IPv6 woes: gateway on different subnet

classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

IPv6 woes: gateway on different subnet

Moritz Grimm-2
Hi,


after a couple of days of running into dead ends, I would appreciate
some help.

To summarize: For more than 3 years I'm successfully running OpenBSD
(it's now at OPENBSD_4_9/i386, running GENERIC.MP) at the German hoster
Hetzner as my expensive little plaything. They offer native IPv6 for
some time now, and I want to use it. However, the same methodology used
with IPv4 does not work with IPv6 and I just can't figure out why (it's
supposed to work identically.)


The working IPv4 setup:

Additional network is 78.47.124.160/29, the gateway is 78.46.41.129/27.
In /etc/hostname.re0 is the aliases and the route to the gateway of that
network:

inet alias 78.47.124.161 255.255.255.248 78.47.124.167
[...]
!route add -inet -iface -ifp re0 -net 78.46.41.128 78.46.41.129 -netmask
255.255.255.224

I set the default gateway 78.46.41.129 in the first line of /etc/mygate.
This works:

$ ping -I 78.47.124.161 www.google.com
PING www.l.google.com (74.125.77.147): 56 data bytes
64 bytes from 74.125.77.147: icmp_seq=0 ttl=56 time=16.943 ms
[...]


The IPv6 setup (broken):

The IPv6 network is supposed to be 2a01:4f8:110:4363::/64, the gateway
is 2a01:4f8:110:4360::1/59. So again there's the aliases in
/etc/hostname.re0 ...

[...]
inet6 alias 2a01:4f8:110:4363::42 64
[...]
!route add -inet6 -iface -ifp re0 -net 2a01:4f8:110:4360:: -prefixlen 59
2a01:4f8:110:4360::1

The second line in /etc/mygate sets the IPv6 default gateway
2a01:4f8:110:4360::1. This does not work:

$ ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2a01:4f8:110:4363::42 --> 2a00:1450:8005::68
ping6: sendmsg: No route to host
ping6: wrote ipv6.l.google.com 16 chars, ret=-1


A look at the routing table shows various differences between IPv4 and
IPv6. Again, the working IPv4 entries first:

default           78.46.41.129       UGS   19  6792145      -  8 re0
78.46.41.128/27   link#1             UC    2         0      -  4 re0
78.46.41.128/27   link#1             UCS   0         0      -  8 re0
78.46.41.129      00:26:88:76:21:1b  UHLc  1         0      -  4 re0
78.46.41.142      00:1d:92:39:57:54  UHLc  0         6      -  4 lo0
78.47.124.160/29  link#1             UC    0         0      -  4 re0
78.47.124.161     127.0.0.1          UGHS  0        97  33200  8 lo0

(.142 is the main IP of mrsserver.net)

As can be seen, everything resolves nicely ... by comparison, IPv6 looks
fubar'd:

default                 2a01:4f8:110:4360::1  UGS  0  11  -  8 re0
2a01:4f8:110:4360::/59  2a01:4f8:110:4360::1  US   1  0   -  8 re0
2a01:4f8:110:4363::/64  link#1                UC   0  0   -  4 re0
2a01:4f8:110:4363::42   00:1d:92:39:57:54     HL   0  0   -  4 lo0

That's it, nothing else from these networks, and the local host route
for ::42 isn't even (U)p.

ndp -a shows:

Neighbor                      Linklayer Address  Netif Expire    S Flags
2a01:4f8:110:4363::42         0:1d:92:39:57:54     re0 permanent R
fe80::21d:92ff:fe39:5754%re0  0:1d:92:39:57:54     re0 permanent R
fe80::1%lo0                   (incomplete)         lo0 permanent R

I tried to use ndp -I to set the default IPv6 interface to re0, but what
that does is change the behavior of ping6 from EHOSTUNREACH to 100%
packet loss. After doing so, the gateway shows up in ndp:

2a01:4f8:110:4360::1          (incomplete)         re0 permanent I

... and that's as far as I have come. I also tried to solicit router
information after setting net.inet6.ip6.accept_rtadv to 1, but there's
nothing like that on the wire. I have to do manual configuration.

Lastly, the host's pf.conf is family-agnostic in almost all parts (and
the two remaining places have been triple-checked.) It's also creating
state for all outgoing traffic, so it really shouldn't interfere.

What I haven't pursued, yet, is that Hetzner configured my network
wrong. This is hard to believe, though, as getting an IPv6 subnet from
them is 100% automated and a problem would probably affect all their
customers.

