Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Tunnel Seems To Be Up - But No Traffic

Started by srg, May 09, 2013, 07:42:32 PM


srg

Hey guys. Networking/Firewalling problem, it seems.

I'm running FreeBSD 9. I followed the example configuration that the HE website gave me, creating gif0, setting the tunnel endpoints, setting the IPv6 addresses, then bringing the interface up. That worked successfully. However, I can't seem to ping6 anyone (I've been trying google).

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 68.82.223.225 --> 216.66.22.2
        inet6 2001:470:7:509::2 --> 2001:470:7:509::1 prefixlen 128 tentative
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        options=1<ACCEPT_REV_ETHIP_VER>


Note that gif0 says "tentative." I'm not sure what that means...

ping6 google.com
ping6: UDP connect: Can't assign requested address


I'm also running PF as my firewall. I have a pretty advanced script, it's a default deny. It also handles queuing, prioritization, and port forwarding for my LAN (yeah, this FreeBSD system is also my router). I'll paste the "relevant" parts:

ext_if="em0"
ext6_if="gif0"
set block-policy drop
set state-policy if-bound

block in log from any to any
block out log from any to any

# ICMP for IPv6 Tunnel
pass in on $ext_if inet proto icmp from 66.220.2.74 to $ext_if

# Allow all the IPv6 packets encapsulated in IPv4
pass in on $ext_if inet from 216.66.22.2 to $ext_if synproxy state

# IPv6 Tunnel
pass out on $ext_if inet from $ext_if to 216.66.22.2 modulate state

# icmp out
pass out on $ext_if inet proto icmp from $ext_if to any icmp-type echoreq modulate state queue high
pass out on $ext6_if inet6 proto icmp6 from $ext6_if to any icmp6-type echoreq modulate state queue high

# IPv6
pass out on $ext6_if inet6 proto {tcp, udp} from $ext6_if to any modulate state


I also tried even commenting out my two "block in" and "block out" default deny lines, but it did the same thing.

I also tried running `tcpdump -t -n -i pflog0 ip6` to see what it's blocking, but absolutely nothing is showing up there when I ping6 google.

Any ideas?

Thanks!

broquea

Yay obfuscated IPs, that is always really helpful.

The *.*.*.225, is that your real-world IP? Is the machine actually configured with it?
Can you ping6 HE's side of the tunnel?
I don't know PF's syntax, but where is the rule that allows Protocol 41? And I mean specifically Protocol 41 traffic, which is IPv6 encapsulated in IPv4.

srg

68.82.223.225 is my real world IP from my ISP. It's on em0 on my freebsd box. I have it running NAT for my LAN, forwarding over em1 (10.x.x.x).

I cannot ping6 HE's IPv6 endpoint. I can ping the IPv4 endpoint.

I was talking on IRC at the same time as posting here, and I made some progress in my rules (but not in terms of allowing traffic yet)

# ICMP for HE's IPv6 Tunnel - This is the check done when requesting the tunnel
pass in on $ext_if inet proto icmp from 66.220.2.74 to $ext_if icmp-type echoreq

# Allow all the IPv6 packets encapsulated in IPv4
pass in on $ext_if inet proto 41 from 216.66.22.2 to $ext_if synproxy state
pass out on $ext_if inet proto 41 from $ext_if to 216.66.22.2 modulate state

# Allow all traffic on gif0
pass in on $ext6_if inet6 from any to any
pass out on $ext6_if inet6 from any to any


I reloaded the rules, but still get the same exact error with ping6: UDP connect: Can't assign requested address
I tried ping6 -I gif0 google.com too, to no avail.

That error above makes it seem like I'm not using the properly assigned addresses or something? I literally copied and pasted from the tunnelbroker.net "example configurations" page.

broquea

I found slightly different PF rules from 2011 (google cache), and also not certain why the protocol 43 since IPv6 anything would be encapsulated in p41 packets.

http://webcache.googleusercontent.com/search?q=cache:GOjXWRitME4J:https://johan.pp.se/2011/06/06/freebsd-pf-and-ipv6+&cd=2&hl=en&ct=clnk&gl=us


srg

Got it working! I somehow lost my IPv6 address assignment on gif0 and the default route - I had to reset these.

/etc/pf.conf:
# ICMP for HE's IPv6 Tunnel
pass in on $ext_if inet proto icmp from 66.220.2.74 to $ext_if icmp-type echoreq

# Allow all the IPv6 packets encapsulated in IPv4
pass in on $ext_if inet proto 41 from 216.66.22.2 to $ext_if synproxy state
pass out on $ext_if inet proto 41 from $ext_if to 216.66.22.2 modulate state

# Pass all on gif0
pass in on $ext6_if from any to any
pass out on $ext6_if from any to any


Then just follow TunnelBroker.net's "Example Configurations" for setting up gif0 and the default IPv6 route.
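The thread's three failure points were a "tentative" inet6 address on gif0 (with nd6 IFDISABLED set), pf rules that never named protocol 41, and a lost IPv6 default route. The script below is an added example, not from the thread or from HE; it checks each of those conditions on command output passed in as a string, and the samples it runs against are constructed from the output quoted above, so it runs offline. On a real box you would feed it `ifconfig gif0`, `cat /etc/pf.conf` and `netstat -rn -f inet6` instead.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity checks for an HE gif
# tunnel on FreeBSD. Samples are constructed from the thread's quoted output.

IFCONFIG_BROKEN='gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 68.82.223.225 --> 216.66.22.2
        inet6 2001:470:7:509::2 --> 2001:470:7:509::1 prefixlen 128 tentative
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>'

# Same interface once the address is usable (constructed: no tentative, no IFDISABLED).
IFCONFIG_OK='gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 68.82.223.225 --> 216.66.22.2
        inet6 2001:470:7:509::2 --> 2001:470:7:509::1 prefixlen 128
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>'

# The first post's tunnel rules versus the working ones from the last post.
PF_OLD='pass in on $ext_if inet from 216.66.22.2 to $ext_if synproxy state
pass out on $ext_if inet from $ext_if to 216.66.22.2 modulate state'
PF_NEW='pass in on $ext_if inet proto 41 from 216.66.22.2 to $ext_if synproxy state
pass out on $ext_if inet proto 41 from $ext_if to 216.66.22.2 modulate state'

# One constructed netstat -rn -f inet6 line: default route via HE's side of the tunnel.
ROUTES_OK='default   2001:470:7:509::1   UGS   gif0'

# 0 if the inet6 address is usable: present, not "tentative", and the nd6
# IFDISABLED flag (kernel has IPv6 switched off on the interface) is absent.
# An address stuck in tentative is what makes ping6 report
# "UDP connect: Can't assign requested address".
check_inet6_ready() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet6 ' || return 1
    printf '%s\n' "$1" | grep '^[[:space:]]*inet6 ' | grep -q 'tentative' && return 1
    printf '%s\n' "$1" | grep -q 'IFDISABLED' && return 1
    return 0
}

# 0 if the rules pass protocol 41 (IPv6-in-IPv4) both in and out, naming the
# protocol explicitly as the thread's working pf.conf does.
check_proto41_rules() {
    printf '%s\n' "$1" | grep -Eq '^pass in .* proto 41 ' || return 1
    printf '%s\n' "$1" | grep -Eq '^pass out .* proto 41 ' || return 1
    return 0
}

# 0 if an IPv6 default route points at the tunnel interface.
check_default_route() {
    printf '%s\n' "$1" | grep -Eq '^default[[:space:]].*gif0' || return 1
    return 0
}
```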