# IPv6 on PF



## concept (Sep 27, 2012)

I have just obtained a /64 block of IPs from my VPS provider, and I have 3 IPv4 addresses on that same box. I have minimal knowledge of networking though, so please bear with me.

ifconfig(8):


```
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
        ether 00:16:3e:27:da:5f
        inet x.x.x.x netmask 0xfffffff0 broadcast x.x.x.x
        inet6 fe80::216:xxxx:xxxx:da5f%re0 prefixlen 64 scopeid 0x2
        inet6 2001:470:xxxx:x::x prefixlen 64
        inet x.x.x.x netmask 0xfffffff0 broadcast x.x.x.x
        inet x.x.x.x netmask 0xfffffff0 broadcast x.x.x.x
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
```

I can already ping6(1) to ipv6.google.com and traceroute6(8) to it.

And this is my *netstat -rn* output:


```
Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0 =>
default                           2001:470:xxxx:x::x            UGS         re0
::1                               link#4                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
2001:470:xxxx:x::/64              link#2                        U           re0
2001:470:xxxx:x::2                link#2                        UHS         lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%re0/64                     link#2                        U           re0
fe80::216:3eff:xxxx:da5f%re0      link#2                        UHS         lo0
fe80::%lo0/64                     link#4                        U           lo0
fe80::1%lo0                       link#4                        UHS         lo0
ff01::%re0/32                     fe80::216:3eff:xxxx:da5f%re0  U           re0
ff01::%lo0/32                     ::1                           U           lo0
ff02::/16                         ::1                           UGRS        lo0
ff02::%re0/32                     fe80::216:3eff:xxxx:da5f%re0  U           re0
ff02::%lo0/32                     ::1                           U           lo0
```

And this is my pf.conf for IPv6 rules; I've cut down my IPv4 rules.


```
# -- ipv6 ranges --
ipv6_add = "2001:470:488d:0001::2"

# -- ipv6 --
pass in quick on $ext_if inet6 proto { tcp, udp } from $ipv6_add to $dns6 port 53 flags S/SA keep state
pass out on $ext_if inet6 proto icmp6 all icmp6-type echoreq keep state
pass in on $ext_if inet6 proto icmp6 all icmp6-type echoreq
pass out quick on $ext_if inet6 from $ext_if:network to any keep state
pass out on $ext_if inet6 proto udp from { ::1, 2001:470:488d:xxxx::x } to any port 53 keep state
```

I got the idea for the IPv6 rules through googling, so I'm really not sure about it. My problem is I still can't even lynx to ipv6.google.com or just connect to an IPv6 IRC network, even after I set my hostname to use my IPv6 address. What did I miss here? Thanks.


----------



## SirDice (Sep 27, 2012)

Does your DNS server resolve IPv6 addresses?


```
dice@vps-2417-1:~>dig +short www.google.com AAAA
2a00:1450:400c:c00::93
```


----------



## concept (Sep 27, 2012)

Thanks SirDice. Fortunately, yes, I can resolve IPv6 addresses too.


```
jm@hex-vps:~> dig +short www.google.com AAAA
2607:f8b0:400e:c02::63
```


----------



## SirDice (Sep 27, 2012)

Oh, right, ping6(8) and traceroute6(8) work so resolving probably isn't the issue.

Have a look at `# pfctl -vvrs rules` and try something. Whatever is being blocked should show up and you can figure out which rule is blocking your traffic.


----------



## concept (Sep 27, 2012)

This is my output; I'm not sure what to look for though.


```
@48 pass out quick on re0 inet6 proto udp from <ntpservers:3> to fe80::216:3eff:fe27:da5f port = ntp keep state (if-bound)
  [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 0     ]

@49 pass out quick on re0 inet6 proto udp from <ntpservers:3> to 2001:470:xxxx:x::x port = ntp keep state (if-bound)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 0     ]

@51 pass in quick on re0 inet6 proto udp from 2001:470:xxxx:x::x to 2001:4860:4860::8888 port = domain keep state (if-bound)
  [ Evaluations: 292       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 0     ]

@52 pass in quick on re0 inet6 proto udp from 2001:470:xxxx:x::x to 2001:4860:4860::8844 port = domain keep state (if-bound)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 0     ]

@53 pass in quick on re0 inet6 proto udp from any to 2001:470:xxxx:x::x port = auth keep state (if-bound)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 0     ]

@54 pass in quick on re0 inet6 proto tcp from 2001:470:xxxx:x::x to 2001:4860:4860::8888 port = domain flags S/SA keep state (if-bound)
  [ Evaluations: 97        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 0     ]

@55 pass in quick on re0 inet6 proto tcp from 2001:470:xxxx:x::x to 2001:4860:4860::8844 port = domain flags S/SA keep state (if-bound)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 0     ]

@56 pass in quick on re0 inet6 proto tcp from any to 2001:470:xxxx:x::x port = auth flags S/SA keep state (if-bound)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 0     ]

@57 pass out quick on re0 inet proto icmp from (re0:3) to any keep state (if-bound)
  [ Evaluations: 378       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 0     ]

@58 pass out on re0 inet6 proto ipv6-icmp all icmp6-type echoreq keep state (if-bound)
  [ Evaluations: 86        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 0     ]

@59 pass in on re0 inet6 proto ipv6-icmp all icmp6-type echoreq keep state (if-bound)
  [ Evaluations: 294       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 0     ]

@60 pass out quick on re0 inet6 from 2001:470:xxxx:x::/64 to any flags S/SA keep state (if-bound)
  [ Evaluations: 13        Packets: 16        Bytes: 944         States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 2     ]

@61 pass out on re0 inet6 proto udp from ::1 to 2001:4860:4860::8888 port = domain keep state (if-bound)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 0     ]

@62 pass out on re0 inet6 proto udp from ::1 to 2001:4860:4860::8844 port = domain keep state (if-bound)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 0     ]

@63 pass out on re0 inet6 proto udp from 2001:470:xxxx:x::x to 2001:4860:4860::8888 port = domain keep state (if-bound)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 0     ]
  
@64 pass out on re0 inet6 proto udp from 2001:470:xxxx:x::x to 2001:4860:4860::8844 port = domain keep state (if-bound)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 0     ]
```

I pasted all those with inet6 output only.


----------



## SirDice (Sep 27, 2012)

None of your rules are evaluated, so traffic never even gets that far. Perhaps there's a rule higher up that's blocking everything.


----------



## concept (Sep 27, 2012)

I edited my last post with the results. Which one do I look for?


----------



## SirDice (Sep 27, 2012)

This one:

```
@60 pass out quick on re0 inet6 from 2001:470:xxxx:x::/64 to any flags S/SA keep state (if-bound)
  [ Evaluations: 13        Packets: 16        Bytes: 944         States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 2     ]
```

That's the rule that should be triggered for outgoing IPv6 traffic. The rule was evaluated 13 times and it created 2 states. A state should mean it allows the traffic and the return traffic.


----------



## concept (Sep 27, 2012)

Oh okay, what's the ideal rule to trigger it for outgoing IPv6? Thanks again.


----------



## SirDice (Sep 27, 2012)

The rule should be fine as is. Perhaps the quick keyword could be removed. You want to use quick as little as possible. I only use it at the top of my rules to block certain traffic from known offenders, as there's no point in evaluating the rest of the rules. Keep in mind that PF, contrary to traditional firewalls, doesn't stop evaluating rules when it gets a hit on one.

In your example, rules 63 and 64 will never be evaluated because traffic already hits rule 60, and the quick keyword makes it stop evaluating any other rules.


----------
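To make SirDice's reading of the `pfctl -vvsr rules` counters (from the post above and the earlier "look at the rules" advice) repeatable, here is an added example that is not code from the thread: it parses output in the same format into per-rule counters and classifies each rule as never evaluated, evaluated without a match, or matched, noting when a matched `quick` rule ends evaluation for that traffic. The sample input is constructed in the thread's format with documentation prefixes (2001:db8::/32) in place of the poster's addresses.

```python
import re

# Constructed sample in the format of `pfctl -vvsr rules` output quoted in the thread (not the poster's full ruleset)
SAMPLE = """\
@51 pass in quick on re0 inet6 proto udp from 2001:db8::2 to 2001:4860:4860::8888 port = domain keep state (if-bound)
  [ Evaluations: 292       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 0     ]

@60 pass out quick on re0 inet6 from 2001:db8::/64 to any flags S/SA keep state (if-bound)
  [ Evaluations: 13        Packets: 16        Bytes: 944         States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 2     ]

@63 pass out on re0 inet6 proto udp from 2001:db8::2 to 2001:4860:4860::8888 port = domain keep state (if-bound)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39997 State Creations: 0     ]
"""

RULE_RE = re.compile(r"^@(\d+) (.*)$")
COUNTER_RE = re.compile(r"(Evaluations|State Creations): (\d+)")

def parse_rules(text):
    """Return one dict per rule: number, rule text, quick flag and the two counters we need."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            body = m.group(2)
            rules.append({"num": int(m.group(1)), "text": body,
                          "quick": " quick " in f" {body} ", "Evaluations": 0, "State Creations": 0})
        elif rules:  # indented counter lines belong to the most recent rule
            for name, value in COUNTER_RE.findall(line):
                rules[-1][name] = int(value)
    return rules

def diagnose(rules):
    """Zero evaluations: traffic never reached the rule. Evaluations but no states: considered,
    did not match. States created: matched; with quick, pf stops at it for that traffic."""
    verdicts = {}
    for r in rules:
        if r["Evaluations"] == 0:
            v = "never evaluated"
        elif r["State Creations"] == 0:
            v = "evaluated, no match"
        elif r["quick"]:
            v = "matched, quick: later rules skipped for this traffic"
        else:
            v = "matched"
        verdicts[r["num"]] = v
    return verdicts
```

Run it over real `pfctl -vvsr rules` output by passing that text to `parse_rules`; a rule that ends evaluation early because of `quick` will show up as matched while every later rule stays at zero evaluations.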



## OH (Sep 27, 2012)

You can (shortly!) disable pf to see if indeed that is the culprit:
`# pfctl -d`

Use *-e* to re-enable.

Did you specifically configure www/lynx to build with IPv6 support? The default build will not enable IPv6 support. The same question goes, of course, for other pieces of software that you're trying to use.

Also, not all software supports IPv6 yet.

I can't help but notice that your VPS provider offers you a tunneled connection from tunnelbroker.net (Hurricane Electric). I hope you're aware of this.


----------



## concept (Sep 28, 2012)

How would being tunneled be an issue, by the way? Could that be the culprit as to why I can't use IPv6 to connect to IRC at least?


----------



## SirDice (Sep 28, 2012)

Tunneling does change things a little as your IPv6 traffic doesn't go out the network interface but out through the tunnel interface. All the network interface sees is IPv6-over-IPv4 traffic.


----------



## OH (Sep 28, 2012)

It *should* not make a difference to your issue.
I've been happily using tunnelbroker myself for years. Your provider probably got a /48 from tunnelbroker and is handing them out in portions of /64 to its customers. Ideally no blocking occurs in that process.

If you're learning about IPv6 you might as well cut out the middleman and get a tunnel yourself (they're free of charge). If you were planning to use IPv6 in production you should probably be looking for a VPS provider that offers IPv6 natively.


----------



## WeDebugYou (Nov 25, 2012)

Hi,

If you are tunneled, the interface to use is gif0. Do you have a gif0 interface? If not, do you have a gif#?

Jean


----------

