hi

my setup

a multi-homed openbsd box
a working sixxs tunnel with the endpoint openbsd

forwarding for ipv4 and ipv6 is on

a running rtadvd on re0 lan_if

block rules for all interfaces except re0 (lan_if)

for testing i use traceroute6.net

outgoing ping6 and traceroute6 from the openbsd box and from my workstation are ok.

incoming traceroute6 from outside to openbsd and workstation ok
incoming icmp6 only to openbsd is working; to the workstation it failed (just the first packet, and only this packet, works; the rest fail)

after adding a rule

pass quick on $lan_if inet6 proto ipv6-icmp keep state

the ping6 also works to the workstation as expected.

can someone explain what's happened?

holger

below is my ruleset for re0; if needed I can post the whole ruleset.

# pfctl -a '*' -sr | grep re0
block return on re0 inet proto tcp from ! 192.168.132.254 to any port = 25
block return on re0 inet proto tcp from ! 192.168.131.250 to any port = 25
pass in quick on re0 inet proto tcp from 192.168.131.0/24 to any port = 21 flags S/SA divert-to 127.0.0.1 port 8021
pass in quick on re0 inet proto tcp from 192.168.132.0/24 to any port = 21 flags S/SA divert-to 127.0.0.1 port 8021
pass in quick on re0 inet proto tcp from 192.168.131.0/24 to <dns-server-unitymedia> port = 53 flags S/SA route-to 192.168.132.254@re3
pass in quick on re0 inet proto udp from 192.168.131.0/24 to <dns-server-unitymedia> port = 53 route-to 192.168.132.254@re3
pass in quick on re0 inet proto tcp from 192.168.131.0/24 to <dns-server-netcologne> port = 53 flags S/SA route-to (pppoe0)@pppoe0 round-robin
pass in quick on re0 inet proto udp from 192.168.131.0/24 to <dns-server-netcologne> port = 53 route-to (pppoe0)@pppoe0 round-robin
pass in quick on re0 inet proto tcp from 192.168.131.0/24 to ! 192.168.132.0/24 port = 80 flags S/SA route-to 192.168.132.254@re3
pass in quick on re0 inet proto tcp from 192.168.131.0/24 to ! 192.168.132.0/24 port = 993 flags S/SA route-to 192.168.132.254@re3
pass in quick on re0 inet proto tcp from 192.168.131.0/24 to ! 192.168.132.0/24 port = 443 flags S/SA route-to 192.168.132.254@re3
  pass quick on re0 inet proto tcp from any to (re0) port = 25 flags S/SA
  pass quick on re0 inet proto tcp from any to (re0) port = 53 flags S/SA
  pass quick on re0 inet proto udp from any to (re0) port = 53
  pass quick on re0 inet6 proto ipv6-icmp all
  pass quick on re0 proto icmp all
  pass in quick on re0 all flags S/SA allow-opts
  pass quick on re0 proto carp all keep state (no-sync)
  pass quick on re0 proto ospf all keep state (no-sync)
  pass quick on re0 proto igmp all keep state (no-sync)
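As an added illustration that is not part of the original post or of its ruleset, the pf.conf fragment below shows one common way to write explicit, stateful ICMPv6 rules on an OpenBSD router's LAN interface, so that neighbor discovery, echo requests in both directions and the error messages traceroute6 relies on are each matched by a rule of their own. It assumes lan_if is re0 as in the post; the IPv6 prefix is a constructed placeholder from the documentation range, and the icmp6-type names are those listed in pf.conf(5).

```pf
# Added example, not from the original post: explicit ICMPv6 rules on the LAN side
# of an OpenBSD IPv6 router. Assumptions: lan_if = re0 (as in the post), the prefix
# below is a constructed placeholder, and pass rules keep state by default.
lan_if   = "re0"
lan_net6 = "2001:db8:0:1::/64"

# Default deny, logged to pflog so anything not matched below is visible.
# (A per-interface block set, as in the original ruleset, would stand here instead.)
block log all

# Neighbor Discovery: without these the router cannot resolve or advertise on the
# LAN at all. They are link-local, hop-limit 255 messages.
pass on $lan_if inet6 proto ipv6-icmp \
    icmp6-type { neighbrsol, neighbradv, routersol, routeradv }

# Echo request from a LAN host outward: the state entry created here lets the
# matching echo reply back in, so no separate echorep rule is needed.
pass in on $lan_if inet6 proto ipv6-icmp from $lan_net6 icmp6-type echoreq

# Echo request arriving from outside and forwarded to a LAN host: passed out on
# the LAN interface, and its state carries the reply back in on re0. The tunnel
# interface needs its own matching pass-in rule for that forwarded request.
pass out on $lan_if inet6 proto ipv6-icmp to $lan_net6 icmp6-type echoreq

# Error messages that path MTU discovery and traceroute6 depend on.
pass in on $lan_if inet6 proto ipv6-icmp \
    icmp6-type { toobig, timex, unreach, paramprob }
```

After loading such a ruleset, `pfctl -ss | grep icmp6` shows whether an echo request actually created a state entry, and `pfctl -vsr` shows the per-rule match counters, which together tell you which rule a given ICMPv6 packet hit and whether its reply was matched by state or had to find a rule of its own.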
