MadaMada
@madamada@snac.void.my
SysAdmin with a simple life..interested in FOSS, FreeBSD, Linux, IPv6, cloud stuff and whatever things that come along the way I find interesting..
MadaMada
@madamada@snac.void.my
[root@serv ~]# ndp -na | grep fe80::1Grr...
[root@serv ~]# netstat -rn6 | grep default
default fe80::1%eth0 UGS eth0
[root@serv ~]# ping -6 -c2 -t2 one.one.one.one
PING6(56=40+8+8 bytes) 2a02:c207:xx:xx::1 --> 2606:4700:4700::1001--- one.one.one.one ping6 statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss[root@serv ~]# curl -v6I https://one.one.one.one/
* Host one.one.one.one:443 was resolved.
* IPv6: 2606:4700:4700::1111, 2606:4700:4700::1001
* IPv4: (none)
* Trying [2606:4700:4700::1111]:443...
^C
Update: After trial and error, a static ndp entry is needed to recognize their shitty gateway..
ndp -s fe80::1%eth0 gw:mac:addr
ff02::2%eth0 doesn't return any neighbour routers, ndp -na doesn't show any neighbours .. simply adding fe80::1%eth0 won't work right away, so we have to resort to tricks like this to get IPv6 going.. grr
@madamada If only I would have known about static ndp entries 2 years earlier ... back then I lost IPv6 connectivity on my VPS regulary every 4 weeks or so because the gateway (fe80::1%vmx0) disappeared from the neighbor discovery table...
CC: @TomAoki@bsd.cafe @stefano@bsd.cafe @NebulaTide@bsd.cafe
Added a server-wide Webmention hook; this way, if somebody out there (that supports Webmention) links to a user or post in this instance, a notification is sent (this is the complementary of what was implemented in version 2.76).
Fixed regression while sending email via pipe on OpenBSD.
Fixed Markdown parsing when the URL has parenthesis.
Always show the 'pending follow confirmations' section if there are any (even if the toggle is off).
If a metadata value is an account handler, it's also tried to be validated (rel="me" links).
Another search by URL tweak (this time for Pixelfed links).
Mastodon API: fixed a bug that made some boosts disappear after being shown in apps like Tusky, added followed hashtags maintenance, other minor changes.
Renamed command-line actions create_list to list_create and delete_list to list_remove.
The default favicon URL can be changed from the server configuration.
New command-line option export_posts, to export all posts by a user in a JSON format compatible with the one generated by Mastodon.
The command-line options to send notes also allow an optional -r argument, to set the URL of a Fediverse post this note is a reply to.
If you find #snac useful, please consider buying grunfink a coffee or contributing via LiberaPay.
I've just updated my blog post: Make your own E-Mail server - Part 1 - FreeBSD, OpenSMTPD, Rspamd and Dovecot included
![[?]](https://snac.void.my/madamada/s/avatar-db29b53530cce56ebd89a06f3456f9e4.png){kind=avatar}
![[?]](https://media.bsd.cafe/bsdmmedia01/accounts/avatars/112/333/060/238/284/470/original/1c072481f6f94ff9.png)
![[?]](https://media.bsd.cafe/bsdmmedia01/accounts/avatars/114/619/469/034/785/231/original/12584f88ce171a79.png)
![[?]](https://comam.es/snac/susie.png)
![[?]](https://media.bsd.cafe/bsdmmedia01/accounts/avatars/110/740/169/477/916/693/original/dfa8f1b9beefa405.png)
wblist_admin.py..So using the tool, first blacklist all recipients and then whitelist the one's I trust/allow..this way, I can turn off all the spam features on the mail server as I know the whitelist sources are clean..
So now, the mail server just runs Postfix, Dovecot and Nginx but I have Nginx disabled and only enable it when I want to do administrative tasks from the frontend..
NOTE: This only works on a personal self-hosted email server :>
@stefano If I didn't already have so many unfinished projects, I would love to immediately set up my own mailserver after reading your blog post. 😁
Client messages me: "Login isn't working! Fix it immediately!" - followed by a string of complaints about how it can't just stop working "all of a sudden" on a Saturday morning.
I ask for their login details, immediately notice they're using the wrong username, and point it out.
Their reply: "Ok."
Sometimes a "sorry" would be nice. 😂
@stefano When I ran the mail servers at work I had a sales guy mail me and cc management including the CEO saying delivery from external addresses wasn’t working and I needed to fix it, quoting a bounce message he’d received from a test.
