Linux based router (Mini-PC)

Started by Walter H., September 14, 2016, 05:14:46 AM

Walter H.

Hello,

the situation: the Mini-PC (2 RJ45-interfaces and a WLAN antenna) is between the IPv4only NAT-router from my ISP and my own LAN;
eth0 and wlan0 are connected to a bridge (br0), which is the LAN "interface"
eth1 is the WAN interface
sit1 is the IPv6 tunnel end at my side (IPv6 address: 2001:470:1f0a:9c4::2/64)

the br0 has the following two addresses
2001:470:747b::1/48 (one IPv6 address from the routed /48)
2001:470:1f0b:9c8::1/64 (one IPv6 address from the routed /64)

my home LAN is for me and my roommate;
the time before I've been using this Mini-PC I used IPv6 only myself;

on my virtual machines (mostly Linux) I use fixed IPv6 addresses from the routed /64,
so there is as gateway the one IPv6 address from the routed /64 from above;
this works: the virtual machines to each other and also internet;

but: my roommate uses on his windows IPv6 addresses from the routed /48 like this:
IPV6 address: 2001:470:747b:13::10
Subnet prefix length: 48
Default gateway: 2001:470:747b::1

Preferred DNS server: 2001:470:747b::1

one of the virtual machines (mentioned above) has the
inet6 addr 2001:470:1f0b:9c8::17/64 with default gateway 2001:470:1f0b:9c8::1

and now the question that sounds really strange:

why can the mate's computer (has /48 routed IPv6 address) ping the virtual machine (has /64 routed IPv6 address)
but not the other way round?
except the only Linux is the mini-pc itself that can ping computers with /48 routed IPv6 addresses ...
(this is not specific to these two, every computer/virtual machine that has a /48 routed IPv6 address
can ping another one with /64 routed IPv6 address and not the other way round)

is there missing a routing between these two prefixes on my mini pc router?

I did run tcpdump -n icmpv6 on the mini-pc router while I ran ping6 on the virtual machine with a /64 routed IPv6 address

14:04:19.827501 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 7, length 64
14:04:19.827544 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:19.827552 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 7, length 64
14:04:20.827554 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 8, length 64
14:04:20.827664 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:20.827698 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 8, length 64
14:04:21.826572 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 9, length 64
14:04:21.826669 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:21.826701 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 9, length 64
14:04:22.825612 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 10, length 64
14:04:22.825717 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:22.825748 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 10, length 64
14:04:23.823205 IP6 fe80::264c:4eff:fe58:3124 > fe80::2646:57ff:fe30:3124: ICMP6, neighbor solicitation, who has fe80::2646:57ff:fe30:3124, length 32
14:04:23.823309 IP6 fe80::2646:57ff:fe30:3124 > fe80::264c:4eff:fe58:3124: ICMP6, neighbor advertisement, tgt is fe80::2646:57ff:fe30:3124, length 24
14:04:23.823620 IP6 fe80::2646:57ff:fe30:3124 > fe80::264c:4eff:fe58:3124: ICMP6, neighbor solicitation, who has fe80::264c:4eff:fe58:3124, length 32
14:04:23.823840 IP6 fe80::264c:4eff:fe58:3124 > fe80::2646:57ff:fe30:3124: ICMP6, neighbor advertisement, tgt is fe80::264c:4eff:fe58:3124, length 24
14:04:23.825545 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 11, length 64
14:04:23.825638 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:23.825673 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 11, length 64
14:04:24.824686 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 12, length 64
14:04:24.824790 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:24.824823 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 12, length 64
14:04:25.824695 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 13, length 64
14:04:25.824803 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:25.824835 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 13, length 64
14:04:26.824728 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 14, length 64
14:04:26.824831 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:26.824861 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 14, length 64
14:04:26.891918 IP6 fe80::2646:57ff:fe30:3124 > ff02::1: ICMP6, router advertisement, length 24
14:04:27.825023 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 15, length 64
14:04:27.825130 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:27.825162 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 15, length 64


please can someone give me a hint where the problem resides ...

Thanks,
Walter
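
Added example, not part of the original post: a short Python parser for tcpdump ICMPv6 lines like the capture above. It lists echo requests that never got a reply and flags redirects whose two addresses are equal, which per RFC 4861 is how a router tells the sender that the destination is a neighbour on the same link. The sample lines are copied from the capture; the function and field names are this example's own.

```python
import re
from ipaddress import ip_address

# Four lines copied verbatim from the capture in the post above.
CAPTURE = """\
14:04:19.827501 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 7, length 64
14:04:19.827544 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:19.827552 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 7, length 64
14:04:20.827554 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 8, length 64
"""

# tcpdump -n layout: "<time> IP6 <src> > <dst>: ICMP6, <type>, <details>"
LINE = re.compile(
    r"^\S+ IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, (?P<kind>[a-z ]+), (?P<rest>.*)$"
)

def summarize(capture):
    """Return unanswered echo sequence numbers and the redirects seen."""
    requests, replies, redirects = set(), set(), []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        kind, rest = m["kind"], m["rest"]
        if kind in ("echo request", "echo reply"):
            seq = int(re.search(r"seq (\d+)", rest).group(1))
            (requests if kind == "echo request" else replies).add(seq)
        elif kind == "redirect":
            first, second = re.match(r"(\S+) to (\S+),", rest).groups()
            redirects.append({
                "router": m["src"],
                "sent_to": m["dst"],
                "destination": first,
                # Equal addresses: the destination itself is the better next
                # hop, i.e. the router considers it on-link for the sender.
                "on_link": ip_address(first) == ip_address(second),
            })
    return {"unanswered": sorted(requests - replies), "redirects": redirects}

if __name__ == "__main__":
    result = summarize(CAPTURE)
    print("echo requests without reply:", result["unanswered"])
    for r in result["redirects"]:
        print(r)
```
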

cholzhauer

He shouldn't use the entire /48

Split it into /64's and assign those.

Walter H.

how is this done?

or other question how many IPv6 addresses does the router have then?

the /48 routed prefix is
2001:470:747b::/48

the DHCPv6 server (also runs on the Mini-PC) uses 2001:470:747b:7::/48 for deploy

subnet6 2001:470:747b::/48 {
        range6 2001:470:747b:7:0:0:0:0 2001:470:747b:7:0:0:0:ffff;

        ddns-rev-domainname "7.0.0.0.b.7.4.7.0.7.4.0.1.0.0.2.ip6.arpa";
}

does the router need to have for each
2001:470:747b:xxxx::/64 subnet an IPv6-address
like 2001:470:747b:xxxx::1/64?
means: do I have to add several IPv6 addresses to br0 device?
one for DHCP part, one for roommate part, one for my extended part, ....

cholzhauer

The router has one address per interface, same as an IPv4 router. 

Split your /48 into /64s and assign one per interface via DHCP

Walter H.

Quote from: cholzhauer on September 14, 2016, 12:32:58 PM
The router has one address per interface, same as an IPv4 router. 
in IPv4 I use 172.16.0.0/255.255.0.0

Quote
Split your /48 into /64s and assign one per interface via DHCP
the DHCPv6 assigns e.g. 2001:470:747b:7:0:0:0:1234/64 to a linux VM
and this IPv6 from the routed /48 I can ping from the above mentioned linux VM
but not when it's a Windows with an IPv6 from the routed /48;
Windows bug?

this is my radvd.conf

interface br0
{
        AdvSendAdvert on;
        AdvManagedFlag on;

        AdvOtherConfigFlag on;

        MinRtrAdvInterval 5;
        MaxRtrAdvInterval 15;

#       for range see /etc/dhcp/dhcpd6.conf
};

cholzhauer

Let me try another way.

Forget about your /48...you don't use this other than to subnet from.

If your range is 2001:db8:1234::/48, you take a /64, say 2001:db8:1234:4567::/64 and assign it to a vlan.  Break off another and do the same thing.

Walter H.

What does this change to the original problem
that a host which got its IPv6 address from the /64 routed prefix cannot ping
a Windows host which got its IPv6 address from the /48 routed prefix?

cholzhauer

I did not understand that from your first question.

All of your hosts should get an address from the /48.

If you're trying to do something else, I'm not understanding.


Walter H.

I got two prefixes from HE
one /64 and
one /48
several hosts already have IPv6 addresses from the /64 prefix
and how do I have to use IPv6 addresses from the /48 in Windows?

this is a logical splitting not a physical splitting;

cholzhauer

Don't use the /64.  You only use the tunnel /64, don't bother with the routed /64

If your hosts already have addresses from the /64, now is a good time to migrate

Walter H.

Quote from: cholzhauer on September 15, 2016, 05:27:33 AM
Don't use the /64.
why?

Quote
You only use the tunnel /64, don't bother with the routed /64
why this, because there is no better logical splitting than the routed /64 for me and the routed /48 for my roommate, isn't it?

Quote
If your hosts already have addresses from the /64, now is a good time to migrate
why this?

let's be a little bit more in detail:

if 2001:db8:1234::/48 is my routed /48 prefix and
2001:db8:cafe:beef::/64 is my routed /64 prefix, how can I use e.g.
2001:db8:1234:dead::/64 (a part of the /48 prefix) in Windows hosts besides the already
existing (mostly linux) hosts with IPv6 addresses from the routed /64 prefix?

and if I would migrate the already existing hosts with the /64 addresses to the /48 addresses as you mentioned, then there would be the same problem because I need more than one /64 subnet from the /48 routed prefix;
e.g. 2001:db8:1234:0::/64 for me,
2001:db8:1234:1::/64 for dynamically deployed IPv6 addresses by DHCPv6
2001:db8:1234:2::/64 for my mate ...
hosts from any subnet must be routed to the other subnets;
which address(es) does the router have on his LAN interface in this situation?

cholzhauer

You have 64k of /64's in a /48, why do you need one more?

Walter H.

Quote from: cholzhauer on September 15, 2016, 06:17:27 AM
You have 64k of /64's in a /48,
this is correct mathematics, but that's not all;

Quote
why do you need one more?
there is no need of more just a little bit logical splitting on a physical LAN;
like this: "packets doing strange and from the /48 are from my roommate; others are from myself;"
that's all;

Walter H.

tried the following:
my routed /48 prefix is 2001:470:747b::/48
a Win7 VM with IPv6 address 2001:470:747b:1::314/64
a Linux VM with IPv6 address 2001:470:747b::10/64
and both with fe80:.... as default gateway and this fe80:... is the scope local of the router (Mini-PC) on LAN side;

on the Win7 VM I can do ping 2001:470:747b::10
but on the Linux VM I can't do ping6 2001:470:747b:1::314 ...

why?

cholzhauer

Unless your router has an address on its interfaces for those subnets, you need to add a route

this is the same behavior if you were trying to ping 10.0.0.1 from 192.168.1.1
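
Added example, not part of the thread: a Python sketch of the addressing advice given above, using the documentation prefix 2001:db8:1234::/48 from the earlier posts. It carves /64s out of the /48, shows how a host's configured prefix length decides whether it treats a destination as on-link, and checks whether the router has a connected or static route for a destination. The subnet names, the host addresses and the fe80::1 next hop are assumptions made for this example.

```python
import ipaddress

def plan(routed_prefix, names):
    """Give each name the next /64 of the routed prefix; the router takes ::1."""
    nets = ipaddress.ip_network(routed_prefix).subnets(new_prefix=64)
    return {name: f"{net[1]}/64" for name, net in zip(names, nets)}

def host_next_hop(host_cidr, dst):
    """A host sends directly only when dst lies inside its own configured prefix."""
    host = ipaddress.ip_interface(host_cidr)
    return "on-link" if ipaddress.ip_address(dst) in host.network else "default gateway"

def router_route(router_cidrs, dst, static_routes=()):
    """Longest-prefix match over the router's connected prefixes and static routes."""
    dst = ipaddress.ip_address(dst)
    table = [(ipaddress.ip_interface(c).network, "connected") for c in router_cidrs]
    table += [(ipaddress.ip_network(p), f"via {gw}") for p, gw in static_routes]
    hits = [(net, how) for net, how in table if dst in net]
    if not hits:
        return None  # no address on that subnet and no route: packet is not forwarded
    net, how = max(hits, key=lambda h: h[0].prefixlen)
    return f"{net} {how}"

if __name__ == "__main__":
    addrs = plan("2001:db8:1234::/48", ["walter", "dhcp", "roommate"])
    for name, cidr in addrs.items():
        print(f"{name:9} router address on br0: {cidr}")

    mate = "2001:db8:1234:2::10"    # constructed host in the roommate /64
    walter = "2001:db8:1234::10"    # constructed host in the first /64

    # The same host address behaves differently with prefix length 48 and 64.
    print(host_next_hop(f"{mate}/48", walter))   # whole /48 looks on-link
    print(host_next_hop(f"{mate}/64", walter))   # goes through the router

    # Router without an address in the roommate /64 has no route to it.
    partial = [addrs["walter"], addrs["dhcp"]]
    print(router_route(partial, mate))
    print(router_route(partial + [addrs["roommate"]], mate))
    print(router_route(partial, mate, [("2001:db8:1234:2::/64", "fe80::1")]))
```
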