Hurricane Electric's IPv6 Tunnel Broker Forums
General IPv6 Topics => IPv6 Basics & Questions & General Chatter => Topic started by: mijedk on February 15, 2017, 04:13:23 AM
I'm still really new to all this, but have run into a problem that I'm not sure how to handle.
Got one firewall (Palo Alto, shame on them, for not supporting 6in4 tunnels) where our public lab IPv4 subnet is terminated.
Since I can't create the tunnel on the firewall, I was thinking about just adding a small Linux VM behind that FW that creates the tunnel to he.net (that part works fine), but I really want the main firewall to handle all network related rules (IPv4/6). My initial idea would be to just route the /48 to an IPv6 client address assigned to the Palo Alto firewall from the /64 net, but it seems to be hard coded to route it to ::2 (the "Client IPv6 Address" on the tunnel details), which is on the Linux VM, so that won't help me much, unless I'm missing something completely.
Does anyone have any ideas how I can achieve this, or any pointers for stuff to search for, if it's possible at all?
I do something like this; my firewall is an ASA and you can't create a tunnel on there. I stood up a FreeBSD VM outside of the firewall and terminated my tunnel on it. Then all traffic comes through my firewall and I can filter it as needed.
Finally got my head around it, ended up with:
1 Linux VM (Ubuntu 16.10) with a plain normal HE tunnel setup (sitting on a public IPv4 address (184.108.40.206)):
iface he-ipv6 inet6 v4tunnel
Then added a site-local address (fde4:8dba:82e1::/64) on ens160 on the same Linux box:
iface ens160 inet6 static
Then enabled IPv6 routing on the Linux VM (/etc/sysctl.conf).
Finally adding a route on the Linux VM: ip route add 2001:470:xxxx::/48 dev ens160
Then on the Palo Alto firewall:
1) Adding fde4:8dba:82e1::2/64 to an interface
2) Adding an address (2001:470:xxxx::1/48) from the /48 routed network on the same interface (will be split up later)
3) Adding a static route for ::/0 -> fde4:8dba:82e1::1 (the Linux VM)
Then connected a client on the same vlan/interface as the Palo Alto FW, and assigned it 2001:470:xxxx::2/48 with 2001:470:xxxx::1/48 as GW, and it can connect to 2600:: / google etc.
In case someone needs something similar: there are likely some things I haven't considered with doing it this way, but it was a small success on the road to getting this working at least.
Turns out the above worked pretty badly for what I wanted, so I went with OSPFv3 instead; that, however, is working exactly like I wanted it now.
Still using the same Linux VM as above, with the same tunnel conf, but installed quagga with a simple zebra/ospf6d conf (ens192 is what's connected to the Palo Alto interface/vlan, ens160 is only used for IPv4 for the tunnel), and moved the fde4:8dba:82e1::1 to ens192 instead. These are the main parts of the quagga conf:
! the "interface" / "router ospf6" headers were lost in the post and are reconstructed here
interface ens192
 ip address 10.10.90.1/24
 ipv6 nd suppress-ra
 ipv6 ospf6 network broadcast
interface he-ipv6
 ipv6 nd suppress-ra
 ipv6 ospf6 network point-to-point
 ipv6 ospf6 passive
router ospf6
 interface ens192 area 0.0.0.0
 interface he-ipv6 area 0.0.0.0
ipv6 route 2001:470:xxxx::/48 ens192
I wanted to use different /56s on various interfaces/vlans on the Palo Alto FW, so this is how I configured it:
On the Palo Alto firewall:
1) Created a new (sub)interface on the same vlan as ens192 on the Linux VM, gave it an fde4:8dba:82e1::2 address, added 10.10.90.2/24, enabled IPv6 on the interface (L3), and assigned the default virtual router to the interface.
2) Went to OSPFv3 on the default virtual router config, set the router ID to 10.10.90.2, ticked enable, added a new 0.0.0.0 area, and added the interfaces I wanted to use the different /56 networks on (default settings).
3) On the main OSPFv3 settings page, unticked "Reject default route".
4) Went to "Static routes" -> IPv6 and added a new default route for IPv6: dest = ::/0, interface = the interface the Linux VM is connected to, next hop IPv6 address = fde4:8dba:82e1::1.
Added firewall rules as needed (looked at the monitor tab).
Just posting in case anyone else is having issues getting it to work on the Palo Alto FWs; it's not the easiest thing to find help on, and this is in no way best practices for anything, just pushing different things until it works :P
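As an added example that is not from the thread, HE or Palo Alto: a small shell script for the Linux VM side of the design above, using the thread's ULA transit link and its plan of carving the routed /48 into per-VLAN /56s. The /48, the tunnel /64 and both IPv4 endpoints are placeholders, and the /48 is routed at the firewall's ULA address rather than via the interface route used in the first attempt.

```shell
#!/bin/sh
# Added example (not from the thread): plan and bring up the Linux-VM side of
# the setup above: 6in4 tunnel on the VM, ULA transit link to the firewall,
# the routed /48 handed to the firewall and carved into per-VLAN /56s.
set -eu

ROUTED48="2001:db8:1234::/48"    # placeholder for the /48 HE routes to you
TRANSIT_ULA="fde4:8dba:82e1::"   # ULA link from the thread: VM ::1, firewall ::2
LAN_IF="ens192"                  # VLAN shared with the Palo Alto interface
TUN_IF="he-ipv6"
HE_SERVER_V4="192.0.2.1"         # placeholder: HE "Server IPv4 Address"
MY_V4="192.0.2.2"                # placeholder: the VM's public IPv4 address
TUN64="2001:db8:ffff::"          # placeholder: the tunnel's /64 (VM is ::2)

# Nth /56 inside a /48: the high byte of the fourth hextet is the index.
#   subnet56 2001:db8:1234::/48 3  ->  2001:db8:1234:300::/56
subnet56() {
    p48=${1%%::*}                       # first three hextets
    [ "$2" -ge 0 ] && [ "$2" -le 255 ] || return 1
    printf '%s:%x::/56\n' "$p48" $(( $2 * 256 ))
}

# Address the firewall puts on a VLAN interface: ::1 of that /56.
gw56() {
    s=$(subnet56 "$1" "$2") || return 1
    printf '%s1/56\n' "${s%/56}"
}

# The VM-firewall hop must stay in ULA space (fc00::/7), never in the routed /48.
is_ula() {
    case $1 in [fF][cCdD]*) return 0 ;; *) return 1 ;; esac
}

# Bring up the VM side (needs root). The firewall keeps all address-level rules;
# the VM only forwards between the tunnel and the ULA link.
apply_linux_side() {
    is_ula "$TRANSIT_ULA" || { echo "transit link must be a ULA" >&2; return 1; }
    sysctl -w net.ipv6.conf.all.forwarding=1
    sysctl -w "net.ipv6.conf.$LAN_IF.accept_ra=0"   # a router takes no RAs here
    ip tunnel add "$TUN_IF" mode sit remote "$HE_SERVER_V4" local "$MY_V4" ttl 255
    ip link set "$TUN_IF" up
    ip -6 addr add "${TUN64}2/64" dev "$TUN_IF"
    ip -6 addr add "${TRANSIT_ULA}1/64" dev "$LAN_IF"
    ip -6 route add ::/0 dev "$TUN_IF"
    # whole /48 toward the firewall's ULA address, not an interface route
    ip -6 route add "$ROUTED48" via "${TRANSIT_ULA}2" dev "$LAN_IF"
}
```

Call `apply_linux_side` as root once the placeholders are filled in; `subnet56` and `gw56` give the /56 and gateway to put on each firewall VLAN interface.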