Arrite, fellow OpenBSDers, here’s the skinny: I have native IPv6 from Comcast (one of the few good things about Comcast, but I digress). I was assigned a /56 block as you will see below.
I have a three-legged firewall running OpenBSD 6.1. I have static IPv4 and IPv6 addresses configured on the external interface (fxp0) and on both internal interfaces: sis0 (my internal network) and sis1 (an interface that is connected to my cheap Netgear wifi router and from which traffic to the internal network is blocked. I'm paranoid and I don't trust Netgear's implementation of anything. Deal.) The supplied IPv6 default gateway is configured in /etc/mygate. I can ping IPv6 addresses from the firewall, but not from my Mac Mini, which is behind the firewall on sis0 - not for love or money. The only way I have been able to get it to work briefly was when I did not have any IPv6 rules configured in /etc/pf.conf and it NATted traffic through the external IPv6 address on fxp0. This isn't how IPv6 is supposed to work, though, as each IPv6 device is supposed to use its own global unicast address, so pf should forward this traffic as such, amirite?

Some output:

[Thu Jun 29 15:19:26] j...@firewall.hylkema.org:~ $ sudo cat /etc/sysctl.conf
Password:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

[Thu Jun 29 15:42:17] j...@firewall.hylkema.org:~ $ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 6 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet 127.0.0.1 netmask 0xff000000
sis0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:02:e3:1f:05:a6
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::202:e3ff:fe1f:5a6%sis0 prefixlen 64 scopeid 0x2
        inet6 2603:x:x:3e01::1 prefixlen 64
        inet 10.1.0.1 netmask 0xffffff00 broadcast 10.1.0.255
sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:02:e3:05:60:66
        index 3 priority 0 llprio 3
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::202:e3ff:fe05:6066%sis1 prefixlen 64 scopeid 0x3
        inet6 2603:x:x:3e02::1 prefixlen 64
        inet 172.20.0.1 netmask 0xffffff00 broadcast 172.20.0.255
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:11:5d:a1:56
        index 4 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::211:11ff:fe5d:a156%fxp0 prefixlen 64 scopeid 0x4
        inet6 2603:x:x:3e00::1 prefixlen 64
        inet 96.x.x.x netmask 0xfffffffc broadcast 96.93.109.111
enc0: flags=0<>
        index 5 priority 0 llprio 3
        groups: enc
        status: active
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d0:1f:41
        index 7 priority 0 llprio 3
        groups: tap
        status: active
bridge0: flags=41<UP,RUNNING>
        index 8 llprio 3
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        sis0 flags=3<LEARNING,DISCOVER>
                port 2 ifpriority 0 ifcost 0
        tap0 flags=3<LEARNING,DISCOVER>
                port 7 ifpriority 0 ifcost 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33188
        index 9 priority 0 llprio 3
        groups: pflog

[Thu Jun 29 15:44:01] j...@firewall.hylkema.org:~ $ sudo cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="fxp0"
int_if="sis0"
wifi_if="sis1"
bt_ports="x"
icmp6_types="{ 2, 128 }" # packet too big, echo request (ping6)
icmp6_types_ext_if="{ 128, 133, 134, 135, 136, 137 }"

set skip on {lo, tap0}

match all scrub (no-df random-id)
match out on egress inet nat-to egress

table <spamhaus_drop> persist
table <fullbogons-ipv4> persist
table <fullbogons-ipv6> persist

block log
block in log on $ext_if from {<spamhaus_drop>, <fullbogons-ipv4>, <fullbogons-ipv6>}
block out log on $ext_if to {<spamhaus_drop>, <fullbogons-ipv4>, <fullbogons-ipv6>}
block log quick on $wifi_if to $int_if:network

pass inet6 proto ipv6-icmp from any to { ($ext_if ), ff02::1/16 } keep state
pass inet6 proto ipv6-icmp keep state
pass in on $ext_if proto {tcp,udp} to port $bt_ports keep state rdr-to 10.1.0.10 port $bt_ports
pass proto udp to port 1194 keep state
pass on {$int_if, $wifi_if} keep state
pass on egress keep state

[Thu Jun 29 15:46:17] j...@firewall.hylkema.org:~ $ sudo cat /etc/mygate
96.x.x.x
2603:x:x:3e00:f44b:2aff:fe70:877e

[Thu Jun 29 15:47:32] j...@firewall.hylkema.org:~ $ sudo cat /etc/rtadvd.conf
sis0:\
        :addr="2603:x:x:3e01::":\
        :prefixlen#64:\
        :raflags#64:\
        :rdnss="2001:558:feed::1,2001:558:feed::2":
sis1:\
        :addr="2603:x:x:3e02::":\
        :prefixlen#64:\
        :raflags#64:\
        :rdnss="2001:558:feed::1,2001:558:feed::2":

[Thu Jun 29 15:48:02] j...@firewall.hylkema.org:~ $ ping6 google.ca
PING google.ca (2607:f8b0:400a:807::2003): 56 data bytes
64 bytes from 2607:f8b0:400a:807::2003: icmp_seq=0 hlim=54 time=39.239 ms
64 bytes from 2607:f8b0:400a:807::2003: icmp_seq=1 hlim=54 time=27.031 ms
64 bytes from 2607:f8b0:400a:807::2003: icmp_seq=2 hlim=54 time=27.114 ms
64 bytes from 2607:f8b0:400a:807::2003: icmp_seq=3 hlim=54 time=36.269 ms
64 bytes from 2607:f8b0:400a:807::2003: icmp_seq=4 hlim=54 time=27.490 ms
^C
--- google.ca ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 27.031/31.429/39.239/5.252 ms

Any help would be greatly appreciated. I am absolutely at my wit's end. Thank you.

-- 
"Far better it is to dare mighty things, to win glorious triumphs, even though checkered by failure, than to take rank with those poor spirits who neither enjoy much nor suffer much, because they live in the gray twilight that knows neither victory nor defeat." -- Theodore Roosevelt, "The Strenuous Life."
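The post's own ruleset passes every ICMPv6 message in both directions and relies on one catch-all "pass on" rule per interface, so it is hard to see from pflog which packet, if any, pf is rejecting. The ruleset below is an added example, written for this page and not taken from the poster or from OpenBSD, of how a three-legged OpenBSD router is usually configured for native IPv6 without NAT: address translation is restricted to inet, the two internal /64s are routed as-is, only the ICMPv6 types a router actually needs (neighbour and router discovery, error messages, echo) are passed, and each internal segment may only source traffic from its own prefix. The interface names and the 2603:x:x:3e0N::/64 placeholders are the post's; the macro names and the decision to drop the port redirect and OpenVPN rules are assumptions made to keep the example short. It is not a diagnosis of the poster's problem. (The post's `ff02::1/16` is presumably meant as the multicast range `ff02::/16`; the example does not need it, because neighbour discovery is matched by ICMPv6 type instead of by destination.)

```pf
# Added example pf.conf for a three-legged OpenBSD router doing native IPv6.
# Interface names and the 2603:x:x:3e0N::/64 placeholders follow the post;
# everything else here is an assumption made for illustration.
ext_if="fxp0"
int_if="sis0"
wifi_if="sis1"

# Per-segment /64s carved from the delegated /56 (placeholders from the post)
int_net6="2603:x:x:3e01::/64"
wifi_net6="2603:x:x:3e02::/64"

# ICMPv6 a router must pass for neighbour/router discovery and for PMTUD
# and error reporting (RFC 4890, section 4.3). Redirects are deliberately
# not included: a transit router has no reason to forward them.
icmp6_nd="{ routersol, routeradv, neighbrsol, neighbradv }"
icmp6_err="{ unreach, toobig, timex, paramprob }"

set skip on { lo, tap0 }

match all scrub (no-df random-id)

# Translation is IPv4 only. IPv6 is routed; every host keeps its own
# global unicast address and the /64s are reachable end to end.
match out on egress inet nat-to (egress)

# Default deny, logged to pflog0 so a blocked packet can be seen with tcpdump
block log

# Neighbour discovery is link-local and needed on every interface, including
# the RAs that rtadvd sends out of sis0/sis1 and the NS/NA the hosts answer with.
pass quick inet6 proto icmp6 all icmp6-type $icmp6_nd
# Error messages and echo may be forwarded between any two interfaces
pass inet6 proto icmp6 all icmp6-type $icmp6_err
pass inet6 proto icmp6 all icmp6-type { echoreq, echorep }

# The wifi segment may not reach the wired LAN, for either address family.
# These are quick so no later pass rule can override them.
block log quick on $wifi_if inet from $wifi_if:network to $int_if:network
block log quick on $wifi_if inet6 from $wifi_net6 to $int_net6

# Traffic originating inside, accepted only from the prefix assigned to
# that segment (anti-spoofing for both address families)
pass in on $int_if inet from $int_if:network
pass in on $int_if inet6 from $int_net6
pass in on $wifi_if inet from $wifi_if:network
pass in on $wifi_if inet6 from $wifi_net6

# The firewall's own outbound traffic on the uplink. Forwarded traffic already
# has a (floating) state from the "pass in" rules above and needs no extra rule.
pass out on egress
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -s rules` afterwards to see how the macros and `:network` modifiers expanded. With `block log` as the default, `tcpdump -n -e -ttt -i pflog0 ip6` on the firewall while a host behind sis0 runs `ping6` shows the rule number of any IPv6 packet pf drops; if nothing appears there but `tcpdump -n -i fxp0 icmp6` shows the echo request leaving and no reply coming back, pf is not the problem and the question becomes whether the upstream is actually routing the whole delegated /56 to this router rather than only the /64 on fxp0. This example assumes that it is; no pf rule can substitute for that route.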