NAT64 return traffic vanishes after successful de-alias

John W. O'Brien john at
Sat Dec 14 19:54:42 UTC 2019

Hello FreeBSD Networking,

As the subject summarizes, I have a mostly-working NAT64 rig, but return
traffic is disappearing, and I haven't been able to figure out why. I
observe the post-translation (4-to-6) packets via ipfwlog0, but a simple
ipfw counter rule matches nothing.

My attempt to develop a minimum reproducible example failed in the sense
that I did not reproduce the problem. Of course, this implies that one
of the many differences between the simplified test (EC2 instance, two
jails) and the problem rig (physical server, lagg, vlans, other things
going on) is the cause.

What I am hoping this list can help me with is being smart about what I
try next. Otherwise, I would probably just try to brute force a solution
by thinking of ways to permute the config that would rule each possible
difference in or out.

So far my main troubleshooting tools have been ipfw for its rule
counters and nat64lsn stats output, netstat to look at fibs, and tcpdump
pointed at real and diagnostic interfaces. What debugging tools and
techniques should I employ to do better than brute force?

If it would help, I would gladly share the working, EC2/jail demo
configs on the list. Sharing the non-working configs I would prefer to
do privately or not at all.

This is on 12.1-RELEASE.

Thank you,

John W. O'Brien
OpenPGP keys:
