Discussion:
Working with encapsulated traffic using PF (pass incoming IPv4 from IPv6 gif tunnel)
Martin
2021-04-09 08:55:34 UTC
Hello list,

I have a working IPv4 OpenBSD router. There are no problems with native IPv4 and IPv6 traffic filtering/redirecting at all.

Now I'm stuck with filtering IPv4 traffic encapsulated in an IPv6 tunnel using a gif interface.

The IPv6 interface is tun0, which has a unique IPv6 address assigned, and gif0 has the same unique IPv6 address as tun0, with IPv4 wrapped into IPv6 as shown in the configs.

The configuration on the opposite side is the same, except that the IPv4 and IPv6 source and destination addresses are reversed to make a tunnel.

I'm not sure if I need to use a bridge between tun0 and gif0 to have it working.

I'm looking for an appropriate PF filtering rule to pass the IPv4 encapsulated traffic that appears on tun0 and is blocked by the "block all" PF rule for some reason.

Any ideas welcome.

=== Side-a ===

# cat /etc/hostname.gif0
# gif0
up
description 'IPv4 over IPv6 tunnel'
# tunnel [src IPv6] [dst IPv6]
tunnel dddd:cccc:bbbb:aaaa::18b5 aaaa:bbbb:cccc:dddd::a503
inet alias 10.190.0.1
dest 10.190.0.2

# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
index 44 priority 0 llprio 3
groups: tun
status: active
inet6 fe80::5054:ffc:fe04:f824%tun0 -> prefixlen 64 scopeid 0x2c
inet6 dddd:cccc:bbbb:aaaa::18b5 -> prefixlen 48

=== Side-b ===

# cat /etc/hostname.gif0
# gif0
up
description 'IPv4 over IPv6 tunnel'
# tunnel [src IPv6] [dst IPv6]
tunnel aaaa:bbbb:cccc:dddd::a503 dddd:cccc:bbbb:aaaa::18b5
inet alias 10.190.0.2
dest 10.190.0.1

# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
index 44 priority 0 llprio 3
groups: tun
status: active
inet6 fe80::2a15:f3af:fefb:a3b0%tun0 -> prefixlen 64 scopeid 0x2c
inet6 aaaa:bbbb:cccc:dddd::a503 -> prefixlen 48
David Gwynne
2021-04-15 01:25:06 UTC
Hi Martin,

bridge(4) only works with Ethernet interfaces; there is no equivalent to bridge(4) for tunnels. I don't think that's related or necessary for solving your problem though.

Without a look at your IPv6 routing table it's hard to tell what could be happening here. My first impression is that your routers don't have routes for the IPv6 endpoints over the tun0 interfaces. For this to work, I'd expect to see something like this in your tun0 output:

=== Side-a ===

# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
index 44 priority 0 llprio 3
groups: tun
status: active
inet6 fe80::5054:ffc:fe04:f824%tun0 -> prefixlen 64 scopeid 0x2c
inet6 dddd:cccc:bbbb:aaaa::18b5 -> aaaa:bbbb:cccc:dddd::a503 prefixlen 128

and:

=== Side-b ===

# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
index 44 priority 0 llprio 3
groups: tun
status: active
inet6 fe80::2a15:f3af:fefb:a3b0%tun0 -> prefixlen 64 scopeid 0x2c
inet6 aaaa:bbbb:cccc:dddd::a503 -> dddd:cccc:bbbb:aaaa::18b5 prefixlen 128

This isn't strictly necessary though; the important thing is that the route to the dst IPv6 endpoint is over tun0. You should be able to check if that is the case with "route get [dst IPv6]" and looking for tun0 in the "interface:" line. You should also be able to ping6 between the IPv6 tunnel endpoints too. If ping6 isn't working, then I wouldn't expect gif traffic to work either.

Cheers,
dlg
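One way to express the PF rules Martin asked for, once the route check dlg describes succeeds. This is an added example and not from the thread; it assumes the endpoint addresses from the hostname.gif0 files above, that "route get aaaa:bbbb:cccc:dddd::a503" on Side-a reports interface: tun0, and that the decapsulated IPv4 packets are filtered a second time on gif0.

```pf
# Added example (not from the thread): minimal pf.conf fragment for Side-a.
# Side-b uses the same rules with local_v6 and peer_v6 swapped.
local_v6  = "dddd:cccc:bbbb:aaaa::18b5"
peer_v6   = "aaaa:bbbb:cccc:dddd::a503"
tunnel_v4 = "10.190.0.0/30"   # assumed: covers 10.190.0.1 and 10.190.0.2

# Default deny, with "log" so pflog0 shows what this rule is dropping.
block log all

# Outer packets on tun0 are IPv6 whose next header is IP protocol 4
# (IPv4 encapsulated in IP, "ipencap" in /etc/protocols).  Only the two
# configured tunnel endpoints may exchange them; state is kept so the
# reply direction matches as well.
pass in  on tun0 inet6 proto 4 from $peer_v6  to $local_v6
pass out on tun0 inet6 proto 4 from $local_v6 to $peer_v6

# Inner packets: gif0 decapsulates them and they traverse pf again as
# plain inet on gif0, so the IPv4 policy for the tunnel is written here.
# This only permits the two tunnel endpoints to talk to each other;
# widen it to the networks actually routed over the tunnel.
pass on gif0 inet from $tunnel_v4 to $tunnel_v4
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading, and if encapsulated packets still disappear, "tcpdump -n -e -ttt -i pflog0" shows which rule is dropping them and on which interface.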
