Linux – Native IPv6: routing between eth0 and eth1

ipv6linuxradvdrouting

I humbly ask for your assistance with the problem I can't resolve myself.

I have a native IPv6 link with 2001:db8:14::/48 assigned. I'm running Slackware on 3.2.50-grsec kernel. My ISP's side (my default gw for ::/0) is 2001:db8:14::1. I have assigned 2001:db8:14::2 to my WAN interface (eth0) and it's working – I can ping and access various services in the Internet via IPv6. I would like this machine to act as a router for machines in LAN (eth1). I deployed radvd and all computers (various Win XP, Win 7 and Linux systems) successfully acquired IPv6 addresses from 2001:db8:14:a::/64 subnet. I assigned 2001:db8:14:a::1 to the eth1 LAN interface. Now… I can ping6 between all machines inside LAN. I can ping6 2001:db8:14:a::1 from any machine in the LAN. I can't ping6 2001:db8:14::2 (eth0) from any machine the LAN ("Destination unreachable: Address unreachable"). I can ping 2001:db8:14::2 from the Internet. I can't ping 2001:db8:14:a::1 from the Internet.

Clearly there is something wrong with the forwarding traffic between interfaces. Of course I have set all /proc/sys/net/ipv6/conf/*/forwarding pseudofiles to "1". I have my default route set to "::/0 via 2001:db8:14::1 on dev eth0". I do not have any firewall and just in case the default policy on ip6tables for FORWARDING (and anything else) is ACCEPT.

Is there something I'm missing? Any ideas what might be wrong with the routing?

Best Answer

I notice one specific problem in your routing table. It specifies 2001:db8:14::/48 as directly attached to eth0. That should have been a /64. But I don't see how that could explain the symptoms.

One piece of information is clearly missing. The ISP router would have to be configured with a gateway address for 2001:db8:14::/48. If that gateway address is 2001:db8:14::2, the routing should be working correctly. If it is something else, then packets from outside cannot reach anything on your LAN, only the router WAN address would be reachable. That would explain why 2001:db8:14:a::1 is not reachable from outside. But 2001:db8:14::2 should still have been reachable from inside, which is puzzling.

The only way forward in such a situation is to repeat the pings, which did not work, and this time be observing the network traffic on both interfaces of the router with tcpdump or equivalent.

When sending packets from outside, the eth0 interface on the router should see neighbor discovery for the gateway that the ISP assigned for your prefix. If sending packets to any address in your /48 results in neighbor discovery for the exact same address, then that address is the gateway address you should be assigning to eth0. There is a few other ways this can turn out, in that case you need to update your question with information about what traffic you actually see.

Related Solutions

IPv6 routing problem

Unless your provider really routes your subnet to your host, you'll have to setup your host so that it proxies ICMPv6 neighbourhood discovery (ND) for the IPs of your guests.

Assuming you have been assigned 2001:0DB8:A::/64, your host is 2001:0DB8:A::1 on eth0, and your guest VM uses 2001:0DB8:A::2 (on a virtual bridge br0). To tell your host to proxy ND queries issue the following command:

ip -6 neigh add proxy 2001:0DB8:A::2 dev eth0

Also make sure that you have fowarding and ND proxying enabled for IPv6:

sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv6.conf.all.proxy_ndp=1

On the guest, you either use the link-local address of the host on br0 as default gateway. Or you add an additional IP on the br0 interface on the host, and use that as default gateway in the guests.

Openvpn – How to setup OpenVPN with IPv4 and IPv6 using a tap device

Timothy Baldwins answer put me on the right track, although the answer was rather cryptic. IPv6 neighbor advertisements/solicitation is like ARP for IPv6. It's used to "see" other machines on the network. The router send a neighbor solicitation on which the machine (server or client) should reply on with a neighbor advertisement.

Even with net.ipv6.conf.all.forwarding set to 1, neighbor advertisements and solicitations are not forwarded. To make eth0 forward neighbor advertisements and solicitations, eth0 should be set as proxy for the IPv6 address of the client behind tap0, and proxying for neighbor stuff should be enabled for eth0:

echo 1 > /proc/sys/net/ipv6/conf/eth0/proxy_ndp
/sbin/ip -6 neigh add proxy 2001:db8::100:abc:2 dev eth0

Unfortunately, it's not possible to retrieve the list of proxies added, nor does ip -6 show error messages on repeatedly executing the command. Neither am I sure if "neigh del proxy" works, it does not give an error message and the C source is not really meaningful to me.

As I do not want to do everything manually, I've created a script which does the work for me.

