Re: OpenBSD 5.8 and IPv6 forwarding doesn't seem to be working
On 2015-10-28, Daniel Corbe wrote:
> I'm not sure what I missed here so I would appreciate it if someone would
> hit me with a clue bat.
>
> My OpenBSD firewall is acting as a DHCPv6-PD client and successfully
> getting IP information:

See https://marc.info/?l=openbsd-tech=144645681008370=2

Re: OpenBSD 5.8 and IPv6 forwarding doesn't seem to be working
On 28-10-2015 02:29, Daniel Corbe wrote:
> But I can't ping out or do anything on the client:
>
> C:\Users\dcorbe>ping ipv6.cybernode.com
>
> Pinging ipv6.cybernode.com [2001:470:1:1b9::31] with 32 bytes of data:
> Control-C
> ^C
> C:\Users\dcorbe>tracert 2601:5ce:101:5350:21e:37ff:fed6:ad
>
> Tracing route to 2601:5ce:101:5350:21e:37ff:fed6:ad over a maximum of 30
> hops
>
> 1 Destination host unreachable.
>
> Trace complete.

You probably have the same issue I ran into. Please run tcpdump on your external if. You will see the packets leaving your internal net. And, if you have control over the remote host being pinged, you can even see the packets getting there. But, no replies ever get back. Your CPE does not know about you delegating the prefix to your internal machines. So, you should be seeing ndp neighbour discovery messages in your external interface. Since OpenBSD does not proxy the ndp messages to your internal lan, the packets get dropped by the CPE.

At first, I used a bridge to solve this. But filtering on them is a nightmare. So, now I'm using a ULA prefix on my internal network and natting (I know) ipv6 packets to my external lan address. I will try to port some of the ndp proxy solutions available to OpenBSD. Every one I found is Linux centric. OpenBSD ndp(8) has proxy functionality. I couldn't make it work, and you also need to add entries host by host to it.

Cheers,
Giancarlo Razzolini

Re: OpenBSD 5.8 and IPv6 forwarding doesn't seem to be working
On 10/28/2015 8:41 AM, Giancarlo Razzolini wrote:
> On 28-10-2015 02:29, Daniel Corbe wrote:
>> But I can't ping out or do anything on the client:
>>
>> C:\Users\dcorbe>ping ipv6.cybernode.com
>>
>> Pinging ipv6.cybernode.com [2001:470:1:1b9::31] with 32 bytes of data:
>> Control-C
>> ^C
>> C:\Users\dcorbe>tracert 2601:5ce:101:5350:21e:37ff:fed6:ad
>>
>> Tracing route to 2601:5ce:101:5350:21e:37ff:fed6:ad over a maximum of 30
>> hops
>>
>> 1 Destination host unreachable.
>>
>> Trace complete.
>
> You probably have the same issue I ran into. Please run tcpdump on
> your external if. You will see the packets leaving your internal net.
> And, if you have control over the remote host being pinged, you can even
> see the packets getting there. But, no replies ever get back. Your CPE
> does not know about you delegating the prefix to your internal machines.
> So, you should be seeing ndp neighbour discovery messages in your
> external interface. Since OpenBSD does not proxy the ndp messages to your
> internal lan, the packets get dropped by the CPE.
>
> At first, I used a bridge to solve this. But filtering on them is a
> nightmare. So, now I'm using a ULA prefix on my internal network and
> natting (I know) ipv6 packets to my external lan address. I will try to
> port some of the ndp proxy solutions available to OpenBSD. Every one I
> found is Linux centric. OpenBSD ndp(8) has proxy functionality. I
> couldn't make it work, and you also need to add entries host by host to it.
>
> Cheers,
> Giancarlo Razzolini
>

I don't think rtadvd is running and allowing his devices to use SLAAC.

I would check to make sure your devices are generating an IPv6 address in the correct prefix.

Jim

Re: OpenBSD 5.8 and IPv6 forwarding doesn't seem to be working
On 28-10-2015 11:55, lists wrote:
> I don't think rtadvd is running and allowing his devices to use SLAAC.

It is. At least from the information he provided.

>
> I would check to make sure your devices are generating an IPv6 address in
> the correct prefix.

The prefix is different from the one in its external interface, but that doesn't mean that he isn't getting a valid prefix through PD. He might have configured its dhcpv6 client to assign an IA_NA to its external if, and the CPE got him one from a different prefix. But it sure needs to be checked. OP, please take a look into that. If your CPE doesn't have the internal lan prefix, you can't expect it to work.

Cheers,
Giancarlo Razzolini

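The prefix check discussed in the two replies above, as an added example that is not part of any post in this thread: it takes the addresses from the original poster's ifconfig, ipconfig and route output and tests whether the clients sit in the LAN /64, whether the router's LAN address and the client's default gateway are the EUI-64 form of the router MAC, and whether the WAN address falls inside the LAN prefix. The function names are hypothetical; only the address values come from the thread.

```python
import ipaddress

# Values copied from the ifconfig, ipconfig and route output quoted in this thread.
ROUTER_WAN = "2001:558:6036:5a:2cb5:eab1:8726:104c/128"  # vlan9
ROUTER_LAN = "2601:5ce:101:5350:21e:37ff:fed6:ad/64"     # vlan10
ROUTER_LAN_MAC = "00:1e:37:d6:00:ad"
CLIENT_GATEWAY = "fe80::21e:37ff:fed6:ad%7"
CLIENT_ADDRS = [
    "2601:5ce:101:5350:28af:3026:cf75:988c",
    "2601:5ce:101:5350:1dd6:cc0e:98b:50a9",
    "fe80::28af:3026:cf75:988c%7",
    "2001:0:5ef5:79fb:ca8:3fdf:f5bf:f1f2",
]

def eui64_iid(mac):
    """Modified EUI-64 interface ID: flip the U/L bit, insert ff:fe."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def iid(addr):
    """Low 64 bits of an address; zone index and prefix length are ignored."""
    bare = addr.split("%")[0].split("/")[0]
    return int(ipaddress.ip_address(bare)) & (2**64 - 1)

def classify(addr, lan_net):
    a = ipaddress.ip_address(addr.split("%")[0])
    if a.is_link_local:
        return "link-local"
    if a.teredo is not None:          # 2001::/32, the Teredo tunnel interface
        return "teredo"
    return "delegated-lan-prefix" if a in lan_net else "other"

def check():
    lan_net = ipaddress.ip_interface(ROUTER_LAN).network
    wan = ipaddress.ip_interface(ROUTER_WAN).ip
    router_iid = eui64_iid(ROUTER_LAN_MAC)
    return {
        "lan_prefix": str(lan_net),
        "router_lan_addr_is_eui64": iid(ROUTER_LAN) == router_iid,
        "client_gateway_is_router": iid(CLIENT_GATEWAY) == router_iid,
        "wan_addr_in_lan_prefix": wan in lan_net,
        "clients": {a: classify(a, lan_net) for a in CLIENT_ADDRS},
    }

if __name__ == "__main__":
    for key, value in check().items():
        print(key, value)
```
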
OpenBSD 5.8 and IPv6 forwarding doesn't seem to be working
I'm not sure what I missed here so I would appreciate it if someone would hit me with a clue bat.

My OpenBSD firewall is acting as a DHCPv6-PD client and successfully getting IP information:

My outside interface:

vlan9: flags=208843mtu 1500
        lladdr 00:1e:37:d6:00:ad
        priority: 0
        vlan: 9 parent interface: em0
        groups: vlan egress
        status: active
        inet 73.12.6.33 netmask 0xfe00 broadcast 73.12.7.255
        inet6 fe80::21e:37ff:fed6:ad%vlan9 prefixlen 64 scopeid 0x6
        inet6 2001:558:6036:5a:2cb5:eab1:8726:104c prefixlen 128 pltime 344957 vltime 344957

My inside interface:

vlan10: flags=8843 mtu 1500
        lladdr 00:1e:37:d6:00:ad
        priority: 0
        vlan: 10 parent interface: em0
        groups: vlan
        status: active
        inet 10.64.14.1 netmask 0xff00 broadcast 10.64.14.255
        inet6 fe80::21e:37ff:fed6:ad%vlan10 prefixlen 64 scopeid 0x5
        inet6 2601:5ce:101:5350:21e:37ff:fed6:ad prefixlen 64

I can reach things from the OpenBSD box itself:

# ping6 www.google.com
PING6(72=40+8+24 bytes) 2601:5ce:101:5350:21e:37ff:fed6:ad --> 2607:f8b0:4004:809::1010
32 bytes from 2607:f8b0:4004:809::1010, icmp_seq=0 hlim=56 time=17.318 ms
32 bytes from 2607:f8b0:4004:809::1010, icmp_seq=1 hlim=56 time=17.933 ms
32 bytes from 2607:f8b0:4004:809::1010, icmp_seq=2 hlim=56 time=16.289 ms
32 bytes from 2607:f8b0:4004:809::1010, icmp_seq=3 hlim=56 time=16.240 ms
^C
--- www.google.com ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 16.240/16.945/17.933/0.714 ms

I have IPv6 forwarding enabled:

# sysctl -a | grep forwarding
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0
net.inet6.ip6.forwarding=1
net.inet6.ip6.mforwarding=0

My PF ruleset:

# pfctl -s all
FILTER RULES:
pass in on vlan9 inet from any to 73.12.6.0/23 flags S/SA
pass out on vlan9 inet from 73.12.6.0/23 to any flags S/SA
pass out on vlan9 inet from 10.64.14.0/24 to any flags S/SA nat-to 73.12.6.33
pass in quick inet6 all flags S/SA
pass out quick inet6 all flags S/SA
pass quick inet6 proto ipv6-icmp all

I have rtadv turned on and my client machine gets IPv6:

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : corbe.net
   Description . . . . . . . . . . . : Intel(R) 82579V Gigabit Network Connection
   Physical Address. . . . . . . . . : 74-D0-2B-27-BE-B3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:5ce:101:5350:28af:3026:cf75:988c(Preferred)
   Temporary IPv6 Address. . . . . . : 2601:5ce:101:5350:1dd6:cc0e:98b:50a9(Preferred)
   Link-local IPv6 Address . . . . . : fe80::28af:3026:cf75:988c%7(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.64.14.13(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, October 27, 2015 10:48:18 PM
   Lease Expires . . . . . . . . . . : Wednesday, October 28, 2015 10:48:19 AM
   Default Gateway . . . . . . . . . : fe80::21e:37ff:fed6:ad%7
                                       10.64.14.1
   DHCP Server . . . . . . . . . . . : 10.64.14.1
   DHCPv6 IAID . . . . . . . . . . . : 91541547
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-C1-F8-6C-74-D0-2B-27-BE-B3
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       4.2.2.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

IPv6 Route Table
===
Active Routes:
 If Metric Network Destination                          Gateway
  7    276 ::/0                                         fe80::21e:37ff:fed6:ad
  1    306 ::1/128                                      On-link
  2    306 2001::/32                                    On-link
  2    306 2001:0:5ef5:79fb:ca8:3fdf:f5bf:f1f2/128      On-link
  7    276 2601:5ce:101:5350::/64                       On-link
  7    276 2601:5ce:101:5350:1dd6:cc0e:98b:50a9/128     On-link
  7    276 2601:5ce:101:5350:28af:3026:cf75:988c/128    On-link
  7    276 fe80::/64                                    On-link
  2    306 fe80::/64                                    On-link
  2    306 fe80::ca8:3fdf:f5bf:f1f2/128                 On-link
  7    276 fe80::28af:3026:cf75:988c/128                On-link
  1    306 ff00::/8                                     On-link
  7    276 ff00::/8                                     On-link
  2    306 ff00::/8                                     On-link
===
Persistent Routes:
  None

But I can't ping out or do anything on the client:

C:\Users\dcorbe>ping ipv6.cybernode.com

Pinging ipv6.cybernode.com [2001:470:1:1b9::31] with 32 bytes of data:
Control-C
^C
C:\Users\dcorbe>tracert 2601:5ce:101:5350:21e:37ff:fed6:ad

Tracing route to 2601:5ce:101:5350:21e:37ff:fed6:ad over a maximum of 30 hops

  1