Netgate Discussion Forum

IPv6 Policy Routing and OpenVPN

Category: IPv6
18 Posts 3 Posters 1.1k Views
Cathal1201, Apr 7, 2020, 2:49 PM (last edited Apr 7, 2020, 4:41 PM)

    Hello Everyone,

I have a pfSense 2.4.5 with three internal interfaces (LAN, GAME and HOUSE) and a WAN. Everyone receives IPv6 from the ISP via Track Interface. Each interface has a different IPv6 Prefix ID (1, 50, 100) and I have configured DHCPv6 to share addresses from ::8:20 to ::8:2000 as well as set Router Advertisements to Managed so that it is always handled by DHCPv6 - so no stateless autoconfig.

    It works really well and I can route between interfaces and out to the internet without any problems.

NOW here come the problems - I made an OpenVPN tunnel against https://www.OVPN.com where I got the OpenVPN tunnel up and running. That interface is called OPT1. I received an IPv6 address on the interface. In addition, I also have an IPv4 tunnel address on OPT1.
I have created a Route Policy that allows the HOUSE interface to route via OPT1_VPNV6. I've done the same thing on IPv4 and it works! BUT it does not work on IPv6.

    I can't route via OPT1_VPNV6 - it seems I made a config error somewhere, but I simply can't figure out where!

Is there anything I've overlooked? Why doesn't Policy Routing work? Do I need to mess with NDP? I already think IPv6 is difficult. I think I've looked through all the logs but can't figure out why it doesn't work. The ISP says it "should" work as others have similar setups.

    Please help!

    BR

pfadmin @Cathal1201, Apr 7, 2020, 3:41 PM

      @Cathal1201 said in IPv6 Policy Routing and OpenVPN:

      v6.

The prefix ID is hexadecimal, so 100 is not allowed for a /56 (I guess you get a /56); only 0 to ff is allowed.

      pfadmin

Cathal1201 @pfadmin, Apr 7, 2020, 4:29 PM (last edited Apr 7, 2020, 4:30 PM)

        @pfadmin

Thanks for your reply, but I receive a /64 from my ISP on each "tracked" interface, so the prefix ID can be 100, right?

        hexadecimal from 0 to ffff

pfadmin, Apr 7, 2020, 4:42 PM

No. It depends on what prefix you receive. Is it /48, /56 or /60? With a /56 you can choose between 00 and ff, and then you have 256 subnets, one /64 for each LAN interface.

Cathal1201 @pfadmin, Apr 7, 2020, 5:57 PM

            @pfadmin

            How do I check what prefix I receive? I'm not sure.

Cathal1201, Apr 7, 2020, 6:08 PM

              @pfadmin said in IPv6 Policy Routing and OpenVPN:

              /48, /56 or /60

              I just read that I receive a /48 net on my ISP's website. Just info.

JKnott @Cathal1201, Apr 7, 2020, 7:07 PM

                @Cathal1201 said in IPv6 Policy Routing and OpenVPN:

                I just read that I receive a /48 net on my ISP's website. Just info.

                Then you'll only get 65536 /64s. 😉

                Your prefix ID range should be 0 - ffff.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

pfadmin, Apr 7, 2020, 7:10 PM

                  @Cathal1201 said in IPv6 Policy Routing and OpenVPN:

                  I just read that I receive a /48 net on my ISP's website. Just info.

Then you should hint a /48, and then 100 is allowed. You can do packet sniffing on WAN and then reconnect. Somewhere you should find the prefix in the DHCPv6 answer from the ISP.

Cathal1201 @JKnott, Apr 7, 2020, 7:11 PM

                    @JKnott said in IPv6 Policy Routing and OpenVPN:

                    Then you'll only get 65536 /64s. 😉

                    Only :-)

                    Your prefix ID range should be 0 - ffff.

                    I have changed my prefix to LAN (1), GAME (2) and HOUSE (ff) - but no effect on the policy routing issue. :-(

JKnott @pfadmin, Apr 7, 2020, 7:20 PM

                      @pfadmin said in IPv6 Policy Routing and OpenVPN:

Then you should hint a /48, and then 100 is allowed. You can do packet sniffing on WAN and then reconnect. Somewhere you should find the prefix in the DHCPv6 answer from the ISP.

                      Use Packet Capture and filter on port 546 or 547. There will be some XID lines and you can dig through them with Wireshark.

Cathal1201 @pfadmin, Apr 7, 2020, 7:20 PM
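An added example, not code from this thread or from pfSense, for the packet-capture step just described: a small parser for the IA_PD (option 25) and IA_PREFIX (option 26) options of a DHCPv6 message (RFC 8415), which is where the delegated prefix and its length appear in the ISP's Advertise/Reply on UDP 546/547. The message bytes here are constructed (documentation prefix 2001:db8::/48, made-up transaction ID and IAID); in practice you would pass it the UDP payload of the Reply packet from the .pcap downloaded from the Packet Capture page.

```python
import struct
import ipaddress

OPT_CLIENTID = 1
OPT_IA_PD = 25
OPT_IAPREFIX = 26
MSG_NAMES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 5: "RENEW", 7: "REPLY"}


def iter_options(data: bytes):
    """Yield (code, payload) for a run of DHCPv6 options: 2-byte code, 2-byte length, payload."""
    offset = 0
    while offset + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, offset)
        offset += 4
        if offset + length > len(data):
            raise ValueError("truncated DHCPv6 option")
        yield code, data[offset:offset + length]
        offset += length


def delegated_prefixes(msg: bytes):
    """Parse one DHCPv6 message (UDP payload) and return (type, xid, [(prefix, preferred, valid)])."""
    if len(msg) < 4:
        raise ValueError("message too short for a DHCPv6 header")
    msg_type, xid = msg[0], msg[1:4].hex()
    prefixes = []
    for code, payload in iter_options(msg[4:]):
        if code != OPT_IA_PD or len(payload) < 12:
            continue
        # IA_PD payload: IAID(4) T1(4) T2(4), then nested options
        for sub_code, sub in iter_options(payload[12:]):
            if sub_code != OPT_IAPREFIX or len(sub) < 25:
                continue
            # IA_PREFIX payload: preferred(4) valid(4) prefix-length(1) prefix(16)
            preferred, valid, plen = struct.unpack_from("!IIB", sub, 0)
            addr = ipaddress.IPv6Address(sub[9:25])
            prefixes.append((ipaddress.IPv6Network((addr, plen), strict=False), preferred, valid))
    return MSG_NAMES.get(msg_type, str(msg_type)), xid, prefixes


def build_reply(xid: bytes, prefix: str, preferred: int = 3600, valid: int = 7200) -> bytes:
    """Construct a minimal DHCPv6 REPLY carrying one delegated prefix (sample input, not captured)."""
    net = ipaddress.IPv6Network(prefix)
    iaprefix = struct.pack("!IIB", preferred, valid, net.prefixlen) + net.network_address.packed
    ia_pd = struct.pack("!III", 0x0E2EDA39, 1800, 2880)          # constructed IAID, T1, T2
    ia_pd += struct.pack("!HH", OPT_IAPREFIX, len(iaprefix)) + iaprefix
    return bytes([7]) + xid + struct.pack("!HH", OPT_IA_PD, len(ia_pd)) + ia_pd


# Constructed samples: a REPLY delegating a /48, and a SOLICIT that carries no IA_PD at all.
SAMPLE_REPLY = build_reply(b"\x12\x34\x56", "2001:db8::/48")
SAMPLE_SOLICIT = bytes([1, 0xAB, 0xCD, 0xEF]) + struct.pack("!HH", OPT_CLIENTID, 4) + b"\x00\x01\x00\x02"

if __name__ == "__main__":
    for sample in (SAMPLE_REPLY, SAMPLE_SOLICIT):
        kind, xid, found = delegated_prefixes(sample)
        print(f"{kind} xid={xid}: " + (", ".join(f"{p} (pref {a}s, valid {b}s)" for p, a, b in found) or "no IA_PD"))
```

The prefix length printed for the Reply is the number that decides the prefix ID range; a /48 here means IDs 0 through ffff, a /56 would mean 0 through ff.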

                        @pfadmin said in IPv6 Policy Routing and OpenVPN:

Then you should hint a /48, and then 100 is allowed. You can do packet sniffing on WAN and then reconnect. Somewhere you should find the prefix in the DHCPv6 answer from the ISP.

I'm "hinting" my ISP for a /48 and get all my IP subnets assigned to LAN, GAME and HOUSE without any issues. They get a /64 each. That part works just fine. All my tests on various IPv6 test sites show that it works.

Why would this be an issue when it comes to my policy routing problem to the OpenVPN interface? The OpenVPN (OPT1) gets a /80 address. Does that matter?

                        I still have the same problem....

Cathal1201 @JKnott, Apr 7, 2020, 7:59 PM

                          @JKnott said in IPv6 Policy Routing and OpenVPN:

                          546 or 547

                          I guess this is it?

[screenshot]

JKnott @Cathal1201, Apr 7, 2020, 8:05 PM

                            @Cathal1201

                            Yep.

Cathal1201 @JKnott, Apr 7, 2020, 8:49 PM

                              @JKnott @pfadmin

Two small lines, but the first isn't working.

[screenshot]

A packet trace shows that I have many retransmissions on OPT1.

[screenshot]

                              Does it point to the VPN provider, that I can't route?

                              I'm really at a dead end and way over my abilities ☺

JKnott @Cathal1201, Apr 7, 2020, 8:53 PM

                                @Cathal1201

                                All my rules have * or default for gateway. I didn't specify anything for any of them.

pfadmin, Apr 8, 2020, 6:59 AM

So the prefix is OK; it came up as an idea because originally you didn't tell the prefix length.

So, your rules seem to be OK. I don't know enough about policy routing, but the docs look the same.
I think you use the wrong IPv6 address as gateway. It should be a fe80:: link-local, because it's IPv6. But this is not that clear to me. Only a guess. Look at the Routing tab, the WAN IPv6 gateway is fe80:xxxx...

For testing, delete the source and test it. When it works, "HOUSEVLAN net" delivers the wrong IPv6 net.

Cathal1201 @pfadmin, Apr 8, 2020, 7:03 PM

                                    @pfadmin said in IPv6 Policy Routing and OpenVPN:

Interface OPT1
[screenshot]

Gateway from VPN provider
[screenshot]

[screenshot]

I think you use the wrong IPv6 address as gateway. It should be a fe80:: link-local, because it's IPv6. But this is not that clear to me. Only a guess. Look at the Routing tab, the WAN IPv6 gateway is fe80:xxxx...

And everything looks good; I don't see why I should use a link-local address instead?

From my desktop, I can ping the interface OPT1, but not the OPT1_VPNV6 address. That points to a routing problem for sure, but the routing table is confusing to me.

[screenshot]

[screenshot]

How can I change the gateway address?

For testing, delete the source and test it. When it works, "HOUSEVLAN net" delivers the wrong IPv6 net.

                                    What do you mean?

pfadmin, Apr 8, 2020, 7:36 PM (last edited Apr 8, 2020, 7:37 PM)

                                      @Cathal1201 said in IPv6 Policy Routing and OpenVPN:

For testing, delete the source and test it. When it works, "HOUSEVLAN net" delivers the wrong IPv6 net.

                                      What do you mean?

Configure "*" as Source instead of "HOUSEVLAN net" and test it. If it works, the problem is within "HOUSEVLAN net". If not, change it back to "HOUSEVLAN net".

Link-local addresses are often used to route, but that is not so clear to me that I could explain it to you.

Try this first:
OK, think about the gateway. Does it know where the network of your desktop is? You reach OPT1 because pfSense is your default gateway. You reach OPT1_VPNV6 from OPT1 because it's the same network. You reach OPT1_VPNV6 from the desktop because your default gateway knows the OPT1_VPNV6 network, BUT OPT1_VPNV6 doesn't know about the network of your desktop. The answer is sent to the gateway's default gateway. This is often the problem with IPv4 and I guess it is with IPv6 too.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.