My router's IP address layout is as follows, anonymized to protect the privacy of my network:
11.22.33.44 IPv4 WAN address
192.168.42.1 IPv4 LAN address
2001:db8:aaaa:bbbb:cccc:dddd:eeee:ffff IPv6 IA_NA address on egress
2001:db8:cccc:cccc::1 IPv6 IA_PD address on same interface as remote host
fdaa:aaaa:aaaa:aaaa::1 IPv6 ULA on same interface
fdaa:aaaa:aaaa:bbbb::1 IPv6 ULA on different interface
Of these addresses, all can be pinged from a remote host on the network except the two global addresses (DHCPv6 IA_NA and IA_PD). The remote host has a private IPv4 address as well as IPv6 addresses from the prefix delegation (unfortunately my ISP limits it to a /64) and from the ULA with subnet ID aaaa, and it reaches publicly routable addresses outside the network just fine. Why is the router's ULA address reachable while the prefix-delegated address is not? My pf.conf is as follows (based mostly on https://lipidity.com/openbsd/router/#pf):
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
203.0.113.0/24 100.64.0.0/10 192.88.99.0/24 \
255.255.255.255/32 ::/128 ::/96 ::1/128 \
::ffff:0:0/96 100::/64 2001:10::/28 2001:2::/48 \
2001:db8::/32 3ffe::/16 fec0::/10 fc00::/7 }
set block-policy drop
set loginterface egress
set skip on lo
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress lan }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all
pass out quick
pass in on lan
pass in on lan inet6 from any to 64:ff9b::/96 af-to inet from (egress:0)
# above was me experimenting with NAT64. it worked at one point, now it's not. could it be related?
pass in on egress inet proto icmp all icmp-type echoreq
pass in on egress inet6 proto icmp6 all icmp6-type { echoreq routeradv neighbrsol neighbradv }
pass in on egress proto tcp from any to (egress) port ssh
pass in on egress proto { tcp udp } from any to (egress) port domain
pass in on egress proto tcp from any to (egress) port smtp
pass in on egress inet6 proto udp \
from fe80::/10 port dhcpv6-server \
to fe80::/10 port dhcpv6-client \
no state