
Thread: OpenSUSE as a native ipv6 gateway?

  1. #1
    Join Date
    Aug 2017
    Posts
    19

    Question OpenSUSE as a native ipv6 gateway?

    There is a lot of documentation about routing ipv6 and most of it is outdated for tunnels or routing with ipv4.
    My isp supplies native ipv6.
    I have installed dhcpcd 6.11.5 from https://build.opensuse.org/package/show/home%3Abastianfriedrich/dhcpcd which is working great, it allocates an ipv6 ip address to my wan, and a public subnet to my bridged lan.

    For testing to see if the public subnet works, I created an address from my bridge on my wan. I did this just to ping and verify I had the address. It worked fine using ipv6 sites to ping me.

    dhcpcd.conf:
    Code:
    denyinterfaces br0 enp10s0f0 enp10s0f1 enp11s0f0 enp11s0f1 wlp5s0 wlp7s0
    duid
    noipv6rs
    waitip 600
    # Uncomment this line if you are running dhcpcd for IPv6 only.
    ipv6only

    # use the interface connected to WAN
    interface enp12s0
    ipv6rs
    #iaid 1
    ia_na 1
    # use the interface connected to your LAN
    ia_pd 2 br0/0

    I can have radvd.conf apply local ip addresses or public ones to the lan. This works perfectly. There is also the documentation stating that it can auto generate subnet ipv6 ips from dynamic subnet ip blocks provided by the isp, though that is not the main concern of my post.

    radvd.conf:
    Code:
    interface br0
    {
        AdvSendAdvert on;
        prefix fc00::1/64
        {
            AdvOnLink on;
            AdvAutonomous on;
            AdvRouterAddr on;
        };
        RDNSS fc00::1{};
    };

    (Yes, I am aware fc00::1 is not a public route-able address; for tayga it works just fine. I have a few public subnets on standby for when I learn to do the routing properly.)


    I have installed tayga (NAT64) https://software.opensuse.org/packag...rch_term=tayga
    which does the routing ok, but seems like it was meant to translate ipv4 to ipv6 more than routing direct ipv6 --> ipv6.

    I am thinking there is a better way to properly setup a router gateway and route public ipv6 ips to the lan without a nat. Much of the documentation I have read has proven wrong as most of it involves routing with ipv4 and back to ipv6.

    (feels sloppy to route native ipv6 this way)
    tayga.conf:
    Code:
    tun-device nat64

    ipv4-addr 192.168.255.1

    ipv6-addr 2001:db8:1::2

    prefix 2001:db8:1:ffff::/96

    dynamic-pool 192.168.255.0/24

    data-dir /var/db/tayga

    map 192.168.1.1 fc00::1

    Tayga is working for the most part; I have a subnet lan and can ping6 outside addresses. But this is not how ipv6 was designed. I am unsure of how to properly setup ipv6 routing in my opensuse linux router. I could use public route-able ips with tayga, but this is not correct ipv6 routing. Something direct should exist?

    Also I have firewalld which I have recently upgraded to with tumbleweed and am unsure of how it interacts with iptables which has led to more confusion reading iptables tutorials. SuSEfirewall2 was dropped a few weeks ago.

  2. #2
    Join Date
    Sep 2012
    Posts
    7,096

    Default Re: OpenSUSE as a native ipv6 gateway?

    Quote Originally Posted by baos View Post
    I ... and can ping6 outside addresses
    I'm extremely surprised it works, seeing that you are using an unmodified example from the manual that contains a documentation-only IPv6 prefix, which should not be routable anywhere on the real internet. Most likely your ping6 has absolutely nothing to do with your tayga.conf.

    Quote:
    I am unsure of how to properly setup ipv6 routing in my opensuse linux router.
    I really do not understand your question. Tayga is designed to connect IPv4 networks over IPv6 backbone. You do not "ping6" on host behind tayga - you use "ping" on native IPv4 hosts.

    IPv6 native routing works just the same as IPv4 native routing. You have default gateway or you have host/network specific gateways. Home connections unlikely need more than default gateway via ISP router.

    Quote:
    There is also the documentation stating that it can auto generate subnet ipv6 ips from dynamic subnet ip blocks provided by the isp, though not the main concern of my post.
    Well, that's the whole point of IPv6 - each host receives unique IPv6 address from address block allocated to you by your ISP. That automatically solves the "problem" of routing, as each host also receives native IPv6 route pointing to ISP gateway.

    Either you misunderstand how IPv6 works or I misunderstood your question. Could you explain in some more details what you are trying to achieve?

  3. #3
    Join Date
    Aug 2017
    Posts
    19

    Default Re: OpenSUSE as a native ipv6 gateway?

    Without tayga I am unable to route public ipv6 addresses from my lan to my wan. I should not require or need ipv4 anywhere in that loop. I have a public ipv6 address assigned to my wan, from my isp, and a public ipv6 subnet applied to my lan, also from my isp. How can I route this properly without the use of tayga? Many of the examples I attempted over the last week were very dated and did not function.

  4. #4
    Join Date
    Aug 2017
    Posts
    19

    Default Re: OpenSUSE as a native ipv6 gateway?

    I think you misunderstand my documentation-only subnet. This subnet is recommended on many tutorials for use with a nat and is routed similar to 192.168.1.1. As I have a public ipv6 subnet lan, I should not require a nat or tayga to handle the routing. Previously I had used SuSEfirewall2 to route ipv4 and we were all forced to adapt to firewalld recently. I do not understand what ip6tables commands to issue in which to have my public ipv6 lan routed to my public ipv6 wan.

  5. #5
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    15,673
    Blog Entries
    3

    Default Re: OpenSUSE as a native ipv6 gateway?

    I also don't know what you are trying to do. And I probably don't know how to do it.

    IPv6 is working fine here. I'm using the router provided by my ISP.

    Here's my understanding of how it works:

    My home router is assigned (or "delegated") a "/60" range of IPv6 addresses. It uses one of those for itself. And then it advertises a "/64" to the LAN. Each computer on the LAN assigns itself an IPv6 address from that "/64" block (checking that this doesn't cause a conflict). And each computer presumably announces what it has chosen, so that other LAN hosts know how to contact it.

    The main router can also be set to assign an IPv6 address to each host. If I turn that on, then my computers get two IPv6 addresses -- the one that they have chosen for themselves and the assigned address. That's of course, with privacy extensions turned off. With privacy extensions turned on, they assign themselves another IPv6 address chosen randomly and used only for 24 hours.
    openSUSE Leap 15.3; KDE Plasma 5.18.6;

  6. #6
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    Default Re: OpenSUSE as a native ipv6 gateway?

    I also do not understand your routing objectives or design.

    Some basic questions and concepts...
    - Why your segregation of "public" and "private" addresses? Is this for organization if you are managing a very large number of host addresses?
    - Is there some reason why you would want to deploy an IPv6 DHCP server? There is no need to do so since self-generated addresses should always "just work." Only reason to use a DHCP server is to manage assignments.
    - A significant diff between IPv6 and IPv4 is that IPv6 addresses are generally publicly accessible (with exceptions).
    - A significant diff between IPv6 and IPv4 is that routing tables should almost always be built automatically and "just work" not needing the special routes sometimes seen in IPv4 networks.
    - Is firewalling security part of your networking objectives? If so, then you need to state those clearly. In that case, then yes you will want to configure your firewall as a "critical node" but still ordinarily should not need to configure NAT or configure routing tables manually.

    HTH,
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  7. #7
    Join Date
    Aug 2017
    Posts
    19

    Default Re: OpenSUSE as a native ipv6 gateway?

    Quote Originally Posted by tsu2 View Post
    I also do not understand your routing objectives or design.
    - Why your segregation of "public" and "private" addresses? Is this for organization if you are managing a very large number of host addresses?
    Because I chose to not post public ip addresses on the internet, and it is an example of my config which also works for the public ipv6 address. You get to see the config example of what I am using and may have some insight into flags I could be missing. With the use of a nat (tayga) my ipv6 lan can communicate with the internet. This is not a 'correct' usage and I should not need to route ipv6 through a nat.

    Quote Originally Posted by tsu2 View Post
    I also do not understand your routing objectives or design.
    - Is there some reason why you would want to deploy an IPv6 DHCP server? There is no need to do so since self-generated addresses should always "just work." Only reason to use a DHCP server is to manage assignments.
    The ipv6 dhcp server or radvd.conf is working 100% fine. All 'self generated' addresses did not work out of the box, nothing routed to nothing. I could not even ping the self generated addresses "fe80::". Dhcp is not the issue of my question. As far as the ipv6 subnet goes, I will have to assign those from my own server as this is what is provided. I get 1 isp specific routable ipv6 address and several others with subnets that I must assign and route myself. The radvd (or dhcp) server is working 100% as intended.

    Quote Originally Posted by tsu2 View Post
    I also do not understand your routing objectives or design.
    - A significant diff between IPv6 and IPv4 is that IPv6 addresses are generally publicly accessible (with exceptions).
    All of the addresses on my lan with current configuration or public ipv6 are not publicly accessible. I would like them to be, and the major issue is that I do not know how to route public wan ipv6 to lan ipv6 with public ips. The assignment of public ip addresses is currently working and of no issue. Again, I may have a flag I have missed that I should have placed in the config, and so I posted the config.

    Quote Originally Posted by tsu2 View Post
    I also do not understand your routing objectives or design.
    - A significant diff between IPv6 and IPv4 is that routing tables should almost always be built automatically and "just work" not needing the special routes sometimes seen in IPv4 networks.
    With a default install of opensuse and firewalld NOTHING has worked. Nothing has been routed through my router (opensuse box). I have and get access to the ipv6 addresses without issue as I posted above with my tests. Opensuse at current is not capable of routing the ipv6 wan to the ipv6 lan addresses without use of a nat. I don't know why; this is the issue I do not understand. I should not require tayga (nat64) to do this routing. I realize this is likely a very simple solution that has been overlooked.

    Quote Originally Posted by tsu2 View Post
    I also do not understand your routing objectives or design.
    - Is firewalling security part of your networking objectives? If so, then you need to state those clearly. In that case, then yes you will want to configure your firewall as a "critical node" but still ordinarily should not need to configure NAT or configure routing tables manually.
    Nope. If it was, this is currently working just fine. And again, the routing tables need manual configuration for anything as NOTHING works. I suspect this has to do with the forced upgrade to firewalld, though I did not do any ipv6 testing with susefirewall2. firewalld's routing tables are very different than what I had noticed with susefirewall2, which again makes most of the tutorials I have found not helpful. Again, no, I do not need a firewall for ipv6, but the routing has in the past 'automatically' just worked after inputting the information into the firewall, which in the past has handled the routing tables. Currently no default ipv6 routing that should work is working.

    Quote Originally Posted by nrickert View Post
    IPv6 is working fine here. I'm using the router provided by my ISP.

    IPv6 is working fine as far as 1 computer (the opensuse router) doing anything online with an ipv6. My problem is that it is not routing ipv6 publicly to the lan. I currently have access to a few ipv6 subnets. Each one consists of 18,446,744,073,709,551,616 IPv6 addresses. I will probably use 20 with laptops and cell phones.

    I have disabled all of the normal lan routing capabilities of my isp router and have placed an opensuse server with 100% access to the internet. It has both a public ipv4 and ipv6 ip and several subnets. There are several reasons for doing this which are not the criteria of my question.



    I am going to draw it out to make 100% clear what is not working

    opensuse router --> wan ipv6 (working)
    opensuse router --> requested ipv6 subnet (addresses routed to me and tested as working via online ping from websites when I assigned subnet ips to the wan)
    opensuse router --> ipv6 subnet assigned to lan (assignment is working)

    'ipv6 internet' --> 'opensuse router' --> 'ipv6lan computer' (not working)
    this is the breakdown 'ipv6 internet' --> 'opensuse router' -/- no routing -/- 'ipv6lan computer'

    I installed tayga and managed to get routing somewhat working, but this is a very wrong way to route the ipv6 to the lan.
    I would love it if the routing tables just 'worked', but they have not.
    So my table looks like this:
    'ipv6 internet' --> 'opensuse router' --> 'opensuse router tayga(nat64)' --> 'ipv6lan computer'
    This also means that my lan works similar to 192.168.1.1 addresses because they are forced to go through a nat.

    How do I get ipv6 to properly route from interface enp12s0 (public wan) to interface br0 (my bridged lan consisting of 2x wifi and 4x ethernet).

    Because this has not worked 'out of the box'. I don't know how to tell enp12s0 to send traffic it receives for 'br0's ipv6 subnet', to br0.
    The main reason I don't know how to route ipv6 is because the routing tables are different with firewalld and I have no idea what to do with them. As well most examples on the internet did not feature such a simple setup wan-ipv6 --> opensuse router --> lan-ipv6(for which all addresses should be 100% publicly accessible)



  8. #8
    Join Date
    Sep 2012
    Posts
    7,096

    Default Re: OpenSUSE as a native ipv6 gateway?

    Quote Originally Posted by baos View Post
    I do not understand what ip6tables commands to issue in which to have my public ipv6 lan routed to my public ipv6 wan.
    You should not need any ip6tables to route anything.

    Quote Originally Posted by baos View Post

    opensuse router --> wan ipv6 (working)
    opensuse router --> requested ipv6 subnet (addresses routed to me and tested as working via online ping from websites when I assigned subnet ips to the wan)
    opensuse router --> ipv6 subnet assigned to lan (assignment is working)

    You know, a discussion where you say "everything is working" without providing any technical details is not going to lead anywhere. Because if that is working, you should not have issues with routing. And if you have, something is not working, and to tell what, we need details.

    Quote:
    'ipv6 internet' --> 'opensuse router' --> 'ipv6lan computer' (not working)
    The obvious first answer is firewall.

    Quote:
    I installed tayga and managed to get routing somewhat working, but this is a very wrong way to route the ipv6 to the lan.
    Here we agree.

    Quote:
    ... forced to go through a nat.

    How do I get ipv6 to properly route from interface enp12s0 (public wan) to interface br0 (my bridged lan consisting of 2x wifi and 4x ethernet).

    Ouch ... NAT, bridges, iptables, tayga ... really, start with the most simple configuration. Single system with single interface and firewall disabled. Show "ip address" and "ip route" output on this system and explain what exactly does not work, ideally pasting the actual commands you used to verify it and their output.

  9. #9
    Join Date
    Sep 2012
    Posts
    7,096

    Default Re: OpenSUSE as a native ipv6 gateway?

    Quote Originally Posted by baos View Post
    ipv6 is working fine as far as 1 computer(the opensuse router) doing anything online with an ipv6. My problem is that it is not routing ipv6 publicly to the lan. I currently have access to a few ipv6 subnets. each one consists of 18,446,744,073,709,551,616 IPv6 addresses.

    If "have access" means "you use addresses from these subnets on your LAN" then the following must be true:

    1. Internet must know that traffic for these subnets must be sent to your ISP router.
    2. Your ISP router must know that traffic for these subnets must be sent to your openSUSE box WAN address.

    Are you sure these are true? The simplest way to verify is to sniff openSUSE box WAN interface while trying to access internal address from outside. If you do not see any traffic, the problem is outside of openSUSE box.

    Of course, openSUSE must also have routing enabled, but I assumed this is so obvious that I do not need to mention it. But that is the next step, if preceding does not work, there is nothing you can do. Then the only possibility is indeed to masquerade everything as your openSUSE box WAN address because this is the only one that can have connectivity.

    Quote:
    routing tables are different with firewalld

    firewalld has absolutely nothing to do with routing. You seem to confuse routing and NAT.
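
The checks from the post above (routing enabled on the openSUSE box, a route for the delegated prefix pointing at the LAN bridge, then sniffing the WAN interface), as an added shell example that is not part of the original thread. The interface names enp12s0 and br0 come from the thread; the function names and the 2001:db8 sample prefix are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only checks for an IPv6 router. Interface names
# enp12s0 (WAN) and br0 (LAN) are from the thread; everything else is assumed.

# Constructed sample of `ip -6 route` output; 2001:db8::/32 stands in for
# the prefix delegated by the ISP.
SAMPLE_ROUTES='2001:db8:aa:1::/64 dev br0 proto kernel metric 256 pref medium
fc00::/64 dev br0 proto kernel metric 256 pref medium
fe80::/64 dev br0 proto kernel metric 256 pref medium
fe80::/64 dev enp12s0 proto kernel metric 256 pref medium
default via fe80::1 dev enp12s0 proto ra metric 1024 pref medium'

# Succeeds when IPv6 forwarding is switched on.
# $1 = sysctl directory (defaults to the live /proc tree).
forwarding_enabled() {
    dir=${1:-/proc/sys/net/ipv6/conf}
    [ "$(cat "$dir/all/forwarding" 2>/dev/null)" = "1" ]
}

# Reads `ip -6 route` output on stdin and prints the prefixes routed out of
# interface $1, skipping default routes, link-local (fe80::/10),
# unique-local (fc00::/7) and multicast (ff00::/8) entries.
global_prefixes_on() {
    awk -v dev="$1" '
        $1 == "default" { next }
        $1 ~ /^(fe[89ab]|f[cdf])/ { next }
        { for (i = 2; i < NF; i++) if ($i == "dev" && $(i+1) == dev) print $1 }
    '
}

# Walks the checks in order and reports the first one that fails.
# $1 = LAN iface, $2 = WAN iface, $3 = sysctl dir (optional),
# stdin = `ip -6 route` output. Returns 1 or 2 on failure, 0 otherwise.
diagnose() {
    lan=$1 wan=$2
    if ! forwarding_enabled "$3"; then
        echo "FAIL forwarding: sysctl -w net.ipv6.conf.all.forwarding=1"
        return 1
    fi
    prefixes=$(global_prefixes_on "$lan")
    if [ -z "$prefixes" ]; then
        echo "FAIL route: no global prefix routed to $lan"
        return 2
    fi
    for p in $prefixes; do
        # If this capture stays empty while an outside host pings a LAN
        # address, the problem is upstream of this box.
        echo "OK $p -> $lan; verify arrival: tcpdump -ni $wan icmp6 and dst net $p"
    done
}

case "${1:-}" in
    --live) ip -6 route show | diagnose br0 enp12s0 ;;
    --demo) printf '%s\n' "$SAMPLE_ROUTES" | diagnose br0 enp12s0 ;;
esac
```

Run with `--live` on the router itself; a failure at the forwarding step means the kernel drops transit packets regardless of what firewalld allows.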

  10. #10
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    Default Re: OpenSUSE as a native ipv6 gateway?

    IMO some IPv6 Basics is needed here.

    Based on a <very> brief skim of only a few Internet hits,
    I'd recommend reading

    https://www.tutorialspoint.com/ipv6/index.htm

    Some points of emphasis to clear up some misunderstandings...

    - Everywhere autoconfiguration is described, and why it makes DHCP unnecessary and only a voluntary option.
    - The Address Types & Formats page. Besides the address structure (critical to know if you're subnetting, routing and assigning addresses), you should also pay close attention to the Address Types so you know, for instance, that of the many auto-generated IPv6 addresses you will see on your system, for some odd reason you chose the Link-local address to test routing (it's the only one that can't).
    - How headers are used so that you can identify and use them properly yourself which is essential for routing
    - IPv6 subnetting. Ordinarily, there is no need or desire. But, for possible management and consequentially possibly applying special security reasons, you will have to know this first.

    Perhaps some additional points of interest
    - Anycast vs Broadcast, but know that for over 99% of all connections, Unicast is the relevant type

    If you have further questions, post again,
    But first try to establish a base of knowledge.
    I'd also expect there should be some decent YouTube(and other provider) videos on the subject

    Unfortunately, the best slide deck and presentation I've seen (an over 6 hour talk, packed with info) is not available publicly. Here's hoping one day the presenter will change his mind about publishing openly since AFAIK he doesn't actually have any reason to hold back.

    TSU
