Configuring macOS 10.12.5 as an IPv6 gateway.

Started by majortom, June 18, 2017, 08:17:29 PM

majortom

My router is a Mac running 10.12.5. I have it working using the tunnel broker for locally originating IPv6 traffic. It is also able to ping6 one of the other Macs on the local network (and that machine can ping6 it) using my /64. The other Mac cannot ping either endpoint on the gif0, nor can it get IPv6 traffic off the local network. I presume I have a setting in PF wrong (or do not have a setting I need), or I do not have the IPv6 gateway enabled. I have searched the net for answers with no luck.

cholzhauer


majortom

Quote from: cholzhauer on June 19, 2017, 06:22:04 AM
Is your firewall blocking protocol 41?

Nope. The Mac that hosts the tunnel works fine, and any downstream system would not use 6in4 (protocol 41), but instead regular IP forwarding. Your question did lead me to the right answer, however, which was sysctl net.inet6.ip.forwarding was false, not true. I corrected that and now it all works. (I was going to add a PF rule to explicitly allow IPv6 6in4 traffic bound for the local /64 and in looking up the syntax I found the sysctl I needed).

Thanks for your help (both direct and inadvertent). :-)

Having been through this now, I think I have all the items I need:

The sample configuration the tunnel broker suggests for Mac OS X is this:

ifconfig gif0 create
ifconfig gif0 tunnel CLIENT_IPv4_ADDRESS TUNNEL_SERVER_IPv4_ADDRESS
ifconfig gif0 inet6 CLIENT_IPv6_ADDRESS TUNNEL_SERVER_IPv6_ADDRESS prefixlen 128
route -n add -inet6 default TUNNEL_SERVER_IPv6_ADDRESS

These lines might need to be added to PF (it does not hurt to have them even if they might not be needed):

icmp6_types = "{ unreach, toobig, timex, paramprob, echoreq, echorep, neighbradv, neighbrsol, routeradv, routersol }"   
pass inet6 proto ipv6-frag   
pass in on EXT_INTERFACE proto 41 from TUNNEL_SERVER_IPv4_ADDRESS   
pass out on EXT_INTERFACE proto 41 to TUNNEL_SERVER_IPv4_ADDRESS   
pass in on gif0 inet6 proto icmp6 all icmp6-type $icmp6_types allow-opts   

Finally, if the machine is going to gateway IPv6 traffic:

sysctl net.inet6.ip6.forwarding=1
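
Added example, not part of majortom's post: a small shell check for two of the items listed above, the forwarding sysctl and the protocol 41 pass rules, reading sysctl output and PF rule text on stdin. The function names are hypothetical, and the sample input is constructed, with 192.0.2.1 standing in for TUNNEL_SERVER_IPv4_ADDRESS and en0 for EXT_INTERFACE.

```shell
#!/bin/sh
# Added example, not from the thread: checks two of the gateway prerequisites
# listed above. Both functions read text on stdin.

# Succeeds only if the exact key net.inet6.ip6.forwarding is 1. Accepts
# "key: 1" (sysctl output) and "key=1"; a misspelt key does not count.
forwarding_enabled() {
    awk -F'[:=]' '
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        key == "net.inet6.ip6.forwarding" && val == "1" { ok = 1 }
        END { exit(ok ? 0 : 1) }'
}

# Succeeds only if the PF rule text passes 6in4 (IP protocol 41, "ipv6" by
# name) in from and out to the tunnel server $1. A pass rule with no
# direction keyword covers both directions.
pf_passes_6in4() {
    awk -v srv="$1" '
        /^[ \t]*#/ { next }                          # skip comment lines
        $1 == "pass" && / proto (41|ipv6)( |$)/ {    # not "proto ipv6-frag"
            dir = ($2 == "in" || $2 == "out") ? $2 : "both"
            for (i = 2; i < NF; i++) {
                if (dir != "out" && $i == "from" && $(i + 1) == srv) in_ok = 1
                if (dir != "in"  && $i == "to"   && $(i + 1) == srv) out_ok = 1
            }
        }
        END { exit((in_ok && out_ok) ? 0 : 1) }'
}

# Constructed sample input (placeholder interface and documentation address).
SAMPLE_RULES='pass inet6 proto ipv6-frag
pass in on en0 proto 41 from 192.0.2.1
pass out on en0 proto 41 to 192.0.2.1'

printf '%s\n' "$SAMPLE_RULES" | pf_passes_6in4 192.0.2.1 \
    && echo "6in4 pass rules present for 192.0.2.1"
printf 'net.inet6.ip6.forwarding: 0\n' | forwarding_enabled \
    || echo "forwarding is off: LAN hosts cannot route through gif0"
```

On the gateway itself, the first function can be fed with `sysctl net.inet6.ip6.forwarding | forwarding_enabled`.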