OVH Community, your new community space.

Creating a private IPv6 tunnel broker


makno
16-05-2013, 01:55
Well, I tried to start from scratch and set up the gateway on the pfSense WAN side to be the Proxmox host. I assigned an IP to the LAN interface, however I can't get it to recognise the GW: when I go to assign it the same GW as the WAN, it just won't let me add it or choose it.
The other problem is giving out IPv6 addresses from the /64 to the LAN clients: no matter how I try to set RA or DHCPv6, it doesn't work.

Myatu
14-05-2013, 15:07
For stateless configuration, you need a full /64 (aaaa:bbbb:cccc:dddd:x:x:x:x), so you can't specify aaaa:bbbb:cccc:dddd:4::x in that case. That's why OVH has this "weird" /56-64 setup, to allow you to take full advantage of the /64 block (like radvd).

I don't know if it applies to DHCPv6 though, as I have never had the need to use that, but I assume you can in that case.

When I'm looking at your setup again, it looks like for the pfSense LAN bit you are giving a 2nd gateway IP just for the LAN. If you are assigning public IPv6s on the LAN side, then you don't have to do this (and it will cause all your IPv6 LAN traffic to stop there). If you were to assign private IPv6, then it's different.
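
Why LAN clients end up with aaaa:bbbb:cccc:dddd:x:x:x:x, as an added example that is not part of the original posts: under stateless autoconfiguration the router only advertises the /64 and each host fills in the lower 64 bits itself, shown here with the classic EUI-64 method. The MAC address is constructed sample data and the function name is hypothetical; many current systems use randomised or stable-privacy interface identifiers instead, with the same consequence for the prefix.

```shell
#!/bin/sh
# Added example: derive the address a host forms under SLAAC with EUI-64.
# The router contributes only the /64; the last four hextets come from the
# host's own MAC address, so a sub-range such as ...:4::x cannot be imposed.

# slaac_eui64 PREFIX MAC
#   PREFIX: the first four hextets of the advertised /64
#   MAC:    the interface MAC address, colon separated
slaac_eui64() {
    prefix=$1
    mac=$2
    old_ifs=$IFS
    IFS=:
    set -- $mac            # $1..$6 are now the six MAC octets
    IFS=$old_ifs
    first=$(( 0x$1 ^ 2 ))  # flip the universal/local bit of the first octet
    # Insert ff:fe between the two MAC halves to build the 64-bit identifier.
    printf '%s:%x:%x:%x:%x\n' "$prefix" \
        $(( (first << 8) | 0x$2 )) \
        $(( (0x$3 << 8) | 0xff )) \
        $(( 0xfe00 | 0x$4 )) \
        $(( (0x$5 << 8) | 0x$6 ))
}

# Constructed MAC, with the placeholder prefix used in this thread.
slaac_eui64 aaaa:bbbb:cccc:dddd 52:54:00:12:34:56
```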

makno
13-05-2013, 18:46
Nothing doing, forwarding was enabled but it still seems I'm not managing to set pfSense to give out v6 addresses to the LAN. I checked the pfSense forum but no one is replying to my post either.

Myatu
13-05-2013, 17:00
Yes, performing "echo 1 > /proc/sys/net/ipv6/conf/all/forwarding" is only for the time the server is up. If you want to make that permanent, you'll have to either add it as part of your "post-up" in the host's network configuration, or add it to the "/etc/sysctl.conf" (as "net.ipv6.conf.all.forwarding = 1" - I think Debian/Proxmox already has that line, but just commented out).
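
A check for the situation described above, added here and not part of the original post: it compares the runtime forwarding flag with what a sysctl file will restore at boot, ignoring the commented-out line. Function names are hypothetical, and only the one file passed in is inspected (drop-in files under /etc/sysctl.d are not read).

```shell
#!/bin/sh
# Added example: is IPv6 forwarding only set at runtime, or also persisted?

# persisted_forwarding FILE
#   Prints the last active value of net.ipv6.conf.all.forwarding in FILE,
#   or "unset" when the key is missing or only present as a comment.
persisted_forwarding() {
    awk -F= '
        /^[ \t]*[#;]/ { next }          # commented-out lines do not count
        {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key == "net.ipv6.conf.all.forwarding") last = val
        }
        END { print (last == "" ? "unset" : last) }
    ' "$1"
}

# forwarding_report PROC_FILE SYSCTL_FILE
#   Prints a one-line verdict comparing runtime and persisted state.
forwarding_report() {
    runtime=$(cat "$1" 2>/dev/null || echo unknown)
    persisted=$(persisted_forwarding "$2")
    if [ "$runtime" = "1" ] && [ "$persisted" != "1" ]; then
        echo "runtime=1 persisted=$persisted: forwarding will be lost on reboot"
    elif [ "$runtime" != "1" ] && [ "$persisted" = "1" ]; then
        echo "runtime=$runtime persisted=1: not applied yet (sysctl -p or reboot)"
    else
        echo "runtime=$runtime persisted=$persisted: consistent"
    fi
}

# On a real host:
#   forwarding_report /proc/sys/net/ipv6/conf/all/forwarding /etc/sysctl.conf
```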

makno
13-05-2013, 15:06
Thinking about it, I had to reboot the Proxmox host, so maybe the IPv6 forwarding was lost?

That said, I have tried all sorts of DHCPv6 settings, with and without a static IPv6 on the LAN side and using the track interface on the LAN, but still nothing.

Myatu
08-05-2013, 22:58
You would need IPv6 forwarding enabled on the Proxmox host. As for DHCPv6, doesn't it allow for stateless autoconfiguration instead?

makno
08-05-2013, 14:12
In the end I decided to try using pfSense (2.1 now supports IPv6 ... I know you were waiting for that, Myatu) and managed to assign an IPv6 to the WAN.

The setup here has changed, so instead of a standalone VM with its failover IP and bridged network to Proxmox, I have a pfSense VM with 2 NICs (WAN & LAN) and several VMs attached to the LAN of the pfSense in order to gain access to the net.

At IPv4 level everything is functional; on the v6 side, however, things are different.

From the /64 I assigned:

Proxmox: aaaa:bbbb:cccc:dddd::1
GW: aaaa:bbbb:cccc:ddff:ff:ff:ff:ff
Status online, functional

Pfsense WAN: aaaa:bbbb:cccc:dddd:2::1
GW: aaaa:bbbb:cccc:dddd:1
Status online, functional

Pfsense LAN: aaaa:bbbb:cccc:dddd:4::1
GW: aaaa:bbbb:cccc:dddd:2::1
Status offline, non functional

The different VMs attached to the LAN do also get a v6 address, however there must be something I'm doing wrong with DHCPv6, as they all get something in the range of:

aaaa:bbbb:cccc:dddd:x:x:x:x when I specify I want them to receive aaaa:bbbb:cccc:dddd:4::x (2-ff)

Any pointers?

makno
05-05-2013, 05:12
I did actually replace the "any" in "remote any" with my home IP, as I have a fixed IP assigned; I just didn't want to get involved with VPNs.

Myatu
04-05-2013, 23:40
The thing here is that you allow anyone to create a tunnel. That's like providing an anonymous proxy - but worse. If you are going to secure that using a VPN (I like 'Tinc') or IPSec, then you might as well provide IPv6 differently too. For example, as you are given a full /64 address range, you can use radvd to spit out IP addresses to those who request it within your server's internal network - provided the VPN allows it, this would also include any clients connected, so there's no need for 6in4 tunnels, etc.
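
A defensive check for the open-tunnel condition described above, added here and not part of the original thread: it reads `ip tunnel show` output and lists 6in4 (sit) tunnels that accept encapsulated packets from any IPv4 source. The sample output, the tunnel name tunhome and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sit tunnels created with "remote any".

# open_sit_tunnels
#   Reads `ip tunnel show` output on stdin and prints "NAME LOCAL" for
#   every 6in4 tunnel whose remote endpoint is not pinned to one address.
open_sit_tunnels() {
    awk '
        $2 == "ipv6/ip" {                       # sit (6in4) tunnels only
            name = $1; sub(/:$/, "", name)
            remote = ""; local_ip = ""
            for (i = 3; i < NF; i++) {
                if ($i == "remote") remote = $(i + 1)
                if ($i == "local")  local_ip = $(i + 1)
            }
            # sit0 is the fallback device the sit module always creates;
            # review its link state separately rather than flagging it here.
            if (remote == "any" && name != "sit0") print name, local_ip
        }
    '
}

# Constructed sample of `ip tunnel show` output.
sample_tunnel_output() {
    cat <<'EOF'
sit0: ipv6/ip remote any local any ttl 64 nopmtudisc
tun6in4: ipv6/ip remote any local 1.2.3.4 ttl inherit
tunhome: ipv6/ip remote 198.51.100.7 local 1.2.3.4 ttl inherit
gre0: gre/ip remote any local any ttl inherit nopmtudisc
EOF
}

sample_tunnel_output | open_sit_tunnels   # prints: tun6in4 1.2.3.4
# On a real host: ip tunnel show | open_sit_tunnels
```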

makno
04-05-2013, 22:44
Well, I was hoping to go this way as I wasn't really pleased with the tunnels out there. I guess I'll have to JTAG the bthh2 I have here and get a decent firmware on it.

Myatu
04-05-2013, 22:22
It is probably easiest to re-consider your approach, as this is very, very convoluted and insecure.

makno
04-05-2013, 14:29
Hello,

As per the title, I'm trying to set up a tunnel broker service to use with my home LAN. I know there are tunnel services out there and I have used HE.net in the past, however I experienced low speeds and high latencies, so the idea is to use a VM on Proxmox to act as the tunnel (all my VMs are used for data processing so the bandwidth is free).

So far I have a VM with virtual MAC and IP failover. IPv4 works fine.

I have set up IPv6 as per my manager details; I can now access the VM on IPv6 from other v6 machines, success.

Below is an example of the IP layout:

IPv4 Failover 1.2.3.4
IPv6 /64: a:b:c:d::
IPv6 of the proxmox host: a:b:c:d::1
IPv6 of the VM: a:b:c:d:3::1

The guide I followed is this:

Code:
Creating a 6in4 gateway:

    Create a IPv6 tunnel interface:

    # ip tunnel add tun6in4 mode sit local  remote any
    # ip link set tun6in4 up

    where  is your server's public IPv4 address;

    Assign a IPv6 address from a new subnet to the tunnel:

    # ip addr add 2001:db8:e3af:666::1/64 dev tun6in4

    Route the subnet to your IP own address, removing the automatic route first:

    # ip route del 2001:db8:e3af:666::/64 dev tun6in4
    # ip route add 2001:db8:e3af:666::/64 via ::78.260.211.195 dev tun6in4

    Enable IPv6 forwarding:

    # echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

The commands used on the VM:

Code:
ip tunnel add tun6in4 mode sit local 1.2.3.4 remote any
ip link set tun6in4 up
ip addr add a:b:c:d:3:1::1/64 dev tun6in4
ip route del a:b:c:d::/64 dev tun6in4
ip route add 2001:db8:e3af:666::/64 via ::1.2.3.4 dev tun6in4

All is fine until the last line, which gives:

RTNETLINK answers: No route to host

Any idea how to solve this?