Thursday, June 29, 2017

Firewall won't forward IPv6 traffic

Arrite, fellow OpenBSDers, here's the skinny:

I have native IPv6 from Comcast (one of the few good things about Comcast, but I digress). I was assigned a /56 block as you will see below.

I have a three-legged firewall running OpenBSD 6.1. I have static IPv4 and IPv6 addresses configured on the external interface (fxp0) and on both internal interfaces: sis0 (my internal network) and sis1 (an interface that is connected to my cheap Netgear wifi router and which blocks traffic to the internal network from that interface. I'm paranoid and I don't trust Netgear's implementation of anything. Deal.) The supplied IPv6 default gateway is configured in /etc/mygate. I can ping IPv6 addresses from the firewall, but not from my Mac Mini, which is behind the firewall on sis0, for love or money. The only way I have been able to get it to work briefly was when I did not have any IPv6 rules configured in /etc/pf.conf and it NATted traffic through the external IPv6 address on fxp0. This isn't how IPv6 is supposed to work, though, as each IPv6 device is supposed to use its own global unicast address, so pf should forward this traffic as such, amirite?

Some output:

[Thu Jun 29 15:19:26] joe@firewall.hylkema.org:~ $ sudo cat /etc/sysctl.conf
Password:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

[Thu Jun 29 15:42:17] joe@firewall.hylkema.org:~ $ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
index 6 priority 0 llprio 3
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
inet 127.0.0.1 netmask 0xff000000

sis0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:02:e3:1f:05:a6
index 2 priority 0 llprio 3
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::202:e3ff:fe1f:5a6%sis0 prefixlen 64 scopeid 0x2
inet6 2603:x:x:3e01::1 prefixlen 64
inet 10.1.0.1 netmask 0xffffff00 broadcast 10.1.0.255
sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:02:e3:05:60:66
index 3 priority 0 llprio 3
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::202:e3ff:fe05:6066%sis1 prefixlen 64 scopeid 0x3
inet6 2603:x:x:3e02::1 prefixlen 64
inet 172.20.0.1 netmask 0xffffff00 broadcast 172.20.0.255
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:11:11:5d:a1:56
index 4 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::211:11ff:fe5d:a156%fxp0 prefixlen 64 scopeid 0x4
inet6 2603:x:x:3e00::1 prefixlen 64
inet 96.x.x.x netmask 0xfffffffc broadcast 96.93.109.111
enc0: flags=0<>
index 5 priority 0 llprio 3
groups: enc
status: active
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr fe:e1:ba:d0:1f:41
index 7 priority 0 llprio 3
groups: tap
status: active
bridge0: flags=41<UP,RUNNING>
index 8 llprio 3
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
sis0 flags=3<LEARNING,DISCOVER>
port 2 ifpriority 0 ifcost 0
tap0 flags=3<LEARNING,DISCOVER>
port 7 ifpriority 0 ifcost 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33188
index 9 priority 0 llprio 3
groups: pflog

[Thu Jun 29 15:44:01] joe@firewall.hylkema.org:~ $ sudo cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="fxp0"
int_if="sis0"
wifi_if="sis1"

bt_ports="x"

icmp6_types="{ 2, 128 }" # packet too big, echo request (ping6)
icmp6_types_ext_if="{ 128, 133, 134, 135, 136, 137 }"

set skip on {lo, tap0}

match all scrub (no-df random-id)
match out on egress inet nat-to egress

table <spamhaus_drop> persist
table <fullbogons-ipv4> persist
table <fullbogons-ipv6> persist

block log

block in log on $ext_if from {<spamhaus_drop>, <fullbogons-ipv4>, <fullbogons-ipv6>}
block out log on $ext_if to {<spamhaus_drop>, <fullbogons-ipv4>, <fullbogons-ipv6>}

block log quick on $wifi_if to $int_if:network

pass inet6 proto ipv6-icmp from any to { ($ext_if ), ff02::1/16 } keep state
pass inet6 proto ipv6-icmp keep state

pass in on $ext_if proto {tcp,udp} to port $bt_ports keep state rdr-to 10.1.0.10 port $bt_ports
pass proto udp to port 1194 keep state
pass on {$int_if, $wifi_if} keep state
pass on egress keep state

[Thu Jun 29 15:46:17] joe@firewall.hylkema.org:~ $ sudo cat /etc/mygate
96.x.x.x
2603:x:x:3e00:f44b:2aff:fe70:877e

[Thu Jun 29 15:47:32] joe@firewall.hylkema.org:~ $ sudo cat /etc/rtadvd.conf
sis0:\
:addr="2603:x:x:3e01::":\
:prefixlen#64:\
:raflags#64:\
:rdnss="2001:558:feed::1,2001:558:feed::2":

sis1:\
:addr="2603:x:x:3e02::":\
:prefixlen#64:\
:raflags#64:\
:rdnss="2001:558:feed::1,2001:558:feed::2":

[Thu Jun 29 15:48:02] joe@firewall.hylkema.org:~ $ ping6 google.ca
PING google.ca (2607:f8b0:400a:807::2003): 56 data bytes
64 bytes from 2607:f8b0:400a:807::2003: icmp_seq=0 hlim=54 time=39.239 ms
64 bytes from 2607:f8b0:400a:807::2003: icmp_seq=1 hlim=54 time=27.031 ms
64 bytes from 2607:f8b0:400a:807::2003: icmp_seq=2 hlim=54 time=27.114 ms
64 bytes from 2607:f8b0:400a:807::2003: icmp_seq=3 hlim=54 time=36.269 ms
64 bytes from 2607:f8b0:400a:807::2003: icmp_seq=4 hlim=54 time=27.490 ms
^C
--- google.ca ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 27.031/31.429/39.239/5.252 ms

Any help would be greatly appreciated. I am absolutely at my wit's end.

Thank you.

--
"Far better it is to dare mighty things, to win glorious triumphs, even though checkered by failure, than to take rank with those poor spirits who neither enjoy much nor suffer much, because they live in the gray twilight that knows neither victory nor defeat."

-- Theodore Roosevelt, "The Strenuous Life."
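An added consistency check (example code, not from the post) for the three pieces shown above: it parses ifconfig output, a termcap-style rtadvd.conf and sysctl.conf, and reports when an advertised LAN prefix is not configured on that interface, falls outside the /56 the ISP routes to the firewall, or IPv6 forwarding is off. The sample input is constructed from the post's own output with the documentation prefix 2001:db8 standing in for the redacted 2603:x:x, and the /56 boundary is an assumption.

```python
import re
from ipaddress import IPv6Network
# Constructed input cut from the post's ifconfig/rtadvd.conf; 2001:db8 (assumed) replaces the redacted 2603:x:x.
IFCONFIG = """\
sis0: flags=8b43<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet6 fe80::202:e3ff:fe1f:5a6%sis0 prefixlen 64 scopeid 0x2
\tinet6 2001:db8:0:3e01::1 prefixlen 64
"""
RTADVD = """\
sis0:\\
\t:addr="2001:db8:0:3e01::":\\
\t:prefixlen#64:
"""
SYSCTL = "net.inet.ip.forwarding=1\nnet.inet6.ip6.forwarding=1\n"
DELEGATED = IPv6Network("2001:db8:0:3e00::/56")  # the /56 the ISP routes to the firewall (assumed)

def global_prefixes(ifconfig):
    """Interface -> set of global-unicast networks, parsed from ifconfig output."""
    nets, cur = {}, None
    for line in ifconfig.splitlines():
        head = re.match(r"^(\w+): flags=", line)
        m = re.match(r"\s*inet6 (\S+) prefixlen (\d+)", line)
        if head:
            cur = head.group(1)
        elif m and cur and not m.group(1).startswith("fe80:"):  # skip link-local
            addr = m.group(1).split("%")[0]                     # drop %scope suffix
            nets.setdefault(cur, set()).add(IPv6Network(f"{addr}/{m.group(2)}", strict=False))
    return nets

def advertised_prefixes(rtadvd):
    """Interface -> network it announces, parsed from termcap-style rtadvd.conf."""
    nets = {}
    for rec in rtadvd.replace("\\\n", "").splitlines():  # join backslash continuations
        name = re.match(r"(\w+):", rec)
        addr = re.search(r'addr="([^"]+)"', rec)         # quoted, so its colons are safe
        plen = re.search(r"prefixlen#(\d+)", rec)
        if name and addr:
            nets[name.group(1)] = IPv6Network(f"{addr.group(1)}/{plen.group(1) if plen else 64}")
    return nets

def check(ifconfig, rtadvd, sysctl):
    """Return findings; an empty list means forwarding, RAs and prefixes all agree."""
    findings = [] if "net.inet6.ip6.forwarding=1" in sysctl.split() else ["net.inet6.ip6.forwarding is not enabled"]
    have = global_prefixes(ifconfig)
    for ifname, net in advertised_prefixes(rtadvd).items():
        if net not in have.get(ifname, set()):
            findings.append(f"{ifname}: RA advertises {net} but the interface carries {sorted(map(str, have.get(ifname, [])))}")
        if not net.subnet_of(DELEGATED):
            findings.append(f"{ifname}: {net} lies outside the delegated {DELEGATED}, so upstream cannot route it")
    return findings
```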
