IPv6 NPt with 6rd tunnel



  • Hi

    We have moved to pfsense 2.1 for testing purposes as our primary ISP (Swisscom) now provides an IPv6 subnet over 6rd.

    For our case this is: 2a02:1205:4fd0:1310::/60

    Internally we'd like to use Unique Local Addresses as per RFC4193. We decided to use a ULA because we have multiple Internet providers (multihoming) and pfSense decides dynamically which provider to use for Internet access.

    So we gave our LAN interface the address fdbf:100f:912e::1/64.

    To get access to the internet from LAN the ULAs need to be translated to the external valid IPv6 addresses. We set up the following NPt rule:

    Then we created a gateway group and a firewall rule on LAN for IPv6 traffic, just as written in the pfSense docs (http://doc.pfsense.org/index.php/Multi-WAN_for_IPv6):

    Unfortunately Internet access doesn't work for clients in the internal network. I have no idea what I have done wrong.

    So I wonder if anyone has a similar setup with NPt, 6rd and multihoming.

    Note: IPv6 Internet access works fine if I use IP addresses from the provider-assigned network (2a02:1205:4fd0:1310::/64).

    Thank you very much for any suggestions.

    Silvan


  • Rebel Alliance Developer Netgate

    That looks correct to me. I have NPt setup on just one of my tunnels (I use the IPs from one tunnel directly on LAN, then NPt to the other) as I wrote up here:
    http://doc.pfsense.org/index.php/Multi-WAN_for_IPv6

    That's working for me…

    Check the state table (Diag > States) for states from your fdbf IPs as you try to access the Internet from them. That would show if NPt is getting applied.



    If I get this right, the SWISSCOM IP 2a02:1205:4fd0:1310:: is in the same net as the net you are NATing to. Will that work? Shouldn't the SWISSCOM interface have an IP in a transport net where the route to 2a02:1205:4fd0:1310::/64 is pointing to?
    Another possibility would be that maybe I am getting this all wrong ;)


  • Rebel Alliance Developer Netgate

    I didn't notice that before but arthurdent is correct. You can't do NPt to your interface subnet. You'd need to do NPt to the /64 routed to your firewall from swisscom, not the interconnect subnet.

    For the interconnect subnet to work you'd need to respond to ndp requests for any IPs in that subnet, which isn't feasible for an entire /64.



  • I know, this might break some things, but couldn't you just use old fashioned NAT for this? I just checked my home gateway's ruleset to find that I am still using the test NAT rule I must have created at least half a year ago on my OpenBSD router:

    match out quick on $IPV6INT inet6 from <lanhosts6> nat-to $IPV6EXTIP
    

    Looking back, my LAN clients never had any problems with that…


  • Rebel Alliance Developer Netgate

    Not sure if that works in our version of pf, and even if it did, I would not want to encourage that.



  • Hi Jiimp, hi athurdent

    Thank you very much for your fast answers.

    I understand your concerns about a missing transport network. But I think there is no transport network in 6rd.
    Here is how our 6rd is configured:

    In the background a tunnel interface is then created, where the public IPv4 address is used to build the IPv6 network address:

    And here is a graphic from our provider on how the network can be used:

    Here is a document from Cisco about 6rd: http://meetings.apnic.net/__data/assets/file/0005/38651/apnic32-apops-shtsuchi-6rd-final.pdf

    I'm interpreting all this as we are assigned a /60 network through the tunnel where we can use up to 16 /64 subnets for our needs. So I chose 2a02:1205:4fd0:1310::/64 for our LAN net.
    I could also use 2a02:1205:4fd0:1311::/64 for DMZ as an example.

    That's how I interpret it. I hope I am not completely wrong.



  • Can you show your /tmp/rules.debug generated from this config?



  • I tried something:

    If I set the NPt rule to the WAN interface, 6rd traffic is not translated. Here is a trace from the WAN interface:

    17:32:00.806102 IP 84.253.1.49 > 193.5.122.254: IP6 fdbf:100f:912e::99 > 2a00:1450:4001:c02::69: ICMP6, echo request, seq 6572, length 40
    

    There is no answer from the pinged host.

    I have now created a pfSense interface on the tunnel stf0

    and changed NPt to the new interface:

    A Packet Capture on the WAN Interface looks much better now:

    17:16:49.310321 IP 84.253.1.49 > 193.5.122.254: IP6 2a02:1205:4fd0:1310::99 > 2a00:1450:4001:c02::69: ICMP6, echo request, seq 6409, length 40
    17:16:49.344290 IP 193.5.122.254 > 84.253.1.49: IP6 2a00:1450:4001:c02::69 > 2a02:1205:4fd0:1310::99: ICMP6, echo reply, seq 6409, length 40
    17:16:54.310373 IP 84.253.1.49 > 193.5.122.254: IP6 2a02:1205:4fd0:1310::99 > 2a00:1450:4001:c02::69: ICMP6, echo request, seq 6410, length 40
    17:16:54.343785 IP 193.5.122.254 > 84.253.1.49: IP6 2a00:1450:4001:c02::69 > 2a02:1205:4fd0:1310::99: ICMP6, echo reply, seq 6410, length 40
    17:16:59.310165 IP 84.253.1.49 > 193.5.122.254: IP6 2a02:1205:4fd0:1310::99 > 2a00:1450:4001:c02::69: ICMP6, echo request, seq 6411, length 40
    17:16:59.344058 IP 193.5.122.254 > 84.253.1.49: IP6 2a00:1450:4001:c02::69 > 2a02:1205:4fd0:1310::99: ICMP6, echo reply, seq 6411, length 40
    

    Outgoing Packets seem to be translated just fine in the 6rd tunnel. The reply is also OK but is for some reason not routed back to LAN.

    This is what the state table looks like:

    At the moment on the WAN interface IPv6 is all open:

    Also IPv6 and IPv4 on the SC6RD interface are open.

    There are no entries in the Firewall log for blocked packets.

    Unfortunately after a reboot of the router there is an error on startup:

    Interface configuration mismatch -- Running interface assignment option.
    

    So my approach of creating an interface on stf0 and doing NPt over it doesn't really look like the right solution. I had to reload the old configuration to make the router work again.

    Thank you very much in advance for further advice.

    Silvan



  • Hello ermal

    Here is my rules.debug. For security reasons I have changed the public IPs in the text.
    As we also use some GRE Tunnels for VPN and OSPF routing, the configuration isn't the smallest.

    
    set limit tables 3000
    set optimization normal
    set limit states 22000
    set limit src-nodes 22000
    
    #System aliases
    
    loopback = "{ lo0 }"
    SWISSCOM = "{ pppoe0 stf0  }"
    LAN = "{ vr0 }"
    CABLECOM = "{ vr1_vlan1003 }"
    GRE1020 = "{ gre0 }"
    DMZ = "{ vr2_vlan1001 }"
    GRE1121 = "{ gre1 }"
    GRE1130 = "{ gre2 }"
    MANAGEMENT = "{ vr0_vlan78 }"
    GRE1031 = "{ gre3 }"
    pptp = "{ pptp }"
    IPsec = "{ enc0 }"
    OpenVPN = "{ openvpn }"
    
    #SSH Lockout Table
    table <sshlockout> persist
    table <webconfiguratorlockout> persist
    #Snort tables
    table <snort2c>
    table <virusprot>
    # User Aliases 
    table <easyruleblockhostsopt3> {   84.253.1.51/32 } 
    EasyRuleBlockHostsOPT3 = "<easyruleblockhostsopt3>"
    table <management_network> {   10.78.0.0/16  10.94.0.0/16  10.110.0.0/16 } 
    management_network = "<management_network>"
    table <private_network> {   172.16.0.0/16  10.64.0.0/16  10.80.0.0/16  10.96.0.0/16  10.78.0.0/16  10.94.0.0/16  10.110.0.0/16  192.168.30.0/24 } 
    private_network = "<private_network>"
    table <vpn_gw> {   84.82.22.64  74.53.32.116 } 
    vpn_gw = "<vpn_gw>"
    
    # Gateways
    GWGW_WAN = " route-to ( pppoe0 213.3.242.151 ) "
    GWCABLECOMGW = " route-to ( vr1_vlan1003 62.2.214.161 ) "
    GWSWISSCOM_6RD = " route-to ( stf0 2a02:120c:1057:afe0:: ) "
    GWCLIENTSWAN = "  route-to { ( vr1_vlan1003 62.2.214.161 )  }  "
    GWCLIENTSWAN6 = "  route-to { ( stf0 2a02:120c:1057:afe0:: )  }  "
    
    set loginterface vr0
    
    set skip on pfsync0
    
    no nat proto carp
    no rdr proto carp
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    
    binat on $SWISSCOM from fdbf:100f:912e::/64 to any -> 2a02:1205:4fd0:1310::/64
    binat on $SWISSCOM from any to 2a02:1205:4fd0:1310::/64 -> fdbf:100f:912e::/64
    
    # Outbound NAT rules
    nat on $CABLECOM  from 10.64.0.0/16 to any port 500 -> 60.4.213.62/32  static-port
    nat on $SWISSCOM  from 10.64.0.0/16 to any port 500 -> 82.223.1.33/32  static-port
    nat on $SWISSCOM  from 10.64.0.0/16 to !10.0.0.0/8 -> 82.223.1.33/32 port 1024:65535  
    nat on $CABLECOM  from 10.64.0.0/16 to !10.0.0.0/8 -> 60.4.213.62/32 port 1024:65535  
    no nat on $SWISSCOM  from any to 172.16.0.0/16   
    no nat on $CABLECOM  from any to 172.16.0.0/16   
    
    # Load balancing anchor
    rdr-anchor "relayd/*"
    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    table <vpn_networks> { 172.16.0.0/24 10.96.0.0/16 172.20.1.0/24 }
    table <negate_networks> { 172.16.0.0/24 10.96.0.0/16 172.20.1.0/24 }
    # NAT Inbound Redirects
    rdr on vr0 proto tcp from any to 84.253.1.50 port 25 -> 84.253.1.50 port 225
    rdr on pppoe0 proto tcp from any to 84.253.1.50 port 443 -> 10.64.32.2
    rdr on pppoe0 proto tcp from any to 82.223.1.33 port 20443 -> 10.64.16.34
    rdr on pppoe0 proto tcp from any to 82.223.1.33 port 3299 -> 10.64.16.18
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    anchor "relayd/*"
    anchor "openvpn/*"
    anchor "ipsec/*"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log inet all label "Default deny rule IPv4"
    block out log inet all label "Default deny rule IPv4"
    block in log inet6 all label "Default deny rule IPv6"
    block out log inet6 all label "Default deny rule IPv6"
    
    # IPv6 ICMP is not auxilary, it is required for operation
    # See man icmp6(4)
    # 1    unreach         Destination unreachable
    # 2    toobig          Packet too big
    # 128  echoreq         Echo service request
    # 129  echorep         Echo service reply
    # 133  routersol       Router solicitation
    # 134  routeradv       Router advertisement
    # 135  neighbrsol      Neighbor solicitation
    # 136  neighbradv      Neighbor advertisement
    pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state
    
    # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state
    
    # We use the mighty pf, we cannot be fooled.
    block quick inet proto { tcp, udp } from any port = 0 to any
    block quick inet proto { tcp, udp } from any to any port = 0
    block quick inet6 proto { tcp, udp } from any port = 0 to any
    block quick inet6 proto { tcp, udp } from any to any port = 0
    
    # Snort package
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"
    
    # SSH lockout
    block in log quick proto tcp from <sshlockout> to any port 22225 label "sshlockout"
    
    # webConfigurator lockout
    block in log quick proto tcp from <webconfiguratorlockout> to any port 443 label "webConfiguratorlockout"
    block in quick from <virusprot> to any label "virusprot overload table"
    antispoof for pppoe0
    
    # allow our proto 41 traffic from the 6RD border relay in
    pass in on $SWISSCOM proto 41 from 193.5.122.254 to any label "Allow 6in4 traffic in for 6rd on SWISSCOM"
    pass out on $SWISSCOM proto 41 from any to 193.5.122.254 label "Allow 6in4 traffic out for 6rd on SWISSCOM"
    antispoof for vr0
    antispoof for vr1_vlan1003
    antispoof for gre0
    antispoof for vr2_vlan1001
    antispoof for gre1
    antispoof for gre2
    antispoof for vr0_vlan78
    antispoof for gre3
    
    # loopback
    pass in on $loopback inet all label "pass IPv4 loopback"
    pass out on $loopback inet all label "pass IPv4 loopback"
    pass in on $loopback inet6 all label "pass IPv6 loopback"
    pass out on $loopback inet6 all label "pass IPv6 loopback"
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to ( pppoe0 213.3.242.151 ) from 82.223.1.33 to !82.223.1.33/32 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( stf0 2a02:120c:1057:afe0:: ) inet6 from 2a02:1205:4fd0:1310:: to !2a02:1205:4fd0:1310::/60 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( vr1_vlan1003 62.2.214.161 ) from 60.4.213.62 to !62.2.214.160/29 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( gre0 172.16.0.2 ) from 172.16.0.1 to !172.16.0.0/24 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( gre1 172.16.1.2 ) from 172.16.1.1 to !172.16.1.0/24 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( gre2 172.16.2.2 ) from 172.16.2.1 to !172.16.2.0/24 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( gre3 172.16.3.2 ) from 172.16.3.1 to !172.16.3.0/24 keep state allow-opts label "let out anything from firewall host itself"
    pass out on $IPsec all keep state label "IPsec internal host to host"
    # PPTPd rules
    pass in on $SWISSCOM proto tcp from any to 82.223.1.33 port = 1723 modulate state label "allow pptpd 82.223.1.33"
    pass in on $SWISSCOM proto gre from any to any keep state label "allow gre pptpd"
    
    # User-defined rules follow
    
    anchor "userrules/*"
    pass  from   $private_network to   $private_network  no state  label "USER_RULE: Disable State Tracking for internal traffic"
    pass  in  quick  on $SWISSCOM reply-to ( pppoe0 213.3.242.151 )  proto tcp  from any to 82.223.1.33 port 22225  flags S/SA keep state  label "USER_RULE: Remote SSH"
    pass  in  quick  on $SWISSCOM reply-to ( pppoe0 213.3.242.151 )  proto tcp  from any to 82.223.1.33 port 443  flags S/SA keep state  label "USER_RULE: HTTPS Firewall Access"
    pass  in  quick  on $SWISSCOM reply-to ( pppoe0 213.3.242.151 )  proto icmp  from any to any keep state  label "USER_RULE"
    pass  in  quick  on $SWISSCOM reply-to ( pppoe0 213.3.242.151 )  proto { tcp udp }  from any to 82.223.1.33 port 29999 >< 30021  keep state  label "USER_RULE: OpenVPN"
    pass  in  quick  on $SWISSCOM reply-to ( pppoe0 213.3.242.151 )  proto tcp  from any to   84.253.1.50 port 25  flags S/SA keep state  label "USER_RULE: SMTP to 10mail "
    pass  in  quick  on $SWISSCOM reply-to ( pppoe0 213.3.242.151 )  proto gre  from any to any keep state  label "USER_RULE: GRE"
    pass  in  quick  on $SWISSCOM reply-to ( pppoe0 213.3.242.151 )  proto tcp  from any to 82.223.1.33 port 1723  flags S/SA keep state  label "USER_RULE: PPTP"
    pass  in  quick  on $SWISSCOM reply-to ( pppoe0 213.3.242.151 )  proto udp  from any to any port 123  keep state  label "USER_RULE: NTP Time Syncronization"
    pass  in  quick  on $SWISSCOM reply-to ( pppoe0 213.3.242.151 )  proto tcp  from any to   84.253.1.51 port 443  flags S/SA keep state  label "USER_RULE: 10b2b HTTPS Access"
    pass  in  quick  on $SWISSCOM reply-to ( pppoe0 213.3.242.151 )  proto tcp  from any to 82.223.1.33 port 51  flags S/SA keep state  label "USER_RULE: IPSEC Authenticated Headers"
    pass  in  quick  on $SWISSCOM reply-to ( pppoe0 213.3.242.151 )  proto udp  from any to any port 500  keep state  label "USER_RULE: IPSEC ISAKMP"
    pass  in  quick  on $SWISSCOM reply-to ( pppoe0 213.3.242.151 )  proto esp  from any to any keep state  label "USER_RULE: IPSEC ESP"
    pass  in  quick  on $SWISSCOM reply-to ( pppoe0 213.3.242.151 )  proto tcp  from any to   10.64.32.2 port 443  flags S/SA keep state  label "USER_RULE: NAT Exchange HTTPS"
    pass  in  quick  on $SWISSCOM reply-to ( pppoe0 213.3.242.151 )  proto tcp  from any to   10.64.16.34 port 20443  flags S/SA keep state  label "USER_RULE: NAT Nagios"
    pass  in  quick  on $SWISSCOM reply-to ( pppoe0 213.3.242.151 )  proto tcp  from any to   10.64.16.18 port 3299  flags S/SA keep state  label "USER_RULE: NAT SAProuter on 10qas"
    pass  in  quick  on $LAN  $GWGW_WAN inet from 10.64.0.0/16 to   81.151.32.71 keep state  label "USER_RULE: VPN Site 1 nur über Swisscom"
    pass  in  quick  on $LAN  from 10.64.0.0/16 to   84.253.1.51 keep state ( sloppy  )  label "USER_RULE: Default allow LAN to any rule"
    pass  in  quick  on $LAN  from 10.64.0.0/16 to 82.223.1.33/29 keep state  label "USER_RULE: Default allow LAN to any rule"
    pass  in  quick  on $LAN  from   $private_network to   $private_network keep state  label "USER_RULE: Default allow LAN to any rule"
    pass  in  quick  on $LAN  from 10.64.0.0/16  to <negate_networks> keep state  label "NEGATE_ROUTE: Negate policy routing for destination"
    pass  in  quick  on $LAN  $GWCLIENTSWAN  from 10.64.0.0/16 to any keep state  label "USER_RULE"
    pass  in log  quick  on $LAN inet6 from fdbf:100f:912e:0:0:0:0:0/64  to <negate_networks> keep state  label "NEGATE_ROUTE: Negate policy routing for destination"
    pass  in log  quick  on $LAN  $GWCLIENTSWAN6 inet6 from fdbf:100f:912e:0:0:0:0:0/64 to any keep state  label "USER_RULE"
    pass  in  quick  on $LAN  proto tcp  from any to   84.253.1.50 port 225  flags S/SA keep state  label "USER_RULE: NAT LAN SMTP Redirect to Port 225"
    pass  in  quick  on $LAN  from any to 10.78.0.1/16 keep state  label "USER_RULE: Management VLAN"
    pass  in  quick  on $IPsec  from any to any keep state  label "USER_RULE"
    # SWISSCOMLANCABLECOMGRE1020DMZGRE1121GRE1130MANAGEMENTGRE1031pptpIPsecOpenVPN l2tp array key does not exist for  label "USER_RULE"
    pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: enable all"
    pass  in  quick  on $CABLECOM reply-to ( vr1_vlan1003 62.2.214.161 )  proto tcp  from any to 60.4.213.62 port 443  flags S/SA keep state  label "USER_RULE: HTTPS Firewall Access  "
    pass  in  quick  on $CABLECOM reply-to ( vr1_vlan1003 62.2.214.161 )  proto icmp  from any to 60.4.213.62 keep state  label "USER_RULE"
    pass  in  quick  on $CABLECOM reply-to ( vr1_vlan1003 62.2.214.161 )  proto tcp  from any to 60.4.213.62 port 51  flags S/SA keep state  label "USER_RULE: IPSEC Authenticated Headers  "
    pass  in  quick  on $CABLECOM reply-to ( vr1_vlan1003 62.2.214.161 )  proto udp  from any to 60.4.213.62 port 500  keep state  label "USER_RULE: IPSEC ISAKMP "
    pass  in  quick  on $CABLECOM reply-to ( vr1_vlan1003 62.2.214.161 )  proto esp  from any to 60.4.213.62 keep state  label "USER_RULE: IPSEC ESP"
    pass  in  quick  on $CABLECOM reply-to ( vr1_vlan1003 62.2.214.161 )  proto tcp  from any to 60.4.213.62 port 22225  flags S/SA keep state  label "USER_RULE: SSH Remote Administration"
    pass  in  quick  on $CABLECOM reply-to ( vr1_vlan1003 62.2.214.161 )  proto gre  from any to any keep state  label "USER_RULE"
    pass  in  quick  on $GRE1020  from any to any keep state  label "USER_RULE"
    pass  in  quick  on $DMZ  proto tcp  from 10.64.0.0/16 to   84.253.1.51 flags S/SA keep state ( sloppy tcp.established 600  )  label "USER_RULE: TCP Timeout SAP RFC"
    pass  in  quick  on $DMZ  from any to any keep state  label "USER_RULE: DMZ pass all"
    pass  in  quick  on $GRE1121  from any to any keep state  label "USER_RULE"
    pass  in  quick  on $GRE1130  from any to any keep state  label "USER_RULE"
    pass  in  quick  on $MANAGEMENT  from any to any keep state  label "USER_RULE"
    pass  in  quick  on $GRE1031  from any to any keep state  label "USER_RULE"
    pass  in  quick  on $pptp  from   10.0.0.0/8 to any keep state  label "USER_RULE"
    block  in log  quick  on $pptp  from any to any  label "USER_RULE"
    
    # Automatic Pass rules for any delegated IPv6 prefixes through dynamic IPv6 clients
    # Add rules to bypass firewall rules for static routes
    pass quick on $CABLECOM proto tcp from 62.2.214.160/29 to 84.82.22.64/32 flags any keep state(sloppy) label "pass traffic between statically routed subnets"
    pass quick on $CABLECOM from 62.2.214.160/29 to 84.82.22.64/32 keep state(sloppy) label "pass traffic between statically routed subnets"
    pass quick on $CABLECOM proto tcp from 84.82.22.64/32 to 62.2.214.160/29 flags any keep state(sloppy) label "pass traffic between statically routed subnets"
    pass quick on $CABLECOM from 84.82.22.64/32 to 62.2.214.160/29 keep state(sloppy) label "pass traffic between statically routed subnets"
    
    # VPN Rules
    pass out on $SWISSCOM  route-to ( pppoe0 213.3.242.151 )  proto udp from any to 81.151.32.71 port = 500 keep state label "IPsec: Site 1 - outbound isakmp"
    pass in on $SWISSCOM  reply-to ( pppoe0 213.3.242.151 )  proto udp from 81.151.32.71 to any port = 500 keep state label "IPsec: Site 1 - inbound isakmp"
    pass out on $SWISSCOM  route-to ( pppoe0 213.3.242.151 )  proto esp from any to 81.151.32.71 keep state label "IPsec: Site 1 - outbound esp proto"
    pass in on $SWISSCOM  reply-to ( pppoe0 213.3.242.151 )  proto esp from 81.151.32.71 to any keep state label "IPsec: Site 1 - inbound esp proto"
    pass out on $SWISSCOM  route-to ( pppoe0 213.3.242.151 )  proto udp from any to 74.53.32.116 port = 500 keep state label "IPsec: Site 2 DSL - outbound isakmp"
    pass in on $SWISSCOM  reply-to ( pppoe0 213.3.242.151 )  proto udp from 74.53.32.116 to any port = 500 keep state label "IPsec: Site 2 DSL - inbound isakmp"
    pass out on $SWISSCOM  route-to ( pppoe0 213.3.242.151 )  proto esp from any to 74.53.32.116 keep state label "IPsec: Site 2 DSL - outbound esp proto"
    pass in on $SWISSCOM  reply-to ( pppoe0 213.3.242.151 )  proto esp from 74.53.32.116 to any keep state label "IPsec: Site 2 DSL - inbound esp proto"
    pass out on $CABLECOM  route-to ( vr1_vlan1003 62.2.214.161 )  proto udp from any to 84.82.22.64 port = 500 keep state label "IPsec: Site 2 Cable - outbound isakmp"
    pass in on $CABLECOM  reply-to ( vr1_vlan1003 62.2.214.161 )  proto udp from 84.82.22.64 to any port = 500 keep state label "IPsec: Site 2 Cable - inbound isakmp"
    pass out on $CABLECOM  route-to ( vr1_vlan1003 62.2.214.161 )  proto esp from any to 84.82.22.64 keep state label "IPsec: Site 2 Cable - outbound esp proto"
    pass in on $CABLECOM  reply-to ( vr1_vlan1003 62.2.214.161 )  proto esp from 84.82.22.64 to any keep state label "IPsec: Site 2 Cable - inbound esp proto"
    pass out on $CABLECOM  route-to ( vr1_vlan1003 62.2.214.161 )  proto udp from any to 217.191.11.142 port = 500 keep state label "IPsec: Site 3g Cable - outbound isakmp"
    pass in on $CABLECOM  reply-to ( vr1_vlan1003 62.2.214.161 )  proto udp from 217.191.11.142 to any port = 500 keep state label "IPsec: Site 3g Cable - inbound isakmp"
    pass out on $CABLECOM  route-to ( vr1_vlan1003 62.2.214.161 )  proto esp from any to 217.191.11.142 keep state label "IPsec: Site 3g Cable - outbound esp proto"
    pass in on $CABLECOM  reply-to ( vr1_vlan1003 62.2.214.161 )  proto esp from 217.191.11.142 to any keep state label "IPsec: Site 3g Cable - inbound esp proto"
    pass out on $SWISSCOM  route-to ( pppoe0 213.3.242.151 )  proto udp from any to 217.92.81.173 port = 500 keep state label "IPsec: Site 3g DSL - outbound isakmp"
    pass in on $SWISSCOM  reply-to ( pppoe0 213.3.242.151 )  proto udp from 217.92.81.173 to any port = 500 keep state label "IPsec: Site 3g DSL - inbound isakmp"
    pass out on $SWISSCOM  route-to ( pppoe0 213.3.242.151 )  proto esp from any to 217.92.81.173 keep state label "IPsec: Site 3g DSL - outbound esp proto"
    pass in on $SWISSCOM  reply-to ( pppoe0 213.3.242.151 )  proto esp from 217.92.81.173 to any keep state label "IPsec: Site 3g DSL - inbound esp proto"
    anchor "tftp-proxy/*"
    

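The two calculations this thread turns on are easy to check by hand: how the 6rd /60 (and the border relay's IPv6 address) is derived from a public IPv4 address, and what a 1:1 prefix translation such as the posted `binat` rules does to a ULA host address. The following is an added example, not code from the thread, from pfSense or from Swisscom. It assumes a 6rd prefix of 2a02:1200::/28 with an IPv4MaskLen of 0; these parameters are inferred from the addresses quoted above (the /60 for 84.253.1.49 and the stf0 gateway 2a02:120c:1057:afe0:: for relay 193.5.122.254) and are not confirmed anywhere on this page. The last helper, `npt_target_in_interface_subnet`, is a constructed check for the objection arthurdent and jimp raised: the NPt destination /64 sits inside the /60 configured on stf0 itself.

```python
import ipaddress

# 6rd domain parameters: assumed values, inferred from the addresses quoted in
# the thread (2a02:1205:4fd0:1310::/60 for CE 84.253.1.49, relay address
# 2a02:120c:1057:afe0:: for 193.5.122.254), not taken from any provider document.
SIXRD_PREFIX = "2a02:1200::/28"
SIXRD_IPV4_MASK_LEN = 0          # all 32 bits of the IPv4 address are embedded


def sixrd_delegated_prefix(ce_ipv4, sixrd_prefix=SIXRD_PREFIX,
                           ipv4_mask_len=SIXRD_IPV4_MASK_LEN):
    """Derive the IPv6 prefix a 6rd CE obtains from its public IPv4 address.

    RFC 5969 section 5.1: the delegated prefix is the 6rd prefix followed by
    the low (32 - IPv4MaskLen) bits of the CE's IPv4 address.
    """
    domain = ipaddress.IPv6Network(sixrd_prefix)
    v4_bits = 32 - ipv4_mask_len
    embedded = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << v4_bits) - 1)
    plen = domain.prefixlen + v4_bits
    value = int(domain.network_address) | (embedded << (128 - plen))
    return ipaddress.IPv6Network((value, plen))


def sixrd_relay_address(br_ipv4, sixrd_prefix=SIXRD_PREFIX,
                        ipv4_mask_len=SIXRD_IPV4_MASK_LEN):
    """IPv6 address of the border relay, built from its IPv4 address the same
    way; this is the value that appears as the stf0 gateway in the posted
    rules.debug."""
    return sixrd_delegated_prefix(br_ipv4, sixrd_prefix, ipv4_mask_len).network_address


def npt_translate(addr, src_prefix, dst_prefix):
    """Rewrite addr's prefix bits from src_prefix to dst_prefix, keeping the
    host bits.

    Plain prefix substitution, as a 1:1 binat-style mapping does; the
    checksum-neutral adjustment of RFC 6296 is deliberately not implemented.
    """
    a = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NPt prefixes must have the same length")
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    host = int(a) & ((1 << (128 - src.prefixlen)) - 1)
    return ipaddress.IPv6Address(int(dst.network_address) | host)


def npt_target_in_interface_subnet(npt_dst_prefix, interface_prefix):
    """True when the NPt destination prefix lies inside the subnet configured
    on the interface itself, the situation the replies in this thread say
    cannot work (the firewall would have to answer neighbour discovery for the
    whole range)."""
    return ipaddress.IPv6Network(npt_dst_prefix).subnet_of(
        ipaddress.IPv6Network(interface_prefix))


if __name__ == "__main__":
    ce = sixrd_delegated_prefix("84.253.1.49")
    print("delegated prefix:", ce)                                # 2a02:1205:4fd0:1310::/60
    print("border relay:", sixrd_relay_address("193.5.122.254"))  # 2a02:120c:1057:afe0::
    inside, outside = "fdbf:100f:912e::/64", "2a02:1205:4fd0:1310::/64"
    out = npt_translate("fdbf:100f:912e::99", inside, outside)
    print("outbound:", out)                                       # 2a02:1205:4fd0:1310::99
    print("reply:", npt_translate(str(out), outside, inside))     # fdbf:100f:912e::99
    print("NPt target inside stf0 subnet:",
          npt_target_in_interface_subnet(outside, str(ce)))       # True
```

Running it reproduces the addresses seen in the packet captures above (fdbf:100f:912e::99 leaving as 2a02:1205:4fd0:1310::99) and shows that the NPt destination /64 is a subnet of the /60 that 6rd places on stf0, which is why a separate routed /64 (the tracking interface in the later post) is needed for the return path.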

  • Me again

    The main problem seems to be that the IPv6 NAT is done on the pppoe0 interface (provider DSL) instead of the 6rd tunnel interface stf0.

    Reading out the NAT rules with "pfctl -sn" gives:

    binat on pppoe0 inet6 from fdbf:100f:912e::/64 to any -> 2a02:1205:4fd0:1310::/64
    binat on pppoe0 inet6 from any to 2a02:1205:4fd0:1310::/64 -> fdbf:100f:912e::/64

    For a temporary solution I changed that to stf0.

    1. Write the NAT rules out to a file:

    pfctl -sn > /var/tmp/tempfile
    

    2. Change pppoe0 in /var/tmp/tempfile to stf0

    3. Read back in the NAT rules

    pfctl -Nf /var/tmp/tempfile
    

    NAT works now. But the returning packets are not redirected to the LAN interface. As athurdent mentioned there was no such network 2a02:1205:4fd0:1310::/64. Thank you for the hint.
    I had to create a dummy interface with an unused VLAN and interface tracking set to the SWISSCOM (DSL Provider) interface.


    An IPv6 Network is then assigned to the dummy interface:


    Internet IPv6 access is now possible for clients in LAN.

    What do you think about this "workaround"? Should NPt not take into consideration applying the rules on the tunnel interface (stf0) when 6rd is used?




  • No one having the same problem with 6rd in conjunction with NPt?

