NetBSD-Users archive
[IPv6] Something I don't understand
Hello,
I have used IPv6 for a while on a NetBSD server, but I have replaced my old
ADSL connection with a new fiber connection.
With my old ISP, my IPv6 access was done through a VPN (OpenVPN/TAP) to
a Linux server I have installed in a datacenter. Now, my new ISP
provides IPv6 and I am trying to route IPv6 through NetBSD. And, of course, it
doesn't run as expected.
My IPv6 network is PREFIX:a00::/56
Network configuration:
                         ISP
                   PREFIX:a00::1/56
                          |
    +--------------------------------------------+
    |                                            |
   wm2                                         wlan0
PREFIX:a00::3/64                          PREFIX:a00::2/64
legendre (NetBSD-10)                      rayleigh (Linux 6.4)
lagg0               re0                        lan0
PREFIX:a10::128/64  PREFIX:a01::2/64      PREFIX:a01::1/64
    |                   |                        |
    |                   +------------------------+
    |                              DMZ
   LAN
Legendre has other network interfaces, but without IPv6.
Rayleigh's IPv6 routes:
Destination        Next Hop        Flag  Met   Ref  Use  If
PREFIX:a00::/64    [::]            U     256   8    0    wan0
PREFIX:a01::/64    [::]            U     256   9    0    lan0
PREFIX:a10::/64    PREFIX:a01::2   UG    1     4    0    lan0
...
[::]/0             PREFIX:a00::1   UGH   1024  9    0    wan0
Legendre's IPv6 routes:
default                          PREFIX:a00::1      UGS  -  -  -  wm2
PREFIX:a00::/64                  link#3             UC   -  -  -  wm2
PREFIX:a00::3                    link#3             UHl  -  -  -  lo0
PREFIX:a01::/64                  link#4             UC   -  -  -  re0
PREFIX:a01::2                    link#4             UHl  -  -  -  lo0
PREFIX:a10::/64                  link#12            UC   -  -  -  lagg0
PREFIX:a10::128                  link#12            UHl  -  -  -  lo0
PREFIX:a10:d65d:64ff:feb4:9a3b   d4:5d:64:b4:9a:3b  UHL  -  -  -  lagg0
PREFIX:a01::1                    00:60:cf:21:a9:5a  UHL  -  -  -  re0
PREFIX:a00::1                    24:d7:9c:a5:0c:74  UHL  -  -  -  wm2
PREFIX:a00::2                    50:46:5d:72:ef:a2  UHL  -  -  -  wm2
I have configured rtadvd on legendre and all workstations on LAN side
have taken a new IPv6 autoconfigured address. For example:
- pythagore (FreeBSD) : PREFIX:a10:3a2c:4aff:fe70:14d1
- hilbert (Linux) : PREFIX:a10:d65d:64ff:feb4:9a3b
All workstations on LAN can ping another workstation on LAN, legendre
/and/ rayleigh. Thus NetBSD is able to route IPv6 from LAN to rayleigh.
Successful pings:
- from legendre to rayleigh;
- from rayleigh to legendre;
- from a lan workstation to rayleigh;
- from rayleigh to a lan workstation;
- from rayleigh to public gateway;
- from legendre to public gateway.
But from LAN, IPv6 public network is unreachable. For example:
hilbert:[~] > ping6 www.google.fr
PING www.google.fr(par10s39-in-x03.1e100.net (2a00:1450:4007:807::2003)) 56 data bytes
On legendre (NetBSD server), tcpdump on wm2 (public interface) shows:
legendre# tcpdump -i wm2 -p ip6
09:28:19.696443 IP6 PREFIX:a10:d65d:64ff:feb4:9a3b > par10s39-in-x03.1e100.net: ICMP6, echo request, seq 16, length 64
09:28:20.720469 IP6 PREFIX:a10:d65d:64ff:feb4:9a3b > par10s39-in-x03.1e100.net: ICMP6, echo request, seq 17, length 64
Thus, ICMP packets received from lan side are sent to public interface,
but there is no answer.
Legendre uses npf. I can post here npf.conf, but I'm not sure that this
trouble comes from npf. I have tested without npf and results are similar.
Best regards,
JB