Newbie needing some help setting up routed /64 (debian)

Started by meridian, September 16, 2010, 01:39:01 AM

meridian

OK, my network setup is just a *little* odd, but shouldn't be an issue.  I've had IPv6 working within my own network for a while, using the autogenerated link-local addresses, and everything seems to work there.

The relevant parts of the network setup are as follows:

'vengeance' is the main server, connected to the primary ethernet (call it eth0).
'ocypete' is a second machine, also connected to eth0, but also with a virtual network (vmnet0).  Ocypete is set up to bridge vmnet0 and eth0.
'squeezebase' is a virtual machine running on ocypete, connected to vmnet0 (which it locally calls eth0 just for confusion's sake).

vengeance has an IPv4 connection to the outside world via a router also connected to eth0, and has been set up to tunnel IPv6 packets.

Details of the tunnel are as follows:

Server IPv6 address:     2001:470:1f08:e9d::1/64
Client IPv6 address:     2001:470:1f08:e9d::2/64
Routed /64:     2001:470:1f09:e9d::/64
   
Vengeance's eth0 is configured thus:

eth0      Link encap:Ethernet  HWaddr 00:19:db:45:fd:59
         inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
         inet6 addr: 2001:470:1f09:e9d::1/64 Scope:Global
         inet6 addr: fe80::219:dbff:fe45:fd59/64 Scope:Link

Squeezebase's virtual eth0 is also configured similarly:

eth0      Link encap:Ethernet  HWaddr 00:0c:29:b0:57:e6
         inet addr:192.168.1.144  Bcast:192.168.1.255  Mask:255.255.255.0
         inet6 addr: 2001:470:1f09:e9d::2/64 Scope:Global
         inet6 addr: fe80::20c:29ff:feb0:57e6/64 Scope:Link

These addresses work locally:

vengeance:~# ping6 2001:470:1f09:e9d::2
PING 2001:470:1f09:e9d::2(2001:470:1f09:e9d::2) 56 data bytes
64 bytes from 2001:470:1f09:e9d::2: icmp_seq=1 ttl=64 time=2.36 ms

squeezebase:~# ping6 2001:470:1f09:e9d::1
PING 2001:470:1f09:e9d::1(2001:470:1f09:e9d::1) 56 data bytes
64 bytes from 2001:470:1f09:e9d::1: icmp_seq=1 ttl=64 time=2.63 ms

Vengeance is able to talk to the outside world:

vengeance:~# ping6 2001:470:1f08:e9d::1
PING 2001:470:1f08:e9d::1(2001:470:1f08:e9d::1) 56 data bytes
64 bytes from 2001:470:1f08:e9d::1: icmp_seq=1 ttl=64 time=41.7 ms
vengeance:~# ping6 ipv6.google.com
PING ipv6.google.com(2a00:1450:8002::68) 56 data bytes
64 bytes from 2a00:1450:8002::68: icmp_seq=1 ttl=57 time=48.8 ms

I've set vengeance up to forward ipv6 packets:

vengeance:~# cat /proc/sys/net/ipv6/conf/eth0/forwarding
1
vengeance:~# cat /proc/sys/net/ipv6/conf/sit1/forwarding
1

Squeezebase has a default route set up:

squeezebase:~# route -A inet6
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2001:470:1f09:e9d::/64         ::                         U    256 0     1 eth0
fe80::/64                      ::                         U    256 0     0 eth0
::/0                           2001:470:1f09:e9d::1       UG   1   0    81 eth0
::/0                           ::                         !n   -1  1    92 lo
::1/128                        ::                         Un   0   1     4 lo
2001:470:1f09:e9d::2/128       ::                         Un   0   1    13 lo
fe80::20c:29ff:feb0:57e6/128   ::                         Un   0   1    12 lo
ff00::/8                       ::                         U    256 0     1 eth0
::/0                           ::                         !n   -1  1    92 lo


But squeezebase can't ping externally:

squeezebase:~# ping6 2001:470:1f08:e9d::1
PING 2001:470:1f08:e9d::1(2001:470:1f08:e9d::1) 56 data bytes
^C
--- 2001:470:1f08:e9d::1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2007ms

Although it can ping vengeance's tunnel endpoint address:

squeezebase:~# ping6 2001:470:1f08:e9d::2
PING 2001:470:1f08:e9d::2(2001:470:1f08:e9d::2) 56 data bytes
64 bytes from 2001:470:1f08:e9d::2: icmp_seq=1 ttl=64 time=1.84 ms

Can somebody tell me what I've done wrong/missed?

(Edit: I also have permissive firewall settings:

vengeance:~# ip6tables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

so that shouldn't be the problem, right?)

cholzhauer

Seems like the firewall isn't an issue because it resides on your router, and one of your other computers can access the outside world.

Can ocypete access the outside world via V6?

meridian

I had wanted to avoid setting ocypete up with IPv6 access until I had everything working, including a slightly more useful firewall :), but as nothing seems to be working anyway I figure it's worth a try.  But no luck there either, same results as on squeezebox: can ping internally, including the local tunnel endpoint (so routing must be working), but nothing external.

broquea

Silly Q but what distro is ocypete using? There were some with 2.6.18 kernels (RHEL and its clones) that couldn't properly use ::/0 for the default route, and needed 2000::/3. Also, any ip6tables rules on either machine?

meridian

All are on Debian Lenny, except squeezebase which is (of course) on Squeeze.  Vengeance has a custom kernel build, the others are standard.  No machines have any ip6tables rules.

vengeance:~# uname -a
Linux vengeance 2.6.26-2-686 #1 SMP Wed Feb 10 08:59:21 UTC 2010 i686 GNU/Linux
ocypete:~# uname -a
Linux ocypete 2.6.26-1-amd64 #1 SMP Sat Jan 10 17:57:00 UTC 2009 x86_64 GNU/Linux
squeezebase:~# uname -a
Linux squeezebase 2.6.32-5-amd64 #1 SMP Thu Aug 12 13:01:50 UTC 2010 x86_64 GNU/Linux

meridian

OK, experiment two: I decided that enabling IPv6 forwarding on just the interfaces I expected to be using might not be enough, so did:

vengeance:~# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

This seems to have had some effect (not sure why, though).  I can now use a web-based ping6 interface I found to ping my internal hosts:

http://www.berkom.blazing.de/tools/ping.cgi?STR=2001%3A470%3A1f09%3Ae9d%3A%3A2
PING 2001:470:1f09:e9d::2: 56 data bytes
64 bytes from 2001:470:1f09:e9d::2: icmp_seq=0. time=87.5 ms
64 bytes from 2001:470:1f09:e9d::2: icmp_seq=1. time=87.0 ms
64 bytes from 2001:470:1f09:e9d::2: icmp_seq=2. time=88.1 ms
64 bytes from 2001:470:1f09:e9d::2: icmp_seq=3. time=88.0 ms
64 bytes from 2001:470:1f09:e9d::2: icmp_seq=4. time=87.9 ms

----2001:470:1f09:e9d::2 PING Statistics----
5 packets transmitted, 5 packets received, 0% packet loss
round-trip (ms)  min/avg/max/stddev = 87.0/87.7/88.1/0.44


*But* using ping6 from those hosts to attempt to ping external addresses fails with a new error message:

ocypete:~# ping6 ipv6.google.com
PING ipv6.google.com(2a00:1450:8002::67) 56 data bytes
From fe80::219:dbff:fe45:fd59 icmp_seq=1 Destination unreachable: Beyond scope of source address
^C
--- ipv6.google.com ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

fe80::219:dbff:fe45:fd59 is vengeance's link local address.

I'm guessing that for some reason ocypete is attaching its link-local address to the outgoing packets rather than its global one.

ifconfig shows:

eth0      Link encap:Ethernet  HWaddr 00:1f:e2:38:c6:ab
          inet addr:192.168.1.105  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21f:e2ff:fe38:c6ab/64 Scope:Link
          inet6 addr: 2001:470:1f09:e9d::2/64 Scope:Global

So how do I persuade it to use the global address?

ocypete:~# route -A inet6
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2001:470:1f09:e9d::/64         ::                         U    256 0     1 eth0
fe80::/64                      ::                         U    256 0     0 eth0
::/0                           2001:470:1f09:e9d::1       UG   1   0    43 eth0
::/0                           ::                         !n   -1  1    72 lo
::1/128                        ::                         Un   0   3    19 lo
fe80::21f:e2ff:fe38:c6ab/128   ::                         Un   0   1    67 lo
ff00::/8                       ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1    72 lo


The gateway appears to be set appropriately (I'd guess it should use the link local address iff I had configured a link local gateway, right?), so I'm not sure what else to do.

meridian

OK. Got it working :)

Removing the address from the interface and re-adding it worked.  Now, on to making this work permanently. :)
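
Added example, not part of the original thread: a small audit of the two router-side states the thread passes through, per-interface forwarding flags without `conf/all/forwarding`, and global forwarding with an empty, policy-ACCEPT FORWARD chain in front of the routed /64. The function names, finding codes and sample inputs are constructed for illustration; `FIRST_TRY` assumes `conf/all/forwarding` was 0 before the second experiment.

```python
import re

# Constructed inputs modelled on the thread: forwarding flags from
# /proc/sys/net/ipv6/conf/<name>/forwarding and `ip6tables --list` output.
FIRST_TRY = {"all": 0, "eth0": 1, "sit1": 1}   # assumed state before experiment two
SECOND_TRY = {"all": 1, "eth0": 1, "sit1": 1}
IP6TABLES_LIST = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")

def parse_ip6tables_list(text):
    """Map chain name -> {'policy': str or None, 'rules': [rule lines]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif current is not None and line.strip() and not line.startswith("target"):
            current["rules"].append(line.strip())
    return chains

def audit_router(forwarding, chains):
    """Return finding codes for an IPv6 router's forwarding and filter state."""
    if not forwarding.get("all"):
        # Only per-interface flags set: the kernel does not route between interfaces.
        on = sorted(k for k, v in forwarding.items() if k != "all" and v)
        return ["GLOBAL_FORWARDING_OFF"] if on else []
    # A listing without a FORWARD chain is treated as unfiltered.
    fwd = chains.get("FORWARD", {"policy": "ACCEPT", "rules": []})
    findings = []
    if fwd["policy"] == "ACCEPT" and not fwd["rules"]:
        # Every host in the routed /64 is reachable from the Internet unfiltered.
        findings.append("FORWARD_UNFILTERED")
    return findings

if __name__ == "__main__":
    chains = parse_ip6tables_list(IP6TABLES_LIST)
    print(audit_router(FIRST_TRY, chains))
    print(audit_router(SECOND_TRY, chains))
```

With the thread's permissive listing, the second state reports `FORWARD_UNFILTERED`, which matches the external web ping reaching 2001:470:1f09:e9d::2 directly.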