Hi,
I'm currently playing around with the af-to functionality of pf to build
a NAT64 gateway. When trying to combine this with rdomains, I'm running
into a problem I don't understand, where response packets, after being
translated back to IPv6, are sent in the rdomain used on the IPv4 side.
The system in question is OpenBSD 7.8 GENERIC#1 amd64. My goal is to
have a WireGuard interface where I can send IPv6 packets to be NAT64-ed
from an arbitrary source (hence the use of rdomains as I have an IPv6
default route via both vio0 (the external interface of the machine) and
wg64).
The wg64 interface uses the following configuration:
# cat /etc/hostname.wg64
descr "NAT64 WireGuard"
rdomain 64
wgport 51820
wgkey [...]
wgpeer [...] wgaip ::/0
inet6 fe80::1 64
!route -T 64 add -inet6 default fe80::1%\$if
For testing purposes, the af-to pf rule is currently the only active rule:
# pfctl -sr
pass in on rdomain 64 inet6 from any to 64:ff9b::/96 flags S/SA rtable 0
af-to inet from (egress:0) round-robin
If I now send pings to 64:ff9b::808:808 from 2001:db8::42 (a different
machine connected through the wg64 interface), I can see them being
received on the OpenBSD machine:
# tcpdump -n -i wg64 icmp or icmp6
tcpdump: listening on wg64, link-type LOOP
22:33:15.837362 2001:db8::42 > 64:ff9b::808:808: icmp6: echo request
[flowlabel 0x2027a]
And they are also successfully translated to IPv6 (198.51.100.1 is the
address on vio0 of the OpenBSD machine) and a response is received:
# tcpdump -n -i vio0 icmp or icmp6
tcpdump: listening on vio0, link-type EN10MB
22:33:15.837390 198.51.100.1 > 8.8.8.8: icmp: echo request (DF)
22:33:15.847450 8.8.8.8 > 198.51.100.1: icmp: echo reply
22:33:15.847480 64:ff9b::808:808 > 2001:db8::42: icmp6: echo reply
As shown by the last line, the response is also translated back to IPv6.
However, it's sent out on the vio0 interface in rdomain 0, not on wg64
in rdomain 64 as I'd expect.
The connection state seems to be tracked properly; I presume (64) refers
to the rdomain the address is from:
# pfctl -ss
all ipv6-icmp 198.51.100.1:17182 ((64) 2001:db8::42[15]) -> 8.8.8.8:8 ((64) 64:ff9b::808:808[17182]) 0:0
I don't know if this is expected behavior. Am I missing something to get
the replies sent out on the wg64 interface? Any help is appreciated. As
I'm fairly new to OpenBSD, it's entirely possible that I'm missing
something obvious.
Thanks,
Julian
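As an added example, not part of Julian's post and not code from pf or OpenBSD, the script below cross-checks the pfctl -ss state line quoted above: it parses each endpoint, reads the "(64)" tags as rdomain numbers, and verifies that the IPv6 destination 64:ff9b::808:808 really embeds the IPv4 destination 8.8.8.8 in its low 32 bits, which is the /96 layout of RFC 6052 that the 64:ff9b::/96 af-to rule relies on. It assumes the state line format exactly as posted (an endpoint with no tag is reported as carrying no rdomain annotation; whether that means rdomain 0 is an assumption the script does not make) and says nothing about why the reply leaves via vio0; it only makes the translation visible so the two sides of the state can be compared.

```python
import ipaddress
import re

# Well-known NAT64 prefix matched by the af-to rule on this page (RFC 6052, /96 layout).
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def ipv6_to_ipv4(addr6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 address embedded in the low 32 bits of a /96 NAT64 address."""
    a6 = ipaddress.IPv6Address(addr6)
    if a6 not in NAT64_PREFIX:
        raise ValueError(f"{addr6} is not inside {NAT64_PREFIX}")
    return ipaddress.IPv4Address(int(a6) & 0xFFFFFFFF)


def ipv4_to_ipv6(addr4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the NAT64 prefix (the reverse mapping applied to replies)."""
    a4 = ipaddress.IPv4Address(addr4)
    return ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(a4))


# One endpoint as printed by pfctl -ss: an optional "(rdomain) " tag, the address,
# and a port written as ":port" for IPv4 or "[port]" for IPv6.
HOST_RE = re.compile(
    r"(?:\((?P<rd>\d+)\)\s+)?"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+|[0-9a-fA-F:]+)"
    r"(?::(?P<port4>\d+)|\[(?P<port6>\d+)\])?"
)

# Whole af-to state line: "<if> <proto> <src> (<orig src>) -> <dst> (<orig dst>) <state>"
# (format assumed from the single line posted; other state kinds are not handled).
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+\((?P<osrc>.+?)\)\s+->\s+"
    r"(?P<dst>\S+)\s+\((?P<odst>.+?)\)\s+(?P<state>\S+)$"
)


def parse_host(text: str) -> dict:
    """Split one endpoint into rdomain tag (or None), address object and port (or None)."""
    m = HOST_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"cannot parse endpoint: {text!r}")
    port = m.group("port4") or m.group("port6")
    return {
        "rdomain": int(m.group("rd")) if m.group("rd") is not None else None,
        "addr": ipaddress.ip_address(m.group("addr")),
        "port": int(port) if port is not None else None,
    }


def parse_state_line(line: str) -> dict:
    m = STATE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an af-to state line: {line!r}")
    return {
        "ifname": m.group("ifname"),
        "proto": m.group("proto"),
        "src": parse_host(m.group("src")),          # translated (IPv4) side
        "orig_src": parse_host(m.group("osrc")),    # as seen on the IPv6 side
        "dst": parse_host(m.group("dst")),
        "orig_dst": parse_host(m.group("odst")),
        "state": m.group("state"),
    }


def check_nat64_state(line: str) -> dict:
    """Cross-check one af-to state: the IPv6 destination must embed the IPv4
    destination, and report which side of the state carries an rdomain tag."""
    st = parse_state_line(line)
    embedded = ipv6_to_ipv4(str(st["orig_dst"]["addr"]))
    return {
        "dst_matches_prefix": embedded == st["dst"]["addr"],
        "ipv6_side_rdomains": (st["orig_src"]["rdomain"], st["orig_dst"]["rdomain"]),
        "ipv4_side_rdomains": (st["src"]["rdomain"], st["dst"]["rdomain"]),
        "v6_client": str(st["orig_src"]["addr"]),
        "v4_target": str(st["dst"]["addr"]),
    }


# The state line from the post above, copied verbatim as one pfctl -ss output line.
POSTED_STATE = ("all ipv6-icmp 198.51.100.1:17182 ((64) 2001:db8::42[15]) -> "
                "8.8.8.8:8 ((64) 64:ff9b::808:808[17182]) 0:0")

if __name__ == "__main__":
    print(check_nat64_state(POSTED_STATE))
```

Running it against the posted line reports that the IPv4 target decoded from 64:ff9b::808:808 is 8.8.8.8, that both addresses on the IPv6 side of the state are tagged with rdomain 64, and that the translated IPv4 pair carries no tag at all in the printed state. The same two mapping functions can be used to sanity-check any other 64:ff9b::/96 destination before blaming the rule for a translation problem.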