The logs of my pf firewall were showing numerous IPv6 fragmented
packets being dropped. I believe the real fix is still in the works
from OpenBSD/FreeBSD. Until then, I have to settle for an insecure
hack in my firewall.
pass in quick on $ip6_if inet6 proto ipv6-frag all
Traceroute problem
Fixed
I had an issue with traceroute (tracert on Windows).
Everything was appearing to be 1 hop away:
galaxy# traceroute www.google.com
traceroute: Warning: www.google.com has multiple addresses; using 173.194.73.99
traceroute to www.l.google.com (173.194.73.99), 64 hops max, 52 byte packets
1 vb-in-f99.1e100.net (173.194.73.99) 111.623 ms 88.695 ms 111.914 ms
It then occurred to me how traceroute works. A packet is
sent with TTL 1, then another packet with TTL 2, then TTL 3,
and so on; each router where the TTL expires answers, and that is how
the hops get listed. Well, duh, I had in my pf firewall:
scrub log on $ext_if all random-id min-ttl 64 max-mss 1452 reassemble tcp fragment reassemble
I was forcing every outgoing TTL up to 64, so each probe went all the way to
the destination and traceroute no longer worked correctly. The theory behind
adding min-ttl 64 is to help prevent anyone from inferring that there are
NAT'd computers behind the router. After taking out the min-ttl 64,
traceroutes now work again.
galaxy# traceroute www.google.com
traceroute: Warning: www.google.com has multiple addresses; using 173.194.73.147
traceroute to www.l.google.com (173.194.73.147), 64 hops max, 52 byte packets
1 10.12.25.1 (10.12.25.1) 33.617 ms 26.609 ms 26.985 ms
2 130.81.135.226 (130.81.135.226) 84.987 ms 31.780 ms 33.028 ms
3 so-7-0-0-0.PITT2-CORE-RTR1.verizon-gni.net (130.81.18.254) 38.038 ms 31.724 ms 31.986 ms
4 as2-0.LCC2-RES-BB-RTR1-RE1.verizon-gni.net (130.81.20.92) 40.988 ms 47.779 ms 36.993 ms
5 0.so-6-0-3.XL3.IAD8.ALTER.NET (152.63.32.133) 38.990 ms
0.so-6-0-2.XL3.IAD8.ALTER.NET (152.63.36.233) 130.778 ms
0.xe-7-0-0.XL3.IAD8.ALTER.NET (152.63.34.201) 41.782 ms
6 TenGigE0-6-4-0.GW7.IAD8.ALTER.NET (152.63.37.82) 39.781 ms 39.789 ms 38.992 ms
7 google-gw.customer.alter.net (152.179.50.106) 37.990 ms 37.644 ms 42.973 ms
8 216.239.46.248 (216.239.46.248) 50.983 ms
72.14.238.212 (72.14.238.212) 37.834 ms 39.827 ms
9 209.85.243.114 (209.85.243.114) 51.988 ms 56.840 ms
209.85.241.222 (209.85.241.222) 70.987 ms
10 64.233.174.117 (64.233.174.117) 54.831 ms
64.233.174.87 (64.233.174.87) 49.844 ms 64.839 ms
11 * * *
12 vb-in-f147.1e100.net (173.194.73.147) 49.024 ms 78.763 ms 50.968 ms
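To make the interaction concrete, here is a small Python model of what the scrub rule does to the probes. This is an added example, not code from the original post or from pf; the router path reuses a few addresses from the output above purely as labels, and scrub_min_ttl, forward and traceroute are names chosen for the model.

```python
# Added example (not from the original post): a simulation of why
# pf's "scrub ... min-ttl 64" makes every traceroute destination look
# one hop away. The path below is constructed; no real packets are sent.

from typing import List, Optional, Tuple

# Constructed path: three routers followed by the destination host.
SAMPLE_PATH = [
    "10.12.25.1",        # first hop (default gateway)
    "130.81.135.226",    # ISP router
    "130.81.18.254",     # ISP core router
    "173.194.73.147",    # destination
]


def scrub_min_ttl(ttl: int, min_ttl: Optional[int]) -> int:
    """Model of pf's 'scrub min-ttl N': an outgoing packet whose TTL is
    below N is rewritten to N; packets already at or above N are untouched."""
    if min_ttl is None or ttl >= min_ttl:
        return ttl
    return min_ttl


def forward(path: List[str], ttl: int) -> Tuple[str, str]:
    """Walk one probe along the path. Every intermediate router decrements
    the TTL and, when it reaches zero, answers with ICMP Time Exceeded.
    A probe that survives all routers is answered by the destination
    (modelled as Port Unreachable, the reply traceroute expects for UDP)."""
    for router in path[:-1]:
        ttl -= 1
        if ttl <= 0:
            return router, "time-exceeded"
    return path[-1], "port-unreachable"


def traceroute(path: List[str], min_ttl: Optional[int] = None,
               max_hops: int = 64) -> List[str]:
    """Send probes with TTL 1, 2, 3, ... (each passed through the scrub
    model first) and record who answered, stopping once the destination does."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, kind = forward(path, scrub_min_ttl(ttl, min_ttl))
        hops.append(responder)
        if kind == "port-unreachable":
            break
    return hops


def hop_count(path: List[str], min_ttl: Optional[int] = None) -> int:
    """Number of hops traceroute would report under a given min-ttl setting."""
    return len(traceroute(path, min_ttl))


if __name__ == "__main__":
    for label, setting in (("without min-ttl", None), ("with min-ttl 64", 64)):
        print(f"{label}:")
        for n, hop in enumerate(traceroute(SAMPLE_PATH, setting), start=1):
            print(f"  {n:2d}  {hop}")
```

Running it prints the two hop lists one after the other: without the scrub rule all four hops appear, and with min-ttl 64 only the destination does, which is exactly the one-hop symptom from the first traceroute above.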
IronTux has IPv6!
From HE.NET
I have a couple of IPv6 tunnels, but the main tunnel for this
website is via tunnelbroker.net (HE.NET). The direct IPv6
address is 2001:470:1f07:94d::80. Happy surfing.