I'm stumped. What have I missed? Any and all help is greatly appreciated!


Thanks,

Moritz

Reply | Threaded
Open this post in threaded view
|

Re: IPv6 woes: gateway on different subnet

Moritz Grimm-2
Additional information I forgot previous writeup: at some point in the
current setup, the kernel complains. I have one additional line in my dmesg

nd6_rtrequest: bad gateway value: re0

Googling this didn't steer me in the right direction. It's also the only
error message I'm getting here.


Moritz

Reply | Threaded
Open this post in threaded view
|

Re: IPv6 woes: gateway on different subnet

FRLinux-2
In reply to this post by Moritz Grimm-2
Hello Moritz,

On Sun, Mar 13, 2011 at 11:43 AM, Moritz Grimm <[hidden email]> wrote:
> The IPv6 setup (broken):

Have you tried pinging the local interface first? Does ping ::1 works?
Then does ping fe80:xxx (replace by output of your interface) works?
etc...

> The IPv6 network is supposed to be 2a01:4f8:110:4363::/64, the gateway
> is 2a01:4f8:110:4360::1/59. So again there's the aliases in
> /etc/hostname.re0 ...

Can you ping the gateway?

Also, showing us a full ifconfig might be good.

> inet6 alias 2a01:4f8:110:4363::42 64

How did you assign this? Did they or did you?

> !route add -inet6 -iface -ifp re0 -net 2a01:4f8:110:4360:: -prefixlen 59
> 2a01:4f8:110:4360::1

Same question here, if they are using ra, i  doubt your routing
gateway will actually be 2a01, more likely to be fe80:xxxx

> $ ping6 ipv6.google.com

Start with internal diagnosis first, then worry about reaching the
outside world.

Try this: tracepath6 2a01:4f8:110:4360::1

In my case, the trace reached with a final result of:

2a01:4f8:110:4360::1                                 56.566ms reached
Resume: pmtu 1480 hops 13 back 50

Whereas your assigned IP (2a01:4f8:110:4363::42) did not.

Cheers,
Steph

Reply | Threaded
Open this post in threaded view
|

Re: IPv6 woes: gateway on different subnet

Moritz Grimm-2
Hi,


> Have you tried pinging the local interface first? Does ping ::1 works?
> Then does ping fe80:xxx (replace by output of your interface) works?
> etc...

Ping6ing those two works.

>> The IPv6 network is supposed to be 2a01:4f8:110:4363::/64, the gateway
>> is 2a01:4f8:110:4360::1/59. So again there's the aliases in
>> /etc/hostname.re0 ...
>
> Can you ping the gateway?

Nope. Not from the server, anyway ... I can ping6 it here from home
through my 6in4 tunnel.

> Also, showing us a full ifconfig might be good.

Here you go. The unabridged ifconfig re0 output:

re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1d:92:39:57:54
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 78.46.41.142 netmask 0xffffffe0 broadcast 78.46.41.159
        inet6 fe80::21d:92ff:fe39:5754%re0 prefixlen 64 scopeid 0x1
        inet 78.47.124.161 netmask 0xfffffff8 broadcast 78.47.124.167
        inet 78.47.124.162 netmask 0xfffffff8 broadcast 78.47.124.167
        inet 78.47.124.163 netmask 0xfffffff8 broadcast 78.47.124.167
        inet 78.47.124.164 netmask 0xfffffff8 broadcast 78.47.124.167
        inet 78.47.124.165 netmask 0xfffffff8 broadcast 78.47.124.167
        inet 78.47.124.166 netmask 0xfffffff8 broadcast 78.47.124.167
        inet6 2a01:4f8:110:4363::2 prefixlen 64
        inet6 2a01:4f8:110:4363::3 prefixlen 64
        inet6 2a01:4f8:110:4363::4 prefixlen 64
        inet6 2a01:4f8:110:4363::5 prefixlen 64
        inet6 2a01:4f8:110:4363::6 prefixlen 64
        inet6 2a01:4f8:110:4363::7 prefixlen 64
        inet6 2a01:4f8:110:4363::42 prefixlen 64

>> inet6 alias 2a01:4f8:110:4363::42 64
>
> How did you assign this? Did they or did you?

I did, via ifconfig/hostname.if. All of this requires 100% manual
configuration.

>> !route add -inet6 -iface -ifp re0 -net 2a01:4f8:110:4360:: -prefixlen 59
>> 2a01:4f8:110:4360::1
>
> Same question here, if they are using ra, i  doubt your routing
> gateway will actually be 2a01, more likely to be fe80:xxxx

If by ra you mean rtadv, i.e. router advertisement, they're explicitly
not using/offering it.

