Current-Users archive


stf(4) / 6to4 encapsulation behind (!) ipnat router / firewall



Hi!

Is it possible to run a stf(4) interface behind a firewall (different
machines)?

Till now I'm running stf(4) / pkgsrc/net/hf6to4 on the same machine
which is handling the internet connection (pppoe) itself.

I'm considering letting the internet connection be handled by a
separate router (fritz!box in my case), so the stf(4)-machine will no
longer have direct internet access.

Now my/the question: Should a stf(4) interface still be functional if
the corresponding ipv4 address is not directly available on the same
host (now routed to the new / separate internet router)?

I tried to set up such a config.:

  ifconfig stf0 inet6 2002:xxxx:xxxx:1::1 prefixlen 16 alias
  route add -inet6 default 2002:c058:6301::

, where 'xxxx:xxxx' is the external ipv4 address of the separate
router.

ipv4 ping works flawlessly:

  # ping www.netbsd.org                       
  PING www.netbsd.org (204.152.190.12): 56 data bytes
  64 bytes from 204.152.190.12: icmp_seq=0 ttl=244 time=177.768 ms

but ipv6 does not:

  # ping6 www.netbsd.org
  PING6(56=40+8+8 bytes) 2002:xxxx:xxxx:1::1 --> 2001:4f8:4:7:2e0:81ff:fe52:9a6b
  ping6: sendmsg: Network is down
  ping6: wrote www.netbsd.org 16 chars, ret=-1

So, no attempt is even made to send these packets via stf0.

-> Is this a (wanted) limitation of stf(4) implementation?

   Did I miss something in this config.?

   Any other (easy) way to get ipv6 connectivity behind an ipv4
   router / firewall?

Thanks,

Markus.
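
An added example, not part of the original post: it works through the 6to4 address arithmetic behind the configuration above, showing which IPv4 address a 2002::/16 address embeds (including the default route 2002:c058:6301::) and whether that address is one the stf(4) host itself holds, which is the condition the question is about. The router address 203.0.113.7, the LAN address 192.168.178.20 and all function names are constructed for illustration.

```python
import ipaddress

def sixtofour_prefix(v4):
    """Return the 2002:V4ADDR::/48 prefix 6to4 derives from an IPv4 address."""
    v4 = ipaddress.IPv4Address(v4)
    # 0x2002 fills bits 0-15, the IPv4 address fills bits 16-47.
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))

def stf_address(v4, subnet=1, host=1):
    """Build an address shaped like the post's 2002:xxxx:xxxx:1::1."""
    return sixtofour_prefix(v4).network_address + (subnet << 64) + host

def embedded_v4(v6):
    """Return the IPv4 address inside a 2002::/16 address, or None."""
    return ipaddress.IPv6Address(v6).sixtofour

def check_stf_config(stf_addr, default_gw, local_v4):
    """Relate a stf0 address and its default route to the host's IPv4 addresses."""
    endpoint = embedded_v4(stf_addr)
    local = {ipaddress.IPv4Address(a) for a in local_v4}
    return {
        "tunnel_endpoint": endpoint,           # IPv4 address the prefix is built from
        "endpoint_is_local": endpoint in local,  # is it configured on this host?
        "relay": embedded_v4(default_gw),      # IPv4 address behind the default route
    }

if __name__ == "__main__":
    # Constructed sample values (assumptions, not taken from the post).
    ROUTER_WAN = "203.0.113.7"      # external IPv4 address of the separate router
    HOST_V4 = ["192.168.178.20"]    # IPv4 addresses configured on the stf(4) host

    addr = stf_address(ROUTER_WAN)
    report = check_stf_config(addr, "2002:c058:6301::", HOST_V4)
    print("stf0 address    :", addr)
    print("tunnel endpoint :", report["tunnel_endpoint"])
    print("held by host    :", report["endpoint_is_local"])
    print("default relay   :", report["relay"])
```
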

