Re: OpenBSD 5.8 and IPv6 forwarding doesn't seem to be working

2015-11-02 Thread Stuart Henderson
On 2015-10-28, Daniel Corbe  wrote:
> I'm not sure what I missed here so I would appreciate it if someone would
> hit me with a clue bat.
>
> My OpenBSD firewall is acting as a DHCPv6-PD client and successfully
> getting IP information:

See https://marc.info/?l=openbsd-tech=144645681008370=2



Re: OpenBSD 5.8 and IPv6 forwarding doesn't seem to be working

2015-10-28 Thread Giancarlo Razzolini
Em 28-10-2015 02:29, Daniel Corbe escreveu:
> But I can't ping out or do anything on the client:
>
> C:\Users\dcorbe>ping ipv6.cybernode.com
>
> Pinging ipv6.cybernode.com [2001:470:1:1b9::31] with 32 bytes of data:
> Control-C
> ^C
> C:\Users\dcorbe>tracert 2601:5ce:101:5350:21e:37ff:fed6:ad
>
> Tracing route to 2601:5ce:101:5350:21e:37ff:fed6:ad over a maximum of 30 hops
>
>   1  Destination host unreachable.
>
> Trace complete.

You probably have the same issue I ran into. Please run tcpdump on
your external if. You will see the packets leaving your internal net.
And, if you have control over the remote host being pinged, you can even
see the packets getting there. But, no replies ever get back. Your CPE
does not know about you delegating the prefix to your internal machines.
So, you should be seeing ndp neighbour discovery messages on your
external interface. Since OpenBSD does not proxy the ndp messages to your
internal lan, the packets get dropped by the CPE.

At first, I used a bridge to solve this. But filtering on them is a
nightmare. So, now I'm using a ULA prefix on my internal network and
natting (I know) ipv6 packets to my external lan address. I will try to
port some of the ndp proxy solutions available to OpenBSD. Every one I
found is Linux-centric. OpenBSD ndp(8) has proxy functionality. I
couldn't make it work, and you also need to add entries host by host to it.

Cheers,
Giancarlo Razzolini
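As an added example (not code from the thread, from OpenBSD, or from any of the posters), here is a small Python checker for the diagnosis described above: feed it the text of `tcpdump -n -i vlan9 icmp6` taken on the external interface and it lists the addresses inside the delegated prefix that the CPE keeps soliciting without ever receiving a Neighbor Advertisement, next to the echo requests that leave the prefix with no reply coming back. The capture below is constructed; the tcpdump line wording, the CPE's link-local address fe80::1, and the use of 2601:5ce:101:5350::/64 (the prefix on the OP's vlan10) as the delegated prefix are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Prefix delegated to the OP's internal LAN (vlan10), taken from the thread.
DELEGATED_PREFIX = ipaddress.ip_network("2601:5ce:101:5350::/64")

# Constructed sample of `tcpdump -n -i vlan9 icmp6` output on the external
# interface. The wording is assumed to match OpenBSD tcpdump's
# "neighbor sol: who has" / "neighbor adv: tgt is" / "echo request" lines;
# the timestamps and the CPE link-local address fe80::1 are made up.
SAMPLE_CAPTURE = """\
22:50:01.000001 2601:5ce:101:5350:28af:3026:cf75:988c > 2001:470:1:1b9::31: icmp6: echo request
22:50:01.017002 fe80::1 > ff02::1:ff75:988c: icmp6: neighbor sol: who has 2601:5ce:101:5350:28af:3026:cf75:988c
22:50:02.017003 fe80::1 > ff02::1:ff75:988c: icmp6: neighbor sol: who has 2601:5ce:101:5350:28af:3026:cf75:988c
22:50:03.017004 fe80::1 > ff02::1:ff75:988c: icmp6: neighbor sol: who has 2601:5ce:101:5350:28af:3026:cf75:988c
22:50:04.000005 fe80::1 > ff02::1:ff26:104c: icmp6: neighbor sol: who has 2001:558:6036:5a:2cb5:eab1:8726:104c
22:50:04.000006 2001:558:6036:5a:2cb5:eab1:8726:104c > fe80::1: icmp6: neighbor adv: tgt is 2001:558:6036:5a:2cb5:eab1:8726:104c
22:50:05.000007 2601:5ce:101:5350:21e:37ff:fed6:ad > 2607:f8b0:4004:809::1010: icmp6: echo request
22:50:05.017008 2607:f8b0:4004:809::1010 > 2601:5ce:101:5350:21e:37ff:fed6:ad: icmp6: echo reply
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): icmp6: (?P<body>.*)$")
NS_RE = re.compile(r"^neighbor sol: who has (?P<target>\S+)$")
NA_RE = re.compile(r"^neighbor adv: tgt is (?P<target>\S+)$")


def _parse(capture):
    """Yield (src, dst, body) for each icmp6 line; silently skip anything else."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]), m["body"]


def unanswered_solicitations(capture, prefix=DELEGATED_PREFIX):
    """Map each delegated-prefix address solicited on the external link to the
    number of Neighbor Solicitations that never got a Neighbor Advertisement.
    A non-empty result is the symptom from the thread: the CPE is resolving
    hosts that actually sit behind the firewall, and nobody answers for them."""
    solicited = defaultdict(int)
    advertised = set()
    for _src, _dst, body in _parse(capture):
        m = NS_RE.match(body)
        if m:
            target = ipaddress.ip_address(m["target"])
            if target in prefix:  # solicitations for other prefixes are normal
                solicited[str(target)] += 1
            continue
        m = NA_RE.match(body)
        if m:
            advertised.add(str(ipaddress.ip_address(m["target"])))
    return {t: n for t, n in solicited.items() if t not in advertised}


def echo_balance(capture, prefix=DELEGATED_PREFIX):
    """Per delegated-prefix host: (echo requests sent out, echo replies that
    came back). A host with replies == 0 matches 'packets leave, nothing
    returns' in the thread."""
    balance = defaultdict(lambda: [0, 0])
    for src, dst, body in _parse(capture):
        if body == "echo request" and src in prefix:
            balance[str(src)][0] += 1
        elif body == "echo reply" and dst in prefix:
            balance[str(dst)][1] += 1
    return {host: tuple(counts) for host, counts in balance.items()}


def report(capture, prefix=DELEGATED_PREFIX):
    """Human-readable summary of both checks."""
    lines = []
    for target, n in unanswered_solicitations(capture, prefix).items():
        lines.append(f"{target}: {n} NS from the CPE, no NA seen (nothing proxies it)")
    for host, (req, rep) in echo_balance(capture, prefix).items():
        lines.append(f"{host}: {req} echo request(s) out, {rep} reply(ies) back")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CAPTURE))
```

Run it against a real capture by replacing SAMPLE_CAPTURE with the output of tcpdump on the egress interface; the interesting case is a delegated-prefix address that shows up only in the first list, because that is exactly the host the CPE cannot reach without an NDP proxy entry or a route for the prefix pointing at the firewall.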



Re: OpenBSD 5.8 and IPv6 forwarding doesn't seem to be working

2015-10-28 Thread lists
On 10/28/2015 8:41 AM, Giancarlo Razzolini wrote:
> Em 28-10-2015 02:29, Daniel Corbe escreveu:
>> But I can't ping out or do anything on the client:
>>
>> C:\Users\dcorbe>ping ipv6.cybernode.com
>>
>> Pinging ipv6.cybernode.com [2001:470:1:1b9::31] with 32 bytes of data:
>> Control-C
>> ^C
>> C:\Users\dcorbe>tracert 2601:5ce:101:5350:21e:37ff:fed6:ad
>>
>> Tracing route to 2601:5ce:101:5350:21e:37ff:fed6:ad over a maximum of 30 hops
>>
>>   1  Destination host unreachable.
>>
>> Trace complete.
> 
> You probably have the same issue I ran into. Please run tcpdump on
> your external if. You will see the packets leaving your internal net.
> And, if you have control over the remote host being pinged, you can even
> see the packets getting there. But, no replies ever get back. Your CPE
> does not know about you delegating the prefix to your internal machines.
> So, you should be seeing ndp neighbour discovery messages on your
> external interface. Since OpenBSD does not proxy the ndp messages to your
> internal lan, the packets get dropped by the CPE.
> 
> At first, I used a bridge to solve this. But filtering on them is a
> nightmare. So, now I'm using a ULA prefix on my internal network and
> natting (I know) ipv6 packets to my external lan address. I will try to
> port some of the ndp proxy solutions available to OpenBSD. Every one I
> found is Linux-centric. OpenBSD ndp(8) has proxy functionality. I
> couldn't make it work, and you also need to add entries host by host to it.
> 
> Cheers,
> Giancarlo Razzolini
> 

I don't think rtadvd is running and allowing his devices to use SLAAC.

I would check to make sure your devices are generating an IPv6 address in
the correct prefix.


Jim



Re: OpenBSD 5.8 and IPv6 forwarding doesn't seem to be working

2015-10-28 Thread Giancarlo Razzolini
Em 28-10-2015 11:55, lists escreveu:
> I don't think rtadvd is running and allowing his devices to use SLAAC.

It is. At least from the information he provided.

>
> I would check to make sure your devices are generating an IPv6 address in
> the correct prefix.

The prefix is different from the one on his external interface, but that
doesn't mean that he isn't getting a valid prefix through PD. He might
have configured his dhcpv6 client to assign an IA_NA to his external if,
and the CPE got him one from a different prefix. But it sure needs to be
checked. OP, please take a look into that. If your CPE doesn't have the
internal lan prefix, you can't expect it to work.

Cheers,
Giancarlo Razzolini



OpenBSD 5.8 and IPv6 forwarding doesn't seem to be working

2015-10-27 Thread Daniel Corbe
I'm not sure what I missed here so I would appreciate it if someone would
hit me with a clue bat.

My OpenBSD firewall is acting as a DHCPv6-PD client and successfully
getting IP information:

My outside interface:

vlan9: flags=208843 mtu 1500
lladdr 00:1e:37:d6:00:ad
priority: 0
vlan: 9 parent interface: em0
groups: vlan egress
status: active
inet 73.12.6.33 netmask 0xfe00 broadcast 73.12.7.255
inet6 fe80::21e:37ff:fed6:ad%vlan9 prefixlen 64 scopeid 0x6
inet6 2001:558:6036:5a:2cb5:eab1:8726:104c prefixlen 128 pltime 344957 vltime 344957

My inside interface:

vlan10: flags=8843 mtu 1500
lladdr 00:1e:37:d6:00:ad
priority: 0
vlan: 10 parent interface: em0
groups: vlan
status: active
inet 10.64.14.1 netmask 0xff00 broadcast 10.64.14.255
inet6 fe80::21e:37ff:fed6:ad%vlan10 prefixlen 64 scopeid 0x5
inet6 2601:5ce:101:5350:21e:37ff:fed6:ad prefixlen 64

I can reach things from the OpenBSD box itself:

# ping6 www.google.com
PING6(72=40+8+24 bytes) 2601:5ce:101:5350:21e:37ff:fed6:ad --> 2607:f8b0:4004:809::1010
32 bytes from 2607:f8b0:4004:809::1010, icmp_seq=0 hlim=56 time=17.318 ms
32 bytes from 2607:f8b0:4004:809::1010, icmp_seq=1 hlim=56 time=17.933 ms
32 bytes from 2607:f8b0:4004:809::1010, icmp_seq=2 hlim=56 time=16.289 ms
32 bytes from 2607:f8b0:4004:809::1010, icmp_seq=3 hlim=56 time=16.240 ms
^C
--- www.google.com ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 16.240/16.945/17.933/0.714 ms

I have IPv6 forwarding enabled:

# sysctl -a | grep forwarding
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0
net.inet6.ip6.forwarding=1
net.inet6.ip6.mforwarding=0

My PF ruleset:

# pfctl -s all
FILTER RULES:
pass in on vlan9 inet from any to 73.12.6.0/23 flags S/SA
pass out on vlan9 inet from 73.12.6.0/23 to any flags S/SA
pass out on vlan9 inet from 10.64.14.0/24 to any flags S/SA nat-to 73.12.6.33
pass in quick inet6 all flags S/SA
pass out quick inet6 all flags S/SA
pass quick inet6 proto ipv6-icmp all

I have rtadv turned on and my client machine gets IPv6:

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : corbe.net
   Description . . . . . . . . . . . : Intel(R) 82579V Gigabit Network Connection
   Physical Address. . . . . . . . . : 74-D0-2B-27-BE-B3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:5ce:101:5350:28af:3026:cf75:988c(Preferred)
   Temporary IPv6 Address. . . . . . : 2601:5ce:101:5350:1dd6:cc0e:98b:50a9(Preferred)
   Link-local IPv6 Address . . . . . : fe80::28af:3026:cf75:988c%7(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.64.14.13(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, October 27, 2015 10:48:18 PM
   Lease Expires . . . . . . . . . . : Wednesday, October 28, 2015 10:48:19 AM
   Default Gateway . . . . . . . . . : fe80::21e:37ff:fed6:ad%7
   10.64.14.1
   DHCP Server . . . . . . . . . . . : 10.64.14.1
   DHCPv6 IAID . . . . . . . . . . . : 91541547
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-C1-F8-6C-74-D0-2B-27-BE-B3
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   4.2.2.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

IPv6 Route Table
===
Active Routes:
 If Metric Network Destination      Gateway
  7    276 ::/0                     fe80::21e:37ff:fed6:ad
  1    306 ::1/128                  On-link
  2    306 2001::/32                On-link
  2    306 2001:0:5ef5:79fb:ca8:3fdf:f5bf:f1f2/128
                                    On-link
  7    276 2601:5ce:101:5350::/64   On-link
  7    276 2601:5ce:101:5350:1dd6:cc0e:98b:50a9/128
                                    On-link
  7    276 2601:5ce:101:5350:28af:3026:cf75:988c/128
                                    On-link
  7    276 fe80::/64                On-link
  2    306 fe80::/64                On-link
  2    306 fe80::ca8:3fdf:f5bf:f1f2/128
                                    On-link
  7    276 fe80::28af:3026:cf75:988c/128
                                    On-link
  1    306 ff00::/8                 On-link
  7    276 ff00::/8                 On-link
  2    306 ff00::/8                 On-link
===
Persistent Routes:
  None

But I can't ping out or do anything on the client:

C:\Users\dcorbe>ping ipv6.cybernode.com

Pinging ipv6.cybernode.com [2001:470:1:1b9::31] with 32 bytes of data:
Control-C
^C
C:\Users\dcorbe>tracert 2601:5ce:101:5350:21e:37ff:fed6:ad

Tracing route to 2601:5ce:101:5350:21e:37ff:fed6:ad over a maximum of 30 hops

  1