Re: NAT64 troubleshooting

2014-11-14 Thread Stuart Henderson
On 2014/11/13 21:55, Kamil Jiwa wrote:
> Hi, I've got an IPv6 network that I'd like to connect to an IPv4
> network with a NAT64 router. The router has two interfaces with the
> following configurations:
> 
> - em0: internal, IPv6 network
>   - IPv4 address: 10.0.66.1/24
>   - IPv6 address: fc00::1/64
> 
> - em1: external, IPv4 network
>   - IPv4 address: DHCP
>   - IPv6 address: none
> 
> I've enabled IP forwarding:
> 
> # sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding=1
> # sysctl net.inet6.ip6.forwarding
> net.inet6.ip6.forwarding=1
> 
> Here's my /etc/pf.conf _before_ adding any NAT64 rules. Note that it
> is set up to perform NAT44 and I've verified that part works.
> 
> set block-policy return
> set loginterface egress
> set skip on lo
> match out on egress inet from em0:network to any nat-to (egress:0)
> block in log
> pass out quick
> pass in inet proto icmp all icmp-type echoreq
> pass in on em0
> 
> I'd like to translate any requests going to fc00:::0:0/96 into
> IPv4 requests. An example address is 173.194.33.80 (www.google.com).
> This gets mapped to fc00:::adc2:2150. I expected the following
> rule to work:
> 
> pass in on em0 inet6 from any to fc00:::0:0/96 af-to inet from (em0)

These rules are correct; the problem is occurring before packets
reach PF - you need a valid route table entry, otherwise they will
be rejected earlier in the stack.

Not fully tested as I have v6 routes on my machines, but something
like this should be enough:

route add -inet6 default ::1 -reject

> When I try to ping Google (at the address above) from
> another host on the internal network I get these errors:
> 
> $ ping6 fc00:::adc2:2150

BTW there is another valid address format which saves a manual
hex conversion:

$ ping6 fc00:::173.194.33.80
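The two spellings Stuart compares are the same address: a /96 NAT64 prefix carries the IPv4 address in the low 32 bits, so the hex suffix is just the dotted quad rewritten. The following script is an added example, not code from the thread; because the poster's prefix is garbled in the archive, it uses the well-known NAT64 prefix 64:ff9b::/96 from RFC 6052 as a stand-in.

```python
import ipaddress

# Constructed stand-in for the poster's prefix (garbled as "fc00:::0:0/96"
# in the archive): the RFC 6052 well-known NAT64 prefix.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def embed_ipv4(ipv4, prefix=NAT64_PREFIX):
    """Return the IPv6 address a /96 NAT64 prefix maps ipv4 to.

    The IPv4 address occupies the low 32 bits, which is why
    173.194.33.80 shows up as the hex suffix adc2:2150.
    """
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6, prefix=NAT64_PREFIX):
    """Recover the embedded IPv4 address, or None when ipv6 lies outside
    the prefix (such a destination would never match an af-to rule
    written for that prefix)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def same_address(hex_form, dotted_form):
    """True when the hex spelling and the dotted-quad spelling
    (e.g. 64:ff9b::adc2:2150 vs 64:ff9b::173.194.33.80) parse to one address."""
    return ipaddress.IPv6Address(hex_form) == ipaddress.IPv6Address(dotted_form)


if __name__ == "__main__":
    v6 = embed_ipv4("173.194.33.80")
    print(v6)                                # 64:ff9b::adc2:2150
    print(extract_ipv4(v6))                  # 173.194.33.80
    print(same_address("64:ff9b::adc2:2150",
                       "64:ff9b::173.194.33.80"))  # True
    print(extract_ipv4("fc00::1"))           # None: not inside the NAT64 prefix
```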


Re: NAT64 troubleshooting

2014-11-14 Thread Kamil Jiwa
Thanks Stuart. I set the default route on my host and I can see it in
my route table but I'm still not able to send out pings. Is there a
way I can verify that the packets are making it to PF? Does the order
of that command in /etc/pf.conf make a difference?

Kamil

On Fri, Nov 14, 2014 at 1:25 AM, Stuart Henderson st...@openbsd.org wrote: