
only one subnet can work at a time on a 3-leg openbsd gateway

Started by mbettinger, February 01, 2010, 08:48:13 PM


mbettinger

Hello,

I have an OpenBSD (4.6-current) Soekris router/packet filter with three interfaces consisting of an external vr1 (to comcastic), an internal LAN, vr2 10.22.1.0/24, and a DMZ LAN, vr0 172.18.1.0/24.

I am running rtadvd on the gateway with this configuration which allows the 10.22.1.0/24 to ping6 ipv6.he.net etc.

What must I do to allow my DMZ net systems to utilize the same ip6 tunnel that my internal LAN is using? As it stands, if I start another rtadvd on the DMZ interface then my internal LAN cannot get through the tunnel and the DMZ systems can. It's like one or the other.

My firewall rules should be fine because both nets can talk to the tunnel broker just not at the same time.

Here are the configurations for the router and its interfaces:

vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       lladdr 00:00:24:c9:58:d0
       priority: 0
       media: Ethernet autoselect (100baseTX full-duplex)
       status: active
       inet 172.18.1.1 netmask 0xffffff00 broadcast 172.18.1.255
       inet6 fe80::200:24ff:fec9:58d0%vr0 prefixlen 64 scopeid 0x1
       inet6 2001:470:1f0f:39f:200:24ff:fec9:58d0 prefixlen 64 autoconf pltime 604519 vltime 2591719
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       lladdr 00:00:24:c9:58:d1
       priority: 0
       groups: egress
       media: Ethernet autoselect (100baseTX full-duplex)
       status: active
       inet6 fe80::200:24ff:fec9:58d1%vr1 prefixlen 64 scopeid 0x2
       inet 98.196.132.150 netmask 0xfffffc00 broadcast 255.255.255.255
vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       lladdr 00:00:24:c9:58:d2
       priority: 0
       media: Ethernet autoselect (100baseTX full-duplex)
       status: active
       inet 10.22.1.1 netmask 0xffffff00 broadcast 10.22.1.255
       inet6 fe80::200:24ff:fec9:58d2%vr2 prefixlen 64 scopeid 0x3
       inet6 2001:470:1f0f:39f:200:24ff:fec9:58d2 prefixlen 64 autoconf pltime 604519 vltime 2591719

rtadvd.conf

# cat /etc/rtadvd.conf
default:\
       :addr="2001:470:1f0f:39f::2":prefixlen#64:raflags#64:

I start rtadvd by

#rtadvd vr2

When I do this  my internal network behind the vr2 interface (10.22.1.0/24 net) can ping6 yah yah..

I start another rtadvd on interface vr0 (for my DMZ 172.18.1.0/24)  using

#rtadvd vr0    

and then after a little while the vr0 network can ping6 yah yah but not the network behind the vr2 interface.  ying and tang.

What is the correct way to allow two networks to use the tunnel? Is this possible?

Thanks

Matt

jimb

You need to request a /48 and use /64 subnets of that for your LANs.  

HE only gives you a single /64 by default which is enough for a single IPv6 LAN (if you follow the /64 longest prefix convention).  For more than one, go into your tunnel properties on the site and click the "Allocate /48" link.  HE will assign one to you, then you can subnet out on that (you can still use the original /64 too).

cholzhauer

Jim's right. After doing that, you would then need to add a second line to your radvd.conf file to advertise that network.

bombcar

The only other thing I could see you doing is somehow bridging the interfaces for IPv6 but not for IPv4. Not sure if it is easy to configure.

mbettinger

Hello, thanks for the information, but I'm still a little confused. I created a /48 tunnel and have these now:

2001:470:1f0f:39f::/64   
2001:470:b84a::/48   

I used the automagic configuration generator on the site to create this gif interface on the fw:

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        priority: 0
        groups: gif egress
        physical address inet 98.196.132.150 --> 216.218.224.42
        inet6 fe80::200:24ff:fec9:58d0%gif0 ->  prefixlen 64 scopeid 0x9
        inet6 2001:470:1f0e:39f::2 -> 2001:470:1f0e:39f::1 prefixlen 128


Do I need to add another gif interface for the /48 somehow as well?

My current rtadvd.conf looks like

# cat /etc/rtadvd.conf
default:\
        :addr="2001:470:1f0f:39f::2":prefixlen#64:raflags#64:
vr0:\
        :addr="2001:470:b84a::2":prefixlen#48:raflags#48:


I start rtadvd only once now, I guess, because my vr0 interface is defined in the config file, right? I'm sure it's wrong too:

# rtadvd -d -c /etc/rtadvd.conf vr2
Could not parse configuration file for vr2 or the configuration file doesn't exist. Treat it as default
add 2001:470:1f0f:39f::/64 to prefix list on vr2
RA timer on vr2 is set to 16:0
set timer to 15:995402. waiting for inputs or timeout
RA timer on vr2 is expired
send RA on vr2, # of waitings = 0
RA timer on vr2 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
RA received from fe80::200:24ff:fec9:58d2 on vr2
set timer to 15:997494. waiting for inputs or timeout
RA timer on vr2 is expired
send RA on vr2, # of waitings = 0
RA timer on vr2 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
RA received from fe80::200:24ff:fec9:58d2 on vr2
set timer to 15:997839. waiting for inputs or timeout


Interfaces:

vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c9:58:d0
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::200:24ff:fec9:58d0%vr0 prefixlen 64 scopeid 0x1
        inet6 2001:470:1f0f:39f:200:24ff:fec9:58d0 prefixlen 64 detached autoconf pltime 523068 vltime 2510268
        inet 63.123.155.104 netmask 0xff000000 broadcast 63.123.155.104
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c9:58:d1
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::200:24ff:fec9:58d1%vr1 prefixlen 64 scopeid 0x2
        inet 98.196.132.150 netmask 0xfffffc00 broadcast 255.255.255.255
vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c9:58:d2
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.22.1.1 netmask 0xffffff00 broadcast 10.22.1.255
        inet6 fe80::200:24ff:fec9:58d2%vr2 prefixlen 64 scopeid 0x3
        inet6 2001:470:1f0f:39f:200:24ff:fec9:58d2 prefixlen 64 autoconf pltime 604759 vltime 2591959


What does it take to allow the vr0 network onto ipv6? vr2 (10.22.1.0/24) can talk fine.

Thanks for taking the time to reply. ???

jimb

You need to break the /48 into separate /64s.

For instance:  

2001:470:1f0f:39f::/64 LAN (If this is the routed /64 ... NOT the client IPv6)
2001:470:b84a::/64 DMZ
2001:470:b84a:1::/64 Some other network
2001:470:b84a:2::/64 Yet another network

(this is presuming the first is your routed /64).

You need to have a basic understanding of IP routing.

cholzhauer

Quote
I used the automagic  configuration generator on the site to create this gif interface on the fw

I haven't seen that... do you have a link?

Jimb...do you ever sleep?  Or are you one of those mechanical beings sent from the future? ;)

jimb

Quote from: cholzhauer on February 05, 2010, 05:10:15 AM
Quote
I used the automagic  configuration generator on the site to create this gif interface on the fw

I haven't seen that... do you have a link?

Jimb...do you ever sleep?  Or are you one of those mechanical beings sent from the future? ;)
He's just talking about the "Show Config" button thingy. Not sure what you mean about sleeping. That last message was about 11PM my local time (SF Bay Area, USA).

cholzhauer


jimb

Nope. That's OK. Your name had me thinking you were from Europe, not Ohio. :P

cholzhauer

Haha, yeah, well. I haven't run into many people who know what it is, much less can pronounce it correctly. One took me by surprise... I was checking out at Lowe's and the cashier said it like it was nothing... I must have had a surprised look on my face because he said he took four years of German in HS.

mbettinger

Hi,

Still having some problems with using the ipv6 tunnel on two subnets. This is what I have so far from the interfaces on my firewall:

vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c9:58:d0
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::200:24ff:fec9:58d0%vr0 prefixlen 64 scopeid 0x1
        inet6 2001:470:1f0f:39f:200:24ff:fec9:58d0 prefixlen 64 detached autoconf pltime 180920 vltime 2168120
        inet 172.18.1.1 netmask 0xffffff00 broadcast 172.18.1.255
        inet6 2001:470:b84a::1 prefixlen 64
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c9:58:d1
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::200:24ff:fec9:58d1%vr1 prefixlen 64 scopeid 0x2
        inet 98.196.132.150 netmask 0xfffffc00 broadcast 255.255.255.255
vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c9:58:d2
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.22.1.1 netmask 0xffffff00 broadcast 10.22.1.255
        inet6 fe80::200:24ff:fec9:58d2%vr2 prefixlen 64 scopeid 0x3
        inet6 2001:470:1f0f:39f:200:24ff:fec9:58d2 prefixlen 64 autoconf pltime 604515 vltime 2591715

# cat /etc/rtadvd.conf
default:\
        :addr="2001:470:1f0f:39f::2":prefixlen#64:raflags#64:
vr0:\
        :addr="2001:470:b84a::1":prefixlen#48:raflags#48:


For some reason my DMZ interface looks like it is getting assigned two IPs. Anyway, the systems behind vr2 (10.22.1.0/24) can use the tunnel just fine. The DMZ (172.18.1.0/24) LAN still cannot. As a matter of fact, they do not appear to even get assigned an IP address.

Here is the rtsol output from a box on the DMZ:

# rtsol em0
get_llflag() failed, anyway I'll try
sendmsg on em0: Can't assign requested address
sendmsg on em0: Can't assign requested address
sendmsg on em0: Can't assign requested address


I launched rtadvd from the firewall using the internal LAN interface, which starts up but appears to have some error; however, internal LAN systems get an IP address and can ping out fine. Something is not quite right in more than one place, in rtadvd.conf and the IP assignment on the DMZ interface, I'm sure... just not sure WHAT.

# rtadvd -d vr2
Could not parse configuration file for vr2 or the configuration file doesn't exist. Treat it as default
add 2001:470:1f0f:39f::/64 to prefix list on vr2
RA timer on vr2 is set to 16:0
set timer to 15:977300. waiting for inputs or timeout
RA timer on vr2 is expired
send RA on vr2, # of waitings = 0
RA received from fe80::200:24ff:fec9:58d2 on vr2


Thanks for any nudge. Ugh.

jimb

First, for whatever reason, you are getting two IPv6s on your DMZ interface (vr0). It looks like it's being autoconfigured, so either you have another router advertising the prefix on that LAN, or the rtadvd running on the box itself is actually causing an address to be autoconfed on that interface. Or it's left over from before (maybe you haven't rebooted).

Set a static IPv6 /64 address from your /48 (looks like you did that already).  You need to advertise a /64 out of your /48 on the vr0 interface.  Advertise the prefix 2001:470:b84a::/64 not the whole /48.

On your LAN interface (vr2 presumably), set a static IPv6 from your routed /64.  Advertise your routed /64 on the vr2 interface only ("default" might mean all interfaces, but I don't know rtadvd conf file syntax since I don't run a BSD IPv6 router at the moment).

For example, set the IPv6 "2001:470:1f0f:39f::1/64" on vr2, but advertise "2001:470:1f0f:39f::/64".  Set "2001:470:b84a::1/64" on vr0 (you may have already done this), but advertise "2001:470:b84a::/64" (this is /64 subnet-zero of your /48, if you had a 4th LAN, you could use, say 2001:470:b84a:1::/64 on it, :2:: on a 5th, etc, etc.  You have 65,536 subnets to work with on your /48).

Ensure that your router interfaces don't autoconfigure by doing whatever is needed in rtadvd.conf file.  Use statics.  I suppose there might be a way to have them autoconfig and have rtadvd still announcing on them, but that seems a bit of an "unnatural act" to me.
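As an added example (not from the thread or from any poster), the following Python script applies jimb's advice from his "break the /48 into separate /64s" post and his last post to the rtadvd.conf that mbettinger posted: it parses the termcap-style entries, flags an entry that advertises the whole /48 or uses a host address as the prefix, and emits a corrected config with one /64 network per LAN interface. The sample config is the one from the thread; the check rules and the mapping of the `default` entry onto vr2 are assumptions taken from that advice, not rtadvd's own semantics.

```python
import ipaddress
import re
# Constructed sample: the thread's rtadvd.conf (vr0 advertises the whole /48).
SAMPLE_CONF = """\
default:\\
        :addr="2001:470:1f0f:39f::2":prefixlen#64:raflags#64:
vr0:\\
        :addr="2001:470:b84a::1":prefixlen#48:raflags#48:
"""
# capability tokens: key="string", key#number, or a bare boolean key
CAP_RE = re.compile(r'(\w+)(?:=("[^"]*"|[^:]*)|#([^:]*))?')

def parse_rtadvd_conf(text):
    """Parse termcap-style entries into {entry_name: {capability: value}}."""
    entries = {}
    for line in text.replace("\\\n", "").splitlines():  # join continuation lines
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, caps = line.partition(":")
        fields = {}
        for key, sval, nval in CAP_RE.findall(caps):
            fields[key] = sval.strip('"') if sval else int(nval, 0) if nval else True
        entries[name.strip()] = fields
    return entries

def check_entry(fields):
    """Return (the /64 that should be advertised, list of problems found)."""
    problems = []
    plen = fields.get("prefixlen", 64)
    if plen != 64:
        problems.append(f"prefixlen#{plen}: advertise one /64 out of the /48, not the whole block")
    lan = ipaddress.IPv6Network(f"{fields['addr']}/64", strict=False)
    if ipaddress.IPv6Address(fields["addr"]) != lan.network_address:
        problems.append(f"addr {fields['addr']} is a host address; advertise {lan}")
    return lan, problems

def corrected_conf(entries, rename=None):
    """One entry per LAN interface advertising its /64; rename maps entry names to interfaces."""
    rename = rename or {}
    out = []
    for name, fields in entries.items():
        lan = check_entry(fields)[0]
        out.append(f'{rename.get(name, name)}:\\\n        :addr="{lan.network_address}"'
                   f':prefixlen#64:raflags#{fields.get("raflags", 0)}:')
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    conf = parse_rtadvd_conf(SAMPLE_CONF)
    print({n: check_entry(f)[1] for n, f in conf.items()}, corrected_conf(conf, {"default": "vr2"}), sep="\n")
```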