From nobody Sun Nov 27 11:55:02 2022
Date: Sun, 27 Nov 2022 12:55:02 +0100
From: FreeBSD User <freebsd@walstatt-de.de>
To: "Andrey V. Elsukov"
Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Subject: Re: NPTv6: prefix doesn't change in IPFW when prefix changes on dynamic interface
Message-ID: <20221127125522.0b095dee@thor.intern.walstatt.dynvpn.de>
In-Reply-To: <28091d68-ec5a-8b9d-eb0d-9f8c8728bfa6@yandex.ru>
References: <20221124162745.7589cf29@thor.intern.walstatt.dynvpn.de> <28091d68-ec5a-8b9d-eb0d-9f8c8728bfa6@yandex.ru>
Organization: walstatt-de.de
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

On Fri, 25 Nov 2022 10:40:31 +0300 "Andrey V. Elsukov" wrote:

> 24.11.2022 18:27, FreeBSD User wrote:
> > Hello,
> >
> > running a small routing/firewall appliance based on 13-STABLE and IPFW, I face a problem
> > with NPTv6. The external IPv6 is changing dynamically. While ipfw in-kernel NAT catches up
> > with dynamic changes of the IPv4, NPTv6 doesn't seem to.
> >
> > I'm neither an expert in networking nor IPFW.
> >
> > After a couple of days tun0 (the exterior PPP interface, uplink connection managed via
> > mpd5) has a lot of IPv6 addresses, all but one are marked "deprecated".
>
> > In case mpd5 is not restarted, or the exterior interface is assigned several IPv6
> > addresses of which all but one are marked deprecated, pinging the outside world via IPv6
> > will take the wrong IPv6 - IPFW doesn't seem to catch up with the changes.
> >
> > How to fix this?
>
> Hi,
>
> probably the easiest way to solve your problem is periodically running
> some script that will find and delete deprecated addresses from an
> interface.
>
> Then NPTv6 module will use first global prefix on the interface.
>

I realized some strange behaviour and I wasn't able to come along with it.

From the net behind the firewall/router, after either the router appliance has been rebooted
or ipfw restarted, "ping -6 freebsd.org" works from any host, but not from the router/firewall
itself.
After my ISP has changed both the IPv4 AND IPv6 and tun0, the exterior-pointing PPP interface,
has got at least one deprecated IPv6 address (it is also a "temporary IPv6 address" created
to hide the MAC of the exterior interface), the router itself is capable of pinging IPv6
addresses in the outside world. But no host within my LAN is.

Simply deleting all "deprecated" marked IPv6 addresses from the tun0 interface doesn't change
anything.

NPTv6 is configured to use tun0, not an IPv6 prefix.

IPv6 routing on the router is done via its link-local fe80... address, if this is of interest.

I think I have to investigate the packet flow within IPFW and would like to ask whether there
is a kind of monitor?

Thanks and kind regards,

O. Hartmann

-- 
O. Hartmann
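The cleanup that Andrey suggests above (periodically find and delete the addresses that ifconfig(8) marks "deprecated" on the uplink interface so that NPTv6 picks the remaining global prefix) can be done with a few lines of sh(1) and awk(1). The script below is an added example written for this page, not code from the thread or from FreeBSD; the interface name tun0, the DRY_RUN switch and the ifconfig output it parses are assumptions, and the sample output is constructed in the same layout FreeBSD's ifconfig prints, not captured from the poster's router. Link-local addresses are skipped on purpose, since the poster's IPv6 routing relies on the fe80:: address of the interface.

```shell
#!/bin/sh
# Added example (not from the original thread): list the IPv6 addresses
# that ifconfig(8) flags "deprecated" on an interface and emit the
# matching "ifconfig IF inet6 ADDR delete" commands.
# DRY_RUN=1 (default) parses the constructed sample below and only prints
# the commands; DRY_RUN=0 reads the live interface and executes them
# (needs root). IFACE defaults to tun0, which is an assumption.

IFACE="${IFACE:-tun0}"
DRY_RUN="${DRY_RUN:-1}"

# Read ifconfig output on stdin and print every inet6 address whose line
# carries the "deprecated" flag, skipping link-local (fe80::) addresses.
deprecated_addrs() {
    awk '$1 == "inet6" && $2 !~ /^fe80:/ && / deprecated/ { print $2 }'
}

# Turn a list of addresses (one per line on stdin) into delete commands
# for the interface given as $1.
delete_cmds() {
    while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        printf 'ifconfig %s inet6 %s delete\n' "$1" "$addr"
    done
}

# Constructed sample in the layout of "ifconfig tun0 inet6" on FreeBSD:
# one link-local, two deprecated global addresses (one of them a
# temporary/privacy address), and one current global address that must
# survive.
SAMPLE='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
    inet6 fe80::1:2:3:4%tun0 prefixlen 64 scopeid 0x5
    inet6 2001:db8:aaaa:1::1 prefixlen 64 autoconf deprecated
    inet6 2001:db8:aaaa:1:abcd:ef01:2345:6789 prefixlen 64 autoconf temporary deprecated
    inet6 2001:db8:bbbb:1::1 prefixlen 64 autoconf
    groups: tun'

# Returns the delete commands for the sample as a string (used by the
# dry run and easy to check from a test).
sample_cmds() {
    printf '%s\n' "$SAMPLE" | deprecated_addrs | delete_cmds "$IFACE"
}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        sample_cmds
    else
        ifconfig "$IFACE" inet6 | deprecated_addrs | delete_cmds "$IFACE" | sh
    fi
}

run
```

For the periodic run Andrey describes, install it with DRY_RUN=0 in root's crontab (for example every few minutes); whether deleting the deprecated addresses actually makes NPTv6 switch prefix on the poster's setup is exactly what the rest of the message reports as still not working, so check the result with ipfw(8) after the first run rather than assuming it.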