IPFW NAT64 changed 11.2 --> 11.3?
Patrick M. Hausen
hausen at punkt.de
Wed Jun 26 08:20:44 UTC 2019
Hi all,
we have a bit of a problem with some new servers that
use NAT64 to access certain services that offer only
legacy IP - like github.
As far as I found the respective NAT64 gateways (in jails
with VNET) are configured identically except for the
particular addresses, of course.
Yet, 11.2 works, 11.3-RC1 doesn’t.
OK, on to the config …
Working server:
ifconfig inet0
inet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
inet6 2a00:b580:8000:12:xxxx:xxxx:xxxx:xxxx prefixlen 64
netstat -rn
64:ff9b::/96 2a00:b580:8000:12:yyyy:yyyy:yyyy:yyyy UGS inet0
drill github.map.fastly.net aaaa
github.map.fastly.net. 15 IN AAAA 64:ff9b::9765:7085
ping6 github.map.fastly.net
16 bytes from 64:ff9b::9765:7085, icmp_seq=0 hlim=57 time=3.801 ms
Broken server:
ifconfig inet0
inet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
inet6 2a00:b580:8000:12:xxxx:xxxx:xxxx:xxxx prefixlen 64
netstat -rn
64:ff9b::/96 2a00:b580:8000:12:yyyy:yyyy:yyyy:yyyy UGS inet0
drill github.map.fastly.net aaaa
github.map.fastly.net. 15 IN AAAA 64:ff9b::9765:7085
So up to the 4-in-6 DNS translation everything is working as it should, but then
when actual traffic is involved:
ping6 github.map.fastly.net
16 bytes from d91d:2891::9765:7085, icmp_seq=0 hlim=57 time=2.324 ms
What the … is this IP address here? All I know is that the block is supposed to be
IANA reserved. And TCP connections to github.map.fastly.net of course stall, never
receiving an answer packet.
The NAT64 gateways on both servers have these ipfw rules:
root at gate64:~ # ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
01100 allow ipv6-icmp from :: to ff02::/16
01200 allow ipv6-icmp from fe80::/10 to fe80::/10
01300 allow ipv6-icmp from fe80::/10 to ff02::/16
01400 allow ipv6-icmp from any to me6 ip6 icmp6types 1,2,3,4
01500 allow ipv6-icmp from any to any ip6 icmp6types 135,136
02000 allow icmp from any to me icmptypes 8
02100 allow ipv6-icmp from any to me6 ip6 icmp6types 128,129
03000 allow tcp from any to 217.29.40.y 80,443
03100 allow tcp from me6 to any 80,443
05000 nat64lsn NAT64 ip from 2a00:b580::/32 to 64:ff9b::/96 in
05100 nat64lsn NAT64 ip from any to 217.29.40.y in
65535 allow ip from any to any
Any hints welcome.
Thanks,
Patrick
--
punkt.de GmbH Internet - Dienstleistungen - Beratung
Kaiserallee 13a Tel.: 0721 9109-0 Fax: -100
76133 Karlsruhe info at punkt.de http://punkt.de
AG Mannheim 108285 Gf: Juergen Egeling
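Added example, not part of the original mail: a small Python script that does the RFC 6052 /96 NAT64 embedding and extraction for the well-known prefix 64:ff9b::/96 the post routes, and then classifies ping6 reply sources the way one would when diagnosing the two outputs above. The only assumptions are the helper names and the hand-copied sample lines (taken from the working and broken ping6 runs in the mail); the 2000::/3 check is simply the IANA global unicast allocation from RFC 4291. Run on the two replies quoted above, it shows that both sources decode to the same IPv4 address (151.101.112.133) in their low 32 bits and differ only in the leading 96 bits, which is a useful thing to confirm before comparing the two hosts further.

```python
import ipaddress
import re

# Well-known NAT64 prefix (RFC 6052); the post routes 64:ff9b::/96 to the gateway.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
# IANA global unicast allocation (RFC 4291). A reply source outside both this
# block and the NAT64 prefix is not something this setup should ever produce.
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def embed_ipv4(v4, prefix=NAT64_PREFIX):
    """RFC 6052 /96 form: the IPv4 address occupies the low 32 bits of the prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 embedding is handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def low32_as_ipv4(v6):
    """Decode the low 32 bits of any IPv6 address as a dotted-quad IPv4 address."""
    return ipaddress.IPv4Address(int(ipaddress.IPv6Address(v6)) & 0xFFFFFFFF)


def extract_ipv4(v6, prefix=NAT64_PREFIX):
    """Return the embedded IPv4 address, or None when v6 is not inside the NAT64 prefix."""
    if ipaddress.IPv6Address(v6) not in prefix:
        return None
    return low32_as_ipv4(v6)


def classify_source(v6, prefix=NAT64_PREFIX):
    """Label a reply source as translated, native IPv6, or unexpected."""
    addr = ipaddress.IPv6Address(v6)
    if addr in prefix:
        return f"translated via {prefix} -> {low32_as_ipv4(v6)}"
    if addr in GLOBAL_UNICAST:
        return "native IPv6 (inside 2000::/3)"
    # Neither a NAT64-synthesised address nor allocated global unicast space.
    return (f"unexpected: outside {prefix} and outside 2000::/3; "
            f"low 32 bits decode to {low32_as_ipv4(v6)}")


# Matches the source address in a ping6 reply line such as
# "16 bytes from 64:ff9b::9765:7085, icmp_seq=0 hlim=57 time=3.801 ms"
PING_REPLY = re.compile(r"bytes from ([0-9a-fA-F:]+),")


def check_ping_replies(lines, prefix=NAT64_PREFIX):
    """Parse ping6 reply lines and return (source, verdict) pairs."""
    results = []
    for line in lines:
        m = PING_REPLY.search(line)
        if m:
            results.append((m.group(1), classify_source(m.group(1), prefix)))
    return results


if __name__ == "__main__":
    # Constructed sample: the two ping6 replies quoted in the mail (working, then broken).
    sample = [
        "16 bytes from 64:ff9b::9765:7085, icmp_seq=0 hlim=57 time=3.801 ms",
        "16 bytes from d91d:2891::9765:7085, icmp_seq=0 hlim=57 time=2.324 ms",
    ]
    for src, verdict in check_ping_replies(sample):
        print(f"{src:24} {verdict}")
```

Feeding it the captured ping6 output of both hosts gives a one-line verdict per reply, so a gateway that starts answering from a prefix other than the one in its route and its nat64lsn rule stands out immediately.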