On 2014/03/12 22:15, Stéphane Guedon wrote:
> On Wednesday 12 March 2014 21:10:01, you wrote:
> > On 2014/03/12 22:03, Stéphane Guedon wrote:
> > > Hello !
> > >
> > > I am trying to setup a nat64 using my openbsd server as router.
> > >
> > > This server has one physical network card (re0).
> > > I connect it to native ipv6 world with a sixxs tunnel, and my local
> > > network get ipv6 connectivity. So, no problem concerning that.
> > >
> > > I would like to finish the damn thing (like said previously) by
> > > furnishing a nat64 on this system. I tried to find the good pf
> > > rule, but can't understand how to build it.
> > >
> > > here is what I would like to write (or close) :
> > >
> > > pass in on re0 inet6 from any to 64:ff9b::/96 af-to inet from (re0)
> >
> > I have pretty much the same, the only difference is that I use a
> > fixed address rather than (re0), but I don't *think* that matters
> > here.
> >
> > Do you have v4 and v6 forwarding sysctl's enabled?
>
> v6, sure, cause I need it to use the server as a router on his current
> status (tunnelling to native ipv6 world). For example, I reach
> facebook and google on ipv6 now using that way (without thinking of it
> really).
>
> v4... it seems.
>
> here is sysctl result :
>
> # sysctl|grep forw
> net.inet.ip.forwarding=1
> net.inet.ip.mforwarding=0
> net.inet6.ip6.forwarding=1
> net.inet6.ip6.mforwarding=0
>
> >
> > You'll probably want DNS64 to go with that, the one that is part of
> > newer versions of BIND (in ports) works fine.
>
> Yes I know ! It works perfectly fine ! The nat 64 part is the one that
> don't for now.

I suggest general PF rule debugging then, make sure that the rule is hit
(check it with "log" or "match log (matches)" and watch
tcpdump -nettipflog0, etc) and that it isn't hidden by another rule or
"set skip", etc.

$ ftp -V -o- http://[2001:8b0:648e:6464::129.128.5.194]/|grep Exp
$OpenBSD: index.html,v 1.302 2014/02/28 02:20:54 nick Exp $

Note that traceroute6 will look a bit odd:

$ traceroute6 2001:8b0:648e:6464::129.128.5.194
traceroute6 to 2001:8b0:648e:6464::129.128.5.194 (2001:8b0:648e:6464::8180:5c2) from 2001:8b0:648e:cc01:f2de:f1ff:fef9:a752, 64 hops max, 12 byte packets
 1  2001:8b0:648e:6464::8180:5c2  15.21 ms  33.176 ms  17.477 ms
 2  2001:8b0:648e:6464::8180:5c2  13.95 ms  14.503 ms  14.726 ms
 3  2001:8b0:648e:6464::8180:5c2  14.491 ms  14.187 ms  15.787 ms
 4  2001:8b0:648e:6464::8180:5c2  17.888 ms  19.384 ms  20.193 ms
 5  2001:8b0:648e:6464::8180:5c2  125.817 ms  125.296 ms  126.097 ms
 6  2001:8b0:648e:6464::8180:5c2  149.012 ms  143.149 ms  143.907 ms
 7  2001:8b0:648e:6464::8180:5c2  143.28 ms  143.636 ms  143.629 ms
 8  2001:8b0:648e:6464::8180:5c2  144.288 ms  143.456 ms  143.483 ms
 9  2001:8b0:648e:6464::8180:5c2  144.488 ms  143.657 ms  144.682 ms
10  2001:8b0:648e:6464::8180:5c2  144.796 ms  143.947 ms  150.969 ms
11  2001:8b0:648e:6464::8180:5c2  144.345 ms  144.027 ms  144.346 ms

Also in case you missed it, since this is a "pass in" rule for inbound
traffic coming in on a network interface, if you're testing from the
af-to router itself that won't hit the rule.
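
Added example, not part of the original mail or of OpenBSD: the RFC 6052 address embedding behind the traceroute6 output above, usable to check that an address handed out by DNS64 actually falls inside the prefix the pf af-to rule matches. The helper names synthesize and extract are hypothetical, and the code goes beyond the /96 case in the thread to cover the other RFC 6052 prefix lengths.

```python
import ipaddress

# RFC 6052 section 2.2: permitted NAT64 prefix lengths.
ALLOWED_LENGTHS = (32, 40, 48, 56, 64, 96)


def _network(prefix):
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in ALLOWED_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    return net


def synthesize(prefix, v4):
    """Embed an IPv4 address in a NAT64 prefix, as DNS64 does for AAAA answers."""
    net = _network(prefix)
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(v4).packed:
        if pos == 8:        # bits 64-71 are reserved and stay zero
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def extract(prefix, v6):
    """Return the embedded IPv4 address, or None if v6 is outside the prefix
    (in which case a pf rule written 'to <prefix>' never sees the packet)."""
    net = _network(prefix)
    addr = ipaddress.IPv6Address(v6)
    if addr not in net:
        return None
    raw, pos, v4 = addr.packed, net.prefixlen // 8, bytearray()
    while len(v4) < 4:
        if pos == 8:        # skip the reserved octet
            pos += 1
        v4.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(v4))


if __name__ == "__main__":
    # Addresses taken from the traceroute6 output in the mail above.
    print(synthesize("2001:8b0:648e:6464::/96", "129.128.5.194"))
    print(extract("2001:8b0:648e:6464::/96", "2001:8b0:648e:6464::8180:5c2"))
    # Same destination checked against the prefix in the original poster's rule.
    print(extract("64:ff9b::/96", "2001:8b0:648e:6464::8180:5c2"))
```

If extract returns None for the addresses your DNS64 hands out, the DNS64 prefix and the prefix in the pf rule do not agree.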
