Thursday, April 08, 2021

PF blocks traffic from encapsulated IPv4 where tun0 (IPv6) gif0 (IPv4 in IPv6 tunnel)

Hello list,

IPv4 encapsulated traffic always hits this rule:

block log (all, to pflog0)

If I set in pf.conf on both tunnel sides:

set skip on {tun0, gif0}

I can ping both IPv4 tunnel ends, but rdr-to rules don't work for IPv4 encapsulated packets this way.

I've tried to allow the encap protocols right after the 'block log (all, to pflog0)' rule, like below:

pass in log inet proto {ipencap, encap, etherip} from any to any keep state (if-bound)
pass out log inet proto {ipencap, encap, etherip} from any to any keep state (if-bound)

No effect; IPv4 encapsulated traffic is blocked by the 'block log (all, to pflog0)' rule every time, according to tcpdump as below:

07:15:54.366210 rule 48/(match) block in on tun0: 10.190.0.1 > 10.190.0.2: [|icmp] (encap)
07:15:55.366422 rule 48/(match) block in on tun0: 10.190.0.1 > 10.190.0.2: [|icmp] (encap)

The question is: how do I allow IPv4 encapsulated traffic on tun0 with gif0 IPv4-in-IPv6?

Configs for both sides of the tunnel:

=== Side-a ===

# cat /etc/hostname.gif0
# gif0
up
description 'IPv4 over IPv6 tunnel'
# tunnel [src IPv6] [dst IPv6]
tunnel dddd:cccc:bbbb:aaaa::18b5 aaaa:bbbb:cccc:dddd::a503
inet alias 10.190.0.1
dest 10.190.0.2

# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
index 44 priority 0 llprio 3
groups: tun
status: active
inet6 fe80::5054:ffc:fe04:f824%tun0 -> prefixlen 64 scopeid 0x2c
inet6 dddd:cccc:bbbb:aaaa::18b5 -> prefixlen 48

=== Side-b ===

# cat /etc/hostname.gif0
# gif0
up
description 'IPv4 over IPv6 tunnel'
# tunnel [src IPv6] [dst IPv6]
tunnel aaaa:bbbb:cccc:dddd::a503 dddd:cccc:bbbb:aaaa::18b5
inet alias 10.190.0.2
dest 10.190.0.1

# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
index 44 priority 0 llprio 3
groups: tun
status: active
inet6 fe80::2a15:f3af:fefb:a3b0%tun0 -> prefixlen 64 scopeid 0x2c
inet6 aaaa:bbbb:cccc:dddd::a503 -> prefixlen 48
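An added example, not part of the post above: a pf.conf fragment written for side-a that, on the assumption that the packet blocked on tun0 is an IPv6 outer header carrying IPv4 (tun0 has only inet6 addresses, and tcpdump decodes an encapsulated IPv4 packet with "(encap)"), matches it with an inet6 rule instead of the inet rules quoted in the post. The macro names and the icmp rules on gif0 are placeholders chosen for illustration.

```pf
# Added example (not from the original post), written for side-a.
# Assumption: the outer packet crossing tun0 is IPv6 (tun0 carries only
# inet6 addresses, and the pflog line decodes an IPv4 packet inside it),
# so a rule restricted to the "inet" family never matches it.

ext_tun = "tun0"     # IPv6 point-to-point link (outer header)
gif_if  = "gif0"     # IPv4-in-IPv6 tunnel (inner IPv4 10.190.0.0/24 ends)

block log (all, to pflog0)

# Rules from the post: "inet" only matches an IPv4 outer header, so they
# never see the IPv6-carried encapsulated packets on tun0.
# pass in  log inet proto {ipencap, encap, etherip} from any to any keep state (if-bound)
# pass out log inet proto {ipencap, encap, etherip} from any to any keep state (if-bound)

# Assumed alternative: match the IPv6 outer header on tun0, restricted to the
# two tunnel endpoints, for protocol 4 (ipencap = IPv4 encapsulated in IPv6).
pass in  log on $ext_tun inet6 proto ipencap \
    from aaaa:bbbb:cccc:dddd::a503 to dddd:cccc:bbbb:aaaa::18b5 keep state (if-bound)
pass out log on $ext_tun inet6 proto ipencap \
    from dddd:cccc:bbbb:aaaa::18b5 to aaaa:bbbb:cccc:dddd::a503 keep state (if-bound)

# After decapsulation the inner IPv4 packets appear on gif0, where ordinary
# filter and rdr-to rules can match them; gif0 is therefore not in "set skip".
# Placeholder rules: allow the tunnel-end ping described in the post.
pass in  log on $gif_if inet proto icmp from 10.190.0.2 to 10.190.0.1
pass out log on $gif_if inet proto icmp from 10.190.0.1 to 10.190.0.2
```

Which rule the pflog "rule 48" refers to can be confirmed with `pfctl -vvsr`, which prints every loaded rule with its `@number` label.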
