OPNsense Forum

English Forums => General Discussion => Topic started by: nibblerrick on January 12, 2016, 04:09:07 pm

Title: IPv6 Subnetting and routing from a /48 tunnelbroker network
Post by: nibblerrick on January 12, 2016, 04:09:07 pm
Hi there,

I think I am a blockhead here as it is probably easy: When I get a routed /48 subnet from he.net tunneled to my router and want to use multiple smaller /64s out of it and route between them, how do I do that?
Just create different interfaces and assign the /64s to them?
Following the pfSense tunneling howto, you have a gateway set up for the tunnel which has the tunnel addresses. But where is the routing of the incoming /48 done, and how will OPNsense choose where to route what? Is it done just with the interfaces that are there, or do gateways have to be created?
I really have the feeling I am missing something obvious here.

Thanks in advance

    Nico
Title: Re: IPv6 Subnetting and routing from a /48 tunnelbroker network
Post by: nibblerrick on January 19, 2016, 09:02:14 pm
Hi there,

Really no one? If the question is so easy, please someone stoop to answer it. Or is it really that hard?

Thanks :-)
Title: Re: IPv6 Subnetting and routing from a /48 tunnelbroker network
Post by: ittchmh on January 26, 2016, 06:09:08 pm
Hi!

I am not using the he.net tunnelbroker any more. My ISP delegated a native IPv6 /60 subnet to me.

This is my HE Account:
(http://i.imgur.com/xqxr0w8.png)

You do it like in pfSense

Building a Tunnel

Enable ICMP
Don't forget to enable ICMP on the WAN interface, if ICMP is blocked the tunnelbroker will not allow a tunnel to be configured. The source IP address on this rule should be the remote endpoint IP of the gif tunnel, or any.
(http://i.imgur.com/pDqqBp8.png)

Create GIF Interface
Now navigate to the assign GIF interfaces screen on OPNsense, where the address information from Hurricane Electric or SixXS may be entered. Navigate to Interfaces: Other Types: GIF.
The HE or Sixxs Server IPv4 address goes into the gif remote address
The HE or Sixxs Client IPv6 address goes into the gif tunnel local address
The HE or Sixxs Server IPv6 address goes into the gif tunnel remote address

Enter a Description and click Save.
(http://i.imgur.com/3WyKhN8.png)

Assign GIF Interface
Go to Interfaces: Assignments and choose the GIF interface to be used for an OPT interface. In this example, the OPT interface is named HE_IPv6. Click Save and Apply Changes if they appear.
(http://i.imgur.com/UJ5d1Xe.png)

Configure OPT Interface

With the OPT interface assigned, the OPT interface may be enabled from the Interfaces menu. Keep IPv6 Configuration Type set to None.
(http://i.imgur.com/vaXvxyT.png)

Go to System: Gateways: All
And configure gateway:
(http://i.imgur.com/KrIt7Fe.png)

If all of the settings were entered correctly and the tunnel broker is working, the gateway will now be listed as online.
(http://i.imgur.com/cYKvW92.png)

Set Up LAN for IPv6

Before configuring the LAN interfaces, split your /48 subnet into /64 subnets (use an IPv6 calculator or similar).
Choose the preferred /64 subnet for each LAN interface.
(http://i.imgur.com/8rGiF4m.png)

Configure interfaces
First LAN

(http://i.imgur.com/FmfuTSk.png)
(http://i.imgur.com/loBk7fF.png)

And as many as you need
------------
(http://i.imgur.com/JuPdkSk.png)
(http://i.imgur.com/zmmyLfH.png)
------------
(http://i.imgur.com/vEKKx68.png)
(http://i.imgur.com/A8J5YIf.png)

Set Up DHCPv6 and RA

Go to Services: DHCPv6: Server and configure all IPv6 interfaces.
DHCP
(http://i.imgur.com/WxcBmXv.png)

RA
(http://i.imgur.com/aJuOVPv.png)

Try it out

Check IPv6 addresses
(http://i.imgur.com/puhQ9tX.png)
(http://i.imgur.com/QcfwFvJ.png)

Don't forget to add firewall rules to allow IPv6 on all configured interfaces.
Title: Re: IPv6 Subnetting and routing from a /48 tunnelbroker network
Post by: nibblerrick on January 27, 2016, 03:23:04 pm
Thank you very much for your post!
So you have the tunnel with the routed /48 at your OPNsense and just assign the appropriate /64 subnets on the different interfaces, right? No other routing setting to set on OPNsense at this point? That was the thing I wasn't sure about. Thank you very much.
The other thing I don't really understand at the moment is how the Prefix delegation range on the DHCPv6 server will be used, but that is another question...

Thanks again

   Nico
Title: Re: IPv6 Subnetting and routing from a /48 tunnelbroker network
Post by: ittchmh on January 27, 2016, 04:04:25 pm
Quote
So you have the tunnel with the routed /48 at your OPNsense and just assign the appropriate /64 subnets on the different interfaces, right? No other routing setting to set on OPNsense at this point? That was the thing I wasn't sure about. Thank you very much.
Hi!
If you are not sure, just try :)


You do all things like in pfSense or other network appliance!
You can do it even with Windows Server!!!


Quote
The other thing I don't really understand at the moment is how the Prefix delegation range on the DHCPv6 server will be used, but that is another question...

You can set the RA subnet on the Router Advertisement tab and turn off DHCPv6, but then you must set DNSv6 servers manually on clients. Or if your DNSv4 server replies to DNSv6 queries - you're done.
(http://i.imgur.com/LYfYM9J.png)
Not necessary to set the DNSv6 server manually.

If you want to use IPv6 on an Android phone, RA must be turned ON. Android does not receive an IP via DHCPv6, it uses Router Advertisement!!!

Or you can set IPv6 manually on all of your clients, like with IPv4.

To understand prefix delegation, DHCPv6 and RA you must learn IPv6.
I have done that a long time ago here (https://ipv6.he.net/certification/scoresheet.php?pass_name=ittc)
Title: Re: IPv6 Subnetting and routing from a /48 tunnelbroker network
Post by: ittchmh on January 27, 2016, 10:48:43 pm
Forgot to add the screenshot with the RA config...
(http://i.imgur.com/w27wRA8.png)
Title: Re: IPv6 Subnetting and routing from a /48 tunnelbroker network
Post by: djgend on January 21, 2017, 11:44:42 am
No, you can't customize the subnet prefix that HE provided to you.

according to https://www.22decembre.eu/2016/05/28/openbsd-ipv6-router-en/
Quote
A slice of reflexion

You have to, sort of, copy your configuration/topology from ipv4 to ipv6.

HE will give you a /48 automatically. If you read my article about ipv6, you know that your network is of minimal size: you cannot have sub-nets in it. If you have several sub-nets in ipv4 (Ethernet and Wifi separated), then you will have to do the same with ipv6. HE will give you a /48 if the server you registered your tunnel on has enough space when you request it.

and
As a reference see https://forum.openwrt.org/viewtopic.php?pid=248046#p248046 
Quote
Nothing wrong on your side, however your ISP / LTE-carrier must provide you with a delegated prefix for your clients which it doesn't at the moment. You cannot just use an arbitrary value in ip6prefix since it must be routed to you.

What the HE tunnel provides is a non-prefix-delegation subnet; if you add an arbitrary value in it, you will encounter slow speed or a non-routable subnet. It differs from those who are provided a native IPv6 subnet that can delegate prefixes through DHCPv6-PD.

And try to distinguish
2001:xxx:x:xxx::1/64 from 2001:xxx:x:xxx:1:1/64: if you only RA the latter subnet, it's not the HE tunnel that routes the default to you.
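An added example (not from this thread, OPNsense or HE) that does with Python's ipaddress module what the walkthrough above does with an IPv6 calculator: carve one /64 per interface out of the routed /48, derive the router's static address for each, and then check candidate prefixes the way djgend warns about, so that only prefixes inside the routed /48 are accepted. The prefixes 2001:db8:1::/48 (routed block) and 2001:db8:ffff:1::/64 (tunnel /64) are constructed documentation values and the interface names are made up.

```python
"""Carve per-interface /64 prefixes out of a routed /48 and sanity-check them.

Constructed values only: 2001:db8:1::/48 stands in for the routed /48 that the
tunnel broker assigns, 2001:db8:ffff:1::/64 for the point-to-point tunnel /64.
"""
import ipaddress
from typing import Dict, List

ROUTED_48 = ipaddress.IPv6Network("2001:db8:1::/48")        # constructed routed /48
TUNNEL_64 = ipaddress.IPv6Network("2001:db8:ffff:1::/64")   # constructed tunnel /64


def carve_lan_prefixes(routed: ipaddress.IPv6Network,
                       interfaces: List[str]) -> Dict[str, ipaddress.IPv6Network]:
    """Hand out consecutive /64s from the routed block, one per interface name."""
    if routed.prefixlen > 64:
        raise ValueError("routed block must be /64 or larger to carve /64s from it")
    slots = routed.subnets(new_prefix=64)
    return {name: next(slots) for name in interfaces}


def router_address(net: ipaddress.IPv6Network) -> str:
    """Static address to enter on the OPNsense interface: first host of the /64."""
    return f"{net[1]}/{net.prefixlen}"


def check_candidate(candidate: str, routed: ipaddress.IPv6Network,
                    in_use: Dict[str, ipaddress.IPv6Network]) -> str:
    """Say whether an interface address/prefix will be reachable via the tunnel.

    It must be a /64 on-link prefix (RA/SLAAC need that), lie inside the routed
    block (anything else is not routed to this endpoint), and not repeat a prefix
    that is already configured on another interface."""
    net = ipaddress.IPv6Interface(candidate).network   # host bits are masked off
    if net.prefixlen != 64:
        return f"{candidate}: use a /64 so RA/SLAAC works (got /{net.prefixlen})"
    if not net.subnet_of(routed):
        return f"{candidate}: {net} is not inside {routed}, it is not routed to you"
    for name, used in in_use.items():
        if used == net:
            return f"{candidate}: {net} already assigned to {name}"
    return f"{candidate}: ok, on-link prefix {net}"


if __name__ == "__main__":
    lans = carve_lan_prefixes(ROUTED_48, ["LAN", "WIFI", "DMZ"])
    for name, net in lans.items():
        print(f"{name:5} {net}  router {router_address(net)}")
    for cand in ("2001:db8:1:10::1/64", f"{TUNNEL_64[1]}/64", "2001:db8:1:2:1:1::/64"):
        print(check_candidate(cand, ROUTED_48, lans))
```

The tunnel /64 check shows the distinction the walkthrough relies on: the tunnel endpoint addresses belong to the point-to-point /64, while LAN prefixes must come out of the separately routed /48.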
Title: Re: IPv6 Subnetting and routing from a /48 tunnelbroker network
Post by: FrenchFries on August 15, 2017, 06:44:32 pm
A huge "Thank you" for this very detailed post.
To configure this, it would take me at least a day in FreeBSD (not to say a week with firewalling).
You saved me a lot of time.

A few remarks (maybe it was written before):
* On the HE.net side, adjust the MTU to 1452. This will allow the gateway to ping6; otherwise, in my configuration, the gateway could not mount. This may differ from one installation to another based on your ISP.

Kind regards,
French Fries
Title: Re: IPv6 Subnetting and routing from a /48 tunnelbroker network
Post by: FrenchFries on August 15, 2017, 08:14:49 pm
It is very important to pass at least ICMP-v6 and block all IPv6 from the Internet to LAN net.
It is important to allow IPv6 traffic through HE.Net.

My firewalling rules for HE.NET are:

Action  Proto            Source   Port  Destination  Port  Gateway  Schedule  Description
pass    IPv6 *           WAN net  *     LAN net      *     *
pass    IPv6 IPV6-ICMP   *        *     *            *     *
pass    IPv4 ICMP        *        *     *            *     *
block   IPv6 *           *        *     WAN net      *     *
block   IPv6 *           *        *     LAN net      *     *
pass    IPv4+6 *         *        *     *            *     *

Without these settings, no traffic goes through HE.Net.

I am curious: Would it be simpler to allow protocol 59 IN, just like in Linux? Can it be done this way?
Title: Re: IPv6 Subnetting and routing from a /48 tunnelbroker network
Post by: franco on August 16, 2017, 08:08:38 am
This is strange, I do not have firewall rules on my HE tunnel at all. The test still reports 10/10.


Cheers,
Franco
Title: Re: IPv6 Subnetting and routing from a /48 tunnelbroker network
Post by: FrenchFries on August 16, 2017, 12:34:56 pm
Quote
This is strange, I do not have firewall rules on my HE tunnel at all. The test still reports 10/10.

Test reporting 10/10 is normal if you don't have any rules in HE Tunnel.

Take this differently: how do you allow ping6 from the Internet to your LAN IPv6 network and filter other incoming IPv6 traffic?
How do you filter external WWW=>LAN IPv6 traffic if you don't have any rules in the HE tunnel?
Did you filter IPv6 on WAN?

Can you run an nmap -6 test against one of your hosts in the LAN?
Are they wide open on the IPv6 network from the outside?
Title: Re: IPv6 Subnetting and routing from a /48 tunnelbroker network
Post by: franco on August 16, 2017, 01:35:38 pm
Fair point, I do not use IPv6 for incoming traffic, so that's two different sets of goals.
Title: Re: IPv6 Subnetting and routing from a /48 tunnelbroker network
Post by: FrenchFries on August 16, 2017, 02:48:39 pm
Okay, these are only filtering rules blocking IPv6 traffic to the LAN/WAN,
except ping6, multicast v6 and neighbor solicitation v6.

Otherwise, your network is wide open on the IPv6 Internet.