Solved IPv6 gateway?

mariourk

Well-Known Member

Reaction score: 12
Messages: 269

My ISP started rolling out IPv6 and gave me a 56-bit block. I managed to get it working on my FreeBSD-server, which I also use as a gateway/firewall to the internet. I can ping6 my modem, clients on my LAN and even the internet.

My clients can ping6 each other and the FreeBSD-server. But they can't ping beyond the FreeBSD-server. So, something seems to be wrong with routing. But I can't figure out what.

My rc.conf
Code:
ipv6_gateway_enable="YES"
ipv6_router_enable="YES"
ifconfig_em0_ipv6="inet6 2000:1000:beef:ab01::1 prefixlen 64"
ifconfig_msk0_ipv6="inet6 2000:1000:beef:ab02::1 prefixlen 64"
ipv6_defaultrouter="2000:1000:beef:ab01:3001:3002:3003:3004"
rtadvd_enable="YES"
rtadvd_interfaces="msk0"

em0 is connected to my modem and msk0 is connected to my LAN.

What am I missing here?
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,681
Messages: 30,611

Your rc.conf looks good, ipv6_router_enable can be removed, it doesn't do anything. The ipv6_gateway_enable is what turns on routing for IPv6.

Perhaps your firewall? Are you allowing IPv6 to pass through?
 
mariourk

That's what I'm suspecting. But as far as I can see, it should work.

What's the quickest way to allow all ipv6 traffic? I know that's a horrible idea, but it will give me a working situation. And I can work my way from there.
 

SirDice


For PF it's something like:
Code:
pass inet6 all
 
mariourk

Nope, that's not it. Which is kind of disappointing :(

I even tried
Code:
pass quick inet6 all
at the beginning of my firewall. Still, no dice.
 

SirDice


Just realized something. Have a look on the clients and make sure they're getting a proper gateway through SLAAC. If your clients don't have a correct IPv6 gateway you can ping everything within your subnet but not beyond.
 
mariourk

Ok... I'm totally new to the whole ipv6 deal. I've been doing some research on the ins and outs, but it's implementing it on FreeBSD that's giving me some headaches. So, how do I check if a client received the correct gateway? And how do I make sure my server is broadcasting the correct gateway?

This is currently my /etc/rtadvd.conf
Code:
interface msk0 {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        prefix 2000:1000:beef:ab02::/64 {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
};

I've been using this too
Code:
msk0:\
    :addrs#1:addr="2000:1000:beef:ab02::": prefixlen#64:tc=ether:

My clients are actually receiving an ipv6-address in the 2000:1000:beef:ab02 range. So, that part seems to work alright.
 

gkontos

Daemon

Reaction score: 480
Messages: 2,153

Can you tracert6 from your clients to 2001:4860:4860::8888 and see where the packets get dropped?
 
mariourk

Ok. I used traceroute6(8) on a Mac. But that is really just the same, I suppose. It's secretly just a modified version of FreeBSD, right?

Here's the result:
Code:
MacBook-Pro:~ mario$ traceroute6 2001:4860:4860::8888
traceroute6 to 2001:4860:4860::8888 (2001:4860:4860::8888) from 2000:1000:beef:ab02:1234:1234:1234:1234, 64 hops max, 12 byte packets
1  2000:1000:beef:ab02::1  0.961 ms  0.294 ms  0.390 ms
2  * * *
3  * * *

From what I can make out of this, the signal made it to the NIC that connects my server to the LAN (2000:1000:beef:ab02::1). From there it should hop over to the NIC that connects my server to the internet (2000:1000:beef:ab01::1), work its way to my modem, onto the internet, all the way to 2001:4860:4860::8888.

But it didn't.

If only I knew why?
 

gkontos


In order for this to work, you need to put your modem in bridge mode and have your FreeBSD box perform all the routing. You should not assign an IPv6 address to your external interface nor any static routes. Something like this should work:

/etc/rc.conf
Code:
gateway_enable="YES"       # for IPv4
ipv6_gateway_enable="YES"  # for IPv6
ifconfig_msk0_ipv6="inet6 2000:1000:beef:ab02::1 prefixlen 64"
rtadvd_enable="YES"
rtadvd_interfaces="msk0"

ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="MyISP"        # must match the label in /etc/ppp.conf

/etc/ppp.conf
Code:
default:
  set log Phase tun command

MyISP:
 set device PPPoE:em0 # replace em0 with your Ethernet device
 resolv readonly
 set authname *****Your username*****
 set authkey ******Your Password******
 set dial
 set login
 set mtu max 1492
 set mru max 1492
 enable echo
 enable lqr
 enable ipv6cp
 add default HISADDR
 add default HISADDR6

/etc/rtadvd.conf
Code:
msk0:\
    :raflags="mo":\
    :addr="2000:1000:beef:ab02::":prefixlen#64:\
    :pinfoflags="l":

Important: you should replace 2000:1000:beef:ab02:: with the /56 that your ISP gave you, although you will use prefixlen#64.
 
mariourk

Isn't there an easier way to handle this? I mean, it should be possible to let my modem handle all the routing between my server and the internet, while my server handles all the routing on my internal LAN. Pretty much like I do right now with IPv4.

ISP <-->
2000:1000:beef:ab00:abcd:abcd:abcd:abcd ext - modem - int 2000:1000:beef:ab01:3001:3002:3002:3004 <-->
2000:1000:beef:ab01::1 em0 - FreeBSD - msk0 2000:1000:beef:ab02::1 <-->
LAN (2000:1000:beef:ab02::1/64)

  • 2000:1000:beef:ab00::/64 is what my ISP is using on the internet-side.
  • 2000:1000:beef:ab01::/64 is what my modem is using on its LAN-side. It did this automatically. If I hook up a laptop directly to my modem, it will get a 2000:1000:beef:ab00::/64 address.
  • So, I hooked up FreeBSD to my modem with a 2000:1000:beef:ab01::/64 address and used 2000:1000:beef:ab02::/64 for my internal LAN

I see no reason why this shouldn't work. Unless there is a very fundamental difference between IPv4 and IPv6 that I don't understand (yet).
 

kpa

Beastie's Twin

Reaction score: 1,807
Messages: 6,318

Your modem that is now in routing mode has no clue what to do with 2000:1000:beef:ab02::/64 prefix and the traffic stalls there. You could assign static IPv6 route on the modem that sends 2000:1000:beef:ab02::/64 to the WAN IPv6 address of your FreeBSD box.
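
kpa's point, modelled as a small longest-prefix-match simulation (an added example, not part of any post in the thread): the routing tables are constructed from the thread's placeholder addresses, and the modem's default route toward the ISP is an assumption. It traces a reply coming back from the ISP to a LAN client, before and after the static route suggested above.

```python
import ipaddress

# Constructed routing tables using the thread's placeholder addresses.
# A next hop of "on-link" means the node can deliver the packet itself.
TABLES = {
    "isp": [("2000:1000:beef:ab00::/56", "modem")],
    "modem": [
        ("2000:1000:beef:ab00::/64", "on-link"),  # WAN side
        ("2000:1000:beef:ab01::/64", "on-link"),  # link to em0
        ("::/0", "isp"),                          # assumed default route
    ],
    "freebsd": [
        ("2000:1000:beef:ab01::/64", "on-link"),  # em0
        ("2000:1000:beef:ab02::/64", "on-link"),  # msk0 (LAN)
        ("::/0", "modem"),
    ],
}
CLIENT = "2000:1000:beef:ab02:1234:1234:1234:1234"  # from the traceroute6 output

def lookup(routes, dst):
    """Longest-prefix match: return the next hop for dst, or None."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in routes]
    hits = [(n.prefixlen, hop) for n, hop in nets if addr in n]
    return max(hits)[1] if hits else None

def trace(tables, start, dst, max_hops=64):
    """Follow dst hop by hop; return (path, outcome)."""
    path, node, prev = [start], start, None
    for _ in range(max_hops):
        hop = lookup(tables[node], dst)
        if hop is None:
            return path, "no route"
        if hop == "on-link":
            return path, "delivered"
        if hop == prev:  # handed straight back to where it came from
            return path, "stalled"
        prev, node = node, hop
        path.append(node)
    return path, "hop limit exceeded"

def with_route(tables, node, prefix, next_hop):
    """Return a copy of tables with one static route added on node."""
    fixed = {name: list(routes) for name, routes in tables.items()}
    fixed[node].append((prefix, next_hop))
    return fixed

# The suggested fix: a static route on the modem for the LAN prefix.
FIXED = with_route(TABLES, "modem", "2000:1000:beef:ab02::/64", "freebsd")

if __name__ == "__main__":
    print(trace(TABLES, "isp", CLIENT))
    print(trace(FIXED, "isp", CLIENT))
```

The same lookup explains the traceroute6 output earlier in the thread: hop 1 answers because it is on the client's link, while replies from anything beyond the FreeBSD box have no route back to 2000:1000:beef:ab02::/64.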
 
mariourk

That makes sense. What I found about this, regarding my modem, is this

Configure the IPv6 router so that it requests its own prefix from the FRITZ!Box using IPv6 prefix delegation and that it announces its routing information to the FRITZ!Box via router advertisement.
I guess that's the problem, right there. That's a FreeBSD specific thingy, I have to configure. And apparently what I'm doing is not right.
 

gkontos


That's not a FreeBSD issue. You configured your FreeBSD box as a gateway and you also have your modem doing the same thing. There is no reason to use both.
 

nakal

Active Member

Reaction score: 37
Messages: 245

You have already a router on the /64 prefix with your Fritzbox that does SLAAC. Switch it off and make it a real modem (it's a router now, not a bare modem!) or live with the SLAAC on from the Fritzbox. SLAAC is only defined on 64 prefixlen, by the way.
 
mariourk

I found this article, describing the same problem I'm having. It's in Dutch, but that's no problem for me, because I also happen to be Dutch ;)

I'll start tinkering with this as soon as I find the time.
 
mariourk

So, I've been messing around with dhcpv6 and rtadvd, to see if I can get things working.

First of all, I completely removed my Fritzbox and plugged my fiber connection directly into em0, on my FreeBSD-server. This worked fine for ipv4. I automatically got an IP-address via DHCP and I was good to go. No configuration what-so-ever was needed from my end. Simply DHCP and that was it.

As for ipv6, unfortunately that doesn't work as easy. dhcpv6 seems to get the subnets from my ISP and gives those to rtadvd. Then rtadvd starts broadcasting that on my LAN (2000:1000:beef:ab01::/64), via msk0. So far, so good. However, em0 itself doesn't get an ipv6-address. I contacted my provider about this and they told me to simply pick an ipv6-address from the first subnet available and put that in manually. For example, 2000:1000:beef:ab00::1. Apparently, that's exactly what the Fritzbox is doing as well.

So that's what I did. But I still have no route/gateway to my provider.
Code:
[mario@eddard ~]$ ping6 www.google.nl
ping6: UDP connect: No route to host

So, I think my question is: How can I figure out which ipv6-address I have to use as gateway?
 

kpa


So, I think my question is: How can I figure out which ipv6-address I have to use as gateway?
Which gateway, the gateway for LAN clients or the gateway for the FreeBSD system? If it's the former you can choose whichever address you desire and rtadvd(8) will advertise the correct address to the clients. You just have to assign some address from the correct prefix on the LAN interface, usually the ::1 address is chosen.
 
mariourk

I mean the gateway for the FreeBSD system. Right now my server has no clue how to send ipv6 packets to the internet.

I was also wrong about rtadvd broadcasting addresses on my LAN. msk0 on my server does receive an address, but the machines on my LAN (connected to msk0) don't. So, something isn't working as expected right there.

Man, this whole ipv6 business is a lot trickier than I expected. :confused:
 
mariourk

I managed to get rtadvd working properly. It's now broadcasting ipv6 addresses over my LAN. Apparently rtadvd was under the impression it was running on a host, not a router. After a small change in /etc/rc.conf, that problem was fixed.

Code:
ifconfig_msk0_ipv6="inet6 -accept_rtadv"
Notice the -accept_rtadv.

From my hosts on my LAN I can ping both msk0 and em0. So, it seems some routing is going on there. Which is a good sign. Now all that remains is to figure out the ipv6-address of my ISP's gateway, so my server knows where to send all the traffic that is destined for the internet.

Any suggestions on that part?
 

nakal


Since your router is directly connected to the modem, you get a /56 prefix. On the LAN side you should be able to have a unique /64 subnet which allows routing to your hosts. For rtsold(8) that runs on the WAN interface should receive the address from your ISP, you can start scripts to further assign IPs to other interfaces that did not get an IP (see option -R). You should also make rtadvd(8) run on the LAN interface and not on the modem/WAN side (does not make any sense).
 
mariourk

Ok, maybe I completely misunderstand what you're trying to say, but...

Since your router is directly connected to the modem, you get a /56 prefix.
Not exactly. I completely removed my Fritzbox from the equation and plugged my fiber connection directly into em0 on my FreeBSD server.

For rtsold(8) that runs on the WAN interface [...]
I'm using net/dhcp6 to get my ipv6 addresses from my ISP. Which seems to work. Except em0 doesn't get an ipv6-address or gateway. Asking my ISP about this, they told me this is normal, because there is no line-id. Or something like that. To get around this, I should simply pick an address from the first available subnet and put that in manually. Apparently my Fritzbox does exactly the same thing.

You should also make rtadvd(8) run on the LAN interface
That's what I'm doing. And it's broadcasting addresses over my LAN. All my hosts are getting an ipv6-address in the correct range. So, that seems to work fine.

The only missing link is that I don't get a gateway to my provider, for some reason. So, how do I get FreeBSD to configure an ipv6-gateway via dhcpv6? Or maybe I can run some dhcpv6 command, that reveals the address to me, so I can set it manually?
 

SirDice


I'm using net/dhcp6 to get my ipv6 addresses from my ISP. Which seems to work. Except em0 doesn't get an ipv6-address or gateway. Asking my ISP about this, they told me this is normal, because there is no line-id. Or something like that. To get around this, I should simply pick an address from the first available subnet and put that in manually. Apparently my Fritzbox does exactly the same thing.
You could try fe80::ffff which seems to be a common gateway address. At least that's the gateway I get on one of my VPS machines. With another VPS at a different provider I have to use static addresses and I need to use the first address of my range.
 
mariourk

You could try fe80::ffff
That's a local-link address. I don't think that should/can be used to direct traffic to my ISP, destined for the internet.

I should be able to somehow get a proper gateway-address, right? Anyone knows how?
 

kpa


That's a local-link address. I don't think that should/can be used to direct traffic to my ISP, destined for the internet.

I should be able to somehow get a proper gateway-address, right? Anyone knows how?
A link-local address is a perfectly valid gateway address. You need to interpret it correctly to understand why. It is the address on the local network where to forward the traffic in question. Even if a link-local address is used for forwarding, that doesn't mean the link-local address is visible on the actual data packets.
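
The behaviour described in this last reply, as an added example (not from the thread; the neighbour cache and MAC addresses are constructed): the link-local next hop only selects the outgoing interface and the destination MAC, while the packet keeps its global source and destination addresses. Because fe80::/10 exists on every link, the gateway has to be written together with its interface, here in the `address%interface` form.

```python
import ipaddress

# Constructed neighbour cache: (interface, link-local address) -> MAC.
# fe80::ffff is the address suggested in the thread; the MACs are made up.
NEIGHBOURS = {
    ("em0", "fe80::ffff"): "02:00:00:00:00:01",   # upstream router on the WAN link
    ("msk0", "fe80::ffff"): "02:00:00:00:00:02",  # same address on another link
}


def parse_link_local_gateway(text):
    """Split 'fe80::x%iface' into (address, interface)."""
    addr_text, _, iface = text.partition("%")
    addr = ipaddress.IPv6Address(addr_text)
    if not addr.is_link_local:
        raise ValueError(f"{addr} is not in fe80::/10")
    if not iface:
        # fe80::/10 exists on every link, so the address alone is ambiguous.
        raise ValueError(f"{addr} needs an interface, e.g. {addr}%em0")
    return str(addr), iface


def forward(src, dst, gateway):
    """Return the frame a router emits for one packet sent via gateway."""
    next_hop, iface = parse_link_local_gateway(gateway)
    return {
        "out_iface": iface,
        "dst_mac": NEIGHBOURS[(iface, next_hop)],  # next hop only picks the MAC
        "ip_src": src,                             # addresses in the IPv6 header
        "ip_dst": dst,                             # are left unchanged
    }


if __name__ == "__main__":
    print(forward("2000:1000:beef:ab02:1234:1234:1234:1234",
                  "2001:4860:4860::8888", "fe80::ffff%em0"))
```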
 