IPv6 Woes...

Eric F Crist ecrist at secure-computing.net
Tue Jun 26 22:15:02 UTC 2007


On Jun 26, 2007, at 4:32 PM, Bruce A. Mah wrote:

> If memory serves me right, Eric F Crist wrote:
>> Hi Eric--
>
> First note that I'm a different Bruce than the chap who's been helping
> thus far.  :-)
>
> BTW, use "ndp -a" to see this.

> Your setup is not *too* different from what I have at home in terms of
> network topology and what you hope to accomplish.  (I have a Soekris
> net4801 running 6.2-STABLE and acting as a filtering bridge between an
> IPv4 /29 and the rest of the Internet, and also terminating a gif(4)
> tunnel for IPv6.)
>
>> This is so that I don't have to do routing on my firewall.  I have a
>> IPv4 /28 network, so a limited number of IP addresses, this saves one
>> of those.  This system is filtering traffic with PF.  That's really
>> the only reason for the bridging.  Also, it does allow me to do
>> traffic shaping and bandwidth monitoring.  This bridging stuff
>> really, as you said, has nothing to do with my IPv6 configuration
>> issues.
>
> I think the biggest difference between your network and mine is that
> rather than using options BRIDGE I'm using the if_bridge(4) driver
> between my "inside" and "outside" network interfaces.  The physical
> interfaces in the bridge are unnumbered and the if_bridge
> pseudo_interface has IPv4 and IPv6 addresses.
>
> The main reason for doing this is that I've seen that bridge(4) can
> have difficulty determining the correct physical interface to use for
> packets that originate on the bridging host.  I recall having this
> problem with pfnat.  (I don't remember the exact details, but I did
> some postings to the m0n0wall mailing lists on this topic some time
> ago...your favorite search engine can probably help find these
> messages.)
>
> I wonder if the problem I've seen with bridge(4) might be related to
> your IPv6 problems (since you're terminating the tunnel on your
> firewall).  If so, maybe switching to if_bridge(4) as I've described
> above might help things.
>
> In any case, good luck!

Bruce! Thanks for all the help!  That did the trick!  Only one more
thing that's holding me up.

On my gateway, I've got 2001:4980:1:111::145/64 as the primary IP
address.  In addition, I've got 2001:4980:1:111::1/128 as an alias.
I can ping/connect to the xxx:145 address, but not the xxx:1
address.  What did I configure wrong?  Here's the output of
netstat -r -f inet6:

Routing tables

Internet6:
Destination                    Gateway                         Flags    Refs      Use    Mtu    Netif Expire
::                             localhost.secure-computing.net  UGRS        0        0  16384      lo0 =>
default                        2001:4980:1::5                  UGS         0        0   1280     gif0
localhost.secure-computing.net localhost.secure-computing.net  UHL         5        0  16384      lo0
::ffff:0.0.0.0                 localhost.secure-computing.net  UGRS        0        0  16384      lo0
2001:4980:1::4                 link#7                          UC          0        0   1280     gif0
2001:4980:1::5                 link#7                          UHLW        2        4   1280     gif0
2001:4980:1::6                 link#7                          UHL         1        4   1280      lo0
2001:4980:1:111::              link#1                          UC          0        1   1500     fxp0
2001:4980:1:111::1             00:06:5b:05:30:19               UHL         1        4   1500      lo0
2001:4980:1:111::145           00:06:5b:05:30:19               UHL         2        4   1500      lo0
2001:4980:1:111::147           00:06:5b:38:2e:82               UHLW        1       14   1500     fxp0
fe80::                         localhost.secure-computing.net  UGRS        0        0  16384      lo0
fe80::%fxp0                    link#1                          UC          0        0   1500     fxp0
fe80::206:5bff:fe05:3019%fxp0  00:06:5b:05:30:19               UHL         1        0   1500      lo0
fe80::%fxp1                    link#2                          UC          0        0   1500     fxp1
fe80::206:5bff:fe05:301a%fxp1  00:06:5b:05:30:1a               UHL         1        0   1500      lo0
fe80::%lo0                     fe80::1%lo0                     U           0        0  16384      lo0
fe80::1%lo0                    link#3                          UHL         1        0  16384      lo0
fe80::%gif0                    link#7                          UC          0        0   1280     gif0
fe80::206:5bff:fe05:3019%gif0  link#7                          UHL         1        0   1280      lo0
fe80::%tun0                    link#8                          UC          0        0   1500     tun0
fe80::206:5bff:fe05:3019%tun0  link#8                          UHL         1        0   1500      lo0
ff01:1::                       link#1                          UC          0        0   1500     fxp0
ff01:2::                       link#2                          UC          0        0   1500     fxp1
ff01:3::                       localhost.secure-computing.net  UC          0        0  16384      lo0
ff01:7::                       link#7                          UC          0        0   1280     gif0
ff01:8::                       link#8                          UC          0        0   1500     tun0
ff02::                         localhost.secure-computing.net  UGRS        0        0  16384      lo0
ff02::%fxp0                    link#1                          UC          0        0   1500     fxp0
ff02::%fxp1                    link#2                          UC          0        0   1500     fxp1
ff02::%lo0                     localhost.secure-computing.net  UC          0        0  16384      lo0
ff02::%gif0                    link#7                          UC          0        0   1280     gif0
ff02::%tun0                    link#8                          UC          0        0   1500     tun0

Thanks for one last piece of advice!


-----
Eric F Crist
Secure Computing Networks



