From owner-freebsd-net@FreeBSD.ORG Wed Jul 11 07:14:06 2012
Date: Wed, 11 Jul 2012 09:14:05 +0200
From: Ermal Luçi <ermal.luci@gmail.com>
To: Chris Benesch
Cc: freebsd-net@freebsd.org
Subject: Re: GIF tunnel doesnt like fragmented packets?

On Wed, Jul 11, 2012 at 4:27 AM, Chris Benesch wrote:
> So I'm trying to set up a tunnel with Hurricane Electric.  Works great on
> OpenBSD BTW, took only a minute or two.
>
There is no support for fragmented ipv6 packets in pf(4) for FreeBSD.
> So here's rc.conf
>
> ipv6_gateway_enable="YES"
> gif_interfaces="gif0"
> gifconfig_gif0="198.168.0.2 64.62.134.130"
> ipv6_network_interfaces="rl0 em0 gif0 lo0"
> ifconfig_gif0_ipv6="inet6 2001:470:66:3a3::2 2001:470:66:3a3::1 prefixlen 128"
> ipv6_defaultrouter="2001:470:66:3a3::1"
>
> And I am running pf on the box.
>
> # macros
> ext_if="rl0"
> int_if="em0"
> if_6="gif0"
>
> tcp_services="{ 22,25,80 }"
> udp_services="{ 500 }"
> icmp_types="echoreq"
>
> workstation="192.168.231.15"
>
> # options
> set optimization normal
> set block-policy return
> set skip on { lo gif0 }
>
> # scrub
> scrub in no-df
>
> # nat/rdr
> nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
>
>
> # filter rules
> block in log on rl0
> pass out quick flags S/SA keep state
> pass in quick on $int_if flags S/SA keep state allow-opts
> pass in quick from 192.168.231.1 to 192.168.231.1
> pass in log from 64.62.134.130 to any
>
> antispoof quick for { lo }
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
> pass in on $if_6 inet6 proto tcp from any to ($if_6) port $tcp_services
> pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services
> pass in on $if_6 inet6 proto udp from any to ($if_6) port $udp_services
>
> pass in inet6 proto icmp6 from any to any
> pass in inet proto icmp from any to any
>
> Ok, so now that's out of the way.
>
> Basically I see packets going out, but none coming back, and they clearly
> are coming back on the internet facing interface.  I've run a dump on pflog
> and nothing; it's not dropping it.
>
> Here is a dump for a couple pings from the outside interface:
>
> 18:53:09.462410 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 30, id 35752, offset 0, flags [none], proto IPv6 (41), length 76)
>     192.168.0.2 > 64.62.134.130: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, echo request, length 16, seq 0
> 18:53:09.507572 00:24:7b:c8:f1:70 > 00:11:09:01:c8:26, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 248, id 0, offset 0, flags [DF], proto IPv6 (41), length 76)
>     64.62.134.130 > 192.168.0.2: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6, echo reply, length 16, seq 0
> 18:53:09.507598 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 247, id 0, offset 0, flags [none], proto IPv6 (41), length 76)
>     192.168.0.2 > 198.168.0.2: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6, echo reply, length 16, seq 0
> 18:53:10.462714 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 30, id 35756, offset 0, flags [none], proto IPv6 (41), length 76)
>     192.168.0.2 > 64.62.134.130: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, echo request, length 16, seq 1
> 18:53:10.509347 00:24:7b:c8:f1:70 > 00:11:09:01:c8:26, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 248, id 0, offset 0, flags [DF], proto IPv6 (41), length 76)
>     64.62.134.130 > 192.168.0.2: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6, echo reply, length 16, seq 1
> 18:53:10.509366 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 247, id 0, offset 0, flags [none], proto IPv6 (41), length 76)
>     192.168.0.2 > 198.168.0.2: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6, echo reply, length 16, seq 1
>
> You get the picture, there is back and forth.
>
> And here is gif0
>
> [root@maricopacomputer ~]# tcpdump -lenvvvvi gif0
> tcpdump: WARNING: gif0: no IPv4 address assigned
> tcpdump: listening on gif0, link-type NULL (BSD loopback), capture size 65535 bytes
> 18:52:34.975121 AF IPv6 (28), length 60: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, echo request, length 16, seq 0
> 18:52:35.975701 AF IPv6 (28), length 60: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, echo request, length 16, seq 1
> 18:52:36.975684 AF IPv6 (28), length 60: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, echo request, length 16, seq 2
> 18:52:37.975689 AF IPv6 (28), length 60: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, echo request, length 16, seq 3
> 18:52:39.974653 AF IPv6 (28), length 68: (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has 2001:470:66:3a3::1
> 18:52:40.974653 AF IPv6 (28), length 68: (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has 2001:470:66:3a3::1
> 18:52:41.974652 AF IPv6 (28), length 68: (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has 2001:470:66:3a3::1
>
> The only thing I notice is that the ones coming from HE have the DF flag
> set?  Am I on the wrong path?  Have no idea how to get this to work.
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

-- 
Ermal
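A check a practitioner would run on a one-way gif(4) tunnel like the one in this thread, added here as an example; it is not code from the poster, from Ermal, or from FreeBSD. It parses the outer IPv4 summary that `tcpdump -env` prints for IPv6-in-IPv4 (protocol 41) packets and reports two things per record: whether the packet is an IP fragment (the thread's subject), and whether its outer source/destination match the remote/local pair configured on gif0, since gif(4) only decapsulates packets whose outer destination is its configured local endpoint and whose outer source is its configured remote endpoint. The three sample records and the `gifconfig_gif0` line are copied from the poster's message; the single fragment record is constructed to exercise the fragment path and is labelled as such.

```python
"""Cross-check a gif(4) capture against the configured tunnel endpoints.

Added example for this thread; not code from the poster or from FreeBSD.
It parses the outer IPv4 summary lines that `tcpdump -env` prints for
IPv6-in-IPv4 (protocol 41) packets and reports, per packet:

  * whether it is an IP fragment (non-zero offset, or the MF bit that
    tcpdump prints as "+" in the flags list), and
  * whether its outer source/destination match the remote/local pair
    configured on gif0.  gif(4) decapsulates only packets whose outer
    destination is its local endpoint and whose outer source is its
    remote endpoint; anything else is handled as ordinary IPv4.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Copied from the poster's rc.conf: gifconfig_gif0="<local> <remote>".
GIFCONFIG_GIF0 = "198.168.0.2 64.62.134.130"

# Three records copied from the poster's rl0 capture (request, reply,
# and the copy the box emitted after receiving the reply).
SAMPLE_CAPTURE = """\
18:53:09.462410 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 30, id 35752, offset 0, flags [none], proto IPv6 (41), length 76)
    192.168.0.2 > 64.62.134.130: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, echo request, length 16, seq 0
18:53:09.507572 00:24:7b:c8:f1:70 > 00:11:09:01:c8:26, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 248, id 0, offset 0, flags [DF], proto IPv6 (41), length 76)
    64.62.134.130 > 192.168.0.2: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6, echo reply, length 16, seq 0
18:53:09.507598 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 247, id 0, offset 0, flags [none], proto IPv6 (41), length 76)
    192.168.0.2 > 198.168.0.2: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6, echo reply, length 16, seq 0
"""

# Constructed record (not from the thread): the first fragment of a large
# encapsulated packet, addressed to the configured local endpoint.
CONSTRUCTED_FRAGMENT = """\
18:53:12.000000 00:24:7b:c8:f1:70 > 00:11:09:01:c8:26, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 248, id 4242, offset 0, flags [+], proto IPv6 (41), length 1500)
    64.62.134.130 > 198.168.0.2: (hlim 64, next-header TCP (6) payload length: 1440) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [|tcp]
"""

HDR_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*?\(tos 0x[0-9a-f]+, ttl (?P<ttl>\d+), "
    r"id (?P<id>\d+), offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto \w+ \((?P<proto>\d+)\)"
)
ADDR_RE = re.compile(r"^\s+(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}):")


@dataclass
class OuterPacket:
    ts: str
    src: str
    dst: str
    ttl: int
    offset: int
    flags: str
    proto: int

    @property
    def is_fragment(self) -> bool:
        # Non-first fragments carry an offset; a first fragment carries MF ("+").
        return self.offset != 0 or "+" in self.flags


def parse_capture(text: str) -> list[OuterPacket]:
    """Pair each tcpdump header line with the indented address line below it."""
    lines = text.splitlines()
    pkts: list[OuterPacket] = []
    for i, line in enumerate(lines[:-1]):
        hdr = HDR_RE.match(line)
        addr = ADDR_RE.match(lines[i + 1])
        if hdr and addr:
            pkts.append(OuterPacket(
                ts=hdr["ts"], src=addr["src"], dst=addr["dst"],
                ttl=int(hdr["ttl"]), offset=int(hdr["off"]),
                flags=hdr["flags"], proto=int(hdr["proto"]),
            ))
    return pkts


def classify(pkt: OuterPacket, local: str, remote: str) -> str:
    """Say what gif(4) would do with this outer header."""
    if pkt.proto != 41:
        return "not-ipv6-in-ipv4"
    if pkt.src == local and pkt.dst == remote:
        return "outbound"
    if pkt.src == remote and pkt.dst == local:
        return "inbound-decapsulated"
    return "endpoint-mismatch"


def audit(capture: str, gifconfig: str) -> list[dict]:
    """One finding per parsed packet, against the gifconfig 'local remote' pair."""
    local, remote = gifconfig.split()
    return [
        {
            "ts": p.ts,
            "outer": f"{p.src} > {p.dst}",
            "ttl": p.ttl,
            "fragment": p.is_fragment,
            "verdict": classify(p, local, remote),
        }
        for p in parse_capture(capture)
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURE + CONSTRUCTED_FRAGMENT, GIFCONFIG_GIF0):
        print(finding)
```

Run against the thread's own data, every record comes back `endpoint-mismatch`: the configured local endpoint 198.168.0.2 never appears as an outer source on rl0, the reply from 64.62.134.130 arrives addressed to 192.168.0.2, and the box re-emits that reply toward 198.168.0.2 with the TTL one lower and the source rewritten to 192.168.0.2, which is what the posted `nat on $ext_if` rule does to forwarded traffic rather than what decapsulation looks like. None of the records is a fragment, and at 76 bytes none could be, so the DF bit the poster noticed plays no part in this trace. Re-running `audit()` with a hypothetical `"192.168.0.2 64.62.134.130"` (the rl0 address as local endpoint, an assumption the poster would confirm with `ifconfig gif0`) turns the first two records into `outbound` and `inbound-decapsulated`.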