Cannot get IPv6 router working
Roy Marples
2009-06-30 20:10:18 UTC
Hi List

My NetBSD-5 IPv6 PPPoE router doesn't want to route :/

I get an inet6 fe80: address on pppoe0 which indicates IP6CP worked.
I add the route
-inet6 default fe80::2 -iface -ifp pppoe0
I add a /64 address from my /48 block to ath0 in the same box.

From ftp.netbsd.org I can ping6 and traceroute6 this address without issue.
From the router I cannot ping6 ftp.netbsd.org, and this is the
traceroute6 output:

uberserver$ sudo traceroute6 ftp.netbsd.org
traceroute6 to ftp.netbsd.org (2001:4f8:3:7:230:48ff:fe31:43f2) from 2a01:348:31:2:209:5bff:fe84:887d, 64 hops max, 12 byte packets
1 fe80::21b:53ff:feda:6e60%pppoe0 16.329 ms 14.144 ms 13.804 ms
2 * * *

Is that traceroute6 output normal?

The only way I can get any IPv6 to work is to add a /64 address from my
/48 block to pppoe0, which my ISP tells me I should not have to do.
Also, no clients on the LAN who use this router can actually use it for
IPv6, as all IPv6 traceroutes won't get past the router.

I've been struggling with this all day and any help is appreciated. Is
there any more information I can give, or any debugging I can do? Are
there any obvious kernel options I'm missing?

Thanks

Roy

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Brian A. Seklecki
2009-06-30 23:30:57 UTC
Post by Roy Marples
I get an inet6 fe80: address on pppoe0 which indicates IP6CP worked.
Shouldn't your WAN interface get IP space in 2000::/3 (via NDP or
PPPoE)?

FE80::/10 is reserved by IANA for link-local (autoconfig).

I don't see it being able to actually route.

Also, what /64 are you handing out to your ath0/LAN interface? Are you
handing it out via rtadvd(8)? What does rtadvd.conf(5) look like?

~BAS



Steven M. Bellovin
2009-07-01 01:29:10 UTC
On Tue, 30 Jun 2009 19:30:57 -0400
Post by Brian A. Seklecki
Post by Roy Marples
I get an inet6 fe80: address on pppoe0 which indicates IP6CP worked.
Shouldn't your WAN interface get IP space in 2000::/3 (via NDP or
PPPoE)?
FE80::/10 is reserved by IANA for link-local (autoconfig).
I don't see it being able to actually route.
Also, what /64 are you handing out to your ath0/LAN interface? Are
you handing it out via rtadvd(8)? What does rtadvd.conf(5) look like?
I'm having rtadvd troubles, too, with or without rtadvd.conf.

tcpdump shows the messages being received, on both another NetBSD box
and a Mac. Neither is creating non-link-local addresses with the
advertised prefix. Both machines have correctly used v6 elsewhere.
Yes, I have the NetBSD box (both the advertiser and receiver are
running very recent -current) configured to accept router
advertisements:

net.inet6.ip6.accept_rtadv = 1

Here's a tcpdump of the received message, with the addresses edited for
privacy:

21:26:30.393860 IP6 (hlim 255, next-header: ICMPv6 (58), length: 56) fe80::211:xxxx:xxxx:xxxx > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
source link-address option (1), length 8 (1): 00:yy:yy:yy:yy:yy
0x0000: 00yy yyyy yyyy
prefix info option (3), length 32 (4): 2001:zzz:z:zzz::/56, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
0x0000: 38c0 0027 8d00 0009 3a80 0000 0000 2001
0x0010: zzzz zzzz zzzz 0000 0000 0000 0000

Both speak v6 successfully with manually configured v6 addresses on that
net.


--Steve Bellovin, http://www.cs.columbia.edu/~smb

Greg Troxel
2009-07-01 11:51:04 UTC
Post by Steven M. Bellovin
21:26:30.393860 IP6 (hlim 255, next-header: ICMPv6 (58), length: 56) fe80::211:xxxx:xxxx:xxxx > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
source link-address option (1), length 8 (1): 00:yy:yy:yy:yy:yy
0x0000: 00yy yyyy yyyy
prefix info option (3), length 32 (4): 2001:zzz:z:zzz::/56, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
0x0000: 38c0 0027 8d00 0009 3a80 0000 0000 2001
0x0010: zzzz zzzz zzzz 0000 0000 0000 0000
Both speak v6 successfully with manually configured v6 addresses on that
net.
/56?? It's fine for you to get a /56 from your provider (static or
BGP), but the convention is that prefixes for a link are /64. So that's
probably running afoul of a sanity check later, at least for stateless
autoconfiguration.

If you have a /56, then that leaves you 8 bits for subnets. Assuming
your tunnel uses some other addresses from your provider, I would assign
subnet 1 to your lan, and then use more as needed.

Hence 2001:pppp:pppp:ppp1::/64 as your prefix.
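
Decoding the Prefix Information option from the capture quoted above shows the /56 directly (first byte 0x38) and applies the checks a host makes before autoconfiguring. This is an added example, not part of the original posts; the function names are made up here and the sample bytes are constructed, with the redacted prefix replaced by the documentation prefix 2001:db8:0:100::/56.

```python
import ipaddress
import struct

def hexdump_to_bytes(text: str) -> bytes:
    """Turn tcpdump's '0x0000: 38c0 0027 ...' lines into raw bytes."""
    data = b""
    for line in text.strip().splitlines():
        data += bytes.fromhex(line.split(":", 1)[1].replace(" ", ""))
    return data

def parse_prefix_info(body: bytes) -> dict:
    """Decode a Prefix Information option body (RFC 4861, section 4.6.2):
    the 30 bytes after the type and length octets, as dumped by tcpdump -v."""
    if len(body) != 30:
        raise ValueError(f"expected 30 bytes, got {len(body)}")
    plen, flags, valid, preferred, _reserved = struct.unpack("!BBIII", body[:14])
    if plen > 128:
        raise ValueError(f"invalid prefix length {plen}")
    return {
        "prefix": ipaddress.IPv6Network((body[14:], plen), strict=False),
        "onlink": bool(flags & 0x80),      # L flag
        "autonomous": bool(flags & 0x40),  # A flag
        "valid": valid,
        "preferred": preferred,
    }

def slaac_problems(info: dict) -> list:
    """Reasons a host would refuse to autoconfigure from this option
    (the checks of RFC 4862, section 5.5.3, for a 64-bit interface ID)."""
    problems = []
    if not info["autonomous"]:
        problems.append("A flag clear: prefix is not offered for autoconfiguration")
    if info["prefix"].prefixlen != 64:
        problems.append(f"prefix length is /{info['prefix'].prefixlen}, not /64")
    if info["prefix"].network_address.is_link_local:
        problems.append("prefix is link-local")
    if info["preferred"] > info["valid"]:
        problems.append("preferred lifetime exceeds valid lifetime")
    return problems

# Constructed sample: the option from the capture above with the redacted
# prefix replaced by the documentation prefix 2001:db8:0:100::/56.
SAMPLE_DUMP = """
0x0000:  38c0 0027 8d00 0009 3a80 0000 0000 2001
0x0010:  0db8 0000 0100 0000 0000 0000 0000
"""

if __name__ == "__main__":
    info = parse_prefix_info(hexdump_to_bytes(SAMPLE_DUMP))
    print(info["prefix"], slaac_problems(info) or "ok")
```
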
Steven Bellovin
2009-07-01 13:25:02 UTC
Post by Greg Troxel
Post by Steven M. Bellovin
56) fe80::211:xxxx:xxxx:xxxx > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
00:yy:yy:yy:yy:yy
0x0000: 00yy yyyy yyyy
prefix info option (3), length 32 (4): 2001:zzz:z:zzz::/56, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
0x0000: 38c0 0027 8d00 0009 3a80 0000 0000 2001
0x0010: zzzz zzzz zzzz 0000 0000 0000 0000
Both speak v6 successfully with manually configured v6 addresses on that
net.
/56?? It's fine for you to get a /56 from your provider (static or
BGP), but the convention is that prefixes for a link are /64. So that's
probably running afoul of a sanity check later, at least for stateless
autoconfiguration.
If you have a /56, then that leaves you 8 bits for subnets. Assuming
your tunnel uses some other addresses from your provider, I would assign
subnet 1 to your lan, and then use more as needed.
Hence 2001:pppp:pppp:ppp1::/64 as your prefix.
Yup, I discovered that about 10 minutes ago with the help of Linux --
its radvd gave a warning message about that, which I don't think that
rtadvd does.

Roy Marples
2009-07-01 07:48:35 UTC
Post by Brian A. Seklecki
Post by Roy Marples
I get an inet6 fe80: address on pppoe0 which indicates IP6CP worked.
Shouldn't your WAN interface get IP space in 2000::/3 (via NDP or
PPPoE)?
FE80::/10 is reserved by IANA for link-local (autoconfig).
I don't see it being able to actually route.
There is a 2a01 address assigned to the wireless card, it should be able to
route from there.
Post by Brian A. Seklecki
Also, what /64 are you handing out to your ath0/LAN interface? Are you
handing it out via rtadvd(8)? What does rtadvd.conf(5) look like?
rtadvd is handing it out.
I don't use a config - I didn't need to for the previous IPv6 tunnel I ran on
the same box and I don't see why I should need to now.

And yes, I do have ip6 forwarding enabled in the kernel, ip6mode is set to
router.

Thanks

Roy

Roy Marples
2009-07-01 09:11:36 UTC
Post by Roy Marples
My NetBSD-5 IPv6 PPPoE router doesn't want to route :/
Turns out it was a problem with the PF firewall configuration

Faulty line:
nat on $ext_if from !($ext_if) -> ($ext_if:0)

Fixed line:
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)

So basically we only NAT IPv4 traffic.

Anyone mind if I update /usr/share/examples/pf/faq-example1 to reflect
this, or is this a bug with PF?

Thanks

Roy
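
A lint pass for the problem found above: it lists nat/rdr/binat rules in a pf.conf that name no address family, so they are not limited to IPv4. This is an added example, not code from the thread or from PF; the function names and the sample ruleset are constructed, and the suggested fix assumes the rule was meant for IPv4 only.

```python
import re

TRANSLATION = {"nat", "rdr", "binat"}
AF = {"inet", "inet6"}

def logical_lines(text):
    """Yield (first_line_number, rule) with '#' comments stripped and
    backslash continuations joined into one rule."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        start = n if start is None else start
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, " ".join(buf.split())
        buf, start = "", None

def af_less_translation_rules(text):
    """Return (line, rule, suggestion) for every nat/rdr/binat rule that has
    no 'inet' or 'inet6' keyword before '->'. Macros are not expanded and
    no family is inferred from literal addresses."""
    findings = []
    for n, rule in logical_lines(text):
        tokens = re.findall(r"[{}]|[^\s{}]+", rule.split("->")[0])
        if tokens[:1] == ["no"]:
            tokens = tokens[1:]
        if not tokens or tokens[0] not in TRANSLATION or AF & set(tokens):
            continue
        # Assumed intent: IPv4-only translation, so propose 'inet' in front
        # of the first proto/from/to/all keyword.
        fix = re.sub(r"\s(proto|from|to|all)\b", r" inet \1", rule, count=1)
        findings.append((n, rule, fix))
    return findings

# Constructed sample ruleset; line 3 is the faulty rule from the post above.
SAMPLE_PF_CONF = r"""ext_if = "pppoe0"
# outbound NAT for the LAN
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr on $ext_if inet proto tcp from any to any port 8080 \
    -> 192.168.1.10 port 80
"""

if __name__ == "__main__":
    for n, rule, fix in af_less_translation_rules(SAMPLE_PF_CONF):
        print(f"line {n}: no address family: {rule}\n  suggest: {fix}")
```
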

Brian A. Seklecki
2009-07-01 21:40:21 UTC
Post by Roy Marples
So basically we only NAT IPv4 traffic.
Just out of curiosity: Does this mean your provider is handing you
FE80::/10 space on the WAN?

This reminds me of ISPs that used to hand out RFC1918 IPv4 space for
WANs on DSL/Cable.

It works, IIRC, but foreign traceroutes always time out at your
next-hop-router (or next-two depending on how extensive the ISP's
private network is).

I just assumed that we were past all of that using V6.
Post by Roy Marples
Anyone mind if I update /usr/share/examples/pf/faq-example1 to
reflect this, or is this a bug with PF?
Definitely!



Martin Husemann
2009-07-02 07:51:52 UTC
Post by Brian A. Seklecki
Just out of curiosity: Does this mean your provider is handing you
FE80::/10 space on the WAN?
Unlikely, but our IPv6 code selects a real address (if any is assigned
to whatever interface) and uses that as route, so it just works.

I have this on my router:

pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1456
inet 82.139.198.17 -> 82.139.222.46 netmask 0xff000000
inet6 fe80::a00:20ff:fe99:fc91%pppoe0 -> prefixlen 64 scopeid 0xa
hme0: flags=8a63<UP,BROADCAST,NOTRAILERS,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
capabilities=3c00<TCP4CSUM_Rx,TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx>
enabled=c00<TCP4CSUM_Rx,TCP4CSUM_Tx>
address: 08:00:20:99:fc:91
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.150.10 netmask 0xffffff00 broadcast 192.168.150.255
inet6 fe80::a00:20ff:fe99:fc91%hme0 prefixlen 64 scopeid 0x1
inet6 2a01:170:1032:1::1 prefixlen 64

and it all just seems to work fine.

What I found strange is that I can't distinguish a v6 "enabled" pppoe
connection from a non-v6 one:

pppoe1: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
inet 79.218.103.121 -> 217.0.118.173 netmask 0xff000000
inet6 fe80::a00:20ff:fe99:fc91%pppoe1 -> prefixlen 64 scopeid 0xb

But this is just like normal ethernet - they get a link local v6 address and
you can't see if v6 works on the wire.

However, to help avoid confusion, I plan to add a command to pppoectl that
allows listing of active control programs, so I could see "LCP IPCP IPv6CP"
on pppoe0 but only "LCP IPCP" on pppoe1.

Martin

Roy Marples
2009-07-02 08:30:02 UTC
Post by Martin Husemann
But this is just like normal ethernet - they get a link local v6 address and
you can't see if v6 works on the wire.
However, to help avoid confusion, I plan to add a command to pppoectl that
allows listing of active control programs, so I could see "LCP IPCP IPv6CP"
on pppoe0 but only "LCP IPCP" on pppoe1.
That would certainly help :)

/me still fights client IPv6 routing/firewall issues.

Thanks

Roy

Ignatios Souvatzis
2009-07-02 10:20:49 UTC
Post by Brian A. Seklecki
Post by Roy Marples
So basically we only NAT IPv4 traffic.
Just out of curiosity: Does this mean your provider is handing you
FE80::/10 space on the WAN?
This should always happen, maybe in ADDITION to global addresses.
FE80:: space on the link is not the same as FE80:: space *only* for
the customer.

-is

Ignatios Souvatzis
2009-07-01 09:20:15 UTC
Post by Brian A. Seklecki
Post by Roy Marples
I get an inet6 fe80: address on pppoe0 which indicates IP6CP worked.
Shouldn't your WAN interface get IP space in 2000::/3 (via NDP or
PPPoE)?
FE80::/10 is reserved by IANA for link-local (autoconfig).
I don't see it being able to actually route.
That's wrong. *If* there is a router listening on a link-local address
at the other end,

( ping6 ff02::1%pppoe0 to find the list of hosts on the link. )

it will work fine using that as the destination, or actually doing
what Roy wrote below should be ok, too, for PPP.
Post by Brian A. Seklecki
I get an inet6 fe80: address on pppoe0 which indicates IP6CP
worked.
I add the route
-inet6 default fe80::2 -iface -ifp pppoe0
add a /64 address from my /48 block to ath0 in the same box.
HTH
-is
