Re: IPv6 routing(?)
On 2016-11-18 22:44, Robert Elz wrote: [---] > |What do I need to do to make it respond to such requests? > > You don't want it to, just assign your addressing rationally, rather than > attempting to cram the world into one /64 (copying horrid IPv4 required hacks) > and I suspect it will all be OK. > > Assign a different /64 to your LAN (from the same /48). After getting over the initial "How dare he imply I have an IPv4 fetish?!" shock, I thought about it and you're completely right: I've been thinking in terms of IPv4. I stopped trying to shoehorn. It works now. Thanks to everyone who contributed toward helping me break the IPv4 chains. IPv6 ftw. /Jan
Re: IPv6 routing(?)
Date:Fri, 18 Nov 2016 17:32:47 +0100 From:Jan DanielssonMessage-ID: |So what happens is that the echo request is sent out from my host | (say it has address X), then I see then Cisco modem (ISP's equipment) | make a Neighbor Solicitation for the address X, but my NetBSD router | (which knows about address X according to "ndp -a") never replies. Nor should it, it doesn't own the address. |What do I need to do to make it respond to such requests? You don't want it to, just assign your addressing rationally, rather than attempting to cram the world into one /64 (copying horrid IPv4 required hacks) and I suspect it will all be OK. Assign a different /64 to your LAN (from the same /48). kre
Re: IPv6 routing(?)
On 2016-11-18 03:35, Andy Ruhl wrote: [---] > Packets going out but not coming back seems to be the key. Exactly, and .. > IPv6 likes to have ICMP enabled for path mtu discovery, might look into that. .. I think you're on to it here. So what happens is that the echo request is sent out from my host (say it has address X), then I see then Cisco modem (ISP's equipment) make a Neighbor Solicitation for the address X, but my NetBSD router (which knows about address X according to "ndp -a") never replies. The issue seems to be that the router isn't acting as an "NDP proxy" (analogous to an ARP proxy in IPv4, I assume). What do I need to do to make it respond to such requests? Linux appears to have a sysctl knob called net.ipv6.conf.all.proxy_ndp, is there such a thing for NetBSD? I looked through the sysctl list, but couldn't find any obvious candidates. (NetBSD/amd64 -7). > Also wondering if there is some issue receiving traffic, like you're > firewalled? If you don't see ping replies they could be getting > dropped before you can see them. Woud be nice to confirm by sniffing > the outside interface somehow. I'm using npf on my NetBSD router, but it's configured to allow everything currently, so it shouldn't be an issue. /Jan
Re: IPv6 routing(?)
Date:Thu, 17 Nov 2016 22:28:32 +0100 From:Jan Danielsson <jan.m.daniels...@gmail.com> Message-ID: <03604c00-17eb-f3de-d69e-ec070d06a...@gmail.com> |This is a proper global /48 network. That sounds good, but what is "this" there - that is, to whom is that /48 assigned, you or the ISP ? |The re0 interface is assigned a 2001:::0:... address (from | the ISP) with a prefixlen of 64 That's normal, though if this is some kind of emulated P2P link, a /64 is kind of overkill.. (but that is the ISP's choice, just accept it.) | (there's a static route in their router | which is /48, but it seems routers are typically assigned /64 chunks). Links are typically assigned /64 chunks. Routers have interfaces to links, each interface has an address (of each class in use) usually. Aside from links, the only other thing (and this is true both in v4 and v6) that is usually assigned blocks of addresses is a dhcp server (which may be running in a router, of course.) |The router's wm0 is manually assigned a /80 subnet, Why /80 ? |What works: |- From the router, I can ping6/traceroute6 any address on the public | Internet. (I.e. "ping6 netbsd.org" or "traceroute6 google.com" works fine). |- The router can ping6 the host1's IPv6 address. |- host1 can ping6 both the lan and wan addresses of the router. That's good. |What doesn't work: |- From host1, I can not ping addresses on the public Internet. (i.e. | ping6 netbsd.org) does not work. traceroute6 google.com will only get a | reply for the first entry (2001:::0:4::1 (the router's lan | interface)) and then won't progress any further. You might need to talk to the ISP, find out exactly what is in their routing tables. If the suggestion below doesn't help, you should also probably show us what is in the router's IPv6 routing table: netstat -rn -f inet6 Unless you have a really good reason, don't obfuscate the addresses with that just makes it harder to see what is really happening. |Typical cause for issues similar to this is that forwarding is not | enabled -- but it is (double and triple-checked). v6 forwarding as well as v4 ? (That is, what does sysctl net.inet6.ip6.forwarding return ? (On the router)) But I assume this is OK, as you say you see ping requests from host1 passing out re0 on the router towards the ISP. That working tells you that the router is forwarding packets. | Plus, and correct me | if I'm wrong here, I can ping the router's wan address from host1 which | wouldn't work if IPv6 forwarding had been disabled. No, proves nothing, we don't have enough of a strict host model for that to be a good test. |To my untrained eye, the routing tables on both host1 and the router | look fine; host1's default entry is to the router's link-local address | of the lan interface (analogous to the router's default route pointing | to fe80::1, autoconfigured and in accordance with the instructions from | the ISP). Yes, those