I replied all to ask if he wanted me to update his account to match the misspelling of his surname he’d used in the test.
@stefano Back when I was freelanding, I sent such clients an invoice about half an hour of support (the minimum time unit) with the line item („memory refreshment“). No, I didn‘t lose these clients, but they thought about calling me on the weekend the next time. 😎 But maybe that was a different world, decades ago.
The scanner is growing up.
There are 3 approaches to this .. the ndproxy approach, the NAT66 approach and the vnet jail approach. They all work depending on scenario..
I'll be doing some more tests just to catch any surprise cases that might pop up.. I'll maybe then write a simple guide to get this done all ways 🙂
Tayga CLAT on FreeBSD 14.3-RELEASE with NDPROXY
CLAT as part of 464xlat as defined in RFC 6877 is meant to be running on an IPv6-only host.
The Setup
pkg install gmake gcc ndproxy-3.2.1403000_1
Get the tayga git repo
mkdir /root/staging ; cd /root/stagingPrepare tayga configuration
git clone https://github.com/apalrd/tayga.git
cd tayga
gmake
cp tayga /usr/local/bin/
mkdir /var/db/tayga
chown nobody:nobody /var/db/tayga
cat /etc/tayga.confReplace 2001:db8:1:1:: with your own IPv6 prefix. I am using my own NKP prefix here for NAT64. You can use one from here
tun-device clat0
ipv4-addr 192.0.0.2
ipv6-addr 2001:db8:1:1::65
#prefix 64:ff9b::/96 # Well-Known Prefix
prefix 2001:db8:64:64::/96 # Network-Known Prefix
data-dir /var/db/tayga
wkpf-strict no
map 192.0.0.1 2001:db8:1:1::64
log drop reject
Write a script to configure the clat0 interface and it's routes and save it as /root/bin/routes-clat.sh
#!/bin/shMake the script executable. Next setup tayga and ndproxy to start on boot..
ifconfig clat0 inet 192.0.0.1/29 192.0.0.1 up
ifconfig clat0 inet6 -ifdisabled
route add default -iface clat0
route -6n add 2001:db8:1:1::64/127 -iface clat0
cat /etc/rc.conf.localDownload the rc script for Tayga
# TAYGA (CLAT)
tayga_enable="YES"
tayga_interfaces="clat0"
# NDPROXY
ndproxy_enable="YES"
ndproxy_uplink_interface="vtnet0" # host interface
ndproxy_downlink_mac_address="xx:xx:xx" # host mac address
ndproxy_uplink_ipv6_addresses="fe80::xx:xx:xx" # gateway link-local address
ndproxyconf_exception_ipv6_addresses=""
curl -O https://buster.xpath.my/tayga/rc.d-tayga.txtNow that everything is in place, time to start and test it..
mv rc.d-tayga.txt /usr/local/etc/rc.d/tayga
chmod +x /usr/local/etc/rc.d/tayga
service tayga startTest with the ping command. Example output will look like this:
service ndproxy start
sysctl net.inet6.ip6.forwarding=1
sysrc ipv6_gateway_enable="YES"
ping -c3 1.1.1.1With curl:
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=37 time=216.021 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=37 time=216.013 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=37 time=215.861 ms--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 215.861/215.965/216.021/0.073 ms
curl -kI https://8.8.8.8/NOTE: If you are using NAT64/PLAT address from nat64.net, some of them might block ICMP. If so test with curl instead. Latency-wise, it is better to run your own NAT64 or use one that is geo closer to you. You can either use #Jool or #Tayga for NAT64.
HTTP/2 302
x-content-type-options: nosniff
location: https://dns.google/
date: Sun, 22 Jun 2025 06:41:58 GMT
content-type: text/html; charset=UTF-8
server: HTTP server (unknown)
content-length: 216
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Please test and provide feedback. Thanks 🙂
@madamada On the translation side everything seems to be working, but on the routing side, I'm completely stuck ... :(
@madamada On a FreeBSD 14.3-RELEASE VM. I think I'm doing something wrong with the networks in rc.conf / tayga.conf / my firewall though. In particular, I don't know where in my network I have to the NKP (FreeBSD VM? Firewall?) and so on.
You setup rc.conf as usual, on the Tayga side, they use a different address under the same IPv6 subnet..
Update:
On the firewall, pass quick on clat0 all or check with tcpdump..
