trouble setting up ipv6

Jon Radel jon at radel.com
Sat Jul 11 20:22:44 UTC 2020


>>> ifconfig_vtnet0_ipv6="inet6 accept_rtadv"
>>> gateway_enable="YES"
>>> ipv6_gateway_enable="YES" 
>> The last line sets your FreeBSD machine up as a router.  If a device is
>> a router, it completely ignores, by design, routing information from
>> incoming RAs.
>>
>> So I think your two primary choices are to, if you don't need the
>> FreeBSD machine to route ipv6, remove the
>>
>> ipv6_gateway_enable="YES"
>>
>> and if you do want the machine to route, explicitly set a default
>> gateway
>>
>> ipv6_defaultrouter="fe80::1"
>>
>> Either should give you a usable routing table.
>>
>>
>>
Your followup makes clear that you want to route ipv6 traffic on your
host, so

ipv6_defaultrouter="fe80::1"

would almost certainly be worth putting in your rc.conf.

You could

ping6 fe80::1

before changing anything, as a sanity check.  Based on other things
you've sent, that should work fine.

That may be all you need.

>
>
> The production system is running 12.1-p6 on real hardware using only
> ipv4 addresses. This production system has many non-vnet jails and a
> few vnet jails that use the bridge/epair method with private ipv6
> addresses that get NATed by the ipf firewall NAT service. All the
> jails have public internet access. There is also a cabled/wifi LAN
> behind the gateway host. This current environment has been running for
> 10+ years now. Qjail is used to create and administrate the non-vnet
> jails. The vnet jails are defined in jail.conf and use the native
> "service jail" command for start/stop/restart.
Personally, I'd avoid private ipv6 addresses entirely if you mean
addresses in fd00::/8 or fec0::/10, and use only public addresses. 
Assuming your ISP hasn't done something obnoxious such as giving you a
single /64 and you're not subject to local NAT==security rules.
>
> Ipv6 has been available for 2 years now and with the current pandemic
> there is time to add ipv6 support to the production system first
> working out the details using the development vm system.
I can only imagine you mean that ipv6 transit has been provided by your
ISP for 2 years.  ipv6 itself has been loose in the wild for a lot
longer than that.
>
> Now about ipv6. It's my understanding that the gateway host primary
> interface connects to the ISP and through them to the public internet
> gets automatically assigned a static/permanent ipv6 address by just
> having this statement in the host's rc.conf.
> ifconfig_vtnet0_ipv6="inet6 accept_rtadv"
Could well be.  Ask your ISP what they actually do, but that would be a
standard and dull way of doing it.
>
> vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0
> mtu
> options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,
> TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
>         ether f2:3c:92:bc:54:37
>         inet6 fe80::f03c:92ff:febc:5437%vtnet0 prefixlen 64 scopeid 0x1
>         inet xx.xx.xx.x netmask 0xffffff00 broadcast xx.xx.xx.255
>         media: Ethernet 10Gbase-T <full-duplex>
>         status: active
>         nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
>
> fe80::f03c:92ff:febc:5437 is what is called the ipv6 prefix

Nope.  That's an ipv6 address.  It's a link-local address associated
with the vtnet0 interface, to be precise.  Link-local addresses in
fe80::/10 are valid only on a single LAN or link and are completely
non-routable.  That's why FreeBSD reports it as
fe80::f03c:92ff:febc:5437%vtnet0 -- it's only valid on vtnet0.  The
machine could also have a fe80::f03c:92ff:febc:5437 address on another
interface, but the addresses wouldn't actually have anything to do with
each other.  Normally, these addresses happen automatically and allow
the interface to talk locally, which you don't want to break.  These
should always happen automatically by default once you turn on ipv6, and
you really don't want to break them if you want to do ipv6 at all.

One big thing you have to get used to with ipv6 is that your interfaces
will almost certainly have many addresses.

However, my suggestion, assuming an ample supply of addresses from
your ISP (it'd be nice if they gave you at least a /56), is that you
explicitly assign a public /64 to every LAN you have and then explicitly
and statically assign addresses to every device acting as a router and
every device acting as server.  Personally, I find life easier and less
confusing if devices I need to put in DNS or routing tables have
addresses more along the lines of 2600:3c02::1, 2600:3c02::2, etc.

If Linode is giving you a single /64, or a single virtual server with a
single address in a shared /64, then life becomes more complicated and
outside the scope of this discussion.

>
>
> Now this is about the end of my ipv6 knowledge.
There are plenty of tutorials out there.
>
>
>
> This is where I am requesting your advice on how to configure this. I
> think the host needs an ipv6 router service because without one I was
> not able to ping6 anything.
>
Yes, it does sound like you want to route.   And maintain your firewall
with care.

-- 
--Jon Radel
jon at radel.com
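Added example, not part of this thread or of FreeBSD itself: a small checker that catches the rc.conf trap Jon describes (an IPv6 router ignores RAs, so accept_rtadv alone leaves no default route unless ipv6_defaultrouter is set) and labels addresses the way the reply distinguishes them. The rc.conf fragment and the addresses are constructed from what was quoted above.

```python
import ipaddress
import re

# Constructed rc.conf fragment mirroring the settings quoted in the thread.
RC_CONF = '''
ifconfig_vtnet0_ipv6="inet6 accept_rtadv"
gateway_enable="YES"
ipv6_gateway_enable="YES"
'''

def parse_rc_conf(text):
    """Return {key: value} for key="value" lines; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z0-9_]+)\s*=\s*"?([^"#]*)"?', line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def check_ipv6_routing(conf):
    """Report the trap from the thread: with ipv6_gateway_enable=YES the host
    is a router and ignores RAs, so accept_rtadv alone yields no default route
    unless ipv6_defaultrouter is set explicitly."""
    findings = []
    is_router = conf.get("ipv6_gateway_enable", "NO").upper() == "YES"
    uses_rtadv = any(k.startswith("ifconfig_") and k.endswith("_ipv6")
                     and "accept_rtadv" in v for k, v in conf.items())
    if is_router and uses_rtadv and not conf.get("ipv6_defaultrouter"):
        findings.append("router ignores RAs: set ipv6_defaultrouter or drop ipv6_gateway_enable")
    return findings

def classify(addr_text):
    """Label an address the way the thread distinguishes them; a %zone suffix
    marks a link-local address that is meaningful on that interface only."""
    text, _, zone = addr_text.partition("%")
    addr = ipaddress.IPv6Address(text)
    if addr in ipaddress.IPv6Network("fe80::/10"):
        return ("link-local on " + zone) if zone else "link-local (no zone given)"
    if addr in ipaddress.IPv6Network("fec0::/10"):
        return "site-local (deprecated)"
    if addr in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local (private)"
    return "global"

if __name__ == "__main__":
    for finding in check_ipv6_routing(parse_rc_conf(RC_CONF)):
        print("rc.conf:", finding)
    for a in ("fe80::f03c:92ff:febc:5437%vtnet0", "fd00::1", "2600:3c02::1"):
        print(a, "->", classify(a))
```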

