Topic: m0n0wall does not respond to Neighbor Solicitation on WAN  (Read 9924 times)
« on: November 18, 2010, 19:59:42 »
TheDecker *
Posts: 4

Hi all!

I'm running a m0n0wall 1.32 setup on a VMware ESXi host.

Amongst other things, I've got the OPT2 interface running a network with an IPv4 subnet
routed from the outside. That works fine.

Now I want to set up IPv6 and my ISP assigned me the following:
   My Subnet: xxx:24e2:: /64

In accordance with that I configured m0n0wall the following way:
   WAN IPv6 address  : xxxx:24e2::2 /59 (static)
   WAN IPv6 gateway : xxxx:24e0::1 /59
   LAN IPv6 address   : xxxx:24e2:0:2:0:1 /96
   OPT2 IPv6 address  : xxxx:24e2:0:1:0:1 /96

One of the vHosts on the OPT2 interface now has been given a static IP from the subnet above.
   Test Host address   : xxxx:24e2:0:1:0:8 (attached to OPT2)

When I ping a host in the LAN subnet (i.e. xxxx:24e2:0:2:0:2) it works perfectly, ECHO REQUEST goes out, ECHO RESPONSE comes back.

When I ping a host on the Internet, the problem appears:
The ECHO REQUEST goes out fine, but when the ISP attempts to route the reply back to me, it sends an IPv6 Neighbor Solicitation asking for the route to xxxx:24e2:0:1:0:8.

That Neighbor Solicitation arrives at m0n0wall, but my router (the m0n0wall box) doesn't respond, meaning that the ISP router doesn't find a route to the pinging host (xxxx:24e2:0:1:0:8) and the ECHO REPLY never makes it back from the internet.

Does anyone have an idea what might be the problem?

TheDecker
« Reply #1 on: November 24, 2010, 19:31:50 »
TheDecker *
Posts: 4

Can anyone confirm the bug?

Does anyone have a working setup with IPv6 on WAN (no tunnel) ?
« Reply #2 on: November 24, 2010, 20:45:17 »
brushedmoss ****
Posts: 446

Your ISP is DSL or cable modem or ???  The opt and lan interfaces are not neighbours of the wan, they are routed subnets, so I don't see why you receive this on your wan and not routed via your wan subnet
« Reply #3 on: November 24, 2010, 20:54:49 »
TheDecker *
Posts: 4

Actually I'm talking about a hosting provider where I have a dedicated server. The m0n0wall installation runs as a virtual machine on that dedicated server.

The hoster's network requests a route to my subnet via IPv6 Neighbor Solicitation message, which arrives at m0n0wall on the WAN interface, but m0n0wall doesn't respond.
« Reply #4 on: November 24, 2010, 22:14:17 »
brushedmoss ****
Posts: 446

, which strikes me as unusual. Does the hosting provider have sample configs? Check out 7.2.r. Here http://www.faqs.org/rfcs/rfc2461.html

This could only work if m0n0wall was to respond as a proxy.
« Reply #5 on: November 25, 2010, 06:32:35 »
TheDecker *
Posts: 4

Ah, thanks for that insight. I understand what you mean. Apparently the hosting provider expects the assigned subnet to be used "on-link" (that is, iirc, in the same L2 segment).

In that case I understand why m0n0wall is not responding.

Thanks so far for the help, although it does not yet solve the problem.

Do you know of any possibility to, as a workaround, enable m0n0wall to act as a proxy for neighbor solicitations? Or at least as a "transparent" firewall for IPv6? (The latter would probably be possible through a dedicated interface that is bridged, I assume?)

TheDecker
« Reply #6 on: November 25, 2010, 08:57:44 »
brushedmoss ****
Posts: 446

http://tools.ietf.org/html/rfc4389 indicates this is desired in some situations. FreeBSD has the ndp -s option which might help, but I'd have to do some research.  I would have thought the provider would route the subnet, as this RFC is experimental.
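
The situation diagnosed in this thread, as an added example that is not part of the original posts: it models why the upstream router solicits a host behind OPT2 and why the firewall stays silent. The addresses are constructed from the 2001:db8::/32 documentation range to mirror the masked ones above, and the function names and the assumption that the upstream router uses the same /59 as the WAN are hypothetical.

```python
import ipaddress

def solicited_node(addr):
    """Multicast group an NS for addr is sent to: ff02::1:ff00:0/104 plus the low 24 bits."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def diagnose(wan, inner, target, proxied=()):
    """Model the upstream router's view of `target` and whether the firewall answers its NS.

    Assumption: the upstream router uses the same prefix length as the firewall's WAN address.
    `proxied` lists addresses the firewall would answer for as a neighbor proxy."""
    wan_if = ipaddress.IPv6Interface(wan)
    tgt = ipaddress.IPv6Address(target)
    # Upstream resolves anything inside the WAN prefix with NS instead of routing it.
    on_link = tgt in wan_if.network
    # A router only answers NS for its own address on that link or for proxied entries.
    answers = tgt in ({wan_if.ip} | {ipaddress.IPv6Address(p) for p in proxied})
    # Which routed inner interface actually holds the target, if any.
    behind = next((name for name, cidr in inner.items()
                   if tgt in ipaddress.IPv6Interface(cidr).network), None)
    return {
        "upstream_sees_on_link": on_link,
        "ns_group": str(solicited_node(tgt)),
        "firewall_answers_ns": answers,
        "behind": behind,
        # Replies are dropped upstream: NS is sent, nobody on the WAN segment answers.
        "ns_black_hole": on_link and not answers and behind is not None,
    }

# Constructed sample mirroring the layout in the first post (not the poster's real prefix).
WAN = "2001:db8:0:24e2::2/59"
INNER = {"LAN": "2001:db8:0:24e2:0:2:0:1/96", "OPT2": "2001:db8:0:24e2:0:1:0:1/96"}
HOST = "2001:db8:0:24e2:0:1:0:8"

if __name__ == "__main__":
    for label, proxied in (("as configured", ()), ("with proxy entry", (HOST,))):
        print(label)
        for key, value in diagnose(WAN, INNER, HOST, proxied).items():
            print(f"  {key}: {value}")
```

Passing the host in `proxied` models the neighbor proxy behaviour discussed in the last replies; the alternative fix is for the provider to route the /64 to the WAN address so the host is no longer on-link from its side.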
 