On Wed, Dec 8, 2010 at 7:44 PM, Simon Perreault <[email protected]> wrote:
> Stop right there. This cannot work.
>
> comcast --------<tunnel>------- OpenBSD ---------<LAN>---------...
>          2001:55c:dead:beef::/64         2001:55c:dead:beef:10::/80
>
> The address range you assign to your LAN overlaps with the address range
> assigned to the tunnel.
>

Okay, then I wasn't losing my mind thinking that this assignment sounded a bit 'off.'

> You need non-overlapping ranges.
>
> Usually, tunnel brokers give out two prefixes: one for the tunnel, and
> another for your LAN (see e.g. Hurricane Electric).
>

From all that I've read from Comcast, they give us 2001:55c::/32, we deduce the next /32 bits from our IPv4 IP, giving me 2001:55c:dead:beef::/64 to play with. I was never given another prefix for my LAN.

Following on Stuart's subsequent email, I changed rtadvd to hand out the above /64 to my local LAN. Which gave me a bit more progress, I can now ping6 the link local address fe80::20d:b9ff:fe1b:b64d%em0 for my router from clients on the LAN. But when I run traceroute6's from anywhere on the LAN (except the router) to the IPv6 Internet, I'm greeted with the following failures:

# traceroute6 ipv6.google.com
traceroute6 to ipv6.l.google.com (2001:4860:800f::63) from 2001:55c:dead:beef:5054:ff:feb0:6d7a, 64 hops max, 12 byte packets
 1  * * *
 2  * * *
 3  * * *
....

On the router watching tcpdump:

06:35:35.806099 2001:558:e0:52::1 > 2001:55c:dead:beef:5054:ff:feb0:6d7a: icmp6: time exceeded in-transit for iad04s01-in-x63.1e100.net (len 68, hlim 63)

watching pflog:

Dec 09 06:36:35.104640 rule 21/(match) pass in on vr1: fe80::5054:ff:feb0:6d7a > fe80::20d:b9ff:fe1b:b64d: [|icmp6]
Dec 09 06:36:35.104727 rule 21/(match) pass out on vr1: fe80::20d:b9ff:fe1b:b64d > fe80::5054:ff:feb0:6d7a: [|icmp6]
Dec 09 06:36:35.106639 rule 17/(match) pass out on gif0: 2001:55c:dead:beef::1 > 2001:55c:dead:beef:5054:ff:feb0:6d7a: [|icmp6]
Dec 09 06:36:40.097487 rule 17/(match) pass out on vr1: fe80::20d:b9ff:fe1b:b64d > fe80::5054:ff:feb0:6d7a: [|icmp6]

So it doesn't look like pf is blocking anything. It seems I've got all the OpenBSD bits set up correctly, and am almost ready to bounce this back to my ISP asking for more network information.

-Jeff