> Start with internal diagnosis first, then worry about reaching the
> outside world.

Heh. :) Well, yeah. Purely local IPv6 works, and the sane tunnel setup I
have here at home does, too.

> Try this: tracepath6 2a01:4f8:110:4360::1

Not sure what that is, but traceroute6 has no chance on mrsserver. The
interface-bound route seems to be defunct. Again, works fine through my
home tunnel.

Thanks for looking into this.


Moritz

Reply | Threaded
Open this post in threaded view
|

Re: IPv6 woes: gateway on different subnet

Rod Whitworth-3
In reply to this post by FRLinux-2
On Sun, 13 Mar 2011 13:45:57 +0000, FRLinux wrote:

>Try this: tracepath6 2a01:4f8:110:4360::1

Wrong mailing list.


*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thankyou.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.

Reply | Threaded
Open this post in threaded view
|

Re: IPv6 woes: gateway on different subnet

Todd T. Fries-2
In reply to this post by Moritz Grimm-2
Have you tried ping6 -n ff02::2%re0 ? Does anyone respond?  Try using
the respond(ers) as your IPv6 default gateway.

Link local is best for IPv6 gateways for various reasons, if your upstream
isn't picky (unlike he.net tunnels, for example).

Penned by Moritz Grimm on 20110313  6:43.32, we have:
| Hi,
|
|
| after a couple of days of running into dead ends, I would appreciate
| some help.
|
| To summarize: For more than 3 years I'm successfully running OpenBSD
| (it's now at OPENBSD_4_9/i386, running GENERIC.MP) at the German hoster
| Hetzner as my expensive little plaything. They offer native IPv6 for
| some time now, and I want to use it. However, the same methodology used
| with IPv4 does not work with IPv6 and I just can't figure out why (it's
| supposed to work identically.)
|
|
| The working IPv4 setup:
|
| Additional network is 78.47.124.160/29, the gateway is 78.46.41.129/27.
| In /etc/hostname.re0 is the aliases and the route to the gateway of that
| network:
|
| inet alias 78.47.124.161 255.255.255.248 78.47.124.167
| [...]
| !route add -inet -iface -ifp re0 -net 78.46.41.128 78.46.41.129 -netmask
| 255.255.255.224
|
| I set the default gateway 78.46.41.129 in the first line of /etc/mygate.
| This works:
|
| $ ping -I 78.47.124.161 www.google.com
| PING www.l.google.com (74.125.77.147): 56 data bytes
| 64 bytes from 74.125.77.147: icmp_seq=0 ttl=56 time=16.943 ms
| [...]
|
|
| The IPv6 setup (broken):
|
| The IPv6 network is supposed to be 2a01:4f8:110:4363::/64, the gateway
| is 2a01:4f8:110:4360::1/59. So again there's the aliases in
| /etc/hostname.re0 ...
|
| [...]
| inet6 alias 2a01:4f8:110:4363::42 64
| [...]
| !route add -inet6 -iface -ifp re0 -net 2a01:4f8:110:4360:: -prefixlen 59
| 2a01:4f8:110:4360::1
|
| The second line in /etc/mygate sets the IPv6 default gateway
| 2a01:4f8:110:4360::1. This does not work:
|
| $ ping6 ipv6.google.com
| PING6(56=40+8+8 bytes) 2a01:4f8:110:4363::42 --> 2a00:1450:8005::68
| ping6: sendmsg: No route to host
| ping6: wrote ipv6.l.google.com 16 chars, ret=-1
|
|
| A look at the routing table shows various differences between IPv4 and
| IPv6. Again, the working IPv4 entries first:
|
| default           78.46.41.129       UGS   19  6792145      -  8 re0
| 78.46.41.128/27   link#1             UC    2         0      -  4 re0
| 78.46.41.128/27   link#1             UCS   0         0      -  8 re0
| 78.46.41.129      00:26:88:76:21:1b  UHLc  1         0      -  4 re0
| 78.46.41.142      00:1d:92:39:57:54  UHLc  0         6      -  4 lo0
| 78.47.124.160/29  link#1             UC    0         0      -  4 re0
| 78.47.124.161     127.0.0.1          UGHS  0        97  33200  8 lo0
|
| (.142 is the main IP of mrsserver.net)
|
| As can be seen, everything resolves nicely ... by comparison, IPv6 looks
| fubar'd:
|
| default                 2a01:4f8:110:4360::1  UGS  0  11  -  8 re0
| 2a01:4f8:110:4360::/59  2a01:4f8:110:4360::1  US   1  0   -  8 re0
| 2a01:4f8:110:4363::/64  link#1                UC   0  0   -  4 re0
| 2a01:4f8:110:4363::42   00:1d:92:39:57:54     HL   0  0   -  4 lo0
|
| That's it, nothing else from these networks, and the local host route
| for ::42 isn't even (U)p.
|
| ndp -a shows:
|
| Neighbor                      Linklayer Address  Netif Expire    S Flags
| 2a01:4f8:110:4363::42         0:1d:92:39:57:54     re0 permanent R
| fe80::21d:92ff:fe39:5754%re0  0:1d:92:39:57:54     re0 permanent R
| fe80::1%lo0                   (incomplete)         lo0 permanent R
|
| I tried to use ndp -I to set the default IPv6 interface to re0, but what
| that does is change the behavior of ping6 from EHOSTUNREACH to 100%
| packet loss. After doing so, the gateway shows up in ndp:
|
| 2a01:4f8:110:4360::1          (incomplete)         re0 permanent I
|
| ... and that's as far as I have come. I also tried to solicit router
| information after setting net.inet6.ip6.accept_rtadv to 1, but there's
| nothing like that on the wire. I have to do manual configuration.
|
| Lastly, the host's pf.conf is family-agnostic in almost all parts (and
| the two remaining places have been triple-checked.) It's also creating
| state for all outgoing traffic, so it really shouldn't interfere.
|
| What I haven't pursued, yet, is that Hetzner configured my network
| wrong. This is hard to believe, though, as getting an IPv6 subnet from
| them is 100% automated and a problem would probably affect all their
| customers.
|
| I'm stumped. What have I missed? Any and all help is greatly appreciated!
|
|
| Thanks,
|
| Moritz

