Hi all,
I've been trying for a few days to get my IPv6 tunnel to work from my
LAN. I've got a sixxs.net tunnel with a /48 assigned for my LAN. I can
connect from the router to IRC networks over IPv6, but I'm unable to run
traffic out via gif0 for anything originating from the LAN. I can
also connect to the router over IPv6 for SSH stuff, for example. I'm
completely out of ideas on what to do to get this to work; I hope someone
will have a suggestion. Here's my pf.conf (I'm running OpenBSD 4.8 with
a GENERIC kernel, patched to the latest release):

ext_if="bge0"
ipv6_if="gif0"
ipv6_ip="2001:1620:f00:56::2"
ipv6_gw="2001:1620:f00:56::1"
ipv6_lan="2001:1620:f2e1::/64"
ipv6_lan2="2001:1620:f2e3::/64"
int_if="dc0"
vpn1_if="tun1"
vpn2_if="tun2"
vpn3_if="tun3"
tcp_services="{ 179, 2027:2037, 5002, 7777, 8296, 46411 }"
udp_services="{ 1194, 5003, 5501, 7777, 30000, 46411 }"
icmp_types="echoreq"
ssh_ports="{ ssh , 1194 }"
im_ports="{ icq, msn, ircd, ircd-ssl }"
table <ssh-violations> persist file "/etc/ssh-violations"
table <spamd-white> persist
set block-policy drop
set loginterface $ipv6_if
set skip on lo
set state-policy if-bound
match out on $ext_if inet from !($ext_if) nat-to ($ext_if)
match in on $int_if proto tcp to ($int_if) port ftp rdr-to 127.0.0.1 port 8021
match in on $int_if proto tcp to ($int_if) port http rdr-to 127.0.0.1 port 3128
match in on $ext_if proto tcp to ($ext_if) port smtp rdr-to 127.0.0.1 port spamd
block in log
pass out keep state
block drop in log on $ext_if from <ssh-violations> to any
block drop in log on $ipv6_if from <ssh-violations> to any
#try ipv6 routing
pass quick on $ipv6_if proto {ipencap, ipv6}
pass quick on $ext_if proto {ipencap, ipv6}
pass quick on $ext_if inet6
pass quick on $ipv6_if inet6
pass in on $ext_if proto udp from any to any port 1194
pass in inet proto icmp all icmp-type $icmp_types keep state
pass proto 41 from any to any keep state
pass quick on $int_if no state
pass quick on $vpn1_if no state
pass quick on $vpn2_if no state
pass quick on $vpn3_if no state
#pass quick on $vpn_if inet proto gre any
pass quick from 224/7 to any keep state

Cheers,
Noth