Hello,
I have a tunnel set up at home on my OpenBSD 4.5 router with clients running various OS's. While everything appears to work well, when I traceroute from an outside server to one of my clients behind my router, the traceroute ends on the router instead of the actual machine.
Traceroute to my router, 'bert':
% traceroute6 bert.v6.staticky.com
traceroute6 to bert.v6.staticky.com (2001:470:8:75b::1) from 2001:470:4:2a5::2, 64 hops max, 12 byte packets
1 devious-1.tunnel.tserv12.mia1.ipv6.he.net 16.905 ms 17.21 ms 16.861 ms
2 gige-g2-3.core1.mia1.he.net 16.457 ms 16.35 ms 16.106 ms
3 10gigabitethernet4-3.core1.atl1.he.net 32.324 ms 40.706 ms 30.826 ms
4 10gigabitethernet6-4.core1.ash1.he.net 63.08 ms 51.06 ms 51.273 ms
5 gige-gbge0.tserv13.ash1.ipv6.he.net 52.422 ms 52.204 ms 51.818 ms
6 bert.v6.staticky.com 63.714 ms 63.734 ms 62.904 ms
%
Traceroute to another machine, 'wouter':
% traceroute6 wouter.v6.staticky.com
traceroute6 to wouter.v6.staticky.com (2001:470:8:75b:21e:52ff:fe74:d4b3) from 2001:470:4:2a5::2, 64 hops max, 12 byte packets
1 devious-1.tunnel.tserv12.mia1.ipv6.he.net 17.218 ms 17.459 ms 16.839 ms
2 gige-g2-3.core1.mia1.he.net 19.347 ms 16.357 ms 16.449 ms
3 10gigabitethernet4-3.core1.atl1.he.net 39.456 ms 40.068 ms 30.953 ms
4 10gigabitethernet6-4.core1.ash1.he.net 50.962 ms 51.979 ms 51.052 ms
5 gige-gbge0.tserv13.ash1.ipv6.he.net 52.318 ms 52.159 ms 52.489 ms
6 leitec-1-pt.tunnel.tserv13.ash1.ipv6.he.net 63.805 ms 62.199 ms 61.837 ms
%
I'm not sure if this is a problem with my pf rules or if it's something else. I wasn't sure exactly how to map the /64 onto my router, i.e. where I should assign the (prefix)::1 IP I gave the router. I ended up putting it on the local network interface. This is only a minor worry of mine since the network actually works quite well. The only issue I had was MTU-related, where certain clients would randomly halt ssh sessions and the like. I use rtadvd to set the MTU to 1480 on my v6 clients, which has worked well.
As far as pf is concerned, I allow only a few inbound TCP ports and all ICMP6 to the v6 clients behind the router/firewall.
Relevant ifconfig data:
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c7:b6:b0
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.2.3.1 netmask 0xffffff00 broadcast 10.2.3.255
        inet6 fe80::200:24ff:fec7:b6b0%sis0 prefixlen 64 scopeid 0x1
        inet6 2001:470:8:75b::1 prefixlen 64
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1480
        priority: 0
        groups: gif egress
        physical address inet 66.44.61.162 --> 216.66.22.2
        inet6 fe80::200:24ff:fec7:b6b0%gif0 -> prefixlen 64 scopeid 0x6
        inet6 2001:470:7:75b::2 -> 2001:470:7:75b::1 prefixlen 128
Any ideas?
Thanks!
Hmm... answered my own question. I didn't realize traceroute depended on UDP; I thought it was ICMP only. Now that I'm passing UDP it works.
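
The resolution above, sketched as a pf.conf fragment (an added example, not the poster's actual ruleset): the first two rules model the described policy of a few TCP ports plus all ICMP6, and the third adds the UDP probe range that traceroute6 uses by default. The interface name and /64 come from the ifconfig output; the macro names and the TCP port list are assumptions.

```pf
# Added example; macro names and tcp_services are hypothetical.
tunnel_if    = "gif0"                   # tunnel interface from the ifconfig output
lan6         = "2001:470:8:75b::/64"    # routed /64 on the LAN side (sis0)
tcp_services = "{ 22 }"                 # assumed: "a few inbound TCP ports"

# Policy as described in the post: selected TCP ports and all ICMP6.
# With only these two rules, UDP probes with a hop limit high enough to
# pass the router are dropped, so the trace stops at the router's tunnel
# address instead of reaching the client.
pass in on $tunnel_if inet6 proto tcp from any to $lan6 port $tcp_services
pass in on $tunnel_if inet6 proto ipv6-icmp from any to $lan6

# Added rule: let traceroute6 UDP probes reach the clients.
# Default base port is 33434 with one port per probe; the range below
# covers 64 hops x 3 probes. The client's ICMP6 "port unreachable" reply
# is matched against the state created here, so it needs no extra rule.
pass in on $tunnel_if inet6 proto udp from any to $lan6 port 33434:33626

# Assumes forwarded traffic is already allowed out on the LAN interface.
```

Limiting the rule to the probe port range keeps other inbound UDP to the clients blocked; a sender that overrides the base port with traceroute6's -p option will fall outside it.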