During my tests, I disabled the firewall just to rule out if there was an issue, the firewall isn't at fault and something else was..
@madamada Oh wait, I think I know what I've done wrong - Tayga is only converting IPv4 to IPv6 here, I still have to convert it back to IPv4 on with NAT64 the router / firewall... 🤦♂️ (because CLAT = NAT46)
It assumes you already have a local NAT64 in place which makes things a little easier to set up..
These steps are rather brief, assuming you already have Tayga installed..
CLAT on Host
Tayga configuration
> cat /etc/tayga.confRoutes
tun-device clat0
ipv4-addr 192.0.0.2
ipv6-addr 2001:db8:64:a::65
prefix 64:ff9b::/96
data-dir /var/db/tayga
wkpf-strict no
map 192.0.0.1 2001:db8:64:a::64
log drop reject
> cat /root/bin/routes-clat.shStart CLAT and run the script..
#!/bin/shifconfig tun11 create name clat0
ifconfig clat0 inet 192.0.0.1/29 192.0.0.1 up
ifconfig clat0 inet6 -ifdisabled
route -n add default -iface clat0
route -6n add 2001:db8:64:a::64/127 -iface clat0
service tayga startNAT64/PLAT
/root/bin/routes-clat.sh
sysctl net.inet6.ip6.forwarding=1
Tayga configuration
> cat /etc/tayga.confRoutes
tun-device nat64
ipv4-addr 10.64.64.1
prefix 64:ff9b::/96
wkpf-strict no
dynamic-pool 10.64.0.0/16
data-dir /var/db/tayga
log drop reject
> cat /root/bin/routes-nat64.shStart NAT64 and run the script..
#!/bin/sh
net4='10.64.0.0/16'
pref6='64:ff9b::/96'ifconfig tun11 create name nat64
ifconfig nat64 inet6 2001:db8:64:a::8200/128 up
route -n add -net $net4 -iface nat64
route -6n add -net $pref6 -iface nat64
service tayga startDNS64 - DNS64 with BIND9 or Unbound
/root/bin/routes-nat64.sh
sysctl net.inet.ip.forwarding=1
sysctl net.inet6.ip6.forwarding=1
BIND9
![[?]](https://mastodon-media.jamesoff.net/accounts/avatars/000/000/002/original/04c4fb79d590f4d8.png)
![[?]](https://storage.gra.cloud.ovh.net/v1/AUTH_91eb37814936490c95da7b85993cc2ff/bildungsocial/accounts/avatars/109/252/430/547/005/270/original/0d8fade3c722f707.png)
![[?]](https://media.bsd.cafe/bsdmmedia01/accounts/avatars/111/861/252/987/458/799/original/e72e943243b2a512.png)
![[?]](https://eigenmagic.net/system/accounts/avatars/109/390/362/420/663/973/original/99c35790715fe114.png)
![[?]](https://cdn.soc.feditime.com/uploadsocfeditime/865e07be-5fe6-456f-baf5-c18426a5f672/Jason-2.jpg)
dns64 64:ff9b::/96 {
clients { localhost; localnets; trusted-nets; };
mapped { !10/8; !192.168/16; !172.16/12; any; };
exclude { 0::/3; 4000::/2; 8000::/1; 2001:db8::/32; };
recursive-only yes;
break-dnssec yes;
};
Unboundmodule-config: "respip dns64 validator iterator"This guide is based on my tests running on a FreeBSD VPS. The host acted as a CLAT client
dns64-prefix: 64:ff9b::/96
Update: Forgot to add the pf rules for NAT64..
ext_if="em0"
nat on $ext_if from 10.64.0.0/16 to any -> ($ext_if:0)
There has been quite a bit of buzz lately about Linux distros wanting to drop 32-bit support.
I would also like to drop 32-bit support. 32-bit IPv4 addresses that is.
The IT-Notes blog is now served by the 1 euro/month #NetBSD VPS, too.
@stefano Pretty amazing that your blog on a 1€/month VPS has so much faster loading times than almost all of the websites I usually visit, but then I guess that's a given, because my browser doesn't have to download hundreds of megabytes of JavaScript and run hundreds of trackers in the background. 😁
I should also mention a lot of work is currently being done in Tayga by the new maintainer apalrd so expect new features and performance improvements soon 🙂
![[?]](https://cdn.tenforward.social/accounts/avatars/113/478/419/701/443/766/original/67e87677e8793fa1.png)