Hurricane Electric's IPv6 Tunnel Broker Forums

Using tunnelbroker with sophos utm 9

Started by bimmerdriver, March 11, 2013, 08:54:28 PM


bimmerdriver

This is my first post. I am a noob, so please excuse my ignorance. I'm using Sophos UTM (aka Astaro ASG) as my home gateway. It's working pretty well, although it's not particularly straightforward to configure. I allocated an IPv6 tunnel from Hurricane and I'm trying to set up UTM so I can use the tunnel. My PCs are mostly Windows 7, with a couple of Ubuntu Linux boxes.

The server address of the tunnel is 2001:***:a:487::1/64
The client address of the tunnel is 2001:***:a:487::2/64

I assigned a /48, but I'm not sure if I need it. Is there any reason to subdivide the /48 or should I subdivide the /64?

The routed /64 is 2001:***:b:487::/64
The routed /48 is 2001:***:eb33::/48

I configured utm with the details of the tunnel and it seems to be operating. It shows the following:

Tunnel Broker: 2001:***:a:487::2
Subnet: 2001:***:eb33::/48

I set up dns forwarders, using the two google dns addresses plus the he address.

What should I use for gateway and the start and end dhcp addresses?

utm supports prefix advertisements. Not sure if I need that or if so, how to set it up.

**** Should I take this part to the windows section?

On the Windows 7 PC, I disabled the Teredo service. The ISATAP adapter is still running. Do I need to disable it also? Is there anything else I have to do on the Windows PC for it to get an IPv6 address? Currently it's showing no internet access for IPv6.

Thanks for your help and your patience.

cholzhauer

First, don't obfuscate your IP ranges...it makes it harder to help you.

Second, you don't break up a /64 as /64 is the smallest IPv6 subnet; if you have a need for multiple subnets, use your /48.

I am not familiar with the OS you're using for your router, but here's a general overview of what should happen:

Use the ::2 address from your tunnel /64 on your local router; the default gateway is the ::1 address of your tunnel /64.

You can use DHCPv6 to allocate addresses, but you still need SLAAC to give the client a gateway address. (Note that on Windows you need to change a couple of flags so Windows will get an IPv6 address from DHCPv6)

Turn off ISATAP and 6to4.

kasperd

Quote from: bimmerdriver on March 11, 2013, 08:54:28 PM
I assigned a /48, but I'm not sure if I need it.
If you only have one router, there isn't a lot of need for the /48.

Quote from: bimmerdriver on March 11, 2013, 08:54:28 PM
Is there any reason to subdivide the /48 or should I subdivide the /64?
I recommend you use a /64 on each segment of your network. If you are going to use the /48, you should subdivide it into /64 blocks. You can use a few intermediate levels, if you need it.

A typical setup has two segments. The first segment is the virtual tunnel interface connecting you to HE. The second segment is the physical LAN interface. (Usually the router has a builtin switch allowing that single interface to be turned into four physical LAN ports and a WiFi access point.)

The two /64s allocated by default give you exactly the two /64s you need for the typical setup.

The /48 is only needed if you have multiple routers or your router has some more advanced features.

A more advanced feature could be the possibility for the router to create multiple VLANs. For example, the different LAN ports could be put on different VLANs. Or you could have one segment for the wired ports and one segment for the WiFi. The wired ports could have multiple VLANs on the same port using tagging. The WiFi could have multiple VLANs by assigning different SSIDs to them.

Another feature that could benefit from the /48 would be if the router has a builtin caching DNS server, which can be assigned an entire /64 prefix just for DNS lookups. That could give more entropy for the lookups and thus make it a harder target for DNS cache poisoning attacks.

I have no idea if your particular router has any of those features, which could benefit from the /48.

Quote from: bimmerdriver on March 11, 2013, 08:54:28 PM
The routed /48 is 2001:***:eb33::/48
You are using different usernames for registering the tunnel and for posting in the forum?

Quote from: bimmerdriver on March 11, 2013, 08:54:28 PM
Subnet: 2001:***:eb33::/48
Not sure what the router will do when you give it an entire /48. Maybe it will use only the first /64 of that for the LAN segment. Maybe it will use the entire /48 for the LAN segment, though that would be a waste of addresses.

Quote from: bimmerdriver on March 11, 2013, 08:54:28 PM
I set up dns forwarders, using the two google dns addresses plus the he address.
Quite sensible choice.

Quote from: bimmerdriver on March 11, 2013, 08:54:28 PM
What should I use for gateway and the start and end dhcp addresses?
By gateway address I assume you mean the address the router is using towards the LAN. You are quite free to choose from within your /64. A typical choice would be prefix::1, hence in your case: 2001:470:b:487::1. You might not have any need for a DHCP range, but if you are going to configure it, I suggest you set the range to be for example 2001:470:b:487::1:0/112. Or if you need to specify start and end address you can specify 2001:470:b:487::1:1 to 2001:470:b:487::1:ffff.

Quote from: bimmerdriver on March 11, 2013, 08:54:28 PM
utm supports prefix advertisements. Not sure if I need that or if so, how to set it up.
Do you mean router advertisements or prefix delegation?

Router advertisements should be enabled on the LAN.

Prefix delegation could be either upstream from HE, or downstream towards the LAN, or even both. From HE you have a static /48. I don't think HE has any DHCP server which can tell you what the prefix is. So you just have to configure that static /48 on your router, if you are going to use it. Prefix delegation towards your LAN is only relevant if you have multiple routers.

Quote from: bimmerdriver on March 11, 2013, 08:54:28 PM
On the windows 7 pc, I disabled the teredo service. The isatap adapter is still running. Do I need to disable it also? Is there anything else I have to do on the windows pc for it to get an ipv6 address? Currently it's showing no internet access for ipv6.
You shouldn't need to disable any of those. Windows is supposed to do that automatically, if there is native IPv6 support on your LAN. Most likely the reason it shows lack of native IPv6 support is that you didn't configure the router correctly. Maybe you didn't enable router advertisements on the router.

I think Wireshark is the best debugging tool for this sort of situation.

bimmerdriver

Thanks very much cholzhauer and kasperd for your replies. With your help, I was able to get it working.

FYI, Sophos UTM is a Linux-based router, available as a hardware or a software solution. I'm using it as a software-based router, running it as a guest (with a dedicated NIC) on a Hyper-V 2012 server. (It's free for home use.)

Also FYI, I wasn't trying to be evasive by obfuscating the IP addresses or my name. Maybe I'm just overly cautious. The tunnelbroker forum provides a mechanism to change the displayed name, which I chose to do because my username is my real name and I already get too much spam.

Okay, enough of that. Here is what I did to get things working.

First, I deassigned the /48. I think utm would be okay with it, but since I have only one router and one lan segment, I have no requirement for a /48. Maybe I'll give it a try to see if it works some other time.

Second, I disabled isatap.

Third, I used 2001:470:a:487::1/64 for the gateway address and DNS server address (it uses the forwarders that I already set up).

Fourth, I used 2001:470:a:487::f000 and 2001:470:a:487::ffff as the DHCP range start and end.

After that, it was working. The computer passes test-ipv6.com with 10/10.

utm supports "prefix advertisements" which consist of two dns server addresses and a domain. I did not need to use this feature to get things working on my windows 7 pc.

Thanks again for your help.

bimmerdriver

I have another question. My ipv4 address changes periodically and I already use dyndns to deal with that. I noticed that tunnelbroker.net has a dyndns mechanism as well. I tried to enable it. I entered the hostname of the tunnel, but what is the api key?

(I also tried using https://www.tunnelbroker.net/forums/index.php?topic=1994.0, but I get notfqdn as the response when I tried to go to https://ipv4.tunnelbroker.net/nic/update.)

Any suggestions?

bimmerdriver

Quote from: bimmerdriver on March 12, 2013, 10:22:30 PM
I have another question. My ipv4 address changes periodically and I already use dyndns to deal with that. I noticed that tunnelbroker.net has a dyndns mechanism as well. I tried to enable it. I entered the hostname of the tunnel, but what is the api key?

(I also tried using https://www.tunnelbroker.net/forums/index.php?topic=1994.0, but I get notfqdn as the response when I tried to go to https://ipv4.tunnelbroker.net/nic/update.)

Any suggestions?
I managed to get this working. Operator problem.
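The endpoint update asked about in the two posts above, as an added example that is not part of the thread and is not Hurricane Electric's code. It assumes the https://ipv4.tunnelbroker.net/nic/update endpoint follows the dyndns2 convention (hostname and optional myip query parameters, HTTP Basic auth, one-word replies such as good, nochg, notfqdn, badauth, 911) and that the hostname HE wants is the numeric tunnel id shown on the tunnel details page rather than a DNS name; the username, update key and tunnel id are placeholders. Nothing is sent: the script builds the request and classifies sample replies so the retry policy can be checked offline.

```python
"""Build and interpret a tunnelbroker.net endpoint-update request (dyndns2 style).

Added example, not code from the thread or from Hurricane Electric. Assumed: the
/nic/update endpoint speaks dyndns2 (hostname/myip parameters, HTTP Basic auth,
one-word status replies) and expects the numeric tunnel id as hostname.
Credentials below are placeholders; nothing is sent over the network.
"""
import base64
import ipaddress
import urllib.parse

UPDATE_URL = "https://ipv4.tunnelbroker.net/nic/update"

# dyndns2 status words (assumed for HE). kind: "ok" = done,
# "client" = fix the request before retrying, "server" = retry later.
STATUS = {
    "good": ("ok", "endpoint updated"),
    "nochg": ("ok", "endpoint already set to this address"),
    "notfqdn": ("client", "hostname not accepted; send the numeric tunnel id (assumed), not a DNS name"),
    "nohost": ("client", "no tunnel with that id on this account"),
    "badauth": ("client", "username or update key rejected"),
    "abuse": ("client", "blocked for too many updates; stop retrying"),
    "911": ("server", "server-side problem; retry later with backoff"),
}


def build_update_request(username, update_key, tunnel_id, myip=None):
    """Return (url, headers) for one update.

    The update key goes in the Authorization header rather than the query
    string, so it does not end up in proxy or web-server access logs."""
    params = {"hostname": str(tunnel_id)}
    if myip is not None:
        ip = ipaddress.ip_address(myip)
        if ip.version != 4 or ip.is_loopback or ip.is_link_local or ip.is_multicast:
            raise ValueError(f"myip must be a routable IPv4 address, got {myip}")
        params["myip"] = str(ip)
    token = base64.b64encode(f"{username}:{update_key}".encode()).decode()
    headers = {"Authorization": f"Basic {token}",
               "User-Agent": "he-tunnel-update-example/1"}  # hypothetical UA string
    return f"{UPDATE_URL}?{urllib.parse.urlencode(params)}", headers


def parse_update_response(body):
    """Classify the server's one-line reply, e.g. 'good 203.0.113.5' or 'notfqdn'."""
    parts = body.strip().split(None, 1)
    if not parts:
        raise ValueError("empty response")
    code = parts[0].lower()
    ip = None
    if len(parts) == 2:
        try:
            ip = ipaddress.ip_address(parts[1].strip())
        except ValueError:
            ip = None  # reply carried trailing text that is not an address
    kind, meaning = STATUS.get(code, ("unknown", "unrecognised reply; treat as failure"))
    return {"code": code, "kind": kind, "meaning": meaning, "ip": ip}


def should_retry(result):
    """Only transient server errors deserve an automatic retry; hammering the
    endpoint after 'badauth' or 'abuse' is how an account gets locked."""
    return result["kind"] == "server"


if __name__ == "__main__":
    url, headers = build_update_request("myuser", "my-update-key", "123456", "203.0.113.5")
    print(url)
    print(headers)
    # Constructed replies, in the shape the endpoint would return them.
    for reply in ("good 203.0.113.5", "nochg 203.0.113.5", "notfqdn", "911"):
        r = parse_update_response(reply)
        print(f"{reply!r:22} -> {r['kind']:7} {r['meaning']} (retry={should_retry(r)})")
```

The update key is a credential for your tunnel: keep it out of the URL, out of shell history and out of any script you paste into a forum, and run the update from a scheduled job that stops retrying on client-side errors.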

bimmerdriver

Last night, everything was working. This morning, it was no longer working. Although the PC still reported that it had IPv4 and IPv6 connectivity and the tunnel appeared to be operational (non-zero traffic), both http://test-ipv6.com/ and http://ipv6-test.com/ were reporting that there was no IPv6 connectivity. Tried ipconfig /release and /renew, as well as disabling and enabling the adapter, but made no difference. Tried restarting the router, but made no difference. It started working again for a while, then stopped, then started again. No obvious reason why this is happening. Any suggestions on how to troubleshoot this?

bimmerdriver

I just noticed something that I missed before.

The server address is 2001:470:a:487::1/64
The routed /64 is 2001:470:b:487::/64

I never noticed the a and the b until just now.

I used 2001:470:a:487::f000 and 2001:470:a:487::ffff as the start and end ranges for my dhcp. If my /64 is 2001:470:b:487::/64, should it even work?

bimmerdriver

In the tunnel broker configuration on my router, it shows the following:

Tunnel Broker: 2001:470:a:487::2
Subnet: 2001:470:b:487::/64

In the DHCP server configuration, it shows the following:

Range start: 2001:470:a:487::f000
Range end: 2001:470:a:487::ffff
DNS Server 1: 2001:470:a:487::1

If I understand correctly, I should be allocating addresses in 2001:470:b:487::/64, but I am doing so in 2001:470:a:487::/64. I tried changing the range to b, but then it wasn't happy with the dns server address being in a. I understood that the dns server should be the server end of the tunnel, which it is.

I am definitely confused. I don't understand why it's working at all and I don't understand why the subnet is b, not a.

bimmerdriver

Just to see what would happen, I switched the gateway and dhcp ranges over to the /64. It seems to be working properly now. I must have been tromping on someone else's subnet. Hopefully it will still be working in the morning.

kasperd

Quote from: bimmerdriver on March 13, 2013, 10:28:29 PM
I never noticed the a and the b until just now.
That's why they are written bold on the tunnel details page ;)

Quote from: bimmerdriver on March 13, 2013, 10:43:48 PM
Tunnel Broker: 2001:470:a:487::2
What does that description even mean? There are three values to be configured on the tunnel interface. But only one of them is critical, the other two can be misconfigured, and things will still be working for the most part.

Server IPv4 address is critical. If that is not configured correctly, the tunnel will not work at all. Client IPv6 is only of minor importance. It will show up in traceroute to your network, and HE will periodically ping it to see if you are still using the tunnel. I can't think of anything the server IPv6 address would be used for from the router configuration. You can ping it to see if your tunnel is up, but when you do that, you give the address explicitly, so the configured address isn't used there.

Quote from: bimmerdriver on March 13, 2013, 10:43:48 PM
If I understand correctly, I should be allocating addresses in 2001:470:b:487::/64, but I am doing so in 2001:470:a:487::/64.
You might not need the DHCPv6 server at all. If nothing on your LAN is using the DHCPv6 server, then misconfiguring the DHCPv6 server doesn't do much harm. You are supposed to be using a range of addresses which is part of the LAN segment, that is the routed /64.

Quote from: bimmerdriver on March 13, 2013, 10:43:48 PM
I tried changing the range to b, but then it wasn't happy with the dns server address being in a. I understood that the dns server should be the server end of the tunnel, which it is.
The server end of the tunnel is not a DNS server, so specifying that as DNS server address is not correct.

There are at least three possibilities for what that DNS server address means, and the correct value depends on which of the three the router is expecting.


  • It could be the IPv6 address the router's builtin DNS server is listening on. If that's the case, then any otherwise unused address in the routed or tunnel prefix will work. But usually you don't need to configure that at all, as the router will automatically pick the gateway address it has on the LAN side.
  • It could be a recursive resolver that the router's builtin DNS server will forward all requests to. In that case using 2001:470:20::2 is one option. But if that's the purpose, then it should be asking for two or three different addresses, and not just one.
  • It could be the address to be told to clients on the LAN (through RA, DHCPv6, or both). In that case it should also be asking for two or three addresses, and you should specify the router's address as the first and some recursive resolvers for the others (could be the same as above).

Quote from: bimmerdriver on March 13, 2013, 10:43:48 PM
I am definitely confused. I don't understand why it's working at all and I don't understand why the subnet is b, not a.
There are two subnets, one for each side of the router.
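The address bookkeeping from kasperd's two replies (the LAN gateway and DHCPv6 range suggestion in the first, and the rule in the second that the lease range must sit in the routed /64 rather than the tunnel /64, with HE's end of the tunnel not being a resolver) as a small Python script. This is an added example, not code from the thread, from Sophos or from Hurricane Electric; it uses the prefixes quoted in the thread, and the helper names are mine. It also shows how the /48 would be cut into per-segment /64s if a second segment were ever added.

```python
"""Derive LAN-side IPv6 settings from HE tunnel details and check a DHCPv6 range.

Added example for the thread above; helper names are my own. The prefixes are
the ones quoted in the thread (tunnel /64 under 2001:470:a:, routed /64 under
2001:470:b:, routed /48 2001:470:eb33::).
"""
import ipaddress

# Values as they appear on the tunnel details page.
SERVER_IPV6 = ipaddress.IPv6Interface("2001:470:a:487::1/64")  # HE's end of the tunnel
CLIENT_IPV6 = ipaddress.IPv6Interface("2001:470:a:487::2/64")  # router's end of the tunnel
ROUTED_64 = ipaddress.IPv6Network("2001:470:b:487::/64")       # the LAN segment
ROUTED_48 = ipaddress.IPv6Network("2001:470:eb33::/48")        # only needed for several segments


def lan_gateway(routed, host=1):
    """Router's address on the LAN side; prefix::1 is the usual choice."""
    return ipaddress.IPv6Interface(f"{routed.network_address + host}/{routed.prefixlen}")


def dhcpv6_range(routed, index=1):
    """A /112 out of the routed /64 for DHCPv6 leases. index=1 gives
    prefix::1:0/112, i.e. prefix::1:1 .. prefix::1:ffff. Arithmetic instead of
    routed.subnets(new_prefix=112), which would enumerate 2**48 blocks."""
    base = ipaddress.IPv6Address(int(routed.network_address) + (index << 16))
    block = ipaddress.IPv6Network(f"{base}/112")
    return block.network_address + 1, block.broadcast_address


def check_dhcpv6_range(start, end, routed=ROUTED_64, tunnel=CLIENT_IPV6):
    """Return the problems with a proposed DHCPv6 lease range (empty list = fine)."""
    start, end = ipaddress.IPv6Address(start), ipaddress.IPv6Address(end)
    problems = []
    if start > end:
        problems.append("range start is after range end")
    if start not in routed or end not in routed:
        problems.append(f"range is not inside the routed LAN prefix {routed}")
        if start in tunnel.network or end in tunnel.network:
            problems.append(f"range lies in the tunnel prefix {tunnel.network}, "
                            "which is the point-to-point link to HE, not the LAN")
    return problems


def check_dns_server(addr, routed=ROUTED_64, server=SERVER_IPV6):
    """HE's end of the tunnel is a router, not a resolver; say what to use instead."""
    addr = ipaddress.IPv6Address(addr)
    if addr == server.ip:
        return (f"{addr} is HE's end of the tunnel and does not answer DNS; use the "
                f"router's LAN address {lan_gateway(routed).ip} if it runs a resolver, "
                "or a public recursive resolver")
    return None


def lan_prefixes_from_48(routed48=ROUTED_48, count=2):
    """First `count` /64s carved out of the /48, one per extra segment (VLAN, WiFi)."""
    base = int(routed48.network_address)
    return [ipaddress.IPv6Network(f"{ipaddress.IPv6Address(base + (i << 64))}/64")
            for i in range(count)]


if __name__ == "__main__":
    print("LAN gateway :", lan_gateway(ROUTED_64))
    lo, hi = dhcpv6_range(ROUTED_64)
    print("DHCPv6 range:", lo, "-", hi)
    # The range the thread first used sits in the tunnel /64 instead of the routed /64.
    for p in check_dhcpv6_range("2001:470:a:487::f000", "2001:470:a:487::ffff"):
        print("problem     :", p)
    print("DNS check   :", check_dns_server("2001:470:a:487::1"))
    print("/64s in /48 :", [str(n) for n in lan_prefixes_from_48()])
```

Leases handed out from the tunnel /64 collide with the point-to-point link to HE, which is why the thread saw traffic from the wrong prefix being dropped; the check above is the one to run before saving a DHCPv6 range on any router whose UI does not validate it against the LAN prefix.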

bimmerdriver

Quote from: kasperd on March 14, 2013, 02:46:32 AM
Quote from: bimmerdriver on March 13, 2013, 10:28:29 PM
I never noticed the a and the b until just now.
That's why they are written bold on the tunnel details page ;)

Quote from: bimmerdriver on March 13, 2013, 10:43:48 PM
Tunnel Broker: 2001:470:a:487::2
What does that description even mean? There are three values to be configured on the tunnel interface. But only one of them is critical, the other two can be misconfigured, and things will still be working for the most part.

Server IPv4 address is critical. If that is not configured correctly, the tunnel will not work at all. Client IPv6 is only of minor importance. It will show up in traceroute to your network, and HE will periodically ping it to see if you are still using the tunnel. I can't think of anything the server IPv6 address would be used for from the router configuration. You can ping it to see if your tunnel is up, but when you do that, you give the address explicitly, so the configured address isn't used there.

Quote from: bimmerdriver on March 13, 2013, 10:43:48 PM
If I understand correctly, I should be allocating addresses in 2001:470:b:487::/64, but I am doing so in 2001:470:a:487::/64.
You might not need the DHCPv6 server at all. If nothing on your LAN is using the DHCPv6 server, then misconfiguring the DHCPv6 server doesn't do much harm. You are supposed to be using a range of addresses which is part of the LAN segment, that is the routed /64.

Quote from: bimmerdriver on March 13, 2013, 10:43:48 PM
I tried changing the range to b, but then it wasn't happy with the dns server address being in a. I understood that the dns server should be the server end of the tunnel, which it is.
The server end of the tunnel is not a DNS server, so specifying that as DNS server address is not correct.

There are at least three possibilities for what that DNS server address means, and the correct value depends on which of the three the router is expecting.


  • It could be the IPv6 address the router's builtin DNS server is listening on. If that's the case, then any otherwise unused address in the routed or tunnel prefix will work. But usually you don't need to configure that at all, as the router will automatically pick the gateway address it has on the LAN side.
  • It could be a recursive resolver that the router's builtin DNS server will forward all requests to. In that case using 2001:470:20::2 is one option. But if that's the purpose, then it should be asking for two or three different addresses, and not just one.
  • It could be the address to be told to clients on the LAN (through RA, DHCPv6, or both). In that case it should also be asking for two or three addresses, and you should specify the router's address as the first and some recursive resolvers for the others (could be the same as above).

Quote from: bimmerdriver on March 13, 2013, 10:43:48 PM
I am definitely confused. I don't understand why it's working at all and I don't understand why the subnet is b, not a.
There are two subnets, one for each side of the router.
Thanks for your post.

Regarding the bold font, my bad.

Regarding DHCP, based on the fact that the addresses being allocated are in the range I configured, I believe it is being used.

Regarding the two subnets, now I understand.

The connection stayed up overnight, so I think it's configured properly now. The only concern is that there are still a lot of packets being dropped from an address in the subnet that I previously mistakenly configured (i.e., with the "a"). When I turned off the tunnel, the packets stopped. Hopefully it will stay that way.

Thanks again for your help.