Debian/ip6tables ipv6 forwarding
Shadow Hawkins on Saturday, 07 January 2012 18:11:27
I've scoured the web but appear to be missing a key piece of the puzzle. I have ipv6 running on my Debian Linux box through an SixXS ipv6 tunnel successfully. The next step is to enable ipv6 inside of my home network. To do this, I am attempting to use ip6tables to forward the traffic. All of the documentation I saw says this should work based upon my current configuration. The Debian box can ping both internal/external ipv6 addresses. Internal boxes can ping the Debian eth1 interface and internal hosts, but not external.
For this example the ip6tables firewall is wide open - I cleared out all the rulesets and set the default policies to ACCEPT as a test. I've also tried other forwarding rulsets with the same results.
Any advice or pointers would be appreciated.
root@rocket:~# sysctl -p
net.ipv6.conf.all.forwarding = 1
root@rocket:~# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:1b:21:b7:75:f5
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: 2001:4978:xxxx:xxxx::3/128 Scope:Global
inet6 addr: fe80::21b:21ff:feb7:75f5/64 Scope:Link
root@rocket:~# ifconfig sixxs
sixxs Link encap:IPv6-in-IPv4
inet6 addr: fe80::40e9:d843/128 Scope:Link
inet6 addr: 2001:4978:xxxx:xxxx::2/64 Scope:Global
root@rocket:~# ip6tables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all sixxs eth1 anywhere 2001:4978:xxxx:xxxx::/64
37 2072 ACCEPT all eth1 sixxs 2001:4978:xxxx:xxxx::/64 anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Debian/ip6tables ipv6 forwarding
Jeroen Massar on Saturday, 07 January 2012 18:20:24 inet6 addr: 2001:4978:xxxx:xxxx::3/128 Scope:Global [..] inet6 addr: 2001:4978:xxxx:xxxx::2/64 Scope:Global
if those xxxx's are all the same then it will not work, a single /64 exists on one interface, not on two.
You will also want to show the routing tables (ip -6 ro show) on both router and clients.
Debian/ip6tables ipv6 forwarding
Shadow Hawkins on Sunday, 08 January 2012 18:52:33
Jeroen -- Thank you for your reply:-)
You are correct in that all xxxx's are the same value. I also had suspicious that this may be an issue with my setup but I'm still trying to wrap my head around ipv6 here. Lets try to clarify a few things. Perhaps I am just misunderstanding something simple with ipv6.
In ipv4, I would use iptables/MASQUERADE to set up a NAT to share my ISP provided ipv4 IP to my home network.
On to ipv6, the use of NAT/MASQUERADING is not necessary as I am provided a /64 ipv6 address from my ISP (or in this case, SixXS). The first 64 bits should be the routing information to direct the ipv6 traffic to my router. Then I can use radvd to auto-configure my home network ipv6 IPs using the last 64 bits of my ipv6/64 address on the router. Thus, an example client on my network will have the ipv6 address of (based upon the client's mac address):
inet6 2001:4978:xxxx:xxxx:226:8ff:feec:4407 prefixlen 64 tentative autoconf
Therefore, the /64 prefix will direct traffic to my router, then the router will route the traffic to the client on my network based upon the last 64 bits of the ipv6 IP above. This is also why I have the ::3 IP on eth1 is showing as a /128 - it will serve as the gateway for incoming ipv6 traffic on eth1 and be forwarded out on sixxs/eth0.
I performed a wireshark capture on eth0 (the interface with a static ipv4 through which the sixxs interface is tunneled through). When I ping an external ipv6 addresses (i.e. ipv6.google.com) from a client, I see outgoing echo requests in Wireshark on the eth0 interface, however the incoming echo replies are not showing on the eth0 or sixxs interfaces - leading me to believe that the ipv6 ping is leaving my home network but not returning.
I understand that I can request a /48 subnet which would allow me greater flexibility. However, my tunnel needs to exist for a few weeks longer to generate the required points to do this. However, based upon my understanding, I should be able to create a network of clients based upon a single /64 ipv6 address.
