On 23/09/2015 16:16, Marios Makassikis wrote:
> On 23 September 2015 at 15:34, Giancarlo Razzolini <grazzol...@gmail.com> 
> wrote:
>> Em 23-09-2015 04:40, Stuart Henderson escreveu:
>>> Saves messing about with DHCPv6-PD
>>
>> I see. So you translate from what exactly? Wouldn't it be better to use
>> af-to instead of nat?
> 
> Hello,
> 
> Rather than announcing the prefix obtained via DHCPv6-PD you can pick a prefix
> from fd00::/8 and announce that on your network.
> It is the equivalent to RFC1918 addresses, except it is for IPv6.
> Therefore, it is
> not routable and you need to perform NAT on it. The global address is the one
> the router obtained via static configuration/SLAAC/DHCPv6, which will then be
> used by all your clients.
> 
>> But I can relate to that, given that my CPE will
>> give me a PD, but won't route packets back because it thinks the prefix
>> is reachable using NDP. Hence the need for a proxy, which OpenBSD
>> currently doesn't have.
>>
>> Cheers,
>> Giancarlo Razzolini
>>
> 
> Your CPE will see only the OpenBSD router's address so it should work.
> 
> Marios
> 

And that's exactly what I am doing. Well, I don't use DHCP but rather
assign the fd00::/8 addresses statically, but for the rest, it's the same.

Why NAT? I'm using pppoe to establish a connection to my ISP. And for
every new connection, I get new IPv4 and IPv6 addresses. This is at home
and I don't want my machines being accessible from the internet (except
for some specific ports to some specific machines). As the addresses
change all the time, firewalling would be quite difficult. So NAT is
very useful here :)

But with that configuration, the problem is that all outgoing traffic
(after the NAT) will use the main IPv6 address of the external interface
(auto configured) or will pick one dynamically (auto configured /
privacy address) (depending on the match statement in pf.conf).

I think I will try to write a script to periodically check if the
privacy address has changed and then update my pf.conf for now.

But it would be a nice feature to be able to use something like
egress:privacy for example or make pf automagically prefer the privacy
addresses when natting :)

Daniel
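
One way to script the periodic check described above, as an added example that is not part of the thread: it picks the current temporary (privacy) address from ifconfig output and loads a pf NAT rule for the fd00::/8 hosts into an anchor, reloading only when the address has changed. It assumes OpenBSD's ifconfig marks privacy addresses with the `temporary` flag, an anchor named `nat6` referenced from pf.conf, and pppoe0 as the external interface; the sample ifconfig output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): refresh the pf NAT rule for fd00::/8
# hosts whenever the external interface's privacy address changes.
# Assumed: OpenBSD ifconfig prints temporary addresses with the "temporary"
# flag, and pf.conf contains `anchor "nat6"` so rules loaded there apply.

EXT_IF="${EXT_IF:-pppoe0}"           # external (pppoe) interface, assumed name
ANCHOR="${ANCHOR:-nat6}"             # anchor referenced from pf.conf, assumed name
STATE="${STATE:-/var/run/nat6.addr}" # last address we loaded

# Print the first usable temporary address in ifconfig-style text on stdin;
# skip link-local and deprecated ones so a dying address is never chosen.
temp_addr() {
    awk '$1 == "inet6" && /temporary/ && !/deprecated/ && $2 !~ /^fe80:/ {
             print $2; exit }'
}

# Build the pf rule that NATs ULA sources leaving EXT_IF to the given address.
nat_rule() {
    printf 'match out on %s inet6 from fd00::/8 nat-to %s\n' "$EXT_IF" "$1"
}

# Reload the anchor only when the address actually changed (cron-friendly).
update_nat() {
    addr="$(ifconfig "$EXT_IF" | temp_addr)"
    if [ -z "$addr" ]; then
        echo "no temporary address on $EXT_IF" >&2
        return 1
    fi
    if [ -r "$STATE" ] && [ "$(cat "$STATE")" = "$addr" ]; then
        return 0
    fi
    nat_rule "$addr" | pfctl -a "$ANCHOR" -f - && printf '%s\n' "$addr" > "$STATE"
}

# Constructed ifconfig output, used to demonstrate the parsing offline.
SAMPLE='pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
    inet6 fe80::1%pppoe0 prefixlen 64 scopeid 0x5
    inet6 2001:db8:1:2::1 prefixlen 64 autoconf pltime 86386 vltime 2591986
    inet6 2001:db8:1:2:1111:2222:3333:4444 prefixlen 64 autoconf temporary deprecated pltime 0 vltime 2591986
    inet6 2001:db8:1:2:aaaa:bbbb:cccc:dddd prefixlen 64 autoconf temporary pltime 86386 vltime 2591986'

# Rule that would be loaded for SAMPLE (no pfctl call, safe to run anywhere).
demo_rule() {
    nat_rule "$(printf '%s\n' "$SAMPLE" | temp_addr)"
}

case "${1:-}" in
    --run) update_nat ;;   # e.g. from cron every minute: /path/nat6.sh --run
    *)     demo_rule ;;
esac
```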
