I would suggest being more specific with your nat rule. If you have a default v6 route on gre, this is in group egress too, and might get picked as the interface to try and nat packets to, but it doesn't have a v4 address so the nat can't work. Because you're using (egress:0) rather than just egress:0 to track address changes, you won't be able to see what's going on using the standard tools (pfctl -vf /etc/pf.conf, pfctl -sr, etc) which might otherwise clarify things.
You probably want something like this,

match out on pppoe0 inet from !(pppoe0:network) nat-to (pppoe0:0)

On 2011-06-08, Benjamin Kiessling <mittages...@l.unchti.me> wrote:
> Hi again,
>
> I've got an issue related to my earlier problems with GRE tunnels and OSPF.
> My OpenBSD box acts as a (NAT) router between my local network and the IPv4
> Internet. Additionally there is a GRE tunnel between the box and a server
> over which I route into the IPv6 internet. What happens is that after I add
> the IPv6 default route on gre0 I lose IPv4 connectivity on the local
> network. The whole setup looks like this:
>
>                                       GRE (fe80::acfa:ffa0)
>       GRE (fe80...) _________________________ ______ IPv6 Router --- IPv6 Internet
>                    /                         \ /
> LAN -------------- OpenBSD ----- Modem --- IPv4 Internet
> (172.22.94.64/27)  172.22.94.1
>                    2001:470:9ed3:1423::
>
> The GRE tunnel endpoints don't have public IPv6 addresses and I add the
> default route on the Router via
> "route -n add -inet6 default fe80::acfa:ffa0%gre0". ICMPv4 still works on
> LAN but establishing TCP connections fails initially, hinting that my
> firewall config is somewhat skewed. On the first connection request to an
> IPv4 host on the Internet the router doesn't NAT the packets, forwarding
> them with the LAN IPv4 address to the modem. Subsequent requests get NATed
> correctly. My pf.conf looks like this:
>
> set skip on lo
> set skip on enc0
> set skip on gre0
> pass
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> pass out quick
>
> I'm still not that familiar with OpenBSD, but I've read all relevant man
> pages and couldn't find an explanation for this behavior.
>
> Regards,
> Benjamin Kiessling
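Added example, not part of the original thread: a small check for the condition described in the reply, an interface that is a member of group egress but carries no IPv4 address. It assumes OpenBSD-style ifconfig output (a "groups:" line per interface); the function names, the em0 interface and every address in the sample are constructed for illustration.

```shell
#!/bin/sh
# Print every interface that is in group "egress" but has no "inet" address.
# Reads ifconfig-style output on stdin; on the router itself you would run:
#   ifconfig | egress_without_inet
egress_without_inet() {
    awk '
        # Emit the interface block we just finished, if it matches.
        function report() {
            if (name != "" && egress && !has4) print name
        }
        # A new interface block starts in column 0, e.g. "gre0: flags=..."
        /^[^ \t]+: / {
            report()
            name = $1; sub(/:$/, "", name)
            egress = 0; has4 = 0
            next
        }
        # Group membership line, e.g. "groups: gre egress"
        $1 == "groups:" {
            for (i = 2; i <= NF; i++) if ($i == "egress") egress = 1
        }
        # Exact match on "inet" so that "inet6" lines do not count as IPv4.
        $1 == "inet" { has4 = 1 }
        END { report() }
    '
}

# Constructed sample (not captured from a real host): pppoe0 holds the IPv4
# default route, gre0 holds the IPv6 default route, so both are in egress.
sample_ifconfig() {
    cat <<'EOF'
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 172.22.94.65 netmask 0xffffffe0 broadcast 172.22.94.95
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        groups: pppoe egress
        inet 192.0.2.10 --> 192.0.2.1 netmask 0xffffffff
gre0: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> mtu 1476
        groups: gre egress
        inet6 fe80::acfa:ff9f%gre0 ->  prefixlen 64 scopeid 0x7
EOF
}

sample_ifconfig | egress_without_inet
```

Any name it prints is an egress member that a rule written with nat-to (egress:0) has no IPv4 address for, which is the case the reply suggests avoiding by naming pppoe0 explicitly.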