Hi all,

we have a bit of a problem with some new servers that
use NAT64 to access certain services that offer only
legacy IP - like github.

As far as I found the respective NAT64 gateways (in jails
with VNET) are configured identically except for the
particular addresses, of course.

Yet, 11.2 works, 11.3-RC1 doesn’t.

OK, on to the config …

Working server:

ifconfig inet0
inet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 2a00:b580:8000:12:xxxx:xxxx:xxxx:xxxx prefixlen 64

netstat -rn
64:ff9b::/96                      2a00:b580:8000:12:yyyy:yyyy:yyyy:yyyy UGS    inet0

drill github.map.fastly.net aaaa
github.map.fastly.net.  15      IN      AAAA    64:ff9b::9765:7085

ping6 github.map.fastly.net 
16 bytes from 64:ff9b::9765:7085, icmp_seq=0 hlim=57 time=3.801 ms


Broken server:

ifconfig inet0
inet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 2a00:b580:8000:12:xxxx:xxxx:xxxx:xxxx prefixlen 64

netstat -rn
64:ff9b::/96                      2a00:b580:8000:12:yyyy:yyyy:yyyy:yyyy UGS    inet0

drill github.map.fastly.net aaaa
github.map.fastly.net.  15      IN      AAAA    64:ff9b::9765:7085

So up to the 4-in-6 DNS translation everything is working as it should, but then
when actual traffic is involved:

ping6 github.map.fastly.net
16 bytes from d91d:2891::9765:7085, icmp_seq=0 hlim=57 time=2.324 ms

What the … is this IP address here? All I know is that the block is supposed to
be IANA reserved. And TCP connections to github.map.fastly.net of course stall,
never receiving an answer packet.

The NAT64 gateways on both servers have these ipfw rules:

root@gate64:~ # ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
01100 allow ipv6-icmp from :: to ff02::/16
01200 allow ipv6-icmp from fe80::/10 to fe80::/10
01300 allow ipv6-icmp from fe80::/10 to ff02::/16
01400 allow ipv6-icmp from any to me6 ip6 icmp6types 1,2,3,4
01500 allow ipv6-icmp from any to any ip6 icmp6types 135,136
02000 allow icmp from any to me icmptypes 8
02100 allow ipv6-icmp from any to me6 ip6 icmp6types 128,129
03000 allow tcp from any to 217.29.40.y 80,443
03100 allow tcp from me6 to any 80,443
05000 nat64lsn NAT64 ip from 2a00:b580::/32 to 64:ff9b::/96 in
05100 nat64lsn NAT64 ip from any to 217.29.40.y in
65535 allow ip from any to any

Any hints welcome.

Thanks,
Patrick
-- 
punkt.de GmbH                   Internet - Dienstleistungen - Beratung
Kaiserallee 13a                 Tel.: 0721 9109-0 Fax: -100
76133 Karlsruhe                 i...@punkt.de   http://punkt.de
AG Mannheim 108285              Gf: Juergen Egeling
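Added example, not part of Patrick's mail or of FreeBSD: a small RFC 6052 helper that synthesizes and decodes 64:ff9b::/96 addresses and compares a pinged address with the source of the reply, the way the two ping6 runs above differ. It assumes the standard /96 well-known prefix from the routing table and DNS64 answer shown in the post, and it reports that the odd reply shares only the low 32 bits (the embedded IPv4 address) with what was pinged.

```python
import ipaddress

# Well-known NAT64 prefix (RFC 6052); both the netstat route and the
# DNS64 AAAA answer in the post use it.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

def embed_ipv4(ipv4, prefix=NAT64_PREFIX):
    """Synthesize the IPv6 address a DNS64 resolver returns for an
    IPv4-only host when the NAT64 prefix is a /96 (RFC 6052 2.2)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(prefix.network_address) | v4)

def extract_ipv4(addr, prefix=NAT64_PREFIX):
    """Recover the embedded IPv4 address from a /96-prefixed NAT64 address."""
    a = ipaddress.IPv6Address(addr)
    if a not in prefix:
        raise ValueError(f"{a} is not inside {prefix}")
    return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)

def check_reply(dst, reply_src, prefix=NAT64_PREFIX):
    """Compare the address that was pinged with the source address of
    the echo reply. A healthy NAT64 path returns the reply from the
    same prefixed address; anything else is worth a closer look."""
    d = int(ipaddress.IPv6Address(dst))
    s = int(ipaddress.IPv6Address(reply_src))
    return {
        # Is the reply source inside the configured NAT64 prefix at all?
        "src_in_prefix": ipaddress.IPv6Address(s) in prefix,
        # Do the upper 96 bits (the prefix part) agree?
        "upper_96_bits_match": (d >> 32) == (s >> 32),
        # Do the low 32 bits (the embedded IPv4 address) agree?
        "same_embedded_ipv4": (d & 0xFFFFFFFF) == (s & 0xFFFFFFFF),
        "embedded_ipv4": str(ipaddress.IPv4Address(s & 0xFFFFFFFF)),
    }

if __name__ == "__main__":
    # Constructed from the two ping6 outputs quoted in the mail.
    pinged = "64:ff9b::9765:7085"
    print(check_reply(pinged, "64:ff9b::9765:7085"))   # working server
    print(check_reply(pinged, "d91d:2891::9765:7085")) # broken server
```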
