Hurricane Electric's IPv6 Tunnel Broker Forums

Please login or register.

Login with username, password and session length
Advanced search  

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Pages: [1] 2

Author Topic: Linux based router (Mini-PC)  (Read 1093 times)

Walter H.

  • Newbie
  • *
  • Posts: 11
    • View Profile
Linux based router (Mini-PC)
« on: September 14, 2016, 05:14:46 AM »

Hello,

the situation: the Mini-PC (2 RJ45-interfaces and a WLAN antenna) is between the IPv4only NAT-router from my ISP and my own LAN;
eth0 and wlan0 is connected to a bridge (br0) and is the LAN "interface"
eth1 is the WAN interface
sit1 is the IPv6 tunnel end at my side (IPv6 address: 2001:470:1f0a:9c4::2/64)

the br0 has the following two addresses
2001:470:747b::1/48 (one IPv6 address from the routed /48)
2001:470:1f0b:9c8::1/64 (one IPv6 address from the routed /64)

my home LAN is for me and my roommate;
the time before I've been using this Mini-PC I used IPv6 only myself;

on my virtual machines (mostly Linux) I use fixed IPv6 addresses from the routed /64,
so there is as gateway the one IPv6 address from the routed /64 from above;
this works: the virtual machines to each other and also internet;

but: my roommate uses on his windows IPv6 addresses from the routed /48 like this:
IPV6 address: 2001:470:747b:13::10
Subnet prefix length: 48
Default gateway: 2001:470:747b::1

Preferred DNS server: 2001:470:747b::1

one of the virtual machines (mentioned above) has the
inet6 addr 2001:470:1f0b:9c8::17/64 with default gateway 2001:470:1f0b:9c8::1

and now the question that sounds really strange:

why can the mate's computer (has /48 routed IPv6 address) ping the virtual machine (has /64 routed IPv6 address)
but not the other way round?
except the only Linux is the mini-pc itself that can ping computers with /48 routed IPv6 addresses ...
(this is not specific to this two, every computer/virtual machine that has a /48 routed IPv6 address
can ping another one with /64 routed IPv6 address and not the other way round)

is there missing a routing between these to prefixes on my mini pc router?

I did run tcpdump -n icmpv6 on the mini-pc router while I ran ping6 on the virtual machine with a /64 routed IPv6 address

Code: [Select]
14:04:19.827501 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 7, length 64
14:04:19.827544 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:19.827552 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 7, length 64
14:04:20.827554 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 8, length 64
14:04:20.827664 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:20.827698 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 8, length 64
14:04:21.826572 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 9, length 64
14:04:21.826669 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:21.826701 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 9, length 64
14:04:22.825612 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 10, length 64
14:04:22.825717 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:22.825748 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 10, length 64
14:04:23.823205 IP6 fe80::264c:4eff:fe58:3124 > fe80::2646:57ff:fe30:3124: ICMP6, neighbor solicitation, who has fe80::2646:57ff:fe30:3124, length 32
14:04:23.823309 IP6 fe80::2646:57ff:fe30:3124 > fe80::264c:4eff:fe58:3124: ICMP6, neighbor advertisement, tgt is fe80::2646:57ff:fe30:3124, length 24
14:04:23.823620 IP6 fe80::2646:57ff:fe30:3124 > fe80::264c:4eff:fe58:3124: ICMP6, neighbor solicitation, who has fe80::264c:4eff:fe58:3124, length 32
14:04:23.823840 IP6 fe80::264c:4eff:fe58:3124 > fe80::2646:57ff:fe30:3124: ICMP6, neighbor advertisement, tgt is fe80::264c:4eff:fe58:3124, length 24
14:04:23.825545 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 11, length 64
14:04:23.825638 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:23.825673 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 11, length 64
14:04:24.824686 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 12, length 64
14:04:24.824790 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:24.824823 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 12, length 64
14:04:25.824695 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 13, length 64
14:04:25.824803 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:25.824835 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 13, length 64
14:04:26.824728 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 14, length 64
14:04:26.824831 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:26.824861 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 14, length 64
14:04:26.891918 IP6 fe80::2646:57ff:fe30:3124 > ff02::1: ICMP6, router advertisement, length 24
14:04:27.825023 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 15, length 64
14:04:27.825130 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:27.825162 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 15, length 64

please can someone give me a hint where the problem resides ...

