Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

The routed/48, the LAN and the DMZ

Started by BrotherAzrael, April 19, 2011, 12:19:55 AM


BrotherAzrael

Hello guys,

I'm trying to get an IPv6 connection for a LAN by creating a tunnel with HE (because European ISPs are so laaazy getting IPv6 on their WAN).
Here's the thing: my internet connection is behind an ASA connected to my DMZ and my LAN. Using a router between the internet connection and the ASA couldn't be done, so I created a Linux server on my DMZ to act as an IPv6 gateway with the tunnel output.
The IPv6 connection between my server and the IPv6 net is UP, I can ping in IPv6 DMZ <-> LAN, plus the default route is configured on the server.
I'm using the /48 given to me for the links in the DMZ and in the LAN (I created two /64 subnets).

My problem: where is the problem? x')

cholzhauer

We need a bunch more information. Let's see the commands you used to set up the tunnel and the config of the ASA. Please don't block out IP addresses.

BrotherAzrael

#2
Ok

Here are the commands for my tunnel on the server (FreeBSD); I pasted the ones given by HE (replacing my external IP with the internal one behind NAT).
ifconfig gif0 create
ifconfig gif0 tunnel 192.168.50.8 216.66.84.42
ifconfig gif0 inet6 2001:470:1f12:34::2 2001:470:1f12:34::1 prefixlen 128
# default route goes to HE's end of the point-to-point tunnel (::1), not the local ::2 address
route -n add -inet6 default 2001:470:1f12:34::1
ifconfig gif0 up

Here are the interfaces on the server.

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
       options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
       ether 00:50:56:b1:00:2e
       inet6 fe80::250:56ff:feb1:2e%em0 prefixlen 64 scopeid 0x1
       inet6 2001:470:cab4:50::8 prefixlen 64
       inet 192.168.50.8 netmask 0xffffff00 broadcast 192.168.50.255
       nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
       media: Ethernet autoselect (1000baseT <full-duplex>)
       status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
       options=3<RXCSUM,TXCSUM>
       inet6 ::1 prefixlen 128
       inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
       inet 127.0.0.1 netmask 0xff000000
       nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
       tunnel inet 192.168.50.8 --> 216.66.84.42
       inet6 fe80::250:56ff:feb1:2e%gif0 prefixlen 64 scopeid 0x4
       inet6 2001:470:1f12:34::2 --> 2001:470:1f12:34::1 prefixlen 128
       nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
       options=1<ACCEPT_REV_ETHIP_VER>

For the ASA I'm using ASDM and I prefer not to paste the whole conf. I added access list rules for protocol 41 and icmp/icmp6.
On the DMZ interface: 2001:470:cab4:50::1/64
On the inside interface: 2001:470:cab4:3::1/64
RA are disabled everywhere.
I added a default route pointing to the server in the DMZ for IPv6 addresses.

Some ping tests from the tunnel:

srvtunnelv6# ping6 2001:4178:2:1269::2
PING6(56=40+8+8 bytes) 2001:470:1f12:34::2 --> 2001:4178:2:1269::2
16 bytes from 2001:4178:2:1269::2, icmp_seq=0 hlim=58 time=54.833 ms
16 bytes from 2001:4178:2:1269::2, icmp_seq=1 hlim=58 time=127.263 ms
^C
--- 2001:4178:2:1269::2 ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 54.833/91.048/127.263/36.215 ms

srvtunnelv6# ping6 2001:470:cab4:3::666
PING6(56=40+8+8 bytes) 2001:470:cab4:50::8 --> 2001:470:cab4:3::666
16 bytes from 2001:470:cab4:3::666, icmp_seq=0 hlim=63 time=1.258 ms
16 bytes from 2001:470:cab4:3::666, icmp_seq=1 hlim=63 time=0.925 ms
^C
--- 2001:470:cab4:3::666 ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.925/1.091/1.258/0.167 ms


And the routing table of the server:

srvtunnelv6# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.50.1       UGS         1     2511    em0
localhost          link#3             UH          0       96    lo0
192.168.50.0       link#1             U           0        0    em0
srvtunnelv6        link#1             UHS         0        0    lo0

Internet6:
Destination        Gateway            Flags      Netif Expire
default            2001:470:1f12:34:: UGS        gif0
localhost          localhost          UH          lo0
2001:470:1f12:34:: 2001:470:1f12:34:: UH         gif0
2001:470:cab4:3::  2001:470:cab4:50:: UGS         em0
2001:470:cab4:50:: link#1             U           em0
2001:470:cab4:50:: link#1             UHS         lo0
fe80::%em0         link#1             U           em0
fe80::250:56ff:feb link#1             UHS         lo0
fe80::%lo0         link#3             U           lo0
fe80::1%lo0        link#3             UHS         lo0
fe80::%gif0        link#4             U          gif0
fe80::250:56ff:feb link#4             UHS         lo0
ff01:1::           fe80::250:56ff:feb U           em0
ff01:3::           localhost          U           lo0
ff01:4::           fe80::250:56ff:feb U          gif0
ff02::%em0         fe80::250:56ff:feb U           em0
ff02::%lo0         localhost          U           lo0
ff02::%gif0        fe80::250:56ff:feb U          gif0




cholzhauer

Here's what I use in /etc/rc.conf on FreeBSD. Substitute your values accordingly.


gifconfig_gif1="12.199.185.10 209.51.181.2"
ipv6_defaultrouter="-interface gif1"
ipv6_enable="YES"
ipv6_gateway_enable="YES"
ipv6_ifconfig_gif1="2001:470:1f10:2aa::2/64"
ipv6_network_interfaces="nfe0 gif1 lo0"


It looks like your tunnel is up.


[carl@ipv6router ~]$ ping6 2001:4178:2:1269::2
PING6(56=40+8+8 bytes) 2001:470:1f10:2aa::2 --> 2001:4178:2:1269::2
16 bytes from 2001:4178:2:1269::2, icmp_seq=0 hlim=56 time=152.984 ms
16 bytes from 2001:4178:2:1269::2, icmp_seq=1 hlim=56 time=176.335 ms
16 bytes from 2001:4178:2:1269::2, icmp_seq=2 hlim=56 time=244.726 ms
^C
--- 2001:4178:2:1269::2 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 152.984/191.348/244.726/38.929 ms


You need to add a routing rule for your /48 on your FreeBSD server. Route the entire /48 to your eth0 interface.



BrotherAzrael

#4
defaultrouter="192.168.50.1"
gateway_enable="YES"
hostname="srvtunnelv6.ipv6imlovinit.org"
ifconfig_em0="inet 192.168.50.8  netmask 255.255.255.0"
gif_interfaces="gif0"
gifconfig_gif0="192.168.50.8 216.66.84.42 up"
ipv6_enable="YES"
ipv6_defaultrouter="-interface gif0"
ipv6_gateway_enable="YES"
ipv6_ifconfig_gif0="2001:470:1f12:34::2 2001:470:1f12:34::1 prefixlen 128"
ipv6_network_interfaces="em0 gif0 lo0"
ipv6_ifconfig_em0="2001:470:cab4:50::8 prefixlen 64"

Here is the rc.conf, thanks to your advice and some modifications.
Still, the route to my /48 via the interface on the ASA (not eth0) is here, but I can't ping external IPv6 addresses from my LAN.

I was asking myself if it's a good idea to have only one "physical" interface.

Edit: The problem is elsewhere; I think the IPv6 default route to get through the ASA is wrong.

Edit2: Yeah, that was the route on the ASA. Thanks anyway for the rc.conf, cholzhauer.
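The server-side routing this thread converges on (a default route via HE's end of gif0, and a specific route for the inside /64 via the ASA's DMZ address so that replies for the LAN are not sent back down the tunnel) can be checked mechanically. This is an added example, not code from the thread, from HE or from FreeBSD; it parses constructed `netstat -rn -f inet6` samples modelled on the server's table above, and the ASA DMZ address 2001:470:cab4:50::1 and the two /64s are the ones given in the thread.

```python
import ipaddress

# Addressing taken from the thread: HE point-to-point tunnel and the routed /48.
TUNNEL_REMOTE = ipaddress.IPv6Address("2001:470:1f12:34::1")  # HE end of gif0
LAN_NET = ipaddress.IPv6Network("2001:470:cab4:3::/64")        # ASA "inside"
ASA_DMZ_ADDR = ipaddress.IPv6Address("2001:470:cab4:50::1")    # ASA's DMZ interface

# Constructed samples in `netstat -rn -f inet6` form (so gateways are not truncated).
# GOOD is the working layout; BROKEN points default at the local ::2 end and lacks the LAN route.
GOOD = """\
Destination              Gateway                  Flags  Netif Expire
default                  2001:470:1f12:34::1      UGS    gif0
2001:470:1f12:34::1      2001:470:1f12:34::1      UH     gif0
2001:470:cab4:3::/64     2001:470:cab4:50::1      UGS    em0
2001:470:cab4:50::/64    link#1                   U      em0
"""
BROKEN = """\
Destination              Gateway                  Flags  Netif Expire
default                  2001:470:1f12:34::2      UGS    gif0
2001:470:cab4:50::/64    link#1                   U      em0
"""

def parse_routes(text):
    # Return (destination, gateway, flags, netif) tuples, skipping the header line.
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] != "Destination":
            routes.append(tuple(parts[:4]))
    return routes

def check_gateway(routes):
    # Return a list of problems with the server's IPv6 routing; [] means consistent.
    problems = []
    default = [r for r in routes if r[0] == "default"]
    if not default:
        problems.append("no IPv6 default route")
    else:
        _, gw, _, netif = default[0]
        # Next hop must be HE's end, or the route bound to gif0 (rc.conf's "-interface gif0" shows as link#).
        if netif != "gif0":
            problems.append(f"default route leaves via {netif}, not gif0")
        elif not gw.startswith("link#") and ipaddress.IPv6Address(gw) != TUNNEL_REMOTE:
            problems.append(f"default route gateway {gw} is not the HE end {TUNNEL_REMOTE}")
    # Without a specific route, replies for the LAN /64 match default and go back down the tunnel.
    lan = [r for r in routes if r[0] == str(LAN_NET)]
    if not lan:
        problems.append(f"no route for the inside /64 {LAN_NET} via the ASA")
    elif lan[0][1].startswith("link#") or ipaddress.IPv6Address(lan[0][1]) != ASA_DMZ_ADDR:
        problems.append(f"inside /64 route gateway {lan[0][1]} is not the ASA {ASA_DMZ_ADDR}")
    return problems
```

On a real host, feed `check_gateway(parse_routes(output))` the text of `netstat -rn -f inet6`; the ASA side (its default route pointing at the server's DMZ address) still has to be checked separately, as the final edit in the thread shows.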