From nobody Sun Feb 19 11:24:54 2023
Date: Sun, 19 Feb 2023 12:24:54 +0100
From: FreeBSD User
To: "Andrey V. Elsukov"
Cc: freebsd-net@freebsd.org, FreeBSD CURRENT
Subject: Re: IPFW: IPv6 and NPTv6 issues: multiple IPv6 addresses confuses IPFW
Message-ID: <20230219122521.6c3d5bdb@thor.intern.walstatt.dynvpn.de>
In-Reply-To: <40222458-bae1-bff3-b65c-2c3f26705f10@yandex.ru>
References: <20230218164325.3a4c626a@thor.intern.walstatt.dynvpn.de> <40222458-bae1-bff3-b65c-2c3f26705f10@yandex.ru>
Organization: walstatt-de.de
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

On Sun, 19 Feb 2023 13:30:13 +0300, "Andrey V. Elsukov" wrote:

> 18.02.2023 18:42, FreeBSD User writes:
> > On a 24 hour basis, the ISP changes the IPv4 and IPv6 on the WAN
> > interface. We use NPTv6 to translate ULA addresses for the inner
> > IPv6 networks. We use IPv6 privacy on the tun0 interface. The
> > router/firewall operates correctly after a reboot or restart of mpd5;
> > the IPv6 and IPv4 networks have connection to the internet.
> > When the ISP rotates its IPs, the IPv6 address is configured using
> > SLAAC and mpd5 seems to act weird:
> >
> > - the IPv4 address is always set correctly; IPFW and in-kernel NAT
> >   route/filter traffic correctly
> > - sometimes the old IPv6 address is dumped and only a new IPv6 address
> >   is present; in such a case the old IPv6 is gone, and the new pair
> >   (temporary and MACified address) are the only IPv6 addresses
> >   attached to the interface
> > - sometimes the old IPv6 address set (= temporary) is marked
> >   "deprecated" and/or "detached" and a new set is attached to the
> >   interface tun0; on some rare occasion also an IPv6 address WITHOUT
> >   its "temporary" sibling is attached
> >
> > In any of the cases above, IPFW's NPTv6 gets confused and routing isn't
> > working properly anymore.
> >
> > In any case of a change of the IPv6 address, IPFW has to be
> > restarted!
>
> Hi,
>
> I assume you are using the ext_if option in your NPTv6 instance configuration.

That is correct.

>
> I think there might be several problems that lead to your situation:
>
> 1. NPTv6 tracks IPv6 address deletion, but since an old IPv6 address
> that was used as the external prefix is kept on the interface, it ignores
> the appearance of a new IPv6 address.
>
> 2. Then, even if you delete the old IPv6 address by hand, NPTv6 won't try to
> pick another one until a new address appears.
>
> 3. There should be some logic that takes into account the presence of
> temporary and deprecated addresses on the interface.
>

-- 
O. Hartmann
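As an added example that is not part of this thread and not code from the ipfw(8) or mpd5 projects: a POSIX sh stop-gap for the ext_if tracking problem Andrey describes above. Instead of restarting IPFW after every prefix rotation, it reads the output of `ifconfig tun0 inet6`, skips link-local, ULA, temporary, deprecated, detached, tentative and duplicated addresses, takes the /64 of the first remaining global address, and re-creates the NPTv6 instance with an explicit ext_prefix, the form that does not rely on ext_if address tracking. Assumptions, all mine: the instance name "nptv6", the internal prefix fd00:1::/64, rule numbers 1000/1001 and the ifconfig sample are constructed placeholders; the external prefix length is 64; and an instance's external prefix can only be changed by destroying and re-creating it, which requires deleting the rules that reference it first and re-adding them afterwards.

```shell
#!/bin/sh
# Added example (not from the thread). Re-create an IPFW NPTv6 instance with an explicit
# ext_prefix taken from the WAN interface's current non-temporary, non-deprecated GUA.
# Set IPFW=echo for a dry run; otherwise the real ipfw(8) binary is used.

# Expand an IPv6 address (with or without "::") to hextets and print its /64 prefix.
prefix64() {
    awk -v addr="$1" 'BEGIN {
        n = split(addr, parts, "::")
        left = parts[1]; right = (n > 1) ? parts[2] : ""
        nl = (left == "") ? 0 : split(left, l, ":")
        nr = (right == "") ? 0 : split(right, r, ":")
        k = 0
        for (i = 1; i <= nl; i++) h[++k] = l[i]
        if (n > 1) for (i = 1; i <= 8 - nl - nr; i++) h[++k] = "0"
        for (i = 1; i <= nr; i++) h[++k] = r[i]
        m = 4                                   # keep the first four hextets,
        while (m > 0 && h[m] ~ /^0+$/) m--      # dropping trailing zero groups
        p = ""
        for (i = 1; i <= m; i++) p = p (i > 1 ? ":" : "") h[i]
        print p "::/64"
    }'
}

# Read ifconfig(8) output on stdin; print the /64 of the first global address that is not
# temporary, deprecated, detached, tentative or duplicated. Returns 1 if there is none
# (e.g. the rare case from the report where only a temporary address is attached).
pick_ext_prefix() {
    while read -r fam addr rest; do
        [ "$fam" = "inet6" ] || continue
        case "$addr" in
            [Ff][Ee]80:*|::1|[Ff][CcDd]*) continue ;;   # link-local, loopback, ULA
        esac
        case " $rest " in
            *" temporary "*|*" deprecated "*|*" detached "*|*" tentative "*|*" duplicated "*) continue ;;
        esac
        prefix64 "$addr"
        return 0
    done
    return 1
}

# $1 instance name, $2 internal (ULA) prefix, $3 outbound rule number, $4 inbound rule
# number; stdin = "ifconfig <wan_if> inet6" output. Prints the external prefix chosen.
rebuild_nptv6() {
    name=$1 int_prefix=$2 out_rule=$3 in_rule=$4
    ipfw_cmd=${IPFW:-ipfw}
    ext=$(pick_ext_prefix) || { echo "rebuild_nptv6: no usable global address" >&2; return 1; }
    # Rules referencing the instance must go before the instance can be destroyed;
    # both steps are allowed to fail on a first run where nothing exists yet (assumption).
    "$ipfw_cmd" delete "$out_rule" "$in_rule" || :
    "$ipfw_cmd" nptv6 "$name" destroy || :
    "$ipfw_cmd" nptv6 "$name" create int_prefix "$int_prefix" ext_prefix "$ext" prefixlen 64
    "$ipfw_cmd" add "$out_rule" nptv6 "$name" ip6 from "$int_prefix" to any out
    "$ipfw_cmd" add "$in_rule" nptv6 "$name" ip6 from any to "$ext" in
    echo "$ext"
}

# Constructed sample (not a real capture): the old set is deprecated/detached and a new
# set has been attached, as in the report above.
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
    inet6 fe80::1234:5678:9abc:def0%tun0 prefixlen 64 scopeid 0x5
    inet6 2001:db8:9:9:aaaa:bbbb:cccc:dddd prefixlen 64 deprecated autoconf temporary
    inet6 2001:db8:9:9::1 prefixlen 64 detached deprecated autoconf
    inet6 2001:db8:1:2:1111:2222:3333:4444 prefixlen 64 autoconf temporary
    inet6 2001:db8:1:2:a:b:c:d prefixlen 64 autoconf'

# Dry run against the sample: prints the ipfw commands instead of executing them.
( IPFW=echo; printf '%s\n' "$SAMPLE_IFCONFIG" | rebuild_nptv6 nptv6 fd00:1::/64 1000 1001 )
```

For real use, feed it `ifconfig tun0 inet6 | rebuild_nptv6 nptv6 fd00:1::/64 1000 1001` from whatever hook fires when mpd5 brings the link up or the address set changes, and keep the rule numbers in sync with your ruleset. The picker deliberately prefers the stable (non-temporary) address: the temporary one is the one that rotates most, and the external prefix only needs the /64, which both siblings share.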