Re: IPFW: IPv6 and NPTv6 issues: multiple IPv6 addresses confuses IPFW
- In reply to: Andrey V. Elsukov: "Re: IPFW: IPv6 and NPTv6 issues: multiple IPv6 addresses confuses IPFW"
Date: Sun, 19 Feb 2023 11:24:54 UTC
On Sun, 19 Feb 2023 13:30:13 +0300 "Andrey V. Elsukov" <bu7cher@yandex.ru> wrote:

> 18.02.2023 18:42, FreeBSD User wrote:
> > On a 24 hour basis, the ISP changes the IPv4 and IPv6 on the WAN
> > interface. We use NPTv6 to translate ULA addresses for the inner
> > IPv6 networks. We use IPv6 privacy on the tun0 interface. The
> > router/firewall is operating after a reboot or restart of mpd5
> > correctly, IPv6 and IPv4 networks have connection to the internet.
> > When the ISP rotates its IPs, the IPv6 address is configured using
> > SLAAC and mpd5 seems to act weird:
> >
> > - the IPv4 address is always set correctly, IPFW and in-kernel NAT
> >   route/filter traffic correctly
> > - sometimes the old IPv6 address is dumped and only a new IPv6 address
> >   - in such a case, the old IPv6 is gone, the new pair (temporary and
> >   MACified address) are the only IPv6 addresses attached to the interface.
> > - sometimes the old IPv6 address set (= temporary) are marked
> >   "deprecated" and/or "detached" and a new set is attached to the
> >   interface tun0, in some rare occasions also an IPv6 address WITHOUT
> >   its "temporary" sibling is attached.
> >
> > In any of the cases above, IPFW's NPTv6 gets confused, routing isn't
> > working properly anymore.
> >
> > In any case of a change of the IPv6 address, IPFW has to be
> > restarted!
>
> Hi,
>
> I assume you are using the ext_if option in your NPTv6 instance configuration.

That is correct.

> I think there might be several problems that lead to your situation:
>
> 1. NPTv6 tracks IPv6 address deletion, but since an old IPv6 address
>    that was used as external prefix is kept on the interface, it ignores
>    the appearance of a new IPv6 address.
>
> 2. Then, even if you delete the old IPv6 address by hand, NPTv6 won't try to
>    pick another one until a new address appears.
>
> 3. There should be some logic that takes into account the presence of
>    temporary and deprecated addresses on the interface.

--
O. Hartmann
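The three points above all come down to the same thing: with ext_if, the NPTv6 instance chooses its external prefix on its own and does not revisit that choice while deprecated, detached or temporary addresses linger on tun0. A workaround that sidesteps the kernel's tracking is to choose the prefix yourself and recreate the instance with an explicit ext_prefix. The script below is an added example written for this thread; it is not code from the thread, from mpd5 or from FreeBSD. It assumes the instance is named "npt", the WAN interface is tun0, the internal ULA prefix is fd00:1::/64, the translation rule is number 1000, and the ISP delegates a /64 via SLAAC; the ifconfig output it parses is constructed to mirror the address states the reporter describes.

```shell
#!/bin/sh
# Added example (not from the thread, mpd5 or FreeBSD): select the WAN
# interface's current usable global IPv6 address from ifconfig(8) output and
# rebuild the NPTv6 instance with an explicit ext_prefix instead of ext_if.
# Assumed names: instance "npt", interface "tun0", internal ULA prefix
# fd00:1::/64, ipfw rule number 1000. Assumes the ISP hands out a /64.

# pick_ext_prefix: read "ifconfig IFACE inet6" lines on stdin and print the
# /64 prefix of the first global address with prefixlen 64 that carries none
# of the flags temporary, deprecated, detached or tentative (the address
# states the reporter saw left behind on tun0). Exit status 1 if none found.
pick_ext_prefix() {
    awk '
    $1 == "inet6" && !found {
        addr = $2
        sub(/%.*/, "", addr)                 # strip scope id: fe80::1%tun0
        if (addr ~ /^fe80:/) next            # link-local is never the external prefix
        plen = 0; bad = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "prefixlen") plen = $(i + 1)
            if ($i == "temporary" || $i == "deprecated" ||
                $i == "detached"  || $i == "tentative") bad = 1
        }
        if (bad || plen != 64) next
        # expand "::" to eight groups so the first four can be read off
        if (split(addr, half, "::") == 2) {
            l = split(half[1], L, ":"); r = split(half[2], R, ":")
            k = 0
            for (i = 1; i <= l; i++) G[++k] = L[i]
            for (i = 1; i <= 8 - l - r; i++) G[++k] = "0"
            for (i = 1; i <= r; i++) G[++k] = R[i]
        } else {
            split(addr, G, ":")
        }
        print G[1] ":" G[2] ":" G[3] ":" G[4] "::"
        found = 1
    }
    END { exit found ? 0 : 1 }
    '
}

# reconfigure_nptv6 NAME IFACE INT_PREFIX RULE: recreate instance NAME with
# the prefix currently on IFACE. The rule is deleted before the destroy and
# re-added afterwards so that a still-referenced instance cannot block the
# destroy. This is the only function that touches ipfw.
reconfigure_nptv6() {
    name=$1; ifn=$2; int_prefix=$3; rule=$4
    ext_prefix=$(ifconfig "$ifn" inet6 | pick_ext_prefix) || {
        echo "$ifn: no usable global IPv6 address, leaving $name untouched" >&2
        return 1
    }
    ipfw delete "$rule" 2>/dev/null || true          # may not exist yet
    ipfw nptv6 "$name" destroy 2>/dev/null || true   # may not exist yet
    ipfw nptv6 "$name" create int_prefix "$int_prefix" \
        ext_prefix "$ext_prefix" prefixlen 64
    ipfw add "$rule" nptv6 "$name" ip6 from any to any
}

# Constructed ifconfig output for the situation the reporter describes: the
# old set (2001:db8:aaaa:1::/64) is deprecated, one address is detached, and
# the new set (2001:db8:bbbb:2::/64) has a temporary and a MACified address.
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
    inet6 fe80::1%tun0 prefixlen 64 scopeid 0x4
    inet6 2001:db8:aaaa:1:7c3f:1234:5678:9abc prefixlen 64 autoconf temporary deprecated
    inet6 2001:db8:aaaa:1:21b:21ff:fe00:1 prefixlen 64 autoconf deprecated
    inet6 2001:db8:cccc:3::1 prefixlen 64 detached
    inet6 2001:db8:bbbb:2:8a7e:1234:5678:9abc prefixlen 64 autoconf temporary
    inet6 2001:db8:bbbb:2:21b:21ff:fe00:1 prefixlen 64 autoconf'

# demo_pick: run the selection over the constructed sample (no ipfw needed)
demo_pick() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | pick_ext_prefix
}

if [ "${1:-}" = "apply" ]; then
    reconfigure_nptv6 npt tun0 fd00:1:: 1000     # e.g. from the mpd5 up-script
else
    demo_pick                                    # prints 2001:db8:bbbb:2::
fi
```

Run it with `apply` from the hook that fires when tun0 comes up, or from a periodic job that compares the selected prefix against the instance's current ext_prefix, since a SLAAC rotation need not bring the interface down. Skipping "deprecated" and "temporary" addresses is the deliberate choice here: the MACified, non-deprecated address of the newest set is the one that survives the next rotation longest, which is exactly what the reporter observed ext_if failing to pick.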