nat64clat anyone?

Started by ctr, December 16, 2021, 01:44:40 PM

Did anyone play around with nat64clat (for 464XLAT) yet?
I know there is tayga, but that is for a different use case, and it is in userspace and not ideally suited as a simple CLAT.

ipfw-integrated nat64clat, however, has the capability of just prepending an IPv6 address (default prefix or custom) and doing stateless in-kernel NAT (supported by ipfw_nat64).

I used what I could find at https://forums.freebsd.org/threads/nat64-464xlat.73741/ and, apart from some prefix issues (the command doesn't really like every /96 prefix for some reason), it seems to work out of the box to a certain degree. I see CLATed traffic leaving the outbound interface and I can also see it on my (own) PLAT. There the IPv4 traffic leaves and receives a response, which results in the return packet being sent to my IPv6 address. However, I receive an ICMP unreachable from the OPNsense outside interface as a result. There is no deny/reject about this in the log and I can see the outbound session in the session table, which leads to my assumption that the return traffic should match the existing sessions and should be allowed as a result.

Any thoughts or suggestions?

Some more info: with direct_output=1 I can't see the outbound sessions in PF anymore and as a result the return packets are rejected on the outside interface. With direct_output=0 (which is what I want and is the base for the first post) I can see the IPv6 session in the PF table, can't see rejects for the return traffic, but the return traffic is not coming through.