I'm struggling with a NAT64 config for my network and hoping someone could hit me with a clue bat.
This is going to require a bit of explanation because the IPv6 clients are not directly behind the OpenBSD server. So bear with me on this one.

+-----------------+
|     Router      |
|                 |
|                 |
|                 |
+--------+--------+
         |
         | Gi0/1: 38.87.35.97 / 2606:9c80:3:1::/64 eui-64
         |
         | OSPF
         |
         |
         | Vio0: 38.87.35.102 / inet6 autoconf
+--------+--------+
|   OBSD Server   |
|                 |
|                 |
|                 |
+--------+--------+
         |
         |
         |
         | Vio1: 2606:9c80:dead:beef::38.87.35.102/96
         X

Vio1 isn't actually connected to anything. But it carries an address with my NAT64 prefix. OSPF is configured to redistribute connected prefixes.

My pf.conf looks like this:

nat64# cat /etc/pf.conf
#       $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

# NAT64
pass in quick on vio1 inet6 from any to 2606:9c80:dead:beef::/96 \
        af-to inet from (egress:0) keep state rtable 0

# Default firewall state
block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

IP Forwarding is enabled:

nat64# sysctl -a | grep forwarding
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0
net.inet6.ip6.forwarding=1
net.inet6.ip6.mforwarding=0

From other places on the network, I can ping Vio1:

--- 2606:9c80:dead:beef::38.87.35.102 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.206/0.258/0.316/0.045 ms

And the prefix is in the routing table:

#show ipv6 route 2606:9c80:dead:beef::/96

VRF name: default
Routing entry for 2606:9c80:dead:beef::/96
Codes: C - connected, S - static, K - kernel,
       O3 - OSPFv3, B - BGP, R - RIP, A B - BGP Aggregate,
       I L1 - ISIS level 1, I L2 - ISIS level 2,
       NG - Nexthop Group Static Route

 O3       2606:9c80:dead:beef::/96 [110/20]
           via fe80::99b8:c8c1:bceb:f98f, Vlan111

But I cannot ping out:

$ ping6 2606:9c80:dead:beef::808:808
PING6(56=40+8+8 bytes) 2606:9c80:3:1:5054:ff:fea3:911b --> 2606:9c80:dead:beef::808:808
^C
--- 2606:9c80:dead:beef::808:808 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

But I do see traffic hitting my OpenBSD box on the NAT64 prefix:

nat64# tshark -i vio0 -f "net 2606:9c80:dead:beef::/96"
Capturing on 'vio0'
    1   0.000000 2606:9c80:3:1:5054:ff:fea3:911b → 2606:9c80:dead:beef::808:808 ICMPv6 70 Echo (ping) request id=0xd104, seq=226, hop limit=63
    2   1.025972 2606:9c80:3:1:5054:ff:fea3:911b → 2606:9c80:dead:beef::808:808

-Daniel