
How to NAT IPv6 traffic to internal LAN?

Started by ngyurov, January 04, 2012, 05:07:44 AM


ngyurov

Hi,

I got an OpenBSD 5.0 router which is used as a NAT box for the internal LAN.
I got a working tunnel to HE.
Now, what rules do I need to be able to use IPv6 from the computers in the internal network?

cholzhauer

You don't need to do NAT.

If you have one subnet, use the routed /64 from your tunnel details page and use Router Advertisements to get the information to your other computers

ngyurov


k1mu

Quote from: ngyurov on January 04, 2012, 06:36:29 AM
But my internal LAN uses IPv4?
That doesn't matter. You have a NAT router between the Internet and your internal network; that supports the tunnel. On the internal network, set the IPv6 address of that NAT router to an address in your *routed* /64, and run radvd on that interface. The rest of the systems will autoconfigure themselves using SLAAC and route through the IPv4 NAT router.

Note that when you do this, those systems are on the Internet, exposed for whatever nefarious things people want to do.

ngyurov

Maybe I fooled you by using the term 'router'.
It is a usual OpenBSD box installed on a normal amd64 arch. that does NAT for my SOHO network. It's not a router device itself.

kriteknetworks

That doesn't matter, it's still capable of performing the routing function for IPv6 as described above.

cholzhauer

Quote
Maybe I fooled you by using the term 'router'.

You're talking about two different things...IPv6 can exist without IPv4 and vice versa.  Once you hand out IPv6 addresses with RADVD, all of your hosts are "magically" online and able to pass traffic

jrocha

Quote from: ngyurov on January 04, 2012, 06:50:11 AM
Maybe I fooled you by using the term 'router'.
It is a usual OpenBSD box installed on a normal amd64 arch. that does NAT for my SOHO network. It's not a router device itself.

It's a router because it routes traffic. It doesn't really matter what the hardware and software are. If it routes traffic, it's a router.

As has been said before, you don't need to fiddle with NAT for ipv6. With your tunnel you were given a "Routed /64". This is the subnet/prefix you will want to use on your internal LAN. Just configure your OpenBSD machine to run radvd configured with the "Routed /64" prefix on the internal interface, and ensure that the machine will forward ipv6 properly. Then all your internal systems should autoconfigure themselves with an address within that prefix and be able to talk ipv6 to the world.

ngyurov

Quote from: cholzhauer on January 04, 2012, 08:19:10 AM
Quote
Maybe I fooled you by using the term 'router'.

You're talking about two different things...IPv6 can exist without IPv4 and vice versa.  Once you hand out IPv6 addresses with RADVD, all of your hosts are "magically" online and able to pass traffic
Well, not exactly.
I start rtadvd and here is what happens when I enable IPv6 on my notebook WiFi interface:
add 2001:470:1f0b:1e1::/64 to prefix list on rl0
RA timer on rl0 is set to 16:0
set timer to 15:981483. waiting for inputs or timeout
received a routing message (type = 1, len = 216)
set timer to 8:296603. waiting for inputs or timeout
received a routing message (type = 1, len = 216)
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:222003. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
received a routing message (type = 1, len = 216)
set timer to 14:959661. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:395766. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
received a routing message (type = 1, len = 216)
set timer to 13:879588. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:44002. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 474:0
set timer to 474:0. waiting for inputs or timeout

Any ideas why it doesn't wanna work?

Btw, if I manually configure rl0 and the wifi card with v6 IP addresses I got v6 connectivity on the notebook.

nickbeee

You do need to assign an IPv6 address from your routed /64 to your LAN rl0. It would be helpful if you posted what you have in your rtadvd.conf, hostname.rl0 and other relevant configuration files. What OS are your WiFi LAN hosts using?

I found this blog post very helpful when configuring OpenBSD as a tunnel endpoint/router for IPv6:
http://canonical.wordpress.com/2008/07/02/ipv6-enabled-home-network-with-openbsd/
Nick B.

Tunnelling with [Open|Net|Free]BSD and IOS.
IPv6 courtesy of HE and Sixxs.

ngyurov

You'd think... :)
I did follow exactly that post :=\
My rtadvd.conf is like from the post but without setting raflags as I wanna try it without DHCP (for v6).
rl0 has an assigned IP from my routed subnet and as I already said - if I configure the internal client with IP from the same route subnet - IPv6 connectivity works.
Client OS is Win7 Ultimate x64.

Jim Whitby

Quote from: ngyurov on January 13, 2012, 06:02:21 AM
<snip>
My rtadvd.conf is like from the post but without setting raflags as I wanna try it without DHCP (for v6).
rl0 has an assigned IP from my routed subnet and as I already said - if I configure the internal client with IP from the same route subnet - IPv6 connectivity works.
<snip>.

I really hate showing my ignorance, but.
I don't understand what you are trying to do. You have (turned off, unset, not used) raflags?

You don't want to use DHCP, OK. Got that.

If static assignment works, then I would expect it to be a radvd config problem or radvd isn't really running.

Two things:

Show the complete radvd.conf file.
Show the output of radvdump.

Please, help educate me.

ngyurov

# cat /etc/rtadvd.conf
rl0:\
        :addr="2001:470:1f0b:1e1::":prefixlen#64:
#


I don't have radvdump on OpenBSD. But here is part of what happens. Here I'm running rtadvd in no-daemonize mode:

# /usr/sbin/rtadvd -d rl0
RA timer on rl0 is set to 16:0
set timer to 15:998913. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 0
RA timer on rl0 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
received a routing message (type = 1, len = 216)
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:228039. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:382903. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 495:0
set timer to 495:0. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:292628. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 533:0
set timer to 533:0. waiting for inputs or timeout

If I remember correctly - with rtadvd working, I don't need to assign IPv6 IPs on the machines in the subnet, they will get one automatically, right?

nickbeee

There don't appear to be any RA (router advertisement) messages in your debug. I am seeing RS (router solicitation) messages from your host though. You don't appear to be calling rtadvd with the -s parameter so it will only send RAs based on what is present in the routing table. Adding the -s flag will cause it to advertise what you have configured in rtadvd.conf.

Here is a sample of mine - NetBSD router with OSX host. NetBSD's rtadvd has slightly different command line arguments but the -s works the same.


wapak$ sudo rtadvd -Dfs vr1

rtadvd[1595]: <main> set timer to 15:999155. waiting for inputs or timeout
rtadvd[1595]: <ra_timeout> RA timer on vr1 is expired
rtadvd[1595]: <ra_output> send RA on vr1, # of waitings = 0
rtadvd[1595]: <ra_timer_update> RA timer on vr1 is set to 16:0
rtadvd[1595]: <main> set timer to 16:0. waiting for inputs or timeout
rtadvd[1595]: <ra_input> RA received from fe80::211:d8ff:fe5a:7c49 on vr1  <------------------ RA from router
rtadvd[1595]: <main> set timer to 15:998567. waiting for inputs or timeout
rtadvd[1595]: <ra_timeout> RA timer on vr1 is expired
rtadvd[1595]: <ra_output> send RA on vr1, # of waitings = 0
rtadvd[1595]: <ra_timer_update> RA timer on vr1 is set to 16:0
rtadvd[1595]: <main> set timer to 16:0. waiting for inputs or timeout
rtadvd[1595]: <ra_input> RA received from fe80::211:d8ff:fe5a:7c49 on vr1
rtadvd[1595]: <main> set timer to 15:998796. waiting for inputs or timeout
rtadvd[1595]: <rs_input> RS received from fe80::219:e3ff:fe06:dc19 on vr1 <------------------- RS from host
rtadvd[1595]: <main> set timer to 0:58329. waiting for inputs or timeout
rtadvd[1595]: <ra_timeout> RA timer on vr1 is expired
rtadvd[1595]: <ra_output> send RA on vr1, # of waitings = 1
rtadvd[1595]: <ra_timer_update> RA timer on vr1 is set to 495:0
rtadvd[1595]: <main> set timer to 495:0. waiting for inputs or timeout
rtadvd[1595]: <ra_input> RA received from fe80::211:d8ff:fe5a:7c49 on vr1
rtadvd[1595]: <main> set timer to 494:998925. waiting for inputs or timeout


Here is rtadvd.conf


#
# Interface vr1 has the "other stateful configuration" flag bit set.
# This is to allow DNS server to be assigned via dhcp6.
vr1:\
        :addr="2001:db8:1f11:1111::":prefixlen#64:raflags#64:


When you solve the RA issue then your W7 host should statelessly configure itself with the EUI-64 address plus additional random privacy addresses in the same /64. Then you need to consider what to do about assigning DNS servers.

I use DHCP in stateless mode - purely to assign the DNS server. You may already be assigning DNS manually on your W7 host (I've had varied success in my limited experience with W7).

HTH,
Nick B.

Tunnelling with [Open|Net|Free]BSD and IOS.
IPv6 courtesy of HE and Sixxs.
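The diagnosis above comes down to reading the rtadvd debug output: which RSs arrive, which RAs go out, and whether any RA arrives from another router on the link. The following added example (not code from the thread, OpenBSD or NetBSD) parses both the OpenBSD `rtadvd -d` and the NetBSD `rtadvd -Dfs` line formats shown in this thread and reports the three things a reader would look for: an interface that never sends an RA, a host that keeps soliciting even though RAs are being sent (the pattern in ngyurov's log, which points at the RA content rather than at delivery), and RAs received from a router address you did not list, which deserves a look since any node on the link can advertise a prefix. The sample log, the `repeat_threshold` of 3 and the `known_routers` parameter are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: an abridged copy of the `rtadvd -d rl0` debug output quoted
# earlier in this thread, trimmed to the lines that matter for the diagnosis.
SAMPLE_OPENBSD_LOG = """\
RA timer on rl0 is set to 16:0
RA timer on rl0 is expired
send RA on rl0, # of waitings = 0
RS received from fe80::1164:73c5:825b:a0e9 on rl0
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RS received from fe80::1164:73c5:825b:a0e9 on rl0
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RS received from fe80::1164:73c5:825b:a0e9 on rl0
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 533:0
"""

# NetBSD's rtadvd prefixes every line with "rtadvd[pid]: <function> "; strip it
# so both flavours of output are parsed by the same patterns.
PREFIX_RE = re.compile(r"^rtadvd\[\d+\]:\s*<\w+>\s*")
RA_SENT_RE = re.compile(r"\bsend RA on (\w+)")
RS_RE = re.compile(r"\bRS received from (\S+) on (\w+)")
RA_RECV_RE = re.compile(r"\bRA received from (\S+) on (\w+)")


def parse_rtadvd_debug(text):
    """Per interface: RAs sent, RAs received (per sender) and RSs received (per host)."""
    stats = defaultdict(lambda: {"ra_sent": 0, "ra_received": Counter(), "rs": Counter()})
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw.strip())
        m = RA_SENT_RE.search(line)
        if m:
            stats[m.group(1)]["ra_sent"] += 1
            continue
        m = RS_RE.search(line)
        if m:
            stats[m.group(2)]["rs"][m.group(1)] += 1
            continue
        m = RA_RECV_RE.search(line)
        if m:
            stats[m.group(2)]["ra_received"][m.group(1)] += 1
    return dict(stats)


def diagnose(stats, repeat_threshold=3, known_routers=()):
    """Turn the counters into human-readable findings (empty list means nothing odd)."""
    findings = []
    for ifname, s in sorted(stats.items()):
        if s["ra_sent"] == 0:
            findings.append(f"{ifname}: no RA was sent; hosts can only learn the prefix from an RA")
        for host, n in sorted(s["rs"].items()):
            # A host stops soliciting once it accepts an RA, so repeated RSs after
            # RAs were sent suggest the RA does not carry what the host needs
            # (the thread's suggestion: run rtadvd with -s so rtadvd.conf is used).
            if n >= repeat_threshold and s["ra_sent"] > 0:
                findings.append(
                    f"{ifname}: {host} solicited {n} times although {s['ra_sent']} RAs were sent; "
                    "check that the RA actually carries the configured prefix (rtadvd -s)")
        for router, n in sorted(s["ra_received"].items()):
            # Any node on the link can send an RA; an unlisted advertiser is worth confirming.
            if router not in known_routers:
                findings.append(
                    f"{ifname}: {n} RA(s) received from {router}, not a router you listed; confirm it is legitimate")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_rtadvd_debug(SAMPLE_OPENBSD_LOG)):
        print(finding)
```

Run it over a saved copy of `rtadvd -d` output; with the sample above it reports the single finding that the notebook's link-local address solicited three times while four RAs went out. Pass your own router's link-local address in `known_routers` so its RAs are not flagged.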

Jim Whitby

I can't say if your radvd.conf is correct or not.
I can say it's different from mine.

This is what mine looks like and works.


interface eth0
{
  AdvSendAdvert on;
  AdvLinkMTU 1280;
  prefix 2001:470:5:6cd::/64
  {
    AdvOnLink on;
    AdvAutonomous on;
  };
};

I would suggest you change the interface name and prefix to be what yours are and give it a try.

Is forwarding enabled for ipv6?

From "man radvd":

Note that if debugging is not enabled, radvd will not start if IPv6 forwarding is disabled. IPv6 forwarding can be controlled via sysctl(8), net.ipv6.conf.all.forwarding on Linux or net.inet6.ip6.forwarding on BSD.

Similarly, the configuration file must not be writable by others, and if non-root operation is requested, not even by self/own group.

If you haven't done so. Read the man page for radvd and radvd.conf.

Hope some of this helps.

Jim
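The procedure laid out in this thread (jrocha: put the routed /64 on the LAN interface, advertise it, enable forwarding; nickbeee: hosts then derive an EUI-64 address from their MAC plus privacy addresses; Jim: check the forwarding sysctl) can be previewed before touching the router. The added example below is not code from the thread, OpenBSD or the HE tunnel broker: it checks that the prefix really is a /64 on a network boundary (the form SLAAC needs), shows the EUI-64 address a given host MAC will end up with, which makes visible why the MAC-derived address is considered a privacy issue and why Windows also uses random addresses, and renders the config fragments for the OpenBSD side. The prefix is the one posted in the thread; the MAC is constructed; the `/etc/hostname.if` line format and the `rtadvd_flags` variable in `/etc/rc.conf.local` are assumed from OpenBSD's hostname.if(5) and rc.conf(8) and should be checked against the installed release.

```python
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC:
    split the MAC in two, insert 0xfffe in the middle and flip the universal/local bit."""
    octets = [int(x, 16) for x in mac.replace("-", ":").split(":")]
    if len(octets) != 6 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a 48-bit MAC: {mac}")
    octets[0] ^= 0x02
    return bytes(octets[:3] + [0xFF, 0xFE] + octets[3:])


def prefix_is_usable(prefix):
    """SLAAC needs exactly a /64, written on its network boundary (no host bits set)."""
    try:
        net = ipaddress.IPv6Network(prefix, strict=True)
    except ValueError:
        return False
    return net.prefixlen == 64


def slaac_address(prefix, mac):
    """Address a host derives from the advertised /64 and its MAC (without privacy extensions)."""
    if not prefix_is_usable(prefix):
        raise ValueError(f"prefix must be a /64 on a network boundary: {prefix}")
    net = ipaddress.IPv6Network(prefix)
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def render_openbsd_config(ifname, prefix, router_host=1, raflags=None):
    """Config fragments for the LAN side of the OpenBSD router, keyed by file.
    The rtadvd.conf entry follows the one posted in the thread; hostname.if and
    rc.conf.local formats are assumptions (see the lead-in)."""
    if not prefix_is_usable(prefix):
        raise ValueError(f"prefix must be a /64 on a network boundary: {prefix}")
    net = ipaddress.IPv6Network(prefix)
    entry = f'{ifname}:\\\n\t:addr="{net.network_address}":prefixlen#{net.prefixlen}:'
    if raflags is not None:
        # raflags#64 sets the "other stateful configuration" bit, as in nickbeee's file
        entry += f"raflags#{raflags}:"
    return {
        f"/etc/hostname.{ifname}": f"inet6 {net.network_address + router_host} 64",
        "/etc/rtadvd.conf": entry,
        # -s makes rtadvd advertise what rtadvd.conf says (nickbeee's suggestion)
        "/etc/rc.conf.local": f'rtadvd_flags="-s {ifname}"',
        "/etc/sysctl.conf": "net.inet6.ip6.forwarding=1",
    }


if __name__ == "__main__":
    prefix = "2001:470:1f0b:1e1::/64"          # routed /64 from the thread
    print("host 00:11:22:33:44:55 gets", slaac_address(prefix, "00:11:22:33:44:55"))
    for path, body in render_openbsd_config("rl0", prefix).items():
        print(f"--- {path}\n{body}")
```

The strict prefix check is what catches the two common slips: handing rtadvd the /48 instead of the routed /64, or writing the router's own address (`...::1/64`) where the prefix belongs.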