[support] passing MIPv6 traffic through pf firewall
Romain KUNTZ
kuntz at lsiit.u-strasbg.fr
Wed Sep 10 23:39:08 JST 2008
Hi,
I'm not a PF expert, so I won't be of much help here. Just one quick
question: did you try to remove some of the rules and identify the
exact one that drops your BA?
romain
On 2008/09/09, at 15:50, harland s.j. (sjh706) wrote:
> Hello,
>
> Currently I'm running Homeguy on a laptop, talking to another box
> running the HA.
>
> The topology of the network here is quite complex, but as far as
> passing traffic *inside* the firewall goes, everything works fine.
>
> However we have a wireless DMZ in place, and run the BSD pf as the
> firewall. When the MN is on the Wireless DMZ, BU packets appear to
> pass quite nicely through the firewall, and the HA sends a BuA
> back. However the firewall drops the packet marking it as matching
> ip-option.
>
> The pf rules that we have for it are as follows:
>
> pass out quick on inet6 from $HA to any flags S/SA keep state
> pass out quick on inet6 from any to $HA flags S/SA keep state
>
> pass in quick on $int_iface all flags S/SA keep state tag INT_NET
> pass in quick on $wlan_iface all flags S/SA keep state tag WLAN_NET
>
> pass out quick on $wlan_iface all flags keep state tagged INT_NET
>
>
> (of course the last rule in theory shouldn't be matched as the first
> should apply in this instance due to the 'quick' keyword).
>
>
> My main request here is to ask if anyone has any experience of
> debugging this, and if it is actually a fault in the BSD pf (which I
> have a nasty feeling that it might be.)
>
>
> Kind Regards
>
>
> Stuart Harland
--
Romain KUNTZ
kuntz at lsiit.u-strasbg.fr
LSIIT - Networks and Protocols Team
http://clarinet.u-strasbg.fr/~kuntz/