I currently have an opensuse 11 router with eth0 connected to the internet and eth1 connected to the internal network. I've followed the steps to create the tunnel and it seems to be working just fine. What I'd like to do is allow the clients on the internal network access to this tunnel.
I'm learning as I go so at first I thought the opensuse box would just route traffic over the tunnel without any further configuration. It seems I was wrong. I've since read this thread http://www.tunnelbroker.net/forums/index.php?topic=330.0 which was helpful but I've been having trouble applying it to my situation.
Here's what I've done:
ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.38.XX (for privacy)
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:470:b094::/48
route -A inet6 add ::/0 dev sit1
sysctl -w net.ipv6.conf.all.forwarding=1
ifconfig eth1 inet6 add 2001:470:b094::1/64
I'm hoping what I've done there is assigned the 2001:470:b094::/64 subnet to the eth1 interface. What do I do next? Have I gone wrong already?
If it matters, the Opensuse router is a dhcp server as well.
You're trying to forward using your tunnel /64; use your ROUTED /64 instead, assign ::1 from the routed /64 to eth1, and you should be good to go. Optionally, you can configure radvd to advertise the routed /64 to your LAN so LAN clients can autoconfigure themselves.
I meant to post this in the linux forum, sorry.
I'm not sure I understand what you mean. I've been going over the other thread to which I linked and it looks like this is what I'm supposed to do.
Here are my tunnel details:
Routed /48: 2001:470:b094::/48
Routed /64: 2001:470:1d:7c::/64
So I thought what I'm doing is breaking a /64 out of the /48.
Would this be enough for a radvd config?
interface eth1 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
prefix 2001:470:b094::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
};
Well I know I've done something wrong.
My ubuntu 8.04 test bed has received an ipv6 ip, but my Fedora 10 desktop has not. The Ubuntu machine isn't able to ping ipv6.google.com. I'm hoping somebody will tell me it's because I've configured the wrong ip and it won't be an issue like I've read from some people here.
edit:
Posting up some info to more easily pinpoint where I've gone wrong.
This is the eth1 ifconfig on the opensuse router
sit1 Link encap:IPv6-in-IPv4
inet6 addr: 2001:470:b094::/48 Scope:Global
inet6 addr: 2001:470:1c:7c::2/64 Scope:Global
inet6 addr: fe80::c0a8:141/64 Scope:Link
inet6 addr: fe80::45c4:b4b3/64 Scope:Link
inet6 addr: fe80::c0a8:1/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1472 Metric:1
RX packets:90 errors:0 dropped:0 overruns:0 frame:0
TX packets:132 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11016 (10.7 Kb) TX bytes:15760 (15.3 Kb)
This is the ifconfig from my ubuntu test bed.
eth0 Link encap:Ethernet HWaddr 00:11:09:66:24:c2
inet addr:192.168.0.159 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: 2001:470:b094:0:211:9ff:fe66:24c2/64 Scope:Global
inet6 addr: fe80::211:9ff:fe66:24c2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:267083 errors:0 dropped:0 overruns:0 frame:0
TX packets:142234 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:397616770 (379.1 MB) TX bytes:9785862 (9.3 MB)
Interrupt:16 Base address:0xec00
...And here is a traceroute from the same computer.
traceroute to ipv6.l.google.com (2001:4860:0:2001::68) from 2001:470:b094:0:211:9ff:fe66:24c2, 30 hops max, 16 byte packets
1 2001:470:b094::1 (2001:470:b094::1) 2.256 ms 0.145 ms 0.116 ms
2 2001:470:b094::1 (2001:470:b094::1) 0.17 ms 1.275 ms 0.142 ms
Here is the ifconfig from my Fedora 10 desktop.
eth0 Link encap:Ethernet HWaddr 00:16:E6:84:AF:D9
inet addr:192.168.0.160 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::216:e6ff:fe84:afd9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3938614 errors:0 dropped:38 overruns:0 frame:0
TX packets:2129853 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5511802395 (5.1 GiB) TX bytes:248889862 (237.3 MiB)
Interrupt:16
As you can see, it isn't taking an ipv6 ip for some reason, though that is a different problem.
Get rid of the 2001:470:b094::/48 assignment on sit1 & check again.
Going from your radvd config you should have 2001:470:b094::1/64 on your eth1. (I assume this is already configured. Just wanted to make sure.)
Yes, sorry. eth1 is configured as such. I got rid of the /48 on sit1.
eth1 Link encap:Ethernet HWaddr 00:04:AC:CB:72:9F
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: 2001:470:b094::1/64 Scope:Global
inet6 addr: fe80::204:acff:fecb:729f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1270276 errors:0 dropped:0 overruns:0 frame:0
TX packets:1856048 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:106493257 (101.5 Mb) TX bytes:2465189204 (2350.9 Mb)
ipv6 forwarding is also enabled.
cat /proc/sys/net/ipv6/conf/all/forwarding
1
I'm still getting the same traceroute result from the ubuntu client.
traceroute6 ipv6.google.com
traceroute to ipv6.l.google.com (2001:4860:0:2001::68) from 2001:470:b094:0:211:9ff:fe66:24c2, 30 hops max, 16 byte packets
1 2001:470:b094::1 (2001:470:b094::1) 4.125 ms 0.163 ms 0.104 ms
2 2001:470:b094::1 (2001:470:b094::1) 0.168 ms 1.27 ms 0.148 ms
Is this helpful? My routing.
ip -6 route show
::/96 via :: dev sit0 metric 256 expires 21268356sec mtu 1480 advmss 1420 hoplimit 4294967295
2001:470:1c:7c::/64 via :: dev sit1 metric 256 expires 21268385sec mtu 1472 advmss 1412 hoplimit 4294967295
2001:470:b094::/64 dev eth1 metric 256 expires 21326712sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0 metric 256 expires 21266244sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1 metric 256 expires 21266245sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 via :: dev sit1 metric 256 expires 21268360sec mtu 1472 advmss 1412 hoplimit 4294967295
default dev sit1 metric 1 expires 21268386sec mtu 1472 advmss 1412 hoplimit 4294967295
Hmm .. strange.
Can you paste both a "ip -6 addr show" and a "ip -6 route show" from both the router & client?
EDIT: had "-4" instead of "-6" for the route show command .. which is of course wrong
router "ip -6 addr show"
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 fe80::250:baff:fe83:cb09/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:470:b094::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::204:acff:fecb:729f/64 scope link
valid_lft forever preferred_lft forever
5: sit0: <NOARP,UP,LOWER_UP> mtu 1480
inet6 ::69.196.180.179/96 scope global
valid_lft forever preferred_lft forever
inet6 ::192.168.0.1/96 scope global
valid_lft forever preferred_lft forever
inet6 ::192.168.1.65/96 scope global
valid_lft forever preferred_lft forever
inet6 ::127.0.0.2/96 scope host
valid_lft forever preferred_lft forever
inet6 ::127.0.0.1/96 scope host
valid_lft forever preferred_lft forever
6: sit1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1472
inet6 2001:470:1c:7c::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::45c4:b4b3/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::c0a8:1/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::c0a8:141/64 scope link
valid_lft forever preferred_lft forever
router "ip -6 route show"
::/96 via :: dev sit0 metric 256 expires 21266876sec mtu 1480 advmss 1420 hoplimit 4294967295
2001:470:1c:7c::/64 via :: dev sit1 metric 256 expires 21266905sec mtu 1472 advmss 1412 hoplimit 4294967295
2001:470:b094::/64 dev eth1 metric 256 expires 21325232sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0 metric 256 expires 21264763sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1 metric 256 expires 21264765sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 via :: dev sit1 metric 256 expires 21266879sec mtu 1472 advmss 1412 hoplimit 4294967295
default dev sit1 metric 1 expires 21266906sec mtu 1472 advmss 1412 hoplimit 4294967295
client "ip -6 addr show"
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:470:b094:0:211:9ff:fe66:24c2/64 scope global dynamic
valid_lft 2591993sec preferred_lft 604793sec
inet6 fe80::211:9ff:fe66:24c2/64 scope link
valid_lft forever preferred_lft forever
client "ip -6 route show"
2001:470:b094::/64 dev eth0 proto kernel metric 256 expires 2591998sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0 metric 256 expires -64704sec mtu 1500 advmss 1440 hoplimit 4294967295
default via fe80::204:acff:fecb:729f dev eth0 proto kernel metric 1024 expires 28sec mtu 1500 advmss 1440 hoplimit 64
Thanks for outputs. I'm afraid I still can't help you since everything looks alright to me. :(
The 2001:470:b094:1::/64 route on the client seems unnecessary -- but shouldn't cause your symptoms.
So I've verified the tunnel is configured correctly on the tunnel-server. A few questions:
1) can the opensuse router reach the ipv6 internet? (ping6, traceroute6, etc to remote sites like google or kame?)
2) are you running any kind of ip6tables rules? (if so what happens when you drop/stop using ip6tables?)
Otherwise it does look like your client machines are autoconfiguring, which means at least radvd is working. What happens on the client if you try ping6/traceroute6 to the tunnel-server's side of the v6 tunnel, anything? Have you tried a static ipv6 assignment to the client, and manually setting the default ipv6 route?
1) Yes, the router has no problem reaching ipv6 addresses.
2) Here is an output of my ip6tables. I didn't specifically add anything.
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere state ESTABLISHED
ACCEPT ipv6-icmp anywhere anywhere state RELATED
input_int all anywhere anywhere
input_ext all anywhere anywhere
input_ext all anywhere anywhere
input_ext all anywhere anywhere
input_ext all anywhere anywhere
LOG all anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP all anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
forward_int all anywhere anywhere
forward_ext all anywhere anywhere
forward_ext all anywhere anywhere
forward_ext all anywhere anywhere
LOG all anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
DROP all anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT ipv6-icmp anywhere anywhere
ACCEPT all anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '
Chain forward_ext (3 references)
target prot opt source destination
ACCEPT ipv6-icmp anywhere anywhere state RELATED,ESTABLISHED ipv6-icmp echo-reply
ACCEPT ipv6-icmp anywhere anywhere state RELATED,ESTABLISHED ipv6-icmp destination-unreachable
ACCEPT ipv6-icmp anywhere anywhere state RELATED,ESTABLISHED ipv6-icmp packet-too-big
ACCEPT ipv6-icmp anywhere anywhere state RELATED,ESTABLISHED ipv6-icmp time-exceeded
ACCEPT ipv6-icmp anywhere anywhere state RELATED,ESTABLISHED ipv6-icmp parameter-problem
LOG tcp anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG ipv6-icmp anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG udp anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG all anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT-INV '
DROP all anywhere anywhere
Chain forward_int (1 references)
target prot opt source destination
ACCEPT ipv6-icmp anywhere anywhere state RELATED,ESTABLISHED ipv6-icmp echo-reply
ACCEPT ipv6-icmp anywhere anywhere state RELATED,ESTABLISHED ipv6-icmp destination-unreachable
ACCEPT ipv6-icmp anywhere anywhere state RELATED,ESTABLISHED ipv6-icmp packet-too-big
ACCEPT ipv6-icmp anywhere anywhere state RELATED,ESTABLISHED ipv6-icmp time-exceeded
ACCEPT ipv6-icmp anywhere anywhere state RELATED,ESTABLISHED ipv6-icmp parameter-problem
LOG tcp anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG ipv6-icmp anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG udp anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG all anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT-INV '
reject_func all anywhere anywhere
Chain input_ext (4 references)
target prot opt source destination
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-solicitation
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-advertisement
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-advertisement
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp redirect
LOG tcp anywhere anywhere limit: avg 3/min burst 5 tcp dpt:msnp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp anywhere anywhere tcp dpt:msnp
LOG tcp anywhere anywhere limit: avg 3/min burst 5 tcp dpt:36784 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp anywhere anywhere tcp dpt:36784
LOG tcp anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp anywhere anywhere tcp dpt:ssh
ACCEPT udp anywhere anywhere udp dpt:msnp
ACCEPT udp anywhere anywhere udp dpt:36784
LOG tcp anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG ipv6-icmp anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG udp anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG all anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP all anywhere anywhere
Chain input_int (1 references)
target prot opt source destination
ACCEPT all anywhere anywhere
Chain reject_func (1 references)
target prot opt source destination
REJECT tcp anywhere anywhere reject-with tcp-reset
REJECT udp anywhere anywhere reject-with icmp6-port-unreachable
REJECT all anywhere anywhere reject-with icmp6-addr-unreachable
DROP all anywhere anywhere
I can't actually find the command to stop ip6tables in opensuse. None of the regular commands work. (service ip6tables stop, /etc/init.d/ip6tables stop)
Trying to traceroute to the tunnel server endpoint from a client.
traceroute6 2001:470:1c:7c::1
traceroute to 2001:470:1c:7c::1 (2001:470:1c:7c::1) from 2001:470:b094:0:211:9ff:fe66:24c2, 30 hops max, 16 byte packets
1 2001:470:b094::1 (2001:470:b094::1) 3.658 ms 0.197 ms 1.17 ms
2 2001:470:b094::1 (2001:470:b094::1) 0.162 ms 0.212 ms 1.266 ms
What would be the proper command to set the default route? "ip route add 2000::/3 dev eth0"?
edit:
No, "ip route add 2000::/3 dev eth0" wasn't correct. That gave me this traceroute result...
traceroute6 2001:470:1c:7c::1
traceroute to 2001:470:1c:7c::1 (2001:470:1c:7c::1) from 2001:470:b094:0:211:9ff:fe66:24c2, 30 hops max, 16 byte packets
1 2001:470:b094:0:211:9ff:fe66:24c2 (2001:470:b094:0:211:9ff:fe66:24c2) 3007.74 ms !H 3001.41 ms !H 3009.91 ms !H
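Added example, not part of the thread: a small walker over the `ip6tables -L` listing posted above that reports which verdict a new forwarded connection falls through to on the router. The function names `parse` and `fallthrough` are hypothetical, the embedded listing is an abbreviated excerpt of the post, and because plain `-L` output hides interface matches, every chain jump is assumed to apply to the packet.

```python
import re

# Abbreviated excerpt of the `ip6tables -L` listing posted above; assumes a blank "opt" column.
LISTING = """\
Chain FORWARD (policy DROP)
forward_int all anywhere anywhere
forward_ext all anywhere anywhere
Chain forward_int (1 references)
ACCEPT ipv6-icmp anywhere anywhere state RELATED,ESTABLISHED ipv6-icmp echo-reply
LOG tcp anywhere anywhere limit: avg 3/min burst 5 LOG level warning
reject_func all anywhere anywhere
Chain reject_func (1 references)
REJECT tcp anywhere anywhere reject-with tcp-reset
REJECT udp anywhere anywhere reject-with icmp6-port-unreachable
REJECT all anywhere anywhere reject-with icmp6-addr-unreachable
"""

def parse(listing):
    """Return ({chain: [(target, proto, extras)]}, {builtin_chain: policy})."""
    chains, policies, cur = {}, {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:
            cur, chains[m.group(1)] = m.group(1), []
            if m.group(2):
                policies[cur] = m.group(2)
        elif cur and line.strip() and not line.startswith("target"):
            f = line.split()
            chains[cur].append((f[0], f[1], " ".join(f[4:])))
    return chains, policies

def fallthrough(chains, policies, chain, proto, path=()):
    """Verdict for a NEW packet of `proto` that no port/type-specific rule matches."""
    path += (chain,)
    for target, rproto, extras in chains.get(chain, []):
        m = re.match(r"state (\S+)\s*(.*)", extras)
        if m and "NEW" not in m.group(1).split(","):
            continue  # rule only applies to already-tracked connections
        rest = m.group(2) if m else extras
        if target == "LOG" or rproto not in ("all", proto):
            continue  # LOG never terminates; protocol must match
        if rest and not rest.startswith("reject-with"):
            continue  # port or ICMP-type match, not a catch-all
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, rest, path
        hit = fallthrough(chains, policies, target, proto, path)  # user chain
        if hit:
            return hit
    return (policies[chain], "policy", path) if chain in policies else None
```

On this excerpt, `fallthrough(*parse(LISTING), "FORWARD", "tcp")` ends in `reject_func`, and with the `forward_int` jump removed it ends at the `FORWARD` chain's DROP policy. Rules that look unconditional in plain `-L` output can carry interface matches, so confirm any result against `ip6tables -L -v`.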