Date:      Sat, 18 Feb 2023 16:42:58 +0100
From:      FreeBSD User <freebsd@walstatt-de.de>
To:        freebsd-net@freebsd.org, FreeBSD CURRENT <freebsd-current@freebsd.org>
Subject:   IPFW: IPv6 and NPTv6 issues: multiple IPv6 addresses confuses IPFW
Message-ID:  <20230218164325.3a4c626a@thor.intern.walstatt.dynvpn.de>

Hello,

running a small nanoBSD firewall/router appliance, the WAN interface (tun0) is configured via
SLAAC when it comes to IPv6. The appliance is running in-kernel compiled IPFW. The OS is
FreeBSD 13-STABLE, compiled on a recurrent weekly basis.

On a 24 hour basis, the ISP changes the IPv4 and IPv6 on the WAN interface. We use NPTv6 to
translate  ULA addresses for the inner IPv6 networks. We use IPv6 privacy on the tun0
interface.
The router/firewall is operating correctly after a reboot or restart of mpd5; IPv6 and IPv4
networks have connection to the internet. When the ISP rotates its IPs, the IPv6 address is
configured using SLAAC and mpd5 seems to act weird:

- the IPv4 address is always set correctly, IPFW and in-kernel NAT route/filter traffic correctly
- sometimes the old IPv6 address is dumped and only a new IPv6 address is present - in such a case, the old
IPv6 is gone, the new pair (temporary and MACified address) are the only IPv6 addresses
attached to the interface.
- sometimes the old IPv6 address set (= temporary) is marked "deprecated" and/or "detached"
and a new set is attached to the interface tun0; on some rare occasion also an IPv6 address
WITHOUT its "temporary" sibling is attached.

In any of the cases above, IPFW's NPTv6 gets confused, routing isn't working properly anymore.

In any case of a change of the IPv6 address, IPFW has to be restarted!

In cases with marked deprecated and/or detached addresses, IPFW has to be restarted, AND the
deprecated and/or detached IPv6 addresses have to be deleted manually. Otherwise - so it seems
to me - NPTv6 takes the wrong (outdated) prefix. NPTv6 should not take any deprecated,
detached prefix if a valid prefix is available. Even deleting the deprecated IPv6 requires a
restart of IPFW. No matter how long I wait, NPTv6 never gets the changed prefix by itself.

Kind regards,

Oliver 


-- 
O. Hartmann
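A defender-side workaround for the behaviour described in the message above, added here as an example and not part of the original mail or of FreeBSD: a script that picks the currently usable SLAAC /64 on tun0 (skipping deprecated, detached, tentative and temporary addresses) and re-creates the NPTv6 instance with that prefix. The instance name `wan`, rule number 500, internal prefix fd00:1::/64 and state-file path are assumptions, and the ifconfig output is constructed.

```shell
#!/bin/sh
# Reload an IPFW NPTv6 instance from the SLAAC prefix that is usable right now on the
# WAN interface, ignoring deprecated/detached/tentative/temporary addresses.
WAN_IF=tun0
NPTV6_NAME=wan                        # nptv6 instance name (assumed)
INT_PREFIX=fd00:1::                   # inner ULA /64 (constructed)
RULE_NUM=500                          # ipfw rule referencing the instance (assumed)
STATE_FILE=/var/run/nptv6_ext_prefix  # last prefix applied (assumed path)
# Constructed ifconfig(8) output resembling tun0 after a prefix rotation (example values).
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
    inet6 fe80::1%tun0 prefixlen 64 scopeid 0x4
    inet6 2001:db8:aaaa:1:aaaa:bbbb:cccc:dddd prefixlen 64 deprecated autoconf
    inet6 2001:db8:aaaa:1:1111:2222:3333:4444 prefixlen 64 deprecated autoconf temporary
    inet6 2001:db8:bbbb:2::1234:5678 prefixlen 64 autoconf
    inet6 2001:db8:bbbb:2:abcd:ef01:2345:6789 prefixlen 64 autoconf temporary'
# Print the /64 of the first stable (non-temporary) SLAAC address that is neither
# deprecated, detached nor tentative; print nothing when no address is usable.
current_ext_prefix() {
  awk '
  # Expand a possible "::" so the first four 16-bit groups can be read off.
  function prefix64(addr,    half, nl, left, nr, right, miss, i, out) {
    split(addr, half, "::")
    nl = split(half[1], left, ":")
    nr = split(half[2], right, ":")
    miss = 8 - nl - nr
    for (i = 1; i <= nl; i++) out[i] = left[i]
    for (i = 1; i <= miss; i++) out[nl + i] = "0"
    for (i = 1; i <= nr; i++) out[nl + miss + i] = right[i]
    return out[1] ":" out[2] ":" out[3] ":" out[4] "::"
  }
  $1 == "inet6" && $2 !~ /^fe80/ && /autoconf/ && !/temporary/ && !/deprecated/ &&
  !/detached/ && !/tentative/ && !found { print prefix64($2); found = 1 }'
}
# Emit the ipfw(8) commands that replace the instance; the rule is deleted and re-added
# around the replacement so that no rule keeps pointing at a destroyed instance.
reload_nptv6_commands() {  # $1 = new external /64
  printf 'ipfw delete %s\n' "$RULE_NUM"
  printf 'ipfw nptv6 %s destroy\n' "$NPTV6_NAME"
  printf 'ipfw nptv6 %s create int_prefix %s ext_prefix %s prefixlen 64\n' \
    "$NPTV6_NAME" "$INT_PREFIX" "$1"
  printf 'ipfw add %s nptv6 %s ip6 from any to any via %s\n' "$RULE_NUM" "$NPTV6_NAME" "$WAN_IF"
}
# On the appliance, run `sh nptv6-reload.sh apply` from cron; it reloads only on change.
if [ "${1:-}" = "apply" ]; then
  NEW=$(ifconfig "$WAN_IF" inet6 | current_ext_prefix)
  if [ -n "$NEW" ] && [ "$NEW" != "$(cat "$STATE_FILE" 2>/dev/null)" ]; then
    reload_nptv6_commands "$NEW" | sh -e && printf '%s\n' "$NEW" > "$STATE_FILE"
  fi
fi
```

Without the `apply` argument the script only defines the functions, so it can be sourced and tried against captured ifconfig output before being put on the appliance.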