Follow-up:

This rule matches outgoing packets to the NAT64 well-known prefix 64:ff9b::/96:

    pass out quick on $if_wan inet6 from $if_wan:network to 64:ff9b::/96 af-to inet from ($if_wan)

Echo requests do leave $if_wan with translated address family, and replies show up in tcpdump on $if_wan:

    19:09:54.038392 router > 8.8.8.8: icmp: echo request (DF)
    19:09:54.051733 8.8.8.8 > router: icmp: echo reply

BUT the echo replies do *not* make it through to the ping6 process. It looks like there is no back-translation taking place.

Does anyone have ideas how to debug or follow packets on their way through the kernel for this issue?

Cheers,

Dan

> On 7 Jun 2016, at 14:48, Dan Lüdtke <m...@danrl.com> wrote:
>
> Hi,
>
> my setup: [host]--[router]--[internet]
>
> [Host] can ping legacy internet hosts via NAT64. Works fine. Corresponding
> line in pf.conf reads:
> pass in quick on $if_lan inet6 from $if_lan:network to 64:ff9b::/96 af-to inet from ($if_wan)
>
> However, [router] cannot ping legacy internet hosts via NAT64. It can, of
> course, reach legacy internet hosts natively.
>
> How to push outgoing traffic addressed to 64:ff9b::/96 through pf's NAT64
> engine?
>
> Cheers,
>
> Dan
>
>
>
> Some outputs FYI:
>
> router# route get 64:ff9b::/96
> route: writing to routing socket: No such process
>
>
> router# ping6 64:ff9b::8.8.8.8
> PING6 64:ff9b::8.8.8.8 (64:ff9b::808:808): 24 data bytes
> ^C--- 64:ff9b::8.8.8.8 ping6 statistics ---
> 3 packets transmitted, 0 packets received, 100.0% packet loss