Hi, I had trouble with nat64 too, until I changed the default state policy for
the nat64 rule.
pf sets „set state-policy if-bound“ by default, so I use for the nat64 rule:

pass in log quick on $int_if inet6 from any to 64:ff9b::/96 af-to inet from $ext_if modulate state (floating)

maybe this is a useful hint.
> On 14.11.2014 at 10:25, Stuart Henderson <st...@openbsd.org> wrote:
> 
> On 2014/11/13 21:55, Kamil Jiwa wrote:
>> Hi, I've got an IPv6 network that I'd like to connect to an IPv4
>> network with a NAT64 router. The router has two interfaces with the
>> following configurations:
>> 
>>    - em0: internal, IPv6 network
>>        - IPv4 address: 10.0.66.1/24
>>        - IPv6 address: fc00::1/64
>> 
>>    - em1: external, IPv4 network
>>        - IPv4 address: DHCP
>>        - IPv6 address: none
>> 
>> I've enabled IP forwarding:
>> 
>>    # sysctl net.inet.ip.forwarding
>>    net.inet.ip.forwarding=1
>>    # sysctl net.inet6.ip6.forwarding
>>    net.inet6.ip6.forwarding=1
>> 
>> Here's my /etc/pf.conf _before_ adding any NAT64 rules. Note that it
>> is set up to perform NAT44 and I've verified that part works.
>> 
>>    set block-policy return
>>    set loginterface egress
>>    set skip on lo
>>    match out on egress inet from em0:network to any nat-to (egress:0)
>>    block in log
>>    pass out quick
>>    pass in inet proto icmp all icmp-type echoreq
>>    pass in on em0
>> 
>> I'd like to translate any requests going to fc00::ffff:0:0/96 into
>> IPv4 requests. An example address is 173.194.33.80 (www.google.com).
>> This gets mapped to fc00::ffff:adc2:2150. I expected the following
>> rule to work:
>> 
>>    pass in on em0 inet6 from any to fc00::ffff:0:0/96 af-to inet from (em0)
> 
> These rules are correct, the problem is occurring before packets
> reach PF - you need a valid route table entry otherwise they will
> be rejected earlier in the stack.
> 
> Not fully tested as I have v6 routes on my machines, but something
> like this should be enough:
> 
>       route add -inet6 default ::1 -reject
> 
>> When I try to ping Google (with the address above) address from
>> another host on the internal network I get these errors:
>> 
>>    $ ping6 fc00::ffff:adc2:2150
> 
> BTW there is another valid address format which saves a manual
> hex conversion:
> 
>       $ ping6 fc00::ffff:173.194.33.80
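The thread maps an IPv4 address into the low 32 bits of a /96 NAT64 prefix by hand (173.194.33.80 becomes adc2:2150). The following POSIX sh function does that conversion for any prefix and validates the dotted quad first; it is an added example, not code from the thread or from OpenBSD, and the function name `nat64_map` and the sample prefixes (64:ff9b:: from the first reply, fc00::ffff: from Kamil's setup) are this example's own choices:

```shell
#!/bin/sh
# nat64_map PREFIX IPV4
# Embed IPV4 in the last 32 bits of a /96 NAT64 prefix and print the
# resulting IPv6 address. PREFIX is written with its trailing separator,
# e.g. "64:ff9b::" (RFC 6052 well-known prefix) or "fc00::ffff:".
# Hypothetical helper written for this example, not part of pf or OpenBSD.
nat64_map() {
    prefix=$1
    ipv4=$2

    # Split the dotted quad on "." into the positional parameters.
    oldifs=$IFS
    IFS=.
    set -- $ipv4
    IFS=$oldifs

    if [ $# -ne 4 ]; then
        echo "nat64_map: expected four octets in '$ipv4'" >&2
        return 1
    fi

    # Each octet must be a plain decimal 0-255; reject empty, non-digit
    # and leading-zero forms (leading zeros would be read as octal below).
    for o in "$1" "$2" "$3" "$4"; do
        case $o in
            ''|*[!0-9]*|0[0-9]*)
                echo "nat64_map: bad octet '$o' in '$ipv4'" >&2
                return 1 ;;
        esac
        if [ "$o" -gt 255 ]; then
            echo "nat64_map: octet '$o' out of range in '$ipv4'" >&2
            return 1
        fi
    done

    # The 32 bits become two 16-bit groups: (o1<<8|o2) and (o3<<8|o4).
    hi=$(printf '%x' $(( $1 * 256 + $2 )))
    lo=$(printf '%x' $(( $3 * 256 + $4 )))
    printf '%s%s:%s\n' "$prefix" "$hi" "$lo"
}

# Demonstration on the addresses from the thread (constructed sample input).
nat64_map 64:ff9b::    173.194.33.80   # 64:ff9b::adc2:2150
nat64_map fc00::ffff:  173.194.33.80   # fc00::ffff:adc2:2150
```

The output is what `ping6` expects on the IPv6 side; the pf `af-to` rule and the `route add -inet6 default ::1 -reject` entry from the reply above are still what makes the router actually translate and forward it.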
