6to4, stf and shoebox NAT routers

Lapo Luchini lapo at lapo.it
Wed Aug 29 11:37:39 PDT 2007

Hajimu UMEMOTO wrote:
> lapo> Does your patch address incoming packets too?
> Yes, it should address incoming packets.
> [...]
> How do you configure your stf interface?  You need to assign a 6to4
> address which is derived from the IPv4 global address assigned to the
> NAT box.
> And you need to set net.link.stf.no_addr4check to 1.
> Is it okay?

I had prepared a beautiful and very long explanation of the test I did.
But just a few seconds before hitting the "send" button I decided to
cross-check the "sysctl net.inet6.ip6" on the two boxes and noticed
I have ipfw active in the natted one....

Sometimes, when doing "strange" things such as patching the kernel and
using tunneled IPv6 behind a NAT... one can easily forget to check more
MUNDANE & EASY reasons for things, such as tcpdump showing the incoming
packets BEFORE ipfw happily THROWS THEM AWAY because of long-forgotten
rules that I myself wrote someday and that didn't include protocol 41.

Lesson taken.

Oh well, at least the problem is solved, and I'm back and running on the
IPv6 ;-)

I hope your patch is accepted upstream, because in these times of IPv4
scarcity NAT-ted boxes will be more and more common and unfortunately
not every NAT knows about IPv6, and even if it does, like mine does, it
may only support normal tunnels and not 6to4 configuration, and even a
NAT-ted FreeBSD box can come to the rescue ;-)

