Using routed /64 or /48 as source IP

Started by jrowens, December 12, 2008, 01:58:19 AM

jrowens

So, I have my tunnel, my /64, and two subnets out of the /48 hooked up now.  But whenever I go to one of the show-your-IP sites, like http://www.data.jp/ipv6/ipv6check.php, while browsing from the tunneler, it shows the IP of the tunnel endpoint.  Which is as it should be, as a default, I suppose; after all, sit1 is the interface from which the traffic originates.  But, I'm sure there's a way to trick it into using one of the Ethernet addresses, or the /64 which I have on lo for the moment.  Some convoluted routing statements come to mind, but I'd rather not try them out until I at least see if anyone has better ideas.

So, any takers?

Oh, while showing that IP on a web page is a trivial nuisance, there are of course more serious possibilities, like getting a particular source address for outgoing SMTP connections, and such.  Preferably without using packet mangling, or configuring the addresses in conf files for each application.

kristiankrohn

For me putting a /48 address on the tunnel interface and using the src parameter for the default route works:

ip -6 addr add <IPv6_from_the_routed_/48> dev he-ipv6
ip -6 route add ::/0 via <Tunnel_server_IPv6_address> dev he-ipv6 src <The_same_IPv6_from_the_routed_/48>


jrowens

Thanks for the tip!  I didn't know about the src parameter; I'm more of an ifconfig user, and src doesn't seem to be listed on the man page syntax listing (the brief stuff at the top, I see it now in the details below) (but it is in the `ip route help` output, too).

piojan

Quote from: kristiankrohn on December 12, 2008, 03:32:02 AM
For me putting a /48 address on the tunnel interface and using the src parameter for the default route works:

ip -6 addr add <IPv6_from_the_routed_/48> dev he-ipv6
ip -6 route add ::/0 via <Tunnel_server_IPv6_address> dev he-ipv6 src <The_same_IPv6_from_the_routed_/48>



I was trying to get the same effect.
Did add the "routed" ip some time ago. And as far as I can remember it was partly working (without playing with src/route). I checked it today and it wasn't working.

Tried the src option - without change.

However I have removed the link ipv6 address leaving only the "routed" from /48 (part of it) and now it works.
Somehow it didn't break anything.

uneedus

I am using ifconfig, and route instead of ip to establish my tunnel.

What do I need to do differently to have one of my routed IPs show up as my source IP?


snarked

I too use ifconfig and route.  However, I have found that "ip" needs to be used for certain things.

Picking the address to be a source is a complicated process (it has an RFC all to itself - 3484).  However, the implementation comes down to the "ip addrlabel" command.  The default table is like this:
# ip addrlabel show
prefix ::1/128 label 0
prefix ::/96 label 3
prefix ::ffff:0.0.0.0/96 label 4
prefix 2001::/32 label 6
prefix 2001:10::/28 label 7
prefix 2002::/16 label 2
prefix fc00::/7 label 5
prefix ::/0 label 1
Adding two more entries usually does the trick:
prefix XXXX::YYYY/128 label 1
prefix XXXX::/64 label 99
What that does is prevent all addresses in your prefix ("XXXX") from having a matching label with any other address, but then exempts address "YYYY" to match the default route.  This selects that "YYYY" address to always be the outgoing address unless you have an address that fits one of the other patterns AND the destination also fits that same pattern.

Configuration - I use this:
ip addrlabel add prefix $IP6ADDR::2/64 label 99
ip addrlabel add prefix $IP6ADDR::2/128 label 1
Where $IP6ADDR is my IPv6 prefix.  The rest of the table is provided by the OS (as the default).

Removing your link address could break the ability of HE to ping the tunnel and thus take it down, thinking it's not in use.

uneedus

It does not work for me, I get the following error:

'Object "addrlabel" is unknown, try "ip help".'

Am I doing something wrong?  Like the first poster, whenever I go to a site that shows my IPv6 address, it shows the ::2 end of the tunnel link, instead of my routed /64 or /48.

I am running Centos 5.


uneedus

Any idea where I can find an RPM package for updating my Centos5?  I have been unable to locate it at either the Centos or the Redhat site.

snarked

I gave you the source tarball.  You can't compile from source?  They don't provide precompiled packages.


andylyon

Apologies for replying to such an old thread, but I found this thread while searching for a solution and have since found a better way, so I decided to document it. When adding the tunnel endpoint address, mark it as preferred_lft 0 / preferred 0, which will result in the address being marked deprecated, which means it will not be used as a source address if alternatives exist.

e.g.

ip addr add [Your IPv6 Endpoint]/64 dev he-ipv6 preferred_lft 0

ip -6 addr list dev he-ipv6
11: he-ipv6: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1448
    inet6 [Your IPv6 Endpoint]/64 scope global deprecated
       valid_lft forever preferred_lft forever


Andy
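
Added example, not part of any post in this thread: a small Python model of the RFC 3484 source-selection rules that the addrlabel and preferred_lft 0 approaches above rely on (Rule 3 avoid deprecated, Rule 5 prefer outgoing interface, Rule 6 matching label, Rule 8 longest matching prefix). The addresses are constructed from the 2001:db8::/32 documentation range, the function names are hypothetical, all candidates are assumed to be global scope, and the remaining rules are left out.

```python
import ipaddress as ipa

# Default label table exactly as quoted in the thread (prefix -> label).
DEFAULT = {"::1/128": 0, "::/96": 3, "::ffff:0.0.0.0/96": 4, "2001::/32": 6,
           "2001:10::/28": 7, "2002::/16": 2, "fc00::/7": 5, "::/0": 1}

def label_of(addr, table):
    """Label of the longest prefix in the table that contains addr."""
    a = ipa.IPv6Address(addr)
    hits = [(ipa.IPv6Network(p), lbl) for p, lbl in table.items()]
    return max((h for h in hits if a in h[0]), key=lambda h: h[0].prefixlen)[1]

def common_prefix_len(a, b):
    """Number of leading bits two addresses share (used by Rule 8)."""
    return 128 - (int(ipa.IPv6Address(a)) ^ int(ipa.IPv6Address(b))).bit_length()

def select_source(dst, out_if, candidates, table=DEFAULT):
    """candidates: (address, interface, deprecated) tuples, all global scope.
    Later rules only break ties left by earlier ones; full ties keep list order
    (an assumption of this model, the kernel's own tie-break may differ)."""
    def rank(c):
        addr, iface, deprecated = c
        return (not deprecated,                                  # Rule 3
                iface == out_if,                                 # Rule 5
                label_of(addr, table) == label_of(dst, table),   # Rule 6
                common_prefix_len(addr, dst))                    # Rule 8
    return max(candidates, key=rank)[0]

# Constructed sample data, not taken from the thread.
DST = "2001:db8:ffff::80"
TUNNEL, ROUTED_A, ROUTED_B = "2001:db8:7:1::2", "2001:db8:8:1::1", "2001:db8:8:1::25"

def demo():
    # Starting point of the thread: the tunnel endpoint sits on the outgoing interface.
    default = select_source(DST, "he-ipv6",
                            [(TUNNEL, "he-ipv6", False), (ROUTED_A, "eth0", False)])
    # preferred_lft 0 marks the endpoint deprecated, so Rule 3 passes over it.
    deprecated = select_source(DST, "he-ipv6",
                               [(TUNNEL, "he-ipv6", True), (ROUTED_A, "eth0", False)])
    # addrlabel: give the routed /64 label 99, then exempt one /128 back to label 1.
    table = {**DEFAULT, "2001:db8:8:1::/64": 99, "2001:db8:8:1::25/128": 1}
    labelled = select_source(DST, "he-ipv6",
                             [(ROUTED_A, "eth0", False), (ROUTED_B, "eth0", False)], table)
    return default, deprecated, labelled

if __name__ == "__main__":
    print(demo())
```
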

patrickdk

I am doing this in many setups, including for lvs, have to always set the preferred_lft

auto he-ipv6
iface he-ipv6 inet6 v4tunnel
    address 2001:470:7:xxxx::2
    netmask 64
    local x.x.x.x
    endpoint 216.66.22.2
    gateway 2001:470:7:xxxx::1
    ttl 255
    mtu 1480
    up ip -6 addr add 2001:470:xxxx::1/128 dev he-ipv6
    up ip -6 addr change 2001:470:7:xxxx::2 dev he-ipv6 preferred_lft 0

rm

If you use a routed /48 or /64, you may simply not assign the tunnel v6 endpoint address on your end, this is what I do now.

 ip tunnel add he-ipv6 mode sit remote $TSERV local any ttl 255
 ip link set he-ipv6 up
 ip route add ::/0 dev he-ipv6

That's all for setting up he-ipv6, all the IPv6 addresses I use (on this router) get added to eth0, etc. And to choose among *them*, use the preferred_lft method described above.

phipac

Does anyone have a link or information on making a network script, either commands to add to ifcfg-eth0 or a separate script, to accomplish the "forced source" address on boot up?  I have been searching the 'net for some time and have not found anything to use to make a script - only command line references.

Thanks!

Ninho

Not what the OP asked, but somewhat related, I've just noticed that the IPv6 address of the tunnel (user side) does NOT need to be xxxx::2. Can be changed to xxxx::666, or I guess, pretty much anything except xxxx::1 which is assigned server-side.

So here we have another easy way for controlling source addresses even with the less cooperative of OSes and software! Tested on Windows 2k (sorry, sorry)... this should work in an OS agnostic fashion.

Thought some might like to know FWIW

OTOH I'm unable to have software clients like the browser source IPv6 from an interface other than the tunnel (on Win 2k again, which has no customisable prefix policies).

--
Ninho