From: "Bruce A. Mah" <bmah@freebsd.org>
To: Eric F Crist
Cc: freebsd-net@freebsd.org, "Bruce M. Simpson"
Date: Tue, 26 Jun 2007 14:32:57 -0700
Subject: Re: IPv6 Woes...

If memory serves me right, Eric F Crist wrote:
> On Jun 25, 2007, at 7:55 PM, Bruce M. Simpson wrote:
>
>> Eric F Crist wrote:
>>> My problem isn't getting out to 2001:4980:1::5, it's getting to my
>>> LAN, the 2001:4980:1:111::/64 network. My gateway, the machine
>>> from which I posted the routing and ifconfig information, is able
>>> to ping across the tunnel, and to the internet just fine. Nothing
>>> is able to get from the gateway to my LAN, however. Is it a
>>> problem with the fxp driver, or perhaps my setup with the ethernet
>>> bridging?
>> You appear to have a /64 network address on the inside of your v6
>> router. Are you using stateless address auto-configuration? You
>> appear to have statically assigned ....::145 as a host address on
>> that net.
>>
>> My setup works fine if I ping the network address of my v6 router
>> from the v6 enabled hosts in my lab.
>>
>> When you ping local machines on the inside LAN from that router, do
>> you see NDP entries being created?

Hi Eric--

First note that I'm a different Bruce than the chap who's been helping
thus far. :-)

BTW, use "ndp -a" to see this.

>> You shouldn't need to use bridging to achieve what you want in this
>> scenario, in fact it makes no sense because you want to route v6
>> traffic over the gif, therefore ethernet bridging is not relevant
>> here.

I'm not quite so sure about this...see below.

> First, thanks for taking time to help me through this. Here's some
> more information regarding the topography of my network. My FBSD
> firewall is running with 'options BRIDGE' in the kernel, and the
> following two lines in /etc/sysctl.conf:
>
> net.link.ether.bridge.enable=1
> net.link.ether.bridge.config=fxp0,fxp1

Your setup is not *too* different from what I have at home in terms of
network topology and what you hope to accomplish. (I have a Soekris
net4801 running 6.2-STABLE and acting as a filtering bridge between an
IPv4 /29 and the rest of the Internet, and also terminating a gif(4)
tunnel for IPv6.)

> This is so that I don't have to do routing on my firewall. I have an
> IPv4 /28 network, so a limited number of IP addresses, this saves one
> of those. This system is filtering traffic with PF. That's really
> the only reason for the bridging. Also, it does allow me to do
> traffic shaping and bandwidth monitoring. This bridging stuff
> really, as you said, has nothing to do with my IPv6 configuration
> issues.

I think the biggest difference between your network and mine is that
rather than using options BRIDGE I'm using the if_bridge(4) driver
between my "inside" and "outside" network interfaces. The physical
interfaces in the bridge are unnumbered and the if_bridge
pseudo-interface has IPv4 and IPv6 addresses.

The main reason for doing this is that I've seen that bridge(4) can have
difficulty determining the correct physical interface to use for
packets that originate on the bridging host. I recall having this
problem with pfnat. (I don't remember the exact details, but I did some
postings to the m0n0wall mailing lists on this topic some time
ago...your favorite search engine can probably help find these
messages.)

I wonder if the problem I've seen with bridge(4) might be related to
your IPv6 problems (since you're terminating the tunnel on your
firewall). If so, maybe switching to if_bridge(4) as I've described
above might help things.

In any case, good luck!

Bruce.
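The "ndp -a" check suggested above, turned into a small diagnostic (an added example, not code from this thread or from FreeBSD): it parses `ndp -a` output and reports, for each neighbor in the 2001:4980:1:111::/64 LAN prefix, whether the entry resolved and on which port it was learned. The `ndp -a` output below is constructed, and `fxp1` as the inside LAN port is an assumption.

```python
"""Check whether a v6 router is learning NDP entries for its inside LAN.
Parses FreeBSD `ndp -a` output; the sample is constructed, not a capture.
Live use: subprocess.run(["ndp", "-a"], capture_output=True, text=True).stdout
"""
import ipaddress

# Constructed `ndp -a` output. Columns: Neighbor, Linklayer Address,
# Netif, Expire, S (state), Flags. The LAN prefix comes from the thread.
SAMPLE_NDP_OUTPUT = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
2001:4980:1:111::1                   00:02:b3:aa:bb:cc   fxp1 permanent R
2001:4980:1:111::145                 (incomplete)        fxp1 10s       I
2001:4980:1:111::20                  00:0c:29:11:22:33   fxp0 23h59m41s S
fe80::202:b3ff:feaa:bbcc%fxp1        00:02:b3:aa:bb:cc   fxp1 permanent R
"""
LAN_PREFIX = ipaddress.IPv6Network("2001:4980:1:111::/64")

def parse_ndp(text):
    """Return (address, lladdr, netif, expire, state) tuples; header skipped."""
    entries = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or malformed line
        addr, lladdr, netif, expire, state = parts[:5]
        addr = addr.split("%", 1)[0]  # drop the %scope suffix on link-locals
        entries.append((ipaddress.IPv6Address(addr), lladdr, netif, expire, state))
    return entries

def lan_neighbors(text, prefix=LAN_PREFIX, inside_if="fxp1"):
    """Classify neighbors inside `prefix` as 'ok', 'incomplete' (solicited,
    never answered) or 'wrong-interface' (resolved on a port other than
    inside_if, which is an assumed name for the inside LAN port)."""
    findings = []
    for addr, lladdr, netif, _expire, state in parse_ndp(text):
        if addr not in prefix:
            continue
        if lladdr == "(incomplete)" or state == "I":
            findings.append((str(addr), "incomplete"))
        elif netif != inside_if:
            findings.append((str(addr), "wrong-interface"))
        else:
            findings.append((str(addr), "ok"))
    return findings

if __name__ == "__main__":
    for addr, status in lan_neighbors(SAMPLE_NDP_OUTPUT):
        print(f"{addr:30} {status}")
```

An 'incomplete' entry for a LAN host after pinging it means the solicitation never got an answer back to the router, which is the symptom the thread is chasing; a 'wrong-interface' entry points at the bridge port selection issue described above.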