Re: IPv6 Woes...



On Jun 26, 2007, at 4:32 PM, Bruce A. Mah wrote:

If memory serves me right, Eric F Crist wrote:
Hi Eric--

First note that I'm a different Bruce than the chap who's been helping
thus far. :-)

BTW, use "ndp -a" to see this.

Your setup is not *too* different from what I have at home in terms of
network topology and what you hope to accomplish. (I have a Soekris
net4801 running 6.2-STABLE and acting as a filtering bridge between an IPv4
/29 and the rest of the Internet, and also terminating a gif(4) tunnel
for IPv6.)

This is so that I don't have to do routing on my firewall. I have an
IPv4 /28 network, so a limited number of IP addresses, this saves one
of those. This system is filtering traffic with PF. That's really
the only reason for the bridging. Also, it does allow me to do
traffic shaping and bandwidth monitoring. This bridging stuff
really, as you said, has nothing to do with my IPv6 configuration
issues.

I think the biggest difference between your network and mine is that
rather than using options BRIDGE I'm using the if_bridge(4) driver
between my "inside" and "outside" network interfaces. The physical
interfaces in the bridge are unnumbered and the if_bridge
pseudo-interface has IPv4 and IPv6 addresses.

The main reason for doing this is that I've seen that bridge(4) can have
difficulty determining the correct physical interface to use for packets
that originate on the bridging host. I recall having this problem with
pfnat. (I don't remember the exact details, but I did some postings to
the m0n0wall mailing lists on this topic some time ago...your favorite
search engine can probably help find these messages.)

I wonder if the problem I've seen with bridge(4) might be related to
your IPv6 problems (since you're terminating the tunnel on your
firewall). If so, maybe switching to if_bridge(4) as I've described
above might help things.

In any case, good luck!

Bruce! Thanks for all the help! That did the trick! Only one more thing that's holding me up.

On my gateway, I've got 2001:4980:1:111::145/64 as the primary IP address. In addition, I've got 2001:4980:1:111::1/128 as an alias. I can ping/connect to the xxx:145 address, but not the xxx:1 address. What did I configure wrong? Here's the output of netstat -r -f inet6:

Routing tables

Internet6:
Destination                    Gateway                        Flags Refs  Use    Mtu Netif Expire
::                             localhost.secure-computing.net UGRS     0    0  16384 lo0 =>
default                        2001:4980:1::5                 UGS      0    0   1280 gif0
localhost.secure-computing.net localhost.secure-computing.net UHL      5    0  16384 lo0
::ffff:0.0.0.0                 localhost.secure-computing.net UGRS     0    0  16384 lo0
2001:4980:1::4                 link#7                         UC       0    0   1280 gif0
2001:4980:1::5                 link#7                         UHLW     2    4   1280 gif0
2001:4980:1::6                 link#7                         UHL      1    4   1280 lo0
2001:4980:1:111::              link#1                         UC       0    1   1500 fxp0
2001:4980:1:111::1             00:06:5b:05:30:19              UHL      1    4   1500 lo0
2001:4980:1:111::145           00:06:5b:05:30:19              UHL      2    4   1500 lo0
2001:4980:1:111::147           00:06:5b:38:2e:82              UHLW     1   14   1500 fxp0
fe80::                         localhost.secure-computing.net UGRS     0    0  16384 lo0
fe80::%fxp0                    link#1                         UC       0    0   1500 fxp0
fe80::206:5bff:fe05:3019%fxp0  00:06:5b:05:30:19              UHL      1    0   1500 lo0
fe80::%fxp1                    link#2                         UC       0    0   1500 fxp1
fe80::206:5bff:fe05:301a%fxp1  00:06:5b:05:30:1a              UHL      1    0   1500 lo0
fe80::%lo0                     fe80::1%lo0                    U        0    0  16384 lo0
fe80::1%lo0                    link#3                         UHL      1    0  16384 lo0
fe80::%gif0                    link#7                         UC       0    0   1280 gif0
fe80::206:5bff:fe05:3019%gif0  link#7                         UHL      1    0   1280 lo0
fe80::%tun0                    link#8                         UC       0    0   1500 tun0
fe80::206:5bff:fe05:3019%tun0  link#8                         UHL      1    0   1500 lo0
ff01:1::                       link#1                         UC       0    0   1500 fxp0
ff01:2::                       link#2                         UC       0    0   1500 fxp1
ff01:3::                       localhost.secure-computing.net UC       0    0  16384 lo0
ff01:7::                       link#7                         UC       0    0   1280 gif0
ff01:8::                       link#8                         UC       0    0   1500 tun0
ff02::                         localhost.secure-computing.net UGRS     0    0  16384 lo0
ff02::%fxp0                    link#1                         UC       0    0   1500 fxp0
ff02::%fxp1                    link#2                         UC       0    0   1500 fxp1
ff02::%lo0                     localhost.secure-computing.net UC       0    0  16384 lo0
ff02::%gif0                    link#7                         UC       0    0   1280 gif0
ff02::%tun0                    link#8                         UC       0    0   1500 tun0

Thanks for one last piece of advice!


-----
Eric F Crist
Secure Computing Networks


_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
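
The if_bridge(4) layout described in the quoted message above (unnumbered physical members, IPv4 and IPv6 addresses on the bridge pseudo-interface), sketched as an /etc/rc.conf fragment. This is an added example, not configuration posted by anyone in the thread; fxp0 and fxp1 are the interface names from the routing table above, and the addresses are constructed from documentation prefixes.

```sh
# /etc/rc.conf fragment (constructed example, not from the thread)

# Create the if_bridge(4) pseudo-interface at boot.
cloned_interfaces="bridge0"

# Physical members stay unnumbered: brought up, no addresses assigned.
ifconfig_fxp0="up"
ifconfig_fxp1="up"

# Join both members to the bridge.
ifconfig_bridge0="addm fxp0 addm fxp1 up"

# The host's own addresses live on the bridge, so locally originated
# packets are not tied to one physical port.
# Addresses below are placeholders from 192.0.2.0/24 and 2001:db8::/32.
ifconfig_bridge0_alias0="inet 192.0.2.2 netmask 255.255.255.248"
ipv6_enable="YES"
ipv6_ifconfig_bridge0="2001:db8:0:111::145 prefixlen 64"

# Filtering on the bridge is done by PF, as in the setup discussed above.
pf_enable="YES"
```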


