Problems with initial setup on Debian

Started by adhawkins, November 03, 2017, 08:26:58 AM

adhawkins

Hi,

Trying to set up a tunnelbroker tunnel on Debian. It seems to be failing to assign the default gateway:

root@xcp-gateway:~# ifup -v he-ipv6

ifup: configuring interface he-ipv6=he-ipv6 (inet6)
/bin/run-parts --exit-on-error --verbose /etc/network/if-pre-up.d
run-parts: executing /etc/network/if-pre-up.d/ethtool
/sbin/modprobe -q net-pf-10 > /dev/null 2>&1 || true # ignore failure.
/bin/ip tunnel add he-ipv6 mode sit remote 216.66.88.98 local my.ip.addr.here        ttl 255
/bin/ip link set he-ipv6 up
/bin/ip addr add 2001:470:xxxx:da2::2/64 dev he-ipv6
/bin/ip route add 2001:470:xxxx:da2::1 dev he-ipv6
/bin/ip route add ::/0 via 2001:470:1f1c:da2::1  dev he-ipv6 onlink
RTNETLINK answers: File exists
ifup: failed to bring up he-ipv6

This machine already acts as a NAT firewall / gateway for my internal network via ip4. All works fine. I'm pretty sure I've allowed protocol 41 through the firewall.

Any suggestions?

Thanks

Andy

cholzhauer

Well, an easy test to tell whether or not it's the firewall is to just disable it and try again.  If it works, you have a firewall issue, if it doesn't, the firewall isn't the issue.

adhawkins

Hi,

I've done some further testing, and if I use the commands to manually create two sit interfaces, and bring up the tunnel that way, it all works.

That suggests the firewall config is just fine, there's something else about the instructions that isn't working.

Thanks

Andy

divad27182

I'm not sure what "onlink" is doing.  My older Debian's program does not include it.  The line with that is an attempt to assign a default gateway.

Once you've brought up your links, your first test should be to ping the other end.  In your case, "2001:470:1f1c:da2::1".  If that works, try something else.  Actually, your link is up now as I can ping your address.

If you want the machine to forward for everybody else, install and configure radvd.  This will get all the other machines on the subnet addresses, and tell them where to route.  This should be using "2001:470:1f1d:da2::/64" , unless you've also requested a /48.

If "my.ip.addr.here" is you masking it out, OK.  If not, you can just omit the "local" clause altogether, and let the kernel decide on its own.

Edit: if you want it forwarding, you also need to turn on IPv6 routing, typically by adding "net.ipv6.conf.all.forwarding = 1" to /etc/sysctl.conf or /etc/sysctl.d/something.conf (and then either run the command manually or reboot...)

adhawkins

Hi,

I have since been able to manually bring up the link with the following series of commands:

ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.88.98
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:470:xxxx:da2::2/64
route -A inet6 add ::/0 dev sit1

Once I've done this, I can do a ping6 and it works.

However, I'd obviously like the link to come up automatically when the system starts, so ideally this should happen via /etc/network/interfaces.

The 'my.ip.addr.here' bit is me just masking out my local IPv4 address, yes.

Once I can bring the link up and down using 'standard' Debian means, I'll then move on to enabling forwarding etc.

Thanks

Andy


divad27182

Quote from: adhawkins on November 03, 2017, 08:26:58 AM
/bin/ip route add ::/0 via 2001:470:1f1c:da2::1  dev he-ipv6 onlink
RTNETLINK answers: File exists
ifup: failed to bring up he-ipv6
I don't know why I didn't see it before, but the text "RTNETLINK answers: File exists" is an error from the ip command.  In particular, in this case it means it is trying to add a route to somewhere there is already a route to.   It can't add an IPv6 default route because you already have one.  Remove the preexisting default route and try again.

adhawkins

That seems to be it. Somehow during the setup, a default ipv6 route is being created. I need to manually delete this route in order to be able to add the new default route.

Any suggestions as to how I prevent this 'other' default route from being created?

Thanks

Andy

adhawkins

I think I've got to the bottom of it. It appears to be the 'local' line that causes this.

If I remove that, then it seems to bring up the interface correctly.

Will monitor to make sure, but fingers crossed that's it sorted.

Andy

divad27182

Quote from: adhawkins on November 13, 2017, 01:16:33 AM
I think I've got to the bottom of it. It appears to be the 'local' line that causes this.

If I remove that, then it seems to bring up the interface correctly.

Will monitor to make sure, but fingers crossed that's it sorted.

Andy

Well, I think the "local" line picks the IP address that the tunnel sends from.  It isn't needed, but should be slightly faster than letting the kernel pick for you based on the routing tables.  It is also more flexible not to use it, in that a change in your IP address won't require reconfiguration.

As for why that makes a default route fail: It probably doesn't, and probably didn't.  Configuration errors often leave some pieces behind, particularly if the configuration is changed between an ifup and an ifdown.  Sometimes, you just have to go through and remove everything that isn't right by hand, before trying again.  Frankly, this is one reason Microsoft Windows wants you to reboot so often. 

Other things that could be making the default route:  well, SLAAC based on your ISP's multicasts could do it.  Other entries in /etc/network/interfaces could do it.  Something in /etc/rc.local or similar could do it.  DHCP6 could do it.

Have fun with your IPv6.

adhawkins

Thanks.

I did also do some playing around with sysctl, after finding that if the machine is configured with forwarding enabled, it won't automatically create a default route. Perhaps it was this that did it.

Anyway, all seems to be well now. I've even rebooted the gateway a number of times to make sure that it all comes back cleanly from a cold start.

Thanks again for the help.

Andy
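
A diagnostic sketch for two points raised in the thread: which mechanism installed a pre-existing IPv6 default route, and how the forwarding sysctl affects router advertisements. It is an added example, not part of any poster's message; the function names are its own, the sample routes are constructed, and it assumes iproute2's "ip -6 route" output format.

```shell
#!/bin/sh
# Added diagnostic example. Sample routes are constructed (2001:db8::/32 is the
# documentation prefix); function names are this example's own.
SAMPLE='default via fe80::1 dev eth0 proto ra metric 1024 expires 1700sec pref medium
default via 2001:db8:1f1c:da2::1 dev he-ipv6 metric 1024 onlink pref medium'

# Read "ip -6 route show default" lines on stdin; print "<origin> <dev>" per route.
# Assumes a kernel that tags RA-learned routes "proto ra". iproute2 does not print
# "proto boot", the default for routes added with "ip route add" (as ifupdown does).
classify_default_routes() {
    while read -r line; do
        case "$line" in default*) ;; *) continue ;; esac
        dev=$(printf '%s\n' "$line" | sed -n 's/.* dev \([^ ]*\).*/\1/p')
        proto=$(printf '%s\n' "$line" | sed -n 's/.* proto \([^ ]*\).*/\1/p')
        case "$proto" in
            ra) origin=router-advertisement ;;
            "") origin=manual-or-ifupdown ;;
            *)  origin="proto-$proto" ;;
        esac
        echo "$origin ${dev:-unknown}"
    done
}

# Kernel rule for accept_ra: 0 = never, 1 = only while forwarding is off,
# 2 = accept RAs even with forwarding on.  $1 = forwarding, $2 = accept_ra
ra_processed() {
    case "$2" in
        2) echo yes ;;
        1) if [ "$1" = 0 ]; then echo yes; else echo no; fi ;;
        *) echo no ;;
    esac
}

# Live report: existing default routes and, per interface, whether RAs are honoured.
report_live() {
    ip -6 route show default | classify_default_routes
    for p in /proc/sys/net/ipv6/conf/*/accept_ra; do
        d=${p%/accept_ra}
        echo "${d##*/}: RA processed = $(ra_processed "$(cat "$d/forwarding")" "$(cat "$p")")"
    done
}

if [ "${1:-}" = "--live" ]; then report_live; fi
```

Run it with --live on the gateway before ifup: every route line it prints is a default route that already exists, labelled by where it came from.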