Re: NPTv6: prefix doesn't change in IPFW when prefix changes on dynamic interface

From: FreeBSD User <freebsd_at_walstatt-de.de>
Date: Sun, 27 Nov 2022 11:55:02 UTC
On Fri, 25 Nov 2022 10:40:31 +0300
"Andrey V. Elsukov" <bu7cher@yandex.ru> wrote:

> On 24.11.2022 18:27, FreeBSD User wrote:
> > Hello,
> > 
> > running a small routing/firewall appliance based on 13-STABLE and IPFW, I face a problem
> > with NPTv6. The external IPv6 is changing dynamically. While ipfw in-kernel NAT catches up
> > with dynamic changes of the IPv4, NPTv6 doesn't seem to.
> > 
> > I'm neither an expert in networking nor IPFW.
> > 
> > After a couple of days tun0 (the exterior PPP interface, uplink connection managed via
> > mpd5) has a lot of IPv6 addresses, all but one are marked "deprecated".
> 
> > In case mpd5 is not restarted, or the exterior interface is assigned several IPv6
> > addresses of which all but one are marked deprecated, pinging the outside world via IPv6
> > will take the wrong IPv6 address - IPFW doesn't seem to catch up with the changes.
> > 
> > How to fix this?  
> 
> Hi,
> 
> probably the easiest way to solve your problem is periodically running 
> some script that will find and delete deprecated addresses from an 
> interface.
> 
> Then the NPTv6 module will use the first global prefix on the interface.
> 

I noticed some strange behaviour and wasn't able to cope with it.

From the net behind the firewall/router, after either the router appliance has been rebooted or
ipfw restarted, "ping -6 freebsd.org" works from any host, but not from the router/firewall
itself.
After my ISP has changed both the IPv4 AND IPv6 address, and tun0, the exterior-pointing PPP
interface, has got at least one deprecated IPv6 address (it is also a "temporary IPv6 address"
created to hide the MAC of the exterior interface), the router itself is capable of pinging IPv6
addresses in the outside world. But no host within my LAN is.
Simply deleting all "deprecated" marked IPv6 addresses from the tun0 interface doesn't change
anything.

NPTv6 is configured to use tun0, not an IPv6 prefix.

IPv6 routing on the router is done via its link-local fe80... address, if this is of interest.

I think I have to investigate the packet flow within IPFW and would like to ask whether there
is a kind of monitor?

Thanks and kind regards,

O. Hartmann

-- 
O. Hartmann
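The periodic cleanup script Andrey suggests above, written out as an added example (not code from either poster): it parses FreeBSD ifconfig(8) "inet6" lines, lists the addresses flagged "deprecated", and removes them from the uplink interface so the NPTv6 module falls back to the first non-deprecated global prefix. The interface name tun0 comes from the thread; the embedded ifconfig output is constructed sample data.

```shell
#!/bin/sh
# Added example: purge deprecated IPv6 addresses from the uplink interface.
# Assumes FreeBSD 13 ifconfig(8) output; IFACE defaults to tun0 as in the thread.
IFACE="${IFACE:-tun0}"

# Constructed sample of "ifconfig tun0 inet6" output, used for the dry run below.
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
	inet6 fe80::1%tun0 prefixlen 64 scopeid 0x5
	inet6 2001:db8:1:2::1 prefixlen 64 autoconf pltime 86000 vltime 172000
	inet6 2001:db8:1:2:aaaa:bbbb:cccc:dddd prefixlen 64 deprecated autoconf temporary pltime 0 vltime 150000
	inet6 2001:db8:9:9::1 prefixlen 64 deprecated autoconf pltime 0 vltime 1000'

# Read ifconfig output on stdin; print every inet6 address carrying the
# "deprecated" flag, one per line. Link-local (fe80::/10) addresses are
# skipped: NPTv6 only selects among global prefixes, and the link-local
# address is needed for routing (as the thread notes).
deprecated_addrs() {
    awk '$1 == "inet6" {
            addr = $2
            sub(/%.*/, "", addr)                 # strip "%tun0" scope suffix
            if (tolower(substr(addr, 1, 4)) ~ /^fe[89ab]/) next
            for (i = 3; i <= NF; i++)
                if ($i == "deprecated") { print addr; break }
        }'
}

# Dry run against the constructed sample; returns the list of addresses
# that would be removed, space separated.
demo_deprecated() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | deprecated_addrs | tr '\n' ' '
}

# Live run: delete each deprecated address from IFACE.
# "ifconfig IF inet6 ADDR delete" is the FreeBSD form (same as -alias).
purge_deprecated() {
    ifconfig "$IFACE" inet6 | deprecated_addrs | while read -r addr; do
        echo "removing deprecated $addr from $IFACE"
        ifconfig "$IFACE" inet6 "$addr" delete
    done
}

# Only touch the interface when explicitly asked; otherwise show the dry run.
if [ "${1:-}" = "--apply" ]; then
    purge_deprecated
else
    echo "would remove: $(demo_deprecated)"
fi
```

Run it from cron with `--apply` (as root) at the interval you find acceptable; the NPTv6 module will then see only the current global prefix on tun0.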