Hey guys. Networking/Firewalling problem, it seems.
I'm running FreeBSD 9. I followed the example configuration that the HE website gave me, creating gif0, setting the tunnel endpoints, setting the IPv6 addresses, then bringing the interface up. That worked successfully. However, I can't seem to ping6 anyone (I've been trying google).
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet 68.82.223.225 --> 216.66.22.2
inet6 2001:470:7:509::2 --> 2001:470:7:509::1 prefixlen 128 tentative
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
options=1<ACCEPT_REV_ETHIP_VER>
Note that gif0 says "tentative." I'm not sure what that means...
ping6 google.com
ping6: UDP connect: Can't assign requested address
I'm also running PF as my firewall. I have a pretty advanced script, it's a default deny. It also handles queuing, prioritization, and port forwarding for my LAN (yeah, this FreeBSD system is also my router). I'll paste the "relevant" parts:
ext_if="em0"
ext6_if="gif0"
set block-policy drop
set state-policy if-bound
block in log from any to any
block out log from any to any
# ICMP for IPv6 Tunnel
pass in on $ext_if inet proto icmp from 66.220.2.74 to $ext_if
# Allow all the IPv6 packets encapsulated in IPv4
pass in on $ext_if inet from 216.66.22.2 to $ext_if synproxy state
# IPv6 Tunnel
pass out on $ext_if inet from $ext_if to 216.66.22.2 modulate state
# icmp out
pass out on $ext_if inet proto icmp from $ext_if to any icmp-type echoreq modulate state queue high
pass out on $ext6_if inet6 proto icmp6 from $ext6_if to any icmp6-type echoreq modulate state queue high
# IPv6
pass out on $ext6_if inet6 proto {tcp, udp} from $ext6_if to any modulate state
I also tried even commenting out my two "block in" and "block out" default deny lines, but it did the same thing.
I also tried running `tcpdump -t -n -i pflog0 ip6` to see what it's blocking, but absolutely nothing is showing up there when I ping6 google.
Any ideas?
Thanks!
Yay obfuscated IPs, that is always really helpful.
The *.*.*.225, is that your real-world IP? Is the machine actually configured with it?
Can you ping6 HE's side of the tunnel?
I don't know PF's syntax, but where is the rule that allows Protocol 41? And I mean specifically Protocol 41 traffic, which is IPv6 encapsulated in IPv4.
68.82.223.225 is my real world IP from my ISP. It's on em0 on my FreeBSD box. I have it running NAT for my LAN, forwarding over em1 (10.x.x.x).
I cannot ping6 HE's IPv6 endpoint. I can ping the IPv4 endpoint.
I was talking on IRC at the same time as posting here, and I made some progress in my rules (but not in terms of allowing traffic yet).
# ICMP for HE's IPv6 Tunnel - This is the check done when requesting the tunnel
pass in on $ext_if inet proto icmp from 66.220.2.74 to $ext_if icmp-type echoreq
# Allow all the IPv6 packets encapsulated in IPv4
pass in on $ext_if inet proto 41 from 216.66.22.2 to $ext_if synproxy state
pass out on $ext_if inet proto 41 from $ext_if to 216.66.22.2 modulate state
# Allow all traffic on gif0
pass in on $ext6_if inet6 from any to any
pass out on $ext6_if inet6 from any to any
I reloaded the rules, but still get the same exact error with ping6: UDP connect: Can't assign requested address
I tried ping6 -I gif0 google.com too, to no avail.
That error above makes it seem like I'm not using the properly assigned addresses or something? I literally copied and pasted from the tunnelbroker.net "example configurations" page.
I found slightly different PF rules from 2011 (google cache), and I'm also not certain why the protocol 43, since IPv6 anything would be encapsulated in p41 packets.
http://webcache.googleusercontent.com/search?q=cache:GOjXWRitME4J:https://johan.pp.se/2011/06/06/freebsd-pf-and-ipv6+&cd=2&hl=en&ct=clnk&gl=us
Got it working! I somehow lost my IPv6 address assignment on gif0 and the default route - I had to reset these.
/etc/pf.conf:
# ICMP for HE's IPv6 Tunnel
pass in on $ext_if inet proto icmp from 66.220.2.74 to $ext_if icmp-type echoreq
# Allow all the IPv6 packets encapsulated in IPv4
pass in on $ext_if inet proto 41 from 216.66.22.2 to $ext_if synproxy state
pass out on $ext_if inet proto 41 from $ext_if to 216.66.22.2 modulate state
# Pass all on gif0
pass in on $ext6_if from any to any
pass out on $ext6_if from any to any
Then just follow TunnelBroker.net's "Example Configurations" for setting up gif0 and the default IPv6 route.
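As an added example (not code from the thread or from HE), a small Python checker for the three things this thread turned on: the tentative address and IFDISABLED flag in the first post's ifconfig output, the missing IPv6 default route, and whether pf.conf carries an explicit protocol 41 pass rule in each direction. The sample ifconfig, netstat and pf.conf texts are constructed from the thread; the function names are my own.

```python
import re

# Constructed sample inputs, modelled on the thread: the broken gif0 state
# (address tentative, IFDISABLED set), no IPv6 default route, and the pf
# rules before and after an explicit protocol 41 rule was added.
IFCONFIG_BROKEN = (
    "gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280\n"
    "\ttunnel inet 68.82.223.225 --> 216.66.22.2\n"
    "\tinet6 2001:470:7:509::2 --> 2001:470:7:509::1 prefixlen 128 tentative\n"
    "\tnd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>\n"
)
ROUTES_BROKEN = "Destination  Gateway  Flags  Netif\n::1  link#3  UH  lo0\n"
PF_BROKEN = (
    "pass in on $ext_if inet from 216.66.22.2 to $ext_if synproxy state\n"
    "pass out on $ext_if inet from $ext_if to 216.66.22.2 modulate state\n"
)
PF_FIXED = (
    "pass in on $ext_if inet proto 41 from 216.66.22.2 to $ext_if synproxy state\n"
    "pass out on $ext_if inet proto 41 from $ext_if to 216.66.22.2 modulate state\n"
)

def check_gif(ifconfig_text):
    """Findings from `ifconfig gif0` output: link state, inet6 address, nd6 flags."""
    findings = []
    if not re.search(r"flags=\w+<UP[,>]", ifconfig_text):
        findings.append("gif0 is not UP")
    inet6 = [l for l in ifconfig_text.splitlines() if l.strip().startswith("inet6 ")]
    if not inet6:
        findings.append("no inet6 address on gif0")
    elif any(" tentative" in l for l in inet6):
        findings.append("inet6 address is tentative (duplicate address detection not done)")
    m = re.search(r"nd6 options=\w+<([^>]*)>", ifconfig_text)
    if m and "IFDISABLED" in m.group(1).split(","):
        findings.append("IFDISABLED set in nd6 options: IPv6 is disabled on gif0")
    return findings

def check_default_route(routes_text):
    """Finding if `netstat -rn -f inet6` output has no default route."""
    if any(line.split()[:1] == ["default"] for line in routes_text.splitlines()):
        return []
    return ["no IPv6 default route"]

def check_pf_proto41(pf_text):
    """Findings for each direction lacking an explicit 'proto 41' pass rule."""
    findings = []
    for direction in ("in", "out"):
        if not re.search(rf"^\s*pass\s+{direction}\b.*\bproto\s+41\b", pf_text, re.M):
            findings.append(f"no explicit 'pass {direction} ... proto 41' rule")
    return findings
```

A pf rule written without `proto` matches every IP protocol, so the protocol 41 check only confirms that the tunnel rules state their intent explicitly, not whether encapsulated traffic would pass.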