Date:      Fri, 25 Oct 2019 16:57:15 +0200
From:      Marco van Tol <marco@tols.org>
To:        freebsd-ipfw@freebsd.org
Cc:        Marco van Tol <marco@tols.org>
Subject:   nat64lsn first hop in traceroute has a source ip of the final host
Message-ID:  <898BCDF8-EA5C-49C1-B159-7FCEEBD47B4F@tols.org>

Hi there,

I set up a NAT64 gateway on a FreeBSD 11.3-RELEASE-p3 host using the following config:

-----
#!/bin/sh

fwcmd="/sbin/ipfw"
nat64_v4="193.0.31.240/28"      # IPv4 pool the translator maps sessions onto
nat64_pfx_v6="64:ff9b::/96"     # well-known NAT64 prefix (RFC 6052)
icmp6ns=135                     # ICMPv6 Neighbor Solicitation
icmp6na=136                     # ICMPv6 Neighbor Advertisement

kldstat -q -m ipfw_nat64 || kldload ipfw_nat64
${fwcmd} -f flush
${fwcmd} nat64lsn NAT64 create prefix4 $nat64_v4
# Neighbor discovery must never be handed to the translator
${fwcmd} add allow icmp6 from any to any icmp6types $icmp6ns,$icmp6na
# IPv6 -> IPv4 direction: traffic addressed to the NAT64 prefix
${fwcmd} add nat64lsn NAT64 ip from any to $nat64_pfx_v6 in
# IPv4 -> IPv6 direction: replies arriving for the translator's pool
${fwcmd} add nat64lsn NAT64 ip from any to $nat64_v4 in
${fwcmd} add allow ip from any to any
-----

This all works great in that the guests have no IPv4 any more, and from their point of view the entire world has migrated to IPv6-only.

There is only one quirk, and that is that the first hop in a traceroute towards a synthesized address reports as being sent from the destination, like this:
-----
[me@mylaptop ~]traceroute6 -w1 -n 64:ff9b::8.8.8.8
traceroute6 to 64:ff9b::8.8.8.8 (64:ff9b::808:808) from 2001:67c:64:49:a421:5045:508d:495a, 64 hops max, 12 byte packets
 1  64:ff9b::808:808  1.732 ms  2.166 ms  2.198 ms
 2  64:ff9b::c100:605  2.131 ms  2.308 ms  3.216 ms
 3  64:ff9b::50f9:d0f7  3.115 ms  4.114 ms  3.657 ms
 4  64:ff9b::6caa:f1c1  3.892 ms
    64:ff9b::6caa:f1a1  4.034 ms  5.465 ms
 5  64:ff9b::6caa:ec87  5.895 ms
    64:ff9b::480e:eef5  4.412 ms
    64:ff9b::d8ef:310d  4.358 ms
 6  64:ff9b::808:808  4.418 ms  3.498 ms  3.247 ms
-----
As you can see the first hop already claims to be from 64:ff9b::808:808 (or 64:ff9b::8.8.8.8).

When I do a traceroute6 to a normal destination, the first hop reports correctly, like this:
-----
[me@mylaptop ~]traceroute6 -w1 -n dns.google
traceroute6 to dns.google (2001:4860:4860::8844) from 2001:67c:64:49:a421:5045:508d:495a, 64 hops max, 12 byte packets
 1  2001:67c:64:49::1:2  2.627 ms  2.053 ms  2.576 ms
 2  2001:67c:2e8:26::5  1.905 ms  3.936 ms  3.472 ms
 3  2001:7f8:1::a501:5169:1  5.384 ms  8.982 ms  3.920 ms
 4  2001:4860:0:f8b::1  11.778 ms
    2001:4860:0:f8c::1  3.224 ms  5.524 ms
 5  2001:4860:0:1::1485  4.232 ms
    2001:4860:0:1::1c7d  21.334 ms  4.589 ms
 6  2001:4860:4860::8844  2.762 ms  2.173 ms  3.222 ms
-----

This does not break traceroute6, but it does break things like mtr.

Is there a way to change this behaviour so that traceroutes to synthesized addresses also report to be coming from the router IP on the first hop?

Thank you very much in advance!

-- 
Marco van Tol