• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Clients not in "Routed /64" subnet

Started by gdmbweil42, February 12, 2018, 04:51:39 AM


gdmbweil42

Hi,

I have a router and a Hardware Firewall behind said Router. Router manages the HE Tunnel.

HE Server IPv6 is 2001:x:A:y::1
Router Address is 2001:x:A:y::2
Routed /64 is      2001:x:B:y::/64

Router address is fd00::something. Router is exposed IPv4 & IPv6 for Firewall.
Firewall address is first address from "Routed /64", 2001:x:B:y::1

What I don't understand are the addresses for my clients behind the firewall. I would expect those to be something from my "Routed /64", but they are not. In fact, they all have a different prefix, meaning 2001:x:C:y::/64 (the third group is "C", not "B" as I would expect it. Also the "y" is identical in all addresses). This prefix is not shown in my HE Account nor anywhere else. Can someone elaborate on that?

Thanks
Martin

cholzhauer

Obfuscating makes it hard to help and is not needed; can you please post the real ranges?

With that being said, you're supposed to use the routed /64 for hosts behind your firewall.  If you have multiple subnets, you need to request a /48.

The outside interface of your router has an IP from your tunnel /64 and the inside interface has an IP from the routed /64.

gdmbweil42

Sorry for that, here are the real values:

2001:470:1f0a:160d::1 is HE Server
2001:470:1f0a:160d::2 is Router

2001:470:1f0b:160d::/64 is "routed /64"

So my router gives out this subnet and clients should generate any address beginning with "2001:470:1f0b:160d:", correct?

My firewall has 2001:470:1f0b:160d::1

But every client has an address with prefix 2001:470:1f0c:160d:: (there is a "c" in the third group, not a "b"). Why? Am I even "allowed" to use that prefix since Tunnelbroker does not provide this one to me?

Hope this explains it better

cholzhauer

Quote
So my router gives out this subnet and clients should generate any address beginning with "2001:470:1f0b:160d:", correct?

That's correct.

Quote
My firewall has 2001:470:1f0b:160d::1.  But every client has an address with prefix 2001:470:1f0c:160d:: (there is a "c" in the third group, not a "b"). Why? Am I even "allowed" to use that prefix since Tunnelbroker does not provide this one to me?


This has to be a misconfiguration on your router.  As you pointed out, this isn't one of your ranges, but since you're getting addresses in that range and your router is the one handing out addresses, your router has to be wrong.  Check for a typo in the config, or if you want, post a screenshot.
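Added example, not part of the original posts: one way to run the check suggested above is to compare the addresses clients actually hold against the routed /64 and report how far a foreign prefix is from it, which makes a one-digit typo stand out. The routed prefix comes from the thread; the function names and the interface identifiers in the sample are assumptions made up for illustration.

```python
import ipaddress

# Routed /64 as posted in the thread; clients are expected to sit inside it.
ROUTED = [ipaddress.IPv6Network("2001:470:1f0b:160d::/64")]
ULA = ipaddress.IPv6Network("fc00::/7")


def nibble_distance(a, b):
    """Count hex digits that differ in the first 64 bits of two networks."""
    ha = a.network_address.exploded.replace(":", "")[:16]
    hb = b.network_address.exploded.replace(":", "")[:16]
    return sum(x != y for x, y in zip(ha, hb))


def audit(addresses, routed=ROUTED):
    """Return (address, verdict, detail) tuples for IPv6 address strings.

    verdict: "ok" inside a routed prefix, "skip" for link-local or ULA,
    "foreign" for a global address outside every routed prefix.
    """
    results = []
    for text in addresses:
        addr = ipaddress.IPv6Address(text)
        if addr.is_link_local or addr in ULA:
            results.append((text, "skip", "not globally routed"))
            continue
        match = next((n for n in routed if addr in n), None)
        if match is not None:
            results.append((text, "ok", str(match)))
            continue
        # Foreign prefix: compare its /64 with the closest routed /64.
        seen = ipaddress.IPv6Network((addr, 64), strict=False)
        nearest = min(routed, key=lambda n: nibble_distance(seen, n))
        dist = nibble_distance(seen, nearest)
        hint = f"{seen} differs from {nearest} in {dist} hex digit(s)"
        results.append((text, "foreign", hint))
    return results


# Constructed sample: prefixes from the thread, interface identifiers invented.
SAMPLE = [
    "2001:470:1f0b:160d::1",
    "2001:470:1f0c:160d:a00:27ff:fe12:3456",
    "fe80::a00:27ff:fe12:3456",
    "fd00::1",
]

if __name__ == "__main__":
    for address, verdict, detail in audit(SAMPLE):
        print(f"{verdict:8} {address}  ({detail})")
```

A "foreign" result that differs by a single hex digit points at a mistyped static address or advertised prefix rather than at a second upstream.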

gdmbweil42

And - of course - a typo was the culprit. Thank you for pointing that out.

The internal interface of my firewall had a static IPv6 and this one had the "c" error.

Thanks