Hello,
I have an OpenBSD (4.6-current) Soekris router/packetfilter with three interfaces consisting of an external vr1 (to comcastic), an internal LAN, vr2 10.22.1.0/24, and a DMZ LAN, vr0 172.18.1.0/24.
I am running rtadvd on the gateway with this configuration which allows the 10.22.1.0/24 to ping6 ipv6.he.net etc.
What must I do to allow my DMZ net systems to utilize the same ip6 tunnel that my internal LAN is using? As it stands, if I start another rtadvd on the DMZ interface then my internal LAN cannot get through the tunnel and the DMZ systems can. It's like one or the other.
My firewall rules should be fine because both nets can talk to the tunnel broker just not at the same time.
Here are the configurations for the router and its interfaces:
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c9:58:d0
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 172.18.1.1 netmask 0xffffff00 broadcast 172.18.1.255
inet6 fe80::200:24ff:fec9:58d0%vr0 prefixlen 64 scopeid 0x1
inet6 2001:470:1f0f:39f:200:24ff:fec9:58d0 prefixlen 64 autoconf pltime 604519 vltime 2591719
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c9:58:d1
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::200:24ff:fec9:58d1%vr1 prefixlen 64 scopeid 0x2
inet 98.196.132.150 netmask 0xfffffc00 broadcast 255.255.255.255
vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c9:58:d2
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 10.22.1.1 netmask 0xffffff00 broadcast 10.22.1.255
inet6 fe80::200:24ff:fec9:58d2%vr2 prefixlen 64 scopeid 0x3
inet6 2001:470:1f0f:39f:200:24ff:fec9:58d2 prefixlen 64 autoconf pltime 604519 vltime 2591719
rtadvd.conf
# cat /etc/rtadvd.conf
default:\
:addr="2001:470:1f0f:39f::2":prefixlen#64:raflags#64:
I start rtadvd by
#rtadvd vr2
When I do this my internal network behind the vr2 interface (10.22.1.0/24 net) can ping6 yah yah..
I start another rtadvd on interface vr0 (for my DMZ 172.18.1.0/24) using
#rtadvd vr0
and then after a little while the vr0 network can ping6 yah yah but not the network behind the vr2 interface. Yin and yang.
What is the correct way to allow two networks to use the tunnel? Is this possible?
Thanks
Matt
You need to request a /48 and use /64 subnets of that for your LANs.
HE only gives you a single /64 by default which is enough for a single IPv6 LAN (if you follow the /64 longest prefix convention). For more than one, go into your tunnel properties on the site and click the "Allocate /48" link. HE will assign one to you, then you can subnet out on that (you can still use the original /64 too).
Jim's right. After doing that, you would then need to add a second line to your radvd.conf file to advertise that network.
The only other thing I could see you doing is somehow bridging the interfaces for IPv6 but not for IPv4. Not sure if it is easy to configure.
Hello, thanks for the information but I'm still a little confused. I created a /48 tunnel and have these now:
2001:470:1f0f:39f::/64
2001:470:b84a::/48
I used the automagic configuration generator on the site to create this gif interface on the fw
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
priority: 0
groups: gif egress
physical address inet 98.196.132.150 --> 216.218.224.42
inet6 fe80::200:24ff:fec9:58d0%gif0 -> prefixlen 64 scopeid 0x9
inet6 2001:470:1f0e:39f::2 -> 2001:470:1f0e:39f::1 prefixlen 128
Do I need to add another gif interface for the /48 somehow as well?
My current rtadvd.conf looks like
# cat /etc/rtadvd.conf
default:\
:addr="2001:470:1f0f:39f::2":prefixlen#64:raflags#64:
vr0:\
:addr="2001:470:b84a::2":prefixlen#48:raflags#48:
I start rtadvd only once now I guess, because my vr0 interface is defined in the config file, right? I'm sure it's wrong too:
# rtadvd -d -c /etc/rtadvd.conf vr2
Could not parse configuration file for vr2 or the configuration file doesn't exist. Treat it as default
add 2001:470:1f0f:39f::/64 to prefix list on vr2
RA timer on vr2 is set to 16:0
set timer to 15:995402. waiting for inputs or timeout
RA timer on vr2 is expired
send RA on vr2, # of waitings = 0
RA timer on vr2 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
RA received from fe80::200:24ff:fec9:58d2 on vr2
set timer to 15:997494. waiting for inputs or timeout
RA timer on vr2 is expired
send RA on vr2, # of waitings = 0
RA timer on vr2 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
RA received from fe80::200:24ff:fec9:58d2 on vr2
set timer to 15:997839. waiting for inputs or timeout
Interfaces:
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c9:58:d0
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::200:24ff:fec9:58d0%vr0 prefixlen 64 scopeid 0x1
inet6 2001:470:1f0f:39f:200:24ff:fec9:58d0 prefixlen 64 detached autoconf pltime 523068 vltime 2510268
inet 63.123.155.104 netmask 0xff000000 broadcast 63.123.155.104
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c9:58:d1
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::200:24ff:fec9:58d1%vr1 prefixlen 64 scopeid 0x2
inet 98.196.132.150 netmask 0xfffffc00 broadcast 255.255.255.255
vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c9:58:d2
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 10.22.1.1 netmask 0xffffff00 broadcast 10.22.1.255
inet6 fe80::200:24ff:fec9:58d2%vr2 prefixlen 64 scopeid 0x3
inet6 2001:470:1f0f:39f:200:24ff:fec9:58d2 prefixlen 64 autoconf pltime 604759 vltime 2591959
What does it take to allow the vr0 network onto IPv6? vr2 (10.22.1.0/24) can talk fine.
Thanks for taking the time to reply.
You need to break the /48 into separate /64s.
For instance:
2001:470:1f0f:39f::/64 LAN (If this is the routed /64 ... NOT the client IPv6)
2001:470:b84a::/64 DMZ
2001:470:b84a:1::/64 Some other network
2001:470:b84a:2::/64 Yet another network
(this is presuming the first is your routed /64).
You need to have a basic understanding of IP routing.
Quote
I used the automagic configuration generator on the site to create this gif interface on the fw
I haven't seen that... do you have a link?
Jimb...do you ever sleep? Or are you one of those mechanical beings sent from the future? ;)
Quote from: cholzhauer on February 05, 2010, 05:10:15 AM
Quote
I used the automagic configuration generator on the site to create this gif interface on the fw
I haven't seen that... do you have a link?
Jimb...do you ever sleep? Or are you one of those mechanical beings sent from the future? ;)
He's just talking about the "Show Config" button thingy. Not sure what you mean about sleeping. That last message was about 11PM my local time (SF Bay Area, USA).
oh, for some reason i thought you were on the east coast
Nope. That's OK. Your name had me thinking you were from Europe, not Ohio. :P
Haha yeah well. I haven't run into many people who know what it is, much less can pronounce it correctly. One took me by surprise... I was checking out at Lowe's and the cashier said it like it was nothing... I must have had a surprised look on my face because he said he took four years of German in HS.
Hi,
Still having some problems with using ipv6 tunnel on two subnets. This is what I have so far from interfaces on my firewall:
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c9:58:d0
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::200:24ff:fec9:58d0%vr0 prefixlen 64 scopeid 0x1
inet6 2001:470:1f0f:39f:200:24ff:fec9:58d0 prefixlen 64 detached autoconf pltime 180920 vltime 2168120
inet 172.18.1.1 netmask 0xffffff00 broadcast 172.18.1.255
inet6 2001:470:b84a::1 prefixlen 64
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c9:58:d1
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::200:24ff:fec9:58d1%vr1 prefixlen 64 scopeid 0x2
inet 98.196.132.150 netmask 0xfffffc00 broadcast 255.255.255.255
vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c9:58:d2
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 10.22.1.1 netmask 0xffffff00 broadcast 10.22.1.255
inet6 fe80::200:24ff:fec9:58d2%vr2 prefixlen 64 scopeid 0x3
inet6 2001:470:1f0f:39f:200:24ff:fec9:58d2 prefixlen 64 autoconf pltime 604515 vltime 2591715
# cat /etc/rtadvd.conf
default:\
:addr="2001:470:1f0f:39f::2":prefixlen#64:raflags#64:
vr0:\
:addr="2001:470:b84a::1":prefixlen#48:raflags#48:
For some reason my DMZ interface looks like it is getting assigned two IPs. Anyway, the systems behind vr2 (10.22.1.0/24) can use the tunnel just fine. The DMZ (172.18.1.0/24) LAN still cannot. As a matter of fact, they do not appear to even get assigned an IP address.
Here is an rtsol output from a box on the DMZ.
# rtsol em0
get_llflag() failed, anyway I'll try
sendmsg on em0: Can't assign requested address
sendmsg on em0: Can't assign requested address
sendmsg on em0: Can't assign requested address
I launched rtadvd from the firewall and use the internal LAN interface, which starts up but appears to have some error; however, internal LAN systems get IP addresses and can ping out fine. Something is not quite right in more than one place, in rtadvd.conf and the IP assignment on the DMZ interface, I'm sure.... just not sure WHAT.
# rtadvd -d vr2
Could not parse configuration file for vr2 or the configuration file doesn't exist. Treat it as default
add 2001:470:1f0f:39f::/64 to prefix list on vr2
RA timer on vr2 is set to 16:0
set timer to 15:977300. waiting for inputs or timeout
RA timer on vr2 is expired
send RA on vr2, # of waitings = 0
RA received from fe80::200:24ff:fec9:58d2 on vr2
Thanks for any nudge. ugh.
First, for whatever reason, you are getting two IPv6s on your DMZ interface (vr0). It looks like it's being autoconfigured, so either you have another router advertising the prefix on that LAN, or the rtadvd running on the box itself is actually causing an address to be autoconfed on that interface. Or it's left over from before (maybe you haven't rebooted).
Set a static IPv6 /64 address from your /48 (looks like you did that already). You need to advertise a /64 out of your /48 on the vr0 interface. Advertise the prefix 2001:470:b84a::/64 not the whole /48.
On your LAN interface (vr2 presumably), set a static IPv6 from your routed /64. Advertise your routed /64 on the vr2 interface only ("default" might mean all interfaces, but I don't know rtadvd conf file syntax since I don't run a BSD IPv6 router at the moment).
For example, set the IPv6 "2001:470:1f0f:39f::1/64" on vr2, but advertise "2001:470:1f0f:39f::/64". Set "2001:470:b84a::1/64" on vr0 (you may have already done this), but advertise "2001:470:b84a::/64" (this is /64 subnet-zero of your /48; if you had a 4th LAN, you could use, say, 2001:470:b84a:1::/64 on it, :2:: on a 5th, etc. You have 65,536 subnets to work with on your /48).
Ensure that your router interfaces don't autoconfigure by doing whatever is needed in rtadvd.conf file. Use statics. I suppose there might be a way to have them autoconfig and have rtadvd still announcing on them, but that seems a bit of an "unnatural act" to me.
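As an added example, not part of the thread and not the poster's or HE's code: a small Python checker that parses the termcap-style rtadvd.conf quoted above and applies the rule from the replies, namely that each advertised prefix must be a /64 taken from either the routed /64 or the allocated /48 (the two allocations are the ones quoted in the thread; the function names are mine). It flags the vr0 entry's prefixlen#48 and shows which /64 each router address should actually advertise, plus how the /48 splits into per-LAN /64s.

```python
import ipaddress
import re
from itertools import islice

# Allocations quoted in the thread: the routed /64 and the requested /48.
ROUTED_64 = ipaddress.IPv6Network("2001:470:1f0f:39f::/64")
ALLOC_48 = ipaddress.IPv6Network("2001:470:b84a::/48")

# The rtadvd.conf as posted in the thread (termcap style), embedded as a string.
RTADVD_CONF = r"""
default:\
:addr="2001:470:1f0f:39f::2":prefixlen#64:raflags#64:
vr0:\
:addr="2001:470:b84a::1":prefixlen#48:raflags#48:
"""

def parse_rtadvd(text):
    """Return {entry_name: (addr, prefixlen)} from termcap-style rtadvd.conf text."""
    joined = text.replace("\\\n", "")  # fold backslash-continued records into one line
    entries = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, caps = line.partition(":")  # "vr0::addr=...:" -> name "vr0"
        addr = re.search(r'addr="([^"]+)"', caps)
        plen = re.search(r"prefixlen#(\d+)", caps)
        if addr and plen:
            entries[name] = (addr.group(1), int(plen.group(1)))
    return entries

def check_entry(addr, prefixlen):
    """List the problems with one advertised prefix (an empty list means it is fine)."""
    problems = []
    if prefixlen != 64:
        problems.append(f"prefixlen#{prefixlen}: hosts only autoconf from a /64")
    net = ipaddress.IPv6Network(f"{addr}/{prefixlen}", strict=False)
    if not (net.subnet_of(ROUTED_64) or net.subnet_of(ALLOC_48)):
        problems.append(f"{net} is outside the routed /64 and the allocated /48")
    return problems

def suggested_prefix(addr):
    """The /64 a router address should advertise: its network bits with host bits zeroed."""
    return str(ipaddress.IPv6Network(f"{addr}/64", strict=False))

def dmz_subnets(count):
    """The first `count` /64s carved from the /48, one per additional LAN."""
    return [str(n) for n in islice(ALLOC_48.subnets(new_prefix=64), count)]
```

Run `check_entry(*parse_rtadvd(RTADVD_CONF)["vr0"])` to see the complaint about the /48, and `dmz_subnets(3)` for the subnet-zero, :1:: and :2:: networks from the reply above.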