Extended Routing over Fritzbox 3360 with pfsense behind
Shadow Hawkins on Monday, 15 April 2013 08:13:12
Hi all,
I am going nuts actually with my home setup, hopefully someone can help me since I am not able to debug that issue further:
I have a Fritzbox 3360 running on a Cable Internet V4 connection and use the heartbeat tunnel to Sixxs for IPv6 connectivity.
As a quick draft here the network structure:
IPv4 Internet
|
Fritzbox 3360 with Heartbeat tunnel
|
WLAN DMZ like Network (192.168.1.0/24)
|
pfSense Router for internal network (10.20.1.0/24)
IPv6 is running fine on the WLAN DMZ network, as long as the fritzbox supplies all needed stuff via dhcpv6, what makes me headaches is the internal network to which I am unable to supply IPv6 routing.
I just got a /48 IPv6 network approved by Sixxs, the Fritzbox got the new prefix, but pfsense is only able to communicate via the direct interface to the fritzbox and only if the interface is getting ipv6 via dhcp from the fritzbox.
Static IP config and such results in now connectivity, I am even not able to ping the v6 ip of the fritzbox then.
I tried to give the functionality for ipv6 to my internal network via dhcpv6 relay of pfsense, no luck since I even cannot reach my default gw via v6.
So actually I am lost. Thanks to the chained Fritzbox I am also not able to debug further since telnet and such are disabled by the ISP.
Can someone point me to the right direction?
Thanks alot,
Dan
Extended Routing over Fritzbox 3360 with pfsense behind
Jeroen Massar on Monday, 15 April 2013 12:20:35
You need one of the most recent Fritz!Box firmware version for subnet routing to work; that is, I have seen a note in the firmware release notes that that is now possible.
See: firmware 54/74.05.23: Internet: New - settings to use other IPv6 routers in your networkg
Can someone point me to the right direction?
Providing routing tables on all involved devices is a good start, traceroutes another.
Extended Routing over Fritzbox 3360 with pfsense behind
Shadow Hawkins on Tuesday, 16 April 2013 12:13:37
Jeroen Massar wrote:
Providing routing tables on all involved devices is a good start, traceroutes another.
Thanks Jeroen,
I tried several things but I am not able to figure out what the Fritzbox demands from me for the subnet routing.
Actual Situation:
I have currently a WAN and a LAN interface on pfSense running, the WAN interface is on the Fritzbox LAN subnet, IPv6 DHCP server is running on the fritzbox and supplies leases, I also allowed "Prfix (IA_PD) und IPv6-Adresse (IA_NA) zuweisen".
With sniffing via tcpdump on the pfSense WAN interface I get the following:
14:02:25.554918 IP6 (hlim 1, next-header UDP (17) payload length: 76) fe80::20c:29ff:fe2d:f952.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=a578bb (client ID hwaddr/time type 1 time 419072541 000c292df948) (IA_NA IAID:0 T1:0 T2:0) (elapsed time 65535) (option request DNS DNS name) (IA_PD IAID:0 T1:0 T2:0))
14:02:25.561775 IP6 (hlim 64, next-header UDP (17) payload length: 158) fe80::2665:11ff:fefa:8158.dhcpv6-server > fe80::20c:29ff:fe2d:f952.dhcpv6-client: [udp sum ok] dhcp6 advertise (xid=a578bb (client ID hwaddr/time type 1 time 419072541 000c292df948) (server ID hwaddr type 1 246511fa8158) (preference 0) (DNS fd00::2665:11ff:fefa:8158) (IA_NA IAID:0 T1:1800 T2:2880 (IA_ADDR 2001:4dd0:fbe3:0:20c:29ff:fe2d:f952 pltime:3600 vltime:7200)) (IA_PD IAID:0 T1:1800 T2:2880 (IA_PD prefix 2001:4dd0:fbe3:fc::/62 pltime:3600 vltime:7200)))
The pfSense WAN interface is currently running as dhcpv6 client interface.
Based on that output I tried to use the /62 prefix written above on my pfSense router since I admit that my "lovely" fritzbox delegates this subnet.
I configured pfSense interfaces to the following:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:2d:f9:48
inet6 fe80::20c:29ff:fe2d:f948%em0 prefixlen 64 scopeid 0x1
inet 10.20.1.1 netmask 0xffffff00 broadcast 10.20.1.255
inet6 2001:4dd0:fbe3:fc::1 prefixlen 63
nd6 options=1<PERFORMNUD>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:2d:f9:52
inet6 fe80::20c:29ff:fe2d:f952%em1 prefixlen 64 scopeid 0x2
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
inet6 2001:4dd0:fbe3:0:20c:29ff:fe2d:f952 prefixlen 64 autoconf
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1 is WAN (dhcp), em0 is LAN (static).
