Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: How do I allow internal clients access to the IPv6 space?  (Read 9103 times)

qtwre

  • Newbie
  • *
  • Posts: 6
How do I allow internal clients access to the IPv6 space?
« on: May 19, 2009, 04:17:12 PM »

I currently have an opensuse 11 router with eth0 connected to the internet and eth1 connected to the internal network.  I've followed the steps to create the tunnel and it seems to be working just fine.  What I'd like to do is allow the clients on the internal network access to this tunnel.

I'm learning as I go so at first I thought the opensuse box would just route traffic over the tunnel without any further configuration.  It seems I was wrong.  I've since read this thread http://www.tunnelbroker.net/forums/index.php?topic=330.0 which was helpful but I've been having trouble applying it to my situation.

Here's what I've done:
ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.38.XX (for privacy)
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:470:b094::/48
route -A inet6 add ::/0 dev sit1
sysctl -w net.ipv6.conf.all.forwarding=1
ifconfig eth1 inet6 add 2001:470:b094::1/64

I'm hoping what I've done there is assigned the 2001:470:b094::/64 subnet to the eth1 interface.  What do I do next?  Have I gone wrong already?

If it matters, the Opensuse router is a dhcp server as well.

kriteknetworks

  • Sr. Member
  • ****
  • Posts: 259
    • aRDy Music
Re: How do I allow internal clients access to the IPv6 space?
« Reply #1 on: May 20, 2009, 04:05:34 AM »

You're trying to forward using your tunnel /64. Use your ROUTED /64 instead: assign ::1 from the routed /64 to eth1, and you should be good to go. Optionally, you can configure radvd to advertise the routed /64 to your LAN so LAN clients can autoconfigure themselves.

qtwre

  • Newbie
  • *
  • Posts: 6
Re: How do I allow internal clients access to the IPv6 space?
« Reply #2 on: May 20, 2009, 06:43:29 AM »

I meant to post this in the linux forum, sorry.

I'm not sure I understand what you mean.  I've been going over the other thread to which I linked and it looks like this is what I'm supposed to do.

Here are my tunnel details:
Routed /48: 2001:470:b094::/48
Routed /64: 2001:470:1d:7c::/64

So I thought what I'm doing is breaking a /64 out of the /48.

Would this be enough for a radvd config?

interface eth1 {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        prefix 2001:470:b094::/64 {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
};
« Last Edit: May 20, 2009, 06:46:50 AM by qtwre »

qtwre

  • Newbie
  • *
  • Posts: 6
Re: How do I allow internal clients access to the IPv6 space?
« Reply #3 on: May 20, 2009, 08:15:23 AM »

Well I know I've done something wrong.

My ubuntu 8.04 test bed has received an ipv6 ip, but my Fedora 10 desktop has not.  The Ubuntu machine isn't able to ping ipv6.google.com.  I'm hoping somebody will tell me it's because I've configured the wrong ip and it won't be an issue like I've read from some people here.

edit:
Posting up some info to more easily pinpoint where I've gone wrong.

This is the eth1 ifconfig on the opensuse router
Code:
sit1      Link encap:IPv6-in-IPv4
          inet6 addr: 2001:470:b094::/48 Scope:Global
          inet6 addr: 2001:470:1c:7c::2/64 Scope:Global
          inet6 addr: fe80::c0a8:141/64 Scope:Link
          inet6 addr: fe80::45c4:b4b3/64 Scope:Link
          inet6 addr: fe80::c0a8:1/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1472  Metric:1
          RX packets:90 errors:0 dropped:0 overruns:0 frame:0
          TX packets:132 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:11016 (10.7 Kb)  TX bytes:15760 (15.3 Kb)

This is the ifconfig from my ubuntu test bed.
Code:
eth0      Link encap:Ethernet  HWaddr 00:11:09:66:24:c2
          inet addr:192.168.0.159  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: 2001:470:b094:0:211:9ff:fe66:24c2/64 Scope:Global
          inet6 addr: fe80::211:9ff:fe66:24c2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:267083 errors:0 dropped:0 overruns:0 frame:0
          TX packets:142234 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:397616770 (379.1 MB)  TX bytes:9785862 (9.3 MB)
          Interrupt:16 Base address:0xec00

...And here is a traceroute from the same computer.
Code:
traceroute to ipv6.l.google.com (2001:4860:0:2001::68) from 2001:470:b094:0:211:9ff:fe66:24c2, 30 hops max, 16 byte packets
 1  2001:470:b094::1 (2001:470:b094::1)  2.256 ms  0.145 ms  0.116 ms
 2  2001:470:b094::1 (2001:470:b094::1)  0.17 ms  1.275 ms  0.142 ms

Here is the ifconfig from my Fedora 10 desktop.
Code:
eth0      Link encap:Ethernet  HWaddr 00:16:E6:84:AF:D9
          inet addr:192.168.0.160  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::216:e6ff:fe84:afd9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3938614 errors:0 dropped:38 overruns:0 frame:0
          TX packets:2129853 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5511802395 (5.1 GiB)  TX bytes:248889862 (237.3 MiB)
          Interrupt:16

As you can see, it isn't taking an ipv6 ip for some reason though that is a different problem.
« Last Edit: May 20, 2009, 08:54:30 AM by qtwre »

kristiankrohn

  • Newbie
  • *
  • Posts: 31
Re: How do I allow internal clients access to the IPv6 space?
« Reply #4 on: May 20, 2009, 09:21:24 AM »

Get rid of the 2001:470:b094::/48 assignment on sit1 & check again.

Going from your radvd config you should have 2001:470:b094::1/64 on your eth1. (I assume this is already configured. Just wanted to make sure.)

qtwre

  • Newbie
  • *
  • Posts: 6
Re: How do I allow internal clients access to the IPv6 space?
« Reply #5 on: May 20, 2009, 09:59:43 AM »

Yes, sorry.  eth1 is configured as such.  I got rid of the /48 on sit1.

Code:
eth1      Link encap:Ethernet  HWaddr 00:04:AC:CB:72:9F
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: 2001:470:b094::1/64 Scope:Global
          inet6 addr: fe80::204:acff:fecb:729f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1270276 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1856048 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:106493257 (101.5 Mb)  TX bytes:2465189204 (2350.9 Mb)

ipv6 forwarding is also enabled.
Code:
cat /proc/sys/net/ipv6/conf/all/forwarding
1

I'm still getting the same traceroute result from the ubuntu client.
Code:
traceroute6 ipv6.google.com
traceroute to ipv6.l.google.com (2001:4860:0:2001::68) from 2001:470:b094:0:211:9ff:fe66:24c2, 30 hops max, 16 byte packets
 1  2001:470:b094::1 (2001:470:b094::1)  4.125 ms  0.163 ms  0.104 ms
 2  2001:470:b094::1 (2001:470:b094::1)  0.168 ms  1.27 ms  0.148 ms

Is this helpful? My routing.
Code:
ip -6 route show
::/96 via :: dev sit0  metric 256  expires 21268356sec mtu 1480 advmss 1420 hoplimit 4294967295
2001:470:1c:7c::/64 via :: dev sit1  metric 256  expires 21268385sec mtu 1472 advmss 1412 hoplimit 4294967295
2001:470:b094::/64 dev eth1  metric 256  expires 21326712sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0  metric 256  expires 21266244sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1  metric 256  expires 21266245sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 via :: dev sit1  metric 256  expires 21268360sec mtu 1472 advmss 1412 hoplimit 4294967295
default dev sit1  metric 1  expires 21268386sec mtu 1472 advmss 1412 hoplimit 4294967295
« Last Edit: May 20, 2009, 10:18:59 AM by qtwre »

kristiankrohn

  • Newbie
  • *
  • Posts: 31
Re: How do I allow internal clients access to the IPv6 space?
« Reply #6 on: May 20, 2009, 10:34:45 AM »

Hmm .. strange.

Can you paste both a "ip -6 addr show" and a "ip -6 route show" from both the router & client?

EDIT: had "-4" instead of "-6" for the route show command .. which is of course wrong

qtwre

  • Newbie
  • *
  • Posts: 6
Re: How do I allow internal clients access to the IPv6 space?
« Reply #7 on: May 20, 2009, 10:43:56 AM »

router "ip -6 addr show"
Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::250:baff:fe83:cb09/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:470:b094::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::204:acff:fecb:729f/64 scope link
       valid_lft forever preferred_lft forever
5: sit0: <NOARP,UP,LOWER_UP> mtu 1480
    inet6 ::69.196.180.179/96 scope global
       valid_lft forever preferred_lft forever
    inet6 ::192.168.0.1/96 scope global
       valid_lft forever preferred_lft forever
    inet6 ::192.168.1.65/96 scope global
       valid_lft forever preferred_lft forever
    inet6 ::127.0.0.2/96 scope host
       valid_lft forever preferred_lft forever
    inet6 ::127.0.0.1/96 scope host
       valid_lft forever preferred_lft forever
6: sit1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1472
    inet6 2001:470:1c:7c::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::45c4:b4b3/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::c0a8:1/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::c0a8:141/64 scope link
       valid_lft forever preferred_lft forever

router "ip -6 route show"
Code:
::/96 via :: dev sit0  metric 256  expires 21266876sec mtu 1480 advmss 1420 hoplimit 4294967295
2001:470:1c:7c::/64 via :: dev sit1  metric 256  expires 21266905sec mtu 1472 advmss 1412 hoplimit 4294967295
2001:470:b094::/64 dev eth1  metric 256  expires 21325232sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0  metric 256  expires 21264763sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1  metric 256  expires 21264765sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 via :: dev sit1  metric 256  expires 21266879sec mtu 1472 advmss 1412 hoplimit 4294967295
default dev sit1  metric 1  expires 21266906sec mtu 1472 advmss 1412 hoplimit 4294967295

client "ip -6 addr show"
Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:470:b094:0:211:9ff:fe66:24c2/64 scope global dynamic
       valid_lft 2591993sec preferred_lft 604793sec
    inet6 fe80::211:9ff:fe66:24c2/64 scope link
       valid_lft forever preferred_lft forever

client "ip -6 route show"
Code:
2001:470:b094::/64 dev eth0  proto kernel  metric 256  expires 2591998sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0  metric 256  expires -64704sec mtu 1500 advmss 1440 hoplimit 4294967295
default via fe80::204:acff:fecb:729f dev eth0  proto kernel  metric 1024  expires 28sec mtu 1500 advmss 1440 hoplimit 64
« Last Edit: May 20, 2009, 11:02:07 AM by qtwre »

kristiankrohn

  • Newbie
  • *
  • Posts: 31
Re: How do I allow internal clients access to the IPv6 space?
« Reply #8 on: May 20, 2009, 11:06:47 AM »

Thanks for the outputs. I'm afraid I still can't help you since everything looks alright to me. :(

The 2001:470:b094:1::/64 route on the client seems unnecessary -- but shouldn't cause your symptoms.

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1705
Re: How do I allow internal clients access to the IPv6 space?
« Reply #9 on: May 20, 2009, 03:40:11 PM »

So I've verified the tunnel is configured correctly on the tunnel-server. A few questions:

1) can the opensuse router reach the ipv6 internet? (ping6, traceroute6, etc to remote sites like google or kame?)
2) are you running any kind of ip6tables rules? (if so what happens when you drop/stop using ip6tables?)

Otherwise it does look like your client machines are autoconfiguring, which means at least radvd is working. What happens on the client if you try ping6/traceroute6 to the tunnel-server's side of the v6 tunnel, anything? Have you tried a static ipv6 assignment to the client, and manually setting the default ipv6 route?

qtwre

  • Newbie
  • *
  • Posts: 6
Re: How do I allow internal clients access to the IPv6 space?
« Reply #10 on: May 20, 2009, 04:55:24 PM »

1) Yes, the router has no problem reaching ipv6 addresses.
2) Here is an output of my ip6tables.  I didn't specifically add anything.
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere           
ACCEPT     all      anywhere             anywhere           state ESTABLISHED
ACCEPT     ipv6-icmp    anywhere             anywhere           state RELATED
input_int  all      anywhere             anywhere           
input_ext  all      anywhere             anywhere           
input_ext  all      anywhere             anywhere           
input_ext  all      anywhere             anywhere           
input_ext  all      anywhere             anywhere           
LOG        all      anywhere             anywhere           limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP       all      anywhere             anywhere           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
forward_int  all      anywhere             anywhere           
forward_ext  all      anywhere             anywhere           
forward_ext  all      anywhere             anywhere           
forward_ext  all      anywhere             anywhere           
LOG        all      anywhere             anywhere           limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
DROP       all      anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere           
ACCEPT     ipv6-icmp    anywhere             anywhere           
ACCEPT     all      anywhere             anywhere           state NEW,RELATED,ESTABLISHED
LOG        all      anywhere             anywhere           limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (3 references)
target     prot opt source               destination         
ACCEPT     ipv6-icmp    anywhere             anywhere           state RELATED,ESTABLISHED ipv6-icmp echo-reply
ACCEPT     ipv6-icmp    anywhere             anywhere           state RELATED,ESTABLISHED ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere             anywhere           state RELATED,ESTABLISHED ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp    anywhere             anywhere           state RELATED,ESTABLISHED ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere             anywhere           state RELATED,ESTABLISHED ipv6-icmp parameter-problem
LOG        tcp      anywhere             anywhere           limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG        ipv6-icmp    anywhere             anywhere           limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG        udp      anywhere             anywhere           limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG        all      anywhere             anywhere           limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT-INV '
DROP       all      anywhere             anywhere           

Chain forward_int (1 references)
target     prot opt source               destination         
ACCEPT     ipv6-icmp    anywhere             anywhere           state RELATED,ESTABLISHED ipv6-icmp echo-reply
ACCEPT     ipv6-icmp    anywhere             anywhere           state RELATED,ESTABLISHED ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere             anywhere           state RELATED,ESTABLISHED ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp    anywhere             anywhere           state RELATED,ESTABLISHED ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere             anywhere           state RELATED,ESTABLISHED ipv6-icmp parameter-problem
LOG        tcp      anywhere             anywhere           limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG        ipv6-icmp    anywhere             anywhere           limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG        udp      anywhere             anywhere           limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG        all      anywhere             anywhere           limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT-INV '
reject_func  all      anywhere             anywhere           

Chain input_ext (4 references)
target     prot opt source               destination         
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp echo-request
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp router-solicitation
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp router-advertisement
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp neighbour-solicitation
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp neighbour-advertisement
ACCEPT     ipv6-icmp    anywhere             anywhere           ipv6-icmp redirect
LOG        tcp      anywhere             anywhere           limit: avg 3/min burst 5 tcp dpt:msnp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp      anywhere             anywhere           tcp dpt:msnp
LOG        tcp      anywhere             anywhere           limit: avg 3/min burst 5 tcp dpt:36784 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp      anywhere             anywhere           tcp dpt:36784
LOG        tcp      anywhere             anywhere           limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp      anywhere             anywhere           tcp dpt:ssh
ACCEPT     udp      anywhere             anywhere           udp dpt:msnp
ACCEPT     udp      anywhere             anywhere           udp dpt:36784
LOG        tcp      anywhere             anywhere           limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        ipv6-icmp    anywhere             anywhere           limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        udp      anywhere             anywhere           limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        all      anywhere             anywhere           limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP       all      anywhere             anywhere           

Chain input_int (1 references)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere           

Chain reject_func (1 references)
target     prot opt source               destination         
REJECT     tcp      anywhere             anywhere           reject-with tcp-reset
REJECT     udp      anywhere             anywhere           reject-with icmp6-port-unreachable
REJECT     all      anywhere             anywhere           reject-with icmp6-addr-unreachable
DROP       all      anywhere             anywhere           

I can't actually find the command to stop ip6tables in opensuse.  None of the regular commands work. (service ip6tables stop, /etc/init.d/ip6tables stop)

Trying to traceroute to the tunnel server endpoint from a client.
Code:
traceroute6 2001:470:1c:7c::1
traceroute to 2001:470:1c:7c::1 (2001:470:1c:7c::1) from 2001:470:b094:0:211:9ff:fe66:24c2, 30 hops max, 16 byte packets
 1  2001:470:b094::1 (2001:470:b094::1)  3.658 ms  0.197 ms  1.17 ms
 2  2001:470:b094::1 (2001:470:b094::1)  0.162 ms  0.212 ms  1.266 ms

What would be the proper command to set the default route? "ip route add 2000::/3 dev eth0"?

edit:
No, "ip route add 2000::/3 dev eth0" wasn't correct.  That gave me this traceroute result...
Code:
traceroute6 2001:470:1c:7c::1
traceroute to 2001:470:1c:7c::1 (2001:470:1c:7c::1) from 2001:470:b094:0:211:9ff:fe66:24c2, 30 hops max, 16 byte packets
 1  2001:470:b094:0:211:9ff:fe66:24c2 (2001:470:b094:0:211:9ff:fe66:24c2)  3007.74 ms !H  3001.41 ms !H  3009.91 ms !H
« Last Edit: May 20, 2009, 04:59:20 PM by qtwre »
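
Added example (not part of any post in this thread): broquea's question 2 asks whether ip6tables rules are in the way. This Python sketch parses `ip6tables -L` text and collects every verdict a forwarded packet could receive starting from the FORWARD chain. The embedded listing is condensed from Reply #10; the function names and the probe dictionaries are assumptions of the example.

```python
import re

# Condensed from the ip6tables listing in Reply #10 (FORWARD path only; most LOG/ACCEPT rules omitted).
LISTING = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
forward_int  all      anywhere             anywhere
forward_ext  all      anywhere             anywhere
LOG        all      anywhere             anywhere           limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
DROP       all      anywhere             anywhere

Chain forward_ext (3 references)
target     prot opt source               destination
ACCEPT     ipv6-icmp    anywhere             anywhere           state RELATED,ESTABLISHED ipv6-icmp echo-reply
DROP       all      anywhere             anywhere

Chain forward_int (1 references)
target     prot opt source               destination
ACCEPT     ipv6-icmp    anywhere             anywhere           state RELATED,ESTABLISHED ipv6-icmp echo-reply
reject_func  all      anywhere             anywhere

Chain reject_func (1 references)
target     prot opt source               destination
REJECT     tcp      anywhere             anywhere           reject-with tcp-reset
REJECT     udp      anywhere             anywhere           reject-with icmp6-port-unreachable
REJECT     all      anywhere             anywhere           reject-with icmp6-addr-unreachable
DROP       all      anywhere             anywhere
"""

def parse_listing(text):
    # Returns {chain: (policy or None, [(target, proto, match_text), ...])}.
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:
            cur = m.group(1)
            chains[cur] = (m.group(2), [])
        elif cur and line.strip() and not line.startswith("target"):
            f = line.split()  # the opt column is empty in this listing
            chains[cur][1].append((f[0], f[1], " ".join(f[4:])))
    return chains

def rule_may_match(proto, match, probe):
    # Only protocol, conntrack state and destination port are checked; other matches are ignored.
    state = re.search(r"\bstate (\S+)", match)
    dpt = re.search(r"\bdpt:(\S+)", match)
    return (proto in ("all", probe["proto"])
            and (not state or probe["state"] in state.group(1).split(","))
            and (not dpt or dpt.group(1) == probe.get("dport")))

def possible_verdicts(chains, name, probe, seen=()):
    policy, rules = chains[name]
    out = {policy} if policy else set()
    for target, proto, match in rules:
        if target == "LOG" or not rule_may_match(proto, match, probe):
            continue  # LOG never terminates traversal
        if target not in chains:
            out.add(target)  # terminal target: ACCEPT, DROP or REJECT
        elif target not in seen:
            out |= possible_verdicts(chains, target, probe, seen + (name,))
    return out

NEW_TCP = {"proto": "tcp", "state": "NEW", "dport": "http"}  # hypothetical probe
PING6 = {"proto": "ipv6-icmp", "state": "NEW"}  # hypothetical probe: echo request from a LAN client
```

Because `-L` without `-v` hides interface matches, the result is an over-approximation: when ACCEPT is absent from the returned set, no listed rule can accept that traffic. For both probes the set is DROP and REJECT only.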