On 17-08-2015 22:27, Giancarlo Razzolini wrote:
On 17-08-2015 17:05, Claus Lensbøl wrote:
Ok, I'll try it out tomorrow and return with results. Thank you for now.
I was re-reading your e-mail and the following came to my attention:
# ping6 fe02::1%vlan710
ping6: no address associated with name
Do you have a link-local address on that vlan interface? If not, then it
might not be a firewall problem, after all. Also, when I said for you to
allow the entire link-local range, I meant to allow them to perform
router solicitation and DHCPv6 requests. Do not allow everything from
link-local. Also, you can enforce a boundary by dropping NDP messages
(rtsol, rtadvd, neighrsol, etc) that do not have a hop limit of 255. See
[0]. By the way, it is equally important, especially for machines that
have IPv6 global addresses, that they also have a firewall enabled.
Remember, IPv6, by default, does not have edges anymore. So, unless told
otherwise, your OpenBSD firewall will happily route any incoming packets
directly to their intended destination. Keep that in mind when writing
your ruleset.
Cheers,
Giancarlo Razzolini
[0] https://tools.ietf.org/html/rfc4861
The vlan interface has a link-local address, but that address is
shared among the hundred-something vlan interfaces, so the
physical interface has a link-local address and all the vlan
interfaces have the same link-local address. Each vlan interface
has a scope though, and I do not know how that works.
# ifconfig vlan711 | grep inet6
inet6 fe80::8634:97ff:fe11:c495%vlan711 prefixlen 64 scopeid 0x6b
# ifconfig vlan710 | grep inet6
inet6 fe80::8634:97ff:fe11:c495%vlan710 prefixlen 64 scopeid 0x6a
Giving out addresses with rtadvd is working fine, it's only the
dhcpv6 daemon that cannot give out addresses.
I've tried both with a manual dhclient -6 (on a Linux client)
and with "dispatch" from rtadvd. Both end up with the dhcpv6
service dropping the "send_packet6: Network is unreachable"
error.
--
Best regards
Claus Lensbøl
Fab:IT ApS
Vesterbrogade 37, 2. th
DK-1620 København
Tlf: +45 70 202 407
Main Site: www.fab-it.dk
VPS Product: vpsforce.eu
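
The hop-limit boundary mentioned in the quoted advice (RFC 4861 requires Neighbor Discovery messages to arrive with a hop limit of 255), as an added Python example that is not part of the thread. The function names and sample packets are constructed for illustration; extension headers are not walked and ICMPv6 checksums are not verified.

```python
import ipaddress
import struct

IPPROTO_ICMPV6 = 58
# ICMPv6 types defined for Neighbor Discovery in RFC 4861.
NDP_TYPES = {133: "router-solicit", 134: "router-advert",
             135: "neighbor-solicit", 136: "neighbor-advert", 137: "redirect"}

def check_ndp_hop_limit(packet: bytes) -> str:
    """Return 'accept' or 'drop' for NDP, 'pass' if this check does not apply."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "drop"                      # not a complete IPv6 header
    _plen, next_header, hop_limit = struct.unpack("!HBB", packet[4:8])
    if next_header != IPPROTO_ICMPV6:
        return "pass"                      # assumption: no extension headers
    if len(packet) < 44:
        return "drop"                      # truncated ICMPv6 header
    icmp_type, icmp_code = packet[40], packet[41]
    if icmp_type not in NDP_TYPES:
        return "pass"                      # e.g. echo request, handled elsewhere
    # A router decrements the hop limit, so 255 proves the sender is on-link.
    # RFC 4861 also requires ICMP code 0 for all five message types.
    if hop_limit != 255 or icmp_code != 0:
        return "drop"
    return "accept"

def build_packet(icmp_type: int, hop_limit: int,
                 src: str = "fe80::1", dst: str = "ff02::2") -> bytes:
    """Construct a minimal IPv6 + ICMPv6 packet (sample data, checksum zero)."""
    icmp = struct.pack("!BBHI", icmp_type, 0, 0, 0)
    header = struct.pack("!IHBB", 0x60000000, len(icmp),
                         IPPROTO_ICMPV6, hop_limit)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + icmp)

if __name__ == "__main__":
    samples = [("on-link router solicitation", build_packet(133, 255)),
               ("router advert that crossed a router", build_packet(134, 64)),
               ("echo request", build_packet(128, 64))]
    for label, pkt in samples:
        print(f"{label}: {check_ndp_hop_limit(pkt)}")
```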