tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

IPV6 router works, but clients fail

OK, I'm almost there with IPv6 now. The router is working fine by itself with IPv6. My test site is as it's my ISP and the transport is pure IPv6

wget -6
works fine.

Clients at first appear fine as well, and can connect to, however this fails
wget -6

What is really odd is the traceroute6 from to the client

$ traceroute6 2a01:348:31:2:20e:2eff:fe66:36ec
traceroute6 to 2a01:348:31:2:20e:2eff:fe66:36ec (2a01:348:31:2:20e:2eff:fe66:36ec) from 2001:4f8:3:7:230:48ff:fe31:43f2, 64 hops max, 12 byte packets
 1  2001:4f8:3:7::1  1.363 ms  1.27 ms  0.734 ms
 2  4.614 ms  4.901 ms  5.393 ms
 3  2.274 ms  1.964 ms  1.913 ms
 4  2.35 ms  2.049 ms  2.315 ms
 5  2.257 ms  2.236 ms  2.157 ms
 6  3.763 ms  3.527 ms  3.804 ms
 7  59.208 ms  64.015 ms  64.135 ms
 8  59.49 ms  59.861 ms  64.139 ms
 9  79.759 ms  78.668 ms  78.344 ms
10  83.645 ms  83.981 ms  83.694 ms
11  151.626 ms  155.074 ms  155.082 ms
12  316.029 ms  244.966 ms  350.231 ms
13  2001:728:0:5000::6e  156.617 ms  280.137 ms  153.643 ms
14  152.039 ms  156.782 ms  153.582 ms
15  2a01:348:31:2:209:5bff:fe84:887d  167.777 ms  171.006 ms  165.695 ms

Wtf? The last node is not my client - it's the router!
So I think my router isn't passing packets to the client.
However, can ping6 the client.

I'm not a PF expert by any means so I've attached the pf.conf from my router.

Anyone got an idea?


#       $NetBSD: pf.conf,v 1.4 2008/06/18 09:06:25 yamt Exp $
#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.


# asterisk needs 5060 (tcp, udp) and 4569 (udp)
# We special case ssh and domain
tcp_services="{ ident, smtp, www, imap, git, svn, \
                ftp, ftp-data, 50000:50100, svn, rsync }"
icmp6_types="{ echoreq, neighbradv, neighbrsol }"

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# scrub
scrub in
scrub out on pppoe0 max-mss 1452

# Schedulers
altq on  $ext_if priq bandwidth 500Kb queue { std_out, ssh_out, dns_out, \
                                            tcp_ack_out }
queue std_out           priq(default)
queue ssh_out           priority 4 priq(red)
queue dns_out           priority 5
queue tcp_ack_out       priority 6

altq on $int_if cbq bandwidth 3.5Mb queue { std_in, ssh_in, dns_in }
queue std_in            cbq(default)
queue ssh_in            priority 4
queue dns_in            priority 5

# nat/rdr
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
nat on rtk0 from !(rtk0) -> (rtk0:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from any to any port ftp -> port 8021

rdr-anchor miniupnpd
anchor miniupnpd

# filter rules
block in
anchor "ftp-proxy/*"
antispoof quick for lo 
# antispoof fails for inet6?
antispoof quick for { $int_if } inet

pass out
pass in quick on $int_if

pass in on $ext_if inet proto tcp from any to ($ext_if) \
        port $tcp_services queue(std_out, tcp_ack_out)
pass in on $ext_if inet6 proto tcp from any to any \
        port $tcp_services queue(std_out, tcp_ack_out)
pass in on $ext_if inet proto {tcp udp} from any to ($ext_if) \
        port domain queue dns_out
pass in on $ext_if inet6 proto {tcp udp} from any to any \
        port domain queue dns_out
pass in on $ext_if inet proto tcp from any to ($ext_if) \
        port ssh queue ssh_out
pass in on $ext_if inet6 proto tcp from any to any \
        port ssh queue ssh_out
pass in inet proto icmp all icmp-type $icmp_types
pass in inet6 proto ipv6-icmp all icmp6-type $icmp6_types

Home | Main Index | Thread Index | Old Index