Date: Sun, 19 Feb 2023 12:24:54 +0100
From: FreeBSD User <freebsd@walstatt-de.de>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: freebsd-net@freebsd.org, FreeBSD CURRENT <freebsd-current@freebsd.org>
Subject: Re: IPFW: IPv6 and NPTv6 issues: multiple IPv6 addresses confuses IPFW
Message-ID: <20230219122521.6c3d5bdb@thor.intern.walstatt.dynvpn.de>
In-Reply-To: <40222458-bae1-bff3-b65c-2c3f26705f10@yandex.ru>
References: <20230218164325.3a4c626a@thor.intern.walstatt.dynvpn.de> <40222458-bae1-bff3-b65c-2c3f26705f10@yandex.ru>

On Sun, 19 Feb 2023 13:30:13 +0300, "Andrey V. Elsukov" <bu7cher@yandex.ru> wrote:

> 18.02.2023 18:42, FreeBSD User wrote:
> > On a 24 hour basis, the ISP changes the IPv4 and IPv6 on the WAN
> > interface. We use NPTv6 to translate ULA addresses for the inner
> > IPv6 networks. We use IPv6 privacy on the tun0 interface. The
> > router/firewall is operating after a reboot or restart of mpd5
> > correctly, IPv6 and IPv4 networks have connection to the internet.
> > When the ISP rotates its IPs, the IPv6 address is configured using
> > SLAAC and mpd5 seems to act weird:
> >
> > - the IPv4 address is always set correctly, IPFW and in-kernel NAT
> >   route/filter traffic correctly
> > - sometimes old IPv6 address is dumped and only a new IPv6 address -
> >   in such a case, the old IPv6 is gone, the new pair (temporary and
> >   MACified address) are the only IPv6 addresses attached to the
> >   interface.
> > - sometimes the old IPv6 address set (= temporary) are marked
> >   "deprecated" and/or "detached" and a new set is attached to the
> >   interface tun0, in some rare occasion also an IPv6 address WITHOUT
> >   its "temporary" sibling is attached.
> >
> > In any of the cases above, IPFW's NPTv6 gets confused, routing isn't
> > working properly anymore.
> >
> > In any cases of a change of the IPv6 address, IPFW has to be
> > restarted!
>
> Hi,
>
> I assume you are using ext_if option in your NPTv6 instance configuration.

That is correct.

>
> I think there might be several problems that lead to your situation:
>
> 1. NPTv6 tracks IPv6 address deletion, but since an old IPv6 address
> that was used as external prefix is kept on the interface, it ignores
> the appearance of a new IPv6 address.
>
> 2. Then, even if you delete the old IPv6 address by hand, NPTv6 won't
> try to pick another one until a new address appears.
>
> 3. There should be some logic that takes into account presence of
> temporary and deprecated addresses on the interface.
>

-- 
O. Hartmann
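
Added example (not part of the original message and not FreeBSD's NPTv6 code): a sketch of the selection logic asked for in point 3, run over constructed `ifconfig tun0` output, plus a check for the stale-prefix situation of points 1 and 2. The sample addresses, the function names and the policy of preferring the stable address over the temporary one are assumptions made for illustration.

```python
import ipaddress

# Constructed `ifconfig tun0` inet6 lines after a prefix rotation
# (documentation prefix 2001:db8::/32, not addresses from the thread).
SAMPLE = """\
    inet6 fe80::1%tun0 prefixlen 64 scopeid 0x5
    inet6 2001:db8:aaaa:1:211:22ff:fe33:4455 prefixlen 64 deprecated autoconf
    inet6 2001:db8:aaaa:1:5c1d:9e0f:1a2b:3c4d prefixlen 64 detached deprecated autoconf temporary
    inet6 2001:db8:bbbb:1:211:22ff:fe33:4455 prefixlen 64 autoconf
    inet6 2001:db8:bbbb:1:8d2e:77a1:c3b:9f10 prefixlen 64 autoconf temporary
"""

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
# ifconfig flags marking an address that should not be used as external prefix.
UNUSABLE = {"deprecated", "detached", "tentative", "duplicated"}

def parse_inet6(text):
    """Yield (IPv6Interface, set of flag words) for each inet6 line."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "inet6" or tok[2] != "prefixlen":
            continue
        addr = tok[1].split("%")[0]          # drop the %ifname scope suffix
        yield ipaddress.IPv6Interface(f"{addr}/{tok[3]}"), set(tok[4:])

def pick_external_prefix(text):
    """Return (network, address) of the best candidate, or None."""
    usable = [(iface, flags) for iface, flags in parse_inet6(text)
              if iface.ip in GLOBAL_UNICAST and not (flags & UNUSABLE)]
    if not usable:
        return None
    # Assumed policy: a stable (non-temporary) address sorts first.
    usable.sort(key=lambda c: "temporary" in c[1])
    best = usable[0][0]
    return best.network, best.ip

def needs_reconfig(configured_prefix, text):
    """True when the configured external prefix is no longer the usable one."""
    picked = pick_external_prefix(text)
    return picked is not None and picked[0] != ipaddress.ip_network(configured_prefix)

if __name__ == "__main__":
    print(pick_external_prefix(SAMPLE))
    print(needs_reconfig("2001:db8:aaaa:1::/64", SAMPLE))
```

With the sample above, the old 2001:db8:aaaa:1::/64 pair is still on the interface but deprecated, so the check reports that an instance configured with that prefix is stale.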