Re: IPFW: IPv6 and NPTv6 issues: multiple IPv6 addresses confuses IPFW

From: Andrey V. Elsukov <bu7cher_at_yandex.ru>
Date: Sun, 19 Feb 2023 10:30:13 UTC
18.02.2023 18:42, FreeBSD User wrote:
> On a 24 hour basis, the ISP changes the IPv4 and IPv6 on the WAN
> interface. We use NPTv6 to translate ULA addresses for the inner
> IPv6 networks. We use IPv6 privacy on the tun0 interface. The
> router/firewall is operating after a reboot or restart of mpd5
> correctly, IPv6 and IPv4 networks have connection to the internet.
> When the ISP rotates its IPs, the IPv6 address is configured using
> SLAAC and mpd5 seems to act weird:
> 
> - the IPv4 address is always set correctly, IPFW and in-kernel NAT
>   route/filter traffic correctly
> - sometimes the old IPv6 address is dumped and only a new IPv6
>   address remains - in such a case, the old IPv6 is gone, the new
>   pair (temporary and MACified address) are the only IPv6 addresses
>   attached to the interface.
> - sometimes the old IPv6 address set (= temporary) is marked
>   "deprecated" and/or "detached" and a new set is attached to the
>   interface tun0, in some rare occasions also an IPv6 address WITHOUT
>   its "temporary" sibling is attached.
> 
> In any of the cases above, IPFW's NPTv6 gets confused, routing isn't
> working properly anymore.
> 
> In any case of a change of the IPv6 address, IPFW has to be
> restarted!

Hi,

I assume you are using ext_if option in your NPTv6 instance configuration.

I think there might be several problems that lead to your situation:

1. NPTv6 tracks IPv6 address deletion, but since the old IPv6 address 
that was used as the external prefix is kept on the interface, it ignores 
the appearance of a new IPv6 address.

2. Then, even if you delete the old IPv6 address by hand, NPTv6 won't try to 
pick another one until a new address appears.

3. There should be some logic that takes into account the presence of 
temporary and deprecated addresses on the interface.

-- 
WBR, Andrey V. Elsukov
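The address-selection logic point 3 asks for, worked through as an added example that is not part of this thread and not FreeBSD's or ipfw's own code: it parses the inet6 lines of `ifconfig tun0 inet6` output (the sample below is constructed), skips link-local, ULA, temporary, deprecated, detached and tentative addresses, and derives the stable global prefix that an NPTv6 instance should use as `ext_prefix`. The `plan_reload` helper compares that prefix with the one currently configured and returns the `ipfw nptv6 ... destroy` / `create` command pair only when they differ, so it can be run from a periodic job or a devd hook without recreating the instance on every tick. The `UNUSABLE_FLAGS` policy, the `wan` instance name and the `fd00:1::/64` internal prefix are assumptions of this example; the `ipfw nptv6` command syntax is the one documented in ipfw(8).

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `ifconfig tun0 inet6` output (not taken from the thread).
SAMPLE_IFCONFIG = """\
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
\tinet6 fe80::1%tun0 prefixlen 64 scopeid 0x5
\tinet6 2001:db8:1:2::1 prefixlen 64 deprecated
\tinet6 2001:db8:1:2:1234:5678:9abc:def0 prefixlen 64 deprecated temporary
\tinet6 2001:db8:3:4::1 prefixlen 64 autoconf
\tinet6 2001:db8:3:4:abcd:ef01:2345:6789 prefixlen 64 autoconf temporary
"""

# Address flags FreeBSD's ifconfig prints after an inet6 address.
KNOWN_FLAGS = {"autoconf", "temporary", "deprecated", "detached",
               "tentative", "duplicated", "prefer_source"}
# Assumed policy: none of these may be the NPTv6 external prefix.
UNUSABLE_FLAGS = {"temporary", "deprecated", "detached", "tentative", "duplicated"}
ULA = ipaddress.IPv6Network("fc00::/7")

INET6_LINE = re.compile(r"^\s*inet6\s+(\S+)\s+prefixlen\s+(\d+)(.*)$")


@dataclass
class Inet6Addr:
    address: ipaddress.IPv6Address
    prefixlen: int
    flags: frozenset


def parse_inet6(ifconfig_output: str) -> list:
    """Parse the inet6 lines of ifconfig output into Inet6Addr records."""
    result = []
    for line in ifconfig_output.splitlines():
        m = INET6_LINE.match(line)
        if not m:
            continue
        addr_text, plen, rest = m.groups()
        # Link-local addresses carry a %zone suffix that IPv6Address rejects.
        addr_text = addr_text.split("%", 1)[0]
        flags = frozenset(tok for tok in rest.split() if tok in KNOWN_FLAGS)
        result.append(Inet6Addr(ipaddress.IPv6Address(addr_text), int(plen), flags))
    return result


def select_external_prefix(ifconfig_output: str):
    """Return the network of the first stable, global, usable address, or None."""
    for a in parse_inet6(ifconfig_output):
        if a.address.is_link_local or a.address.is_loopback or a.address in ULA:
            continue  # not routable on the internet side
        if a.flags & UNUSABLE_FLAGS:
            continue  # temporary/deprecated/detached addresses are skipped
        return ipaddress.IPv6Network((a.address, a.prefixlen), strict=False)
    return None


def plan_reload(name: str, int_prefix: str, current_ext_prefix: str,
                ifconfig_output: str) -> list:
    """Return the ipfw commands needed to move the NPTv6 instance to the
    currently selected prefix, or an empty list if nothing changed."""
    selected = select_external_prefix(ifconfig_output)
    if selected is None or selected == ipaddress.IPv6Network(current_ext_prefix):
        return []
    # NPTv6 is stateless, so destroy/create loses no translation state.
    return [
        f"ipfw nptv6 {name} destroy",
        f"ipfw nptv6 {name} create int_prefix {int_prefix} "
        f"ext_prefix {selected.network_address} prefixlen {selected.prefixlen}",
    ]


if __name__ == "__main__":
    for cmd in plan_reload("wan", "fd00:1::/64", "2001:db8:1:2::/64", SAMPLE_IFCONFIG):
        print(cmd)
```

Using a fixed `ext_prefix` that a script refreshes, rather than `ext_if`, sidesteps the two failure modes described in points 1 and 2: the instance no longer depends on the kernel noticing an address deletion, and the check itself decides which of the interface's several addresses is the external prefix.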