nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed out

Michael Grimm trashcan at odo.in-berlin.de
Fri Dec 28 12:04:19 UTC 2012


Hi --

I do run both my primary and secondary nameservers (distinct servers) in FreeBSD jails jail1 and jail2 as outlined below:

(jail1/a:a:a:a::1:1)                         <--WAN-->                          (jail2/b:b:b:b::1:1)
(jail1/10.10.10.1) <--NAT--> (host 1.2.3.4)  <--WAN--> (host 5.6.7.8) <--NAT--> (jail2/10.10.10.1)

Here's the relevant part of my pf.conf (server1):

| nat on em0 inet from 10.10.10.1 to any -> 1.2.3.4
| rdr on em0 inet proto tcp from any to 1.2.3.4 port = domain -> 10.10.10.1 port 53
| rdr on em0 inet proto udp from any to 1.2.3.4 port = domain -> 10.10.10.1 port 53
| pass in log on em0 inet proto tcp from any to 10.10.10.1 port = domain flags S/SA keep state tag ip4domain
| pass in log on em0 inet proto udp from any to 10.10.10.1 port = domain keep state tag ip4domain
| pass in log on em0 inet6 proto tcp from any to a:a:a:a::1:1 port = domain flags S/SA keep state tag ip6domain
| pass in log on em0 inet6 proto udp from any to a:a:a:a::1:1 port = domain keep state tag ip6domain

This is at server2:

| nat on em0 inet from 10.10.10.1 to any -> 5.6.7.8
| rdr on em0 inet proto tcp from any to 5.6.7.8 port = domain -> 10.10.10.1 port 53
| rdr on em0 inet proto udp from any to 5.6.7.8 port = domain -> 10.10.10.1 port 53
| pass in log on em0 inet proto tcp from any to 10.10.10.1 port = domain flags S/SA keep state tag ip4domain
| pass in log on em0 inet proto udp from any to 10.10.10.1 port = domain keep state tag ip4domain
| pass in log on em0 inet6 proto tcp from any to b:b:b:b::1:1 port = domain flags S/SA keep state tag ip6domain
| pass in log on em0 inet6 proto udp from any to b:b:b:b::1:1 port = domain keep state tag ip6domain

tcp4 and udp4 connections between both nameservers are served as expected, as well as udp6.

But tcp6 doesn't work:

| jail1>
| nc -6vw 1 b:b:b:b::1:1 53
| nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed out

I do see using tcpdump at server1:

| 00:00:02.066251 xx:xx:xx:xx:xx > yy:yy:yy:yy:yy, ethertype IPv6 (0x86dd), length 94: (flowlabel 0xa3c71, hlim 63, next-header TCP (6) payload length: 40) b:b:b:b::1.64158 > a:a:a:a:1::1.53: Flags [S], cksum 0x959b (incorrect -> 0x58f9), seq 3833155181, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 495939599 ecr 0], length 0

The same happens the other way around. And, that lack of tcp6 connectivity stands true for all my other service jails as well. I cannot reach any distinct IPv6 service from my jails :-(

JFTR: both nameservers are listening on the given IPv6 addresses, as checked by "sockstat -6".

What I did try so far:

- Setting "flags any" and/or "no state" on the tcp6 rules
- Adding private IPv6 addresses to my jails and implementing nat66
- Activating rtadvd

But without any success. So, what's going wrong here:
- Is it my setup regarding pf?
- Is it my setup in general?
- Is it a screwed IPv6 routing?
- Or something else?

Any help is highly appreciated.

Thanks and with kind regards,
Michael
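As an added triage helper (not part of the post above and not anything the author ran), the following Python parses tcpdump's verbose IPv6/TCP output lines of the shape quoted in the post, then reports SYNs that never get a SYN/ACK from the peer and packets whose checksum tcpdump marked "incorrect". The sample lines are constructed: the first mirrors the quoted capture, the second is an invented SYN/ACK reply used only to show what an answered handshake looks like.

```python
import re
from typing import Dict, List, Optional

# Constructed samples modelled on the tcpdump line in the post (same anonymised
# addresses). SYNACK_LINE is invented: it is what a reply would look like.
SYN_LINE = (
    "00:00:02.066251 xx:xx:xx:xx:xx > yy:yy:yy:yy:yy, ethertype IPv6 (0x86dd), length 94: "
    "(flowlabel 0xa3c71, hlim 63, next-header TCP (6) payload length: 40) "
    "b:b:b:b::1.64158 > a:a:a:a:1::1.53: Flags [S], cksum 0x959b (incorrect -> 0x58f9), "
    "seq 3833155181, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 495939599 ecr 0], length 0"
)
SYNACK_LINE = (
    "00:00:02.066900 yy:yy:yy:yy:yy > xx:xx:xx:xx:xx, ethertype IPv6 (0x86dd), length 94: "
    "(flowlabel 0x12345, hlim 64, next-header TCP (6) payload length: 40) "
    "a:a:a:a:1::1.53 > b:b:b:b::1.64158: Flags [S.], cksum 0x1234 (correct), "
    "seq 1, ack 3833155182, win 65535, options [mss 1440], length 0"
)

# Fields of a `tcpdump -v` IPv6/TCP line; the checksum annotation is optional
# because tcpdump -K omits it entirely.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ > \S+, ethertype IPv6 \(0x86dd\), length \d+: "
    r"\(flowlabel (?P<flowlabel>0x[0-9a-f]+), hlim (?P<hlim>\d+), next-header TCP \(6\) "
    r"payload length: (?P<plen>\d+)\) "
    r"(?P<src>[0-9a-f:]+)\.(?P<sport>\d+) > (?P<dst>[0-9a-f:]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], cksum (?P<cksum>0x[0-9a-f]+)"
    r"(?: \((?P<ckstate>correct|incorrect)(?: -> (?P<expect>0x[0-9a-f]+))?\))?"
)


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the IPv6/TCP fields of one verbose tcpdump line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def unanswered_syns(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """SYNs ([S]) for which no SYN/ACK ([S.]) from the peer appears in the capture."""
    pkts = [p for p in map(parse_line, lines) if p]
    # A reply is keyed by the 4-tuple of the SYN it answers (addresses/ports swapped).
    answered = {(p["dst"], p["dport"], p["src"], p["sport"]) for p in pkts if p["flags"] == "S."}
    return [p for p in pkts if p["flags"] == "S"
            and (p["src"], p["sport"], p["dst"], p["dport"]) not in answered]


def bad_checksums(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Packets tcpdump could not verify; on hosts with checksum offload this alone proves little."""
    return [p for p in map(parse_line, lines) if p and p["ckstate"] == "incorrect"]
```

Run it over the output of `tcpdump -v -i em0 ip6 and tcp port 53` captured on both hosts: a SYN listed by unanswered_syns on the receiving host while the jail's sockstat shows a listener narrows the problem to the path between the interface and the jail socket (pf or routing), which is the distinction the post is asking about.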

