From: Michael Grimm
Subject: nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed out
Message-Id: <14C709A3-B608-44C3-B12F-5F6790AA60DC@odo.in-berlin.de>
Date: Fri, 28 Dec 2012 12:59:32 +0100
To: freebsd-pf@freebsd.org

Hi --

I do run both my primary and secondary nameservers (distinct servers) in FreeBSD jails jail1 and jail2 as outlined below:

(jail1/a:a:a:a::1:1) <--WAN--> (jail2/b:b:b:b::1:1)
(jail1/10.10.10.1) <--NAT--> (host 1.2.3.4) <--WAN--> (host 5.6.7.8) <--NAT--> (jail2/10.10.10.1)

Here's the relevant part of my pf.conf (server1):

| nat on em0 inet from 10.10.10.1 to any -> 1.2.3.4
| rdr on em0 inet proto tcp from any to 1.2.3.4 port = domain -> 10.10.10.1 port 53
| rdr on em0 inet proto udp from any to 1.2.3.4 port = domain -> 10.10.10.1 port 53
| pass in log on em0 inet proto tcp from any to 10.10.10.1 port = domain flags S/SA keep state tag ip4domain
| pass in log on em0 inet proto udp from any to 10.10.10.1 port = domain keep state tag ip4domain
| pass in log on em0 inet6 proto tcp from any to a:a:a:a::1:1 port = domain flags S/SA keep state tag ip6domain
| pass in log on em0 inet6 proto udp from any to a:a:a:a::1:1 port = domain keep state tag ip6domain

This is at server2:

| nat on em0 inet from 10.10.10.1 to any -> 5.6.7.8
| rdr on em0 inet proto tcp from any to 5.6.7.8 port = domain -> 10.10.10.1 port 53
| rdr on em0 inet proto udp from any to 5.6.7.8 port = domain -> 10.10.10.1 port 53
| pass in log on em0 inet proto tcp from any to 10.10.10.1 port = domain flags S/SA keep state tag ip4domain
| pass in log on em0 inet proto udp from any to 10.10.10.1 port = domain keep state tag ip4domain
| pass in log on em0 inet6 proto tcp from any to b:b:b:b::1:1 port = domain flags S/SA keep state tag ip6domain
| pass in log on em0 inet6 proto udp from any to b:b:b:b::1:1 port = domain keep state tag ip6domain

tcp4 and udp4 connections between both nameservers are served as expected, as well as udp6.

But tcp6 doesn't work:

| jail1>
| nc -6vw 1 b:b:b:b::1:1 53
| nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed out

I do see using tcpdump at server1:

| 00:00:02.066251 xx:xx:xx:xx:xx > yy:yy:yy:yy:yy, ethertype IPv6 (0x86dd), length 94: (flowlabel 0xa3c71, hlim 63, next-header TCP (6) payload length: 40) b:b:b:b::1.64158 > a:a:a:a:1::1.53: Flags [S], cksum 0x959b (incorrect -> 0x58f9), seq 3833155181, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 495939599 ecr 0], length 0

The same happens the other way around. And, that lack of tcp6 connectivity stands true for all my other service jails as well. I cannot reach any distinct IPv6 service from my jails :-(

JFTR: both nameservers are listening to the given IPv6 addresses, as checked by "sockstat -6".

What I did try so far:

- Setting of "flags any" and/or "no state" to tcp6 rules
- Adding private IPv6 addresses to my jails and implementing nat66
- Activating rtadvd

But without any success, so, what's going wrong here:

- Is it my setup regarding pf?
- Is it my setup in general?
- Is it a screwed IPv6 routing?
- Or something else?

Any help is highly appreciated.

Thanks and with kind regards,
Michael
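A small checker, added here as an example and not part of Michael's mail, for the first thing worth verifying when a logged SYN times out behind pf: whether the destination address and port in the tcpdump line really equal the address and port in the inet6 pass rule. It parses rules of the shape quoted above and a tcpdump IPv6 line of the shape quoted above, normalizes the addresses with Python's ipaddress module (compressed IPv6 notation is easy to misread by eye), and reports whether a pass rule covers the packet. The rules, addresses and tcpdump lines are constructed samples using documentation prefixes, not the poster's configuration.

```python
import ipaddress
import re

# Constructed sample pass rules in the shape of those quoted in the mail
# (documentation prefixes, not the poster's real addresses).
PF_RULES = """
pass in log on em0 inet6 proto tcp from any to 2001:db8:a::1:1 port = domain flags S/SA keep state tag ip6domain
pass in log on em0 inet6 proto udp from any to 2001:db8:a::1:1 port = domain keep state tag ip6domain
"""
# Constructed tcpdump lines in the same format as the SYN shown in the mail.
SYN_TO_OTHER_HOST = (
    "00:00:02.066251 xx:xx:xx:xx:xx > yy:yy:yy:yy:yy, ethertype IPv6 (0x86dd), length 94: "
    "(flowlabel 0xa3c71, hlim 63, next-header TCP (6) payload length: 40) "
    "2001:db8:b::1:1.64158 > 2001:db8:a:1::1.53: Flags [S], seq 3833155181, length 0"
)
SYN_TO_RULE_HOST = SYN_TO_OTHER_HOST.replace("2001:db8:a:1::1.53", "2001:db8:a::1:1.53")

SERVICE_PORTS = {"domain": 53}  # service names pf resolves via /etc/services
RULE_RE = re.compile(r"pass in .*?inet6 proto (\w+) from any to (\S+) port = (\S+)")
FLOW_RE = re.compile(r"next-header (\w+) \(\d+\).*?\)\s+(\S+)\.(\d+) > (\S+)\.(\d+):")

def parse_rules(text):
    """Return (proto, dst IPv6Address, dport) for each inet6 pass rule."""
    rules = []
    for proto, dst, port in RULE_RE.findall(text):
        rules.append((proto, ipaddress.IPv6Address(dst), int(SERVICE_PORTS.get(port, port))))
    return rules

def parse_flow(line):
    """Return (proto, src, sport, dst, dport) from a tcpdump IPv6 line."""
    proto, src, sport, dst, dport = FLOW_RE.search(line).groups()
    return (proto.lower(), ipaddress.IPv6Address(src), int(sport),
            ipaddress.IPv6Address(dst), int(dport))

def matching_rule(rules, line):
    """First rule whose proto, destination and port match the captured packet, else None.
    Comparing IPv6Address objects instead of strings matters: 'x::1:1' and 'x:1::1'
    look alike in compressed notation but are different addresses."""
    proto, _, _, dst, dport = parse_flow(line)
    for rule in rules:
        if rule == (proto, dst, dport):
            return rule
    return None

if __name__ == "__main__":
    rules = parse_rules(PF_RULES)
    for line in (SYN_TO_OTHER_HOST, SYN_TO_RULE_HOST):
        dst = parse_flow(line)[3].exploded
        print(dst, "->", "pass rule found" if matching_rule(rules, line) else "NO pass rule")
```

If the destination in the capture does not match any pass rule, the state never gets created and the SYN is dropped by the default policy, so checking this before touching flags or state options saves time.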