Bug #16429

open

NAT64 rules using reply-to do not forward packets

Added by Marcos M 17 days ago.

Status: Confirmed
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version:
Affected Architecture:

Description

NAT64 rules with reply-to, i.e. WAN rules, do not forward packets e.g. to LAN.

In this example, vmx1 is the WAN and vmx2 is the LAN:

[25.11-DEVELOPMENT][root@router.lab.arpa]/root: ifconfig vmx1
vmx1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WAN
        options=4e000bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether 00:50:56:b2:de:1b
        inet 10.0.50.100 netmask 0xffffff00 broadcast 10.0.50.255
        inet6 fe80::250:56ff:feb2:de1b%vmx1 prefixlen 64 scopeid 0x2
        inet6 2001:db8:0:50:250:56ff:feb2:de1b prefixlen 64 autoconf pltime 14400 vltime 86400
        inet6 2001:db8:0:50:50:ffff:0:3 prefixlen 128 pltime 4500 vltime 7200
        media: Ethernet autoselect
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
[25.11-DEVELOPMENT][root@router.lab.arpa]/root: ifconfig vmx2
vmx2: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: SITEA_WAN1
        options=4e000bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether 00:50:56:b2:71:1f
        inet 192.0.2.1 netmask 0xfffffff0 broadcast 192.0.2.15
        inet6 fe80::250:56ff:feb2:711f%vmx2 prefixlen 64 scopeid 0x3
        inet6 fc00:192:0:2a::1 prefixlen 64
        media: Ethernet autoselect
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

I create the NAT64 rule on the WAN, using the LAN's address for the af-to source:

[25.11-DEVELOPMENT][root@router.lab.arpa]/root: pfctl -vsr | grep "test" 
pass in quick on vmx1 reply-to (vmx1 fe80::290:bff:fe7c:5fc) inet6 proto ipv6-icmp from any to 64:ff9b::/96 keep state (if-bound) label "id=1757707177" label "tags=user_rule" label "descr=test" ridentifier 1757707177 af-to inet from 192.0.2.1

I send a ping from an upstream device into WAN:

ping6 -S 2001:db8:0:50:50::1 64:ff9b::c000:202

A state gets created on the LAN:

[25.11-DEVELOPMENT][root@router.lab.arpa]/root: pfctl -vvss | grep -A3 "64:ff9b::c000:202" 
vmx2 ipv6-icmp 192.0.2.1:22620 (2001:db8:0:50:50::1[22620]) -> 192.0.2.2:8 (64:ff9b::c000:202[22620])       NO_TRAFFIC:NO_TRAFFIC
   age 00:00:55, expires in 00:00:10, 55:0 pkts, 3080:0 bytes, anchor 1, rule 114
   id: d859c26800000000 creatorid: 3b644e41 reply-to: fe80::290:bff:fe7c:5fc@vmx1
   origif: vmx1

But the packet seemingly disappears. A tcpdump shows that the packet for 192.0.2.2 never goes out of vmx2 even though a route exists for it:

[25.11-DEVELOPMENT][root@router.lab.arpa]/root: netstat -rn4 | grep 192.0.2.0
192.0.2.0/28       link#3             U              vmx2
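The diagnosis above rests on reading the `pfctl -vvss` state entry: packets are counted in one direction only, the state lives on vmx2, but its reply-to gateway and origif point back at vmx1. The following script is an added example, not part of the report or of pfSense/pf, that parses that state-dump format and flags exactly this pattern (a state carrying reply-to for another interface that has seen traffic in one direction only). The sample input is the state entry copied from the report; the field names of the `PfState` record and the `stuck_reply_to_states` heuristic are this example's own choices, not pf terminology.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# State dump copied from the report above (pfctl -vvss output with the shell
# prompt line removed so only pf's own output remains).
SAMPLE_STATE_DUMP = """\
vmx2 ipv6-icmp 192.0.2.1:22620 (2001:db8:0:50:50::1[22620]) -> 192.0.2.2:8 (64:ff9b::c000:202[22620])       NO_TRAFFIC:NO_TRAFFIC
   age 00:00:55, expires in 00:00:10, 55:0 pkts, 3080:0 bytes, anchor 1, rule 114
   id: d859c26800000000 creatorid: 3b644e41 reply-to: fe80::290:bff:fe7c:5fc@vmx1
   origif: vmx1
"""


@dataclass
class PfState:
    """One entry of a pfctl -vvss dump (field names chosen for this example)."""
    iface: str                      # interface the state is bound to
    proto: str
    src: str                        # as printed, including "(original)" part for translated states
    dst: str
    state: str                      # e.g. NO_TRAFFIC:NO_TRAFFIC
    pkts_fwd: int = 0               # packets in the state's creating direction
    pkts_rev: int = 0               # packets in the reply direction
    rule: Optional[int] = None
    reply_to_gw: Optional[str] = None
    reply_to_if: Optional[str] = None
    origif: Optional[str] = None
    translated: bool = False        # parenthesised endpoints mean nat/af-to was applied


_PKTS = re.compile(r"(\d+):(\d+) pkts")
_RULE = re.compile(r"\brule (\d+)")
_REPLY_TO = re.compile(r"reply-to: (\S+)@(\S+)")
_ORIGIF = re.compile(r"origif: (\S+)")


def parse_states(text: str) -> list[PfState]:
    """Split a pfctl -vvss dump into PfState records.

    A record starts at a non-indented line ("<if> <proto> <src> -> <dst> <STATE>");
    the indented lines that follow carry counters, rule number, reply-to and origif.
    """
    states: list[PfState] = []
    cur: Optional[PfState] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            tokens = line.split()
            iface, proto, state_str = tokens[0], tokens[1], tokens[-1]
            endpoints = " ".join(tokens[2:-1])
            src, dst = endpoints.split(" -> ", 1)
            cur = PfState(iface, proto, src, dst, state_str,
                          translated=("(" in src or "(" in dst))
            states.append(cur)
            continue
        if cur is None:
            continue  # indented line without a header: skip defensively
        if m := _PKTS.search(line):
            cur.pkts_fwd, cur.pkts_rev = int(m.group(1)), int(m.group(2))
        if m := _RULE.search(line):
            cur.rule = int(m.group(1))
        if m := _REPLY_TO.search(line):
            cur.reply_to_gw, cur.reply_to_if = m.group(1), m.group(2)
        if m := _ORIGIF.search(line):
            cur.origif = m.group(1)
    return states


def stuck_reply_to_states(states: list[PfState]) -> list[PfState]:
    """Heuristic used in this example: a state that carries reply-to for a
    different interface than the one it is bound to, and that has forwarded
    packets without ever seeing a reply, matches the symptom in the report."""
    return [s for s in states
            if s.reply_to_if is not None
            and s.reply_to_if != s.iface
            and s.pkts_fwd > 0 and s.pkts_rev == 0]


if __name__ == "__main__":
    for s in stuck_reply_to_states(parse_states(SAMPLE_STATE_DUMP)):
        print(f"{s.iface} rule {s.rule}: {s.pkts_fwd} pkts out, {s.pkts_rev} back, "
              f"reply-to {s.reply_to_gw}@{s.reply_to_if}, origif {s.origif}, "
              f"translated={s.translated}")
```

Run it against a live dump with `pfctl -vvss | python3 this_script.py` after swapping `SAMPLE_STATE_DUMP` for `sys.stdin.read()`; the one-direction counter check is only a hint that packets are being dropped after state creation, so confirm with tcpdump on the expected egress interface as the report does.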
