Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

How to NAT IPv6 traffic to internal LAN?

Started by ngyurov, January 04, 2012, 05:07:44 AM

nickbeee

Quote from: Jim Whitby on January 20, 2012, 05:29:50 PM
I can't say if your radvd.conf is correct or not.
I can say its different from mine.

Jim, am I correct in thinking yours is a Linux system? This looks completely different from the OpenBSD version (radvd versus rtadvd), which the OP is using.
Quote
Is forwarding enabled for ipv6?
It must be, as the OP said connectivity works if he configures his client manually with an IPv6 address.

Quote
If you haven't done so, read the man page for radvd and radvd.conf.
I can recommend the most excellent FreeBSD Man pages server which covers all flavours of BSD and a few Linux distros too  ;D
Nick B.

Tunnelling with [Open|Net|Free]BSD and IOS.
IPv6 courtesy of HE and Sixxs.

ngyurov

nickbeee, from reading the man page for that option I highly doubted it would change anything and, unfortunately, I was right:
# /usr/sbin/rtadvd -ds rl0
RA timer on rl0 is set to 16:0
set timer to 15:998952. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 0
RA timer on rl0 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 1:161148. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:272443. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 281:0
set timer to 281:0. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:46983. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 286:0
set timer to 286:0. waiting for inputs or timeout


Any other ideas?

nickbeee

Quote from: ngyurov on January 21, 2012, 09:36:56 AM
nickbeee, from reading the man page for that option I highly doubted it would change anything and, unfortunately, I was right:
Still no RAs shown there...
Quote
Any other ideas?

You're using NAT for IPv4 so presumably you have PF enabled and configured to do this. Maybe PF is blocking outgoing icmp6 traffic?

Can you repeat the above test with PF disabled (pfctl -d) and see whether any RAs appear in the debug output?

ngyurov

Still not working, but requests seem to be received...
This is with PF disabled:
# /usr/sbin/rtadvd -ds rl0
RA timer on rl0 is set to 16:0
set timer to 15:991587. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:378644. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
RA received from fe80::224:1ff:fef1:b7e on rl0
set timer to 15:999779. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:170898. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 16:0
set timer to 16:0. waiting for inputs or timeout
RA received from fe80::224:1ff:fef1:b7e on rl0
set timer to 15:999791. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:463185. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 236:0
set timer to 236:0. waiting for inputs or timeout
RA received from fe80::224:1ff:fef1:b7e on rl0
set timer to 235:999793. waiting for inputs or timeout


I wonder why that is so, because otherwise in PF I have:
pass out quick inet6
pass in quick inet6
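The two rtadvd -ds traces posted above are easier to reason about once the event lines are counted. What follows is an added example for this thread, not code from either poster: a POSIX sh script that tallies a saved rtadvd debug log (RS received, RA sent, RA received from other sources) and prints a verdict. The embedded sample log is constructed to match the format of the traces above and is not the poster's complete log; the script name rtadvd_check.sh is an assumption. Two things the counting makes visible: both traces contain "send RA on rl0" lines, so this box is transmitting RAs, and the PF-disabled trace additionally contains "RA received from fe80::224:1ff:fef1:b7e", an RA heard on rl0 from a different link-local address than the one sending the RSs. Unless that address is rl0's own (compare with ifconfig rl0), a second router is advertising on that segment, and its absence from the PF-enabled trace is consistent with PF dropping inbound ICMPv6.

```shell
#!/bin/sh
# Summarise the debug output of "rtadvd -ds <if>" (OpenBSD) so that
# "is this box sending RAs, and is anyone else?" gets a yes/no answer.
# Added example for this thread; not code from the original posts.

# Constructed sample modelled on the PF-disabled trace in the thread.
# It is NOT the poster's complete log.
SAMPLE_LOG='RA timer on rl0 is set to 16:0
set timer to 15:991587. waiting for inputs or timeout
RS received from fe80::1164:73c5:825b:a0e9 on rl0
set timer to 0:378644. waiting for inputs or timeout
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 16:0
RA received from fe80::224:1ff:fef1:b7e on rl0
RS received from fe80::1164:73c5:825b:a0e9 on rl0
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA received from fe80::224:1ff:fef1:b7e on rl0
RS received from fe80::1164:73c5:825b:a0e9 on rl0
RA timer on rl0 is expired
send RA on rl0, # of waitings = 1
RA timer on rl0 is set to 236:0'

write_sample_log() {            # write_sample_log <path>
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# rtadvd_summary <logfile>
# Prints: ra_sent=N rs_recv=N ra_recv=N other_routers=<addr[,addr]|none>
# "RA received from X" lines are RAs rtadvd heard on the link. Unless X is
# this interface's own link-local address, another router is advertising.
rtadvd_summary() {
    awk '
        /^send RA on /       { sent++ }
        /^RS received from / { rs++ }
        /^RA received from / {
            recv++
            if (!($4 in seen)) { seen[$4] = 1; order[++n] = $4 }
        }
        END {
            list = ""
            for (i = 1; i <= n; i++) list = list (i > 1 ? "," : "") order[i]
            if (list == "") list = "none"
            printf "ra_sent=%d rs_recv=%d ra_recv=%d other_routers=%s\n",
                   sent, rs, recv, list
        }' "$1"
}

# rtadvd_verdict <logfile>
#   NO_RA_SENT            rtadvd never transmitted: check rtadvd.conf and
#                         net.inet6.ip6.forwarding before blaming PF/clients
#   RA_SENT_OTHER_SOURCE  RAs go out, but RAs also arrive from <addr>; if that
#                         is not our own link-local, a second router is
#                         advertising and clients may prefer it
#   RA_SENT               RAs go out and nothing else advertises; if clients
#                         still get no address, capture on the client side
rtadvd_verdict() {
    summary=$(rtadvd_summary "$1")
    sent=${summary#ra_sent=}; sent=${sent%% *}
    others=${summary##*other_routers=}
    if [ "$sent" -eq 0 ]; then
        echo "NO_RA_SENT"
    elif [ "$others" != "none" ]; then
        echo "RA_SENT_OTHER_SOURCE:$others"
    else
        echo "RA_SENT"
    fi
}

# Usage: rtadvd -ds rl0 > /tmp/rtadvd.log  (Ctrl-C after a minute or two)
#        sh rtadvd_check.sh /tmp/rtadvd.log
# With no argument the constructed sample above is analysed.
if [ "$#" -gt 0 ]; then
    log=$1
else
    log=$(mktemp) && write_sample_log "$log"
fi
rtadvd_summary "$log"
rtadvd_verdict "$log"
```

Run it against a trace captured with PF enabled and one captured with PF disabled and compare the ra_recv and other_routers fields; if a source appears only in the PF-disabled run, PF is filtering inbound ICMPv6 on that interface.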

nickbeee

So now we have RAs going out  ;D. Looks like you need to review your pf.conf.

Does your W7 host configure itself with an EUI-64 ipv6 address? If not then I would be looking at traffic by running tcpdump on your firewall - tcpdump -vv -i rl0 ip6 - just to double-check those RAs and RSs. I would then look for similar on the W7 host with Wireshark.

I believe there are some issues with W7 and SLAAC. I don't have much experience with W7's ipv6 so maybe someone else can help here  ???. It looks as if you are making progress on the BSD side though.
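The two rules quoted above (pass in quick inet6 / pass out quick inet6) only pass everything if no earlier rule with quick matches first, so the rule order matters as much as the rules themselves. As an added example for this thread, not the poster's pf.conf, here is a minimal OpenBSD ruleset for an IPv6 router's LAN side that passes the ICMPv6 neighbour-discovery types explicitly and logs whatever is still dropped. The interface names rl0 (LAN) and gif0 (tunnel) are assumptions; rl0 comes from the thread, gif0 does not.

```pf
# Added example for this thread, not the poster's ruleset.
# Assumes rl0 is the LAN side and gif0 the HE tunnel; adjust to your setup.
lan_if = "rl0"
tun_if = "gif0"

# Default deny, logged, so every dropped packet shows up on pflog0 with the
# number of the rule that dropped it.
block log all

# Neighbour discovery on the LAN: router solicitation/advertisement and
# neighbour solicitation/advertisement. RAs are sent unsolicited to ff02::1
# from a link-local source, so they do not ride on state created by the
# client; they need their own pass rule, and it must match in both directions.
pass quick on $lan_if inet6 proto ipv6-icmp \
    icmp6-type { routersol, routeradv, neighbrsol, neighbradv }

# Path MTU discovery and basic diagnostics must work end to end, or large
# transfers over the tunnel (MTU below 1500) will silently stall.
pass quick inet6 proto ipv6-icmp \
    icmp6-type { unreach, toobig, timex, paramprob, echoreq, echorep }

# Ordinary IPv6 traffic: LAN hosts out through the tunnel, stateful replies back
# (OpenBSD pf keeps state on pass rules by default).
pass in  quick on $lan_if inet6 from $lan_if:network to any
pass out quick on $tun_if inet6
```

Check the syntax with pfctl -nf /etc/pf.conf before loading with pfctl -f, then use pfctl -vvsr to see the rules in evaluation order with their match counters, and watch the drops with tcpdump -n -e -ttt -i pflog0 ip6 while rtadvd -ds rl0 runs: the rule number printed for each blocked RS or RA tells you exactly which line of pf.conf to fix.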

cholzhauer

Nick do you have any more specifics on those issues? We've been running windows 7 with router advertisements for a couple of years now and haven't had any issues.

ngyurov

I think I'll try to configure DHCPv6 to give the internal hosts addresses. I'm gonna need it to do the same with the DNS servers anyway.
When I have more time I'll play again with rtadvd and check why it is not working.
Thanks for the help though.

nickbeee

Quote from: ngyurov on January 22, 2012, 12:28:37 PM
I think I'll try to configure DHCPv6 to give the internal hosts addresses. I'm gonna need it to do the same with the DNS servers anyway.
When I have more time I'll play again with rtadvd and check why it is not working.
Thanks for the help though.
Please post back when you have it working - I would be most interested to know what solution works for you!

nickbeee

Quote from: cholzhauer on January 22, 2012, 11:29:54 AM
Nick do you have any more specifics on those issues? We've been running windows 7 with router advertisements for a couple of years now and haven't had any issues.

I've got one W7 (Pro, 64bit, SP1) test machine at the office so my (IPv6) experiences of this OS are very limited compared to yours.

The router is a Cisco 871 which is configured for SLAAC and uses DHCPv6 to provide the DNS server. The W7 client configures itself correctly with an EUI-64 address, sets its gateway correctly and picks up the DNS server. However, it suffers from intermittent IPv6 connectivity. Other (FreeBSD and Linux) hosts on the same router work correctly.

What are you using for your router?

cholzhauer

We have an ASA 5520 that's doing SLAAC. The only changes I make on the clients are to disable ISATAP, Teredo, and 6to4.

The ASA line won't do DHCPv6, otherwise, I would be using it to hand out DNS info too.

nickbeee

Quote from: cholzhauer on January 23, 2012, 06:11:41 AM
We have an ASA 5520 that's doing SLAAC. The only changes I make on the clients are to disable ISATAP, Teredo, and 6to4.
Yes - did that. I also disabled the privacy address in case that was part of the problem.

Quote from: cholzhauer
The ASA line won't do DHCPv6, otherwise, I would be using it to hand out DNS info too.
Have you manually configured IPv6 DNS on the clients or are they relying on your IPv4 DNS server to get AAAA records?

cholzhauer

Quote
Have you manually configured IPv6 DNS on the clients or are they relying on your IPv4 DNS server to get AAAA records?

Unfortunately I've manually configured them... I have a small batch script that I created that disables the stuff I mentioned earlier, disables privacy addresses (those really throw off DNS), and assigns a couple of IPv6 addresses to use as DNS servers. It works really well; the only problem is if I swap out DNS servers, I have to change the IPv6 address on them to match what I used in my batch file. I'd really like to use that ASA, but like I said, they don't support it. I've suggested it to my account manager, but she tells me things like that are market driven; the more people that ask for it, the more likely they are to implement it.

Jim Whitby

Quote from: nickbeee on January 20, 2012, 05:59:28 PM
Quote from: Jim Whitby on January 20, 2012, 05:29:50 PM
I can't say if your radvd.conf is correct or not.
I can say its different from mine.

Jim, am I correct in thinking yours is a Linux system? This looks completely different from the OpenBSD version (radvd versus rtadvd), which the OP is using.

Yes, it is Linux.
Sorry for the confusion.

nickbeee

Quote from: cholzhauer on January 23, 2012, 06:26:32 AM
Quote
Have you manually configured IPv6 DNS on the clients or are they relying on your IPv4 DNS server to get AAAA records?

Unfortunately I've manually configured them... I have a small batch script that I created that disables the stuff I mentioned earlier, disables privacy addresses (those really throw off DNS), and assigns a couple of IPv6 addresses to use as DNS servers. It works really well; the only problem is if I swap out DNS servers, I have to change the IPv6 address on them to match what I used in my batch file. I'd really like to use that ASA, but like I said, they don't support it. I've suggested it to my account manager, but she tells me things like that are market driven; the more people that ask for it, the more likely they are to implement it.

Solved my W7 issue - details here: http://www.tunnelbroker.net/forums/index.php?topic=2246.0