GIF tunnel doesnt like fragmented packets?
    Chris Benesch 
    chris.benesch at gmail.com
       
    Wed Jul 11 02:27:05 UTC 2012
    
    
  
So I'm trying to set up a tunnel with Hurricane Electric.  Works great on
OpenBSD BTW, took only a minute or two.
So heres rc.conf
ipv6_gateway_enable="YES"
gif_interfaces="gif0"
gifconfig_gif0="198.168.0.2 64.62.134.130"
ipv6_network_interfaces="rl0 em0 gif0 lo0"
ifconfig_gif0_ipv6="inet6 2001:470:66:3a3::2 2001:470:66:3a3::1 prefixlen
128"
ipv6_defaultrouter="2001:470:66:3a3::1"
And I am running pf on the box.
# macros
ext_if="rl0"
int_if="em0"
if_6="gif0"
tcp_services="{ 22,25,80 }"
udp_services="{ 500 }"
icmp_types="echoreq"
workstation="192.168.231.15"
# options
set optimization normal
set block-policy return
set skip on { lo gif0 }
# scrub
scrub in no-df
# nat/rdr
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
# filter rules
block in log on rl0
pass out quick flags S/SA keep state
pass in quick on $int_if flags S/SA keep state allow-opts
pass in quick from 192.168.231.1 to 192.168.231.1
pass in log from 64.62.134.130 to any
antispoof quick for { lo }
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
pass in on $if_6 inet6 proto tcp from any to ($if_6) port $tcp_services
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services
pass in on $if_6 inet6 proto udp from any to ($if_6) port $udp_services
pass in inet6 proto icmp6 from any to any
pass in inet proto icmp from any to any
Ok, so now thats out of the way.
Basically I see packets going out, but none coming back, and they clearly
are coming back on the internet facing interface.  I've ran a dump on pflog
and nothing its not dropping it.
Here is a dump for a couple pings from the outside interface:
18:53:09.462410 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4
(0x0800), length 90: (tos 0x0, ttl 30, id 35752, offset 0, flags [none],
proto IPv6 (41), length 76)
    192.168.0.2 > 64.62.134.130: (hlim 64, next-header ICMPv6 (58) payload
length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6,
echo request, length 16, seq 0
18:53:09.507572 00:24:7b:c8:f1:70 > 00:11:09:01:c8:26, ethertype IPv4
(0x0800), length 90: (tos 0x0, ttl 248, id 0, offset 0, flags [DF], proto
IPv6 (41), length 76)
    64.62.134.130 > 192.168.0.2: (hlim 64, next-header ICMPv6 (58) payload
length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6,
echo reply, length 16, seq 0
18:53:09.507598 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4
(0x0800), length 90: (tos 0x0, ttl 247, id 0, offset 0, flags [none], proto
IPv6 (41), length 76)
    192.168.0.2 > 198.168.0.2: (hlim 64, next-header ICMPv6 (58) payload
length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6,
echo reply, length 16, seq 0
18:53:10.462714 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4
(0x0800), length 90: (tos 0x0, ttl 30, id 35756, offset 0, flags [none],
proto IPv6 (41), length 76)
    192.168.0.2 > 64.62.134.130: (hlim 64, next-header ICMPv6 (58) payload
length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6,
echo request, length 16, seq 1
18:53:10.509347 00:24:7b:c8:f1:70 > 00:11:09:01:c8:26, ethertype IPv4
(0x0800), length 90: (tos 0x0, ttl 248, id 0, offset 0, flags [DF], proto
IPv6 (41), length 76)
    64.62.134.130 > 192.168.0.2: (hlim 64, next-header ICMPv6 (58) payload
length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6,
echo reply, length 16, seq 1
18:53:10.509366 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4
(0x0800), length 90: (tos 0x0, ttl 247, id 0, offset 0, flags [none], proto
IPv6 (41), length 76)
    192.168.0.2 > 198.168.0.2: (hlim 64, next-header ICMPv6 (58) payload
length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6,
echo reply, length 16, seq 1
You get the picture there is back and forth
And here is gif0
[root at maricopacomputer ~]# tcpdump -lenvvvvi gif0
tcpdump: WARNING: gif0: no IPv4 address assigned
tcpdump: listening on gif0, link-type NULL (BSD loopback), capture size
65535 bytes
18:52:34.975121 AF IPv6 (28), length 60: (hlim 64, next-header ICMPv6 (58)
payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok]
ICMP6, echo request, length 16, seq 0
18:52:35.975701 AF IPv6 (28), length 60: (hlim 64, next-header ICMPv6 (58)
payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok]
ICMP6, echo request, length 16, seq 1
18:52:36.975684 AF IPv6 (28), length 60: (hlim 64, next-header ICMPv6 (58)
payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok]
ICMP6, echo request, length 16, seq 2
18:52:37.975689 AF IPv6 (28), length 60: (hlim 64, next-header ICMPv6 (58)
payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok]
ICMP6, echo request, length 16, seq 3
18:52:39.974653 AF IPv6 (28), length 68: (hlim 255, next-header ICMPv6 (58)
payload length: 24) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok]
ICMP6, neighbor solicitation, length 24, who has 2001:470:66:3a3::1
18:52:40.974653 AF IPv6 (28), length 68: (hlim 255, next-header ICMPv6 (58)
payload length: 24) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok]
ICMP6, neighbor solicitation, length 24, who has 2001:470:66:3a3::1
18:52:41.974652 AF IPv6 (28), length 68: (hlim 255, next-header ICMPv6 (58)
payload length: 24) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok]
ICMP6, neighbor solicitation, length 24, who has 2001:470:66:3a3::1
The only thing I notice is that the ones coming from HE have the DF flag
set?  Am I on the wrong path?  Have no idea how to get this to work.
    
    
More information about the freebsd-net
mailing list