On Thu 29 Aug 2013 18:37:53 BST, Todd T. Fries wrote:
Penned by Andy on 20130829  9:57.29, we have:
| Hi everyone,
|
| I'm hoping someone can help me as I'm not having much luck with adding
| IPv6 to the mix of our already working IPv4 setup.
|
| What should /etc/hostname.carpX look like for an IPv6 setup? Is this
| correct?
|
| inet 10.0.10.1 255.255.255.0 10.0.10.255 vhid 1 pass temppass advbase 3
| advskew 0
| inet6 2a00:7e0:0:a::1 64

Any 'inet6' except the first link local reference in a given hostname.if(4)
file should be followed by 'alias'.

Aka you need:

inet6 alias 2a00:7e0:0:a::1

The 64 is implicitly default; if you choose to explicitly list it, that's OK too.


Ah, of course! I have a ton of IPv4 aliases, but I didn't think to just add an IPv6 alias :)

| Or should I have a separate carpX interface for the IPv6?
|
| When I do a tcpdump on the master I see;
| Aug 29 14:36:56.416723 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
| CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33 (DF) [tos 0x10]
| Aug 29 14:36:56.416736 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
| fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1
| advbase=3 advskew=0 demote=33
| Aug 29 14:36:56.420823 08:00:27:71:f4:ca 33:33:00:00:00:01 86dd 86:
| fe80::1 > ff02::1: icmp6: neighbor adv: tgt is fe80::200:5eff:fe00:101
| Aug 29 14:36:56.420835 08:00:27:71:f4:ca 33:33:00:00:00:01 86dd 86:
| fe80::1 > ff02::1: icmp6: neighbor adv: tgt is 2a00:77e0:0:a::1
| Aug 29 14:36:57.638468 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
| CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
| Aug 29 14:36:57.641021 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
| fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1
| advbase=3 advskew=100 demote=0
| Aug 29 14:37:01.049324 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
| CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
| Aug 29 14:37:01.049685 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
| fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1
| advbase=3 advskew=100 demote=0
| Aug 29 14:37:04.458514 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
| CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
| Aug 29 14:37:04.462013 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
| fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1
| advbase=3 advskew=100 demote=0
| Aug 29 14:37:06.648983 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
| CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33 (DF) [tos 0x10]
| Aug 29 14:37:06.648996 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
| fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1
| advbase=3 advskew=0 demote=33
|
| I can see that the IPv6 CARP messages are using the link local address
| and not the global IPv6 addresses I have configured? Why?? :(
| This makes it really hard to write PF files as I would have to write
| filter rules considering each physical host's MAC addresses :(

Because multicast is on the local link not on the global addresses?

Can you not use pf to filter fe80::/8 address space?

Actually yes, that would be OK as it's only local to the link... I was thinking I would have to filter the individual EUI64 addresses, meaning I would have had to do something with puppet to pull MACs, etc. But fe80::/8 should be OK, thinking about it. Thanks.


| I'm also seeing errors stating that the inet6 carp address I have
| configured is a duplicate address! Although this could be due to the
| fact the firewalls are flapping between backup and master and there are
| going to be multi master periods.

I thought at one point there was a commit to ignore duplicate v6 ndp
due to this issue.  I can't find it right now though, so I don't know
if it is in 5.3 or not.

Now you mention it, I think I saw that in the release notes for -current (so should be 5.4). I'll ignore it for now. Thanks.


| net.inet.carp.allow=1
| net.inet.carp.preempt=1
| net.inet.carp.log=3
| net.inet6.ip6.forwarding=1
| net.inet6.ip6.redirect=0
| net.inet6.ip6.accept_rtadv=0
|
| I am also starting to read "Firewalling IPv6 with OpenBSD's pf (packet
| filter)".
|
| Thanks for your time, Andy.

Hope the above helps.

Thanks Todd, yes it does :) Can you recommend anything else that should be done for IPv6 filtering/forwarding other than the pf rules themselves? First time doing IPv6 on OBSD.

Cheers, Andy.
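An added example, not from the thread or from OpenBSD: a small Python audit of the IPv6 CARP advertisements quoted above. The sample lines are constructed from the tcpdump output in the thread (rejoined onto single lines, IPv6 advertisements only); the script checks that every advertisement travels from a link-local fe80::/10 source to ff02::12, which is why filtering on the link-local range is enough, and reports when more than one host advertises the same vhid, which is what the master/backup flapping looks like on the wire.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample: the IPv6 CARP advertisements from the thread's tcpdump,
# each rejoined onto one line (tcpdump wraps them over two lines).
SAMPLE = """\
Aug 29 14:36:56.416736 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33
Aug 29 14:36:57.641021 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0
Aug 29 14:37:01.049685 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0
Aug 29 14:37:04.462013 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0
Aug 29 14:37:06.648996 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33
"""

# Matches the IPv6 (ethertype 86dd) CARP advertisement lines only.
ADV = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) \S+ \S+ 86dd \d+: (?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): "
    r"CARPv2-advertise \d+: vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) "
    r"advskew=(?P<advskew>\d+) demote=(?P<demote>\d+)"
)
LINK_LOCAL = ipaddress.ip_network("fe80::/10")   # what CARP actually sources from
CARP_GROUP = ipaddress.ip_address("ff02::12")    # all-CARP multicast group

def parse(text):
    """Return one dict per IPv6 CARP advertisement found in tcpdump text."""
    out = []
    for line in text.splitlines():
        m = ADV.search(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("vhid", "advbase", "advskew", "demote"):
            d[k] = int(d[k])
        d["src"] = ipaddress.ip_address(d["src"])
        d["dst"] = ipaddress.ip_address(d["dst"])
        out.append(d)
    return out

def audit(advs):
    """Per vhid, list the distinct (source, advskew, demote) tuples and flag
    multi_master when more than one host advertised that vhid. Also return any
    advertisement not sent from fe80::/10 to ff02::12 (should be none)."""
    by_vhid = defaultdict(set)
    odd = []
    for a in advs:
        by_vhid[a["vhid"]].add((str(a["src"]), a["advskew"], a["demote"]))
        if a["src"] not in LINK_LOCAL or a["dst"] != CARP_GROUP:
            odd.append(a)
    report = {v: {"sources": sorted(s),
                  "multi_master": len({src for src, _, _ in s}) > 1}
              for v, s in by_vhid.items()}
    return report, odd

if __name__ == "__main__":
    rep, odd = audit(parse(SAMPLE))
    print(rep, "unexpected:", len(odd))
```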
