IPv6 Help Needed

Started by borys.ohnsorge, January 13, 2025, 05:14:43 PM

Hi,

I have my own IPv6 prefix from IANA, let's say 2001:db8::/32.

I've delegated the prefix 2001:db8:b000::/40 for my lab.

So far, through trial and error, I've managed to create a working IPv6 "like IPv4" network configuration, but I'm aware that's not the way it should be done.

Here's what I did to achieve a theoretically working IPv6 configuration:
2 machines lab1 and lab2 (HA).

On the WAN interface:
  • Assigned static IPv6 addresses:
    2001:db8:b000::11/64 on wan-lab1
    2001:db8:b000::12/64 on wan-lab2
  • Configured the IPv6 gateway:
    2001:db8:b000::1
  • Configured a VIP (WAN Interface CARP):
    2001:db8:b000::10/64

On the LAN interface:
  • I assigned static IPv6 addresses:
    2001:db8:b003::2/64 on lan-lab1
    2001:db8:b003::3/64 on lan-lab2
  • Configured a VIP (LAN Interface CARP):
    2001:db8:b003::1/64

In ISC DHCPv6 LAN Interface, I have:

In Router Advertisements for Lan:

Firewall NAT Outbound Rule:
Interface: WAN
Source: LAN_net
Destination: !LAN_net
NAT Address: 2001:db8:b000::10

The above configuration allows a client connected to the LAN network to request an IPv6 address (IPv4 as well, but I'm skipping that part). The client gets two specific IPv6 addresses from DHCPv6: one of the "global temporary dynamic" type and the other of the "global dynamic mngtmpaddr" type.

This client has internet access over IPv6, but its traffic is NAT-ed to the WAN VIP CARP IP, which is not how it should work in the IPv6 world (at least that's what I think).

How should I properly configure the WAN/LAN interfaces and DHCPv6 so that LAN client hosts derive the higher 64 bits from the OPN DHCPv6 and generate the lower 64 bits themselves (because, as far as I know, this is how it should work "properly")?

I need your support to correctly configure WAN IPv6 (static), LAN IPv6 (static?), and DHCPv6 for the LAN network. Unfortunately, I lack experience in this area, and the documentation seems rather sparse, especially regarding owning an IPv6 prefix and configuring interfaces statically.

Any suggestion on this topic is welcome.

Regards
Borys

I've made some changes:

On the WAN interface:
  • Assigned static IPv6 addresses:
    2001:db8:b000::11/48 on wan-lab1
    2001:db8:b000::12/48 on wan-lab2
  • Configured the IPv6 gateway:
    2001:db8:b000::1
  • Configured a VIP (WAN Interface CARP):
    2001:db8:b000::10/48

On the LAN interface:
  • I assigned static IPv6 addresses:
    2001:db8:b000:300::1/56 on lan-lab1
    2001:db8:b000:300::2/56 on lan-lab2

In ISC DHCPv6 LAN Interface, I have:

In Router Advertisements for Lan:

The IPv6 "world" directly from lab1/lab2 works fine (I can ping Google's IPv6 DNS).

Now my LAN client host gets IPv6 from lab1's DHCPv6.

First question: why is it /128?
noc@noc-NUC8i3BEK:~$ ip a s
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether xx:xx:xx:xx:7c:f3 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
    inet 10.255.5.30/24 brd 10.255.5.255 scope global dynamic noprefixroute eno1
       valid_lft 200sec preferred_lft 200sec
    inet6 2001:db8:b000:3d4:d156:9f78:d2a8:51bb/128 scope global dynamic noprefixroute
       valid_lft 198sec preferred_lft 85sec
    inet6 fe80::92b2:3746:d197:5546/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
noc@noc-NUC8i3BEK:~$

IPv6 routes on client host:
noc@noc-NUC8i3BEK:~$ ip -6 ro
2001:db8:b000:3d4:d156:9f78:d2a8:51bb dev eno1 proto kernel metric 100 pref medium
2001:db8:b000:300::/56 dev eno1 proto ra metric 100 pref medium
fe80::/64 dev eno1 proto kernel metric 1024 pref medium
default via fe80::3eec:efff:fedd:11b4 dev eno1 proto ra metric 20100 pref medium
noc@noc-NUC8i3BEK:~$

When NAT is enabled (Source: LAN_net, Dest: !LAN_Net, NAT Address: 2001:db8:b000::10):
noc@noc-NUC8i3BEK:~$ ping 2001:db8:b000::1
PING 2001:db8:b000::1 (2001:db8:b000::1) 56 data bytes
64 bytes from 2001:db8:b000::1: icmp_seq=1 ttl=63 time=0.393 ms
^C
--- 2001:db8:b000::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.393/0.393/0.393/0.000 ms

noc@noc-NUC8i3BEK:~$ ping 2001:4860:4860::8888
PING 2001:4860:4860::8888 (2001:4860:4860::8888) 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=116 time=1.39 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=116 time=1.43 ms
^C
--- 2001:4860:4860::8888 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.391/1.409/1.427/0.018 ms
noc@noc-NUC8i3BEK:~$

But when NAT rule is disabled:
I can ping lab1-lan ipv6 address:
noc@noc-NUC8i3BEK:~$ ping6 2001:db8:b000:300::1
PING 2001:db8:b000:300::1 (2001:db8:b000:300::1) 56 data bytes
64 bytes from 2001:db8:b000:300::1: icmp_seq=1 ttl=64 time=0.240 ms
64 bytes from 2001:db8:b000:300::1: icmp_seq=2 ttl=64 time=0.384 ms
^C
--- 2001:db8:b000:300::1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1035ms
rtt min/avg/max/mdev = 0.240/0.312/0.384/0.072 ms

I can ping lab1-wan ipv6 address:
noc@noc-NUC8i3BEK:~$ ping6 2001:db8:b000::11
PING 2001:db8:b000::11 (2001:db8:b000::11) 56 data bytes
64 bytes from 2001:db8:b000::11: icmp_seq=1 ttl=64 time=0.314 ms
64 bytes from 2001:db8:b000::11: icmp_seq=2 ttl=64 time=0.385 ms
^C
--- 2001:db8:b000:300::1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1034ms
rtt min/avg/max/mdev = 0.314/0.349/0.385/0.035 ms

When I try to ping lab1's IPv6 WAN GW, I can see that the packet is going out from lab1 and is reaching that GW:
noc@noc-NUC8i3BEK:~$ ping6 2001:db8:b000::1
PING 2001:db8:b000::1 (2001:db8:b000::1) 56 data bytes
^C
--- 2001:db8:b000::1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2037ms

root@lab1:~ # tcpdump -ni lagg0_vlan52 host 2001:db8:b000::1 and not host 2001:db8:b000::11
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lagg0_vlan52, link-type EN10MB (Ethernet), snapshot length 262144 bytes

12:16:35.053213 IP6 2001:db8:b000:3d4:d156:9f78:d2a8:51bb > 2001:db8:b000::1: ICMP6, echo request, id 5298, seq 1, length 64
12:16:36.066610 IP6 2001:db8:b000:3d4:d156:9f78:d2a8:51bb > 2001:db8:b000::1: ICMP6, echo request, id 5298, seq 2, length 64
12:16:37.090509 IP6 2001:db8:b000:3d4:d156:9f78:d2a8:51bb > 2001:db8:b000::1: ICMP6, echo request, id 5298, seq 3, length 64

tcpdump from that GW:
f1b-core01#tcpdump interface vlan 52 verbose filter host 2001:db8:b000::1 and not host 2001:db8:b000::11
tcpdump: listening on vlan52, link-type EN10MB (Ethernet), capture size 262144 bytes

14:54:27.170987 xx:xx:xx:xx:3b:66 > xx:xx:xx:xx:51:bb, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::21c:73ff:fe88:3b66 > ff02::1:ffa8:51bb: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb
  source link-address option (1), length 8 (1): xx:xx:xx:xx:3b:66
    0x0000:  001c 7388 3b66
14:54:28.183078 xx:xx:xx:xx:3b:66 > xx:xx:xx:xx:51:bb, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::21c:73ff:fe88:3b66 > ff02::1:ffa8:51bb: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb
  source link-address option (1), length 8 (1): xx:xx:xx:xx:3b:66
    0x0000:  001c 7388 3b66


GW (2001:db8:b000::1) has route to this host:
f1b-core01#show ipv6 route 2001:db8:b000:3d4:d156:9f78:d2a8:51bb

VRF: default
Routing entry for 2001:db8:b000:3d4:d156:9f78:d2a8:51bb
Codes: C - connected, S - static, K - kernel, O3 - OSPFv3, B - BGP, R - RIP, A B - BGP Aggregate, I L1 - IS-IS level 1, I L2 - IS-IS level 2, DH - DHCP, NG - Nexthop Group Static Route, M - Martian, DP - Dynamic Policy Route, L - VRF Leaked

 C        2001:db8:b000::/48 [0/1]
           via Vlan52, directly connected

That GW sends "who has" (see the capture above).


I can see it on lab1-wan interface:
root@lab1:~ # tcpdump -ni lagg0_vlan52 host 2001:db8:b000::1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lagg0_vlan52, link-type EN10MB (Ethernet), snapshot length 262144 bytes

14:22:32.860398 IP6 2001:db8:b000::1 > ff02::1:ffa8:51bb: ICMP6, neighbor solicitation, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb, length 32
14:22:33.890708 IP6 2001:db8:b000::1 > ff02::1:ffa8:51bb: ICMP6, neighbor solicitation, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb, length 32
14:22:34.914744 IP6 2001:db8:b000::1 > ff02::1:ffa8:51bb: ICMP6, neighbor solicitation, who has 2001:db8:b000:3d4:d156:9f78:d2a8:51bb, length 32

And nothing else happens...

Do you have any idea what might be wrong?
How can I ensure that client computers in the LAN network receive a /64 instead of a /128?
Why doesn't lab1 (OPNsense) respond to "neighbor solicitation," even though it clearly knows this host is in its LAN network?

Any information, suggestions, or feedback is welcome—even if it's not entirely accurate, it might still help or point me in the right direction to solve the problem.

Regards
Borys
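Editor's note with an added example (this is not code from the original post or from OPNsense; only the prefixes, the upstream's connected route, the CARP VIP and the client address are taken from the thread, everything else is illustrative). The captures above already contain the answer to the third question: f1b-core01 shows `C 2001:db8:b000::/48 via Vlan52`, so the upstream treats the entire /48, including the LAN client's 2001:db8:b000:3d4:... address, as directly connected on the WAN VLAN. It therefore sends a Neighbor Solicitation for that address on VLAN 52 instead of routing it toward the firewalls, and OPNsense does not proxy ND for hosts behind it, so nothing answers. With outbound NAT enabled the problem was hidden because the return traffic is addressed to the CARP VIP 2001:db8:b000::10, which is genuinely on that link and does answer ND. The upstream needs a route for 2001:db8:b000:300::/56 with the WAN CARP VIP as next hop (so it survives a failover), or the transit between the core and the firewalls should be a /64 that does not contain the LAN prefixes. The /128 on the client is normal: that is how DHCPv6 IA_NA assigns addresses, and the on-link route comes from the RA prefix option; SLAAC (clients generating the low 64 bits themselves) requires the RA to advertise a /64, which the /56 currently in the RA is not. The script below encodes these checks so the plan can be verified before touching the devices.

```python
"""Sanity checks for the IPv6 plan in the thread above.

Added example, not code from the original post or from OPNsense. The prefixes,
the upstream's connected route, the CARP VIP and the client address are copied
from the post; the Link type and function names are illustrative.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv6Network
Addr = ipaddress.IPv6Address


@dataclass(frozen=True)
class Link:
    name: str    # label only
    prefix: Net  # prefix the router on this link treats as on-link (sends NS for)


def nested_onlink(links):
    """Pairs (outer, inner) where one link's on-link prefix contains another's.
    A router that sees the outer prefix as directly connected will Neighbor-Solicit
    inner addresses on the outer link instead of routing them (RFC 4861 section 5.2)."""
    return [(o, i) for o in links for i in links
            if o is not i and i.prefix != o.prefix and i.prefix.subnet_of(o.prefix)]


def routes_upstream_needs(connected, routes, internal, next_hop):
    """Internal prefixes that sit inside one of the upstream's connected prefixes
    and have no more-specific route. Each one needs a static route via next_hop,
    which should be the CARP VIP so the route survives a failover."""
    needed = []
    for p in internal:
        inside = any(p.subnet_of(c) for c in connected)
        specific = any(p.subnet_of(r) for r in routes)
        if inside and not specific:
            needed.append((p, next_hop))
    return needed


def slaac_capable(ra_prefix):
    """SLAAC with a 64-bit interface identifier only works for a /64 prefix
    (RFC 4862 section 5.5.3(d)); Linux ignores an A-flag prefix of any other length."""
    return ra_prefix.prefixlen == 64


def address_origin(iface):
    """A /128 on the client means the address came from DHCPv6 (IA_NA) or was
    set statically; on-link reachability then comes from the RA prefix route,
    not from the address mask. A /64 is what SLAAC produces."""
    return "dhcpv6-or-static" if iface.network.prefixlen == 128 else "slaac"


def solicited_node(addr):
    """Solicited-node multicast group for addr (RFC 4291 section 2.7.1):
    ff02::1:ffXX:XXXX with the low 24 bits of the unicast address."""
    base = int(Addr("ff02::1:ff00:0"))
    return Addr(base | (int(addr) & 0xFFFFFF))


# Values from the post
WAN = Link("wan (lagg0_vlan52)", Net("2001:db8:b000::/48"))
LAN = Link("lan", Net("2001:db8:b000:300::/56"))
UPSTREAM_CONNECTED = [Net("2001:db8:b000::/48")]  # 'C 2001:db8:b000::/48 via Vlan52'
UPSTREAM_ROUTES = []                              # no more-specific route shown
WAN_VIP = Addr("2001:db8:b000::10")
CLIENT = ipaddress.IPv6Interface("2001:db8:b000:3d4:d156:9f78:d2a8:51bb/128")
RA_PREFIX = Net("2001:db8:b000:300::/56")         # 'proto ra' route on the client


def report():
    """Human-readable findings for the plan above."""
    lines = []
    for outer, inner in nested_onlink([WAN, LAN]):
        lines.append(f"{inner.prefix} lies inside on-link {outer.prefix} on {outer.name}")
    for p, nh in routes_upstream_needs(UPSTREAM_CONNECTED, UPSTREAM_ROUTES, [LAN.prefix], WAN_VIP):
        lines.append(f"upstream needs a route for {p} via {nh}")
    lines.append(f"client address origin: {address_origin(CLIENT)}")
    lines.append(f"RA prefix {RA_PREFIX} usable for SLAAC: {slaac_capable(RA_PREFIX)}")
    lines.append(f"NS for the client goes to {solicited_node(CLIENT.ip)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The solicited-node group computed for the client, ff02::1:ffa8:51bb, is exactly the destination seen in both captures, which confirms the NS on VLAN 52 is for the LAN host and not for some other address. Once the upstream has the /56 route, the NS should disappear and the WAN capture should show the echo replies being forwarded to OPNsense; for SLAAC, change the LAN interface and the RA to a /64 inside the /56.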