SixXS::Sunset 2017-06-06

Subnet routing issue on MacOS X
[ca] Shadow Hawkins on Friday, 04 April 2008 04:21:26
I recently set up aiccu with a subnet. Doing the following:
aiccu start
sudo sysctl -w net.inet6.ip6.forwarding=1
rtadvd -d en0
The second computer sees a local network address for the router and uses an address in the subnet corresponding to the one assigned to me. The problem is that while the main computer can ping6 an external site, the second computer can't. It can ping the first computer. I did manage after a bit of messing around to get the second machine to ping6 an external site. The main computer was then rebooted and even after going through the commands above I have been unable to provide external access to the second computer. The main computer is running MacOS X 10.4 and the second machine MacOS X 10.5. At this point I am about to give up with my IPv6 subnet experimentation, since I just can't get it working consistently. If anyone has any ideas I would be grateful. Note I have also an old Windows 2000 machine with IPv6 installed and it too gets the subnet prefix, but can't ping6 an external network.
Subnet routing issue on MacOS X
[si] Shadow Hawkins on Friday, 04 April 2008 08:54:54
I recommend you read the other recent forum posts with similar problems. And of course the FAQ, especially this item: https://noc.sixxs.net/faq/connectivity?faq=usingsubnet
Subnet routing issue on MacOS X
[ch] Jeroen Massar SixXS Staff on Friday, 04 April 2008 12:26:30
If you want people to be able to help you diagnose a problem, please actually provide full interface and routing tables as the bare minimum. Other information from the "Reporting Problems Checklist" is also generally very helpful, that is why they are requested there.
Subnet routing issue on MacOS X
[ca] Shadow Hawkins on Friday, 04 April 2008 22:46:40
I have gone through the FAQ as best as I could. Since MacOS X is not listed as a platform, I tried following the BSD section, but this still leaves me with issues.
My end point is: 2001:4978:f:48::2
My subnet is: 2001:4978:15d::/48
I have tried putting my en0 setting in the system preferences for IPv6 to automatic, manual and off, though these states don't seem to change much. Below is the routing table displayed, in various states.

Before initial aiccu connection:
Destination Gateway Flags Netif Expire
localhost link#1 UHL lo0
localhost Uc lo0
localhost link#1 UHL lo0
link#4 UC en0
zanniati.local 0:30:65:d6:b1:64 UHL lo0
ff01:: localhost U lo0
ff02::%lo0 localhost UC lo0
ff02::%en0 link#4 UC en0

After aiccu has connected, but the other host can't ping6 out of the network:
Internet6:
Destination Gateway Flags Netif Expire
default localhost UGSc en0
localhost link#1 UHL lo0
gw-73.chi-02.us.si cl-73.chi-02.us.si UH tun0
cl-73.chi-02.us.si link#7 UHL lo0
link#4 UC en0
cl-73.chi-02.us.si 0:30:65:d6:b1:64 UHL lo0
cl-73.chi-02.us.si 0:16:cb:9f:dc:47 UHLW en0
cl-73.chi-02.us.si Uc lo0
cl-73.chi-02.us.si link#1 UHL lo0
link#4 UC en0
ghostwalker.local 0:16:cb:9f:dc:47 UHLW en0
zanniati.local 0:30:65:d6:b1:64 UHL lo0
zanniati.local Uc tun0
zanniati.local link#7 UHL lo0
ff01:: localhost U lo0
ff02::%lo0 localhost UC lo0
ff02::%en0 link#4 UC en0
ff02::%tun0 zanniati.local UC tun0

In a state that allows the other hosts to ping6 ipv6.google.com:
Internet6:
Destination Gateway Flags Netif Expire
default gw-73.chi-02.us.si UGSc tun0
localhost link#1 UHL lo0
gw-73.chi-02.us.si cl-73.chi-02.us.si UH tun0
cl-73.chi-02.us.si link#7 UHL lo0
cl-73.chi-02.us.si 0:16:cb:9f:dc:47 UHL en0
cl-73.chi-02.us.si Uc lo0
cl-73.chi-02.us.si link#1 UHL lo0
link#4 UC en0
zanniati.local 0:30:65:d6:b1:64 UHL lo0
zanniati.local link#7 UHL lo0
ff01:: localhost U lo0
ff02::%lo0 localhost UC lo0
ff02::%tun0 zanniati.local UC tun0
Subnet routing issue on MacOS X
[ca] Shadow Hawkins on Friday, 04 April 2008 22:50:29
Forgot the interface:
$ ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::230:65ff:fed6:b164%en0 prefixlen 64 scopeid 0x4
    inet 192.168.2.101 netmask 0xffffff00 broadcast 192.168.2.255
    inet6 2001:4978:15d::1 prefixlen 64
    ether 00:30:65:d6:b1:64
    media: autoselect (100baseTX <full-duplex>) status: active
    supported media: none autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback> 1000baseT <full-duplex> 1000baseT <full-duplex,hw-loopback> 1000baseT <full-duplex,flow-control> 1000baseT <full-duplex,flow-control,hw-loopback>
fw0: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1006
    lladdr 00:30:93:01:00:00:43:3e
    media: autoselect <full-duplex> status: inactive
    supported media: autoselect <full-duplex>
fw1: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 2030
    lladdr 00:30:65:ff:fe:d6:b1:64
    media: autoselect <full-duplex> status: inactive
    supported media: autoselect <full-duplex>
tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1280
    inet6 fe80::230:65ff:fed6:b164%tun0 prefixlen 64 scopeid 0x7
    inet6 2001:4978:f:48::2 --> 2001:4978:f:48::1 prefixlen 128
    open (pid 1922)

and the contents of the rtadvd.conf file:
en0:\
    :addrs#1:addr="2001:4978:15d::":prefixlen#64:
Subnet routing issue on MacOS X
[ch] Jeroen Massar SixXS Staff on Friday, 04 April 2008 23:36:53
As per the "Reporting Problems Checklist", use '-n' or equivalent when listing, as then you get the IP address and not the hostname.
cl-73.chi-02.us.si 0:30:65:d6:b1:64 UHL lo0
cl-73.chi-02.us.si 0:16:cb:9f:dc:47 UHLW en0
cl-73.chi-02.us.si Uc lo0
cl-73.chi-02.us.si link#1 UHL lo0
Why is the client address going over en0? That should definitely be a tun0. Check your aiccu.conf as I guess it is misconfigured. The routes over lo0 are there because the address is local. From your other post:
tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1280
inet6 fe80::230:65ff:fed6:b164%tun0 prefixlen 64 scopeid 0x7
inet6 2001:4978:f:48::2 --> 2001:4978:f:48::1 prefixlen 128
open (pid 1922)
Which looks fine though, did you define the tunnel addresses on the en0 interface? Best thing you can probably try to do is purge your IPv6 configuration, as something is definitely wrong.
Subnet routing issue on MacOS X
[ca] Shadow Hawkins on Saturday, 05 April 2008 01:49:47
Whatever settings are in the routing table are there by whatever process puts them there. I have not added these values by hand. How would I go about purging my IPv6 config? This is my aiccu config (login settings masked):

# Login information - register for account at: http://www.sixxs.net/signup/create
username XXXXXX
password XXXXXX

# Interface names to use
# ipv6_interface is the name of the interface that will be used as a tunnel interface.
# On *BSD the ipv6_interface should be set to gifX (eg gif0) for proto-41 tunnels
# or tunX (eg tun0) for AYIYA tunnels.
# ipv6_interface tun0
ipv6_interface tun1

# The tunnel_id to use - request one at: http://noc.sixxs.net/home
# (only required when there are multiple tunnels in the list)
#tunnel_id Txxxx

# Be verbose?
verbose true

# Daemonize?
daemonize false

# Automatic Login and Tunnel activation?
automatic true

# Require TLS?
# When set to true, if TLS is not supported on the server
# the TIC transaction will fail.
# When set to false, it will try a starttls, when that is
# not supported it will continue.
# In any case if AICCU is build with TLS support it will
# try to do a 'starttls' to the TIC server to see if that
# is supported.
requiretls false

---

Here is the current netstat entry, specifying the -n option:
Internet6:
Destination                         Gateway                         Flags  Netif Expire
default                             fe80::230:65ff:fed6:b164%en0    UGc    en0
::1                                 link#1                          UHL    lo0
2001:4978:f:48::1                   2001:4978:f:48::2               UH     tun0
2001:4978:f:48::2                   link#7                          UHL    lo0
2001:4978:15d::/64                  link#4                          UC     en0
2001:4978:15d::1                    0:30:65:d6:b1:64                UHL    lo0
2001:4978:15d::216:cbff:fe9f:dc47   0:16:cb:9f:dc:47                UHLW   en0
fe80::%lo0/64                       fe80::1%lo0                     Uc     lo0
fe80::1%lo0                         link#1                          UHL    lo0
fe80::%en0/64                       link#4                          UC     en0
fe80::216:cbff:fe9f:dc47%en0        0:16:cb:9f:dc:47                UHLW   en0
fe80::230:65ff:fed6:b164%en0        0:30:65:d6:b1:64                UHL    lo0
fe80::%tun0/64                      fe80::230:65ff:fed6:b164%tun0   Uc     tun0
fe80::230:65ff:fed6:b164%tun0       link#7                          UHL    lo0
ff01::/32                           ::1                             U      lo0
ff02::/32                           ::1                             UC     lo0
ff02::/32                           link#4                          UC     en0
ff02::/32                           fe80::230:65ff:fed6:b164%tun0   UC     tun0
Subnet routing issue on MacOS X
[ch] Jeroen Massar SixXS Staff on Saturday, 05 April 2008 12:07:01
Whatever settings are in the routing table are there
by whatever process puts them there.
I have not added these values by hand.
Unless you have entered them, by hand, into some GUI or other configuration file, and they only become active when IPv6 is enabled, for instance by aiccu which is calling the ifconfig and route commands.
# ipv6_interface tun0
ipv6_interface tun1
Strange, you have tun1 there, but your routing tables contain tun0, the interface that you show that gets configured (and opened, looking at the PID) also contains tun0. Your new routing list somewhat makes sense, except that your default is set wrong:
default fe80::230:65ff:fed6:b164%en0 UGc en0
The default should definitely be a 'default 2001:4978:f:48::2 ... tun0', which aiccu should set. Aiccu doesn't configure anything over en0, and especially not in the link-local address list (except for adding a link-local address on some OS's which don't put one on tun0 interfaces). That default seems to be pointing to the host itself, which is rather odd. For some reason the default doesn't get configured; error/debug message output from aiccu would tell you that it is adding it and maybe what goes wrong. Looking at your configuration file though and what it actually does, I guess that you are looking at the wrong configuration file. Most likely that other configuration file also has different interface names and possibly 'defaultroute false' in there, which could explain the default not being added. Theoretically with the above routing table you should at least already be able to ping6 the local end and the remote end of the tunnel. If you then add a correct default route to the remote end (which should be done by aiccu) then all should, like normal, work properly.
Subnet routing issue on MacOS X
[ca] Shadow Hawkins on Saturday, 05 April 2008 16:17:11
Turns out I copied and pasted the wrong aiccu.conf file. The value in the one being used is indeed tun0, but the rest of the values are the same. The ifconfig is also the right one. On the aiccu client machine I can indeed ping6 ipv6.google.com, but not on the host computer. I tried "defaultroute true", but that doesn't seem to change much. Startup of aiccu looks as follows:

$ sudo aiccu start
sock_getline() : "200 SixXS TIC Service on noc.sixxs.net ready (http://www.sixxs.net)"
sock_printf() : "client TIC/draft-00 AICCU/2007.01.15-console-darwin Darwin/8.11.0"
sock_getline() : "200 Client Identity accepted"
sock_printf() : "get unixtime"
sock_getline() : "200 1207404256"
sock_printf() : "username AME4-SIXXS"
sock_getline() : "200 Choose your authentication challenge please"
sock_printf() : "challenge md5"
sock_getline() : "200 xxxxxxxxxxxxxxx"
sock_printf() : "authenticate md5 xxxxxxxxxxxxxxx"
sock_getline() : "200 Succesfully logged in using md5 as AME4-SIXXS (Andre-John Mas) from 70.55.58.48"
sock_printf() : "tunnel list"
sock_getline() : "201 Listing tunnels"
sock_getline() : "T13775 2001:4978:f:48::2 ayiya uschi02"
sock_getline() : "202 <tunnel_id> <ipv6_endpoint> <ipv4_endpoint> <pop_name>"
sock_printf() : "tunnel show T13775"
sock_getline() : "201 Showing tunnel information for T13775"
sock_getline() : "TunnelId: T13775"
sock_getline() : "Type: ayiya"
sock_getline() : "IPv6 Endpoint: 2001:4978:f:48::2"
sock_getline() : "IPv6 POP: 2001:4978:f:48::1"
sock_getline() : "IPv6 PrefixLength: 64"
sock_getline() : "Tunnel MTU: 1280"
sock_getline() : "Tunnel Name: My First Tunnel"
sock_getline() : "POP Id: uschi02"
sock_getline() : "IPv4 Endpoint: ayiya"
sock_getline() : "IPv4 POP: 216.14.98.22"
sock_getline() : "UserState: enabled"
sock_getline() : "AdminState: enabled"
sock_getline() : "Password: xxxxxxxxxxxxxx"
sock_getline() : "Heartbeat_Interval: 60"
sock_getline() : "202 Done"
Succesfully retrieved tunnel information for T13775
sock_printf() : "QUIT Even the spirits are afraid"
Tunnel Information for T13775:
POP Id : uschi02
IPv6 Local : 2001:4978:f:48::2/64
IPv6 Remote : 2001:4978:f:48::1/64
Tunnel Type : ayiya
Adminstate : enabled
Userstate : enabled
[tun-start] Trying Configured TUN/TAP interface tun0...
[tun-start] Using TUN/TAP interface tun0
[tun-start] Setting TUNSIFHEAD for tun0
add net default: gateway 2001:4978:f:48::1
[AYIYA-start] : Anything in Anything (draft-02)
[AYIYA-tun->tundev] : (Socket to TUN) started
Subnet routing issue on MacOS X
[ch] Jeroen Massar SixXS Staff on Monday, 07 April 2008 23:47:40
On the aiccu client machine I can indeed ping6 ipv6.google.com,
but not on the host computer.
Aka your routing on the 'router' machine is correct, but your subnet routing (or forwarding) isn't.
I tried "defaultroute true",
but that doesn't seem to change much.
It is a default condition.
add net default: gateway 2001:4978:f:48::1
Clearly it gets added. The question of course, again, is what do your interface and routing tables look like? And what does radvd.conf look like, and did you toggle the forwarding flag (most likely sysctl somewhere)?
Subnet routing issue on MacOS X
[ca] Shadow Hawkins on Tuesday, 08 April 2008 04:22:28
The rtadvd entry is as follows:
en0:\
    :addrs#1:addr="2001:4978:15d::":prefixlen#64:
As for the interface and routing tables, I have already posted them in previous posts to this thread. Unfortunately I have no IPv6 experts locally that could log in to my computer and see what is going on. So I am still in the dark as to the issue.
Subnet routing issue on MacOS X
[ca] Shadow Hawkins on Tuesday, 08 April 2008 05:45:45
Looks like I have found my culprit. It was the ipv6 firewall rules on my router. I had completely forgotten about them. These are the values I had:
ip6fw -f flush
ip6fw add allow tcp from any to 2001:4978:15d::/64 ssh,http setup
ip6fw add allow ipv6 from 2001:4978:15d::/64 to any
ip6fw add allow tcp from any to any established
ip6fw add deny ipv6 from any to 2001:4978:15d::/64
ip6fw add 65534 deny ip from any to any
What settings should I be using?
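Added example, not part of the post above and not SixXS or Apple code: a small Python model of first-match evaluation over the first four rules quoted in that post, showing which rule a forwarded ICMPv6 echo reply hits compared with a TCP reply. The remote address, the packet dictionaries and the with_icmp6_to_subnet variant are assumptions made for illustration, and the final "65534 deny ip" line is not modelled.

```python
import ipaddress

SUBNET = ipaddress.ip_network("2001:4978:15d::/64")   # LAN prefix from the post
ANY = ipaddress.ip_network("::/0")
HOST = "2001:4978:15d::216:cbff:fe9f:dc47"            # second machine, from the routing table
REMOTE = "2001:db8::1"                                # constructed external address

# (action, proto, src, dst, dst ports, tcp keyword), in the order the post adds them.
# The trailing "65534 deny ip from any to any" line is not modelled.
POSTED_RULES = [
    ("allow", "tcp",  ANY,    SUBNET, {22, 80}, "setup"),
    ("allow", "ipv6", SUBNET, ANY,    None,     None),
    ("allow", "tcp",  ANY,    ANY,    None,     "established"),
    ("deny",  "ipv6", ANY,    SUBNET, None,     None),
]

def tcp_keyword(flags):
    """'setup' is SYN without ACK; 'established' is ACK or RST set."""
    if "SYN" in flags and "ACK" not in flags:
        return "setup"
    return "established" if {"ACK", "RST"} & set(flags) else None

def first_match(pkt, rules=POSTED_RULES):
    """Return (rule position, action) for the first rule the packet matches."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for pos, (action, proto, rsrc, rdst, ports, keyword) in enumerate(rules, 1):
        if proto not in ("ipv6", pkt["proto"]):      # "ipv6" matches any protocol
            continue
        if src not in rsrc or dst not in rdst:
            continue
        if ports is not None and pkt.get("dport") not in ports:
            continue
        if keyword is not None and tcp_keyword(pkt.get("flags", ())) != keyword:
            continue
        return pos, action
    return None, "no match"

def with_icmp6_to_subnet(rules=POSTED_RULES):
    """Hypothetical variant: allow ICMPv6 to the subnet just before the deny."""
    return rules[:3] + [("allow", "icmp6", ANY, SUBNET, None, None)] + rules[3:]

# Constructed packets, as seen on the router while forwarding.
ECHO_REQUEST_OUT = {"proto": "icmp6", "src": HOST, "dst": REMOTE}
ECHO_REPLY_IN = {"proto": "icmp6", "src": REMOTE, "dst": HOST}
SYN_ACK_IN = {"proto": "tcp", "src": REMOTE, "dst": HOST, "dport": 49152, "flags": ("SYN", "ACK")}

if __name__ == "__main__":
    for name in ("ECHO_REQUEST_OUT", "ECHO_REPLY_IN", "SYN_ACK_IN"):
        print(name, first_match(globals()[name]))
    print("ECHO_REPLY_IN, variant", first_match(ECHO_REPLY_IN, with_icmp6_to_subnet()))
```

An echo reply carries no flag that the established keyword can match, so a stateless ruleset of this shape needs its own rule for the ICMPv6 it wants to let back in to the subnet.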
Subnet routing issue on MacOS X
[si] Shadow Hawkins on Tuesday, 08 April 2008 16:41:38
I use this: none (and it works ;))
Subnet routing issue on MacOS X
[us] Shadow Hawkins on Tuesday, 08 April 2008 18:27:39
I wouldn't turn off your firewall if this is the router that's running aiccu and you've no other firewall in front of it. You might start with something simple, though, like allow the one or two inbound services you know you'll want (e.g. SSH and HTTP) and end with an explicit deny. There is a lot of documentation for ipfw so just be sure to sub ip6fw or you'll be setting IPv4 rules instead. There are plenty of sample ipfw6 rules, too, that I turned up with a couple of quick web searches. I don't recall if you're using OS X client or server but also note that the firewall rules set in Server Admin only set IPv4 rules but that could have changed with Leopard. q.v. http://www.oreillynet.com/pub/a/mac/2005/11/01/firewall.html, http://textsnippets.com/posts/show/1267, and http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/ip6fw.8.html
Subnet routing issue on MacOS X
[si] Shadow Hawkins on Wednesday, 09 April 2008 11:34:15
So it works if the firewall is off? Then add restrictions to the firewall, one by one (testing the net after each). Try to use a tool that you understand (like GUI versions). Or run a firewall on the client(s), if they are easier to set up.
Subnet routing issue on MacOS X
[ca] Shadow Hawkins on Wednesday, 09 April 2008 19:49:34
It works with the firewall off and also with a modified set of rules. You can see in this thread: https://noc.sixxs.net/forum/?msg=setup-705848 This current thread should be treated as resolved :)
