Dan Lüdtke (m...@danrl.com) on 2016.06.07 19:14:24 +0200:
> Follow-up:
>
> This rule matches outgoing packets to nat64 well-known prefix 64:ff9b::/96:
> pass out quick on $if_wan inet6 from $if_wan:network to 64:ff9b::/96 af-to
> inet from ($if_wan)

af-to does not work on pass out rules.

Why do you want to use it on the gateway itself?

/Benno

> Echo requests do leave $if_wan with translated address family, replies show up
> in tcpdump on $if_wan:
>
> 19:09:54.038392 router > 8.8.8.8: icmp: echo request (DF)
> 19:09:54.051733 8.8.8.8 > router: icmp: echo reply
>
> BUT the echo replies do *not* make it through to the ping6 process. It looks
> like there is no back-translation taking place. Anyone ideas how to debug or
> follow packets on their way through the kernel for this issue?
>
> Cheers,
>
> Dan
>
>
> > On 7 Jun 2016, at 14:48, Dan Lüdtke <m...@danrl.com> wrote:
> >
> > Hi,
> >
> > my setup: [host]--[router]--[internet]
> >
> > [Host] can ping legacy internet hosts via NAT64. Works fine. Corresponding
> > line in pf.conf reads:
> > pass in quick on $if_lan inet6 from $if_lan:network to 64:ff9b::/96 af-to
> > inet from ($if_wan)
> >
> > However, [router] can not ping legacy internet hosts via NAT64. It can, of
> > course, reach legacy internet hosts natively.
> >
> > How to push outgoing traffic addressed to 64:ff9b::/96 through pf's NAT64
> > engine?
> >
> > Cheers,
> >
> > Dan
> >
> >
> >
> > Some outputs FYI:
> >
> > router# route get 64:ff9b::/96
> > route: writing to routing socket: No such process
> >
> >
> > router# ping6 64:ff9b::8.8.8.8
> > PING6 64:ff9b::8.8.8.8 (64:ff9b::808:808): 24 data bytes
> > ^C--- 64:ff9b::8.8.8.8 ping6 statistics ---
> > 3 packets transmitted, 0 packets received, 100.0% packet loss
> --