Thanks Stuart. I set the default route on my host and I can see it in
my route table but I'm still not able to send out pings. Is there a
way I can verify that the packets are making it to PF? Does the order
of that command in /etc/pf.conf make a difference?


On Fri, Nov 14, 2014 at 1:25 AM, Stuart Henderson <> wrote:
> On 2014/11/13 21:55, Kamil Jiwa wrote:
>> Hi, I've got an IPv6 network that I'd like to connect to an IPv4
>> network with a NAT64 router. The router has two interfaces with the
>> following configurations:
>>     - em0: internal, IPv6 network
>>         - IPv4 address:
>>         - IPv6 address: fc00::1/64
>>     - em1: external, IPv4 network
>>         - IPv4 address: DHCP
>>         - IPv6 address: none
>> I've enabled IP forwarding:
>>     # sysctl net.inet.ip.forwarding
>>     net.inet.ip.forwarding=1
>>     # sysctl net.inet6.ip6.forwarding
>>     net.inet6.ip6.forwarding=1
>> Here's my /etc/pf.conf _before_ adding any NAT64 rules. Note that it
>> is set up to perform NAT44 and I've verified that part works.
>>     set block-policy return
>>     set loginterface egress
>>     set skip on lo
>>     match out on egress inet from em0:network to any nat-to (egress:0)
>>     block in log
>>     pass out quick
>>     pass in inet proto icmp all icmp-type echoreq
>>     pass in on em0
>> I'd like to translate any requests going to fc00::ffff:0:0/96 into
>> IPv4 requests. An example address is (
>> This gets mapped to fc00::ffff:adc2:2150. I expected the following
>> rule to work:
>>     pass in on em0 inet6 from any to fc00::ffff:0:0/96 af-to inet from (em0)
> These rules are correct, the problem is occurring before packets
> reach PF - you need a valid route table entry otherwise they will
> be rejected earlier in the stack.
> Not fully tested as I have v6 routes on my machines, but something
> like this should be enough:
>         route add -inet6 default ::1 -reject
>> When I try to ping Google (with the address above) address from
>> another host on the internal network I get these errors:
>>     $ ping6 fc00::ffff:adc2:2150
> BTW there is another valid address format which saves a manual
> hex conversion:
>         $ ping6 fc00::ffff:

Reply via email to