:
> Hi, I've got an IPv6 network that I'd like to connect to an IPv4
> network with a NAT64 router. The router has two interfaces with the
> following configurations:
>     - em0: internal, IPv6 network
>         - IPv4 address:
>         - IPv6 address: fc00::1/64
>     - em1: external, IPv4 network
>         - IPv4 address: DHCP
>         - IPv6 address: none
> I've enabled IP forwarding:
>     # sysctl net.inet.ip.forwarding
>     net.inet.ip.forwarding=1
>     # sysctl net.inet6.ip6.forwarding
>     net.inet6.ip6.forwarding=1
> Here's my /etc/pf.conf _before_ adding any NAT64 rules. Note that it
> is set up to perform NAT44 and I've verified that part works.
>     set block-policy return
>     set loginterface egress
>     set skip on lo
>     match out on egress inet from em0:network to any nat-to (egress:0)
>     block in log
>     pass out quick
>     pass in inet proto icmp all icmp-type echoreq
>     pass in on em0
> I'd like to translate any requests going to fc00::ffff:0:0/96 into
> IPv4 requests. An example address is (www.google.com).
> This gets mapped to fc00::ffff:adc2:2150. I expected the following
> rule to work:
>     pass in on em0 inet6 from any to fc00::ffff:0:0/96 af-to inet from (em0)

These rules are correct, the problem is occurring before packets
reach PF - you need a valid route table entry otherwise they will
be rejected earlier in the stack.

Not fully tested as I have v6 routes on my machines, but something
like this should be enough:

        route add -inet6 default ::1 -reject

> When I try to ping Google (with the address above) address from
> another host on the internal network I get these errors:
>     $ ping6 fc00::ffff:adc2:2150

BTW there is another valid address format which saves a manual
hex conversion:

        $ ping6 fc00::ffff:

Reply via email to