JTC
Always Mount A Scratch Monkey

join:2002-01-09
USA
·Comcast Workplace
·Integra Telecom

 M0n0wall and multiple interfaces

This may be better asked in the m0n0wall mailing list or forums, but since I don't want to sign up to yet another mailing list or forum if I don't have to, I figured I would try here first.

Setup:

M0n0wall latest beta for IPv6 support in a VM
Tunnel via Hurricane Electric
Interfaces:
LAN (in LAN, A:B:C:D::1:X/96)
WAN (in DMZ for tunnel, A:B:C:D::/64)
DMZ (in DMZ for DMZ clients, A:B:C:D::2:X/96)

WAN, DMZ and LAN are all static assignments using /96 (I believe I've divided up the /64 correctly).

Clients on the LAN can ping6 out perfectly

Tests from www.berkom.blazing.de/tools/ping.cgi and www.berkom.blazing.de/tools/traceroute.cgi to a LAN IP work.

DMZ side, however, when I assign an address to that interface, I get "Destination unreachable: Address unreachable". Pinging another machine in the DMZ works.

For giggles, I bridged the DMZ and LAN interfaces and was able to ping a machine in the DMZ from the LAN, but DMZ machines couldn't ping the m0n0 LAN interface.

Either I've got something set up wrong in regards to the subnets (which I kind of doubt as the LAN side works), or there is something weird going on with IPv6, multiple interfaces and routing.

Has anyone else tried doing the LAN/DMZ thing with m0n0 and IPv6?
--
All hardware sucks, all software sucks, some just suck more than others

mcnet

join:2005-12-19
Cary, IL


i think you may be off by a digit there, and have different abcd on WAN and LAN. tunnels come with single /64 routed(LAN) to another /64 which is on tunnel interface(WAN).

so:
TUNNEL-LOCAL/WAN A:B:C:D::2/64
LAN A:B:E:F:1:1::Z/96
DMZ A:B:E:F:1:2::Z/96

otherwise you can request a /48 for your tunnel (requires a stable tunnel that has been up for 30 days i believe; check requirements on HE tunnel broker site), and assign two /64's from that /48 to your two interfaces instead.

so:
TUNNEL-LOCAL/WAN A:B:C:D::2/64
LAN A:B:E:F::X/64
DMZ A:B:E:G::X/64
[from A:B:E::/48]

i'm sure there's more to this, but i think this is simplest solution that will work.


JTC
Always Mount A Scratch Monkey

join:2002-01-09
USA
·Comcast Workplace
·Integra Telecom


said by mcnet:

i think you may be off by a digit there, and have different abcd on WAN and LAN. tunnels come with single /64 routed(LAN) to another /64 which is on tunnel interface(WAN).
Thanks for replying!

This is what I received from he:

Tunnel info:
Server IPv6 address: 2001:ded:bef4:dc6::1/64
Client IPv6 address: 2001:ded:bef4:dc6::2/64
Routed /48: 2001:ded:8331::/48
Routed /64: 2001:ded:bef5:0dc6::/64

And this is the current address assignment:

WAN global: 2001:ded:bef4:dc6::2/64
LAN global: 2001:ded:bef5:dc6::10:eeee/96
DMZ global: 2001:ded:bef5:dc6::78:eeee/96

So what you are saying (and from what I just found based on what you posted), I should use the /48 so it looks something like this:

WAN global: 2001:ded:bef4:dc6::2/64

LAN global: 2001:ded:8331:bef::eeee/64
DMZ global: 2001:ded:8331:beef::eeee/64


If this is the case, I still don't understand why the 2001:ded:bef5:dc6::78:eeee/96 interface wasn't pingable on the DMZ side, but the 2001:ded:bef5:dc6::10:eeee/96 on the LAN was. I also thought that I could further subdivide the /64 down as everything I have read says that v6 has the equivalent of CIDR built in. Or am I thinking too much in v4 terms?

Thank you for any insight or pointers you can provide. Most of what I have read seems incomplete or assumes that everyone will want to run the advertising daemons and not manually configure everything (which has its uses, but I want to know how to do this manually first before taking any shortcuts, as it were).
--
All hardware sucks, all software sucks, some just suck more than others

mcnet

join:2005-12-19
Cary, IL


yes that should work for /64 sub division of /48

because it's off by ipv6 equiv of an octet... 16-et? hexadigit? hexet?

2001:ded:bef5:dc6::78:eeee/96
2001:ded:bef5:dc6::10:eeee/96

should be:
2001:ded:bef5:dc6::1:78:eeee/96
2001:ded:bef5:dc6::2:10:eeee/96
(one more 4-space to left)

long format /96 S = network/subnet H = host
SSSS:SSSS:SSSS:SSSS:SSSS:SSSS:HHHH:HHHH
so to have 2nd subnet routable it should be difference in 3rd from right group of 4 hex digits. right? i think so...


JTC
Always Mount A Scratch Monkey

join:2002-01-09
USA
·Comcast Workplace
·Integra Telecom

said by mcnet:

yes that should work for /64 sub division of /48
Ok, I'll try that when I get back in front of a console tonight.

said by mcnet:

because it's off by ipv6 equiv of an octet... 16-et? hexadigit? hexet?

2001:ded:bef5:dc6::78:eeee/96
2001:ded:bef5:dc6::10:eeee/96

should be:
2001:ded:bef5:dc6::1:78:eeee/96
2001:ded:bef5:dc6::2:10:eeee/96
(one more 4-space to left)

long format /96 S = network/subnet H = host
SSSS:SSSS:SSSS:SSSS:SSSS:SSSS:HHHH:HHHH
so to have 2nd subnet routable it should be difference in 3rd from right group of 4 hex digits. right? i think so...
Hmmm...

Expanded out, the address (2001:ded:bef5:dc6::78:eeee) should be:

2001:0ded:bef5:0dc6:0000:0000:0078:eeee

So at 96 bits... (add add add)...

2001:0ded:bef5:0dc6:0000:0000:0078:eeee

So for the :0078: part to make the difference, I should have used /104? That doesn't sound right, but I've been wrong before...
--
All hardware sucks, all software sucks, some just suck more than others

mcnet

join:2005-12-19
Cary, IL
that would be a /112 i believe (each 4 symbols = 16 bits, 128-16=112)


JTC
Always Mount A Scratch Monkey

join:2002-01-09
USA
·Comcast Workplace
·Integra Telecom

said by mcnet:

that would be a /112 i believe (each 4 symbols = 16 bits, 128-16=112)
Doh, I think I grok...

So given the address of 2001:0ded:bef5:0dc6:0000:0000:0078:eeee, /112 would make 2001:0ded:bef5:0dc6:0000:0000:0078 the 'subnet', with the 0078 part the entry that changes to identify the different subnets and the eeee part for each machine.

BTW, I tried the /48 approach and it's working, thanks for the pointer. Now to try and figure out if a DHCPv6 server and DHCPv4 can coexist on the same network without banging heads and get bind set up to deal with ip6 as well.

Thank you for the help and info so far, it is appreciated!
--
All hardware sucks, all software sucks, some just suck more than others
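
Added example, not part of the thread: a Python check that runs the address plans discussed above through the standard `ipaddress` module, flagging any LAN/DMZ pair whose on-link prefixes overlap or fall outside the routed space. The addresses are the ones quoted in the posts; the function name `check_plan` and the plan labels are assumptions made for this example.

```python
import ipaddress
from itertools import combinations

# Routed prefixes and interface addresses exactly as quoted in the thread.
ROUTED = [ipaddress.ip_network("2001:ded:8331::/48"),
          ipaddress.ip_network("2001:ded:bef5:dc6::/64")]

# Plan labels are made up for this example; "/112" reuses the original
# addresses with the prefix length worked out later in the thread.
PLANS = {
    "original /96": {"LAN": "2001:ded:bef5:dc6::10:eeee/96",
                     "DMZ": "2001:ded:bef5:dc6::78:eeee/96"},
    "same addresses, /112": {"LAN": "2001:ded:bef5:dc6::10:eeee/112",
                             "DMZ": "2001:ded:bef5:dc6::78:eeee/112"},
    "shifted /96": {"LAN": "2001:ded:bef5:dc6::2:10:eeee/96",
                    "DMZ": "2001:ded:bef5:dc6::1:78:eeee/96"},
    "/64s from the /48": {"LAN": "2001:ded:8331:bef::eeee/64",
                          "DMZ": "2001:ded:8331:beef::eeee/64"},
}


def check_plan(plan, routed=ROUTED):
    """Return a list of problems found in one {interface: address/len} plan."""
    ifaces = {name: ipaddress.ip_interface(addr) for name, addr in plan.items()}
    problems = []
    # Each interface prefix must sit inside space the tunnel broker routes to us.
    for name, iface in ifaces.items():
        if not any(iface.network.subnet_of(r) for r in routed):
            problems.append(f"{name} {iface.network} is outside the routed prefixes")
    # Two interfaces must never claim the same (or nested) on-link prefix:
    # the router then has two connected routes for one range.
    for (a, ia), (b, ib) in combinations(ifaces.items(), 2):
        if ia.network.overlaps(ib.network):
            problems.append(f"{a} {ia.network} overlaps {b} {ib.network}")
    return problems


if __name__ == "__main__":
    for label, plan in PLANS.items():
        issues = check_plan(plan)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```

Only the original /96 plan is flagged: both addresses reduce to the same network, so the firewall sees LAN and DMZ as one segment.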