Hi guys
I'm trying to get my first IPv6 tunnel set up and I'm pretty much stuck at square one. I'm trying to build an OpenBSD 5.1 based router running on a Soekris 4801. After completing all of the setup steps, when I try to ping any IPv6 address (including the server's IPv6 endpoint address) I get 0 packets received.
My topology:
[ Internet ] ---- [ (71.212.119.174) Qwest DSL modem+router (192.168.0.1) ] ---- [ (192.168.0.2) OpenBSD ]
The Qwest router is pretty much an abomination, but it at least has a DMZ mode, so I enabled that for my OpenBSD box. I've also disabled PF just to make sure that's not causing any issues.
Before doing any tunnel configuration:
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
	priority: 0
	groups: lo
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
	inet 127.0.0.1 netmask 0xff000000
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:24:c7:37:38
	priority: 0
	groups: egress
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
	inet6 fe80::200:24ff:fec7:3738%sis0 prefixlen 64 scopeid 0x1
	inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
sis1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:24:c7:37:39
	priority: 0
	media: Ethernet autoselect (none)
	status: no carrier
sis2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:24:c7:37:3a
	priority: 0
	media: Ethernet autoselect (none)
	status: no carrier
enc0: flags=0<>
	priority: 0
	groups: enc
	status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
	priority: 0
	groups: pflog
The example configuration for my tunnel:
ifconfig gif0 tunnel 71.212.119.174 72.52.104.74
ifconfig gif0 inet6 alias 2001:470:1f04:3dd::2 2001:470:1f04:3dd::1 prefixlen 128
route -n add -inet6 default 2001:470:1f04:3dd::1
and after adding the tunnel:
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
	priority: 0
	groups: lo
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
	inet 127.0.0.1 netmask 0xff000000
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:24:c7:37:38
	priority: 0
	groups: egress
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
	inet6 fe80::200:24ff:fec7:3738%sis0 prefixlen 64 scopeid 0x1
	inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
sis1: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:24:c7:37:39
	priority: 0
	media: Ethernet autoselect (none)
	status: no carrier
sis2: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:24:c7:37:3a
	priority: 0
	media: Ethernet autoselect (none)
	status: no carrier
enc0: flags=0<>
	priority: 0
	groups: enc
	status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
	priority: 0
	groups: pflog
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
	priority: 0
	groups: gif egress
	physical address inet 71.212.119.174 --> 72.52.104.74
	inet6 fe80::200:24ff:fec7:3738%gif0 -> prefixlen 64 scopeid 0x7
	inet6 2001:470:1f04:3dd::2 -> 2001:470:1f04:3dd::1 prefixlen 128
and when I try to ping anything (in this case, tunnel endpoint):
# ping6 2001:470:1f04:3dd::1
PING6(56=40+8+8 bytes) 2001:470:1f04:3dd::2 --> 2001:470:1f04:3dd::1
^C
--- 2001:470:1f04:3dd::1 ping6 statistics ---
6 packets transmitted, 0 packets received, 100.0% packet loss
I've tried substituting my external ip address for 192.168.0.2 in the tunnel setup commands, with no effect.
I'm not positive, but I think my ICMP packets aren't even leaving the device. I've replicated the above setup in VirtualBox on my laptop, and when I watch the traffic through Wireshark I'm never seeing any ping requests when I ping an IPv6 address (IPv4 ping requests show up fine). Am I missing some crucial step here?
Some extra info:
# route -n show
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.0.1 UGS 3 311 - 8 sis0
127/8 127.0.0.1 UGRS 0 0 33196 8 lo0
127.0.0.1 127.0.0.1 UH 2 0 33196 4 lo0
192.168.0/24 link#1 UC 2 0 - 4 sis0
192.168.0.1 50:67:f0:ef:88:34 UHLc 1 38 - 4 sis0
192.168.0.2 127.0.0.1 UGHS 0 0 33196 8 lo0
192.168.0.11 00:15:c5:86:cc:a2 UHLc 1 746 - 4 sis0
224/4 127.0.0.1 URS 0 0 33196 8 lo0
Internet6:
Destination Gateway Flags Refs Use Mtu Prio Iface
::/104 ::1 UGRS 0 0 - 8 lo0
::/96 ::1 UGRS 0 0 - 8 lo0
default 2001:470:1f04:3dd::1 UGS 0 0 - 8 gif0
::1 ::1 UH 14 0 33196 4 lo0
::127.0.0.0/104 ::1 UGRS 0 0 - 8 lo0
::224.0.0.0/100 ::1 UGRS 0 0 - 8 lo0
::255.0.0.0/104 ::1 UGRS 0 0 - 8 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 - 8 lo0
2001:470:1f04:3dd::1 2001:470:1f04:3dd::2 UH 1 22 - 4 gif0
2001:470:1f04:3dd::2 link#7 UHL 0 0 - 4 lo0
2001:470:1f05:3dd::/64 link#2 C 0 0 - 4 sis1
2001:470:1f05:3dd::10 00:00:24:c7:37:39 HL 0 0 - 4 lo0
2002::/24 ::1 UGRS 0 0 - 8 lo0
2002:7f00::/24 ::1 UGRS 0 0 - 8 lo0
2002:e000::/20 ::1 UGRS 0 0 - 8 lo0
2002:ff00::/24 ::1 UGRS 0 0 - 8 lo0
fe80::/10 ::1 UGRS 0 0 - 8 lo0
fe80::%sis0/64 link#1 UC 0 0 - 4 sis0
fe80::200:24ff:fec7:3738%sis0 00:00:24:c7:37:38 UHL 0 0 - 4 lo0
fe80::%sis1/64 link#2 C 0 0 - 4 sis1
fe80::200:24ff:fec7:3739%sis1 00:00:24:c7:37:39 HL 0 0 - 4 lo0
fe80::%lo0/64 fe80::1%lo0 U 0 0 - 4 lo0
fe80::1%lo0 link#5 UHL 0 0 - 4 lo0
fe80::%gif0/64 link#7 UC 0 0 - 4 gif0
fe80::200:24ff:fec7:3738%gif0 link#7 UHL 0 0 - 4 lo0
fec0::/10 ::1 UGRS 0 0 - 8 lo0
ff01::/16 ::1 UGRS 0 0 - 8 lo0
ff01::%sis0/32 link#1 UC 0 0 - 4 sis0
ff01::%sis1/32 link#2 C 0 0 - 4 sis1
ff01::%lo0/32 fe80::1%lo0 UC 0 0 - 4 lo0
ff01::%gif0/32 link#7 UC 0 0 - 4 gif0
ff02::/16 ::1 UGRS 0 0 - 8 lo0
ff02::%sis0/32 link#1 UC 0 0 - 4 sis0
ff02::%sis1/32 link#2 C 0 0 - 4 sis1
ff02::%lo0/32 fe80::1%lo0 UC 0 0 - 4 lo0
ff02::%gif0/32 link#7 UC 0 0 - 4 gif0
# cat /etc/sysctl.conf
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets
net.inet6.ip6.accept_rtadv=0 # 1=Permit IPv6 autoconf (forwarding must be 0)
Any thoughts? I'm up for trying anything at this point...
Since you're behind NAT, did you replace your public IP address with your NAT address when you issued the commands in OpenBSD?
Replace 71.212.119.174 with 192.168.0.2 when creating your tunnel.
Still no dice:
# ifconfig gif0 tunnel 192.168.0.2 72.52.104.74
# ifconfig gif0 inet6 alias 2001:470:1f04:3dd::2 2001:470:1f04:3dd::1 prefixlen 128
# route -n add -inet6 default 2001:470:1f04:3dd::1
add net default: gateway 2001:470:1f04:3dd::1
# ping6 2001:470:1f04:3dd::1
PING6(56=40+8+8 bytes) 2001:470:1f04:3dd::2 --> 2001:470:1f04:3dd::1
^C
--- 2001:470:1f04:3dd::1 ping6 statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
I think the real question: why would Wireshark not see any ICMPv6 requests when running in a virtual machine? Is there additional configuration that I need to do that I'm missing?
Another example: if I run 'wget http://ipv6.google.com' I can see the DNS requests in Wireshark, but nothing else. wget eventually times out because it can't connect.
So what would cause the IPv6 requests to never leave the machine?
A follow-up: I figured out the issue. Even in DMZ mode it appears my modem (a ZyXel PK5000z) wouldn't send proto41 to my DMZ host. My fix was to pick up a cheap Actiontec modem that supports transparent bridging and set up OpenBSD to handle PPPoE. This also has the benefit of my tunnel box getting direct access to the WAN IP, making it trivial to have a script that updates the tunnel endpoints if my IP changes.
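
Added example, not part of the original thread: a 6in4 tunnel such as gif0 wraps each IPv6 packet in an IPv4 packet with protocol number 41, so a capture on the physical interface shows proto 41 rather than bare ICMPv6. The Python sketch below builds and parses such packets and classifies a capture by direction; the function names are hypothetical and the sample packets are constructed (zeroed checksums), using the addresses from the thread.

```python
import ipaddress
import struct

PROTO_6IN4 = 41        # IPv4 protocol number for encapsulated IPv6 (what gif0 emits)
NEXT_HDR_ICMPV6 = 58

def build_6in4(outer_src, outer_dst, inner_src, inner_dst, icmp6_type):
    """Constructed sample packet: IPv4 (proto 41) / IPv6 / ICMPv6 echo."""
    icmp6 = struct.pack("!BBHHH", icmp6_type, 0, 0, 1, 1)  # checksum 0: sample only
    ipv6 = struct.pack("!IHBB", 6 << 28, len(icmp6), NEXT_HDR_ICMPV6, 64)
    ipv6 += ipaddress.IPv6Address(inner_src).packed
    ipv6 += ipaddress.IPv6Address(inner_dst).packed
    ipv4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(ipv6) + len(icmp6),
                       0, 0, 64, PROTO_6IN4, 0)
    ipv4 += ipaddress.IPv4Address(outer_src).packed
    ipv4 += ipaddress.IPv4Address(outer_dst).packed
    return ipv4 + ipv6 + icmp6

def parse_6in4(pkt):
    """Return outer/inner addresses and ICMPv6 type, or None if not 6in4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != PROTO_6IN4 or len(pkt) < ihl + 40:
        return None
    inner = pkt[ihl:]
    if inner[0] >> 4 != 6:
        return None
    is_icmp6 = inner[6] == NEXT_HDR_ICMPV6 and len(inner) > 40
    return {
        "outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "icmp6_type": inner[40] if is_icmp6 else None,
    }

def diagnose(packets, local_v4, broker_v4):
    """Classify a capture taken on the physical (IPv4) interface."""
    seen = [p for p in map(parse_6in4, packets) if p]
    sent = sum(p["outer_src"] == local_v4 and p["outer_dst"] == broker_v4 for p in seen)
    back = sum(p["outer_src"] == broker_v4 and p["outer_dst"] == local_v4 for p in seen)
    if sent == 0:
        return "no proto 41 leaving host: check gif0 tunnel addresses and routes"
    if back == 0:
        return "proto 41 sent, none returned: check upstream NAT/modem proto 41 forwarding"
    return "proto 41 flowing in both directions"
# Constructed capture: three echo requests (type 128) leave, nothing comes back.
SAMPLE = [build_6in4("192.168.0.2", "72.52.104.74",
                     "2001:470:1f04:3dd::2", "2001:470:1f04:3dd::1", 128)] * 3
```

Calling `diagnose(SAMPLE, "192.168.0.2", "72.52.104.74")` on the constructed capture reports requests sent with nothing returned, the pattern expected when a device in the path does not pass protocol 41.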