Date:      Wed, 11 Jul 2012 09:14:05 +0200
From:      Ermal Luçi <eri@freebsd.org>
To:        Chris Benesch <chris.benesch@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: GIF tunnel doesnt like fragmented packets?
Message-ID:  <CAPBZQG0SAs8HRj7XPxRmx5CL18qH8-SN0wnUm5Ef9OKbnSj63w@mail.gmail.com>
In-Reply-To: <CAPKwmM0ymOebO0WsJqNRuRJ4sT09uikj9b-5x4BDe-eFJYyKFA@mail.gmail.com>
References:  <CAPKwmM0ymOebO0WsJqNRuRJ4sT09uikj9b-5x4BDe-eFJYyKFA@mail.gmail.com>

On Wed, Jul 11, 2012 at 4:27 AM, Chris Benesch <chris.benesch@gmail.com> wrote:
> So I'm trying to set up a tunnel with Hurricane Electric. Works great on
> OpenBSD BTW, took only a minute or two.
>
There is no support for fragmented ipv6 packets in pf(4) for FreeBSD.

> So heres rc.conf
>
> ipv6_gateway_enable="YES"
> gif_interfaces="gif0"
> gifconfig_gif0="198.168.0.2 64.62.134.130"
> ipv6_network_interfaces="rl0 em0 gif0 lo0"
> ifconfig_gif0_ipv6="inet6 2001:470:66:3a3::2 2001:470:66:3a3::1 prefixlen 128"
> ipv6_defaultrouter="2001:470:66:3a3::1"
>
> And I am running pf on the box.
>
> # macros
> ext_if="rl0"
> int_if="em0"
> if_6="gif0"
>
> tcp_services="{ 22,25,80 }"
> udp_services="{ 500 }"
> icmp_types="echoreq"
>
> workstation="192.168.231.15"
>
> # options
> set optimization normal
> set block-policy return
> set skip on { lo gif0 }
>
> # scrub
> scrub in no-df
>
> # nat/rdr
> nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
>
>
> # filter rules
> block in log on rl0
> pass out quick flags S/SA keep state
> pass in quick on $int_if flags S/SA keep state allow-opts
> pass in quick from 192.168.231.1 to 192.168.231.1
> pass in log from 64.62.134.130 to any
>
> antispoof quick for { lo }
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
> pass in on $if_6 inet6 proto tcp from any to ($if_6) port $tcp_services
> pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services
> pass in on $if_6 inet6 proto udp from any to ($if_6) port $udp_services
>
> pass in inet6 proto icmp6 from any to any
> pass in inet proto icmp from any to any
>
> Ok, so now thats out of the way.
>
> Basically I see packets going out, but none coming back, and they clearly
> are coming back on the internet facing interface. I've run a dump on pflog
> and nothing, it's not dropping it.
>
> Here is a dump for a couple pings from the outside interface:
>
> 18:53:09.462410 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4
> (0x0800), length 90: (tos 0x0, ttl 30, id 35752, offset 0, flags [none],
> proto IPv6 (41), length 76)
>     192.168.0.2 > 64.62.134.130: (hlim 64, next-header ICMPv6 (58) payload
> length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6,
> echo request, length 16, seq 0
> 18:53:09.507572 00:24:7b:c8:f1:70 > 00:11:09:01:c8:26, ethertype IPv4
> (0x0800), length 90: (tos 0x0, ttl 248, id 0, offset 0, flags [DF], proto
> IPv6 (41), length 76)
>     64.62.134.130 > 192.168.0.2: (hlim 64, next-header ICMPv6 (58) payload
> length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6,
> echo reply, length 16, seq 0
> 18:53:09.507598 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4
> (0x0800), length 90: (tos 0x0, ttl 247, id 0, offset 0, flags [none], proto
> IPv6 (41), length 76)
>     192.168.0.2 > 198.168.0.2: (hlim 64, next-header ICMPv6 (58) payload
> length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6,
> echo reply, length 16, seq 0
> 18:53:10.462714 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4
> (0x0800), length 90: (tos 0x0, ttl 30, id 35756, offset 0, flags [none],
> proto IPv6 (41), length 76)
>     192.168.0.2 > 64.62.134.130: (hlim 64, next-header ICMPv6 (58) payload
> length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6,
> echo request, length 16, seq 1
> 18:53:10.509347 00:24:7b:c8:f1:70 > 00:11:09:01:c8:26, ethertype IPv4
> (0x0800), length 90: (tos 0x0, ttl 248, id 0, offset 0, flags [DF], proto
> IPv6 (41), length 76)
>     64.62.134.130 > 192.168.0.2: (hlim 64, next-header ICMPv6 (58) payload
> length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6,
> echo reply, length 16, seq 1
> 18:53:10.509366 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4
> (0x0800), length 90: (tos 0x0, ttl 247, id 0, offset 0, flags [none], proto
> IPv6 (41), length 76)
>     192.168.0.2 > 198.168.0.2: (hlim 64, next-header ICMPv6 (58) payload
> length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6,
> echo reply, length 16, seq 1
>
> You get the picture, there is back and forth.
>
> And here is gif0
>
> [root@maricopacomputer ~]# tcpdump -lenvvvvi gif0
> tcpdump: WARNING: gif0: no IPv4 address assigned
> tcpdump: listening on gif0, link-type NULL (BSD loopback), capture size
> 65535 bytes
> 18:52:34.975121 AF IPv6 (28), length 60: (hlim 64, next-header ICMPv6 (58)
> payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok]
> ICMP6, echo request, length 16, seq 0
> 18:52:35.975701 AF IPv6 (28), length 60: (hlim 64, next-header ICMPv6 (58)
> payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok]
> ICMP6, echo request, length 16, seq 1
> 18:52:36.975684 AF IPv6 (28), length 60: (hlim 64, next-header ICMPv6 (58)
> payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok]
> ICMP6, echo request, length 16, seq 2
> 18:52:37.975689 AF IPv6 (28), length 60: (hlim 64, next-header ICMPv6 (58)
> payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok]
> ICMP6, echo request, length 16, seq 3
> 18:52:39.974653 AF IPv6 (28), length 68: (hlim 255, next-header ICMPv6 (58)
> payload length: 24) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok]
> ICMP6, neighbor solicitation, length 24, who has 2001:470:66:3a3::1
> 18:52:40.974653 AF IPv6 (28), length 68: (hlim 255, next-header ICMPv6 (58)
> payload length: 24) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok]
> ICMP6, neighbor solicitation, length 24, who has 2001:470:66:3a3::1
> 18:52:41.974652 AF IPv6 (28), length 68: (hlim 255, next-header ICMPv6 (58)
> payload length: 24) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok]
> ICMP6, neighbor solicitation, length 24, who has 2001:470:66:3a3::1
>
> The only thing I notice is that the ones coming from HE have the DF flag
> set? Am I on the wrong path? Have no idea how to get this to work.
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"



-- 
Ermal
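A check worth running before looking at pf at all: a gif(4) tunnel only hands a proto-41 packet to gif0 when the outer IPv4 source and destination are exactly the REMOTE and LOCAL addresses from gifconfig_gif0; an encapsulated packet addressed to any other local address is ordinary IPv4 to be forwarded or dropped and never appears on gif0. The script below is an added example, not code from the thread or from FreeBSD: it parses the rl0 capture posted above (copied here as constructed sample input, MAC addresses included) and compares the outer addresses with the gifconfig value from the posted rc.conf. The helper names (parse_gifconfig, parse_proto41, classify, observed_local, diagnose) are this example's own. On the posted data the remote end sends its replies to 192.168.0.2 while gifconfig_gif0 names 198.168.0.2 as the local endpoint, so none of the captured packets qualify as tunnel traffic; with the local endpoint set to 192.168.0.2 the same capture classifies as one outbound and one inbound tunnel packet.

```python
"""Cross-check a gif(4) tunnel definition against tcpdump output.

gifconfig_gif0="LOCAL REMOTE" is the outer IPv4 pair the kernel accepts as
the tunnel.  Only packets whose outer header is exactly REMOTE -> LOCAL
enter gif0; everything else stays plain IPv4.  Example code, not from the
mailing-list thread or the FreeBSD tree.
"""
import re
from collections import Counter

# Outer IPv4 pair at the start of the address line, inner IPv6 pair later
# on the same line, in the layout tcpdump -v uses for proto-41 packets.
_OUTER = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+):")
_INNER = re.compile(r"\) ([0-9a-f:]+) > ([0-9a-f:]+): ")

# Constructed sample input: the rc.conf value and three packets from the
# rl0 capture in the post (one echo request, the reply, and what the box
# did with the reply).
GIFCONFIG = '"198.168.0.2 64.62.134.130"'
CAPTURE = """\
18:53:09.462410 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 30, id 35752, offset 0, flags [none], proto IPv6 (41), length 76)
    192.168.0.2 > 64.62.134.130: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::2 > 2001:470:66:3a3::1: [icmp6 sum ok] ICMP6, echo request, length 16, seq 0
18:53:09.507572 00:24:7b:c8:f1:70 > 00:11:09:01:c8:26, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 248, id 0, offset 0, flags [DF], proto IPv6 (41), length 76)
    64.62.134.130 > 192.168.0.2: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6, echo reply, length 16, seq 0
18:53:09.507598 00:11:09:01:c8:26 > 00:24:7b:c8:f1:70, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 247, id 0, offset 0, flags [none], proto IPv6 (41), length 76)
    192.168.0.2 > 198.168.0.2: (hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:470:66:3a3::1 > 2001:470:66:3a3::2: [icmp6 sum ok] ICMP6, echo reply, length 16, seq 0
"""


def parse_gifconfig(value):
    """'"LOCAL REMOTE"' -> (LOCAL, REMOTE), quotes and whitespace stripped."""
    local, remote = value.strip().strip('"').split()
    return local, remote


def parse_proto41(capture):
    """Return [(outer_src, outer_dst, inner_src, inner_dst), ...] for every
    encapsulated IPv6-in-IPv4 packet in tcpdump -v output."""
    packets = []
    expect_addr = False
    for line in capture.splitlines():
        if "proto IPv6 (41)" in line:
            expect_addr = True  # the address line follows the header line
            continue
        if expect_addr:
            expect_addr = False
            outer = _OUTER.match(line)
            inner = _INNER.search(line)
            if outer and inner:
                packets.append(outer.groups() + inner.groups())
    return packets


def classify(local, remote, packets):
    """Label each packet relative to the configured tunnel endpoints:
    'outbound' (LOCAL -> REMOTE), 'inbound' (REMOTE -> LOCAL) or 'mismatch'
    (the kernel will not treat it as gif0 traffic)."""
    verdicts = []
    for osrc, odst, isrc, idst in packets:
        if (osrc, odst) == (local, remote):
            verdict = "outbound"
        elif (osrc, odst) == (remote, local):
            verdict = "inbound"
        else:
            verdict = "mismatch"
        verdicts.append((verdict, osrc, odst, isrc, idst))
    return verdicts


def observed_local(remote, packets):
    """The outer destination the remote end actually uses, i.e. the LOCAL
    address the peer believes in; None if the remote sent nothing."""
    seen = Counter(odst for osrc, odst, _, _ in packets if osrc == remote)
    return seen.most_common(1)[0][0] if seen else None


def diagnose(gifconfig, capture):
    """Summarise how the capture lines up with the gifconfig endpoints."""
    local, remote = parse_gifconfig(gifconfig)
    packets = parse_proto41(capture)
    verdicts = classify(local, remote, packets)
    counts = Counter(v for v, *_ in verdicts)
    return {
        "configured_local": local,
        "configured_remote": remote,
        "observed_local": observed_local(remote, packets),
        "outbound": counts["outbound"],
        "inbound": counts["inbound"],
        "mismatch": counts["mismatch"],
        "packets": verdicts,
    }


if __name__ == "__main__":
    report = diagnose(GIFCONFIG, CAPTURE)
    for verdict, osrc, odst, isrc, idst in report["packets"]:
        print(f"{verdict:9} {osrc} > {odst}  ({isrc} > {idst})")
    if report["inbound"] == 0 and report["observed_local"] not in (
        None, report["configured_local"]):
        print(f"remote {report['configured_remote']} sends to "
              f"{report['observed_local']}, but gifconfig names "
              f"{report['configured_local']} as the local endpoint")
```

The same check applies to any point-to-point encapsulation that keys on the outer address pair (gre(4) behaves the same way): capture on the outside interface, not on the tunnel interface, because a packet that fails the endpoint match never reaches the tunnel interface and so leaves no trace there or, as in the post, in pflog.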



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPBZQG0SAs8HRj7XPxRmx5CL18qH8-SN0wnUm5Ef9OKbnSj63w>