Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 Basics & Questions & General Chatter => Topic started by: gdmbweil42 on February 12, 2018, 04:51:39 AM

Title: Clients not in "Routed /64" subnet
Post by: gdmbweil42 on February 12, 2018, 04:51:39 AM
Hi,

I have a router and a Hardware Firewall behind said Router. Router manages the HE Tunnel.

HE Server IPv6 is 2001:x:A:y::1
Router Address is 2001:x:A:y::2
Routed /64 is 2001:x:B:y::/64

Router address is fd00::something. Router is exposed IPv4 & IPv6 for Firewall.
Firewall address is first address from "Routed /64", 2001:x:B:y::1

What I don't understand are the addresses for my clients behind the firewall. I would expect those to be something from my "Routed /64", but they are not. In fact, they all have a different prefix, meaning 2001:x:C:y::/64 (the third group is "C", not "B" as I would expect it. Also the "y" is identical in all addresses). This prefix is not shown in my HE Account nor anywhere else. Can someone elaborate on that?

Thanks
Martin
Title: Re: Clients not in "Routed /64" subnet
Post by: cholzhauer on February 12, 2018, 04:53:50 AM
Obfuscating makes it hard to help and is not needed, can you please post the real ranges?

With that being said, you're supposed to use the routed /64 for hosts behind your firewall.  If you have multiple subnets, you need to request a /48.

The outside interface of your router has an IP from your tunnel /64 and the inside interface has an IP from the routed /64.
Title: Re: Clients not in "Routed /64" subnet
Post by: gdmbweil42 on February 12, 2018, 05:27:36 AM
Sorry for that, here are the real values:

2001:470:1f0a:160d::1 is HE Server
2001:470:1f0a:160d::2 is Router

2001:470:1f0b:160d::/64 is "routed /64"

So my router gives out this subnet and clients should generate any address beginning with "2001:470:1f0b:160d:", correct?

My firewall has 2001:470:1f0b:160d::1

But every client has an address with prefix 2001:470:1f0c:160d:: (there is a "c" in the third group, not a "b"). Why? Am I even "allowed" to use that prefix since Tunnelbroker does not provide this one to me?

Hope this explains it better
Title: Re: Clients not in "Routed /64" subnet
Post by: cholzhauer on February 12, 2018, 05:34:52 AM
Quote
So my router gives out this subnet and clients should generate any address beginning with "2001:470:1f0b:160d:", correct?

That's correct.

Quote
My firewall has 2001:470:1f0b:160d::1.  But every client has an address with prefix 2001:470:1f0c:160d:: (there is a "c" in the third group, not a "b"). Why? Am I even "allowed" to use that prefix since Tunnelbroker does not provide this one to me?


This has to be a misconfiguration on your router.  As you pointed out, this isn't one of your ranges, but since you're getting addresses in that range and your router is the one handing out addresses, your router has to be wrong.  Check for a typo in the config, or if you want, post a screenshot.
Title: Re: Clients not in "Routed /64" subnet
Post by: gdmbweil42 on February 12, 2018, 05:59:44 AM
And - of course - a typo was the culprit. Thank you for pointing that out.

The internal interface of my firewall had a static IPv6 and this one had the "c" error.

Thanks
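
Added example, not part of the original thread: a small Python audit that checks collected interface addresses against the two prefixes quoted above and flags any that sit outside them, noting when the /64 is a single hex digit away from an allocation, as in the typo found here. The function names and the sample address list are assumptions made for illustration.

```python
import ipaddress

# Allocations quoted in the thread: the tunnel /64 and the routed /64.
ALLOCATED = {
    "tunnel /64": ipaddress.ip_network("2001:470:1f0a:160d::/64"),
    "routed /64": ipaddress.ip_network("2001:470:1f0b:160d::/64"),
}
ULA = ipaddress.ip_network("fc00::/7")

def _prefix_hex(addr):
    """Upper 64 bits of an IPv6 address as 16 hex digits."""
    return f"{int(addr) >> 64:016x}"

def classify(text):
    """Classify one IPv6 address ("addr" or "addr/len"); returns (label, note)."""
    addr = ipaddress.IPv6Interface(text).ip
    if addr.is_link_local:
        return ("link-local", "")
    if addr in ULA:
        return ("ULA", "")
    for label, net in ALLOCATED.items():
        if addr in net:
            return (label, "")
    # Outside every allocation: name allocations whose /64 differs by exactly
    # one hex digit, which points at a mistyped static address or prefix.
    near = [label for label, net in ALLOCATED.items()
            if sum(a != b for a, b in
                   zip(_prefix_hex(addr), _prefix_hex(net.network_address))) == 1]
    note = "one hex digit away from " + ", ".join(near) if near else "no similar allocation"
    return ("unallocated", note)

def audit(addresses):
    """Return [(address, note)] for every address outside the allocations."""
    findings = []
    for text in addresses:
        label, note = classify(text)
        if label == "unallocated":
            findings.append((text, note))
    return findings

# Constructed sample: addresses as they might be collected from router, firewall and a client.
SAMPLE = [
    "2001:470:1f0a:160d::2/64",                   # router, tunnel side
    "2001:470:1f0b:160d::1/64",                   # firewall, routed /64
    "2001:470:1f0c:160d::1/64",                   # mistyped static address
    "2001:470:1f0c:160d:a1b2:c3ff:fe4d:5e6f/64",  # client that autoconfigured from it
    "fe80::1/64",
    "fd00::1/64",
]

if __name__ == "__main__":
    for text, note in audit(SAMPLE):
        print(f"{text}: not in any allocated prefix ({note})")
```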