Penned by Andy on 20130829 14:35.48, we have:
| On Thu 29 Aug 2013 18:37:53 BST, Todd T. Fries wrote:
| >Penned by Andy on 20130829 9:57.29, we have:
| >| Hi everyone,
| >|
| >| I'm hoping someone can help me as I'm not having much luck with adding
| >| IPv6 to the mix of our already working IPv4 setup.
| >|
| >| What should /etc/hostname.carpX look like for an IPv6 setup? Is this
| >| correct?
| >|
| >| inet 10.0.10.1 255.255.255.0 10.0.10.255 vhid 1 pass temppass advbase 3 advskew 0
| >| inet6 2a00:7e0:0:a::1 64
| >
| >Any 'inet6' except the first link local reference in a given hostname.if(4)
| >file should be followed by 'alias'.
| >
| >Aka you need:
| >
| >inet6 alias 2a00:7e0:0:a::1
| >
| >The 64 is implicitly default; if you choose to explicitly list it, that's ok too.
| >
|
| Ah, of course! I have a ton of IPv4 aliases, but I didn't think to
| just add an IPv6 alias :)
|
| >| Or should I have a separate carpX interface for the IPv6?
| >|
| >| When I do a tcpdump on the master I see:
| >| Aug 29 14:36:56.416723 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33 (DF) [tos 0x10]
| >| Aug 29 14:36:56.416736 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33
| >| Aug 29 14:36:56.420823 08:00:27:71:f4:ca 33:33:00:00:00:01 86dd 86: fe80::1 > ff02::1: icmp6: neighbor adv: tgt is fe80::200:5eff:fe00:101
| >| Aug 29 14:36:56.420835 08:00:27:71:f4:ca 33:33:00:00:00:01 86dd 86: fe80::1 > ff02::1: icmp6: neighbor adv: tgt is 2a00:77e0:0:a::1
| >| Aug 29 14:36:57.638468 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
| >| Aug 29 14:36:57.641021 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0
| >| Aug 29 14:37:01.049324 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
| >| Aug 29 14:37:01.049685 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0
| >| Aug 29 14:37:04.458514 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
| >| Aug 29 14:37:04.462013 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0
| >| Aug 29 14:37:06.648983 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33 (DF) [tos 0x10]
| >| Aug 29 14:37:06.648996 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33
| >|
| >| I can see that the IPv6 CARP messages are using the link local address
| >| and not the global IPv6 addresses I have configured? Why?? :(
| >| This makes it really hard to write PF files as I would have to write
| >| filter rules considering each physical host's MAC addresses :(
| >
| >Because multicast is on the local link not on the global addresses?
| >
| >Can you not use pf(4) to filter fe80::/8 address space?
|
| Actually yes that would be OK as it's only local to the link... I
| was thinking I would have to filter the individual EUI64 addresses
| meaning I would have had to do something with puppet to pull MACs
| etc.. But fe80::/8 should be ok thinking about it. Thanks.
|
| >
| >| I'm also seeing errors stating that the inet6 carp address I have
| >| configured is a duplicate address! Although this could be due to the
| >| fact the firewalls are flapping between backup and master and there are
| >| going to be multi master periods.
| >
| >I thought at one point there was a commit to ignore duplicate v6 ndp
| >due to this issue. I can't find it right now though, so I don't know
| >if it is in 5.3 or not.
|
| Now you mention it, I think I saw that in the release notes for
| -current (so should be 5.4). I'll ignore it for now. Thanks.
|
| >
| >| net.inet.carp.allow=1
| >| net.inet.carp.preempt=1
| >| net.inet.carp.log=3
| >| net.inet6.ip6.forwarding=1
| >| net.inet6.ip6.redirect=0
| >| net.inet6.ip6.accept_rtadv=0
| >|
| >| I am also starting to read "Firewalling IPv6 with OpenBSD's pf(4) (packet
| >| filter)".
| >|
| >| Thanks for your time, Andy.
| >
| >Hope the above helps.
|
| Thanks Todd, yes it does :) Can you recommend anything else that
| should be done for IPv6 filtering/forwarding other than the pf(4) rules
| themselves? First time doing IPv6 on OBSD.

You have to be careful to not filter icmp6(4) on the link local multicast
subnets. Aka ff02::/8 .. both source and destination. If you wish to filter
out some icmp6(4) messages, be sure you permit those that make ndp work
(neighbrsol/neighbradv specifically); then there's toobig, unreach, echoreq,
echorep, fqdnreq, fqdnrep .. see icmp(4) and icmp6(4) for a full list of
icmp types and codes.

Bottom line is, with IPv6 instead of arp that pf(4) cannot currently block,
you have multicast ndp which can be blocked by pf(4), giving you more tools
to shoot yourself in the foot with. Be sure you test well before assuming a
given set of filter rules works ;-)

Also, because IPv6 has link-local, a given router only needs a single global
address per ethernet segment it wishes to advertise router advertisements
(via rtadvd(8)) on. If you are not using rtadvd(8) on a given router, then
one is all you need, regardless of the ethernet segments you are on. You can
route to link-local addresses just fine.

For example, every he.net tunnelbroker account wastes a whole /64 because it
uses the global address on a /64 to route between the remote and local
endpoints on a point to point link. Then it further routes a /64 to the
tunnel endpoint. It could route to the link local inside the tunnel, but for
whatever reason, they have chosen not to. I'm told BGP doesn't work this
way, but I'll leave those in the know on that front to describe what I
should not claim to understand well.

Also, in my local system, I sometimes would have to ping6(8) the default
route on an IPv6 client for me to access further, but since I've removed
carp and have one router, this has remained until I discovered running
rtsol(8) frequently solved the issue as well. I'm thinking it might be a
switch issue, but haven't had a chance to isolate the issue further.

Thanks,
--
Todd Fries .. t...@fries.net

 ____________________________________________
|                                            \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com            \  1.866.792.3418 (FAX)
| PO Box 16169, Oklahoma City, OK 73113-2169 \  sip:freedae...@ekiga.net
| "..in support of free software solutions." \  sip:4052279...@ekiga.net
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

 37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A
 http://todd.fries.net/pgp.txt
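As an added example that is not part of the thread (and not Todd's or Andy's configuration), here is a pf.conf(5) fragment that applies the advice above: pass CARP on the link-local multicast groups the tcpdump shows, never drop the ICMPv6 that neighbour discovery needs, and pass the listed error/informational types. The interface name em0 and the /64 prefix are assumptions; the carp address is the one from Andy's hostname.carpX.

```pf
# Added example, not from the thread. "em0" and the /64 are assumed;
# 2a00:7e0:0:a::1 is the carp address Andy configured.
ext_if = "em0"
lan6   = "2a00:7e0:0:a::/64"
carp6  = "2a00:7e0:0:a::1"

set skip on lo
block log all                       # default deny; open only what follows

# CARP advertisements. IPv4 goes to 224.0.0.18; IPv6 is sent from the
# link-local address to ff02::12 (exactly what the tcpdump shows), so
# match on fe80::/10, never on the global carp address.
pass quick on $ext_if inet proto carp to 224.0.0.18
pass quick on $ext_if inet6 proto carp from fe80::/10 to ff02::12

# Neighbour discovery replaces ARP and, unlike ARP, pf can drop it.
# Use "all": duplicate address detection sends its solicitation from ::
# and solicited-node targets live in ff02::1:ff00:0/104, so a narrow
# fe80::/10 source/destination match silently breaks DAD and ND.
# "no state" keeps a lost state entry from stalling address resolution.
pass quick on $ext_if inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv, routersol, routeradv } no state

# The ICMPv6 types the thread lists (unreach, toobig, echoreq, echorep,
# fqdnreq, fqdnrep). toobig is mandatory: IPv6 routers never fragment,
# so path MTU discovery dies without it. timex and paramprob are my
# addition, the remaining error types a firewall should not eat.
pass on $ext_if inet6 proto icmp6 icmp6-type { unreach, toobig, timex, paramprob, echoreq, echorep, fqdnreq, fqdnrep }

# Forwarded LAN traffic and one inbound service on the shared address
# (ssh is only an illustrative choice).
pass out on $ext_if inet6 from $lan6 to any
pass in on $ext_if inet6 proto tcp from any to $carp6 port ssh
```

Parse-check the file with `pfctl -nf /etc/pf.conf` before loading it, then confirm with `tcpdump -ni em0 icmp6` that neighbour solicitations and advertisements still cross the link once the rules are active.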