nat64lsn first hop in traceroute has a source ip of the final host
Marco van Tol
marco at tols.org
Fri Oct 25 14:57:27 UTC 2019
Hi there,
I set up a NAT64 gateway on a FreeBSD 11.3-RELEASE-p3 host using the following config:
-----
#!/bin/sh
fwcmd="/sbin/ipfw"
# IPv4 pool the translator sources outbound IPv4 traffic from
nat64_v4="193.0.31.240/28"
# RFC 6052 well-known NAT64 prefix; the IPv4 destination sits in the low 32 bits
nat64_pfx_v6="64:ff9b::/96"
icmp6ns=135   # ICMPv6 neighbor solicitation
icmp6na=136   # ICMPv6 neighbor advertisement
# load the stateful NAT64 module if it is not already in the kernel
kldstat -q -m ipfw_nat64 || kldload ipfw_nat64
${fwcmd} -f flush
${fwcmd} nat64lsn NAT64 create prefix4 $nat64_v4
# neighbor discovery must pass untouched, before the translator rules
${fwcmd} add allow icmp6 from any to any icmp6types $icmp6ns,$icmp6na
# IPv6 -> IPv4: anything addressed to a synthesized address
${fwcmd} add nat64lsn NAT64 ip from any to $nat64_pfx_v6 in
# IPv4 -> IPv6: replies arriving for the pool addresses
${fwcmd} add nat64lsn NAT64 ip from any to $nat64_v4 in
${fwcmd} add allow ip from any to any
-----
This all works great in that the guests have no IPv4 any more, and from their point of view the entire world has migrated to IPv6-only.
There is only one quirk, and that is that the first hop in a traceroute towards a synthesized address reports as being sent from the destination, like this:
-----
[me at mylaptop ~]traceroute6 -w1 -n 64:ff9b::8.8.8.8
traceroute6 to 64:ff9b::8.8.8.8 (64:ff9b::808:808) from 2001:67c:64:49:a421:5045:508d:495a, 64 hops max, 12 byte packets
 1  64:ff9b::808:808  1.732 ms  2.166 ms  2.198 ms
 2  64:ff9b::c100:605  2.131 ms  2.308 ms  3.216 ms
 3  64:ff9b::50f9:d0f7  3.115 ms  4.114 ms  3.657 ms
 4  64:ff9b::6caa:f1c1  3.892 ms
    64:ff9b::6caa:f1a1  4.034 ms  5.465 ms
 5  64:ff9b::6caa:ec87  5.895 ms
    64:ff9b::480e:eef5  4.412 ms
    64:ff9b::d8ef:310d  4.358 ms
 6  64:ff9b::808:808  4.418 ms  3.498 ms  3.247 ms
-----
As you can see, the first hop already claims to be from 64:ff9b::808:808 (or 64:ff9b::8.8.8.8).
When I do a traceroute6 to a normal destination, the first hop reports correctly, like this:
-----
[me at mylaptop ~]traceroute6 -w1 -n dns.google
traceroute6 to dns.google (2001:4860:4860::8844) from 2001:67c:64:49:a421:5045:508d:495a, 64 hops max, 12 byte packets
 1  2001:67c:64:49::1:2  2.627 ms  2.053 ms  2.576 ms
 2  2001:67c:2e8:26::5  1.905 ms  3.936 ms  3.472 ms
 3  2001:7f8:1::a501:5169:1  5.384 ms  8.982 ms  3.920 ms
 4  2001:4860:0:f8b::1  11.778 ms
    2001:4860:0:f8c::1  3.224 ms  5.524 ms
 5  2001:4860:0:1::1485  4.232 ms
    2001:4860:0:1::1c7d  21.334 ms  4.589 ms
 6  2001:4860:4860::8844  2.762 ms  2.173 ms  3.222 ms
-----
This does not break traceroute6, but it does break things like mtr.
Is there a way to change this behaviour so that traceroutes to synthesized addresses also report to be coming from the router IP on the first hop?
Thank you very much in advance!
--
Marco van Tol
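As an added example (not the poster's code, and not something the ipfw nat64lsn module does), the script below decodes a NAT64 traceroute6 like the one in the post: it applies the RFC 6052 /96 embedding to map every synthesized hop back to the IPv4 router behind it, and flags the quirk Marco describes, a first hop that already answers from the destination address. The two traces from the post are embedded as sample input; numeric (-n) traceroute6 output and the well-known prefix 64:ff9b::/96 are assumed.

```python
"""Decode a NAT64 traceroute6 and flag a first hop that already reports the destination.

Added example, not the poster's script. Assumes the RFC 6052 well-known prefix
64:ff9b::/96 with the IPv4 address in the low 32 bits, and traceroute6 -n output.
"""
import ipaddress
import re

NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052 well-known prefix

# traceroute6 header: "traceroute6 to <name> (<addr>) from ..."
DEST_RE = re.compile(r"traceroute6 to \S+ \(([^)]+)\)")
# hop lines: optional hop number, then a numeric address or '*' on timeout;
# extra responders for the same hop appear on continuation lines without a number
HOP_RE = re.compile(r"^\s*(?:(\d+)\s+)?([0-9a-fA-F:.]+|\*)\s")


def synthesize(v4, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in a /96 NAT64 prefix: 8.8.8.8 -> 64:ff9b::808:808."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 embedding format is handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def extract(v6, prefix=NAT64_PREFIX):
    """Recover the embedded IPv4 address, or None when v6 is not inside the prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def parse_traceroute6(text):
    """Return (destination, hops); hops is a list of (hop_number, [responder addresses])."""
    destination, hops = None, []
    for line in text.splitlines():
        m = DEST_RE.search(line)
        if m:
            destination = m.group(1)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        num, addr = m.groups()
        if num is not None:
            hops.append((int(num), []))
        if hops:  # ignore stray continuation lines before the first numbered hop
            hops[-1][1].append(addr)
    return destination, hops


def decode_path(hops, prefix=NAT64_PREFIX):
    """Pair each responder with its embedded IPv4 address (None for '*' or native IPv6)."""
    out = []
    for num, addrs in hops:
        decoded = []
        for a in addrs:
            v4 = None if a == "*" else extract(a, prefix)
            decoded.append((a, None if v4 is None else str(v4)))
        out.append((num, decoded))
    return out


def first_hop_claims_destination(destination, hops):
    """True when hop 1 already answers from the traceroute destination (the post's quirk)."""
    if not hops or destination is None:
        return False
    dest = ipaddress.IPv6Address(destination)
    num, addrs = hops[0]
    return num == 1 and any(a != "*" and ipaddress.IPv6Address(a) == dest for a in addrs)


# Sample input copied from the post (traceroute6 -w1 -n output).
NAT64_TRACE = """\
traceroute6 to 64:ff9b::8.8.8.8 (64:ff9b::808:808) from 2001:67c:64:49:a421:5045:508d:495a, 64 hops max, 12 byte packets
 1  64:ff9b::808:808  1.732 ms  2.166 ms  2.198 ms
 2  64:ff9b::c100:605  2.131 ms  2.308 ms  3.216 ms
 3  64:ff9b::50f9:d0f7  3.115 ms  4.114 ms  3.657 ms
 4  64:ff9b::6caa:f1c1  3.892 ms
    64:ff9b::6caa:f1a1  4.034 ms  5.465 ms
 5  64:ff9b::6caa:ec87  5.895 ms
    64:ff9b::480e:eef5  4.412 ms
    64:ff9b::d8ef:310d  4.358 ms
 6  64:ff9b::808:808  4.418 ms  3.498 ms  3.247 ms
"""
NATIVE_TRACE = """\
traceroute6 to dns.google (2001:4860:4860::8844) from 2001:67c:64:49:a421:5045:508d:495a, 64 hops max, 12 byte packets
 1  2001:67c:64:49::1:2  2.627 ms  2.053 ms  2.576 ms
 2  2001:67c:2e8:26::5  1.905 ms  3.936 ms  3.472 ms
 6  2001:4860:4860::8844  2.762 ms  2.173 ms  3.222 ms
"""

if __name__ == "__main__":
    for trace in (NAT64_TRACE, NATIVE_TRACE):
        dest, hops = parse_traceroute6(trace)
        print("destination", dest, "first hop is destination:", first_hop_claims_destination(dest, hops))
        for num, responders in decode_path(hops):
            print(num, ", ".join(f"{v6} ({v4 or 'native IPv6'})" for v6, v4 in responders))
```

Running it on the NAT64 trace prints hop 1 as 64:ff9b::808:808 (8.8.8.8), the same as the final hop, and the decoded IPv4 path behind it (193.0.6.5, 80.249.208.247, ...), which is what an mtr-style tool would need to see the real first hop instead of the destination.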