DaemonForums  

Redirect IPv6 packets to IPv4 and vice versa

Post #1, 21st January 2017, by nyg (Port Guard, Join Date: Jan 2017, Posts: 14):

Hello,

I have a Java web server that I can't get to listen on ::1 (even when compiling with the with_ipv6 flavor). So I'm thinking maybe I can try to redirect all external traffic that comes on the IPv6 address port 8080 to the internal IPv4 address same port. My machine has both an IPv6 and IPv4 address on the nfe0 interface. Can I even do this with PF? I have tried many different rules without results...

Code:
# tried this
pass in on nfe0 proto tcp from $ipv6 port 8080 to 192.168.0.101 port 8080
pass out on nfe0 proto tcp from 192.168.0.101 port 8080 to $ipv6 port 8080

# or this
pass in on egress proto tcp from any to any port 8080 rdr-to 192.168.0.101

# or this
rdr pass on nfe0 from any to $ipv6 port 8080 -> 192.168.0.101 port 8080

I've read a lot of docs but I don't understand half of it, because my network knowledge is, well, very low...

Thanks for your help!
Post #2, 21st January 2017, by jggimi (More noise than signal, Join Date: May 2008, Location: USA, Posts: 7,984):

Hello and welcome!

This is a multi-part answer.

First, redirection isn't possible, because it's a redirection of the entire IP packet, and the headers are quite different. You cannot redirect -- or even forward -- between address families.

Second, while IPv6 has the ability to map the IPv4 address space, this is not permitted with OpenBSD. The inet6(4) man page states:
Quote:
For security reasons, OpenBSD does not route IPv4 traffic to an AF_INET6 socket, and does not support IPv4 mapped addresses, where IPv4 traffic is seen as if it comes from an IPv6 address like ::ffff:10.1.1.1. Where both IPv4 and IPv6 traffic need to be accepted, listen on two sockets.
Third, tunneling is the usual solution we use when we need to move TCP or UDP between IPv4 and IPv6 networks. It's a form of routing that lets us encapsulate IPv4 in IPv6, or IPv6 in IPv4. The typical mechanism is to use the gif(4) pseudo-nic, configured with ifconfig(8).

Last edited by jggimi; 21st January 2017 at 04:24 PM. Reason: added comment about forwarding between address families
Post #3, 21st January 2017, by jggimi:

For clarity, here are two examples, from one of the two endpoints.

Tunneling IPv6 inside IPv4:

# ifconfig gif0 tunnel 10.9.0.51 10.9.0.50
# ifconfig gif0 inet6 fd00::5/64

Tunneling IPv4 inside IPv6:

# ifconfig gif0 tunnel fd00::99 fd00::100
# ifconfig gif0 192.168.99.5/24
Post #4, 21st January 2017, by jggimi:

Oops. I have just tested these tunnels, and gif(4) seems to require point-to-point connections for an inner IPv4 connection, not the /24 I posted above.

Here is a correction, then, for IPv4 within IPv6:

# ifconfig gif0 tunnel fd00::1 fd00::2
# ifconfig gif0 192.168.99.1 192.168.99.2
Post #5, 21st January 2017, by nyg:

Thanks a lot for your answers and for directing me in the correct direction.

So... I have external IPv6 packets coming in to a specific IPv6 address on one interface. The first example is to encapsulate v6 packets into v4 ones, so my guess is that the inet6 address is my "public" v6 address, and the destination v4 address is the one on which my web server is listening. What's the first one (10.9.0.51) for, though?
Post #6, 21st January 2017, by jggimi:

Quote:
Originally Posted by nyg View Post
Thanks a lot for your answers and for directing me in the correct direction.
I was interested, as I have not tunneled IPv6 since my first tests with it many years ago. And I hadn't deployed IPv6 again until a few weeks ago. But I am not tunneling it.
Quote:
So... I have external IPv6 packets coming in to a specific IPv6 address on one interface. The first example is to encapsulate v6 packets into v4 ones, so my guess is that the inet6 address is my "public" v6 address, and the destination v4 address is the one on which my web server is listening. What's the first one (10.9.0.51) for, though?
I'm not sure if tunneling is the right answer, because it permits the infrastructure to transmit/receive those alternate-protocol packets without needing to process them. We can tunnel IPv6 packets inside of IPv4 to move the packets over an IPv4 network, or we can do the opposite, and tunnel IPv4 packets inside of IPv6 to move them over an IPv6 network.

Let me restate the problem, and see if I've captured it correctly.

You have an application which cannot (at the moment) open an IPv6 socket, yet you have a requirement to have that application send and receive IPv6 packets.

If that's the case, then tunneling won't avail you either, because the packets are IPv6 packets, and while they can be tunneled over an IPv4 network, they need an IPv6 socket at the terminating end in order to process them.

If you cannot repair your application, perhaps you can insert a transparent proxy in front of it? The relayd(8) tool looks like a possible fit for this. See the discussion of the inet and inet6 instructions in relayd.conf(5).

---

While looking for options for you, I discovered that PF can translate between address families. The translation option is called "af-to." I've never used it, and my brief reading of the pf.conf(5) man page leads me to believe it might not fit your use-case, as it requires /96 or greater prefix lengths, and is for inbound-only translation.
Post #7, 21st January 2017, by jggimi:

Looking at those inet/inet6 forwarders -- it appears they're not a good fit either, but it may be that a simple redirection proxy might work.
Post #8, 21st January 2017, by nyg:

HOLY COW!

It works! Amazing!

Using an unbelievably simple relayd.conf:

Code:
relay tcp6to4 {
        listen on my_ipv6 port 8080
        forward to 0:0:0:0:0:ffff:c0a8:65 port 8080 inet
}
The forward to v6 address is actually 192.168.0.101 (maybe I could have used 127.0.0.1?) converted to v6.

Small detail, but the man page says that if port xxx is not specified (in forward to) then the one from listen to will be used. I've tried without it, but then relayd -n fails:

Code:
# relayd -n
/etc/relayd.conf:3: syntax error
no actions, nothing to do
It doesn't matter to me but maybe it's a bug?

Anyway, thank you so much for suggesting so many solutions!
Post #9, 21st January 2017, by jggimi:

I am very glad you got it working!

I'm unsure regarding the syntax error, because I'm not very familiar with relayd(8), as I don't use it. I set up some layer 7 load balancers in a lab several years ago, and then set it aside.

Michael W Lucas has a new, soon-to-be-published book which covers both httpd(8) and relayd(8). I haven't seen any of it yet (other than the occasional clause that got tweeted during its development), but I'll get it ... if only because the cover art is so nice:

https://twitter.com/mwlauthor/status/820414929534652416
Post #10, 21st January 2017, by nyg:

Aha, interesting. I have his Absolute OpenBSD, but there is no how-to on relayd(8). He just refers to The Book of PF for those interested in load balancing...

Quote:
Originally Posted by jggimi View Post
Let me restate the problem, and see if I've captured it correctly.

You have an application which cannot (at the moment) open an IPv6 socket, yet you have a requirement to have that application send and receive IPv6 packets.
Yes, that was the issue.
Post #11, 21st January 2017, by jggimi:

And..

I got my lab version working just now with a slightly simpler configuration, because I didn't use inet and selected an IPv4 address.

My test webserver was httpd(8), listening on 127.0.0.1:
Code:
server "default" {
        listen on 127.0.0.1 port 80
        directory auto index
}
And relayd was relaying the HTTP traffic to the IPv4 loopback address. The fd00::/64 address is a site-unique address I used to reach the test machine.
Code:
relay 6-to-4 {
        forward to 127.0.0.1 port 80
        listen on fd00::1 port 80
}
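As an added illustration of what the relay blocks in posts #8 and #11 actually do (this is example code written for this thread, not code from the thread, from relayd or from OpenBSD): a minimal layer-4 relay in Python that accepts on an address of one family and opens a separate TCP connection to the backend in its own family, translating an IPv4-mapped literal such as 0:0:0:0:0:ffff:c0a8:65 the way relayd's inet keyword does. The listen and backend addresses are whatever the caller passes in; the only assumption about the platform is the inet6(4) behaviour jggimi quoted, that IPv4 traffic is never delivered to an AF_INET6 socket.

```python
import ipaddress
import socket
import threading

def backend_target(addr):
    """Mirror relayd's 'inet' keyword: an IPv4-mapped IPv6 literal such as
    0:0:0:0:0:ffff:c0a8:65 becomes the plain IPv4 address 192.168.0.101,
    since OpenBSD will not deliver IPv4 traffic to an AF_INET6 socket."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)

def _family(addr):
    return socket.AF_INET6 if ipaddress.ip_address(addr).version == 6 else socket.AF_INET

def _pump(src, dst):
    # Copy bytes until src closes, then close dst's write side so the peer
    # sees end-of-stream. Each side is its own TCP connection: no IP header
    # is ever rewritten, which is why this works where PF rdr-to cannot.
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def start_relay(listen_addr, listen_port, backend_addr, backend_port):
    """Accept in the listen address's family, connect to the backend in its
    own family, pump both ways. Returns the listener's (address, port)."""
    target = backend_target(backend_addr)
    lsock = socket.socket(_family(listen_addr), socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((listen_addr, listen_port))  # port 0 picks a free port
    lsock.listen(8)

    def serve():
        while True:
            client, _ = lsock.accept()
            upstream = socket.create_connection((target, backend_port))
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[:2]
```

Calling start_relay("::1", 8080, "0:0:0:0:0:ffff:c0a8:65", 8080) reproduces nyg's relayd.conf in spirit: IPv6 clients connect to the relay, and the Java server only ever sees an IPv4 connection from the relay.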