Re: can't route traffic from lan out via the aiccu connection

From: nothingness
Date: Tuesday, January 4, 2011 - 7:28 am

Hi all,

  I've been trying for a few days to get my ipv6 tunnel to work from my
lan. I've got a sixxs.net tunnel with a /48 assigned for my lan. I can
connect from the router to irc networks over ipv6 but I'm unable to run
traffic out via the gif0 for anything originating from the lan. I can
also connect to the router over ipv6 for ssh stuff for ex. I'm
completely out of ideas on what to do to get this to work, hope someone
will have a suggestion. Here's my pf.conf (I'm running openbsd 4.8 with
a generic kernel, patched to latest release):

ext_if="bge0"

ipv6_if="gif0"
ipv6_ip="2001:1620:f00:56::2"
ipv6_gw="2001:1620:f00:56::1"
ipv6_lan="2001:1620:f2e1::/64"
ipv6_lan2="2001:1620:f2e3::/64"

int_if="dc0"
vpn1_if="tun1"
vpn2_if="tun2"
vpn3_if="tun3"
tcp_services="{ 179, 2027:2037, 5002, 7777, 8296, 46411 }"
udp_services="{ 1194, 5003, 5501, 7777, 30000, 46411 }"
icmp_types="echoreq"
ssh_ports="{ ssh , 1194 }"
im_ports="{ icq, msn, ircd, ircd-ssl }"

table <ssh-violations> persist file "/etc/ssh-violations"
table <spamd-white> persist
set block-policy drop
set loginterface $ipv6_if
set skip on lo
set state-policy if-bound

match out on $ext_if inet from !($ext_if) nat-to ($ext_if)

match in on $int_if proto tcp to ($int_if) port ftp rdr-to 127.0.0.1
port 8021
match in on $int_if proto tcp to ($int_if) port http rdr-to 127.0.0.1
port 3128
match in on $ext_if proto tcp to ($ext_if) port smtp rdr-to 127.0.0.1
port spamd
block in log
pass out keep state

block drop in log on $ext_if from <ssh-violations> to any
block drop in log on $ipv6_if from <ssh-violations> to any

#try ipv6 routing
pass quick on $ipv6_if proto {ipencap, ipv6}
pass quick on $ext_if proto {ipencap, ipv6}
pass quick on $ext_if inet6
pass quick on $ipv6_if inet6

pass in on $ext_if proto udp from any to any port 1194
pass in inet proto icmp all icmp-type $icmp_types keep state
pass proto 41 from any to any keep state
pass quick on $int_if no state
pass quick on $vpn1_if no state
pass ...
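To see which of the posted rules decides each hop of a LAN host's IPv6 flow, here is a small model of pf's evaluation order (the last matching rule wins unless it carries quick) run over the inet6-relevant rules of the pf.conf above. This is an added example, not the poster's script: it ignores state tracking, protocols and ports, and the remote address and the contents of <ssh-violations> are constructed.

```python
"""Model of pf's rule evaluation order (last matching rule wins unless it
carries 'quick'), applied to the inet6-relevant rules of the pf.conf posted
above. Added example; state lookup, protocols and ports are not modelled."""
from ipaddress import ip_address, ip_network

# Constructed stand-in for the contents of the <ssh-violations> table.
SSH_VIOLATIONS = [ip_network("2001:db8:bad::/64")]

# (action, direction or None, interface or None, quick, source table or None),
# in the order the rules appear in the posted ruleset.
RULES = [
    ("block", "in",  None,   False, None),            # block in log
    ("pass",  "out", None,   False, None),            # pass out keep state
    ("block", "in",  "bge0", False, SSH_VIOLATIONS),  # block drop in log on $ext_if from <ssh-violations>
    ("block", "in",  "gif0", False, SSH_VIOLATIONS),  # block drop in log on $ipv6_if from <ssh-violations>
    ("pass",  None,  "bge0", True,  None),            # pass quick on $ext_if inet6
    ("pass",  None,  "gif0", True,  None),            # pass quick on $ipv6_if inet6
    ("pass",  None,  "dc0",  True,  None),            # pass quick on $int_if no state
]

def evaluate(direction, iface, src):
    """Return (final action, index of the rule that decided) for one IPv6
    packet at one hop. pf's default when no rule matches is pass."""
    src = ip_address(src)
    decision = ("pass", None)
    for i, (action, rdir, riface, quick, table) in enumerate(RULES):
        if rdir not in (None, direction) or riface not in (None, iface):
            continue
        if table is not None and not any(src in net for net in table):
            continue
        decision = (action, i)     # last match so far wins ...
        if quick:
            break                  # ... unless it is quick, which ends evaluation
    return decision

def trace_lan_flow(lan_host, remote):
    """Follow a LAN host's outbound flow and its reply through the four
    hops the router sees: in dc0, out gif0, reply in gif0, reply out dc0."""
    hops = [("in", "dc0", lan_host), ("out", "gif0", lan_host),
            ("in", "gif0", remote), ("out", "dc0", remote)]
    return [(d, i, evaluate(d, i, s)) for d, i, s in hops]

if __name__ == "__main__":
    for d, i, (action, idx) in trace_lan_flow("2001:1620:f2e1::10", "2001:db8::1"):
        print(f"{d:3} on {i}: {action} (rule {idx})")
    # A source listed in <ssh-violations> still passes in on gif0: rule 3 matches,
    # but rule 5 matches later and is quick, so the block never takes effect.
    print(evaluate("in", "gif0", "2001:db8:bad::1"))   # ('pass', 5)
```

Every hop of the LAN flow is decided by one of the quick pass rules, so the ruleset itself lets the traffic through; the trace also shows that the non-quick <ssh-violations> block rules on bge0 and gif0 are overridden for IPv6 by the quick inet6 pass rules that follow them, and would need quick themselves to take effect.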
From: nothingness
Date: Tuesday, January 4, 2011 - 9:30 am

My int_if is configured via hostname.dc0 with an inet6 entry. The lan
gets its addresses from rtadvd running on dc0 and tun1:

bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:9d:9b:70:d2
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::20d:9dff:fe9b:70d2%bge0 prefixlen 64 scopeid 0x1
        inet 85.218.10.62 netmask 0xffffff00 broadcast 85.218.10.255
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:80:ad:75:17:60
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.50.1 netmask 0xffffff00 broadcast 192.168.50.255
        inet6 fe80::280:adff:fe75:1760%dc0 prefixlen 64 scopeid 0x2
        inet6 2001:1620:f2e1::1 prefixlen 64
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        priority: 0
        groups: gif egress
        physical address inet 85.218.10.62 --> 213.144.148.74
        inet6 fe80::20d:9dff:fe9b:70d2%gif0 ->  prefixlen 64 scopeid 0x7
        inet6 2001:1620:f00:56::2 -> 2001:1620:f00:56::1 prefixlen 128



From: Paul de Weerd
Date: Tuesday, January 4, 2011 - 9:42 am

What does `sysctl net.inet6.ip6.forwarding` say? It should be set to
1...

Cheers,

Paul 'WEiRD' de Weerd

From: nothingness
Date: Tuesday, January 4, 2011 - 9:49 am

here you go:

# sysctl -a | grep ip6
kern.malloc.kmemnames=free,,devbuf,debug,pcb,routetbl,,fragtbl,,ifaddr,soopts,sysctl,,,ioctlops,,,,,iov,mount,,NFS_req,NFS_mount,,vnodes,namecache,UFS_quota,UFS_mount,shm,VM_map,sem,dirhash,ACPI,VM_pmap,,,,file,file_desc,,proc,subproc,VFS_cluster,,,MFS_node,,,Export_Host,NFS_srvsock,,NFS_daemon,ip_moptions,in_multi,ether_multi,mrt,ISOFS_mount,ISOFS_node,MSDOSFS_mount,MSDOSFS_fat,MSDOSFS_node,ttys,exec,miscfs_mount,,,,,,,,,,pfkey_data,tdb,xform_data,,pagedep,inodedep,newblk,,,indirdep,,,,,,,,,VM_swap,,,,,RAIDframe_data,UVM_amap,UVM_aobj,,USB,USB_device,USB_HC,,memdesc,,,crypto_data,,IPsec_creds,packet_tags,,,emuldata,,,,,,,,,ip6_options,NDP,,,temp,NTFS_mount,NTFS_node,NTFS_fnode,NTFS_dir,NTFS_hash_tables,NTFS_file_attr,NTFS_resident_data_,NTFS_decomp,NTFS_vrun,kqueue,bluetooth,bwmeter,UDF_mount,UDF_file_entry,UDF_file_id,Bluetooth_HID,AGP_Memory,DRM
kern.malloc.kmemstat.ip6_options=(inuse = 2, calls = 27794, memuse = 1K,
limblocks = 0, mapblocks = 0, maxused = 6K, limit = 39322K, spare = 0,
sizes = (32,128))
net.inet6.ip6.forwarding=1
net.inet6.ip6.redirect=1
net.inet6.ip6.hlim=64
net.inet6.ip6.mrtproto=103
net.inet6.ip6.maxfragpackets=200
net.inet6.ip6.accept_rtadv=0
net.inet6.ip6.keepfaith=0
net.inet6.ip6.log_interval=5
net.inet6.ip6.hdrnestlimit=10
net.inet6.ip6.dad_count=1
net.inet6.ip6.auto_flowlabel=1
net.inet6.ip6.defmcasthlim=1
net.inet6.ip6.kame_version=OpenBSD-current
net.inet6.ip6.use_deprecated=1
net.inet6.ip6.rr_prune=5
net.inet6.ip6.v6only=1
net.inet6.ip6.maxfrags=200
net.inet6.ip6.mforwarding=1
net.inet6.ip6.multipath=0
net.inet6.ip6.multicast_mtudisc=0
net.inet6.ip6.neighborgcthresh=2048
net.inet6.ip6.maxifprefixes=16
net.inet6.ip6.maxifdefrouters=16
net.inet6.ip6.maxdynroutes=4096
net.inet6.ip6.dad_pending=0