Default gateway on different net
Lasse Brandt
I have a server in location that provides ipv6 (not sure the ipv6 part is important, but thats how I stumbled upon this). First a bit of information about the server:
FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:36:49 UTC 2010
1 NIC with ipv4 and v6 addresses.
I got an ipv6 subnet (/64) from the hosting provider but the default gateway is not in the same subnet. The recommendation from the provider is simple: Create a static route, that routes all traffic to the subnet with the gateway to the interface. Then create default gateway.
What I have done is this:
ipv6_enable="YES"
ipv6_static_routes="defgw"
ipv6_route_defgw="2a01:xxxx:xxxx:3180::1 -prefixlen 59 -iface re0"
ipv6_defaultrouter="2a01:xxxx:xxxx:3180::1"
ipv6_ifconfig_re0="2a01:xxxx:xxxx:3183::2 prefixlen 64"
( Notice the slight difference in the ip on the nick :3183: and the gateway :3180: )
If I reboot the machine, the following happens:
*) The nic re0 got the ip: 2a01:xxxx:xxxx:3183::2 - ifconfig:
inet6 2a01:xxxx:xxxx:3183::2 prefixlen 64
*) The static route is in the routing table:
2a01:xxxx:xxxx:3180::/59 6c:62:6d:0d:9b:e8 US re0
*) But there is no default route :(
I then stumbled upon line 1057 in /etc/network.subr:
ipv6_static_routes="default ${ipv6_static_routes}"
If I understand this correctly, the ipv6_defaultrouter is simply added in the static_route configuration (which is added later).
But I also recall that I cannot create a default route to an ip not in my subnet, if the static route is missing. And the above code place the default route as the very first.
If I move default to the "last" position:
ipv6_static_routes="${ipv6_static_routes} default"
And reboots, the routing table shows my static route and the default route just fine:
Internet6:
Destination Gateway Flags Netif Expire
default 2a01:xxxx:xxxx:3180::1 UGS re0
2a01:xxxx:xxxx:3180::/59 6c:62:6d:0d:9b:e8 US re0
But! I still can't get any ipv6 packets out of the server. Trying to ping6 the gateway (or anything else outside) simply returns a: ping6: sendmsg: Operation not permitted
I have tried tcpdumping ipv6 packets on re0, but absolutely nothing is showing up when either ping6 or telnet to something outside on an ipv6 address (firewall is disabled btw). If I tcpdump while ping6 from outside to 2a01:xxxx:xxxx:3183::2, ipv6 packets is showing just fine.
If you are still reading this email, thanks :)
Now to the actual questions:
1) Is the hosting provider actually forcing me to do something "bad" og plain wrong?
2) Should the default route really be the last route to be added in /etc/network.subr:1057? (not sure if there is a reason to why its first - but I feel guilty messing with that file directly :) )
3) Am I setting this up in a completely wrong way?
( At this point it feels like "everything is right, but I miss _that_ fundamental option/config somewhere )
Any hint, tips or trick is highly appreciated.
Best regards,
Lasse Brandt_______________________________________________
freeb...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net...@freebsd.org"
Lasse Brandt
Just wanted to update on the problem, in case someone stumbles upon this in the archives - original mail:
http://lists.freebsd.org/pipermail/freebsd-net/2010-September/026481.html
On 21. Sep 2010, at 12:37 , Lasse Brandt wrote:
> 2) Should the default route really be the last route to be added in /etc/network.subr:1057? (not sure if there is a reason to why its first - but I feel guilty messing with that file directly :) )
I am still wondering about this. I found another post in the archives going way back that asks the same question, but no really answer. In my case it's important that the static routes are created before the default route.
Anyone know if there is a reason for the default to be first?
> 3) Am I setting this up in a completely wrong way?
> ( At this point it feels like "everything is right, but I miss _that_ fundamental option/config somewhere )
Well, I was, after creating my static and default route, the only missing part was: ndp -I re0
There is a more in-depth explanation on the matter here:
http://social.bitmand.com/post/1168584251/hetzner-freebsd-and-ipv6
Best regards,
Lasse Brandt
Hiroki Sato
in <6BE964C4-0838-4DA6...@bitmand.com>:
la> 1) Is the hosting provider actually forcing me to do something "bad"
la> og plain wrong?
In that situation normally you get an IP address in the /59 network
to communicate with the gateway router from ISP. An IP address in
your /64 network cannot directly communicate with an address in /59.
If you do not have the /59 address, I think using link-local address
is the easiest way. As long as the gateway works correctly, you can
get its link-local address by using the following command:
% ping6 ff02::2%re0
PING6(56=40+8+8 bytes) fe80::XXXX:XXXX:XXXX:XXXX%re0 --> ff02::2%re0
16 bytes from fe80::YYYY:YYYY:YYYY:YYYY%re0, icmp_seq=0 hlim=64 time=0.525 ms
16 bytes from fe80::YYYY:YYYY:YYYY:YYYY%re0, icmp_seq=1 hlim=64 time=0.312 ms
^C
Note that "XXXX:.." is your address on re0, and "YYYY:.." is the
gateway's. You do not need any configuration like assigning
2a01:... address into re0 or static routes before performing this
ping. At least one router replies to this and displays its link-local
address.
