PF vs. ping6

Christopher Cowart ccowart at
Fri Feb 22 00:36:01 UTC 2008

On Fri, Feb 22, 2008 at 01:14:55AM +0100, Colin Brace wrote:
> Hi all,
> I am trying to set up an IPv6 tunnel following the instructions in the
> handbook <>.
> aiccu starts ok:
> # sixxs-aiccu start
> Tunnel Information for T14342:
> POP Id      : nlams05
> IPv6 Local  : xxxxxxxxxxxxxxxxx2/64
> IPv6 Remote : xxxxxxxxxxxxxxxxx1/64
> Tunnel Type : 6in4-heartbeat
> Adminstate  : enabled
> Userstate   : enabled
> I can ping6 localhost, I can ping6 the tunnel begin point (local), but
> I can't ping6 the (remote) end point. Firing up tcpdump, I see that
> the firewall is blocking the ping packets.
> I have these (provisional) rules at the top of the filter section in PF:
> pass quick on fxp0 inet6 # ext if

I don't use pf, but I'm guessing from the man page that you may need to
pass quick on fxp0 proto 41

You might be able to substitute 41 with the symbolic name in
/etc/protocols (ipv6).

Note that you're trying to match the "protocol" field of an IPv4 address
which, for the majority of internet traffic, is tcp, udp, or icmp; in
this case it's ipv6, because the contents of your IPv4 packets are the
tunneled v6 packets.

I think 'pass quick on fxp0 inet6' is checking against the type of the
outer packet, which is actually an IPv4 packet.

Good luck,

Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
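
Added illustration, not part of the original message and not pf code: a simplified Python model of why a rule keyed on the inet6 address family does not match 6in4 traffic on the physical interface, while a rule keyed on protocol 41 does. The rule dictionaries, function names and sample addresses (192.0.2.0/24, 2001:db8::/32) are constructed for the example.

```python
import struct

PROTO_IPV6 = 41    # "ipv6" in /etc/protocols: an IPv6 packet carried inside IPv4
PROTO_ICMPV6 = 58  # next-header value for ICMPv6

def build_ipv6(next_header, payload):
    """Minimal 40-byte IPv6 header; addresses are constructed (2001:db8::/32)."""
    src = bytes.fromhex("20010db8000000000000000000000002")
    dst = bytes.fromhex("20010db8000000000000000000000001")
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload),
                       next_header, 64, src, dst) + payload

def build_6in4(src4, dst4, inner6):
    """Wrap an IPv6 packet in a 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner6), 0, 0,
                       64, PROTO_IPV6, 0, bytes(src4), bytes(dst4)) + inner6

def classify(packet):
    """(address family, protocol) of the outermost header, as a filter on
    the physical interface sees the packet."""
    version = packet[0] >> 4
    if version == 4:
        return "inet", packet[9]   # IPv4 protocol field
    if version == 6:
        return "inet6", packet[6]  # IPv6 next-header field
    raise ValueError("not an IP packet")

def matches(rule, packet):
    """Simplified rule model: keys absent from the rule match anything."""
    af, proto = classify(packet)
    return rule.get("af", af) == af and rule.get("proto", proto) == proto

def decapsulate(packet):
    """Strip the outer IPv4 header (IHL counts 32-bit words)."""
    if classify(packet) != ("inet", PROTO_IPV6):
        raise ValueError("not a 6in4 packet")
    return packet[(packet[0] & 0x0F) * 4:]

# Constructed sample: ICMPv6 echo request (type 128) inside a 6in4 packet.
ECHO = struct.pack("!BBHHH", 128, 0, 0, 1, 1)
INNER = build_ipv6(PROTO_ICMPV6, ECHO)
ON_WIRE = build_6in4([192, 0, 2, 1], [192, 0, 2, 2], INNER)
RULE_INET6 = {"af": "inet6"}          # models: pass quick on fxp0 inet6
RULE_PROTO41 = {"proto": PROTO_IPV6}  # models: pass quick on fxp0 proto 41

if __name__ == "__main__":
    print(classify(ON_WIRE), matches(RULE_INET6, ON_WIRE),
          matches(RULE_PROTO41, ON_WIRE))
    print(classify(decapsulate(ON_WIRE)))
```

Only after decapsulation does the packet present as inet6 with ICMPv6 as its next header, which is the view a filter has on the tunnel interface rather than on fxp0.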