Saturday, June 02, 2018

NAT64 configuration issues

I'm struggling with a NAT64 config for my network and hoping someone
could hit me with a clue bat.

This is going to require a bit of explanation because the IPv6 clients
are not directly behind the OpenBSD server. So bear with me on this one.

+-----------------+
|     Router      |
|                 |
|                 |
|                 |
+--------+--------+
   |     |  Gi0/1: 38.87.35.97 / 2606:9c80:3:1::/64 eui-64
   |     |
  OSPF   |
   |     |  Vio0: 38.87.35.102 / inet6 autoconf
+--------+--------+
|   OBSD Server   |
|                 |
|                 |
|                 |
+--------+--------+
         |
         |
         |
         |  Vio1: 2606:9c80:dead:beef::38.87.35.102/96
         X

Vio1 isn't actually connected to anything. But it carries an address
with my NAT64 prefix. OSPF is configured to redistribute connected
prefixes.

My pf.conf looks like this:

nat64# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

# NAT64
pass in quick on vio1 inet6 from any to 2606:9c80:dead:beef::/96 \
af-to inet from (egress:0) keep state rtable 0

# Default firewall state
block return # block stateless traffic
pass # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

IP Forwarding is enabled:

nat64# sysctl -a | grep forwarding
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0
net.inet6.ip6.forwarding=1
net.inet6.ip6.mforwarding=0

From other places on the network, I can ping Vio1:

--- 2606:9c80:dead:beef::38.87.35.102 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.206/0.258/0.316/0.045 ms

And the prefix is in the routing table:

#show ipv6 route 2606:9c80:dead:beef::/96

VRF name: default
Routing entry for 2606:9c80:dead:beef::/96
Codes: C - connected, S - static, K - kernel, O3 - OSPFv3, B - BGP, R -
RIP, A B - BGP Aggregate, I L1 - ISIS level 1, I L2 - ISIS level 2, NG -
Nexthop Group Static Route

O3 2606:9c80:dead:beef::/96 [110/20]
via fe80::99b8:c8c1:bceb:f98f, Vlan111


But I cannot ping out:

$ ping6 2606:9c80:dead:beef::808:808
PING6(56=40+8+8 bytes) 2606:9c80:3:1:5054:ff:fea3:911b --> 2606:9c80:dead:beef::808:808
^C
--- 2606:9c80:dead:beef::808:808 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

But I do see traffic hitting my OpenBSD box on the NAT64 prefix:

nat64# tshark -i vio0 -f "net 2606:9c80:dead:beef::/96"
Capturing on 'vio0'
1 0.000000 2606:9c80:3:1:5054:ff:fea3:911b → 2606:9c80:dead:beef::808:808 ICMPv6 70 Echo (ping) request id=0xd104, seq=226, hop limit=63
2 1.025972 2606:9c80:3:1:5054:ff:fea3:911b → 2606:9c80:dead:beef::808:808

-Daniel
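
The ping target and the Vio1 address in the post both use the /96 embedding, where the low 32 bits of the IPv6 address carry the IPv4 address. As an added example (not part of the original post), this Python helper maps addresses in and out of the post's prefix and reports whether the embedded IPv4 destination is globally routable, which matters because the pass rule accepts any destination inside the prefix; the function names are hypothetical.

```python
import ipaddress

# NAT64 prefix taken from the pf.conf rule in the post.
NAT64_PREFIX = ipaddress.IPv6Network("2606:9c80:dead:beef::/96")


def _require_96(prefix):
    # Only the /96 layout (IPv4 in the low 32 bits) is handled here.
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are supported")


def embed(ipv4, prefix=NAT64_PREFIX):
    """IPv6 address an IPv6-only client would use to reach `ipv4`."""
    _require_96(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(ipv6, prefix=NAT64_PREFIX):
    """Embedded IPv4 address, or None when `ipv6` is outside the prefix."""
    _require_96(prefix)
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def describe(ipv6, prefix=NAT64_PREFIX):
    """Summarise how a translator using `prefix` would treat `ipv6`."""
    v4 = extract(ipv6, prefix)
    if v4 is None:
        return {"in_prefix": False, "ipv4": None, "global": None}
    # is_global is False for private, loopback, link-local and similar ranges.
    return {"in_prefix": True, "ipv4": str(v4), "global": v4.is_global}


if __name__ == "__main__":
    samples = (
        "2606:9c80:dead:beef::808:808",       # ping target from the post
        "2606:9c80:dead:beef::38.87.35.102",  # Vio1 address from the post
        "2606:9c80:3:1:5054:ff:fea3:911b",    # client source, outside the prefix
        "2606:9c80:dead:beef::a00:1",         # constructed: embeds 10.0.0.1
    )
    for addr in samples:
        print(addr, describe(addr))
```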