Thanks,
Walter
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2529
    • View Profile
Re: Linux based router (Mini-PC)
« Reply #1 on: September 14, 2016, 07:45:40 AM »

He shouldn't use the entire /48

Split it into /64's and assign those.
Logged

Walter H.

  • Newbie
  • *
  • Posts: 11
    • View Profile
Re: Linux based router (Mini-PC)
« Reply #2 on: September 14, 2016, 08:10:12 AM »

how is this done?

or other question how many IPv6 addresses does the router have then?

the /48 routed prefix is
2001:470:747b::/48

the DHCPv6 server (also runs on the Mini-PC) uses 2001:470:747b:7::/48 for deploy

Code: [Select]
subnet6 2001:470:747b::/48 {
        range6 2001:470:747b:7:0:0:0:0 2001:470:747b:7:0:0:0:ffff;

        ddns-rev-domainname "7.0.0.0.b.7.4.7.0.7.4.0.1.0.0.2.ip6.arpa";
}
does the router need to have for each
2001:470:747b:xxxx::/64 subnet an IPv6-address
like 2001:470:747b:xxxx::1/64?
means: do I have to add several IPv6 addresses to br0 device?
one for DHCP part, one for roommate part, one for my extended part, ....
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2529
    • View Profile
Re: Linux based router (Mini-PC)
« Reply #3 on: September 14, 2016, 12:32:58 PM »

The router has one address per interface, same as an IPv4 router. 

Split your /48 into /64s and assign one per interface via DHCP
Logged

Walter H.

  • Newbie
  • *
  • Posts: 11
    • View Profile
Re: Linux based router (Mini-PC)
« Reply #4 on: September 14, 2016, 08:21:24 PM »

The router has one address per interface, same as an IPv4 router. 
in IPv4 I use 172.16.0.0/255.255.0.0

Quote
Split your /48 into /64s and assign one per interface via DHCP
the DHCPv6 assigns e.g. 2001:470:747b:7:0:0:0:1234/64 to a linux VM
and this IPv6 from the routed /48 I can ping from the above mentioned linux VM
but not when it's a Windows with an IPv6 from the routed /48;
Windows bug?

this is my radvd.conf
Code: [Select]
interface br0
{
        AdvSendAdvert on;
        AdvManagedFlag on;

        AdvOtherConfigFlag on;

        MinRtrAdvInterval 5;
        MaxRtrAdvInterval 15;

#       for range see /etc/dhcp/dhcpd6.conf
};
« Last Edit: September 14, 2016, 08:53:02 PM by Walter H. »
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2529
    • View Profile
Re: Linux based router (Mini-PC)
« Reply #5 on: September 15, 2016, 04:54:00 AM »

Let me try another way.

Forget about your /48...you don't use this other than to subnet from.

If your range is 2001:db8:1234::/48, you take a /64, say 2001:db8:1234:4567::/64 and assign it to a vlan.  Break off another and do the same thing.
Logged

Walter H.

  • Newbie
  • *
  • Posts: 11
    • View Profile
Re: Linux based router (Mini-PC)
« Reply #6 on: September 15, 2016, 05:12:17 AM »

What does this change to the origin problem
that a host which got its IPv6 address from the /64 routed prefix cannot ping
a Windows host which got its IPv6 address from the /48 routed prefix?
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2529
    • View Profile
Re: Linux based router (Mini-PC)
« Reply #7 on: September 15, 2016, 05:15:00 AM »

I did not understand that from your first question.

