I have a server in a datacenter with native IPv6 connectivity. (I have a /48 block at my disposal.)
I want to use this server as an IPv6 tunnel server over OpenVPN, but I can't get it to work completely.
My server:
Linux, CentOS 5.2
eth0 dual-stacked IPv4/IPv6
ip addr list:
eth0
inet aa.bb.cc.dd/24 (my global IP address)
inet6 2001:aaaa:bbb::2/48 (2001:aaaa:bbb::1 is the default GW of my ISP)
sit2
link/sit 10.8.0.1 peer 10.8.0.2
inet6 2001:aaaa:bbb:2::1/64
tun0
inet 10.8.0.1 peer 10.8.0.2/32
My client:
Mac OS 10.6
tun0: 10.8.0.2 --> 10.8.0.1
gif0 2001:aaaa:bbb:2::2 --> 2001:aaaa:bbb:2::1 prefixlen 128
route to default gw 2001:aaaa:bbb:2::1 (the ip of my server on the sit interface)
I think the Mac side is OK, as a traceroute6 to ipv6.google.com gives 2001:aaaa:bbb:2::1 as the next hop, but it stalls there.
Pinging ipv6.google.com from the server works.
ip6tables is turned off, and I did echo "1" to /proc/sys/net/ipv6/conf/all/forwarding.
Output from ip6tables -L:
ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Output from sysctl -a |grep forward|grep ipv6:
net.ipv6.conf.sit2.forwarding = 1
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
What's keeping my router from forwarding the packets between its two interfaces?
Best Answer
Putting a /64 from inside this /48 space behind another router (your diy tunnelbox) will not work because your ISP's router does not route the traffic for this /64 back to your tunnelbox, but expects the hosts to be directly in the local subnet.
Your ISP should not put a /48 on the link, but use a /64 instead.
Either you'll need to do some proxy-ARP magic (haven't been there, wouldn't do that) or you'll tell your ISP to put a /64 on the link, e.g. the first /64 in the /48. Then, your ISP also has to add a route to some other part of your /48 via your tunnel server. (been there, have that running at my ISP in colocation). A possibility is to ask them to route a /56 inside the /48 to your tunnelbox, so you can create tunnels which have one or multiple /64s on the other side. For the tunnels themselves you can either also use /64s from the /56, or use one /64 with something like a /80 as the tunnel itself.
(Note: 2001:A000::/20 is address space in use by APNIC; if you want to hide your actual addresses, it's better to use an address range like 2001:db8::/32, which is meant to be used for documentation purposes.)
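The routing argument in the answer above can be checked with a small model of longest-prefix-match forwarding plus neighbour discovery. The following is an added example, not code from the question or the answer: it models the ISP router and the tunnel server with routing tables of the form (prefix, gateway or None for on-link, device) and a set of hosts that actually answer Neighbor Solicitation on each link. With the whole /48 on-link, the ISP router tries to resolve the client address on the Ethernet segment, nobody answers, and the packet is dropped; with a /64 on-link and a /56 routed via the tunnelbox it is forwarded through the tunnel. The third case models the "proxy magic" alternative (the tunnelbox answering solicitations for the client, i.e. proxy NDP). All addresses are constructed from the documentation prefix 2001:db8::/32 and the table layout is an assumption about a typical setup, not the asker's real configuration.

```python
import ipaddress

# Constructed addresses from 2001:db8::/32 (assumed layout; not the asker's real ones).
ISP_GW = "2001:db8:1::1"        # ISP router's address on the colo link
TUNNELBOX = "2001:db8:1::2"     # the OpenVPN/sit tunnel server
CLIENT = "2001:db8:1:102::2"    # Mac on the far end of the tunnel


def lookup(table, dst):
    """Longest-prefix match. Rows: (prefix, gateway or None if on-link, device)."""
    addr = ipaddress.IPv6Address(dst)
    best = None
    for prefix, via, dev in table:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def next_hop(table, neighbours, dst):
    """Node the router hands the packet to, or None if neighbour discovery fails.

    On-link route: the router solicits dst itself. Gateway route: it solicits
    the gateway. `neighbours` maps a solicited address to the node that answers.
    """
    match = lookup(table, dst)
    if match is None:
        return None
    _, via, _ = match
    target = dst if via is None else via
    return neighbours.get(target)


# Who answers Neighbor Solicitation on the ISP<->tunnelbox Ethernet link: only the
# two routers. The client sits behind the tunnel and never sees those solicitations.
LINK_NEIGHBOURS = {ISP_GW: ISP_GW, TUNNELBOX: TUNNELBOX}

# Tunnelbox (forwarding=1): first /64 on eth0, the client's /64 on the sit tunnel,
# default route via the ISP.
TUNNELBOX_TABLE = [
    ("2001:db8:1::/64", None, "eth0"),
    ("2001:db8:1:102::/64", None, "sit2"),
    ("::/0", ISP_GW, "eth0"),
]
TUNNELBOX_NEIGHBOURS = {ISP_GW: ISP_GW, CLIENT: CLIENT}  # client answers over the tunnel

# ISP router as in the question: the whole /48 is on-link.
ISP_BEFORE = [("2001:db8:1::/48", None, "eth0")]
# ISP router as the answer proposes: /64 on-link, a /56 routed via the tunnelbox.
ISP_AFTER = [
    ("2001:db8:1::/64", None, "eth0"),
    ("2001:db8:1:100::/56", TUNNELBOX, "eth0"),
]


def trace(isp_table, dst, proxy_ndp=False):
    """Hops a packet takes from the ISP router towards dst; ends in dst or 'blackhole'."""
    link = dict(LINK_NEIGHBOURS)
    if proxy_ndp:
        # Proxy NDP: the tunnelbox answers solicitations for the client address
        # (on Linux: proxy_ndp=1 plus `ip -6 neigh add proxy <addr> dev eth0`).
        link[dst] = TUNNELBOX
    hops = []
    hop = next_hop(isp_table, link, dst)
    if hop is None:
        return ["blackhole"]
    hops.append(hop)
    if hop == dst:
        return hops
    hop = next_hop(TUNNELBOX_TABLE, TUNNELBOX_NEIGHBOURS, dst)
    hops.append(hop if hop is not None else "blackhole")
    return hops


if __name__ == "__main__":
    print("whole /48 on-link:           ", trace(ISP_BEFORE, CLIENT))
    print("/64 on-link + routed /56:    ", trace(ISP_AFTER, CLIENT))
    print("whole /48 on-link, proxy NDP:", trace(ISP_BEFORE, CLIENT, proxy_ndp=True))
```

The model deliberately ignores ip6tables, since the question already shows ACCEPT policies and forwarding=1 on the tunnel server: with the /48 on-link, the packets never reach that server in the first place, so nothing on it can fix the problem. Only the ISP side (a routed /56, or proxy NDP on the tunnelbox for every tunnelled address) changes the outcome.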