Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Linux & BSD & Mac => Topic started by: ngyurov on January 04, 2012, 05:07:44 AM

Title: How to NAT IPv6 traffic to internal LAN?
Post by: ngyurov on January 04, 2012, 05:07:44 AM
Hi,

I got an OpenBSD 5.0 router which is used as a NAT box for the internal LAN.
I got a working tunnel to HE.
Now, what rules do I need to be able to use IPv6 from the computers in the internal network?
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: cholzhauer on January 04, 2012, 05:21:52 AM
You don't need to do NAT.

If you have one subnet, use the routed /64 from your tunnel details page and use Router Advertisements to get the information to your other computers
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: ngyurov on January 04, 2012, 06:36:29 AM
But my internal LAN uses IPv4?
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: k1mu on January 04, 2012, 06:39:38 AM
Quote
But my internal LAN uses IPv4?
That doesn't matter. You have a NAT router between the Internet and your internal network; that supports the tunnel. On the internal network, set the IPv6 address of that NAT router to an address in your *routed* /64, and run radvd on that interface. The rest of the systems will autoconfigure themselves using SLAAC and route through the IPv4 NAT router.

Note that when you do this, those systems are on the Internet, exposed for whatever nefarious things people want to do.
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: ngyurov on January 04, 2012, 06:50:11 AM
Maybe I fooled you by using the term 'router'.
It is a usual OpenBSD box installed on a normal amd64 arch that does NAT for my SOHO network. It's not a router device itself.
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: kriteknetworks on January 04, 2012, 07:25:00 AM
That doesn't matter, it's still capable of performing the routing function for IPv6 as described above.
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: cholzhauer on January 04, 2012, 08:19:10 AM
Quote
Maybe I fooled you by using the term 'router'.

You're talking about two different things...IPv6 can exist without IPv4 and vice versa.  Once you hand out IPv6 addresses with RADVD, all of your hosts are "magically" online and able to pass traffic
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: jrocha on January 04, 2012, 09:38:21 AM
Quote
Maybe I fooled you by using the term 'router'.
It is a usual OpenBSD box installed on a normal amd64 arch that does NAT for my SOHO network. It's not a router device itself.

It's a router because it routes traffic. It doesn't really matter what the hardware and software are. If it routes traffic, it's a router.

As has been said before, you don't need to fiddle with NAT for ipv6. With your tunnel you were given a "Routed /64". This is the subnet/prefix you will want to use on your internal LAN. Just configure your OpenBSD machine to run radvd configured with the "Routed /64" prefix on the internal interface, and ensure that the machine will forward ipv6 properly. Then all your internal systems should autoconfigure themselves with an address within that prefix and be able to talk ipv6 to the world.
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: ngyurov on January 12, 2012, 11:56:19 AM
Quote
Maybe I fooled you by using the term 'router'.

You're talking about two different things...IPv6 can exist without IPv4 and vice versa.  Once you hand out IPv6 addresses with RADVD, all of your hosts are "magically" online and able to pass traffic
Well, not exactly.
I start rtadvd and here is what happens when I enable IPv6 on my notebook WiFi interface:
Code:
add 2001:470:1f0b:1e1::/64 to prefix list on rl0
RA timer on rl0 is set to 16:0
set timer to 15:981483. waiting for inputs or timeout
received a routing message (type = 1, len = 216)
set timer to 8:296603. waiting for inputs or timeout
received a routing message (type = 1, len = 216)
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:222003. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
received a routing message (type = 1, len = 216)
set timer to 14:959661. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:395766. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
received a routing message (type = 1, len = 216)
set timer to 13:879588. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:44002. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 474:0
set timer to 474:0. waiting for inputs or timeout
Any ideas why it doesn't wanna work?

Btw, if I manually configure rl0 and the wifi card with v6 IP addresses I got v6 connectivity on the notebook.
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: nickbeee on January 13, 2012, 05:33:55 AM
You do need to assign an IPv6 address from your routed /64 to your LAN rl0. It would be helpful if you posted what you have in your rtadvd.conf, hostname.rl0 and other relevant configuration files. What OS are your WiFi LAN hosts using?

I found this blog post very helpful when configuring OpenBSD as a tunnel endpoint/router for IPv6:
http://canonical.wordpress.com/2008/07/02/ipv6-enabled-home-network-with-openbsd/
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: ngyurov on January 13, 2012, 06:02:21 AM
You'd think... :)
I did follow exactly that post :=\
My rtadvd.conf is like from the post but without setting raflags as I wanna try it without DHCP (for v6).
rl0 has an assigned IP from my routed subnet and as I already said - if I configure the internal client with IP from the same route subnet - IPv6 connectivity works.
Client OS is Win7 Ultimate x64.
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: Jim Whitby on January 14, 2012, 12:20:40 PM
<snip>
My rtadvd.conf is like from the post but without setting raflags as I wanna try it without DHCP (for v6).
rl0 has an assigned IP from my routed subnet and as I already said - if I configure the internal client with IP from the same route subnet - IPv6 connectivity works.
<snip>.

I really hate showing my ignorance, but.
I don't understand what you are trying to do. You have (turned off, unset, not used) raflags?

You don't want to use DHCP, OK. Got that.

If static assignment works, then I would expect it to be a radvd config problem or radvd isn't really running.

Two things:

Show the complete radvd.conf file.
Show the output of radvdump.

Please, help educate me.
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: ngyurov on January 20, 2012, 03:32:41 PM
Code:
# cat /etc/rtadvd.conf
rl0:\
        :addr="2001:470:1f0b:1e1::":prefixlen#64:
#

I don't have radvdump on OpenBSD. But here is part of what happens. Here I'm running rtadvd in no-daemonize mode:

# /usr/sbin/rtadvd -d rl0
RA timer on rl0 is set to 16:0
set timer to 15:998913. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 0
RA timer on rl0 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
received a routing message (type = 1, len = 216)
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:228039. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:382903. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 495:0
set timer to 495:0. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:292628. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 533:0
set timer to 533:0. waiting for inputs or timeout

If I remember correctly - with rtadvd working, I don't need to assign IPv6 IPs on the machines in the subnet, they will get one automatically, right?
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: nickbeee on January 20, 2012, 04:26:09 PM
There don't appear to be any RA (router advertisement) messages in your debug. I am seeing RS (router solicitation) messages from your host though. You don't appear to be calling rtadvd with the -s parameter, so it will only send RAs based on what is present in the routing table. Adding the -s flag will cause it to advertise what you have configured in rtadvd.conf.

Here is a sample of mine - NetBSD router with OSX host. NetBSD's rtadvd has slightly different command line arguments but the -s works the same.

Code:
wapak$ sudo rtadvd -Dfs vr1

rtadvd[1595]: <main> set timer to 15:999155. waiting for inputs or timeout
rtadvd[1595]: <ra_timeout> RA timer on vr1 is expired
rtadvd[1595]: <ra_output> send RA on vr1, # of waitings = 0
rtadvd[1595]: <ra_timer_update> RA timer on vr1 is set to 16:0
rtadvd[1595]: <main> set timer to 16:0. waiting for inputs or timeout
rtadvd[1595]: <ra_input> RA received from fe80::211:d8ff:fe5a:7c49 on vr1  <------------------ RA from router
rtadvd[1595]: <main> set timer to 15:998567. waiting for inputs or timeout
rtadvd[1595]: <ra_timeout> RA timer on vr1 is expired
rtadvd[1595]: <ra_output> send RA on vr1, # of waitings = 0
rtadvd[1595]: <ra_timer_update> RA timer on vr1 is set to 16:0
rtadvd[1595]: <main> set timer to 16:0. waiting for inputs or timeout
rtadvd[1595]: <ra_input> RA received from fe80::211:d8ff:fe5a:7c49 on vr1
rtadvd[1595]: <main> set timer to 15:998796. waiting for inputs or timeout
rtadvd[1595]: <rs_input> RS received from fe80::219:e3ff:fe06:dc19 on vr1 <------------------- RS from host
rtadvd[1595]: <main> set timer to 0:58329. waiting for inputs or timeout
rtadvd[1595]: <ra_timeout> RA timer on vr1 is expired
rtadvd[1595]: <ra_output> send RA on vr1, # of waitings = 1
rtadvd[1595]: <ra_timer_update> RA timer on vr1 is set to 495:0
rtadvd[1595]: <main> set timer to 495:0. waiting for inputs or timeout
rtadvd[1595]: <ra_input> RA received from fe80::211:d8ff:fe5a:7c49 on vr1
rtadvd[1595]: <main> set timer to 494:998925. waiting for inputs or timeout

Here is rtadvd.conf

Code:
#
# Interface vr1 has the "other stateful configuration" flag bit set.
# This is to allow DNS server to be assigned via dhcp6.
vr1:\
        :addr="2001:db8:1f11:1111::":prefixlen#64:raflags#64:

When you solve the RA issue then your W7 host should statelessly configure itself with the EUI-64 address plus additional random privacy addresses in the same /64. Then you need to consider what to do about assigning DNS servers.

I use DHCP in stateless mode - purely to assign the DNS server. You may already be assigning DNS manually on your W7 host (I've had varied success in my limited experience with W7).

HTH,
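An added example (mine, not from this thread or from the rtadvd project): a small Python parser for the `rtadvd -d` output posted above. It separates what rtadvd did (`send RA`) from what it saw on the wire (`RS received` from hosts, `RA received` from any router on the segment), handles both the bare OpenBSD lines and the NetBSD `rtadvd[pid]: <func>` prefix, and gives a heuristic diagnosis that follows the order of checks used in this thread (prefix/-s first, then the packet filter, then the host). The sample logs are constructed from the lines in the thread, not copied verbatim.

```python
import re
from collections import Counter

# Matches the event lines rtadvd prints in debug mode on both OpenBSD
# ("send RA on rl0, # of waitings = 1") and NetBSD
# ("rtadvd[1595]: <ra_input> RA received from fe80::1 on vr1").
EVENT_RE = re.compile(
    r"(?P<event>send RA|RA received|RS received)"
    r"(?: from (?P<src>[0-9a-fA-F:]+))?"
    r" on (?P<iface>\w+)"
)


def summarize_rtadvd_debug(text: str) -> dict:
    """Count what rtadvd did (send RA) versus what it saw on the wire
    (RS received from hosts, RA received from any router, itself included)."""
    counts = Counter()
    sources = {"RS received": set(), "RA received": set()}
    ifaces = set()
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # timer bookkeeping lines carry no signal for this check
        counts[m["event"]] += 1
        ifaces.add(m["iface"])
        if m["src"]:
            sources[m["event"]].add(m["src"].lower())
    return {
        "ifaces": sorted(ifaces),
        "ra_sent": counts["send RA"],
        "rs_received": counts["RS received"],
        "ra_received": counts["RA received"],
        "rs_sources": sorted(sources["RS received"]),
        "ra_sources": sorted(sources["RA received"]),
    }


def diagnose(summary: dict) -> str:
    """Heuristic reading of the summary. The middle rule mirrors this thread:
    rtadvd logged 'send RA' all along, but 'RA received' lines only appeared
    once pf was disabled, which pointed at the packet filter, not rtadvd."""
    if summary["rs_received"] and not summary["ra_sent"]:
        return "hosts are soliciting but rtadvd never sends an RA: check the prefix in rtadvd.conf and the -s flag"
    if summary["ra_sent"] and not summary["ra_received"]:
        return "rtadvd hands RAs to the kernel but none are seen on the wire: check pf (test with pfctl -d) and tcpdump -i <iface> icmp6"
    if summary["ra_received"]:
        return "RAs are on the wire; if hosts still get no address, capture on the host side"
    return "no RA/RS activity in this capture"


# Constructed samples modelled on the outputs posted in this thread (not verbatim).
SAMPLE_PF_ENABLED = """\
# /usr/sbin/rtadvd -ds rl0
RA timer on rl0 is set to 16:0
set timer to 15:998952. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 0
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 1:161148. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
"""

SAMPLE_PF_DISABLED = """\
rtadvd[1595]: <ra_output> send RA on vr1, # of waitings = 0
rtadvd[1595]: <ra_input> RA received from fe80::224:1ff:fef1:b7e on vr1
rtadvd[1595]: <rs_input> RS received from fe80::1164:73c5:825b:a0e9 on vr1
rtadvd[1595]: <ra_output> send RA on vr1, # of waitings = 1
rtadvd[1595]: <ra_input> RA received from fe80::224:1ff:fef1:b7e on vr1
"""

if __name__ == "__main__":
    for name, sample in (("pf enabled", SAMPLE_PF_ENABLED), ("pf disabled", SAMPLE_PF_DISABLED)):
        s = summarize_rtadvd_debug(sample)
        print(name, s, "->", diagnose(s))
```

Feed it the saved output of `rtadvd -d <iface>` (or the NetBSD `-D` variant); the `rs_sources` list also tells you which hosts are actually asking, which is handy when a client is suspected of not sending solicitations at all.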
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: Jim Whitby on January 20, 2012, 05:29:50 PM
I can't say if your radvd.conf is correct or not.
I can say it's different from mine.

This is what mine looks like and works.


interface eth0
{
  AdvSendAdvert on;
  AdvLinkMTU 1280;
  prefix 2001:470:5:6cd::/64
  {
    AdvOnLink on;
    AdvAutonomous on;
  };
};

I would suggest you change the interface name and prefix to be what yours are and give it a try.

Is forwarding enabled for ipv6?

From "man radvd":

Note that if debugging is not enabled, radvd will not start if IPv6 forwarding is disabled. IPv6 forwarding can be controlled via sysctl(8), net.ipv6.conf.all.forwarding on Linux or net.inet6.ip6.forwarding on BSD.

Similarly, the configuration file must not be writable by others, and if non-root operation is requested, not even by self/own group.

If you haven't done so. Read the man page for radvd and radvd.conf.

Hope some of this helps.

Jim

Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: nickbeee on January 20, 2012, 05:59:28 PM
Quote
I can't say if your radvd.conf is correct or not.
I can say it's different from mine.

Jim, am I correct in thinking yours is a Linux system? This looks completely different to the OpenBSD version (radvd versus rtadvd) which the OP is using.
Quote
Is forwarding enabled for ipv6?
It must be as OP said connectivity works if he configures his client manually with ipv6 address.

Quote
If you haven't done so. Read the man page for radvd and radvd.conf.
I can recommend the most excellent FreeBSD Man pages server (http://www.freebsd.org/cgi/man.cgi) which covers all flavours of BSD and a few Linux distros too  ;D
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: ngyurov on January 21, 2012, 09:36:56 AM
nickbeee, by reading the man page for that option I highly doubted it would change anything and unfortunately I was right:
Code:
# /usr/sbin/rtadvd -ds rl0
RA timer on rl0 is set to 16:0
set timer to 15:998952. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 0
RA timer on rl0 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 1:161148. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:272443. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 281:0
set timer to 281:0. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:46983. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 286:0
set timer to 286:0. waiting for inputs or timeout

Any other ideas?
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: nickbeee on January 21, 2012, 11:06:03 AM
Quote
nickbeee, by reading the man page for that option I highly doubted it would change anything and unfortunately I was right:
Still no RAs shown there...
Quote
Any other ideas?

You're using NAT for IPv4 so presumably you have PF enabled and configured to do this. Maybe PF is blocking outgoing icmp6 traffic?

Can you repeat the above test with PF disabled (pfctl -d) and see whether any RAs appear in the debug output?
 
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: ngyurov on January 22, 2012, 06:56:02 AM
Still not working but requests seem to be received...
This is with PF disabled:
Code:
# /usr/sbin/rtadvd -ds rl0
RA timer on rl0 is set to 16:0
set timer to 15:991587. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:378644. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
RA received from fe80::224:1ff:fef1:b7e on rl0
set timer to 15:999779. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:170898. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
RA received from fe80::224:1ff:fef1:b7e on rl0
set timer to 15:999791. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:463185. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 236:0
set timer to 236:0. waiting for inputs or timeout
RA received from fe80::224:1ff:fef1:b7e on rl0
set timer to 235:999793. waiting for inputs or timeout

I wonder why that is so, because otherwise in PF I have:
Code:
pass out quick inet6
pass in quick inet6
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: nickbeee on January 22, 2012, 11:23:52 AM
So now we have RAs going out  ;D. Looks like you need to review your pf.conf.

Does your W7 host configure itself with an EUI-64 ipv6 address? If not then I would be looking at traffic by running tcpdump on your firewall - tcpdump -vv -i rl0 ip6 - just to double-check those RAs and RSs. I would then look for similar on the W7 host with Wireshark.

I believe there are some issues with W7 and SLAAC. I don't have much experience with W7's ipv6 so maybe someone else can help here  ???. It looks as if you are making progress on the BSD side though.
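An added example of mine (not code from this thread or from any OpenBSD/Windows component) to go with the tcpdump/Wireshark suggestion above: a decoder for the Router Advertisement packets you would be looking at in a `tcpdump -vv -i rl0 ip6` capture, a builder for a test RA so the block runs offline (the ICMPv6 checksum is left at zero because it covers an IPv6 pseudo-header this example does not have), and the EUI-64 computation that decides what address a W7 host without privacy extensions should end up with. The `raflags` argument is the RA flags byte, the same number rtadvd.conf's `raflags#` takes, so `raflags=64` sets the O ("other stateful configuration") bit shown in the NetBSD config earlier. The MAC `00:24:01:f1:0b:7e` is an assumed value, chosen so that its EUI-64 matches the link-local `fe80::224:1ff:fef1:b7e` seen in the posted debug output; it is there to check the arithmetic, not a claim about the OP's hardware.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERT = 134   # RFC 4861 section 4.2
OPT_PREFIX_INFO = 3          # RFC 4861 section 4.6.2
RA_FLAG_MANAGED = 0x80       # M: addresses via DHCPv6
RA_FLAG_OTHER = 0x40         # O: other config (e.g. DNS) via DHCPv6; rtadvd raflags#64
PIO_FLAG_ONLINK = 0x80       # L: prefix is on-link
PIO_FLAG_AUTONOMOUS = 0x40   # A: host may form an address from it via SLAAC


def decode_router_advertisement(payload: bytes) -> dict:
    """Decode an RA starting at the ICMPv6 header. Options are walked with strict
    length checks so a malformed option cannot read past the buffer."""
    if len(payload) < 16:
        raise ValueError("RA shorter than the 16-byte fixed header")
    (icmp_type, code, _checksum, hop_limit, flags,
     router_lifetime, reachable, retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & RA_FLAG_MANAGED),
        "other_config": bool(flags & RA_FLAG_OTHER),
        "router_lifetime": router_lifetime,
        "reachable_time": reachable,
        "retrans_timer": retrans,
        "prefixes": [],
    }
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option (RFC 4861 says discard the packet)")
        length = olen * 8
        if off + length > len(payload):
            raise ValueError("option length exceeds packet")
        body = payload[off:off + length]
        if otype == OPT_PREFIX_INFO and length == 32:
            prefix_len, pflags, valid, preferred = struct.unpack("!BBII", body[2:12])
            prefix = ipaddress.IPv6Address(body[16:32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{prefix_len}",
                "on_link": bool(pflags & PIO_FLAG_ONLINK),
                "autonomous": bool(pflags & PIO_FLAG_AUTONOMOUS),
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        off += length  # unknown option types are skipped, as RFC 4861 requires
    return ra


def build_router_advertisement(prefix: str, raflags: int = 0, router_lifetime: int = 1800,
                               valid: int = 2592000, preferred: int = 604800) -> bytes:
    """Constructed test RA with one Prefix Information option (L and A set).
    raflags is the RA flags byte, as in rtadvd.conf's raflags#. Checksum left zero."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, raflags & 0xFF,
                         router_lifetime, 0, 0)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                         PIO_FLAG_ONLINK | PIO_FLAG_AUTONOMOUS, valid, preferred, 0)
    return header + option + net.network_address.packed


def eui64_address(prefix: str, mac: str) -> str:
    """Address a SLAAC host without privacy extensions forms: the /64 prefix plus the
    modified EUI-64 of its MAC (U/L bit flipped, ff:fe inserted in the middle)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC address formation needs a /64 prefix")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


if __name__ == "__main__":
    # Assumed MAC; its EUI-64 matches the fe80::224:1ff:fef1:b7e seen in the thread.
    pkt = build_router_advertisement("2001:470:1f0b:1e1::/64", raflags=64)
    print(decode_router_advertisement(pkt))
    print(eui64_address("fe80::/64", "00:24:01:f1:0b:7e"))
    print(eui64_address("2001:470:1f0b:1e1::/64", "00:24:01:f1:0b:7e"))
```

When reading a real capture, compare the decoded `prefix` and the `autonomous` flag against what rtadvd.conf advertises, and compare the host's MAC-derived EUI-64 against the address it actually configured: a host that picked up the prefix but shows only random addresses has privacy extensions on, while one with no global address at all never accepted the RA.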
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: cholzhauer on January 22, 2012, 11:29:54 AM
Nick, do you have any more specifics on those issues? We've been running Windows 7 with router advertisements for a couple of years now and haven't had any issues.
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: ngyurov on January 22, 2012, 12:28:37 PM
I think I'll try to configure DHCPv6 to give the internal hosts addresses. I'm gonna need it to do the same with the DNS servers anyway.
When I have more time I'll play again with rtadvd and check why it is not working.
Thanks for the help though.
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: nickbeee on January 23, 2012, 05:52:05 AM
Quote
I think I'll try to configure DHCPv6 to give the internal hosts addresses. I'm gonna need it to do the same with the DNS servers anyway.
When I have more time I'll play again with rtadvd and check why it is not working.
Thanks for the help though.
Please post back when you have it working - I would be most interested to know what solution works for you!
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: nickbeee on January 23, 2012, 06:07:36 AM
Quote
Nick, do you have any more specifics on those issues? We've been running Windows 7 with router advertisements for a couple of years now and haven't had any issues.

I've got one W7 (Pro, 64bit, SP1) test machine at the office so my (IPv6) experiences of this OS are very limited compared to yours.

The router is a Cisco 871 which is configured for SLAAC and uses DHCPv6 to provide the DNS server. The W7 client configures itself correctly with an EUI-64 address, sets its gateway correctly and picks up the DNS server. However, it suffers from intermittent IPv6 connectivity. Other (FreeBSD and Linux) hosts on the same router work correctly.

What are you using for your router?
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: cholzhauer on January 23, 2012, 06:11:41 AM
We have an ASA 5520 that's doing SLAAC.  The only changes I make on the clients are to disable ISATAP, Teredo, and 6to4.

The ASA line won't do DHCPv6, otherwise, I would be using it to hand out DNS info too.
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: nickbeee on January 23, 2012, 06:20:43 AM
Quote
We have an ASA 5520 that's doing SLAAC.  The only changes I make on the clients are to disable ISATAP, Teredo, and 6to4.
Yes - did that. I also disabled the privacy address in case that was part of the problem.

Quote from: cholzhauer

The ASA line won't do DHCPv6, otherwise, I would be using it to hand out DNS info too.
Have you manually configured IPv6 DNS on the clients or are they relying on your IPv4 DNS server to get AAAA records?
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: cholzhauer on January 23, 2012, 06:26:32 AM
Quote
Have you manually configured IPv6 DNS on the clients or are they relying on your IPv4 DNS server to get AAAA records?

Unfortunately I've manually configured them...I have a small batch script that I created that disables the stuff I mentioned earlier, disables privacy addresses (those really throw off DNS), and assigns a couple of IPv6 addresses to use as DNS servers.  It works really well; the only problem is if I swap out DNS servers, I have to change the IPv6 address on them to match what I used in my batch file.  I'd really like to use that ASA, but like I said, they don't support it. I've suggested it to my account manager, but she tells me things like that are market driven; the more people that ask for it, the more likely they are to implement it.
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: Jim Whitby on January 25, 2012, 11:27:11 AM
Quote
I can't say if your radvd.conf is correct or not.
I can say it's different from mine.

Jim, am I correct in thinking yours is a Linux system? This looks completely different to the OpenBSD version (radvd versus rtadvd) which the OP is using.

Yes, it is Linux.
Sorry for the confusion.
Title: Re: How to NAT IPv6 traffic to internal LAN?
Post by: nickbeee on January 25, 2012, 01:29:46 PM
Quote
Have you manually configured IPv6 DNS on the clients or are they relying on your IPv4 DNS server to get AAAA records?

Unfortunately I've manually configured them...I have a small batch script that I created that disables the stuff I mentioned earlier, disables privacy addresses (those really throw off DNS), and assigns a couple of IPv6 addresses to use as DNS servers.  It works really well; the only problem is if I swap out DNS servers, I have to change the IPv6 address on them to match what I used in my batch file.  I'd really like to use that ASA, but like I said, they don't support it. I've suggested it to my account manager, but she tells me things like that are market driven; the more people that ask for it, the more likely they are to implement it.

Solved my W7 issue - details here: http://www.tunnelbroker.net/forums/index.php?topic=2246.0