Benno, all,

The gateway is running unbound with dns64 module enabled. The gateway does use
the resolver for its own resolving of names. I found a better solution by
running two instances of unbound on the gateway. One instance for the client
networks with dns64 module enabled, and one instance for the gateway itself
which validates but does not translate.

Thanks for the clarification regarding pass out rules and af-to.

Dan
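The two-instance layout described above, written out as an unbound configuration. This is an added example, not configuration from the thread; the listen addresses, client prefix and pidfile paths are assumed placeholders, and the option names (`module-config`, `dns64-prefix`, `interface`, `access-control`, `pidfile`) are standard unbound.conf settings.

```conf
# Instance 1: resolver for the client networks behind $if_lan.
# The dns64 module synthesizes AAAA records under the NAT64 well-known
# prefix, so clients send their IPv4-destined traffic to 64:ff9b::/96
# where the "pass in ... af-to" rule translates it.
server:
    interface: 2001:db8:1::1                 # assumed address on $if_lan
    access-control: 2001:db8:1::/64 allow    # assumed client network
    access-control: ::0/0 refuse
    module-config: "dns64 validator iterator"
    dns64-prefix: 64:ff9b::/96
    pidfile: "/var/run/unbound-dns64.pid"    # assumed, separate from instance 2

# Instance 2: resolver for the gateway itself, listening on loopback only.
# It validates DNSSEC but does not load the dns64 module, so the gateway
# receives real A records and reaches legacy hosts natively; af-to is not
# applied to the gateway's own outgoing packets, so synthesized AAAA
# answers would be unusable here.
server:
    interface: ::1
    interface: 127.0.0.1
    access-control: ::1 allow
    access-control: 127.0.0.1 allow
    access-control: ::0/0 refuse
    module-config: "validator iterator"
    pidfile: "/var/run/unbound-local.pid"    # assumed
```

The two `server:` blocks go into two separate configuration files, each started as its own unbound process, with the gateway's /etc/resolv.conf pointing at ::1 and the client networks handed 2001:db8:1::1 (assumed) as their resolver.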


> On 19 Jun 2016, at 22:53, Sebastian Benoit <benoit-li...@fb12.de> wrote:
>
> Dan Lüdtke(m...@danrl.com) on 2016.06.07 19:14:24 +0200:
>> Follow-up:
>>
>> This rule matches outgoing packets to nat64 well-known prefix 64:ff9b::/96:
>> pass out quick on $if_wan inet6 from $if_wan:network to 64:ff9b::/96 af-to
>> inet from ($if_wan)
>
> af-to does not work on pass out rules.
>
> Why do you want to use it on the gateway itself?
>
> /Benno
>
>
>> Echo requests do leave $if_wan with translated address family, replies show up
>> in tcpdump on $if_wan:
>>
>> 19:09:54.038392 router > 8.8.8.8: icmp: echo request (DF)
>> 19:09:54.051733 8.8.8.8 > router: icmp: echo reply
>>
>> BUT the echo replies do *not* make it through to the ping6 process. It looks
>> like there is no back-translation taking place. Any ideas how to debug or
>> follow packets on their way through the kernel for this issue?
>>
>> Cheers,
>>
>> Dan
>>
>>
>>
>>> On 7 Jun 2016, at 14:48, Dan Lüdtke <m...@danrl.com> wrote:
>>>
>>> Hi,
>>>
>>> my setup: [host]--[router]--[internet]
>>>
>>> [Host] can ping legacy internet hosts via NAT64. Works fine. Corresponding
>>> line in pf.conf reads:
>>> pass in  quick on $if_lan inet6 from $if_lan:network to 64:ff9b::/96 af-to
>>> inet from ($if_wan)
>>>
>>> However, [router] cannot ping legacy internet hosts via NAT64. It can, of
>>> course, reach legacy internet hosts natively.
>>>
>>> How to push outgoing traffic addressed to 64:ff9b::/96 through pf's NAT64
>>> engine?
>>>
>>> Cheers,
>>>
>>> Dan
>>>
>>>
>>>
>>> Some outputs FYI:
>>>
>>> router# route get 64:ff9b::/96
>>> route: writing to routing socket: No such process
>>>
>>>
>>> router# ping6 64:ff9b::8.8.8.8
>>> PING6 64:ff9b::8.8.8.8 (64:ff9b::808:808): 24 data bytes
>>> ^C--- 64:ff9b::8.8.8.8 ping6 statistics ---
>>> 3 packets transmitted, 0 packets received, 100.0% packet loss
>>
>