Server configuration

IPv6 addresses are based on the IPv4 part (the 1 in 10.8.0.1). The prefix and netmask are stored in /etc/openvpn/variables.

The next steps are made for setting up OpenVPN with encrypted IPv4/IPv6 connectivity to the Internet over a native IPv4 connection. RSA keys and tls-auth are used for authentication and MITM prevention.

/etc/openvpn/variables contains variables which are used for the up script (run on startup, after creation of tap0 device) and client-connect script (run after the client has authenticated).

# this prefix is handled out by the provider, replace it with your own prefix
prefix=2001:db8::abc
# netmask, 2001:db9::abc:0000 - 2001:db9::abc:FFFF
prefixlen=112

/etc/openvpn/server-clientconnect.sh is executed as root and makes sure that IPv6 is routed properly by adding the IPv6 address to the eth0 proxy. Because client-connect is called after OpenVPN switched to the user specified by the User setting, sudo is needed to give the script sufficient permissions to run as root. Of course, variables should be checked before using, the number should be between and including 2 ad 254. (1 is the gateway, 255 the broadcast address).

#!/bin/sh
. /etc/openvpn/variables
if [ -z "$ifconfig_pool_remote_ip" ]; then
        echo "Missing environment variable."
        exit 1
fi
ipp=$(echo "$ifconfig_pool_remote_ip" | cut -d. -f4)
if ! [ "$ipp" -ge 2 -a "$ipp" -le 254 ] 2>/dev/null; then
        echo "Invalid IP part."
        exit 1
fi
hexipp=$(printf '%x' $ipp)
/sbin/ip -6 neigh add proxy $pfx:$hexipp dev eth0

To make this work, the user vpn should be allowed to run the script while preserving $ifconfig_pool_remote_ip which contains the remote network IPv4 address. Add the next lines to the sudoers file by executing sudo visudo and appending:

Defaults:vpn env_keep=ifconfig_pool_remote_ip
vpn ALL=NOPASSWD: /etc/openvpn/server-clientconnect.sh

/etc/openvpn/server-up.sh enables IPv4, IPv6 forwarding (eth0+tap0 did not work, it really had to be all) and neighbor proxy on eth0. It adds the gateway address to servers tap0 too.

#!/bin/sh
. /etc/openvpn/variables
/sbin/ip -6 addr add $pfx:1/$pfxlen dev $dev
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/eth0/proxy_ndp

Finally, the OpenVPN configuration file at /etc/openvpn/internet.conf:

proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
script-security 2
up /etc/openvpn/server-up.sh
client-connect "/usr/bin/sudo -u root /etc/openvpn/server-clientconnect.sh"
# encrypt all traffic
push "redirect-gateway def1"
# keep the same IP addresses each time
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0
cipher BF-CBC
comp-lzo
# OpenVPN will switch to this user, it is also used for sudo
user vpn
group vpn
persist-key
persist-tun

For completeness, permissions and ownerships of files in /etc/openvpn:

drwx------  root root  .
-rw-------  root root  ca.crt
-rw-------  root root  dh1024.pem
drwx------  root root  easy-rsa      <-- left from creation of keys
-rw-------  root root  ipp.txt
-rwx------  root root  server-clientconnect.sh
-rw-------  root root  internet.conf
-rw-------  root root  variables
-rwx------  root root  server-up.sh
-rw-------  root root  server.crt
-rw-------  root root  server.key
-rw-------  root root  ta.key
-rwx------  root root  update-resolv-conf <-- this was installed by default

Firewall settings:

itpables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -i tap0 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -s 2001::db8::abc:0/112 -i tap0 -o eth0 -j ACCEPT

Configuration on client

/etc/openvpn/client.conf:

client
dev tap
proto udp
remote 178.21.112.251 1194
script-security 2
up /etc/openvpn/client-up.sh
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert home.crt
key home.key
ns-cert-type server
tls-auth ta.key 1
cipher BF-CBC
comp-lzo

ta.key and ca.key are the same files from the server. home.key and home.crt are files, created on the server.

client-up.sh adds the IPv6 address and route (based on IPv4 address):

#!/bin/sh
pfx='2001:db8::abc'
pfxlen=112
hexippart=`printf '%x' "$(echo $ifconfig_local | cut -d. -f4)"`
/sbin/ip -6 addr add $pfx:$hexippart/$pfxlen dev $dev
/sbin/ip -6 route add default via $pfx:1 dev $dev

The guide at http://www.ipsidixit.net/2010/03/24/239/ was very helpful and OpenVPN manual page is useful for information about various settings.