All of your hosts should get an address from the /48.

If you're trying to do something else, I'm not understanding.

Logged

Walter H.

  • Newbie
  • *
  • Posts: 11
    • View Profile
Re: Linux based router (Mini-PC)
« Reply #8 on: September 15, 2016, 05:25:52 AM »

I got two prefixes from HE
one /64 and
one /48
several hosts already have IPv6 addresses from the /64 prefix
and how do I have to use IPv6 addresses from the /48 in Windows?

this is a logik splitting not a physical splitting;
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2529
    • View Profile
Re: Linux based router (Mini-PC)
« Reply #9 on: September 15, 2016, 05:27:33 AM »

Don't use the /64.  You only use the tunnel /64, don't bother with the routed /64

If your hosts already have addresses from the /64, now is a good time to migrate
Logged

Walter H.

  • Newbie
  • *
  • Posts: 11
    • View Profile
Re: Linux based router (Mini-PC)
« Reply #10 on: September 15, 2016, 06:12:55 AM »

Don't use the /64.
why?

Quote
You only use the tunnel /64, don't bother with the routed /64
why this, because there is no better logical splitting than the routed /64 for me and the routed /48 for my roommate, isn't it?

Quote
If your hosts already have addresses from the /64, now is a good time to migrate
why this?

let's be a little bit more in detail:

if 2001:db8:1234::/48 is my routed /48 prefix and
2001:db8:cafe:beef::/64 is my routed /64 prefix, how can I use e.g.
2001:db8:1234::dead::/64 (a part of the /48 prefix) in Windows hosts besides the already
existing (mostly linux) hosts with IPv6 addresses from the routed /64 prefix?

and if I would migrate  the already existing hosts with the /64 addresses to the /48 addresses as you mentioned, then there would be the same problem because I need of more than one /64 subnet from the /48 routed prefix;
e.g. 2001:db8:1234:0::/64 for me,
2001:db8:1234:1::/64 for dynamically deployed IPv6 addresses by DHCPv6
2001:db8:1234:2::/64 for my mate ...
hosts from any subnet must be routed to the other subnets;
which address(es) does the router have on his LAN interface in this situation?
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2529
    • View Profile
Re: Linux based router (Mini-PC)
« Reply #11 on: September 15, 2016, 06:17:27 AM »

You have 64k of /64's in a /48, why do you need one more?
Logged

Walter H.

  • Newbie
  • *
  • Posts: 11
    • View Profile
Re: Linux based router (Mini-PC)
« Reply #12 on: September 15, 2016, 09:40:29 AM »

You have 64k of /64's in a /48,
this is correct mathematics, but that's not all;

Quote
why do you need one more?
there is no need of more just a little bit logical splitting on a physical LAN;
like this: "packets doing strange and from the /48 are from my roommate; others are from myself;"
that's all;
Logged

Walter H.

  • Newbie
  • *
  • Posts: 11
    • View Profile
Re: Linux based router (Mini-PC)
« Reply #13 on: September 15, 2016, 10:41:52 AM »

tried the following:
my routed /48 prefix is  2001:470:747b::/48
a Win7 VM with  IPv6address 2001:470:747b:1::314/64
a Linux VM this IPv6address 2001:470:747b::10/64
and both with fe80:.... as default gateway and this fe80:... is the scope local of the router (Mini-PC) on LAN side;

on the Win7 VM I can do ping 2001:470:747b::10
but on the Linux VM I can't do ping6 2001:470:747b:1::314 ...

why?
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2529
    • View Profile
Re: Linux based router (Mini-PC)
« Reply #14 on: September 15, 2016, 10:43:06 AM »

Unless your router has an address on its interfaces for those subnets, you need to add a route

this is the same behavior if you were trying to ping 10.0.0.1 from 192.168.1.1
Logged
Pages: [1] 2