Routing Issue?

Started by cholzhauer, August 12, 2009, 11:33:33 AM


cholzhauer

I have IPv6 connectivity to the outside, but the outside is unable to get to me.  I'm running all of my traffic through an ASA 5520 and I have a rule set up temporarily to allow all incoming IPv6 traffic.

However, I can't connect to myself from the outside world over IPv6.  I do have AAAA records published for the servers that need them.

http://mars.sscorp.com/briank/ should work from the outside, but does not.

Can anyone give me some suggestions as to what I should look for?

Thanks

cholzhauer

Here's more...it looks like the request is getting passed and acknowledged by my web server, but my IPv6 router isn't passing the return traffic?  I'm not running IP tables or anything else on the machines.  IPv6 works fine against the webserver internally.

From my router:
15:28:29.255951 IP6 ipv6.he.net.59116 > mars.sscorp.com.http: S 1658172855:1658172855(0) win 5760 <mss 1440,sackOK,timestamp 1502976556 0,nop,wscale 6>

From webserver
15:20:54.922015 IP6 ipv6.he.net.59116 > mars.sscorp.com.http: S 1658172855:1658172855(0) win 5760 <mss 1440,sackOK,timestamp 1502976556 0,nop,wscale 6>
15:20:54.922504 IP6 mars.sscorp.com.http > ipv6.he.net.59116: S 1693715780:1693715780(0) ack 1658172856 win 65535 <mss 1440,nop,wscale 3,sackOK,timestamp 32$

broquea

Firewall issue maybe, more than routing? Can't MTR, traceroute6, ping6, tracepath6 to mars.sscorp.com. Stops at a SixXS hop before getting any farther.

cholzhauer

Yep, that's the same thing I get.  I think it's an internal routing issue, but I'm at a loss to explain it.  I've attached the routing table from my router.

2001:4978:1d8:e000:21d:a2ff:feaf:2ffd  is the address of the router

I just figured out that I can't do any pings from the 2001:4978:1d8:e000::64 subnet, but the others work fine.

broquea

Can the machines behind your router, access IPv6 sites? Could it be IPv6 forwarding not set in sysctl?

cholzhauer

Yep, sure can.

Every other machine on my network (40+) has no problems accessing the IPv6 Internet.  Everything used to work fine when I did everything on the router, but since I wasn't really good with iptables, I moved the firewalling stuff to the ASA and used it to dole out addresses.  Here's the relevant section of /etc/rc.conf:


ipv6_enable="YES"
ipv6_defaultrouter="2001:4978:f:22e::1"
ipv6_network_interfaces="fxp0 tun0"
ipv6_gateway_enable="YES"
ipv6_ifconfig_fxp0="2001:4978:1d8:e000::9"
ipv6_prefix_fxp0="2001:4978:1d8:e000"


jimb

Based on your routing table on your BSD tunnel router, it appears that your e000/64 subnet is the only one not going through the Cisco firewall.  It appears to be directly connected to your fxp0 interface.  The other subnets appear to be on the other side of the ASA5520.

Can the other hosts on other subnets of your LAN reach mars?  Could it be a bad default route on mars?  I also notice that it's running under vmware.  Could it be some odd vmware issue?

Also, do the Cisco ASAs have the same issues as a PIX in that they can't route traffic back out of the interface through which it came?  If the default route on mars is pointing to the ASA, then return traffic to the internet would go to the ASA, then be bounced back to your BSD router on the same interface which the traffic arrived.  PIXes had an issue where this couldn't be done.

If this is the case, you may want to point the default route on mars to the BSD tunnel router, and let the traffic for the other subnets bounce through the BSD router, or put statics for these subnets on mars.

That's my only guess at this point.  :P

cholzhauer

Changing the default route did it...I swear I tried doing that yesterday.  Oh well.

Thanks for the idea.  Is there a way to change that for all hosts?  I don't want to have to go around to every machine and change the default route, but I don't see any other way.

BTW, how did you know I was using VMware? The names of the network interfaces?

jimb

Quote from: cholzhauer on August 13, 2009, 06:21:26 AM
Changing the default route did it...I swear I tried doing that yesterday.  Oh well.
Ah, so was the default pointing to the Cisco, and you pointed it to the BSD, right?  I thought Cisco's newer PIX OS and the ASA routers got rid of that problem (the "can't turn a packet around" problem), but perhaps not?  Or maybe it was an ACL issue?  Or maybe it's a feature you have to turn on?  I haven't played with Cisco ASAs much, I'll have to say.

Quote
Thanks for the idea.  Is there a way to change that for all hosts?  I don't want to have to go around to every machine and change the default route, but I don't see any other way.
You could set whatever is doing your route advertisements (the Cisco?) to advertise the FBSD box as the default route on that link/LAN.  You could do something similar if you were running DHCPv6.

One thing to watch out for though is that all traffic going to your other LANs will now bounce through the BSD box and could become a bottleneck.  Optimally, you'd want the default route pointing to the FBSD box, and the routes for your LANs (perhaps aggregated) pointing to the Cisco.  That would either require statics to be configured on each server, or running a routing protocol (OSPF, or whatever) on your servers and routers.  Setting up a routing protocol would take a bit of work/planning, but would automate everything.

Another thing you could do is turn on ICMPv6 redirects.  But that's usually bad security practice.

Quote
BTW, how did you know I was using VMware? The names of the network interfaces?
Based on the IPv6 address.  It appears that you're doing autoconfiguration, so the IPs are being set based on the MAC address of your interfaces.  I could tell it was VMware from the OUI of your MAC.  That and the FBSD routing/neighbor table also helped me get a little picture of your net in my head.  :)

{root@gts/pts/7}~# ipv6calc -i 2001:4978:1d8:e000:21d:a2ff:feaf:2ffd  
No input type specified, try autodetection...found type: ipv6addr
No output type specified, try autodetection...found type: ipv6addr
Address type: unicast, global-unicast
Address type has SLA: e000
Registry for address: ARIN
Interface identifier: 021d:a2ff:feaf:2ffd
EUI-48/MAC address: 00:1d:a2:af:2f:fd
MAC is a global unique one
MAC is an unicast one
OUI is: Cisco Systems


{root@gts/pts/7}~# ipv6calc -i 2001:4978:1d8:e000:20c:29ff:fe26:51b7
No input type specified, try autodetection...found type: ipv6addr
No output type specified, try autodetection...found type: ipv6addr
Address type: unicast, global-unicast
Address type has SLA: e000
Registry for address: ARIN
Interface identifier: 020c:29ff:fe26:51b7
EUI-48/MAC address: 00:0c:29:26:51:b7
MAC is a global unique one
MAC is an unicast one
OUI is: VMware, Inc.


From a security standpoint, I'd advise using statics on servers and routers and such so this can't be done.  You could also use DHCPv6 with reservations for your server(s).  It also tends to make the IPv6s shorter to type.  For instance, "2001:4978:1d8:e000::10" instead of "2001:4978:1d8:e000:21d:a2ff:feaf:2ffd".  
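The decoding jimb did by hand with ipv6calc above can be scripted, which is useful for auditing an address plan for the information leak he describes. The following is an added example, not code from this thread or from ipv6calc: it recovers the MAC and OUI from a modified EUI-64 interface identifier and flags which addresses are autoconfigured. The OUI table is a constructed two-entry subset (the two vendors seen in the thread); a real audit would load the full IEEE OUI registry.

```python
# Added example (not from this thread): decode SLAAC (modified EUI-64)
# interface identifiers back to the embedded MAC/OUI, as ipv6calc did above,
# so an operator can audit which hosts leak hardware identity in their IPv6
# addresses and which already use static or DHCPv6 addresses.
import ipaddress

# Constructed OUI table: only the two vendors that appear in the thread.
# A real audit would load the full IEEE OUI registry here.
OUI_TABLE = {
    "00:1d:a2": "Cisco Systems",
    "00:0c:29": "VMware, Inc.",
}


def eui64_to_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface identifier,
    or None when the IID lacks the ff:fe marker (static, DHCPv6 or
    privacy address).  The ff:fe check is a heuristic: an operator could
    in principle hand-pick a static address that happens to contain it."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first_octet = iid[0] ^ 0x02  # undo the universal/local bit flip
    mac = bytes([first_octet]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify(addr):
    """Describe one address: whether it looks autoconfigured, and if so
    the MAC and vendor it reveals."""
    mac = eui64_to_mac(addr)
    if mac is None:
        return {"address": addr, "slaac": False, "mac": None, "vendor": None}
    return {"address": addr, "slaac": True, "mac": mac,
            "vendor": OUI_TABLE.get(mac[:8], "unknown OUI")}


def audit(addrs):
    """Return the addresses that reveal a MAC, with the vendor each leaks."""
    return [(c["address"], c["vendor"]) for c in map(classify, addrs) if c["slaac"]]


if __name__ == "__main__":
    # The two addresses jimb decoded, plus the static-style one he suggested.
    sample = [
        "2001:4978:1d8:e000:21d:a2ff:feaf:2ffd",
        "2001:4978:1d8:e000:20c:29ff:fe26:51b7",
        "2001:4978:1d8:e000::10",
    ]
    for entry in map(classify, sample):
        print(entry)
```

Running it over a neighbor table or DNS zone export gives a quick list of the hosts whose addresses still embed a MAC; those are the ones worth moving to static addresses or DHCPv6 reservations as jimb suggests. Addresses such as 2001:4978:1d8:e000::10 come back as non-SLAAC and reveal nothing about the hardware.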

cholzhauer

I would have thought they would have changed it too, but I guess not.  The default route is now pointed at the BSD machine...for the most part, most of my servers don't need outside IPv6 access, so it's not THAT big of a deal.  The only thing I have now is a webserver (too bad Exchange 07 on Server 2k3 won't do IPv6)

Regarding the static vs dynamic...is the issue because you can determine the mac address and then use the mac address to do some spoofing or something?

jimb

Quote from: cholzhauer on August 15, 2009, 09:47:22 AM
I would have thought they would have changed it too, but I guess not.  The default route is now pointed at the BSD machine...for the most part, most of my servers don't need outside IPv6 access, so it's not THAT big of a deal.  The only thing I have now is a webserver (too bad Exchange 07 on Server 2k3 won't do IPv6)
Yeah what I was trying to say is that whichever hosts on the e000 subnet now have a default route pointed to the FBSD box, whenever they talk to other machines on your other networks via the Cisco, all the traffic will go through the FBSD box first, then bounce from that into the Cisco to your other LANs. 

Quote
Regarding the static vs dynamic...is the issue because you can determine the MAC address and then use the MAC address to do some spoofing or something?
Not sure what you're referring to here.  If you're talking about IPv6 addresses, setting them manually, or using DHCPv6, instead of letting them autoconfig, would prevent the "information leak" that allowed me to determine what each system was.  MAC address spoofing isn't really the issue here.  It's just that an autoconfig IPv6 reveals the MAC address, and thus reveals a bit about one's network.  It would allow someone to more easily map out your network, get an idea/guess what kind of system each is, etc., i.e. an "information leak".
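The routing diagnosis in this thread (SYN reaches mars, the SYN-ACK never makes it back out; fixed by pointing the default route at the BSD box; at the cost of internal traffic bouncing through it unless statics are added) can be reproduced with a small forwarding simulation. This is an added example, not part of the thread: the topology, the ASA's "won't send a packet back out the interface it arrived on" behaviour (jimb's PIX hypothesis, modelled as hairpin_ok=False) and every address except the FreeBSD router's 2001:4978:1d8:e000::9 from the rc.conf above are constructed placeholders.

```python
# Added example (not from this thread): a small forwarding simulation of
# cholzhauer's network, used to show why a default route on mars that
# points at the ASA breaks return traffic while one that points at the
# FreeBSD tunnel router works, and what the "bounce through the BSD box"
# and "statics on each server" options cost.  Topology and all addresses
# except the FreeBSD router's are constructed placeholders.
import ipaddress

MARS = "2001:4978:1d8:e000::10"     # web server (hypothetical address)
FBSD = "2001:4978:1d8:e000::9"      # tunnel router, from the rc.conf above
ASA_E000 = "2001:4978:1d8:e000::1"  # ASA interface on the e000 LAN (hypothetical)
SERVER2 = "2001:4978:1d8:e001::10"  # host on another internal LAN (hypothetical)
OUTSIDE = "2001:db8::1"             # some host on the IPv6 internet (constructed)
OWNER = {MARS: "mars", FBSD: "fbsd", ASA_E000: "asa", SERVER2: "server2", OUTSIDE: "internet"}


class Node:
    """A router or host with a FIB of (prefix, out_iface, next_hop) entries.
    next_hop is (node_name, ingress_iface) or None for a directly connected prefix.
    hairpin_ok=False models the PIX behaviour jimb describes: a packet may not
    leave through the interface it arrived on."""

    def __init__(self, name, routes, hairpin_ok=True):
        self.name, self.hairpin_ok = name, hairpin_ok
        self.routes = [(ipaddress.IPv6Network(p), i, nh) for p, i, nh in routes]

    def lookup(self, dst):
        ip = ipaddress.IPv6Address(dst)
        hits = [r for r in self.routes if ip in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None  # longest match


def build(mars_default, lan_static=False):
    """mars_default: 'asa' or 'fbsd'.  lan_static adds the /48 static on mars
    that sends internal-LAN traffic straight to the ASA."""
    gw = {"asa": ("asa", "e000"), "fbsd": ("fbsd", "fxp0")}[mars_default]
    mars_routes = [("2001:4978:1d8:e000::/64", "eth0", None), ("::/0", "eth0", gw)]
    if lan_static:
        mars_routes.append(("2001:4978:1d8::/48", "eth0", ("asa", "e000")))
    return {
        "mars": Node("mars", mars_routes),
        "fbsd": Node("fbsd", [("2001:4978:1d8:e000::/64", "fxp0", None),
                              ("2001:4978:1d8::/48", "fxp0", ("asa", "e000")),
                              ("::/0", "tun0", ("internet", "tun"))]),
        "asa": Node("asa", [("2001:4978:1d8:e000::/64", "e000", None),
                            ("2001:4978:1d8:e001::/64", "e001", None),
                            ("::/0", "e000", ("fbsd", "fxp0"))], hairpin_ok=False),
        "server2": Node("server2", [("2001:4978:1d8:e001::/64", "eth0", None),
                                    ("::/0", "eth0", ("asa", "e001"))]),
        "internet": Node("internet", [("2001:4978::/32", "tun", ("fbsd", "tun0")),
                                      ("2001:db8::/32", "lo", None)]),
    }


def trace(nodes, src, dst, max_hops=8):
    """Follow a packet hop by hop; returns (path, outcome)."""
    node, in_iface, path = nodes[src], None, []
    for _ in range(max_hops):
        route = node.lookup(dst)
        if route is None:
            return path, "no route on " + node.name
        _, out_iface, nh = route
        path.append(node.name)
        if in_iface == out_iface and not node.hairpin_ok:
            return path, "dropped: %s will not hairpin on %s" % (node.name, out_iface)
        if nh is None:  # directly connected: hand the packet to the owning host
            owner = OWNER.get(dst)
            if owner is None:
                return path, "no such host on link"
            if owner != node.name:
                path.append(owner)
            return path, "delivered"
        node, in_iface = nodes[nh[0]], nh[1]
    return path, "hop limit exceeded"


if __name__ == "__main__":
    for label, net in [("default via ASA", build("asa")),
                       ("default via FBSD", build("fbsd")),
                       ("default via FBSD + /48 static", build("fbsd", lan_static=True))]:
        print(label)
        print("  internet -> mars :", trace(net, "internet", MARS))
        print("  mars -> internet :", trace(net, "mars", OUTSIDE))
        print("  mars -> server2  :", trace(net, "mars", SERVER2))
```

The three runs line up with the thread: inbound packets reach mars in every case (internet, fbsd, mars), which is why the SYN showed up in the web server's tcpdump; with the default via the ASA the reply dies at the ASA because it would have to go back out the e000 interface; with the default via the FreeBSD box the reply gets out, but traffic to server2 now takes the mars, fbsd, asa, server2 detour jimb warned about; adding the /48 static on mars restores the direct mars, asa, server2 path while keeping the working default. On a real ASA, turning a packet around on one interface is disabled by default and enabled with `same-security-traffic permit intra-interface`; the thread never confirms that this was the cause, so the simulation treats it only as jimb's hypothesis.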

kriteknetworks

Exposing your MAC address is really only an issue for mobile machines as that can potentially be tracked. For a desktop/server, it only exposes who made the nic. Much ado about nothing is made over exposing MAC addresses. You're already exposed if you have an IP address, v4 or v6.