--
Todd Fries .. [hidden email]

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| 2525 NW Expy #525, Oklahoma City, OK 73112  \  sip:[hidden email]
| "..in support of free software solutions."  \  sip:[hidden email]
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                 
              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt

Reply | Threaded
Open this post in threaded view
|

Re: IPv6 woes: gateway on different subnet

Moritz Grimm-2
Hi Todd,


> Have you tried ping6 -n ff02::2%re0 ? Does anyone respond?  Try using
> the respond(ers) as your IPv6 default gateway.
>
> Link local is best for IPv6 gateways for various reasons, if your upstream
> isn't picky (unlike he.net tunnels, for example).

Awesome, this almost works! :-)

When doing it like that, I get to replace the inet6 default route with
an fe80::...%re0 address, and to remove the "-inet6 -iface -ifp re0"
route altogether. Afterwards, I have full -- but temporary -- IPv6
connectivity.

This setup does not survive a reboot. It is strange, but only *after*
ping6ing ff02::2%re0 I get to use the responder as a gateway. I assume
this is because until then, it's not in the ndp table. So ... ping6
would have to become part of my networking setup. Huhhh.

This is also completely against upstream's documentation, as these fe80
gateway addresses might be subject to change. I guess, for all intends
and purposes, my upstream is picky and I'm really supposed to use the
public IPs.

Is there a reason why

 # route add -inet6 -iface -ifp re0 -net 2a01:4f8:110:4360:: -prefixlen
59 2a01:4f8:110:4360::1
 # route add -inet6 default 2a01:4f8:110:4360::1

does not work (as opposed to the equivalent in IPv4)?

Thank you, this already was a huge step forward for me.


Moritz

> | The IPv6 network is supposed to be 2a01:4f8:110:4363::/64, the gateway
> | is 2a01:4f8:110:4360::1/59.

Reply | Threaded
Open this post in threaded view
|

Re: IPv6 woes: gateway on different subnet

Gilles Chehade-7
Hi Moritz,

I have a server at hetzner too, after battling for a while I gave up
and resorted to a hack -> setting up your interface to have the same
netmask as the gateway.

Dirty, but works..