If it still matters (granted I should adjust the ipv6 MTU for performance...):
root@rocket:~$ ip -6 ro show
2001:4978:xxxx:xxxx::1 dev sixxs metric 1024 mtu 1280 advmss 1220 hoplimit 4294967295
2001:4978:xxxx:xxxx::3 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
2000::/3 via 2001:4978:xxxx:xxxx::1 dev sixxs metric 1024 mtu 1280 advmss 1220 hoplimit 4294967295
fe80::/64 via :: dev sixxs proto kernel metric 256 mtu 1280 advmss 1220 hoplimit 4294967295
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
default via 2001:4978:xxxx:xxxx::1 dev sixxs metric 1024 mtu 1280 advmss 1220 hoplimit 4294967295
Debian/ip6tables ipv6 forwarding
Jeroen Massar on Sunday, 08 January 2012 21:03:06 but I'm still trying to wrap my head around ipv6 here.
Even in IPv4 if you have 192.0.2.0/24 you cannot put that on both eth0 and eth1 and expect it to work.
Nothing changed there, actually there is very little different in IPv6 compared to IPv4, it is primarily a longer address and ND instead of ARP.
As for the rest, the /64 is solely for the tunnel, you need to request a subnet (/48) to be able to have any prefixes behind your <tunnel>::2.
Debian/ip6tables ipv6 forwarding
Shadow Hawkins on Sunday, 08 January 2012 23:33:24
If I am following - I am hitting a limitation due to the ipv6 tunnel and would need to have a /48 subnet with SixXS to share over my home network. I'm stuck for now until I have a /48 subnet.
Let me ask a different question:
Based upon what I have been reading,*IF* I had native ipv6 support from my ISP - I would be assigned an ipv6 /64 IP. If I wanted to share that ipv6 connection to my home network, would I still need to request an additional ipv6 /64 prefix or a /48 subnet from the ISP for the internal network?
Something similar to:
eth0: 2001:xxxx:xxxx:xxxx::1/64
eth1: 2001:xxxx:yyyy:zzzz::1/64
--Or--
Would there be a method to take that single ipv6 /64 IP and share it across my home network with the client IPs using the same /64 prefix as the IP from my ISP? As I understand, the first 64 bits are for routing, therefore ANY ipv6 IP with the same /64 prefix would be directed to my eth0 interface from my ISP. Then my box would act as a router to the internal network on eth1 forwarding traffic to the client IPs with the same /64 prefix. At least this has been my takeaway as to why NATs are obsolete on ipv6. This was what I was trying to do with my SixXS /64 IP.
Thanks again for your help Jeroen!
Debian/ip6tables ipv6 forwarding
Jeroen Massar on Monday, 09 January 2012 11:28:22 I would be assigned an ipv6 /64 IP.
You might be misunderstanding prefixes wrong. You get 1 IP address but the prefix it is in is a /64. The reasoning behind the /64 is because of autoconfiguration and thus that being the default prefix length.
All network links are /64. (Of course one could manually use other lengths but why bother with that).
If I wanted to share that ipv6 connection to my home network, would I still need to request an additional ipv6 /64 prefix or a /48 subnet from the ISP for the internal network?
Indeed you would need at least an extra single /64. Likely you will receive a /48 or in some cases a /56 which in turn contain several /64s that you can route internally.
As I understand, the first 64 bits are for routing, therefore ANY ipv6 IP with the same /64 prefix would be directed to my eth0 interface from my ISP.
If you have a /64 it means that that /64 exists on that interface, be it a tunnel or Ethernet.
In the case that the /64 is fully routed to you you can indeed pick any IP out of that /64, though generally one would use autoconfiguration using Router Advertisement (RA) or DHCPv6 to do that.
In the case that it is a /64 on the link provided by the ISP, in most cases they will determine which IP one can use from that /64. In the SixXS tunnel case that is only <prefix>::2 for your end, while the PoP-side is <tunnel>::1. As such only the <tunnel>::2 is going to your end, nothing else.
At least this has been my takeaway as to why NATs are obsolete on ipv6.
NAT is not truly obsolete when you do not get enough addresses and you only get 1 for a tunnel.
Request a subnet though and you suddenly have a full /48 routed towards you and thus 65536 /64s or 2^80's IP addresses.
Posting is only allowed when you are logged in. |