More complicated ipv6 routing with radvd

 
Ron Murray

External


Since: May 23, 2007
Posts: 31



(Msg. 1) Posted: Tue Dec 23, 2008 5:20 am
Post subject: More complicated ipv6 routing with radvd
Archived from groups: linux>debian>maint>ipv6

I have a slightly more complicated network topology than normal:


                   Debian box as
(Internet) <-----> firewall/router <-------- Ethernet LAN ---------> etc
                        (1)               |
                                          |
                                      Debian box
                                     as router (2)
                                          |
                                          |
                                     Wireless LAN
                                          |
                                          |
                                         etc

(I decided long ago that I felt much safer if I had the wireless net on
a separate subnet: I can use box (2) to protect my Ethernet net).

I set up ipv6 on the network for internal use (to gain experience with
it) last year some time, and ran radvd on box (2) to do its usual stuff,
including routing information. It set itself up as a default router, but
that didn't matter at the time since I wasn't planning on going to the
Internet on ipv6.

I've now set up a tunnel with Hurricane Electric and got it working on
box (1). The next step is to set up routing so that I can use IPv6 from
other machines on the network, and here's where I ran into problems.

I presume box (1) is the right place to run radvd advertising itself as
a default route. That part works. radvd will, I suppose, also need to
run on box (2) to work with machines on the wireless subnet. That part
works too, but how do I set up radvd on that box to advertise the route
to the wireless subnet on the Ethernet subnet? I can only get it to
advertise itself as a default route, which is clearly wrong.

Apologies if I'm not too clear with this; I'm new to ipv6.

One other thing: I'm a little uneasy trying to do this without a
firewall on the ipv6 side (gShield is working fine these days for ipv4).
Anyone have any suggestions about this, or am I being too paranoid?

Thanks,

.....Ron


--
Ron Murray (rjmx@rjmx.net)
http://www.rjmx.net/~ron
GPG Public Key Fingerprint:
F2C1 FC47 5EF7 0317 133C D66B 8ADA A3C4 D86C 74DE

The ultimate reason is "because."


--
To UNSUBSCRIBE, email to debian-ipv6-REQUEST.TakeThisOut@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.TakeThisOut@lists.debian.org
vegard

External


Since: Dec 23, 2008
Posts: 1



(Msg. 2) Posted: Tue Dec 23, 2008 3:20 pm
Post subject: Re: More complicated ipv6 routing with radvd

On Tue, Dec 23, 2008 at 04:28:08AM -0500, Ron Murray wrote:
> I have a slightly more complicated network topology than normal:
>
>
>                    Debian box as
> (Internet) <-----> firewall/router <-------- Ethernet LAN ---------> etc
>                         (1)               |
>                                           |
>                                       Debian box
>                                      as router (2)
>                                           |
>                                           |
>                                      Wireless LAN
>                                           |
>                                           |
>                                          etc
>

My setup is;


(Internet) <---> OpenBSD as
                 firewall/router <------ Ethernet LAN
                        ^
                        |
                        |
                        |
                   Wireless LAN



Any particular reason you don't run it on the same box? I think that
makes it a bit simpler, no?
--
- Vegard Engen, member of the first RFC1149 implementation team.


Ron Murray

External


Since: May 23, 2007
Posts: 31



(Msg. 3) Posted: Tue Dec 23, 2008 3:20 pm
Post subject: Re: More complicated ipv6 routing with radvd

vegard wrote:
> On Tue, Dec 23, 2008 at 04:28:08AM -0500, Ron Murray wrote:
>> I have a slightly more complicated network topology than normal:
>>
>>
>>                    Debian box as
>> (Internet) <-----> firewall/router <-------- Ethernet LAN ---------> etc
>>                         (1)               |
>>                                           |
>>                                       Debian box
>>                                      as router (2)
>>                                           |
>>                                           |
>>                                      Wireless LAN
>>                                           |
>>                                           |
>>                                          etc
>>
>
> My setup is;
>
>
> (Internet) <---> OpenBSD as
>                  firewall/router <------ Ethernet LAN
>                         ^
>                         |
>                         |
>                         |
>                    Wireless LAN
>
>
>
> Any particular reason you don't run it on the same box? I think that
> makes it a bit simpler, no?

I did actually have it that way once, but the firewall box I was using
at the time was more than a little old and didn't have any free PCI
slots. I needed to add a card for another purpose, which meant there was
no room for three NIC cards. That was when I offloaded the wireless LAN
to the other box.

You're right though: it would make things a lot simpler (one default
route to rule them all etc etc etc), and I do have a machine in the
firewall position that could take another NIC card, but right now I
don't feel like that much work. Unless there's no other way, that is.

And, of course, this way I learn a lot about routing. Sigh.

But thanks for your response!

.....Ron


Bernhard Schmidt

External


Since: Jan 01, 2007
Posts: 12



(Msg. 4) Posted: Fri Dec 26, 2008 1:20 pm
Post subject: Re: More complicated ipv6 routing with radvd

Ron Murray <rjmx RemoveThis @rjmx.net> wrote:

Hello Ron,

> I have a slightly more complicated network topology than normal:
>
>
>                    Debian box as
> (Internet) <-----> firewall/router <-------- Ethernet LAN ---------> etc
>                         (1)               |
>                                           |
>                                       Debian box
>                                      as router (2)
>                                           |
>                                           |
>                                      Wireless LAN
>                                           |
>                                           |
>                                          etc
>
> (I decided long ago that I felt much safer if I had the wireless net on
> a separate subnet: I can use box (2) to protect my Ethernet net).
>
> I set up ipv6 on the network for internal use (to gain experience with
> it) last year some time, and ran radvd on box (2) to do its usual stuff,
> including routing information. It set itself up as a default router, but
> that didn't matter at the time since I wasn't planning on going to the
> Internet on ipv6.
>
> I've now set up a tunnel with Hurricane Electric and got it working on
> box (1). The next step is to set up routing so that I can use IPv6 from
> other machines on the network, and here's where I ran into problems.
>
> I presume box (1) is the right place to run radvd advertising itself as
> a default route. That part works. radvd will, I suppose, also need to
> run on box (2) to work with machines on the wireless subnet. That part
> works too, but how do I set up radvd on that box to advertise the route
> to the wireless subnet on the Ethernet subnet? I can only get it to
> advertise itself as a default route, which is clearly wrong.

No. Router advertisements are designed to configure end-hosts only (give
them a static route and a prefix to perform stateless autoconfig in).
They do not exchange routing information between routers, in fact Linux
kernels with forwarding enabled ignore incoming router advertisements
completely.

Which means you have to add a static route on (1) to (2) for your
wireless subnet and a static default route on (2) towards (1). Or use
one of the real routing daemons (e.g. OSPFv3 or RIPng in the Quagga
package).

Bernhard


Ron Murray

External


Since: May 23, 2007
Posts: 31



(Msg. 5) Posted: Mon Jan 05, 2009 11:20 am
Post subject: Re: More complicated ipv6 routing with radvd

Hi. Thanks for the reply.

I think I got confused by radvd having the box advertise a default
route. I think it'd be lots easier if I moved the wireless subnet to
the firewall, though. I'll do that this weekend, and it's probably
time to learn some more about routing too.

Thanks for your help, all.

.....Ron

Pascal Hambourg

External


Since: Jan 23, 2007
Posts: 17



(Msg. 6) Posted: Mon Jan 05, 2009 7:20 pm
Post subject: Re: More complicated ipv6 routing with radvd

Hello,

Ron Murray wrote:
>
> I presume box (1) is the right place to run radvd advertising itself as
> a default route. That part works. radvd will, I suppose, also need to
> run on box (2) to work with machines on the wireless subnet. That part
> works too, but how do I set up radvd on that box to advertise the route
> to the wireless subnet on the Ethernet subnet? I can only get it to
> advertise itself as a default route, which is clearly wrong.

As Bernhard pointed out, you have to add a route to the wireless prefix
on router (1) either statically or using a routing protocol, because a
router ignores RAs.

About router (2) advertising the route to the wireless prefix for the
ethernet hosts, you could use the 'route information' option described
in RFC 4191. You would have to set the router lifetime to 0 so it won't
be used as a default route by hosts on the ethernet link. So radvd.conf
on router (2) would basically look like this :

============ /etc/radvd.conf ===================
interface <wireless>
{
    AdvSendAdvert on;

    prefix <wireless_prefix>
    {
    };
};

interface <ethernet>
{
    AdvSendAdvert on;
    AdvDefaultLifetime 0;

    route <wireless_prefix>
    {
    };
};
================================================

In practice, things are not that simple. The 'route information' option
is not part of the original Router Discovery specification, so older
IPv6 implementations may not support it. Linux supports it since version
2.6.17 if configuration option IPV6_ROUTE_INFO is enabled, but it is
functionally disabled by default because the sysctl parameter
net.ipv6.conf.*.accept_ra_rt_info_max_plen, which defines the maximum
prefix length of accepted route information, is set to 0 by default. In
order to accept a route for a /64 prefix, you must set it to at least
64. In Debian it can be set at startup for all interfaces by appending
the following line in /etc/sysctl.conf, assuming that the 'ipv6' module
has been loaded before (e.g. by adding it in /etc/modules), otherwise
the parameter won't exist yet:

net.ipv6.conf.default.accept_ra_rt_info_max_plen=64

If an ethernet host ignores the route information in RAs, it will send
packets for the wireless prefix to the default router, (1). Router (1)
will forward the packets to router (2). It should also send an ICMPv6
Redirect to tell the host that there is a better route to the prefix.
However I tested this scenario on my Debian router with 2.6.24 kernel
and didn't see it sending ICMPv6 Redirects, although it forwarded the
packets back on the same interface as expected.


Pascal Hambourg

External


Since: Jan 23, 2007
Posts: 17



(Msg. 7) Posted: Tue Jan 06, 2009 7:20 am
Post subject: Re: More complicated ipv6 routing with radvd

Pascal Hambourg wrote:
>
> In practice, things are not that simple. The 'route information' option
> is not part of the original Router Discovery specification, so older
> IPv6 implementations may not support it. Linux supports it since version
> 2.6.17 if configuration option IPV6_ROUTE_INFO is enabled, but it is
> functionally disabled by default because the sysctl parameter
> net.ipv6.conf.*.accept_ra_rt_info_max_plen, which defines the maximum
> prefix length of accepted route information, is set to 0 by default. In
> order to accept a route for a /64 prefix, you must set it to at least
> 64. In Debian it can be set at startup for all interfaces by appending
> the following line in /etc/sysctl.conf, assuming that the 'ipv6' module
> has been loaded before (e.g. by adding it in /etc/modules), otherwise
> the parameter won't exist yet:
>
> net.ipv6.conf.default.accept_ra_rt_info_max_plen=64

Hmm, looks like this may not work with a kernel 2.6.21 or later
because entries for interfaces in net.ipv6.conf are created as soon as
the interface is created, whereas older kernels used to create the entry
in net.ipv6.conf only when the interface goes UP for the first time. So
it might be necessary to add
net.ipv6.conf.<interface>.accept_ra_rt_info_max_plen=64 too.

Note :
A similar change was applied to IPv4 interface parameters in
net.ipv4.conf too. However I observed that changing a parameter value in
net.ipv4.conf.default immediately applies to all interfaces which are
not UP, which may preserve the previous behaviour. Unfortunately this
does not work for IPv6 parameters.

> If an ethernet host ignores the route information in RAs, it will send
> packets for the wireless prefix to the default router, (1). Router (1)
> will forward the packets to router (2). It should also send an ICMPv6
> Redirect to tell the host that there is a better route to the prefix.
> However I tested this scenario on my Debian router with 2.6.24 kernel
> and didn't see it sending ICMPv6 Redirects, although it forwarded the
> packets back on the same interface as expected.

I think I got it. The RFC 4861 says that the redirect target address
must be the link-local address of the next-hop router, but I had used
the global address of the router in the route. When using the link-local
address instead, the router sends ICMPv6 redirects.


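The pitfalls raised in Msg. 4, 6 and 7 can be checked per interface before relying on the 'route information' option. The script below is an added example, not code from any poster in the thread: it reports whether a host would install an RFC 4191 route of a given prefix length, and whether a next hop is link-local as ICMPv6 Redirects require. The function names, status strings and the CONF_ROOT variable are hypothetical, and the accept_ra=2 case applies to kernels newer than those discussed.

```shell
#!/bin/sh
# Added example. CONF_ROOT defaults to the live sysctl tree; point it at a
# constructed directory to try the logic without touching a real host.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv6/conf}"

# Print the value of one per-interface parameter, or "missing".
read_param() {
    if [ -r "$CONF_ROOT/$1/$2" ]; then cat "$CONF_ROOT/$1/$2"; else echo missing; fi
}

# ra_route_status IFACE PLEN: would a route information option for a prefix
# of length PLEN, received in an RA on IFACE, be installed? Prints one status.
ra_route_status() {
    iface=$1; plen=$2
    if [ ! -d "$CONF_ROOT/$iface" ]; then echo no-ipv6; return 0; fi
    fwd=$(read_param "$iface" forwarding)
    ra=$(read_param "$iface" accept_ra)
    max=$(read_param "$iface" accept_ra_rt_info_max_plen)
    if [ "$ra" = 0 ]; then
        echo ra-disabled          # RAs are not processed at all
    elif [ "$fwd" = 1 ] && [ "$ra" != 2 ]; then
        # A forwarding box ignores RAs (Msg. 4); accept_ra=2, available in
        # kernels newer than those in the thread, overrides that.
        echo router
    elif [ "$max" = missing ]; then
        echo unsupported          # kernel built without IPV6_ROUTE_INFO
    elif [ "$max" -lt "$plen" ]; then
        echo too-short            # e.g. the default 0 against a /64 (Msg. 6)
    else
        echo accepted
    fi
}

# audit_all PLEN: one "name status" line per entry, "default" included, so a
# default=64 that never reached an existing interface (Msg. 7) stands out.
audit_all() {
    for dir in "$CONF_ROOT"/*; do
        [ -d "$dir" ] || continue
        printf '%s %s\n' "${dir##*/}" "$(ra_route_status "${dir##*/}" "$1")"
    done
}

# is_link_local ADDR: true for fe80::/10, the only next-hop form for which
# the router in Msg. 7 sent ICMPv6 Redirects.
is_link_local() {
    case $(printf '%s' "$1" | tr 'A-F' 'a-f') in
        fe[89ab][0-9a-f]:*) return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${1:-}" = audit ]; then audit_all "${2:-64}"; fi
```

Run it as `sh script.sh audit 64` on each Ethernet host; any interface reported as `too-short` needs its own `net.ipv6.conf.<interface>.accept_ra_rt_info_max_plen=64` line.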