IPv6, ULAs and FreeBSD

Niklaas Baudet von Gersdorff stdin at niklaas.eu
Thu May 26 19:36:10 UTC 2016

I was eventually able to solve this issue. I asked for help on several
mailing lists. So, for reference, here are links to the relevant


Niklaas Baudet von Gersdorff [2016-05-24 08:17 +0200] :

> I want to serve IPv4 subnets (machine A) and
> (machine B), and IPv6 subnets fd16:dcc0:f4cc:0:0:1::/96 (machine A) and
> fd16:dcc0:f4cc:0:0:2::/96 (machine B) respectively. The jails are
> connected on lo1.

Here lies the first problem. It seems that it's not legitimate to assign
/96 subnets when using unique local addresses (ULAs). I was right
getting some /48 subnet for my local IPv6 network; some easy way to get
one generated randomly is http://unique-local-ipv6.com/ . But instead of
assigning /96 subnets to each host, you must assign /64 subnets. I guess
(but I am not sure because I have not found any reference that mentions
this explicitly) you *must not* use any other subnet when dealing with

So I decided for the following two subnets for machine A and
B respectively: fd16:dcc0:f4cc:1::/64 and fd16:dcc0:f4cc:2::/64.

> The following is the tinc-up script on each machine that assignes IP
> addresses and creates routes. I commented out some variations that
> I tried but haven't had success with either:
>     A $ cat /usr/local/etc/tinc/klaas/tinc-up
>     ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:0:0:1:0:1 prefixlen 80
>     route -6 add -host fd16:dcc0:f4cc:0:0:2:0:1 fd16:dcc0:f4cc:0:0:1:0:1
>     route -6 add -net  fd16:dcc0:f4cc:0:0:2::/96  fd16:dcc0:f4cc:0:0:1:0:1
>     #route -6 add -ifp $INTERFACE -host fd16:dcc0:f4cc::2:0:1    fd16:dcc0:f4cc::1:0:1
>     #route -6 add -ifp $INTERFACE -net  fd16:dcc0:f4cc::2:0:0/96 fd16:dcc0:f4cc::1:0:1
>     ifconfig $INTERFACE netmask
>     route -4 add -host
>     route -4 add -net

In addition, it seems not sufficient to solely assign IP address, but
you must also assign a route for the respective foreign (!) subnet(s) to
the tap interface. Without these I couldn't get the connection working.
Thus, you get the following tinc-up scripts for both machines:

    A $ cat /usr/local/etc/tinc/tinc-up
    ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:1::1 prefixlen 48 alias
    ifconfig $INTERFACE netmask alias

    route add -inet6 -net fd16:dcc0:f4cc:2::/64 -interface $INTERFACE

    B $ cat /usr/local/etc/tinc/tinc-up
    ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:2::1 prefixlen 48 alias
    ifconfig $INTERFACE netmask alias

    route add -inet6 -net fd16:dcc0:f4cc:1::/64 -interface $INTERFACE

The following you should include into tinc-down to clean up the route
when the daemon is shut down (alter this for machine B respectively):

    route add -inet6 -net fd16:dcc0:f4cc:1::/64 -interface $INTERFACE

To make this complete, these are the relevant host configurations for

    A $ cat /usr/local/etc/tinc/hosts/A
    Address = A
    Subnet = fd16:dcc0:f4cc:1::/64
    Subnet =

    -----BEGIN RSA PUBLIC KEY-----
    -----END RSA PUBLIC KEY-----

    A $ cat /usr/local/etc/tinc/hosts/B
    Address = B
    Subnet = fd16:dcc0:f4cc:2::/64
    Subnet =

    -----BEGIN RSA PUBLIC KEY-----
    -----END RSA PUBLIC KEY-----

For reference -- in hope that duckduckgo does a good job indexing this
and prevents others from struggling the same way as I did -- here are
the errors I would get from tinc if either the subnet was not set up
correctly (see above) or if I had not configured the routes:

    Cannot route packet: neighbor solicitation request for unknown address fd16:dcc0:f4cc:0:0:1:0:1

In hope that nobody else has to struggle with this as long as I did.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20160526/24307b1c/attachment.sig>

More information about the freebsd-questions mailing list