IPv6 Prefix Delegation from ISP and associated interfaces
sillysausage
Thu Nov 12 16:19:27 2015
Hi,
I'm wondering whether someone can help me with this problem I've been
having with dhcpcd as I expand my network to include IPv6 support,
please :)
I'm fairly certain my problems are from issues regarding prefix
delegation of my routes.
I've been documenting the whole setup here, and I want to add an IPv6
section when I get this working.
http://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_Raspberry_Pi
A bit of background on my network:
http://wiki.alpinelinux.org/w/images/d/de/Network_diagram.png
My current IPv4 interfaces look like this:
# Workstation #
iface eth0 inet static
address 192.168.1.20
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.1
# Router #
## Internal ##
iface eth0 inet static
address 192.168.1.1
netmask 255.255.255.0
broadcast 192.168.1.255
## External ##
iface eth1 inet static
address 192.168.0.2
netmask 255.255.255.252
broadcast 192.168.0.3
# Modem #
And the modem would be:
iface eth0 inet static
address 192.168.0.1
netmask 255.255.255.252
A lot of documentation that I've found regarding deployment of IPv6
uses the wide-dhcpv6 client. My distributor informs me this is
unmaintained and won't be packaging it.
http://bugs.alpinelinux.org/issues/564#note-3
I had found these guides, unfortunately all for wide-dhcpv6.
• http://vk5tu.livejournal.com/37206.html - same ISP as me
• https://www.nnbfn.net/tag/dhcp-pd/
• http://www.ipcalypse.ca/?p=204
I wasn't able to test this with the ISC dhclient either as this
apparently doesn't support PPP links
https://bugs.gentoo.org/show_bug.cgi?id=432652#c4 so I decided to use
dhcpcd.
vk5tu uses this configuration with wide-dhcpv6, so it should work for
me if I can translate it to dhcpcd language.
> Set /etc/wide-dhcpv6/dhcp6c.conf:
>
> profile default
> {
> request domain-name-servers;
> request domain-name;
> script "/etc/wide-dhcpv6/dhcp6c-script";
> };
> interface ppp0 {
> # Request a prefix delegation
> send ia-pd 1;
> };
> id-assoc pd 1 {
> prefix-interface eth0 {
> # 8 bits for subnetting
> sla-len 8;
> # Our subnet is VLAN 1
> sla-id 1;
> # Our interface has address ...::1
> ifid 1;
> };
> };
Now. My ISP gives me:
> Your delegated static /56 IPv6 prefix for your LAN is:
> 2001:0db8:1234:0000
> When you login, you will be assigned, via a dual-stack IPv4/IPv6 PPP
> session:
> • Your existing IPv4 address (if static) and any existing framed
> route(s)
> • A dynamic /64 IPv6 prefix for your PPP session
> • A static /56 IPv6 prefix for your LAN (if you are using a router
> with Prefix Delegation)
The way I want my interfaces to work is like this, roughly matching my
IPv4 styling. I don't care so much about the clients, eventually I plan
to configure radvd and let those dynamically be assigned, but I want
the interfaces on the router to be like so:
Internal: 192.168.1.1 /24
2001:0db8:1234:0001::1 /64
External: 192.168.0.2 /30
2001:0db8:1234:0000::2 /64
# Workstation #
iface eth0 inet6 static
address 2001:0db8:1234:0001::20
netmask 64
gateway 2001:0db8:1234:0001::1
# Router #
## Internal ##
iface eth0 inet6 static
address 2001:0db8:1234:0001::1
netmask 64
autoconf 0
accept_ra 0
privext 0
post-up /sbin/sysctl -w net.ipv6.conf.eth0.forwarding=2
post-up /sbin/sysctl -w net.ipv6.conf.default.forwarding=2
post-up /sbin/sysctl -w net.ipv6.conf.default.accept_ra=2
My current sysctl.conf is here
http://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_Raspberry_Pi#.2Fetc.2Fsysctl.conf
My current dhcpcd.conf that I've been playing around with is here:
gateway:~# cat /etc/dhcpcd.conf
# Enable extra debugging
debug
# Allow users of this group to interact with dhcpcd via the control
# socket.
#controlgroup wheel
# Inform the DHCP server of our hostname for DDNS.
gateway
# Use the hardware address of the interface for the Client ID.
#clientid
# or
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as
# per RFC4361. Some non-RFC compliant DHCP servers do not reply with
# this set. In this case, comment out duid and enable clientid above.
duid
# Persist interface configuration when dhcpcd exits.
persistent
# Rapid commit support.
# Safe to enable by default because it requires the equivalent option
# set on the server to actually work.
option rapid_commit
# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes
# Most distributions have NTP support.
option ntp_servers
# Respect the network MTU.
# Some interface drivers reset when changing the MTU so disabled by
# default.
#option interface_mtu
# A ServerID is required by RFC2131.
require dhcp_server_identifier
# Generate Stable Private IPv6 Addresses instead of hardware based
# ones
slaac private
# A hook script is provided to lookup the hostname if not set by the
# DHCP server, but it should not be run by default.
nohook lookup-hostname
# IPv6 Only
ipv6only
# Disable solicitations on all interfaces
noipv6rs
# Wait for IP before forking to background
waitip 6
# Don't install any default routes.
# PPP has already set a default route
nogateway
# Don't touch DNS
nohook resolv.conf
# Use the interface connected to WAN
interface eth1
ipv6rs # enable routing solicitation get the default IPv6 route
iaid 1
ia_pd 1/::/64 eth0/1/64
Before I start dhcpcd:
gateway:~# ip -f inet6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:0db8:1234:0001::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::ba27:ebff:fe63:46b5/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:0db8:1234:0000::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::8249:71ff:fe12:3879/64 scope link
valid_lft forever preferred_lft forever
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qlen 3
inet6 2001:0db8:16:606:98ea:4841:1037:349f/64 scope global mngtmpaddr dynamic
valid_lft 5930sec preferred_lft 5930sec
inet6 fe80::98ea:4841:1037:349f/10 scope link
valid_lft forever preferred_lft forever
gateway:~# ip -f inet6 route
2001:0db8:16:606::/64 dev ppp0 proto kernel metric 256 expires 5897sec
2001:0db8:1234:0000::/64 dev eth1 proto kernel metric 256
2001:0db8:1234:0001::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth1 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/10 dev ppp0 metric 1
fe80::/10 dev ppp0 proto kernel metric 256
default via fe80::222:55ff:fe75:ec00 dev ppp0 proto ra metric 1024 expires 5837sec hoplimit 64
gateway daemon.debug dhcpcd[1956]: dhcpcd-6.9.0 starting
gateway kern.info kernel: [ 338.423631] cfg80211: Calling CRDA to update world regulatory domain
gateway daemon.debug dhcpcd[1956]: eth1: disabling kernel IPv6 RA support
gateway daemon.debug dhcpcd[1956]: eth0: executing `/lib/dhcpcd/dhcpcd-run-hooks' PREINIT
gateway daemon.debug dhcpcd[1956]: eth0: executing `/lib/dhcpcd/dhcpcd-run-hooks' CARRIER
gateway daemon.debug dhcpcd[1956]: eth1: executing `/lib/dhcpcd/dhcpcd-run-hooks' PREINIT
gateway daemon.debug dhcpcd[1956]: eth1: executing `/lib/dhcpcd/dhcpcd-run-hooks' CARRIER
gateway daemon.info dhcpcd[1956]: DUID RE:MO:VE:ED:DU:ID:FF:FF:FF:FF:FF:FF:FF:FF
gateway daemon.info dhcpcd[1956]: eth0: IAID eb:63:46:b5
gateway daemon.info dhcpcd[1956]: eth1: IAID 00:00:00:01
gateway daemon.debug dhcpcd[1956]: eth1: delaying IPv6 router solicitation for 0.2 seconds
gateway daemon.info dhcpcd[1956]: eth1: soliciting a DHCPv6 lease
gateway daemon.debug dhcpcd[1956]: eth1: delaying SOLICIT6 (xid 0x6c386c), next in 0.5 seconds
gateway daemon.info dhcpcd[1956]: eth1: soliciting an IPv6 router
gateway daemon.debug dhcpcd[1956]: eth1: sending Router Solicitation
gateway daemon.debug dhcpcd[1956]: eth1: broadcasting SOLICIT6 (xid 0x6c386c), next in 0.9 seconds
gateway daemon.err dhcpcd[1956]: eth1: DHCPv6 REPLY:
gateway daemon.debug dhcpcd[1956]: eth1: broadcasting SOLICIT6 (xid 0x6c386c), next in 1.8 seconds
gateway daemon.err dhcpcd[1956]: eth1: DHCPv6 REPLY:
gateway daemon.info dhcpcd[1956]: eth1: Router Advertisement from fe80::5089:2fff:fe97:4c6b
gateway daemon.info dhcpcd[1956]: eth1: adding address 2001:0db8:1234:0000:486:ffff:ffff:fffa/64
gateway daemon.debug dhcpcd[1956]: eth1: pltime 120 seconds, vltime 300 seconds
gateway daemon.info dhcpcd[1956]: eth1: adding route to 2001:0db8:1234:0000::/64
gateway daemon.debug dhcpcd[1956]: eth1: waiting for Router Advertisement DAD to complete
gateway daemon.debug dhcpcd[1956]: eth1: broadcasting SOLICIT6 (xid 0x6c386c), next in 3.5 seconds
gateway daemon.err dhcpcd[1956]: eth1: DHCPv6 REPLY:
gateway daemon.debug dhcpcd[1956]: eth1: Router Advertisement DAD completed
gateway daemon.debug dhcpcd[1956]: eth1: executing `/lib/dhcpcd/dhcpcd-run-hooks' ROUTERADVERT
gateway daemon.debug dhcpcd[1956]: eth1: broadcasting SOLICIT6 (xid 0x6c386c), next in 7.3 seconds
gateway daemon.err dhcpcd[1956]: eth1: DHCPv6 REPLY:
gateway:~# ip -f inet6 addr show dev eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:0db8:1234:0000:486:ffff:ffff:fffa/64 scope global noprefixroute dynamic
valid_lft 296sec preferred_lft 116sec
inet6 2001:0db8:1234:0000::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::8249:71ff:fe12:3879/64 scope link
valid_lft forever preferred_lft forever
The problem seems to be I can ping out of my router, via default
gateway.
I cannot ping any of my internal hosts from the outside though.
> Destination unreachable: Address unreachable
so I think it's a problem with my routing...
I also cannot ping any IPv6 host on the Internet from my workstation, i.e.
2001:0db8:1234:0001::20.
It also creates a unique IP
2001:0db8:1234:0000:486:ffff:ffff:fffa/64
which I don't really want. I want it to use the static one I created
2001:0db8:1234:0000::2/64
For completeness' sake, I've got my very permissive ip6tables ruleset:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Create rule chain per input interface for forwarding packets
:FWD_ETH0 - [0:0]
:FWD_ETH1 - [0:0]
:FWD_PPP0 - [0:0]
# Create rule chain per input interface for input packets (for host itself)
:IN_ETH0 - [0:0]
:IN_ETH1 - [0:0]
:IN_PPP0 - [0:0]
# Create a drop chain
:LOG_DROP - [0:0]
# Pass input packet to corresponding rule chain
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j IN_ETH0
-A INPUT -i eth1 -j IN_ETH1
-A INPUT -i ppp0 -j IN_PPP0
# Accept ICMPv6 from localhost
-A INPUT -i lo -p ipv6-icmp -j ACCEPT
-A IN_ETH1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -j DROP
# Forward ICMPv6
-A FORWARD -p ipv6-icmp -j ACCEPT
# Forward all from LAN
-A FWD_ETH0 -j ACCEPT
# Forward tracked connections from outside
-A FWD_ETH1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A FORWARD -j DROP
# Accept ICMP from LAN
-A IN_ETH0 -p ipv6-icmp -j ACCEPT
# Accept all traffic from LAN
-A IN_ETH0 -j ACCEPT
# Accept ICMP from outside
-A IN_ETH1 -p ipv6-icmp -j ACCEPT
-A IN_PPP0 -p ipv6-icmp -j ACCEPT
# Drop rest
#-A INPUT -j DROP
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
Archive administrator: postmaster@marples.name
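
An added example, not part of the original post: a small Python audit of the *filter table quoted above, reporting built-in chains that fall through to an ACCEPT policy and user chains that no rule ever jumps to (so their rules are never evaluated). The function name `audit` is hypothetical, and the sample is constructed from the active lines of the posted ruleset.

```python
# Constructed sample: the active *filter lines of the ruleset quoted in the post.
RULESET = """\
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FWD_ETH0 - [0:0]
:FWD_ETH1 - [0:0]
:FWD_PPP0 - [0:0]
:IN_ETH0 - [0:0]
:IN_ETH1 - [0:0]
:IN_PPP0 - [0:0]
:LOG_DROP - [0:0]
-A INPUT -i eth0 -j IN_ETH0
-A INPUT -i eth1 -j IN_ETH1
-A INPUT -i ppp0 -j IN_PPP0
#-A INPUT -j DROP
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FWD_ETH0 -j ACCEPT
-A FWD_ETH1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A FORWARD -j DROP
"""

def audit(ruleset):
    """Return (built-in chains that default to ACCEPT, unreachable user chains)."""
    policy, user, jumps, catch_all = {}, [], {}, set()
    for line in ruleset.splitlines():
        tok = line.split()
        if line.startswith(":"):
            name = tok[0][1:]
            if tok[1] == "-":            # "-" marks a user-defined chain
                user.append(name)
            else:
                policy[name] = tok[1]
        elif line.startswith("-A "):     # lines starting with '#' are ignored
            target = tok[tok.index("-j") + 1] if "-j" in tok else None
            jumps.setdefault(tok[1], set()).add(target)
            # A rule with no match conditions that drops everything left over
            if tok[2:] == ["-j", target] and target in ("DROP", "REJECT"):
                catch_all.add(tok[1])
    open_chains = [c for c, p in policy.items() if p == "ACCEPT" and c not in catch_all]
    reached, todo = set(), list(policy)  # walk jumps starting at the built-ins
    while todo:
        for t in jumps.get(todo.pop(), ()):
            if t in user and t not in reached:
                reached.add(t)
                todo.append(t)
    return open_chains, [c for c in user if c not in reached]

if __name__ == "__main__":
    print(audit(RULESET))
```

On the posted ruleset this reports FORWARD as open and the FWD_* chains as unreachable, so the RELATED,ESTABLISHED restriction in FWD_ETH1 is never applied to forwarded traffic.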