Not sure what I'm missing, maybe another pair of eyes will help?
ifconfig gif0 create
ifconfig gif0 192.168.102.191 209.51.181.2
ifconfig gif0 inet6 2001:470:1f10:2aa::2 2001:470:1f10:2aa::1 prefixlen 128
route add -inet6 default 2001:470:1f10:2aa::1
ifconfig gif0 up
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:c0:7d:ce
inet6 fe80::20c:29ff:fec0:7dce%em0 prefixlen 64 scopeid 0x1
inet 192.168.102.191 netmask 0xfffffe00 broadcast 192.168.103.255
inet6 2001:470:c27d:2aa::3 prefixlen 64
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
gif0: flags=8011<UP,POINTOPOINT,MULTICAST> metric 0 mtu 1280
inet 192.168.102.191 --> 209.51.181.2 netmask 0xff000000
inet6 fe80::20c:29ff:fec0:7dce%gif0 prefixlen 64 scopeid 0x4
inet6 2001:470:1f10:2aa::2 --> 2001:470:1f10:2aa::1 prefixlen 128
(Passing all IP traffic through the firewall to that NAT address)
Internet6:
Destination Gateway Flags Netif Expire
::/96 ::1 UGRS lo0 =>
default 2001:470:1f10:2aa::1 UGS gif0
::1 ::1 UHL lo0
::ffff:0.0.0.0/96 ::1 UGRS lo0
2001:470:1f10:2aa::1 link#4 UHL gif0
2001:470:1f10:2aa::2 link#4 UHL lo0
2001:470:c27d:2aa::/64 link#1 UC em0
2001:470:c27d:2aa::3 00:0c:29:c0:7d:ce UHL lo0
Having not described the problem, hard to say, could you elaborate?
Whoops, sorry.
This is what I get when I try to ping something.
[carl@venus ~]$ ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:470:1f10:2aa::2 --> 2001:4860:b002::68
ping6: sendmsg: Network is down
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
ping6: sendmsg: Network is down
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
ping6: sendmsg: Network is down
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
^C
--- ipv6.l.google.com ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
Is your IPv4 endpoint up to date? I can ping it from the tunnelbroker.net machine, not the tserv (guessing an ICMP allow filter). Is ICMPv6 blocked? I ask since the tserv cannot ping6 your side of the tunnel.
No firewall of any sort. You won't be able to ping6 the address because I can't get the tunnel online.
Quote from: cholzhauer on October 01, 2009, 06:46:20 PM
No firewall of any sort. You won't be able to ping6 the address because I can't get the tunnel online.
So no firewall, but NAT. Does the NAT pass proto 41?
I'm passing all IP traffic to the NAT IP address. I would assume that would include protocol 41?
Is tcp/41 the same thing?
I've also tried using the outside IP to create the tunnel, but that hasn't worked either
Quote from: cholzhauer on October 01, 2009, 07:45:49 PM
I'm passing all IP traffic to the NAT IP address. I would assume that would include protocol 41?
Is tcp/41 the same thing?
I've also tried using the outside IP to create the tunnel, but that hasn't worked either
No, protocol 41 is not a TCP/UDP port. Whatever NAT/firewall stuff you are using needs to pass protocol 41 to hosts behind it; make sure protocols are being passed. Also, since you are NAT'd/firewalled, you can't specify the WAN IP when behind that. You could do it if the tunnel was being created on the machine with that IP configured on it.
I'm passing all IP traffic to 12.199.185.10; there isn't any traffic that's being blocked.
access-list outside_acl extended permit ip any host 12.199.185.10
Quote from: cholzhauer on October 02, 2009, 05:10:27 AM
I'm passing all IP traffic to 12.199.185.10; there isn't any traffic that's being blocked.
access-list outside_acl extended permit ip any host 12.199.185.10
Are you reserving an entire IP and static NATing the whole thing to your inside BSD router? With IOS I think this is the only way to do it. Also, if you are doing that, might as well hang the BSD router on the outside network. :P
Quote: Are you reserving an entire IP and static NATing the whole thing to your inside BSD router?
Yep, the entire address is reserved for the machine. It's not really IOS based, but it's close enough.
Quote from: cholzhauer on October 03, 2009, 06:52:38 AM
Quote: Are you reserving an entire IP and static NATing the whole thing to your inside BSD router?
Yep, the entire address is reserved for the machine. It's not really IOS based, but it's close enough.
Hm. Well if you can't get that firewall, whatever it is, to do what you want, you could always take that IP out of the NAT, put it on a 2nd interface (presuming it has one) of the BSD box and hang it on the outside with a restrictive PF set up which only allows pings and proto 41. Then you wouldn't have to worry about NAT or the firewall at all.
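The restrictive PF set-up suggested above, written out as an added example rather than a configuration from the thread. The outside interface name em1 and the use of em0 as the LAN side are assumptions; the tunnel server and public IPv4 address are the ones given in the posts.

```pf
# Constructed example pf.conf for a FreeBSD box whose second NIC sits on the
# outside network with the public IPv4 directly configured, bypassing the NAT.
ext_if = "em1"               # assumption: outside NIC carrying the public IPv4
int_if = "em0"               # assumption: LAN side of the router
tun_if = "gif1"              # the 6in4 tunnel interface from the thread
he_srv = "209.51.181.2"      # HE tunnel server IPv4 endpoint (from the thread)
my_v4  = "12.199.185.10"     # public IPv4 reserved for this box (from the thread)

set skip on lo0
block in log all             # default deny in both directions
block out log all

# Traffic originated or forwarded by this box may leave; state carries replies back
pass out quick on { $ext_if $tun_if $int_if } keep state

# Outside interface: only the 6in4 encapsulation (IP protocol 41) from the HE
# server, plus ICMP echo so tunnelbroker's liveness check of the IPv4 endpoint
# still works. Nothing else reaches the box from the outside network.
pass in quick on $ext_if inet proto 41 from $he_srv to $my_v4
pass in quick on $ext_if inet proto icmp from any to $my_v4 icmp-type echoreq

# Tunnel side: ICMPv6 must pass or path MTU discovery breaks (gif MTU is 1280).
# New inbound IPv6 connections stay blocked; replies match the state above.
pass in quick on $tun_if inet6 proto ipv6-icmp all

# LAN side: let inside hosts use this router for IPv6
pass in quick on $int_if inet6 from $int_if:network to any keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the `log` keyword on the block rules lets `tcpdump -n -e -ttt -i pflog0` show exactly which packets (for example protocol 41 arriving from an unexpected source) are being dropped.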
I managed to get everything working, but now I'm unable to provide access for the rest of my subnet.
I am trying to use an IPv6 range assigned from Sixxs with this HE tunnel end point. Would that be the source of my problems?
If not...
I have set the default route in my firewall to point to my router
ipv6 route Outside ::/0 2001:4978:1d8:d000:20e:cff:feda:59db
Here is /etc/rc.conf
ipv6_network_interfaces="em0 lo0 gif1"
ipv6_gateway_enable="YES"
ipv6_defaultrouter="2001:470:1f10:2aa::1"
ipv6_ifconfig_em0="2001:4978:1d8:d000::9"
ipv6_prefix_em0="2001:4978:1d8:d000"
gif_interfaces="gif1"
gifconfig_gif1="12.199.185.10 209.51.181.2"
ipv6_ifconfig_gif1="2001:470:1f10:2aa::2/64"
Routing table from freebsd router:
Internet6:
Destination Gateway Flags Netif Expire
::/96 ::1 UGRS lo0 =>
default 2001:470:1f10:2aa::1 UGS gif1
::1 ::1 UHL lo0
::ffff:0.0.0.0/96 ::1 UGRS lo0
2001:470:1f10:2aa::/64 link#5 UC gif1
2001:470:1f10:2aa::1 link#5 UHLW gif1
2001:470:1f10:2aa::2 link#5 UHL lo0
2001:4978:1d8:c000::/64 2001:4978:1d8:d000:21d:a2ff:feaf:2ffd UGS em0
2001:4978:1d8:d000:: 00:0e:0c:da:59:db UHL lo0 =>
2001:4978:1d8:d000::/64 link#2 UC em0
2001:4978:1d8:d000::9 00:0e:0c:da:59:db UHL lo0
2001:4978:1d8:d000::10 00:1c:25:20:d2:be UHLW em0
2001:4978:1d8:d000:20e:cff:feda:59db 00:0e:0c:da:59:db UHL lo0
2001:4978:1d8:d000:21d:a2ff:feaf:2ffd 00:1d:a2:af:2f:ff UHLW em0
2001:4978:1d8:e000::/64 2001:4978:1d8:d000:21d:a2ff:feaf:2ffd UGS em0
2001:4978:1d8:f000::/64 2001:4978:1d8:d000:21d:a2ff:feaf:2ffd UGS em0
IPv6 access from the freebsd router works fine.
Thanks
Quote from: cholzhauer on October 13, 2009, 09:51:51 AM
I managed to get everything working, but now I'm unable to provide access for the rest of my subnet.
I am trying to use an IPv6 range assigned from Sixxs with this HE tunnel end point. Would that be the source of my problems?
Totally your problem: use Sixxs address space with Sixxs tunnels; don't mix the two. If you use our tunnel, use the statically routed /64 subnet we allocate when your tunnel is created.