After that, you can add the default route to it:
# route add -inet6 default fe80::YYYY:YYYY:YYYY:YYYY%re0
and configure your /64 address (2a01:...) to re0.
-- Hiroki
bz=l...@zabbadoz.net
The drawback with that is if the hosting provider changes the interface
of your gateway, moves you to a different router, ... your default route
stops working.
Imho you do not get an address out of the /59 and to my memory the
usually offered linux doesn't really care and even in the IPv4 happily
arped for gateways on unconnected subnets happily, so I would assume
it's probably the same for nd6 with that?
What they usually do is to give you a pvlan (a private, per customer,
vlan) so you could pick any address of the /59, which may or may not
include your /64. As you do not want to put the /59 on-link though
you may use the /64 or a /126 which includes the address of the router.
The obvious drawback with that is that you have to make sure that the
address isn't used with source address seclection to not run into
troubles as it wouldn't be reachable from outside but only used for
the kernel to properly find the on-link gateway.
I guess the link-local one and risking a "service interruption" in
case of router (interface) changes might be the most elegant one.
One could even use a simple script that would update things
automatically if needed.
/bz
PS: there is a private email in flight as well, as we know someone who
has a working FreeBSD IPv6 setup at that hosting company.
--
Bjoern A. Zeeb Welcome a new stage of life.
Lasse Brandt
Thanks for the replies :)
On 23/09/2010, at 18.15, bz=li...@zabbadoz.net wrote:
> On Fri, 24 Sep 2010, Hiroki Sato wrote:
>> la> 1) Is the hosting provider actually forcing me to do something "bad"
>> la> og plain wrong?
>>
>> In that situation normally you get an IP address in the /59 network
>> to communicate with the gateway router from ISP. An IP address in
>> your /64 network cannot directly communicate with an address in /59.
But I don't get that. I actually asked the hosting provider about this, and they told me specific not to use an ip on the /59 subnet. (I can tell you that it worked, I tried :))
>> If you do not have the /59 address, I think using link-local address
>> is the easiest way. As long as the gateway works correctly, you can
>> get its link-local address by using the following command:
>
> The drawback with that is if the hosting provider changes the interface
> of your gateway, moves you to a different router, ... your default route
> stops working.
Let me just snippet the current (and working) configuration - this is what I got from the hosting provider:
IPs: 2a01:xxxx:xxxx:3183:: /64
Gateway: 2a01:xxxx:xxxx:3180::1 /59
And this is my rc.conf:
ipv6_enable=”YES”
ipv6_static_routes=”defgw”
ipv6_route_defgw=”2a01:xxxx:xxxx:3180:: -prefixlen 59 -iface re0”
ipv6_defaultrouter=”2a01:xxxx:xxxx:3180::1”
ipv6_default_interface=”re0”
There is 2 "issues" at the moment. The first is that the static route and defaultrouter alone will not work - the packets will still not end up at the interface re0. The additional ipv6_default_interface=”re0” will actually do this:
ndp -I re0
And thats the key (in my case) - after specifying the default interface, it works.
But, I still don't think this is very elegant - first of, I need to accept route advertisements in sysctl.conf with: net.inet6.ip6.accept_rtadv=1 - not even sure why, but that check is made in /etc/network.subr.
Secondly, and I am still unsure if this a feature or bug in FreeBSD, but as I mentioned in an earlier post, the defaultrouter is beeing set before the static routes - and that won't work either ( check /etc/network.subr line 1057 - i simply moved default to the end ).
Best regards,
Lasse Brandt_______________________________________________
Lars Eggert
> IPs: 2a01:xxxx:xxxx:3183:: /64
> Gateway: 2a01:xxxx:xxxx:3180::1 /59
>
> And this is my rc.conf:
>
> ipv6_enable=”YES”
> ipv6_static_routes=”defgw”
> ipv6_route_defgw=”2a01:xxxx:xxxx:3180:: -prefixlen 59 -iface re0”
> ipv6_defaultrouter=”2a01:xxxx:xxxx:3180::1”
> ipv6_default_interface=”re0”
This seems very complex. Have you simply tried:
ipv6_defaultrouter="2a01:xxxx:xxxx:3180::1"
ipv6_ifconfig_re0="2a01:xxxx:xxxx:3183::1 prefixlen 64"
Lars
Lasse Brandt
On 24. Sep 2010, at 12:56 , Lars Eggert wrote:
> This seems very complex. Have you simply tried:
>
> ipv6_defaultrouter="2a01:xxxx:xxxx:3180::1"
> ipv6_ifconfig_re0="2a01:xxxx:xxxx:3183::1 prefixlen 64"
Yes - but you can't add a defaultroute to an ip not on the same subnet.
If I had ie. 2a01:xxxx:xxxx:3180::2 on my interface re0, it would work (I tried) - but the hosting provided wasn't very happy with me just picking a $random ip from their subnet ;)