Date:      Sat, 11 Jul 2020 14:42:16 -0400
From:      Ernie Luzar <luzar722@gmail.com>
To:        Jon Radel <jon@radel.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: trouble setting up ipv6
Message-ID:  <5F0A0808.9070802@gmail.com>
In-Reply-To: <b80af7d7-e7fc-b6aa-2df1-b2969f9cbf65@radel.com>
References:  <5F088CAE.2090400@gmail.com> <a8339776-478e-2274-428e-5f451c06f0dc@radel.com> <5F08A3BA.8060401@gmail.com> <f63ed225-5b6a-765e-aee3-259469bd8609@radel.com> <5F08D889.8080708@gmail.com> <b80af7d7-e7fc-b6aa-2df1-b2969f9cbf65@radel.com>

Jon Radel wrote:
> On 7/10/20 17:07, Ernie Luzar wrote:
>> Jon Radel wrote:
>>> On 7/10/20 13:22, Ernie Luzar wrote:
>> snip
>>> Notable largely for the complete lack of a default route.
>>>
>>> Consider setting your gateway explicitly instead of depending on router
>>> advertisements:
>>>
>>> ipv6_defaultrouter="2600:3c02::dead:dead:dead:beef"
>> Put this ipv6_defaultrouter= in rc.conf?
> 
> 
> Yes.  The address fe80::1 should work, as you report that below as the
> link local address of the equipment identifying itself as a local router.
> 
> 
>>> or whatever that address is.  Otherwise you'll need to figure out
>>> what's
>>> broken with router advertisements on your network.  My quick read of
>>> your ipf.rules file leads me to believe that you're allowing icmp6
>>> router advertisements in
>> Let me put into my own words what I think you are saying.
>> 1. That the standard inbound icmpv6 routeradvert is supposed to auto
>> populate the host internal ipv6 default router ipv6 address.
> Yes.  Mostly.   By default.   There are ways to turn things off. 
> https://blogs.infoblox.com/ipv6-coe/why-you-must-use-icmpv6-router-advertisements-ras/
> is a fairly nice description.
>> 2. That the inbound icmpv6 routeradvert my host is receiving from my
>> ISP is incomplete or being incorrectly populated by my ISP.
> 
> Maybe.  Now that I look over your config again, it appears that you're
> getting your ipv6 address just fine via Routing Advertisement (RA)....
> so why aren't you getting a default gateway address?  I haven't a clue.
> [But see below for a correction to this.]
> 
> But I will note that unless you connect to your ISP with only a L2
> bridge and have no L3 router of any type, the RA would be generated on a
> local router.
> 
>> 3. There are also icmp6 neighborsolicit inbound packets that are not
>> being passed by the same rule that passes the inbound icmpv6
>> routeradvert packets but get blocked by the default block all rule. I
>> am thinking this is an unreported bug in ipfilter.
> It does sound odd.
>>>> # pass in ipv6 pings. no ipv6 with keep state option allowed
>>>> pass in log quick proto icmp6 all 
>>> Are you logging advertisements based on that?  If you don't see them,
>>> you probably need to figure out what's up with your gateway device.
>> Yes I see router advertisements logged in the ipf.log file.
>>
>> fe80::1 -> ff02::1 PR icmpv6 len 40 104 icmpv6 routeradvert/0 IN
>> multicast
>>
>> Get this log line 2222 times per minute
> Interesting.  That's orders of magnitude higher frequency than I'd
> expect per RFC 4861, unless you have a vast network with many nodes
> soliciting RAs.  I'd actually have to sniff networks around here before
> I could say more--I've honestly never worried about the frequency of RAs.
>> I also see the blocked inbound icmpv6 neighborsolicit packets that get
>> logged by the default block all rule for inbound traffic.
>>
>>> As a quick check, you can also override the routing table with the -g
>>> option to ping6.
>> The ipv6 address auto assigned to the vtnet0 is what is considered as
>> the default route. Am I understanding this correctly?
> 
> ??  I don't think so.  If you want to talk to the Internet from your
> machine via vtnet0, vtnet0 has an address and on the same network there
> is a router with a different address in the same network.  The router's
> address would be configured as the default gateway on your machine.  In
> the case of ipv6, there are frequently multiple sets of addresses on the
> same physical/virtual network.  In your case
> 
> 2600:3c02::f03c:92ff:febc:1 and 2600:3c02::f03c:92ff:febc:5437 are both
> addresses on your machine and there *may* be an address also in
> 2600:3c02::/64 on your router that would work as the gateway.
> 
> fe80::f03c:92ff:febc:5437%vtnet0 is the link local address (completely
> non-routable) on your machine associated with vtnet0, which should be
> able to use fe80::1, which you know exists as that's what your router is
> using as a source address.
> 
> See
> https://blogs.infoblox.com/ipv6-coe/fe80-1-is-a-perfectly-valid-ipv6-default-gateway-address/
> about the background regarding using fe80::1 as a default route.
> 
> ---------a bit more rummaging in your configs and actually thinking a
> bit-------------
> 
> Oh....... DOH!
> 
> So all the above is true except for my not having a clue as to why the
> gateway portion of incoming RAs is ignored.  You might find some of it
> useful anyway.
> 
>> ifconfig_vtnet0_ipv6="inet6 accept_rtadv"
>> gateway_enable="YES"
>> ipv6_gateway_enable="YES" 
> The last line sets your FreeBSD machine up as a router.  If a device is
> a router, it completely ignores, by design, routing information from
> incoming RAs.
> 
> So I think your two primary choices are to, if you don't need the
> FreeBSD machine to route ipv6, remove the
> 
> ipv6_gateway_enable="YES"
> 
> and if you do want the machine to route, explicitly set a default gateway
> 
> ipv6_defaultrouter="fe80::1"
> 
> Either should give you a usable routing table.
> 
> 
> 

First I want to thank you for the effort you have already put into 
helping me with setting up ipv6 on my equipment.

You have pointed out some questions that I can't answer because I don't 
know enough about how ipv6 works. I am going to need your advice about 
how to configure my host but first you will need more information about 
my current environment.

I am running RELEASE 12.1-p6 on a virtual machine that is used for 
development. This vm configuration is pretty much a clone of the 
production system I am responsible for maintaining.

The production system is running 12.1-p6 on real hardware using only 
ipv4 addresses. This production system has many non-vnet jails and a few 
vnet jails that use the bridge/epair method with private ipv6 addresses 
that get NATed by the ipf firewall NAT service. All the jails have 
public internet access. There is also a cabled/wifi LAN behind the 
gateway host. This current environment has been running for 10+ years 
now. Qjail is used to create and administrate the non-vnet jails. The 
vnet jails are defined in jail.conf and use the native "service jail" 
command for start/stop/restart.

Ipv6 has been available for 2 years now, and with the current pandemic 
there is time to add ipv6 support to the production system, first working 
out the details using the development vm system.

Now about ipv6. It's my understanding that the gateway host's primary 
interface, which connects to the ISP and through them to the public 
internet, gets automatically assigned a static/permanent ipv6 address 
just by having this statement in the host's rc.conf:
ifconfig_vtnet0_ipv6="inet6 accept_rtadv"

vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
         ether f2:3c:92:bc:54:37
         inet6 fe80::f03c:92ff:febc:5437%vtnet0 prefixlen 64 scopeid 0x1
         inet xx.xx.xx.x netmask 0xffffff00 broadcast xx.xx.xx.255
         media: Ethernet 10Gbase-T <full-duplex>
         status: active
         nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

fe80::f03c:92ff:febc:5437 is what is called the ipv6 prefix


Now this is about the end of my ipv6 knowledge.

In general terms I think what I need to do is be able to assign ipv6 
addresses on my host using a format that is static/permanent and can be 
entered into the domain AAAA record to drive public internet traffic 
directly to the desired non-vnet and vnet jails. I know how to assign 
ipv6 addresses to non-vnet and vnet jails. If possible, this should be 
done without needing ra icmp6 packets.

I need ipv6 addresses for the LAN NIC, each non-vnet jail, the bridge0 and 
each vnet jail's epairXb interface, just like I have now for ipv4. Also I 
read that ipv6-icmp can be used to break into the host or interrupt ipv6 
service, so I must have protection against such a thing happening. My host 
is the front door to my environment and is also the end of the line.

This is where I am requesting your advice on how to configure this. I 
think the host needs an ipv6 router service because without one I was not 
able to ping6 anything.
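
Added example (editor's code, not from either poster, FreeBSD or ipfilter), covering the two practical points of this exchange: the rc.conf combination Jon diagnosed in the quoted part (ipv6_gateway_enable="YES" turns the box into a router, which then ignores the router part of incoming RAs, so accept_rtadv alone yields no default route), and Ernie's request above for ICMPv6 filtering that protects the host without breaking IPv6. check_ipv6_rc lints an rc.conf for that combination; icmp6_rules prints an ipfilter ICMPv6 ruleset that keeps neighbor discovery alive. Assumptions: one assignment per rc.conf line with no trailing comment; the numeric "icmp-type" selector on "proto ipv6-icmp" rules as described in ipf.conf(5), which must be verified with `ipf -n -f FILE` before loading; and that a link-local next hop is written with its zone index (fe80::1%vtnet0), because fe80::1 alone does not say which interface it is on. The sample rc.conf lines in demo() are constructed from the three lines quoted in the thread.

```shell
#!/bin/sh
# ipv6_rc_check.sh: added example, not code from the thread.
#  check_ipv6_rc FILE      lint rc.conf for "router + accept_rtadv, no default"
#  icmp6_rules IF yes|no   print ipfilter ICMPv6 rules for IF (yes = IF is on a router)
# Assumed: one assignment per rc.conf line; ipf numeric icmp-type syntax (check
# the output with `ipf -n -f FILE`); link-local next hops carry a zone index.

# rc_value FILE VAR -> value of the last uncommented VAR= line, quotes stripped.
# Parsed with sed instead of sourcing the file, so nothing in it is executed.
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" "$1" \
        | tail -n 1
}

# rc_accepts_rtadv FILE -> true if some ifconfig_<if>_ipv6 line has accept_rtadv
rc_accepts_rtadv() {
    grep -Eq '^[[:space:]]*ifconfig_[A-Za-z0-9_]+_ipv6=.*accept_rtadv' "$1"
}

# is_yes VALUE -> true for the spellings rc.subr's checkyesno() accepts
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ipv6_rc FILE -> verdict on stdout; exit 0 = consistent,
# 1 = router with no default route, 2 = host with no source for a default route
check_ipv6_rc() {
    gw=$(rc_value "$1" ipv6_gateway_enable)
    defrtr=$(rc_value "$1" ipv6_defaultrouter)
    if is_yes "$gw"; then
        if [ -z "$defrtr" ]; then
            echo "FAIL: ipv6_gateway_enable=YES makes this host a router, which (per the thread) ignores RA router info; set ipv6_defaultrouter or drop ipv6_gateway_enable"
            return 1
        fi
        echo "OK: router with explicit ipv6_defaultrouter=$defrtr"
        return 0
    fi
    if [ -n "$defrtr" ]; then
        echo "OK: host with explicit ipv6_defaultrouter=$defrtr"
        return 0
    fi
    if rc_accepts_rtadv "$1"; then
        echo "OK: host, default route will be learned from router advertisements"
        return 0
    fi
    echo "WARN: neither accept_rtadv nor ipv6_defaultrouter: no IPv6 default route"
    return 2
}

# icmp6_rules IF yes|no -> ipfilter rules for ICMPv6 on IF. A bare "pass in
# proto icmp6 all" admits every type; a default "block all" without these
# rules kills neighbor discovery, so fe80::1 never resolves even with a
# correct default route. All rules are "quick" so they win over the block-all.
icmp6_rules() {
    ifn=$1
    cat <<EOF
# --- ICMPv6 on $ifn (generated example; verify with: ipf -n -f <file>) ---
# error reports and echo that every node must receive (RFC 4890 section 4.3.1)
pass in quick on $ifn proto ipv6-icmp from any to any icmp-type 1
pass in quick on $ifn proto ipv6-icmp from any to any icmp-type 2
pass in quick on $ifn proto ipv6-icmp from any to any icmp-type 3
pass in quick on $ifn proto ipv6-icmp from any to any icmp-type 4
pass in quick on $ifn proto ipv6-icmp from any to any icmp-type 128
pass in quick on $ifn proto ipv6-icmp from any to any icmp-type 129
# neighbor solicitation/advertisement: needed for address resolution and DAD
pass in quick on $ifn proto ipv6-icmp from any to any icmp-type 135
pass in quick on $ifn proto ipv6-icmp from any to any icmp-type 136
EOF
    if [ "$2" = yes ]; then
        echo "# $ifn is on a router: router advertisements are not accepted here"
    else
        echo "# router advertisements only from link-local sources, never off-link"
        echo "pass in quick on $ifn proto ipv6-icmp from fe80::/10 to any icmp-type 134"
    fi
    cat <<EOF
# redirects (137), node information queries and everything else: drop and log
block in log quick on $ifn proto ipv6-icmp all
pass out quick on $ifn proto ipv6-icmp all
EOF
}

# Stand-alone demo on a constructed rc.conf made of the three lines quoted in
# the thread, then again with Jon's explicit default router added.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'ifconfig_vtnet0_ipv6="inet6 accept_rtadv"' \
        'gateway_enable="YES"' 'ipv6_gateway_enable="YES"' > "$d/rc.conf"
    check_ipv6_rc "$d/rc.conf" || true
    echo 'ipv6_defaultrouter="fe80::1%vtnet0"' >> "$d/rc.conf"   # zone index on purpose
    check_ipv6_rc "$d/rc.conf" || true
    icmp6_rules vtnet0 yes
    rm -rf "$d"
}
demo
```

On a real box run `check_ipv6_rc /etc/rc.conf` (or compare with `sysrc -n ipv6_gateway_enable ipv6_defaultrouter`), and pipe `icmp6_rules vtnet0 yes` into a file that is loaded ahead of the default block rule. Neither function changes anything on the system.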

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5F0A0808.9070802>