Date: Thu, 16 Feb 2017 17:23:23 -0500
From: Jon Radel <jon@radel.com>
To: Ernie Luzar <luzar722@gmail.com>, "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: Questions about local ipv6 setup
Message-ID: <8e9557c5-291a-8b24-ce09-115f979c15eb@radel.com>
In-Reply-To: <58A5D342.1020505@gmail.com>
References: <58A5D342.1020505@gmail.com>

On 2/16/17 11:28 AM, Ernie Luzar wrote:
>
> Does ipv6 have a range of non-public routeable ipv4 address that are
> reserved for LAN use like 10.0.0.0/8 is for ipv4?

Yes, several different flavors, some of which are not directly
comparable to anything in ipv4.

A mandatory address for every ipv6 configured interface is the
link-local address in fe80::/64. As suggested by the name, this is an
address that is only usable on the LAN the interface is attached to;
these addresses are not routed. On most modern ipv6 stacks you'll end
up with one of these automatically, with least significant 64 bits
based on a transformation of the MAC for the interface. You can,
however, assign a different or additional one of these and use that on
the LAN.

Most directly comparable to RFC 1918 addresses would be the unique
local addresses in fc00::/7. To do it right, you'd use fd00::/8 half
of that space, concatenated with a different 40-bit pseudo-random
number for each of your LANs. You could route these anywhere in your
network, but not globally.

After that you get into the weird stuff, such as using
ipv4-mapped-ipv6 space for the RFC 1918 numbers. I can't think of why
this wouldn't work, but certainly haven't tried it.

>
> Do any of the 3 freebsd firewalls have ability to do ipv6 NAT?

Consider avoiding NAT entirely. One of the beautiful things about ipv6
is avoiding NAT and all the breakage that results from NAT. If you're
actually connected to the ipv6 Internet you should have no trouble
getting an address for every device you own many times over.

>
> Can the default dhcp client handle ipv6?

I believe not but haven't checked recently if that is still true. But
really, the use case for DHCP is minimal in IPv6. There are better ways
to dynamically assign addresses unless you have special requirements.
See net/dhcp6 and other ports for more.

>
> On my host I run ipfilter firewall, I have done nothing to enable ipv6,
> but the daily security email shows a list of ipv6 denied packets. Does
> this mean that ipv6 packets are flowing freely on the public internet?
>

It possibly just means that something else on your LAN is talking
ipv6. However, it is true that there are an awful lot of ipv6 packets
on the ipv6 Internet--frankly it would be extremely sad if there
weren't. There are even a lot of ipv6 packets on the ipv4 Internet,
though they're all encapsulated in some fashion or another.

But without the slightest hint as to whether you're connected to the
ipv6 Internet, what type of packets they are, and what address they're
coming from, it's right hard for us to even guess what it all means.
It could be that your local gateway is configured to send out RA
(router advertisement) packets routinely. See
https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol for more.

> My current goal is to configure ipv6 to work only between my gateway and
> LAN nodes. Have been unable to find example on how to accomplish this.
> Can anyone point me to such documentation.

Things to try when you've got a bit of ipv6 running:

ndp -a
ndp -an

which show you everything speaking ipv6 on your LAN(s).

ping6
traceroute6

should be obvious.

If during setup you say you want to use ipv6, you should end up with
at very least an fe80:: address, which should be sufficient to talk to
anything else on your LAN that speaks ipv6. Whether you get more
depends on what your router is configured to do in regards to NDP,
etc., etc.

-- 
--Jon Radel
jon@radel.com

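Added example, not part of the original message: a Python sketch of the two address constructions the reply describes (a unique local /48 built from fd00::/8 plus a 40-bit random value, and a link-local address whose low 64 bits are derived from the interface MAC), together with a helper that sorts addresses from a firewall log by scope. The MAC, the sample addresses and all function names are constructed for illustration.

```python
import ipaddress
import secrets

ULA = ipaddress.ip_network("fc00::/7")       # unique local space

def ula_prefix(global_id=None):
    """/48 unique local prefix: 0xfd followed by a 40-bit random Global ID."""
    if global_id is None:
        global_id = secrets.token_bytes(5)   # 40 bits from the OS CSPRNG
    if len(global_id) != 5:
        raise ValueError("Global ID must be 5 bytes (40 bits)")
    base = ipaddress.IPv6Address(b"\xfd" + global_id + bytes(10))
    return ipaddress.IPv6Network((base, 48))

def link_local_from_mac(mac):
    """Link-local address whose low 64 bits are the modified EUI-64 of mac."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)

def classify(addr):
    """Scope of an IPv6 address as it might appear in a firewall log."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop zone id such as %em0
    if ip.ipv4_mapped is not None:
        return "ipv4-mapped"
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:
        return "link-local"
    if ip in ULA:
        return "unique-local"
    return "global or other"

# Constructed sample addresses, not taken from the thread.
SAMPLE = ["fe80::21b:21ff:fe3c:4d5e%em0", "ff02::1", "fd12:ab34:cd56:1::10",
          "::ffff:10.0.0.5", "2001:db8::1"]

def triage(addresses):
    """Map each address to its scope so on-LAN chatter stands out."""
    return {a: classify(a) for a in addresses}

if __name__ == "__main__":
    print("new ULA prefix:", ula_prefix())
    print("link-local:", link_local_from_mac("00:1b:21:3c:4d:5e"))
    for addr, scope in triage(SAMPLE).items():
        print(f"{scope:16} {addr}")
```

Link-local and multicast entries in a denied-packet report point to hosts on the same LAN rather than traffic arriving from the Internet.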
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8e9557c5-291a-8b24-ce09-115f979c15eb>