IPv6 Policy Routing and OpenVPN
-
Thanks for your reply, but I receive a /64 from my ISP on each "tracked" interface, so the prefix ID can be 100, right?
hexadecimal from 0 to ffff
-
No. It depends on what prefix you receive. Is it /48, /56 or /60? So with /56 you can choose between 00 and ff and then you have 256 subnets with one /64 for each LAN interface.
-
How do I check what prefix I receive? I'm not sure.
-
@pfadmin said in IPv6 Policy Routing and OpenVPN:
/48, /56 or /60
I just read that I receive a /48 net on my ISP's website. Just info.
-
@Cathal1201 said in IPv6 Policy Routing and OpenVPN:
I just read that I receive a /48 net on my ISP's website. Just info.
Then you'll only get 65536 /64s.
Your prefix ID range should be 0 - ffff.
-
@Cathal1201 said in IPv6 Policy Routing and OpenVPN:
I just read that I receive a /48 net on my ISP's website. Just info.
Then you should hint a /48 and then 100 is allowed. You can do packet sniffing on WAN and then reconnect. Somewhere you should find the prefix in the dhcp6 answer from the ISP.
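Added example, not part of any post in this thread: a small Python helper that works out the prefix ID range for a given delegation length (/48, /56, /60) and derives the per-interface /64 the way a "track interface" setup does. The delegated prefix and the interface IDs (LAN 1, GAME 2, HOUSE ff) are constructed values for illustration.

```python
import ipaddress

# Constructed documentation prefix; the thread never shows the real delegation.
DELEGATED_PREFIX = "2001:db8:abcd::/48"


def prefix_id_bits(delegated_len: int) -> int:
    """Bits left for the prefix ID when every LAN gets a /64."""
    if not 0 < delegated_len <= 64:
        raise ValueError("delegation must be between /1 and /64")
    return 64 - delegated_len


def max_prefix_id(delegated_len: int) -> int:
    """Largest usable prefix ID, e.g. 0xffff for a /48, 0xff for a /56."""
    return (1 << prefix_id_bits(delegated_len)) - 1


def subnet_for_id(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Build the /64 derived from the delegated prefix plus a prefix ID."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    limit = max_prefix_id(net.prefixlen)
    if not 0 <= prefix_id <= limit:
        raise ValueError(
            f"prefix ID {prefix_id:x} out of range 0-{limit:x} for /{net.prefixlen}"
        )
    # The ID sits in the bits between the delegated prefix and the /64 boundary,
    # i.e. just above the 64-bit interface identifier.
    addr = int(net.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((addr, 64))


def plan_interfaces(delegated: str, ids: dict) -> dict:
    """Map interface name -> /64 for the prefix IDs chosen in the thread."""
    return {name: subnet_for_id(delegated, pid) for name, pid in ids.items()}


if __name__ == "__main__":
    # Constructed interface plan matching the thread's LAN (1), GAME (2), HOUSE (ff).
    for dlen in (48, 56, 60):
        print(f"/{dlen}: prefix IDs 0-{max_prefix_id(dlen):x}")
    for name, net in plan_interfaces(DELEGATED_PREFIX, {"LAN": 0x1, "GAME": 0x2, "HOUSE": 0xff}).items():
        print(f"{name:6} {net}")
```

With a /56 delegation the same helper rejects ID 100 (hex), which is why the delegation length decides whether that ID is usable.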
-
@JKnott said in IPv6 Policy Routing and OpenVPN:
Then you'll only get 65536 /64s.
Only :-)
Your prefix ID range should be 0 - ffff.
I have changed my prefix to LAN (1), GAME (2) and HOUSE (ff) - but no effect on the policy routing issue. :-(
-
@pfadmin said in IPv6 Policy Routing and OpenVPN:
Then you should hint a /48 and then 100 is allowed. You can do packet sniffing on WAN and then reconnect. Somewhere you should find the prefix in the dhcp6 answer from the ISP.
Use Packet Capture and filter on port 546 or 547. There will be some XID lines and you can dig through them with Wireshark.
-
@pfadmin said in IPv6 Policy Routing and OpenVPN:
Then you should hint a /48 and then 100 is allowed. You can do packet sniffing on WAN and then reconnect. Somewhere you should find the prefix in the dhcp6 answer from the ISP.
I'm "hinting" my ISP for /48 and get all my IP subnets assigned to LAN, GAME and HOUSE without any issues. They get a /64 each. That part works just fine. All my tests on various IPv6 test sites show that it works.
Why would this be an issue when it comes to my policy routing problem to the OpenVPN interface? The OpenVPN (OPT1) gets a /80 address. Does that matter?
I still have the same problem...
-
-
Yep.
-
-
All my rules have * or default for gateway. I didn't specify anything for any of them.
-
So the prefix is ok; it came up as an idea because originally you didn't tell the prefix length.
So, your rules seem to be ok. I don't know enough about policy routing, but the docs look the same.
I think you use the wrong IPv6 address as gateway. It should be a fe80:: link local, because it's IPv6. But this is not that clear to me. Only a guess. Look at the Routing tab, the WAN IPv6 gateway is fe80:xxxx... Delete for testing the source and test it. When it works, "HOUSEVLAN net" delivers the wrong IPv6 net.
-
@pfadmin said in IPv6 Policy Routing and OpenVPN:
Interface OPT1
Gateway from VPN provider
I think you use the wrong IPv6 address as gateway. It should be a fe80:: link local, because it's IPv6. But this is not that clear to me. Only a guess. Look at the Routing tab, the WAN IPv6 gateway is fe80:xxxx...
And everything looks good, I don't see why I should use a link-local address instead?
From my desktop, I can ping the interface OPT1, but not the OPT1_VPNV6 address. That points to a routing problem for sure, but the routing table is confusing to me.
How can I change the gateway address?
Delete for testing the source and test it. When it works, "HOUSEVLAN net" delivers the wrong IPv6 net.
What do you mean?
-
@Cathal1201 said in IPv6 Policy Routing and OpenVPN:
Delete for testing the source and test it. When it works, "HOUSEVLAN net" delivers the wrong IPv6 net.
What do you mean?
Configure "*" as Source and not "HOUSEVLAN net", and test it. If it works, the problem is within "HOUSEVLAN net". If not, rewind it back to "HOUSEVLAN net".
Link-local addresses are often used to route, but that is not so clear to me that I could explain it to you.
Try this first:
Ok, think about the gateway. Does it know where the network of your desktop is? You reach OPT1 because pfSense is your default gateway. You reach OPT1_VPNV6 from OPT1 because it's the same network. You reach OPT1_VPNV6 from the desktop because your default gateway knows the OPT1_VPNV6 network, BUT OPT1_VPNV6 doesn't know about the network of your desktop. The answer is sent to the gateway's default gateway. This is often the problem with IPv4 and I guess it is with IPv6 too.