From: Niklaas Baudet von Gersdorff
To: tinc@tinc-vpn.org, freebsd-net@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: IPv6, ULAs and FreeBSD
Date: Thu, 26 May 2016 21:36:02 +0200

I was eventually able to solve this issue. I asked for help on several mailing lists. So, for reference, here are links to the relevant threads:

https://lists.freebsd.org/pipermail/freebsd-questions/2016-May/271810.html
https://lists.freebsd.org/pipermail/freebsd-net/2016-May/045349.html
https://www.tinc-vpn.org/pipermail/tinc/2016-May/004573.html

Niklaas Baudet von Gersdorff [2016-05-24 08:17 +0200] :

> I want to serve IPv4 subnets 10.1.0.0/16 (machine A) and 10.2.0.0/16
> (machine B), and IPv6 subnets fd16:dcc0:f4cc:0:0:1::/96 (machine A) and
> fd16:dcc0:f4cc:0:0:2::/96 (machine B) respectively. The jails are
> connected on lo1.

Here lies the first problem. It seems that it's not legitimate to assign /96 subnets when using unique local addresses (ULAs). I was right to get a /48 subnet for my local IPv6 network; an easy way to get one generated randomly is http://unique-local-ipv6.com/ . But instead of assigning /96 subnets to each host, you must assign /64 subnets. I guess (but I am not sure, because I have not found any reference that mentions this explicitly) you *must not* use any other subnet size when dealing with ULAs. So I decided on the following two subnets for machines A and B respectively: fd16:dcc0:f4cc:1::/64 and fd16:dcc0:f4cc:2::/64.

> The following is the tinc-up script on each machine that assigns IP
> addresses and creates routes. I commented out some variations that
> I tried but haven't had success with either:
>
> A $ cat /usr/local/etc/tinc/klaas/tinc-up
> ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:0:0:1:0:1 prefixlen 80
> route -6 add -host fd16:dcc0:f4cc:0:0:2:0:1 fd16:dcc0:f4cc:0:0:1:0:1
> route -6 add -net fd16:dcc0:f4cc:0:0:2::/96 fd16:dcc0:f4cc:0:0:1:0:1
> #route -6 add -ifp $INTERFACE -host fd16:dcc0:f4cc::2:0:1 fd16:dcc0:f4cc::1:0:1
> #route -6 add -ifp $INTERFACE -net fd16:dcc0:f4cc::2:0:0/96 fd16:dcc0:f4cc::1:0:1
>
> ifconfig $INTERFACE 10.1.0.1 netmask 255.0.0.0
> route -4 add -host 10.2.0.1 10.1.0.1
> route -4 add -net 10.2.0.0/16 10.1.0.1

In addition, it seems not sufficient to solely assign an IP address; you must also assign a route for the respective foreign (!) subnet(s) to the tap interface. Without these I couldn't get the connection working. Thus, you get the following tinc-up scripts for both machines:

A $ cat /usr/local/etc/tinc/tinc-up
ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:1::1 prefixlen 48 alias
ifconfig $INTERFACE 10.1.0.1 netmask 255.0.0.0 alias
route add -inet6 -net fd16:dcc0:f4cc:2::/64 -interface $INTERFACE

B $ cat /usr/local/etc/tinc/tinc-up
ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:2::1 prefixlen 48 alias
ifconfig $INTERFACE 10.2.0.1 netmask 255.0.0.0 alias
route add -inet6 -net fd16:dcc0:f4cc:1::/64 -interface $INTERFACE

The following you should include in tinc-down to clean up the route when the daemon is shut down (this is the line for machine A, which removes the route to B's subnet that tinc-up added; alter it for machine B respectively):

# remove the route to the foreign subnet that tinc-up added
route delete -inet6 -net fd16:dcc0:f4cc:2::/64 -interface $INTERFACE

To make this complete, these are the relevant host configurations for tinc:

A $ cat /usr/local/etc/tinc/hosts/A
Address = A
Subnet = fd16:dcc0:f4cc:1::/64
Subnet = 10.1.0.0/16
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----

A $ cat /usr/local/etc/tinc/hosts/B
Address = B
Subnet = fd16:dcc0:f4cc:2::/64
Subnet = 10.2.0.0/16
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----

For reference -- in hope that duckduckgo does a good job indexing this and prevents others from struggling the same way as I did -- here are the errors I would get from tinc if either the subnet was not set up correctly (see above) or if I had not configured the routes:

Cannot route packet: neighbor solicitation request for unknown address fd16:dcc0:f4cc:0:0:1:0:1

In hope that nobody else has to struggle with this as long as I did.

Niklaas
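Added after the message as an illustration, not part of Niklaas's post or of tinc: a Python script that checks an address plan against the rules the thread arrived at (a locally assigned ULA site prefix, /64 per host, every host subnet inside the site /48) and shows why the address in the error message had no owner. It also generates a /48 the way RFC 4193 section 3.2.2 describes (low 40 bits of SHA-1 over an NTP timestamp and an EUI-64) instead of relying on a website; the EUI-64 and timestamp used in the demonstration are constructed values, and the PLAN dictionary mirrors the Subnet lines of the hosts/A and hosts/B files above.

```python
"""Address-plan checks for a ULA-based tinc setup (added example, not from the thread)."""
import hashlib
import ipaddress
import struct
import time

ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")   # RFC 4193 ULA with the L bit set


def generate_ula_prefix(eui64, ntp_time=None):
    """RFC 4193 section 3.2.2: Global ID = low-order 40 bits of
    SHA-1(64-bit NTP timestamp || EUI-64); prefix = fd00::/8 | Global ID, a /48."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    if ntp_time is None:
        # NTP timestamp: seconds since 1900-01-01 in the high 32 bits, fraction below
        now = time.time() + 2208988800
        secs = int(now)
        frac = int((now - secs) * (1 << 32)) & 0xFFFFFFFF
        ntp_time = (secs << 32) | frac
    digest = hashlib.sha1(struct.pack(">Q", ntp_time) + bytes(eui64)).digest()
    global_id = int.from_bytes(digest[-5:], "big")       # least significant 40 bits
    prefix = (0xFD << 120) | (global_id << 80)           # fd + 40-bit Global ID, rest zero
    return ipaddress.IPv6Network((prefix, 48))


def check_host_subnet(subnet, site_prefix):
    """Return a list of problems with a per-host subnet (empty list means it passes):
    it must lie in fd00::/8, be exactly a /64, and sit inside the site /48."""
    net = ipaddress.IPv6Network(subnet, strict=True)
    site = ipaddress.IPv6Network(site_prefix)
    problems = []
    if not net.subnet_of(ULA_LOCAL):
        problems.append("not a locally assigned ULA (fd00::/8)")
    if net.prefixlen != 64:
        problems.append("prefix length is /%d, expected /64" % net.prefixlen)
    if not net.subnet_of(site):
        problems.append("outside site prefix %s" % site)
    return problems


def owner_of(address, plan):
    """Map an address to the tinc host whose Subnet declaration covers it, or None.
    `plan` is {host: [subnet, ...]}, mirroring the Subnet lines in hosts/<name>."""
    addr = ipaddress.ip_address(address)
    for host, subnets in plan.items():
        for subnet in subnets:
            if addr in ipaddress.ip_network(subnet):
                return host
    return None


# Constructed plan mirroring the thread's final hosts/A and hosts/B files.
SITE = "fd16:dcc0:f4cc::/48"
PLAN = {
    "A": ["fd16:dcc0:f4cc:1::/64", "10.1.0.0/16"],
    "B": ["fd16:dcc0:f4cc:2::/64", "10.2.0.0/16"],
}

if __name__ == "__main__":
    # Fixed (made-up) EUI-64 and timestamp so the generated /48 is reproducible.
    eui64 = bytes.fromhex("0211223344556677")
    print("generated site prefix:", generate_ula_prefix(eui64, 0x1234567800000000))
    for host, subnets in PLAN.items():
        print(host, subnets[0], check_host_subnet(subnets[0], SITE) or "ok")
    print("old /96 plan:", check_host_subnet("fd16:dcc0:f4cc:0:0:1::/96", SITE))
    # The address from the error message lies in fd16:dcc0:f4cc:0::/64, which neither
    # host announces, so tinc has nowhere to route the neighbor solicitation.
    print("owner of fd16:dcc0:f4cc:0:0:1:0:1:", owner_of("fd16:dcc0:f4cc:0:0:1:0:1", PLAN))
    print("owner of fd16:dcc0:f4cc:2::1:", owner_of("fd16:dcc0:f4cc:2::1", PLAN))
```

Running the script with the plan above reports both /64s as ok, flags the old /96 for its prefix length, and returns None for fd16:dcc0:f4cc:0:0:1:0:1, which is exactly the situation behind the "neighbor solicitation request for unknown address" line: with the old addressing neither hosts file declared a Subnet that contained that address.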