Re: IPV6 routing issue

Fri, 26 Jun 2015 06:14:25 -0700 

I have struggled with a similar problem a few years back. Can it be that
the upstream equipment does not create a route for the delegated prefix
pointing to your openbsd machine?

This would explain why you see neighbour solicitations on the outside
interface. The upstream router is not aware that the prefix should be
routed to you.

-- 
Patrik Lundin

----- Original message -----
From: Giancarlo Razzolini <grazzol...@gmail.com>
To: "Openbsd-Misc" <misc@openbsd.org>
Subject: IPV6 routing issue
Date: Thu, 25 Jun 2015 21:06:51 -0300

HI all,

     I've recently changed my ISP and they have native IPv6. My customer 
premises equipment, which is a GPON, supports both stateless as DHCPv6 
on it's LAN interface. I want to put a OpenBSD firewall between this CPE 
and my internal network. I'm using OpenBSD 5.7 stable. My CPE receive a 
/64 prefix delegation from my ISP. Unfortunately, this is a dynamic 
prefix, so I can't configure anything manually.

     I've managed to get wide-dhcp6 working and requesting the prefix to 
be delegated to my internal network. After that, all I needed to do was 
to run rtadvd on my internal interface, and my internal LAN machines 
began to be autoconfigurated getting ip's from the delegated prefix.

     The OpenBSD firewall has 2 ipv6 addresses. One on the WAN interface 
and another on the LAN interface. If I use ping6 to ping any ipv6 host 
from my firewall, I can ping them with no problems. But, If I ping 
setting the source to be the ipv6 address from the internal interface, 
it won't work. Also, no machine from my LAN can connect to any host 
through ipv6.

     I've inspected the traffic with tcpdump, and I can see the packets 
leaving my network and getting on the destination. The problem is the 
packets never gets back. My CPE equipment keeps asking for neighbour 
solicitation asking who has the ipv6 address, but the OpenBSD firewall 
never replies, so the packts get dropped. I'm currently with PF 
disabled. But I had the same problem with it enabled and with the 
default firewall configuration. I'm trying first to get ipv6 
connectivity working to after filter the packets. Anyone had a similar 
issue?

Cheers,
Giancarlo Razzolini

Reply via email to