NAT64 problems on 13.0-RELEASE

Hello,

I have just been testing 13.0-RELEASE and have come across a problem with my NAT64 configuration (which did work on 12.2-RELEASE) not now working.

On 13.0-RELEASE:
Code:
# ping6 -c 1 64:ff9b::1.1.1.1
PING6(56=40+8+8 bytes) 2001:470:1d41:1::55 --> 64:ff9b::101:101

--- 64:ff9b::1.1.1.1 ping6 statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss

The same NAT64 configuration works fine on 12.2-RELEASE:
Code:
#  ping6 -c 1 64:ff9b::1.1.1.1
PING6(56=40+8+8 bytes) 2001:470:1d41:1::50 --> 64:ff9b::101:101
16 bytes from 64:ff9b::101:101, icmp_seq=0 hlim=57 time=20.635 ms

--- 64:ff9b::1.1.1.1 ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 20.635/20.635/20.635/0.000 ms

The problem seems to be that 13.0 generates an ICMP redirect for the NAT64 traffic, which doesn't happen on 12.2 (the NAT64 seems to be working OK otherwise: you can see the ping6 translated into a ping4 and the reply making it back to the server, but it doesn't get translated back into an ICMP6 reply).

On 13.0-RELEASE (note ipfw is logging in/out):
Code:
# tcpdump -nqi ipfw0 icmp or icmp6
21:58:01.787493 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
21:58:01.787509 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
21:58:01.787524 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1025, seq 0, length 16
21:58:01.787527 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1025, seq 0, length 16
21:58:01.787567 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44
21:58:01.787569 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44
21:58:01.806376 IP 1.1.1.1 > 192.168.1.55: ICMP echo reply, id 1025, seq 0, length 16

On 12.2-RELEASE:
Code:
# tcpdump -nqi ipfw0 icmp or icmp6
21:58:21.308304 IP6 2001:470:1d41:1::50 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
21:58:21.308357 IP6 2001:470:1d41:1::50 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
21:58:21.328708 IP 1.1.1.1 > 192.168.1.50: ICMP echo reply, id 1027, seq 0, length 16
21:58:21.328790 IP6 64:ff9b::101:101 > 2001:470:1d41:1::50: ICMP6, echo reply, seq 0, length 16

The configurations between the systems are identical:

For 13.0-RELEASE:
Code:
# ifconfig -a
vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
    ether 58:9c:fc:08:4f:d0
    inet 192.168.1.55 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::5a9c:fcff:fe08:4fd0%vtnet0 prefixlen 64 scopeid 0x1
    inet6 2001:470:1d41:1::55 prefixlen 64
    media: Ethernet autoselect (10Gbase-T <full-duplex>)
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 58:9c:fc:10:ff:96
    inet6 fe80::5a9c:fcff:fe10:ff96%bridge0 prefixlen 64 scopeid 0x3
    inet6 2001:470:1d41:55::1 prefixlen 64
    inet6 fe80::1%bridge0 prefixlen 64 scopeid 0x3
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    groups: bridge
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
    groups: ipfw

Code:
# ipfw show
00100     0        0 check-state :default
00200   178    12104 allow log ipv6-icmp from any to any icmp6types 135,136
00300     0        0 allow log icmp from any to 192.168.1.55 icmptypes 8 keep-state :default
00400     0        0 allow log ip4 from any to 192.168.1.55 22
00500     0        0 allow log ip4 from any to 192.168.1.55 53
00600     0        0 nat64lsn NAT64 log ip6 from ::1 to 64:ff9b::/96 in
00700    13      728 nat64lsn NAT64 log ip6 from 2001:470:1d41:1::55 to 64:ff9b::/96 in
00800     0        0 nat64lsn NAT64 log ip6 from 2001:470:1d41:55::/64 to 64:ff9b::/96 in
00900    13      832 nat64lsn NAT64 log ip4 from any to 192.168.1.55 in
01000    41     1544 allow log ip4 from 192.168.1.55 to any keep-state :default
01100  2365   307419 allow log ip from any to any
65535 44913 12728705 allow ip from any to any

For 12.2-RELEASE:
Code:
# ifconfig -a
vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
    ether 58:9c:fc:01:71:9d
    inet 192.168.1.50 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::5a9c:fcff:fe01:719d%vtnet0 prefixlen 64 scopeid 0x1
    inet6 2001:470:1d41:1::50 prefixlen 64
    media: Ethernet 10Gbase-T <full-duplex>
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:dd:a6:3d:7b:00
    inet6 fe80::dd:a6ff:fe3d:7b00%bridge0 prefixlen 64 scopeid 0x3
    inet6 2001:470:1d41:50::1 prefixlen 64
    inet6 fe80::1%bridge0 prefixlen 64 scopeid 0x3
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    groups: bridge
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
    groups: ipfw

Code:
# ipfw show
00100     0        0 check-state :default
00200   214    14552 allow log ipv6-icmp from any to any icmp6types 135,136
00300     0        0 allow log icmp from any to 192.168.1.50 icmptypes 8 keep-state :default
00400     0        0 allow log ip4 from any to 192.168.1.50 22
00500     0        0 allow log ip4 from any to 192.168.1.50 53
00600     0        0 nat64lsn NAT64 log ip6 from ::1 to 64:ff9b::/96 in
00700     8      448 nat64lsn NAT64 log ip6 from 2001:470:1d41:1::50 to 64:ff9b::/96 in
00800     0        0 nat64lsn NAT64 log ip6 from 2001:470:1d41:50::/64 to 64:ff9b::/96 in
00900     8      288 nat64lsn NAT64 log ip4 from any to 192.168.1.50 in
01000     0        0 allow log ip4 from 192.168.1.50 to any keep-state :default
01100  1148   170393 allow log ip from any to any
65535 50033 28662388 allow ip from any to any

Any ideas? (And more generally, does anyone have NAT64 working on 13.0-RELEASE?)

Regards, Paul
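
An added example, not part of the original post: a small Python triage of the `tcpdump` output shown above, reporting how far an ICMP echo got through the NAT64 translation and how many ICMP redirects appeared. The function names and stage labels are illustrative assumptions; the embedded trace is copied from the 13.0-RELEASE capture in the post.

```python
import ipaddress
import re

NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")  # prefix from the post's ipfw rules
LINE = re.compile(r"^\S+ (IP6?) (\S+) > (\S+): ICMP6?,? (.+)$")
STAGES = ("v6 echo request", "v4 echo request", "v4 echo reply", "v6 echo reply")

# tcpdump output from the 13.0-RELEASE host, copied from the post above.
TRACE_13_0 = """\
21:58:01.787493 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
21:58:01.787509 IP6 2001:470:1d41:1::55 > 64:ff9b::101:101: ICMP6, echo request, seq 0, length 16
21:58:01.787524 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1025, seq 0, length 16
21:58:01.787527 IP 192.168.1.55 > 1.1.1.1: ICMP echo request, id 1025, seq 0, length 16
21:58:01.787567 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44
21:58:01.787569 IP 127.0.0.1 > 192.168.1.55: ICMP redirect 1.1.1.1 to host 0.0.0.0, length 44
21:58:01.806376 IP 1.1.1.1 > 192.168.1.55: ICMP echo reply, id 1025, seq 0, length 16
"""

def embedded_v4(addr):
    """IPv4 address carried in the low 32 bits of a NAT64 /96 address, else None."""
    ip = ipaddress.ip_address(addr)
    inside = ip.version == 6 and ip in NAT64_PREFIX
    return str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)) if inside else None

def triage(trace):
    """Return (stages seen in order, redirect count, verdict) for ICMP echo via NAT64."""
    seen, targets, redirects = set(), set(), 0
    for line in trace.splitlines():
        if not (m := LINE.match(line.strip())):
            continue  # not an ICMP/ICMP6 line in tcpdump -nq format
        fam, src, dst, what = m.groups()
        if fam == "IP6" and what.startswith("echo request") and embedded_v4(dst):
            targets.add(embedded_v4(dst))  # remember the IPv4 host being pinged
            seen.add(STAGES[0])
        elif fam == "IP6" and what.startswith("echo reply") and embedded_v4(src) in targets:
            seen.add(STAGES[3])
        elif fam == "IP" and what.startswith("echo request") and dst in targets:
            seen.add(STAGES[1])
        elif fam == "IP" and what.startswith("echo reply") and src in targets:
            seen.add(STAGES[2])
        elif fam == "IP" and what.startswith("redirect"):
            redirects += 1
    # A working capture can lack a stage (12.2 shows no IPv4 request): judge by the last one.
    order = [s for s in STAGES if s in seen]
    verdict = ("round trip complete" if STAGES[3] in seen
               else "stalled after " + order[-1] if order else "no NAT64 echo seen")
    return order, redirects, verdict

if __name__ == "__main__":
    print(triage(TRACE_13_0))
```

Because ipfw logs both in and out on `ipfw0`, duplicated lines count once per stage but twice in the redirect total.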
 