From: Chris Benesch
To: freebsd-net@freebsd.org
Date: Tue, 10 Jul 2012 19:27:04 -0700
Subject: GIF tunnel doesn't like fragmented packets?
List-Id: Networking and TCP/IP with FreeBSD

So I'm trying to set up a tunnel with Hurricane Electric. Works great on OpenBSD BTW, took only a minute or two.
So here's rc.conf:

ipv6_gateway_enable="YES"
gif_interfaces="gif0"
gifconfig_gif0="198.168.0.2 64.62.134.130"
ipv6_network_interfaces="rl0 em0 gif0 lo0"
ifconfig_gif0_ipv6="inet6 2001:470:66:3a3::2 2001:470:66:3a3::1 prefixlen 128"
ipv6_defaultrouter="2001:470:66:3a3::1"

And I am running pf on the box.

# macros
ext_if="rl0"
int_if="em0"
if_6="gif0"
tcp_services="{ 22,25,80 }"
udp_services="{ 500 }"
icmp_types="echoreq"
workstation="192.168.231.15"

# options
set optimization normal
set block-policy return
set skip on { lo gif0 }

# scrub
scrub in no-df

# nat/rdr
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)

# filter rules
block in log on rl0
pass out quick flags S/SA keep state
pass in quick on $int_if flags S/SA keep state allow-opts
pass in quick from 192.168.231.1 to 192.168.231.1
pass in log from 64.62.134.130 to any
antispoof quick for { lo }
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
pass in on $if_6 inet6 proto tcp from any to ($if_6) port $tcp_services
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services
pass in on $if_6 inet6 proto udp from any to ($if_6) port $udp_services
pass in inet6 proto icmp6 from any to any
pass in inet proto icmp from any to any

Ok, so now that's out of the way. Basically I see packets going out, but none coming back, and they clearly are coming back on the internet facing interface. I've run a dump on pflog and nothing, it's not dropping it.
Here is a dump for a couple of pings from the outside interface:

18:53:09.462410 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 30, id 35752, offset 0, flags [none], proto IPv6 (41), length 76)
    192.168.0.2 > 64.62.134.130: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, echo request, length 16, seq 0
18:53:09.507572 00:24:7b:c8:f1:70 > 00:11:09:01:c8:26, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 248, id 0, offset 0, flags [DF], proto IPv6 (41), length 76)
    64.62.134.130 > 192.168.0.2: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6, echo reply, length 16, seq 0
18:53:09.507598 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 247, id 0, offset 0, flags [none], proto IPv6 (41), length 76)
    192.168.0.2 > 198.168.0.2: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6, echo reply, length 16, seq 0
18:53:10.462714 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 30, id 35756, offset 0, flags [none], proto IPv6 (41), length 76)
    192.168.0.2 > 64.62.134.130: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, echo request, length 16, seq 1
18:53:10.509347 00:24:7b:c8:f1:70 > 00:11:09:01:c8:26, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 248, id 0, offset 0, flags [DF], proto IPv6 (41), length 76)
    64.62.134.130 > 192.168.0.2: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6, echo reply, length 16, seq 1
18:53:10.509366 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 247, id 0, offset 0, flags [none], proto IPv6 (41), length 76)
    192.168.0.2 > 198.168.0.2: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6, echo reply, length 16, seq 1

You get the picture, there is back and forth.

And here is gif0:

[root@maricopacomputer ~]# tcpdump -lenvvvvi gif0
tcpdump: WARNING: gif0: no IPv4 address assigned
tcpdump: listening on gif0, link-type NULL (BSD loopback), capture size 65535 bytes
18:52:34.975121 AF IPv6 (28), length 60: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, echo request, length 16, seq 0
18:52:35.975701 AF IPv6 (28), length 60: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, echo request, length 16, seq 1
18:52:36.975684 AF IPv6 (28), length 60: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, echo request, length 16, seq 2
18:52:37.975689 AF IPv6 (28), length 60: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, echo request, length 16, seq 3
18:52:39.974653 AF IPv6 (28), length 68: (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has 2001:470:66:3a3::1
18:52:40.974653 AF IPv6 (28), length 68: (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has 2001:470:66:3a3::1
18:52:41.974652 AF IPv6 (28), length 68: (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has 2001:470:66:3a3::1

The only thing I notice is that the ones coming from HE have the DF flag set? Am I on the wrong path? Have no idea how to get this to work.
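As an added check (not part of the original post), this Python script parses the outer IPv4 header of each proto-41 frame in a tcpdump -v capture and compares its source/destination pair with the endpoints in gifconfig_gif0; gif(4) will not accept an encapsulated packet unless its outer addresses match the configured remote and local endpoints, so any frame flagged as a mismatch needs explaining before pf or the DF bit is suspected. The embedded capture is a constructed, trimmed copy of the first ping's three frames from the rl0 dump above.

```python
"""Cross-check the outer IPv4 addresses of proto-41 (IPv6-in-IPv4) frames against
a gif(4) tunnel configuration.  gif(4) only accepts an encapsulated packet whose
outer src/dst are its configured remote/local endpoints, so every proto-41 frame
on the wire should carry exactly that address pair."""
import re

# Value of gifconfig_gif0 from the rc.conf in the post: "<local> <remote>".
GIFCONFIG_GIF0 = "198.168.0.2 64.62.134.130"

# Constructed sample: the three proto-41 frames of the first ping in the rl0
# capture above, trimmed to the outer IPv4 header and the address pair.
RL0_CAPTURE = """\
18:53:09.462410 (tos 0x0, ttl 30, id 35752, offset 0, flags [none], proto IPv6 (41), length 76) 192.168.0.2 > 64.62.134.130: echo request
18:53:09.507572 (tos 0x0, ttl 248, id 0, offset 0, flags [DF], proto IPv6 (41), length 76) 64.62.134.130 > 192.168.0.2: echo reply
18:53:09.507598 (tos 0x0, ttl 247, id 0, offset 0, flags [none], proto IPv6 (41), length 76) 192.168.0.2 > 198.168.0.2: echo reply
"""

# Outer header fields as tcpdump -v prints them for an IPv4 packet carrying proto 41.
OUTER_RE = re.compile(
    r"ttl (?P<ttl>\d+),.*?flags \[(?P<flags>[^\]]*)\], proto IPv6 \(41\).*?\)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+):")

def parse_proto41(capture: str) -> list[dict]:
    """Return {src, dst, ttl, df} for every proto-41 line in a tcpdump -v dump."""
    hdrs = []
    for line in capture.splitlines():
        m = OUTER_RE.search(line)
        if m:
            hdrs.append({"src": m["src"], "dst": m["dst"],
                         "ttl": int(m["ttl"]), "df": "DF" in m["flags"]})
    return hdrs

def check_tunnel(gifconfig: str, hdrs: list[dict]) -> list[str]:
    """Label each frame 'outbound', 'inbound', or 'mismatch: <odd outer address>'."""
    local, remote = gifconfig.split()
    verdicts = []
    for h in hdrs:
        pair = (h["src"], h["dst"])
        if pair == (local, remote):
            verdicts.append("outbound")
        elif pair == (remote, local):
            verdicts.append("inbound")
        else:  # name whichever outer address is not one of the two configured endpoints
            odd = [f"{k} {h[k]}" for k in ("src", "dst") if h[k] not in (local, remote)]
            verdicts.append("mismatch: " + (", ".join(odd) or "same endpoint at both ends"))
    return verdicts

if __name__ == "__main__":
    hdrs = parse_proto41(RL0_CAPTURE)
    for h, v in zip(hdrs, check_tunnel(GIFCONFIG_GIF0, hdrs)):
        print(f'{h["src"]} > {h["dst"]} ttl={h["ttl"]} df={h["df"]}: {v}')
```

Run against a full `tcpdump -venni rl0 proto 41` capture, the script should report only "outbound" and "inbound"; the TTL column also shows whether a frame was locally generated or forwarded through the box (decremented by one).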