[eduVPN-deploy] NDP problems using public IPv6

François Kooman fkooman at deic.dk
Mon Sep 12 23:52:28 CEST 2022


Hi Pascal,

Ah! You have two interfaces with public addresses. You probably have to 
do "source routing":

https://github.com/eduvpn/documentation/blob/v3/SOURCE_ROUTING.md

The "Making it permanent" still needs to be updated for Debian, didn't 
get around to that yet. If you find out how to do that, please let me know :)

Regards,
François


On 12.09.22 13:49, Pascal Panneels wrote:
> Hi François,
> 
>>> net.ipv4.ip_forward = 1
>>> net.ipv4.conf.all.proxy_arp = 1
>>> net.ipv6.conf.all.forwarding = 1
>>> net.ipv6.conf.all.proxy_ndp = 1
>>
>> All that should be needed is the sysctl options that are already set in
>> /etc/sysctl.d/70-vpn.conf (by default).
> 
> Yes, that's the content of the file (btw, I've added 
> net.ipv6.conf.all.proxy_ndp = 1 as it is not defined there as standard 
> if I remember well)
> 
>> Do you have a "non-standard" IPv6 deployment on that site?
>>
>> The configuration assumes that (just like it would be with IPv4) the
>> IPv6 prefix that is to be assigned to the VPN clients is routed to the
>> public IPv6 address of the VPN server by the first router in the path
>> (and allow egress from this prefix as well arriving from the VPN
>> server's public IPv6 address).
> 
> As you may remember, we are hosting (and managing) VM servers for our 
> customers; the servers are in our premises and the link with the 
> customer's networks is (currently) done via a dedicated VLAN that 
> travels from the customer's router through the BB and terminates on the 
> eduvpn server. IPv4 and IPv6 addresses are assigned to each end of the 
> VLAN, one being on the eduvpn server.
> The customer gave us a public IPv6 subrange (a /64) from his assigned range.
> I've split his range into several /111, each assigned to a couple of 
> vpn profiles.
> 
> 
>> Of course, this all assumes that you use a *static* IPv6 address on the
>> VPN server and have the routing properly configured in your router.
> 
> Static IPv6 addresses are used.
> The /64 is routed by the server into the dedicated ethernet interface 
> where the VLAN ends (eth1 in the attached file).
> 
>> Make sure you update the VPN server firewall to allow the forwarding
>> to/from the correct IP ranges and disable NAT there. Even without *any*
>> firewall rules on the VPN server it should work, so you can temporarily
>> disable the entire firewall to see if that helps.
> 
> NAT is indeed disabled (no NAT table rules defined).
> 
> I've also tested by setting ACCEPT as default policy and ip6tables 
> flushed (no rule) without any success so far.
> 
> The only way I've found to make it work is to issue following command 
> (for example):
> 
> ip -6 neigh add proxy 2001:6a8:2100:136::2:3 dev eth1
> 
> After that, 2001:6a8:2100:136::2:3 (=an IPv6 address assigned to a VPN client) 
> can use the IPv6 network and ping or use any allowed traffic to internal 
> servers... but I cannot use the new script feature to apply it to 
> connections being set up. (back to the purpose of my initial mail :-) )
> 
>> Can you provide the output of `ip6tables -S` and `ip6tables -S -t nat`
>> and `ip -6 addr show`
> 
> see attached.
> 
> -- 
> 
> *Pascal Panneels*
> *System Architect*
> *Belnet - Services*
> WTC III
> Simon Bolivarlaan 30 Boulevard Simon Bolivar
> Brussel 1000 Bruxelles
> België - Belgique
> T: +32 2 790 33 33
> *https://www.belnet.be* <http://www.belnet.be>
> 
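Pascal's manual workaround (adding an NDP proxy entry for each client address on eth1) can be wired into a per-connection script hook. The script below is an added example, not part of this thread or of the eduVPN project's code: it assumes the hook invokes it with two arguments, an event code (C for connect, D for disconnect) and the client's IPv6 address, and it uses eth1 and the 2001:6a8:2100:136::/64 range from the thread as the proxy interface and the only range it will proxy, refusing anything else before the value reaches ip(8).

```shell
#!/bin/sh
# ndp-proxy.sh <C|D> <client-ipv6>   (calling convention is an assumption)
# Adds or removes a proxy-NDP entry so the upstream router's neighbour
# solicitation for a VPN client address is answered on eth1.
set -e

PROXY_DEV="${PROXY_DEV:-eth1}"                         # VLAN-facing interface
PROXY_PREFIX="${PROXY_PREFIX:-2001:6a8:2100:136:}"     # textual start of the /64
DRY_RUN="${DRY_RUN:-0}"                                # 1 = print, do not run

# Map the hook's event code to the `ip -6 neigh` verb; fail on anything else.
event_to_verb() {
    case "$1" in
        C) echo add ;;
        D) echo del ;;
        *) return 1 ;;
    esac
}

# Only proxy addresses that sit inside the routed /64. This is a textual
# check on the form the VPN server hands out, not a full prefix computation.
in_prefix() {
    case "$1" in
        "$PROXY_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the exact ip(8) command for one event; return 1 on invalid input.
ndp_proxy_cmd() {
    verb=$(event_to_verb "$1") || return 1
    addr="$2"
    # Reject empty values and anything that is not hex digits and colons,
    # so a malformed address can never become extra shell words.
    case "$addr" in ""|*[!0-9a-fA-F:]*) return 1 ;; esac
    in_prefix "$addr" || return 1
    echo "ip -6 neigh $verb proxy $addr dev $PROXY_DEV"
}

# Run the command (needs root); under DRY_RUN=1 just print it.
ndp_proxy_apply() {
    cmd=$(ndp_proxy_cmd "$1" "$2") || {
        echo "ndp-proxy: refusing event '$1' address '$2'" >&2
        return 1
    }
    if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
}

if [ "$#" -eq 2 ]; then
    ndp_proxy_apply "$1" "$2"
fi
```

Removing the entry on disconnect matters as much as adding it: stale proxy entries keep answering for addresses the server no longer serves.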