I expected to be fine from what you said worked. |The 2001:::0:4::/80 subnet on the router routes to link#2 (wm0). |If I run "tcpdump -nttt -i re0" on the router and then try to ping6 | netbsd.org, I can see the echo requests (from the host1 address to | netbsd.org's IPv6 address), but no replies. For various reasons, ping is not always a great test (it is when it works, but when it fails the number of possible reasons is staggering...) But ... | (Running the same ping6 | command on the router will cause both requests and replies to be seen in | tcpdump). Makes it look like the ISP isn't filtering ICMPv6 (which some do, stupidly). |Any tips on what I should be looking closer at? Right now, my guess would be routing at the ISP. I would tend to assume that they are routing 2001:::0::/64 to the wan link between you and them. That includes your carved out /80 from that /64. If that wan link was really an emulated ethernet (or similar) you might see the ISP's router issuing NDP requests for your host1 on that wan link - but the lack of those (if they are absent) proves nothing. You might want to try using a /64 on the lan link, perhaps 2001:::1::/64 With that you could use autoconfig on the hosts (that requires /64 prefixes, not bigger, not smaller) rather than manual config (or DHCP). (You can still do manual config of course, and might want to while you're debugging - manually config'd addresses tend to be much easier to type!) Of course, this is assuming that the ISP has assigned 2001::::/48 to you.That's the (at least original) model for how IPv6 addresses should be assigned, but not everyone believes in the calculations of address availability, and some want to give smaller (that is, bigger 'n' in /n) allocations to end
Re: IPv6 routing(?)
On Thu, Nov 17, 2016 at 2:57 PM, Jan Danielssonwrote: > On 2016-11-17 22:36, Andy Ruhl wrote: >>>- The router can ping6 the host1's IPv6 address. >> >> I'm not really sure if this is relevant, but what source IP are you >> using when this happens? Can you force it to be the external global >> address? > >Using -S of ping6? > >router$ ping6 -S > >.. seems to work fine. > >I honestly don't know what -I is supposed to do, and if it's at all > relevant, but: > >router$ ping6 -I re0 > >.. yields "ping6: sendmsg: No route to host". (Maybe it's grabbing > the link-local address?) Packets going out but not coming back seems to be the key. IPv6 likes to have ICMP enabled for path mtu discovery, might look into that. Also wondering if there is some issue receiving traffic, like you're firewalled? If you don't see ping replies they could be getting dropped before you can see them. Woud be nice to confirm by sniffing the outside interface somehow. Seems like not a forwarding issue like you say if you can ping the outside global address. Andy
Re: IPv6 routing(?)
On Thu, Nov 17, 2016 at 2:28 PM, Jan Danielssonwrote: >- The router can ping6 the host1's IPv6 address. I'm not really sure if this is relevant, but what source IP are you using when this happens? Can you force it to be the external global address? Andy
IPv6 routing(?)
Hello, Thanks to help from the list, I got past some initial IPv6 configuration issues; the router gets its address and prefixlength from the ISP and a host on the LAN gets a subnet address from the router. However, one issue remains, and I've been banging my head against it for too long and I need some more assistance. This is a proper global /48 network. As before, I'm reducing the network to this for simplicity: host1 router (re0) <---> (wm0)(re0) <> ISP "lan" wan The re0 interface is assigned a 2001:::0:... address (from the ISP) with a prefixlen of 64 (there's a static route in their router which is /48, but it seems routers are typically assigned /64 chunks). The router's wm0 is manually assigned a /80 subnet, with the address 2001:::0:4::1. (I had initially misunderstood the role of the link-local address; per the suggestion of Martin Husemann I set a hardcoded address on wm0 and that's when the address assignment of host1 started working). What works: - From the router, I can ping6/traceroute6 any address on the public Internet. (I.e. "ping6 netbsd.org" or "traceroute6 google.com" works fine). - The router can ping6 the host1's IPv6 address. - host1 can ping6 both the lan and wan addresses of the router. What doesn't work: - From host1, I can not ping addresses on the public Internet. (i.e. ping6 netbsd.org) does not work. traceroute6 google.com will only get a reply for the first entry (2001:::0:4::1 (the router's lan interface)) and then won't progress any further. Typical cause for issues similar to this is that forwarding is not enabled -- but it is (double and triple-checked). Plus, and correct me if I'm wrong here, I can ping the router's wan address from host1 which wouldn't work if IPv6 forwarding had been disabled. To my untrained eye, the routing tables on both host1 and the router look fine; host1's default entry is to the router's link-local address of the lan interface (analogous to the router's default route pointing to fe80::1, autoconfigured and in accordance with the instructions from the ISP). The 2001:::0:4::/80 subnet on the router routes to link#2 (wm0). If I run "tcpdump -nttt -i re0" on the router and then try to ping6 netbsd.org, I can see the echo requests (from the host1 address to netbsd.org's IPv6 address), but no replies. (Running the same ping6 command on the router will cause both requests and replies to be seen in tcpdump). Any tips on what I should be looking closer at? /Jan