From: Eric F Crist
Date: Tue, 26 Jun 2007 17:14:59 -0500
To: Bruce A. Mah
Cc: freebsd-net@freebsd.org, "Bruce M. Simpson"
Subject: Re: IPv6 Woes...
List-Id: Networking and TCP/IP with FreeBSD
In-Reply-To: <46818609.3080202@freebsd.org>
References: <39D6F9D8-3A2C-4AD7-9FA4-0024E304194A@secure-computing.net> <468011FC.4050308@FreeBSD.org> <7731B558-35C7-4E22-A40D-8BCE208AFD6A@secure-computing.net> <468063F6.2050303@FreeBSD.org> <8AA398FC-A753-4BB8-A93F-224FDDCE41BA@secure-computing.net> <46818609.3080202@freebsd.org>

On Jun 26, 2007, at 4:32 PM, Bruce A. Mah wrote:

> If memory serves me right, Eric F Crist wrote:
>> Hi Eric--
>
> First note that I'm a different Bruce than the chap who's been helping
> thus far. :-)
>
> BTW, use "ndp -a" to see this.
> Your setup is not *too* different from what I have at home in terms of
> network topology and what you hope to accomplish. (I have a Soekris
> net4801 running 6.2-STABLE and acting as a filtering bridge between an
> IPv4 /29 and the rest of the Internet, and also terminating a gif(4)
> tunnel for IPv6.)
>
>> This is so that I don't have to do routing on my firewall. I have an
>> IPv4 /28 network, so a limited number of IP addresses; this saves one
>> of those. This system is filtering traffic with PF. That's really
>> the only reason for the bridging. Also, it does allow me to do
>> traffic shaping and bandwidth monitoring. This bridging stuff
>> really, as you said, has nothing to do with my IPv6 configuration
>> issues.
>
> I think the biggest difference between your network and mine is that
> rather than using options BRIDGE I'm using the if_bridge(4) driver
> between my "inside" and "outside" network interfaces. The physical
> interfaces in the bridge are unnumbered and the if_bridge
> pseudo-interface has IPv4 and IPv6 addresses.
>
> The main reason for doing this is that I've seen that bridge(4) can
> have difficulty determining the correct physical interface to use for
> packets that originate on the bridging host. I recall having this
> problem with pfnat. (I don't remember the exact details, but I did
> some postings to the m0n0wall mailing lists on this topic some time
> ago... your favorite search engine can probably help find these
> messages.)
>
> I wonder if the problem I've seen with bridge(4) might be related to
> your IPv6 problems (since you're terminating the tunnel on your
> firewall). If so, maybe switching to if_bridge(4) as I've described
> above might help things.
>
> In any case, good luck!

Bruce! Thanks for all the help! That did the trick!
Only one more thing that's holding me up. On my gateway, I've got
2001:4980:1:111::145/64 as the primary IP address. In addition, I've got
2001:4980:1:111::1/128 as an alias. I can ping/connect to the xxx:145
address, but not the xxx:1 address. What did I configure wrong?

Here's the output of netstat -r -f inet6:

Routing tables

Internet6:
Destination                     Gateway                         Flags  Refs  Use  Mtu    Netif  Expire
::                              localhost.secure-computing.net  UGRS   0     0    16384  lo0    =>
default                         2001:4980:1::5                  UGS    0     0    1280   gif0
localhost.secure-computing.net  localhost.secure-computing.net  UHL    5     0    16384  lo0
::ffff:0.0.0.0                  localhost.secure-computing.net  UGRS   0     0    16384  lo0
2001:4980:1::4                  link#7                          UC     0     0    1280   gif0
2001:4980:1::5                  link#7                          UHLW   2     4    1280   gif0
2001:4980:1::6                  link#7                          UHL    1     4    1280   lo0
2001:4980:1:111::               link#1                          UC     0     1    1500   fxp0
2001:4980:1:111::1              00:06:5b:05:30:19               UHL    1     4    1500   lo0
2001:4980:1:111::145            00:06:5b:05:30:19               UHL    2     4    1500   lo0
2001:4980:1:111::147            00:06:5b:38:2e:82               UHLW   1     14   1500   fxp0
fe80::                          localhost.secure-computing.net  UGRS   0     0    16384  lo0
fe80::%fxp0                     link#1                          UC     0     0    1500   fxp0
fe80::206:5bff:fe05:3019%fxp0   00:06:5b:05:30:19               UHL    1     0    1500   lo0
fe80::%fxp1                     link#2                          UC     0     0    1500   fxp1
fe80::206:5bff:fe05:301a%fxp1   00:06:5b:05:30:1a               UHL    1     0    1500   lo0
fe80::%lo0                      fe80::1%lo0                     U      0     0    16384  lo0
fe80::1%lo0                     link#3                          UHL    1     0    16384  lo0
fe80::%gif0                     link#7                          UC     0     0    1280   gif0
fe80::206:5bff:fe05:3019%gif0   link#7                          UHL    1     0    1280   lo0
fe80::%tun0                     link#8                          UC     0     0    1500   tun0
fe80::206:5bff:fe05:3019%tun0   link#8                          UHL    1     0    1500   lo0
ff01:1::                        link#1                          UC     0     0    1500   fxp0
ff01:2::                        link#2                          UC     0     0    1500   fxp1
ff01:3::                        localhost.secure-computing.net  UC     0     0    16384  lo0
ff01:7::                        link#7                          UC     0     0    1280   gif0
ff01:8::                        link#8                          UC     0     0    1500   tun0
ff02::                          localhost.secure-computing.net  UGRS   0     0    16384  lo0
ff02::%fxp0                     link#1                          UC     0     0    1500   fxp0
ff02::%fxp1                     link#2                          UC     0     0    1500   fxp1
ff02::%lo0                      localhost.secure-computing.net  UC     0     0    16384  lo0
ff02::%gif0                     link#7                          UC     0     0    1280   gif0
ff02::%tun0                     link#8                          UC     0     0    1500   tun0

Thanks for one last piece of advice!
-----
Eric F Crist
Secure Computing Networks
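As an added example (not part of the thread, and not Eric's or Bruce's code), here is a small Python parser for the "netstat -r -f inet6" table quoted in the mail above. It turns each row into a record, treats the trailing "=>" marker as a marker rather than a column, and reports whether a given address has a host route (flags H and L) pointing at lo0, which is how the kernel lists an address it owns. Checking that first separates "the alias was never configured" from "the alias is configured but something else blocks it". The sample table is a constructed subset of the rows in the mail; the function and field names are my own assumptions, not anything from FreeBSD itself.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: a subset of the "netstat -r -f inet6" output quoted
# in the mail, laid out with the column order of FreeBSD 6.x netstat.
SAMPLE_NETSTAT = """\
Routing tables

Internet6:
Destination                     Gateway                         Flags  Refs  Use  Mtu    Netif  Expire
::                              localhost.secure-computing.net  UGRS   0     0    16384  lo0    =>
default                         2001:4980:1::5                  UGS    0     0    1280   gif0
2001:4980:1::4                  link#7                          UC     0     0    1280   gif0
2001:4980:1::6                  link#7                          UHL    1     4    1280   lo0
2001:4980:1:111::               link#1                          UC     0     1    1500   fxp0
2001:4980:1:111::1              00:06:5b:05:30:19               UHL    1     4    1500   lo0
2001:4980:1:111::145            00:06:5b:05:30:19               UHL    2     4    1500   lo0
2001:4980:1:111::147            00:06:5b:38:2e:82               UHLW   1     14   1500   fxp0
fe80::206:5bff:fe05:3019%fxp0   00:06:5b:05:30:19               UHL    1     0    1500   lo0
"""


@dataclass
class Route:
    destination: str
    gateway: str
    flags: str
    refs: int
    use: int
    mtu: int
    netif: str
    expire: Optional[str] = None

    @property
    def scope(self) -> Optional[str]:
        """Interface scope from a link-local '%ifname' suffix, if present."""
        return self.destination.split("%", 1)[1] if "%" in self.destination else None

    @property
    def is_local_address(self) -> bool:
        """True for an address the kernel owns: a host route (H) carrying
        link-layer info (L) whose outgoing interface is the loopback."""
        return "H" in self.flags and "L" in self.flags and self.netif == "lo0"


def parse_inet6_routes(text: str) -> List[Route]:
    """Parse the Internet6 section of BSD 'netstat -r -f inet6' output."""
    routes: List[Route] = []
    in_inet6 = False
    for line in text.splitlines():
        if line.startswith("Internet6:"):
            in_inet6 = True
            continue
        if line.startswith("Internet:"):  # an IPv4 section would end the block
            in_inet6 = False
            continue
        if not in_inet6 or not line.strip() or line.startswith("Destination"):
            continue
        cols = line.split()
        # "=>" flags a row whose more specific sibling follows on the next
        # line; it is a marker, not a column value, so drop it before slicing.
        if cols and cols[-1] == "=>":
            cols.pop()
        if len(cols) < 7:
            continue  # malformed or wrapped row; skip rather than misalign columns
        dest, gw, flags, refs, use, mtu, netif = cols[:7]
        expire = cols[7] if len(cols) > 7 else None
        routes.append(Route(dest, gw, flags, int(refs), int(use), int(mtu), netif, expire))
    return routes


def find_route(routes: List[Route], address: str) -> Optional[Route]:
    """Exact-match lookup of a destination (host route) in the parsed table."""
    for r in routes:
        if r.destination == address:
            return r
    return None


def local_addresses(routes: List[Route]) -> List[str]:
    """All destinations the routing table reports as belonging to this host."""
    return [r.destination for r in routes if r.is_local_address]


def describe(routes: List[Route], address: str) -> dict:
    """Summarise what the table says about one address. A missing host route
    is reported explicitly, so 'never configured' is distinguishable from
    'configured but unreachable for some other reason'."""
    r = find_route(routes, address)
    if r is None:
        return {"address": address, "present": False}
    return {"address": address, "present": True, "flags": r.flags,
            "netif": r.netif, "gateway": r.gateway, "is_local": r.is_local_address}


if __name__ == "__main__":
    table = parse_inet6_routes(SAMPLE_NETSTAT)
    for addr in ("2001:4980:1:111::145", "2001:4980:1:111::1", "2001:4980:1:111::2"):
        print(describe(table, addr))
```

Run against the quoted table, both 2001:4980:1:111::145 and 2001:4980:1:111::1 come back as local host routes on lo0 with identical flags, so the routing table alone does not explain why only one of them answers; the next things to look at are the interface address list (ifconfig) and the neighbour cache (ndp -a, as Bruce suggested) on the peer doing the pinging.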