So I fixed this configuration simply by removing the /64 from Vio0. I
guess the IPv4 LAN segment can't have any preexisting IPv6 on it.
Thanks.
-Daniel
On 6/2/2018 15:51, Daniel Corbe wrote:
> I'm struggling with a NAT64 config for my network and hoping someone
> could hit me with a clue bat.
>
> This is going to require a bit of explanation because the IPv6 clients
> are not directly behind the OpenBSD server. So bear with me on this one.
>
> +-----------------+
> |     Router      |
> |                 |
> |                 |
> |                 |
> +--------+--------+
>          |        | Gi0/1: 38.87.35.97 / 2606:9c80:3:1::/64 eui-64
>          |        |
>        OSPF       |
>          |        | Vio0: 38.87.35.102 / inet6 autoconf
> +--------+--------+
> |   OBSD Server   |
> |                 |
> |                 |
> |                 |
> +--------+--------+
>          |
>          |
>          |
>          | Vio1: 2606:9c80:dead:beef::38.87.35.102/96
>          X
>
> Vio1 isn't actually connected to anything. But it carries an address
> with my NAT64 prefix. OSPF is configured to redistribute connected
> prefixes.
>
> My pf.conf looks like this:
>
> nat64# cat /etc/pf.conf
> # $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
> #
> # See pf.conf(5) and /etc/examples/pf.conf
>
> set skip on lo
>
> # NAT64
> pass in quick on vio1 inet6 from any to 2606:9c80:dead:beef::/96 \
> af-to inet from (egress:0) keep state rtable 0
>
> # Default firewall state
> block return # block stateless traffic
> pass # establish keep-state
>
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
>
> # Port build user does not need network
> block return out log proto {tcp udp} user _pbuild
>
> IP Forwarding is enabled:
>
> nat64# sysctl -a | grep forwarding
> net.inet.ip.forwarding=1
> net.inet.ip.mforwarding=0
> net.inet6.ip6.forwarding=1
> net.inet6.ip6.mforwarding=0
>
> From other places on the network, I can ping Vio1:
>
> --- 2606:9c80:dead:beef::38.87.35.102 ping6 statistics ---
> 3 packets transmitted, 3 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 0.206/0.258/0.316/0.045 ms
>
> And the prefix is in the routing table:
>
> #show ipv6 route 2606:9c80:dead:beef::/96
>
> VRF name: default
> Routing entry for 2606:9c80:dead:beef::/96
> Codes: C - connected, S - static, K - kernel, O3 - OSPFv3, B - BGP, R -
> RIP, A B - BGP Aggregate, I L1 - ISIS level 1, I L2 - ISIS level 2, NG -
> Nexthop Group Static Route
>
> O3 2606:9c80:dead:beef::/96 [110/20]
> via fe80::99b8:c8c1:bceb:f98f, Vlan111
>
>
> But I cannot ping out:
>
> $ ping6 2606:9c80:dead:beef::808:808
> PING6(56=40+8+8 bytes) 2606:9c80:3:1:5054:ff:fea3:911b -->
> 2606:9c80:dead:beef::808:808
> ^C
> --- 2606:9c80:dead:beef::808:808 ping6 statistics ---
> 3 packets transmitted, 0 packets received, 100.0% packet loss
>
> But I do see traffic hitting my OpenBSD box on the NAT64 prefix:
>
> nat64# tshark -i vio0 -f "net 2606:9c80:dead:beef::/96"
> Capturing on 'vio0'
> 1 0.000000 2606:9c80:3:1:5054:ff:fea3:911b →
> 2606:9c80:dead:beef::808:808 ICMPv6 70 Echo (ping) request
> id=0xd104, seq=226, hop limit=63
> 2 1.025972 2606:9c80:3:1:5054:ff:fea3:911b →
> 2606:9c80:dead:beef::808:808
>
> -Daniel
>