Hurricane Electric's IPv6 Tunnel Broker Forums

Topic: FreeBSD 9.2 behind NAT trouble

saenara

FreeBSD 9.2 behind NAT trouble
« on: October 29, 2013, 06:17:54 AM »

Hi!

I'm really stuck on what is wrong with my configuration, so please give me a little advice.

FreeBSD -- Cisco 3845 -- internet -- he.net

Endpoints:
me: 91.231.188.11
HE: 216.66.80.90

Cisco
Code:
arnie#show ver
Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)
...
arnie#show run | i 91.231.188.11
ip nat inside source static 192.168.167.8 91.231.188.11 extendable
arnie#show ip nat trans | i 91.231.188.11
41  91.231.188.11:0       192.168.167.8:0       216.66.80.90:0        216.66.80.90:0
--- 91.231.188.11         192.168.167.8         ---                   ---

FreeBSD box:
Code:
root@saenara# uname -a
FreeBSD saenara 9.2-RELEASE FreeBSD 9.2-RELEASE #0 r255898: Thu Sep 26 22:50:31 UTC 2013     root@bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
root@saenara# ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet 192.168.167.8 --> 216.66.80.90
inet6 fe80::215:17ff:fec9:431e%gif0 prefixlen 64 scopeid 0xd
inet6 2001:470:27:78a::2 --> 2001:470:27:78a::1 prefixlen 128
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
options=1<ACCEPT_REV_ETHIP_VER>

Any firewalling is disabled for a while. Now trying ping6:
Code:
root@saenara# ping6 2001:470:27:78a::1
PING6(56=40+8+8 bytes) 2001:470:27:78a::2 --> 2001:470:27:78a::1
^C
--- 2001:470:27:78a::1 ping6 statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss

Sniffing gif interface:
Code:
root@saenara# tcpdump -pi gif0 -n
tcpdump: WARNING: gif0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 65535 bytes
17:01:39.013069 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 0, length 16
17:01:40.013318 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 1, length 16
17:01:41.013309 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 2, length 16
17:01:42.013308 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 3, length 16
17:01:43.013312 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 4, length 16
17:01:44.012304 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, neighbor solicitation, who has 2001:470:27:78a::1, length 24
17:01:45.012291 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, neighbor solicitation, who has 2001:470:27:78a::1, length 24
17:01:46.012292 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, neighbor solicitation, who has 2001:470:27:78a::1, length 24

But! Sniffing the LAN interface at the same moment:
Code:
root@saenara# tcpdump -pi em0 -n -s 0 host 216.66.80.90
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:01:39.013084 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 0, length 16
17:01:39.087578 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, echo reply, seq 0, length 16
17:01:40.013324 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 1, length 16
17:01:40.087827 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, echo reply, seq 1, length 16
17:01:41.013314 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 2, length 16
17:01:41.088413 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, echo reply, seq 2, length 16
17:01:42.013313 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 3, length 16
17:01:42.088519 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, echo reply, seq 3, length 16
17:01:43.013317 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 4, length 16
17:01:43.087941 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, echo reply, seq 4, length 16
17:01:44.012312 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, neighbor solicitation, who has 2001:470:27:78a::1, length 24
17:01:44.087566 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, neighbor advertisement, tgt is 2001:470:27:78a::1, length 24
17:01:45.012299 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, neighbor solicitation, who has 2001:470:27:78a::1, length 24
17:01:45.088201 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, neighbor advertisement, tgt is 2001:470:27:78a::1, length 24
17:01:46.012298 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, neighbor solicitation, who has 2001:470:27:78a::1, length 24
17:01:46.086669 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, neighbor advertisement, tgt is 2001:470:27:78a::1, length 24

BSD box rc.conf fragment:
Code:
cloned_interfaces="bridge0 vlan100 gif0"
ipv6_network_interfaces="lo0 br0 gif0"
gif_interfaces="gif0"

ipv6_activate_all_interfaces="NO"

ifconfig_bridge0_name="br0"

gifconfig_gif0="192.168.167.8 216.66.80.90"

ifconfig_em0="inet 192.168.167.2/24"
ifconfig_em0_alias0="inet 192.168.167.8/32"
ifconfig_em1="up"
ifconfig_br0="addm em0 addm em1 up"

defaultrouter="192.168.167.1"

ifconfig_gif0_ipv6="inet6 2001:470:27:78a::2 2001:470:27:78a::1 prefixlen 128 up"
ifconfig_br0_ipv6="inet6 2001:470:27:78a::3 prefixlen 64"
ipv6_defaultrouter="2001:470:27:78a::1"
ipv6_gateway_enable="YES"
rtadvd_enable="YES"
rtadvd_interfaces="br0"


So, as it seems to me, the ipip (Proto#41) NAT passthrough is successful: the BSD box receives packets back from the HE endpoint but completely ignores them.

This makes me crazy, so help, please!
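The comparison made by eye in the post above, as an added example that is not part of the original thread: it pairs ICMPv6 echo sequence numbers across the LAN-interface and tunnel-interface captures and reports where each reply stops. The sample lines are copied from the post's own tcpdump output; `echoes` and `locate_loss` are hypothetical helper names.

```python
import re

# Constructed sample: the seq 0-1 lines copied from the two captures in the post above.
GIF0 = """\
17:01:39.013069 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 0, length 16
17:01:40.013318 IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 1, length 16
"""
EM0 = """\
17:01:39.013084 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 0, length 16
17:01:39.087578 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, echo reply, seq 0, length 16
17:01:40.013324 IP 192.168.167.8 > 216.66.80.90: IP6 2001:470:27:78a::2 > 2001:470:27:78a::1: ICMP6, echo request, seq 1, length 16
17:01:40.087827 IP 216.66.80.90 > 192.168.167.8: IP6 2001:470:27:78a::1 > 2001:470:27:78a::2: ICMP6, echo reply, seq 1, length 16
"""

# Optional outer IPv4 header (the protocol-41 wrapper), then the inner ICMPv6 echo.
LINE = re.compile(
    r"^\S+ (?:IP (?P<osrc>\S+) > (?P<odst>[^:\s]+): )?"
    r"IP6 \S+ > \S+ ICMP6, echo (?P<kind>request|reply), seq (?P<seq>\d+)"
)

def echoes(capture):
    """Map (kind, seq) -> (outer_src, outer_dst); both are None when not encapsulated."""
    seen = {}
    for line in capture.splitlines():
        m = LINE.match(line)
        if m:
            seen[(m["kind"], int(m["seq"]))] = (m["osrc"], m["odst"])
    return seen

def locate_loss(wire_capture, tunnel_capture):
    """For each echo request sent into the tunnel, say where its reply stops."""
    wire, tunnel = echoes(wire_capture), echoes(tunnel_capture)
    verdict = {}
    for seq in sorted(s for kind, s in tunnel if kind == "request"):
        if ("reply", seq) in tunnel:
            verdict[seq] = "decapsulated"
        elif ("reply", seq) in wire:
            src, dst = wire[("reply", seq)]
            verdict[seq] = f"on wire as {src} > {dst}, never reached tunnel interface"
        elif ("request", seq) in wire:
            verdict[seq] = "request left the host, no reply on wire"
        else:
            verdict[seq] = "request never left the host"
    return verdict

if __name__ == "__main__":
    for seq, where in locate_loss(EM0, GIF0).items():
        print(f"seq {seq}: {where}")
```

The outer address pair it reports for each reply can be compared directly with the `tunnel inet` line in the `ifconfig gif0` output.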

cholzhauer

Re: FreeBSD 9.2 behind NAT trouble
« Reply #1 on: October 29, 2013, 08:30:55 AM »

FWIW, here's my config on FreeBSD 9. This started on 6.x and I had to adapt it to get it working; I don't know if the changes I'm still using are required or not, but it works great for me.

Code:
ipv6_activate_all_interfaces="YES"
gif_interfaces="gif1"
gifconfig_gif1="205.251.163.10 209.51.181.2"
ipv6_gateway_enable="YES"
ipv6_ifconfig_gif1="2001:470:1f10:2aa::2/64"
ipv6_defaultrouter="-interface gif1"
ipv6_network_interfaces="em0 gif1 lo0"
ipv6_prefix_em0="2001:470:c27d:d000"
ipv6_ifconfig_em0="2001:470:c27d:d000::1"


saenara

Re: FreeBSD 9.2 behind NAT trouble
« Reply #2 on: October 30, 2013, 09:08:53 PM »

Thank you, cholzhauer, for your advice!
Unfortunately, the config doesn't matter in this case because it's just a way to automagically issue ifconfig commands at system startup.
As far as I have dug into the trouble, it seems to me more appropriate to redirect the question to the FreeBSD team.
Once any advice arrives, I'll post it here.