Date: Sun, 27 Nov 2022 12:55:02 +0100
From: FreeBSD User <freebsd@walstatt-de.de>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Subject: Re: NPTv6: prefix doesn't change in IPFW when prefix changes on dynamic interface
Message-ID: <20221127125522.0b095dee@thor.intern.walstatt.dynvpn.de>
In-Reply-To: <28091d68-ec5a-8b9d-eb0d-9f8c8728bfa6@yandex.ru>
References: <20221124162745.7589cf29@thor.intern.walstatt.dynvpn.de> <28091d68-ec5a-8b9d-eb0d-9f8c8728bfa6@yandex.ru>
On Fri, 25 Nov 2022 10:40:31 +0300, "Andrey V. Elsukov" <bu7cher@yandex.ru> wrote:

> 24.11.2022 18:27, FreeBSD User writes:
> > Hello,
> >
> > running a small routing/firewall appliance based on 13-STABLE and IPFW, I face a problem
> > with NPTv6. The external IPv6 is changing dynamically. While ipfw in-kernel NAT catches up
> > with dynamic changes of the IPv4, NPTv6 doesn't seem to.
> >
> > I'm neither an expert in networking nor IPFW.
> >
> > After a couple of days tun0 (the exterior PPP interface, uplink connection managed via
> > mpd5) has a lot of IPv6 addresses, all but one are marked "deprecated".
>
> > In case nor mpd5 is restarted or the exterior interface is assigned with several IPv6
> > addresses of which all but one are marked deprecated, pinging the outside world via IPv6
> > will take the wrong IPv6 - IPFW doesn't seem to catch up with the changes.
> >
> > How to fix this?
>
> Hi,
>
> probably the easiest way to solve your problem is periodically running
> some script that will find and delete deprecated addresses from an
> interface.
>
> Then NPTv6 module will use first global prefix on the interface.
>

I realized some strange behaviour and I wasn't able to come along with it.

From the net behind the firewall/router, after either the router appliance has been rebooted or ipfw restarted, "ping -6 freebsd.org" works from any host, but not from the router/firewall itself.

After my ISP has changed both the IPv4 AND IPv6 and tun0, the exterior-pointing PPP interface, has got at least one deprecated IPv6 address (it is also a "temporary IPv6 address" created to hide the MAC of the exterior interface), the router itself is capable of pinging IPv6 addresses in the outside world. But no host within my LAN is.

Simply deleting all "deprecated" marked IPv6 addresses from the tun0 interface doesn't change anything. NPTv6 is configured to use tun0, not an IPv6 prefix.

IPv6 routing on the router is done via its link-local fe80... address, if this is of interest.

I think I have to investigate the packet flow within IPFW and would like to ask whether there is a kind of monitor?

Thanks and kind regards,

O. Hartmann

--
O. Hartmann
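A script along the lines Andrey suggests in the quoted reply (find and delete the deprecated addresses so the NPTv6 instance bound to tun0 falls back to the first remaining global prefix), added here as an example and not taken from the thread. It assumes FreeBSD ifconfig(8) prints "deprecated" as a flag word on the inet6 line; the sample output and the 2001:db8:: addresses are constructed.

```shell
#!/bin/sh
# Constructed sample of `ifconfig tun0 inet6` output (not captured from a
# real system); addresses use the 2001:db8::/32 documentation prefix.
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
    inet6 fe80::1%tun0 prefixlen 64 scopeid 0x3
    inet6 2001:db8:aaaa:1::1 prefixlen 64 autoconf deprecated pltime 0 vltime 3600
    inet6 2001:db8:aaaa:1:1234:5678:9abc:def0 prefixlen 64 autoconf temporary deprecated pltime 0 vltime 3600
    inet6 2001:db8:bbbb:1::1 prefixlen 64 autoconf pltime 80000 vltime 85000
    inet6 2001:db8:bbbb:1:fedc:ba98:7654:3210 prefixlen 64 autoconf temporary pltime 80000 vltime 85000'

# Read ifconfig output on stdin and print, one per line, every global IPv6
# address whose flag list contains "deprecated". Link-local (fe80::) entries
# are skipped: they carry no RA lifetime and the router uses one for routing.
deprecated_addrs() {
    awk '$1 == "inet6" && $2 !~ /^fe80:/ {
        for (i = 3; i <= NF; i++)
            if ($i == "deprecated") { print $2; break }
    }'
}

# Delete every deprecated global address from the given interface (needs
# root). With DRY_RUN=1 only the ifconfig commands are printed, so the
# effect can be reviewed before anything is removed.
prune_deprecated() {
    ifname="$1"
    ifconfig "$ifname" inet6 | deprecated_addrs | while read -r addr; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "ifconfig $ifname inet6 $addr delete"
        else
            ifconfig "$ifname" inet6 "$addr" delete
        fi
    done
}
```

Intended to run periodically from cron or from the mpd5 up-script; `DRY_RUN=1 prune_deprecated tun0` shows what would be deleted.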