I have an OpenBSD PF firewall that I have added a IPv6 tunnel to (using HE.net tunnelbroker).
I can ping/traceroute IPv6 addresses from the firewall. Now I want to provide IPv6 services to the servers behind my firewall. They all have public IP addresses (I'm not using any sort of NAT). So I want to be able to give them IPv6 addresses on the routed IPv6 prefix given by the Tunnel and have traffic properly routed through the tunnel (gif0 interface) on OpenBSD.
Some other details. This is basically a transparent firewall, though the external interface does have an IP address for administration. Would I need to add an IPv6 address to the internal interface as well to provide routing or could I just transparently route everything through the tunnel interface? What would PF rules look like for IPv6 traffic and how would they differ from normal IPv4 PF rules?
I've found this page, but it is so old (for OpenBSD 2.9, almost 10 years old). I'm looking for updated instructions that would fit my situation.
Edit: Along with the below accepted answer I needed to add the following PF rule to get incoming traffic to work:
tunnelserveripv4address="xx.xx.xx.xx" # This is the IPv4 HE.net tunnel endpoint
ext_if="em0"
pass in proto 41 from $tunnelserveripv4address to $ext_if keep state
pass out proto 41 from $ext_if to $tunnelserveripv4address keep state
First, you should configure the LAN NIC to an address from the routed(!) /64; the
::1
is an ideal candidate. Then, fire upradvd
on the LAN interface---it should not need any configuration.PF doesn't play any role in it, or rather, make sure that it doesn't get in the way.