IPv6

Hi!

Not having any success in getting the DHCP server working with IPv6, I just wondered if I'm missing something.. Anyone got it working?
I'm using v1.3b18

/L

Hi beljar,

I have not had any luck getting the DHCPv6 server to work, although I have not tested the new 1.3 release yet. I was unable to get any response from the DHCPv6 server when I last tried. When I tried the same test on a D-Link DIR-615C1 (which supports DHCPv6) I was able to obtain an address.

-Matt

what size is your subnet for the LAN ?

your client should get an ip if you have RA enabled, even with DHCP turned off.

it works fine for me on win7 and ubuntu.

Hi brushedmoss -

With DHCPv6 disabled, I am able to get an IPv6 address via autoconfiguration and everything seems fine. However, I would like to use DHCPv6 to obtain my address instead. When I configure DHCPv6, I get no response from my monowall router. It almost appears as if the service is not even running.

-Matt

I have posted a fix, can you download

http://svn.m0n0.ch/wall/branches/freebsd6/phpconf/inc/filter.inc

and install to /etc/inc on your m0n0wall (use exec.php to upload and then copy to right location).

Then edit an ipv6 rule (don't have to make a change) and hit the apply button.  This will make m0n0 re-run the filter creation, which should now correct the problem

Hi brushedmoss,

Thank you very much for providing this fix. I tried it, but am still unable to obtain an address via DHCPv6.

I would like to confirm my settings though. On the IPv6 portion of the LAN configuration page I have set my IPv6 mode to static, assigned a LAN IPv6 address of 2004::1, and checked the "send IPv6 RA" and "managed address configuration" boxes. I have then gone to the DHCP Server configuration page and enabled the DHCPv6 server with a range of 2004::2 through 2004::50. All of these addresses are fictitious addresses I am using only for testing purposes. I also deleted and re-entered my IPv6 rules as per your instructions.

Am I missing anything obvious in my configuration?

Thanks!
-Matt

can you send me the output of running

ipfstat -6 -nioh

from exec.php ?

you should see a  line like this

1010 @2 pass in quick on fxp2 proto udp from any port = dhcpv6-client to ff02::1:2/128 port = dhcpv6-server

Also check you firewall logs , see if there is a deny , look for address ff02::1:2 ?

Hi brushedmoss,

I'm not seeing that line in my ipfstat output:

$ ipfstat -6 -nioh
0 @1 pass out quick on lo0 all
0 @2 pass out quick proto ipv6-icmp from any to any
79 @3 pass out quick proto ipv6-icmp from any to any
6 @4 pass out quick proto ipv6-icmp from any to any

2 @5 pass out quick proto ipv6-icmp from any to any
0 @6 pass out quick proto ipv6-icmp from any to any
0 @7 pass out quick proto ipv6-icmp from any to any
0 @8 pass out quick proto ipv6-icmp from any to any
5 @9 pass out quick on em0 all keep state

3 @10 pass out quick on em1 all keep state
8 @11 block out log quick all
0 @1 pass in quick on lo0 all
2 @2 pass in quick proto ipv6-icmp from any to any
79 @3 pass in quick proto ipv6-icmp from any to any

2 @4 pass in quick proto ipv6-icmp from any to any
2 @5 pass in quick proto ipv6-icmp from any to any
0 @6 pass in quick proto ipv6-icmp from any to any
0 @7 pass in quick proto ipv6-icmp from any to any
0 @8 pass in quick proto ipv6-icmp from any to any

0 @9 block in log quick on em1 from 2004::/64 to any
25 @10 block in log quick on em0 from !2004::/64 to any
0 @11 skip 1 in proto tcp from any to any flags S/FSRA
0 @12 block in log quick proto tcp from any to any

0 @13 block in log quick on em0 all head 10100
0 @14 block in log quick on em1 all head 10200
0 @15 block in log quick all
# Group 10100
0 @1 pass in quick from 2004::/64 to 2004::1/128 keep state group 10100

0 @2 pass in quick from any to any keep state group 10100
# Group 10200
0 @1 block in quick from any to any group 10200


I checked the firewall logs and it appears that DHCPv6 requests are still being blocked. I'm going to reset the state of my m0n0wall router and try building the config back up from scratch. I will report back shortly.

-Matt

Then the new filter.inc didn't work.

check that

ls -l /etc/inc/filter.inc

reports size of 34231 ?

If so, then it didn't regenerate the rules, you didn't have any problems reported with modifying a v6 rule and applying the changes ?

Hi brushedmoss,

I rebuilt my test config from scratch following your original instructions and now things seem to be working as expected!! Thank you for your help!

On a somewhat related note, another issue I've encountered is with simple pings to the m0n0wall router using LLAs. For some reason, the m0n0wall router will not respond to pings using LLAs, although it will if I use global IPv6 addresses. I have checked my IPv6 rules and it is not obvious to me why this is happening. Do you have any knowledge of this issue?

-Matt

Let me get you another new filter.inc :-( give me a few mins (if no-one interrupts me)

Thank you very much!!

-Matt

rename this attachment to .inc (board doesn't allow .inc files)

don't test on a remote box incase it breaks something, i have given it a basic test and seems good

Excellent! This new filter seems to have fixed the problem - thank you very much!

Will these updates make it into the next release of m0n0wall?

-Matt

I hope so.

I need to test this change a bit more then commit, and there is at least two other fixes pending for other problems that I am aware, then MK might roll it up to a release.

You could make a custom image if you have the time and skills (documented elsewhere on this board) which will make the change persistant.