Re: adding ipv6 and pppoe to my firewall


Re: adding ipv6 and pppoe to my firewall

shadrock uhuru
Hi Stuart
thanks for the reply

On 7/12/19 1:20 PM, [hidden email] wrote:
>> hypothetical ipv4 Address and ipv6 prefix from zen:
>> ND Prefix: aaaa:bbbb:cccc:dddd::/64
>> PD Prefix: 1111:2222:3333::/48
>> IPv4 Address:     12.34.56.78 (Subnet mask 255.255.255.255)
---------------------------------------------------------------------------
>>     fw1 em0: 192.168.2.2 (lan)
>>     fw1 em1: 12.34.56.78 (wan)
I have taken carp out of the configuration, which leaves me with:

/etc/hostname.em0
mtu 1508
inet 192.168.2.2 255.255.255.0 NONE

/etc/hostname.em1
mtu 1508
inet 12.34.56.78 255.255.255.255 NONE
inet6 autoconf -autoconfprivacy -soii

/etc/hostname.pppoe
mtu 1500
inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev em1 authproto chap
authname "XXX@isp" authkey "XXX" up
dest 0.0.0.1
inet6 eui64
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0 -priority 8

/etc/rad.conf
interface em0

dhcpcd to be added

> If you need DHCPv6-PD then don't hardcode the addresses on the
> inside interfaces, just let PD fetch them. (For the UK ISPs I'm most familiar with, zen seems to need PD otherwise
> they don't route the block to me, at least in the config they've got
> on my user account.)
By inside interfaces do you mean the lan facing nic on the firewall and
any tun interfaces?
I am on zen also and will have a look at dhcpcd.
> question 5
>>> do i need to put -autoconfprivacy -soii in the nics or should i remove it.
> Don't use autoconf on interfaces where you run rad(8), that is like
> running dhclient and dhcpd on the same interface.
>
So remove autoconf from em0?

Should I be using the mtu option in rad.conf to ensure that all nodes on
a link use the same MTU value, i.e. 1508?

Could you send examples of the following files to compare with mine for
any misconfigurations on my side, please?
wan hostname file
lan hostname file
pppoe hostname file
rad.conf
dhcpcd.conf

thanks
shadrock


Re: adding ipv6 and pppoe to my firewall

Stuart Henderson
On 2019-07-20, shadrock uhuru <[hidden email]> wrote:

> Hi Stuart
> thanks for the reply
>
> On 7/12/19 1:20 PM, [hidden email] wrote:
>>> hypothetical ipv4 Address and ipv6 prefix from zen:
>>> ND Prefix: aaaa:bbbb:cccc:dddd::/64
>>> PD Prefix: 1111:2222:3333::/48
>>> IPv4 Address:     12.34.56.78 (Subnet mask 255.255.255.255)
> ---------------------------------------------------------------------------
>>>     fw1 em0: 192.168.2.2 (lan)
>>>     fw1 em1: 12.34.56.78 (wan)
> i have taken carp out of the configuration which leaves me with:
>
> /etc/hostname.em0
> mtu 1508
> inet 192.168.2.2 255.255.255.0 NONE
>
> /etc/hostname.em1
> mtu 1508
> inet 12.34.56.78 255.255.255.255 NONE
> inet6 autoconf -autoconfprivacy -soii
>
> /etc/hostname.pppoe
> mtu 1500
> inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev em1 authproto chap
> authname "XXX@isp" authkey "XXX" up
> dest 0.0.0.1
> inet6 eui64
> !/sbin/route add default -ifp pppoe0 0.0.0.1
> !/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0 -priority 8
>
> /etc/rad.conf
> interface em0
>
> dhcpcd to be added
>
>> If you need DHCPv6-PD then don't hardcode the addresses on the
>> inside interfaces, just let PD fetch them. (For the UK ISPs I'm most familiar with, zen seems to need PD otherwise
>> they don't route the block to me, at least in the config they've got
>> on my user account
> by inside interfaces do you mean the lan facing nic on the firewall and
> any tun interfaces ?

Yes, any lan facing nics. tun depends on what you are doing with them;
I haven't used that for ages.

> i am on zen also and will have a look at dhcpcd
>> question 5
>>>> do i need to put -autoconfprivacy -soii  in the nics or should i remove it.
>> Don't use autoconf on interfaces where you run rad(8), that is like
>> running dhclient and dhcpd on the same interface.
>>
> so remove autoconf from em0 ?

Yes.

> should i be using the mtu option in rad.conf to ensure that all nodes on
> a link use the same MTU value i.e. 1508 ?

No - the only place MTU should be set to 1508 is the "pppoedev" (parent
interface) for the pppoe connection, in your case em1.

> could you send examples of the following files to compare with mine for
> any misconfigurations on my side please.
> wan hostname file

pppoe is the "wan" interface. I guess you mean the pppoedev interface, em1 in my case:

mtu 1508
up

> lan hostname file

Showing those will just add complication as I have multiple subnets
and they're all on vlans. Typically just "inet XX.XX.XX.XX/YY" in those,
no IPv6 setup.

> pppoe hostname file

mtu 1500
group zen
inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev em1 authproto chap authname "zenXXXXXX@zen" authkey "XXXXXXXXXXX" up
inet6 eui64
inet6 autoconf -autoconfprivacy
!/sbin/route add default -ifp pppoe1 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe1 fe80::%pppoe1 -priority 8

> rad.conf

just "interface" lines listing all the "lan" interfaces, e.g.

interface vlan2
interface vlan3
[...]

> dhcpcd.conf

the below tells it to fetch a handful of subnets from the ISP; one for
vlan2, one for vlan3, one for vlan4, etc. if you only have one "lan" /
"inside" interface then you would just list that instead of the
multiple vlan interfaces.

=====
ipv6only
noipv6rs
duid
persistent
option rapid_commit
require dhcp_server_identifier
slaac private
nohook resolv.conf, lookup-hostname
allowinterfaces pppoe1 vlan2 vlan3 vlan4 vlan5
script ""

interface pppoe1
  ia_na 1
  ia_pd 2 vlan2/1 vlan3/2 vlan4/3 vlan5/4
=====
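A small check, added here as an example and not anything posted in the thread, that applies the two rules from Stuart's reply (mtu 1508 only on the pppoedev, and no inet6 autoconf on an interface rad(8) serves) to a constructed set of hostname.if files modelled on shadrock's config; the file names, the em0/em1 roles and the sample contents are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: lint OpenBSD hostname.if(5) files
# plus rad.conf against the two rules in Stuart's reply above.
#   Rule 1: "mtu 1508" belongs only on the pppoedev (parent) interface.
#   Rule 2: no "inet6 autoconf" on an interface that rad(8) advertises on.
# File names and contents are constructed to mirror shadrock's posted config.

# lint_ifconfig DIR PPPOEDEV: print one finding per line; exit 0 only if clean.
lint_ifconfig() {
    dir=$1; pppoedev=$2; findings=0
    # interfaces rad(8) serves, taken from "interface X" lines in rad.conf
    rad_ifs=$(awk '$1 == "interface" { print $2 }' "$dir/rad.conf" 2>/dev/null)
    for f in "$dir"/hostname.*; do
        ifname=${f##*/hostname.}
        # Rule 1: the 1508 MTU is for the PPPoE parent link only
        if grep -qx 'mtu 1508' "$f" && [ "$ifname" != "$pppoedev" ]; then
            echo "$ifname: mtu 1508 set, but the pppoedev is $pppoedev"
            findings=$((findings + 1))
        fi
        # Rule 2: autoconf and rad on one link is like dhclient plus dhcpd
        for r in $rad_ifs; do
            if [ "$r" = "$ifname" ] && grep -q '^inet6 autoconf' "$f"; then
                echo "$ifname: inet6 autoconf on an interface listed in rad.conf"
                findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -eq 0 ]
}

# make_sample DIR: write a constructed config set (em1 is the pppoedev).
make_sample() {
    mkdir -p "$1"
    printf 'mtu 1508\ninet 192.168.2.2 255.255.255.0 NONE\ninet6 autoconf -autoconfprivacy -soii\n' \
        > "$1/hostname.em0"
    printf 'mtu 1508\nup\n' > "$1/hostname.em1"
    printf 'mtu 1500\ninet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev em1 authproto chap up\ninet6 eui64\n' \
        > "$1/hostname.pppoe0"
    printf 'interface em0\n' > "$1/rad.conf"
}

sample=$(mktemp -d)
make_sample "$sample"
lint_ifconfig "$sample" em1 || echo "fix the findings above before running netstart"
rm -r "$sample"
```

Point it at /etc with the real pppoedev name to check a live box; with the sample above it reports two findings, both on em0.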