Routed /48 for use on a 2nd router (ish)

[mijedk]

Hi,

I'm still really new to all this, but have run in to a problem that I'm not sure how to handle.

Got one firewall (Palo Alto, shame on them, for not supporting 6in4 tunnels) where our public lab IPv4 subnet is terminated.

Since I can't create the tunnel on the firewall, I was thinking about just adding a small linux VM behind that FW, that creates the tunnel to he.net (that part works fine), but I really want the main firewall to handle all network related rules (ipv4/6), my initial ideas would be to just route the /48 to an IPv6 client address assigned to the Palo Alto firewall from the /64 net, but it seems to be hard coded to route it to ::2 (the "Client IPv6 Address" on the tunnel details), which is on the linux VM, so that wont help me much, unless I'm missing something completely.

Does anyone, have any ideas how I can achieve this, or got any pointers for stuff to search for, if its possible at all.

[cholzhauer]

I do something like this; my firewall is an ASA and you can't create a tunnel on there.  I stood up a FreeBSD VM outside of the firewall and terminated my tunnel on it.  Then, all traffic that comes through my firewall and I can filter it as needed.

[mijedk]

Finally got my head around it, ended up with:

1 Linux VM (ubuntu 16.10) with a plain normal HE tunnel setup (sitting on a public IPv4 address (123.123.123.123)):

auto he-ipv6
iface he-ipv6 inet6 v4tunnel
        address 2001:470:xxx:123::2
        netmask 64
        mtu 1280
        local 123.123.123.123
        endpoint 216.66.86.114
        ttl 255
        gateway 2001:470:xxx:123::1

Then added a site-local address ( fde4:8dba:82e1::/64) on ens160 on the same linux box:
iface ens160 inet6 static
address  fde4:8dba:82e1::1
netmask 64
mtu 1280

Then enabled IPv6 routing on the Linux VM (/etc/sysctl.conf)

Finally adding a route on the Linux VM: ip route add 2001:470:xxxx::/48 dev ens160

Then on the Palo Alto firewall:
1) Adding  fde4:8dba:82e1::2/64 to an interface
2) Adding a address (2001:470:xxxx::1/48) from the /48 routed network on the same interface (will be split up later)
3) Adding a static route for ::/0 -> fde4:8dba:82e1::1 (the linux VM)

Then connected a client on the same vlan/interface as the Palo Alto FW, and assigned it 2001:470:xxxx::2/48 with 2001:470:xxxx::1/48 as GW, and it can connect to 2600:: / google etc.

In case someone needs something similar, there is likely some things i haven't considered with doing it this way, but was a small success on the road to get this working at least.

[mijedk]

Turns out the above worked pretty badly for what i wanted, so went with ospfv3 instead, that however is working exactly like I wanted it now.

Still using the same Linux VM as above, with the same tunnel conf, but installed quagga with a simple zebra/ospf6d conf (ens192 is what's connected to the palo alto interface/vlan, ens160 is only used for ipv4 for the tunnel), moved the fde4:8dba:82e1::1 to ens192 instead, this is main parts of the quagga conf:

!
interface ens192
  ip address 10.10.90.1/24
  ipv6 nd suppress-ra
  ipv6 ospf6 network broadcast
!
interface he-ipv6
  ipv6 nd suppress-ra
  ipv6 ospf6 network point-to-point
  ipv6 ospf6 passive
!
router ospf6
  router-id 10.10.90.1
  interface ens192 area 0.0.0.0
  interface he-ipv6 area 0.0.0.0
!
ipv6 route 2001:470:xxxx::/48 ens192
!
ipv6 forwarding
!

I wanted to use different /56 on varies different interfaces/vlans on the palo alto fw, so this is how i configured it:

On the Palo Alto firewall, created a new (sub)interface on the same vlan as ens192 on the Linux VM, gave it an fde4:8dba:82e1::2 address, added 10.10.90.2/24, enabled ipv6 on the interface (L3), assigned the default virtual router to the interface, then went to ospfv3 on the default virtual router config, set the router id to 10.10.90.2, ticked enable, added a new 0.0.0.0 area, added the interfaces i wanted to use the different /56 networks on (default settings), on the main ospfv3 settings page, unticked "Reject default route", then went to "Static routes" -> IPv6, added a new default route for IPv6, dest = ::/0, interface = the interface the linux vm is connected to, next hop, IPv6 address = fde4:8dba:82e1::1.

Added firewall rules as needed (looked at the monitor tab).

Just posting in case anyone else is having issues getting it to work on the palo alto fws, it's not the easiest thing to find help on, and this is in no way best practices for anything, just pushing different things until it works :P