Gilles

On Mon, Mar 14, 2011 at 09:07:38AM +0100, Moritz Grimm wrote:

> Hi Todd,
>
>
> > Have you tried ping6 -n ff02::2%re0 ? Does anyone respond?  Try using
> > the respond(ers) as your IPv6 default gateway.
> >
> > Link local is best for IPv6 gateways for various reasons, if your upstream
> > isn't picky (unlike he.net tunnels, for example).
>
> Awesome, this almost works! :-)
>
> When doing it like that, I get to replace the inet6 default route with
> an fe80::...%re0 address, and to remove the "-inet6 -iface -ifp re0"
> route altogether. Afterwards, I have full -- but temporary -- IPv6
> connectivity.
>
> This setup does not survive a reboot. It is strange, but only *after*
> ping6ing ff02::2%re0 I get to use the responder as a gateway. I assume
> this is because until then, it's not in the ndp table. So ... ping6
> would have to become part of my networking setup. Huhhh.
>
> This is also completely against upstream's documentation, as these fe80
> gateway addresses might be subject to change. I guess, for all intends
> and purposes, my upstream is picky and I'm really supposed to use the
> public IPs.
>
> Is there a reason why
>
>  # route add -inet6 -iface -ifp re0 -net 2a01:4f8:110:4360:: -prefixlen
> 59 2a01:4f8:110:4360::1
>  # route add -inet6 default 2a01:4f8:110:4360::1
>
> does not work (as opposed to the equivalent in IPv4)?
>
> Thank you, this already was a huge step forward for me.
>
>
> Moritz
>
> > | The IPv6 network is supposed to be 2a01:4f8:110:4363::/64, the gateway
> > | is 2a01:4f8:110:4360::1/59.
>

--
Gilles Chehade

                   http://www.poolp.org

Reply | Threaded
Open this post in threaded view
|

Re: IPv6 woes: gateway on different subnet

Moritz Grimm-2
Hi Gilles,


> I have a server at hetzner too, after battling for a while I gave up
> and resorted to a hack -> setting up your interface to have the same
> netmask as the gateway.
>
> Dirty, but works..

OK then, good to know that this also works. Thanks. I suppose I'll
resort to that, too, if no proper solution can be found.

Considering that it is said to be working for all those OtherOSs,
including FreeBSD and various Linux spawn, I'm wondering if we have a
bug here.

If someone could confirm that ...

>>  # route add -inet6 -iface -ifp re0 -net 2a01:4f8:110:4360:: -prefixlen
>> 59 2a01:4f8:110:4360::1
>>  # route add -inet6 default 2a01:4f8:110:4360::1

... *should* work, I can confirm that it doesn't, and file a PR if that
helps. At least that way it isn't forgotten.


Moritz

Reply | Threaded
Open this post in threaded view
|

Re: IPv6 woes: gateway on different subnet

Lukas Ratajski-2
Our /etc/hostname.re0 (Hetzner EQ.4):

# HIER ist der Pudel begraben ;-) You need a local IP in the subnet
# of the gateway.

inet6 alias 2a01:4f8:120:70c0::2 59

# IPs in the assigned subnet follow:

inet6 alias 2a01:4f8:120:70c1::1 64
inet6 alias 2a01:4f8:120:70c1::2 64
# ...

# Since the gateway is reachable now, we specify the default route.
!route add -inet6 default 2a01:4f8:120:70c0::1

# ???
# PROFIT!!

Mit freundlichen Gruessen
Lukas Ratajski

--

--- Anbieterkennzeichnung ----------------------------

HSL GmbH

Gildenweg2
50354 Huerth

Geschaeftsfuehrer: Thomas Goetten
Sitz der Gesellschaft: Huerth

UstID: DE 2469 3695 3, Steuernr.: 224/5808/2105
Handelsregister: Amtsgericht Koeln HRB 61070

--- Kundenkontakt ------------------------------------

Web : www.h-s-l.de
E-Mail : [hidden email]
Telefon : (02233) 80804-00
Fax : (02233) 80804-10
Mobil : (0173) 1882880

Reply | Threaded
Open this post in threaded view
|

Re: IPv6 woes: gateway on different subnet

Moritz Grimm-2
Hi Lukas,


> # HIER ist der Pudel begraben ;-) You need a local IP in the subnet
> # of the gateway.
>
> inet6 alias 2a01:4f8:120:70c0::2 59

Gilles' solution of using (in your case)

inet6 alias 2a01:4f8:120:70c1::1 59
instead of
inet6 alias 2a01:4f8:120:70c1::1 64

has less potential for mayhem and does not require you to use an IP from
a range that does not belong to you. ;)

It's enough to use the 59 prefixlen on only one of the v6 aliases.

I'll be using this "solution", too, until the dedicated route to the
gateway works.

> # ...

> # Since the gateway is reachable now, we specify the default route.
> !route add -inet6 default 2a01:4f8:120:70c0::1

FYI, /etc/mygate can handle the 2nd default route for IPv6 just fine.


Moritz