Subject: Re: bridge+route simultaneously?
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Pavel Cahyna <pcah8322@artax.karlin.mff.cuni.cz>
List: netbsd-users
Date: 11/09/2005 10:18:10
On Tue, Nov 08, 2005 at 03:54:36PM -0500, Steven M. Bellovin wrote:
> Right now, I'm using a 3-interface box to bridge different segments of 
> my home network and connect them to my cable modem.  (The cable modem 
> has its own NAT function.)  That's fine for v4; however, I'd like to 
> pick up v6 packets there and tunnel them somewhere via 6to4.  I suspect 
> that it isn't possible to do that; I'd be happy to find out I'm wrong.  

If you have a 2002:xxxx:yyyy: 6to4 prefix, you should be able to configure
a, say, 2002:xxxx:yyyy:0::1 stf interface on the bridging box, assign an
address (say 2002:xxxx:yyyy:1::1) on one of the bridged interfaces, assign
addresses from the 2002:xxxx:yyyy:1::/64 range to all machines on all
segments of your home network and tell them that the default route is
2002:xxxx:yyyy:1::1 .

Now the problem is probably that you have only a private IPv4 address (say
aa.bb.cc.dd) on the bridging box and only the cable modem has the public
xx.xx.yy.yy address, so 6to4 won't work. I solved it with the following
trick:

# cat /etc/ipnat.conf                                               
bimap ex0 xx.xx.yy.yy/32 -> aa.bb.cc.dd/32 ipv6

# ifconfig lo0 inet xx.xx.yy.yy alias

Now outgoing 6to4 should work. For incoming, you will have to convince the
cable modem to forward all incoming packets which don't match the
established NAT states to aa.bb.cc.dd . Or at least the 6to4 packets.
I haven't tested the last step yet, because in my case, the NAT is a
provider outside my control.

Have I understood the problem correctly?

Pavel Cahyna
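An added example (not part of the mail thread above) that works through the addressing plan Pavel describes: it derives the 2002:xxxx:yyyy::/48 prefix from the public IPv4 address, lays out the stf address in subnet 0 and the bridged LAN in subnet 1, and checks that a 6to4 address really embeds the public address the cable modem holds rather than the private one on the bridging box, which is exactly why the bimap trick is needed. The address 1.2.3.4 is a constructed stand-in for xx.xx.yy.yy; 10.0.0.2 stands in for aa.bb.cc.dd.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Derive the 2002:xxxx:yyyy::/48 prefix for a public IPv4 address.

    A private (RFC 1918) address is rejected: a relay could never route
    the reply tunnel back to it, which is the failure the bimap works around.
    """
    v4 = ipaddress.IPv4Address(ipv4)
    if not v4.is_global:
        raise ValueError(f"{ipv4} is not globally routable; 6to4 needs a public address")
    hi, lo = int(v4) >> 16, int(v4) & 0xFFFF
    return ipaddress.IPv6Network(f"2002:{hi:04x}:{lo:04x}::/48")


def embedded_ipv4(v6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 address carried in bits 16..47 of a 6to4 address."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in SIXTO4:
        raise ValueError(f"{v6} is not a 6to4 address")
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def tunnel_source_matches(v6: str, nat_public_ipv4: str) -> bool:
    """True if the 6to4 address embeds the address the NAT presents upstream.

    Encapsulated packets leaving the stf interface must carry this IPv4
    source, which is what 'bimap ex0 <public>/32 -> <private>/32' arranges.
    """
    return embedded_ipv4(v6) == ipaddress.IPv4Address(nat_public_ipv4)


def plan_addresses(public_ipv4: str, lan_subnet_id: int = 1) -> dict:
    """Lay out the stf address (subnet 0) and the bridged LAN (subnet 1)."""
    prefix = sixto4_prefix(public_ipv4)
    lan_base = prefix.network_address + (lan_subnet_id << 64)
    return {
        "prefix": str(prefix),
        "stf": str(prefix.network_address + 1),          # 2002:xxxx:yyyy:0::1
        "lan_net": str(ipaddress.IPv6Network(f"{lan_base}/64")),
        "lan_router": str(lan_base + 1),                 # hosts' default route
    }


if __name__ == "__main__":
    # Constructed values: 1.2.3.4 = cable modem's public side, 10.0.0.2 = bridge box
    print(plan_addresses("1.2.3.4"))
    print(tunnel_source_matches("2002:102:304:1::1", "1.2.3.4"))
```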