Contributed by sean on from the dept.
Some time ago Daemon News published a paper I wrote about using IPv6 behind a NAT. I have updated it to be current with Freenet6's latest software. You can find it here.
OpenBSD Journal
Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]
By Anonymous Coward (12.108.192.181) on
Now that I've been a six-boner for a long enough period of time, this stuff is all old hat. In the boner circles, we've considered this article to be the prime example of how not to accomplish a successful boning from behind a NAT.
Comments
By Anonymous Cheese (68.124.163.80) on
"pf.conf from insomnia.benzedrine.cx"
http://www.benzedrine.cx/pf.conf
"How to setup an IPv6 tunnel in 5 minutes..."
http://www.benzedrine.cx/gif.txt
"My 6bone router using OpenBSD"
http://rollcage.bl.echidna.id.au/IPv6/openbsd.html
"Simple IPv6 tunnel broker"
http://www.tunnelbroker.com
"IPv6 protocol stack and IPsec"
http://www.kame.net/
By Arrigo Triulzi (212.152.5.64) on http://obi-wan.kenobi.it/cynicalsecurity
If I had a USB DSL modem I wouldn't have this problem, agreed wholeheartedly. That's why I called my box a router.
By Daniel Hartmeier (62.65.145.30) daniel@benzedrine.cx on
With a dynamic routable address, you'll need a way to update the nat rule on the pf box when the Zyxel gets a new routable address, but once you have that, the setup will be more flexible than using Zyxel's NAT/SUA in forwarding mode. The Zyxel can syslog over UDP to the pf box, maybe it logs address changes. Or you can query the current address through ZyXEL's telnet interface.
I'm doing just that (with a 642R), though with a static routable address.
By Arrigo Triulzi (212.152.5.64) on http://obi-wan.kenobi.it/cynicalsecurity
For when I change DSL provider: do you bridge everything (i.e. this is the case where you have your internal host doing PPPoE negotiation and everything) or do you just bridge a given protocol using "SUA"?
Last time the "engineer" configured SUA on the ZyXEL to forward the external port 80 to a suitable internal host the ZyXEL hung and needed a cold reboot and return to NAT only before it was usable again!
By Daniel Hartmeier (62.65.145.30) daniel@benzedrine.cx on
In bridge mode, the modem does just PPPoE, bridging the decapsulated IP traffic to the LAN interface. So what you see there is IP traffic to your external routable address. You assign that address to the pf box behind it (which will then do ARP for that address), and the modem sends all traffic for the external address to it.
For the pf box, this makes things very simple and elegant, it doesn't know about the PPPoE happening upstream, it looks like it is directly connected to the Internet with the assigned routable address on its external interface. Doing NAT for other local hosts with private address space is dead simple, then.
I have never done that with dynamic addresses, a smart trick would be to watch for ARP requests for the new address from the modem, then change the IP address on the external interface of the pf box accordingly. With a 'nat on $extif -> ($extif)' rule, you wouldn't even need to reload the ruleset, in that case.
By Arrigo Triulzi (212.152.5.64) on http://obi-wan.kenobi.it/cynicalsecurity
I don't think that getting the DHCP lease renewal over syslog is going to work unless it is the last message sent to the old IP address before the change... but listening to the ARP might. I'll look into it. If it works, I'll post a summary.
Perhaps what is needed is an extension to pf in which the IP address is determined by the interface name when the rule is evaluated? Big performance hit since you'd have to do it on a per-packet basis (you'd have to make it atomic at that level otherwise you could have a nice hole!) but it would make DHCP users happy (and performance is not really an issue on home DSL lines with dynamic IPs).
By Daniel Hartmeier (62.65.145.30) daniel@benzedrine.cx on
We're not talking about NATing IPv6 traffic (I've yet to see someone doing that for any reasonable purpose ;), but NATing the IPv6-in-IPv4 encapsulated traffic, which is inet proto ipv6 (not inet6!) in pf context. The local endpoint then serves as IPv6 default gateway for local hosts, which get assigned real IPv6 addresses from the netblock as usual.
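An added example, not posted by anyone in this thread, that puts the two setups discussed here into pf.conf form: Daniel's bridge-mode case, where the pf box holds the routable address and uses a parenthesised interface in the nat rule so an address change needs no reload, and the article's case, where the IPv6-in-IPv4 tunnel (IP protocol 41, "inet proto ipv6" in pf terms) ends on a host behind the NAT. Interface names, the private netblock, the tunnel host and the broker's endpoint are assumptions; 192.0.2.0/24 and 2001:db8::/32 are documentation prefixes, not real broker addresses.

```pf
# Added example, not from this thread. OpenBSD 3.2-era pf.conf for a box
# with a routable IPv4 address on $ext_if (e.g. behind a modem in bridge
# mode) that NATs a private LAN and carries one IPv6-in-IPv4 tunnel.
# All names and addresses below are assumptions.
ext_if      = "fxp0"
int_if      = "fxp1"
int_net     = "192.168.1.0/24"
tunnel_peer = "192.0.2.1"          # assumed broker IPv4 endpoint
v6_net      = "2001:db8:1::/64"    # assumed prefix delegated by the broker

# --- Case A: the tunnel ends on a LAN host (the article's setup) ---
tunnel_host = "192.168.1.10"

# "($ext_if)" is resolved when a packet is evaluated, not when the ruleset
# is loaded, so a new external address needs no pfctl reload. The rule
# also rewrites the source of $tunnel_host's outgoing protocol-41 packets.
nat on $ext_if inet from $int_net to any -> ($ext_if)

# The encapsulated tunnel is IPv4 with protocol number 41: "inet proto
# ipv6", not "inet6". Protocol 41 has no ports, so only one inner host can
# be mapped per external address. Inbound tunnel packets go to that host,
# and only the broker's endpoint is accepted as a source.
rdr on $ext_if inet proto ipv6 from $tunnel_peer to ($ext_if) -> $tunnel_host

block in log all
pass out keep state
pass in on $int_if from $int_net to any keep state
# Filtering happens after rdr, so the destination seen here is $tunnel_host.
pass in on $ext_if inet proto ipv6 from $tunnel_peer to $tunnel_host keep state

# --- Case B: the tunnel ends on this box (gif0), bridge-mode setup ---
# Drop the rdr line and the pass rule to $tunnel_host above; instead pf
# sees the outer IPv4 packets on $ext_if and the decapsulated IPv6 packets
# on gif0, and both must be passed:
# pass in on $ext_if inet proto ipv6 from $tunnel_peer to ($ext_if) keep state
# pass in on gif0 inet6 from any to $v6_net keep state
# pass out on gif0 inet6 from $v6_net to any keep state
```

Two caveats worth checking in practice: restricting protocol 41 to the broker's endpoint matters because the outer IPv4 header is the only thing authenticating the tunnel, and an unrestricted "proto ipv6" pass rule lets anyone on the Internet inject IPv6 packets into the LAN through the tunnel host; and because the inner host in case A has a private address, the gif endpoint it configures must match what the broker expects to see (the external address after NAT), which is what the article's Freenet6 notes cover.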
By Arrigo Triulzi (212.152.5.64) on http://obi-wan.kenobi.it/cynicalsecurity
With respect to the discussion I understand the idea - that's why I asked my question which was marginally off-topic. In the examples you assume that you have control over the host doing NAT and hence the issue is getting your 6-in-4 through whereas my question extended this to "what if I don't actually control the NAT box?".
In any case, thanks again for the pointer to HE.Net.