The weird is that now even over WAN interface I get no connection to the internet over IPv6, here the routing table where I miss my default gw:
Destination Gateway Flags Netif Expire
::1 ::1 UH lo0
2001:4dd0:fbe3::/64 link#2 U em1
2001:4dd0:fbe3:0:20c:29ff:fe2d:f952 link#2 UHS lo0
2001:4dd0:fbe3:1::/64 link#2 U em1
2001:4dd0:fbe3:2::/64 link#8 U ovpns1
2001:4dd0:fbe3:3::/64 link#8 U ovpns1
2001:4dd0:fbe3:3::1 link#8 UHS lo0
2001:4dd0:fbe3:fc::/63 link#1 U em0
2001:4dd0:fbe3:fc::1 link#1 UHS lo0
fe80::%em0/64 link#1 U em0
fe80::20c:29ff:fe2d:f948%em0 link#1 UHS lo0
fe80::%em1/64 link#2 U em1
fe80::20c:29ff:fe2d:f952%em1 link#2 UHS lo0
fe80::%lo0/64 link#6 U lo0
fe80::1%lo0 link#6 UHS lo0
fe80::20c:29ff:fe2d:f948%ovpns1 link#8 UHS lo0
ff01::%em0/32 fe80::20c:29ff:fe2d:f948%em0 U em0
ff01::%em1/32 fe80::20c:29ff:fe2d:f952%em1 U em1
ff01::%lo0/32 ::1 U lo0
ff01::%ovpns1/32 fe80::20c:29ff:fe2d:f948%ovpns1 U ovpns1
ff02::%em0/32 fe80::20c:29ff:fe2d:f948%em0 U em0
ff02::%em1/32 fe80::20c:29ff:fe2d:f952%em1 U em1
ff02::%lo0/32 ::1 U lo0
ff02::%ovpns1/32 fe80::20c:29ff:fe2d:f948%ovpns1 U ovpns1
also not to forget the radvd config:
# Automatically Generated, do not edit
# Generated for DHCPv6 Server lan
interface em0 {
AdvSendAdvert on;
MinRtrAdvInterval 5;
MaxRtrAdvInterval 20;
AdvLinkMTU 1500;
AdvDefaultPreference high;
AdvManagedFlag on;
prefix 2001:4dd0:fbe3:fc::/63 {
DeprecatePrefix on;
AdvOnLink on;
AdvAutonomous off;
AdvRouterAddr on;
};
route ::/0 {
RemoveRoute on;
};
RDNSS 2001:4dd0:fbe3:fc::1 { };
DNSSL coldharbour.org { };
};
# Generated for DHCPv6 Server wan
interface em1 {
AdvSendAdvert on;
MinRtrAdvInterval 5;
MaxRtrAdvInterval 20;
AdvLinkMTU 1500;
AdvDefaultPreference medium;
AdvManagedFlag on;
prefix 2001:4dd0:fbe3::/64 {
DeprecatePrefix on;
AdvOnLink on;
AdvAutonomous off;
AdvRouterAddr on;
};
route ::/0 {
RemoveRoute on;
};
RDNSS 2001:4dd0:fbe3:0:20c:29ff:fe2d:f952 { };
DNSSL coldharbour.org { };
};
To be true I think this whole issues is a mixture on lower knowledge on ipv6 and bad config file generation of pfSense.
Hope this helps you to help me... :)
Thanks,
Dan
Extended Routing over Fritzbox 3360 with pfsense behind
Jeroen Massar on Tuesday, 07 May 2013 14:54:40 Based on that output I tried to use the /62 prefix written above on my pfSense router
You should never use anything else than /64 in a router advertisement. There is no way for a client to figure out what the other bits should be, as it is not standardized.
What you are looking for is the Prefix Delegation option.
See for instance: www.qacafe.com/static/pdf/dhcpv6-pd-whitepaper.pdf and various other resources that can be found in google.
I don't think many end-sites bother with DHCPv6, static config is so much easier to monitor and control.
Of course, for a large ISP with lots of end-users DHCPv6 Prefix Delegation can make sense, but then you just take the details out of radius.
Posting is only allowed when you are logged in. |