From: Jon Radel
Date: Sun, 23 Nov 2014 16:58:28 -0500
To: pepe, freebsd-questions@freebsd.org
Subject: Re: IPv6 aliases on FreeBSD 10
Message-ID: <54725884.5060006@radel.com>

This is a cryptographically signed message in MIME format.

On 11/23/14, 5:14 AM, pepe wrote:

> I also tried adding
> aliases with /128 instead of /64, but it changed nothing.
> With /128 it worked just the same way.

As one of the people mentioning /128s, I'd like to retract that
suggestion; I've been reading the ipv6 related documentation given that
I'm bringing up my first 10.1 box with ipv6.....and things have changed
a bit since 8.4.

>
> Current rc.conf is:
> ipv6_activate_all_interfaces="YES"
> #ipv6_defaultrouter="2001:14b8:1801::1"
> ipv6_defaultrouter="fe80::1%em0"
> ifconfig_em0_ipv6="inet6 2001:14b8:1801::c001 prefixlen 64"
> ifconfig_em0_alias59="inet6 2001:14b8:1801::2 prefixlen 64"
> ifconfig_em0_alias60="inet6 2001:14b8:1801::c002 prefixlen 64"
> ifconfig_em0_alias61="inet6 2001:14b8:1801::3 prefixlen 64"
> ifconfig_em0_alias62="inet6 2001:14b8:1801:1:: prefixlen 64"
> ifconfig_em0_alias63="inet6 2001:14b8:1801:1::1 prefixlen 64"
>

Just making sure that you realize that if the ISP's equipment is
addressed 2001:14b8:1801::1/64, it wouldn't necessarily do good things
with your address 2001:14b8:1801:1::/64 unless it had a route to that
network. But that's an aside and doesn't appear to be the root issue
you're dealing with.

>
> I'm starting to think it's problem on ISP side and not ours. But just to
> sure - anyone have any ideas what more to try?
>
>

I read through this thread, and as far as I can tell, you've told us
almost nothing useful about the topology of your network. Where does
the cable from em0 go? Directly into the ISP's equipment? If so, what
kind of equipment are we talking about? What type of media? I admit
complete ignorance of the industry norms specific to Finland, but around
these parts it makes a world of difference whether you're talking
directly to a cable carrier's "modem" or a point-to-point circuit into a
high-end router.

What I would do, given what little I know about your topology:

1) Run "ndp -an" on your machine. All the addresses you expect to
work should show up as permanent entries in this table.

2) You're not doing any firewalling are you?

3) If you don't run em0 into a switch, insert one (preferably one that
does L3 and port mirroring, if you just happen to have access to one
like that) between the server and your ISP.

4) Attach another ipv6 speaking machine to the switch. Can it ping
all the addresses? Does its ndp table show the proper mac address for
all the addresses?

5) Optional: mirror all the traffic on the switch port attached to the
ISP to the test machine you added and using tcpdump or wireshark or
what-have-you look at the traffic between the ISP and your server.

If the test machine in #4 reaches all the server addresses just fine
even though the ISP doesn't, particularly if #5 shows the ISP never
sending the traffic that should be going to the "non-functional"
addresses, my leading suspicion would be that the ISP's equipment
has very, very limited capacity for a L2 address table, quite possibly
as a matter of deliberate configuration, and after it learns about N
neighbors, where N is a very small number, it simply ignores any
additional addresses. Other than getting your ISP to do something about
that, the only fix I can think of is to put a router (which is where a
L3 switch would be handy) between your ISP and your server. Then, in
theory, your ISP's equipment should have to deal with the only addresses
on the outside of your router in L2 and everything else would be L3
routing. My big concern about that, however, is that the default
address they've given you is actually in your /48, so it's unclear to me
what the heck they're doing with the routing. So you probably have to
talk to them in any case about what the outside interface of your router
should be addressed as.

--Jon Radel
jon@radel.com
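
Added example, not part of the original message: steps 1 and 4 above written as a script that compares the inet6 addresses in rc.conf against "ndp -an" output. The function names, the sample tables and the MAC addresses are constructed for illustration, and the column order (Neighbor, Linklayer Address, Netif, Expire, S, Flags) is assumed to be what FreeBSD's ndp prints.

```python
import ipaddress
import re

# Constructed samples: rc.conf lines from the message; `ndp -an` output from the
# server and from the step-4 test machine (MACs are RFC 7042 documentation values).
RC_CONF = """\
ifconfig_em0_ipv6="inet6 2001:14b8:1801::c001 prefixlen 64"
ifconfig_em0_alias59="inet6 2001:14b8:1801::2 prefixlen 64"
ifconfig_em0_alias62="inet6 2001:14b8:1801:1:: prefixlen 64"
"""
NDP_SERVER = """\
Neighbor                     Linklayer Address  Netif Expire    S Flags
2001:14b8:1801::c001         00:00:5e:00:53:10    em0 permanent R
2001:14b8:1801::2            00:00:5e:00:53:10    em0 permanent R
fe80::1%em0                  00:00:5e:00:53:01    em0 23h59m2s  S R
"""
NDP_TESTER = """\
Neighbor                     Linklayer Address  Netif Expire    S Flags
2001:14b8:1801::c001         00:00:5e:00:53:10    em0 23h50m1s  S
2001:14b8:1801::2            00:00:5e:00:53:99    em0 23h50m4s  S
"""

def configured(rc_conf, ifname="em0"):
    """inet6 addresses that rc.conf assigns to ifname (commented lines skipped)."""
    pat = re.compile(r'^ifconfig_%s_(?:ipv6|alias\d+)="inet6\s+([0-9A-Fa-f:]+)'
                     % re.escape(ifname), re.M)
    return {ipaddress.IPv6Address(a) for a in pat.findall(rc_conf)}

def ndp_table(output, ifname="em0"):
    """Parse `ndp -an` text into {address: (mac, expire)} for one interface."""
    table = {}
    for line in output.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) >= 4 and f[2] == ifname:
            addr = ipaddress.IPv6Address(f[0].split("%")[0])  # drop zone id
            table[addr] = (f[1], f[3])
    return table

def not_permanent(rc_conf, ndp_output):
    """Step 1: configured addresses lacking a permanent entry on the server."""
    t = ndp_table(ndp_output)
    return sorted(str(a) for a in configured(rc_conf)
                  if t.get(a, ("", ""))[1] != "permanent")

def wrong_mac(rc_conf, ndp_output, server_mac):
    """Step 4: addresses the tester resolves to another MAC, or not at all."""
    t = ndp_table(ndp_output)
    return sorted(str(a) for a in configured(rc_conf)
                  if t.get(a, (None, ""))[0] != server_mac)
```

Addresses are compared as parsed ipaddress.IPv6Address values rather than strings, so differences in zero compression between rc.conf and the ndp output do not produce false mismatches.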