pfSense bugtracker https://redmine.pfsense.org/
pfSense - Feature #2117: 6RD support for ISPs like Swisscom https://redmine.pfsense.org/issues/2117?journal_id=7658 2012-01-25T05:48:48Z Seth Mos seth.mos@dds.nl
<p>Got a reply from Swisscom clarifying their 6RD deployment, past trial, now production.</p>
<p>Our productive network uses 6rd, the trial phase is finished. The firmware with IPv6/6rd support is currently rolled out to about 500'000 customer routers, which is almost a third of our customer base. Free.fr has twice that number of customers, and other ISPs such as Softbank in Japan or Fastweb in Italy are also using 6rd. We will not implement DHCP-PD on the current generation of our network. Once all users are migrated to the next generation of networks we will reconsider this situation, but that won't happen before 2015.</p>
<p>So, yes, we need to add a 6RD stf adapter iirc. Or port and fix one of the existing patches.</p>
<p>Forum post.<br /><a class="external" href="http://forum.pfsense.org/index.php/topic,45102.0.html">http://forum.pfsense.org/index.php/topic,45102.0.html</a></p>
pfSense - Feature #2117: 6RD support for ISPs like Swisscom https://redmine.pfsense.org/issues/2117?journal_id=7659 2012-01-25T05:49:10Z Seth Mos seth.mos@dds.nl
<ul><li><strong>Priority</strong> changed from <i>Low</i> to <i>High</i></li></ul>
pfSense - Feature #2117: 6RD support for ISPs like Swisscom https://redmine.pfsense.org/issues/2117?journal_id=7662 2012-01-25T16:16:36Z Seth Mos seth.mos@dds.nl
<ul><li><strong>Priority</strong> changed from <i>High</i> to <i>Normal</i></li></ul><p>A healthy chunk of code is already in there. Come to think of it, 6to4 is very similar to this, but the patch for stf isn't applying against 9.</p>
<p>I've emailed hrs@ but that might take a while.</p>
<p>I might be able to work 6to4 support in, but that takes extra time and the IETF deprecated support for 6to4.</p>
<p>The largest difference between the 2 is that 6RD tunnels are terminated on ISP equipment and are thus a lot faster and more reliable than tunneling across the world to the 1st anycasted relay.</p>
pfSense - Feature #2117: 6RD support for ISPs like Swisscom https://redmine.pfsense.org/issues/2117?journal_id=7681 2012-01-27T17:52:51Z Seth Mos seth.mos@dds.nl
<p>Earlier 6rd work. <a class="external" href="http://bougaidenpa.org/masakazu/archives/54">http://bougaidenpa.org/masakazu/archives/54</a></p>
pfSense - Feature #2117: 6RD support for ISPs like Swisscom https://redmine.pfsense.org/issues/2117?journal_id=7715 2012-02-01T07:46:00Z Seth Mos seth.mos@dds.nl
<p>From reading the sparse documentation, one needs to calculate the IPv6 prefix address for the broker inside the given prefix.</p>
<p>So with a prefix of 2a02:1200::/28 that would add up to the following prefix.</p>
<p>Broker IPv4<br />193 5 122 254<br />2a02:12<193>:<5><122>:<254>0::/28<br />route add -inet6 default 2a02:12c1:57a:fe0:0:0:0:1</p>
<p>Local stf0 prefix based on the WAN IPv4<br />2a02:125e:d3de:5c0::/28</p>
<p>This would assign a /60 to each user where they can pick a network from the last 16 bits of the number iirc. Need to verify with Swisscom if the calculus is right.</p>
<p>[2.1-DEVELOPMENT][<a class="email" href="mailto:root@leaf.dnsalias.org">root@leaf.dnsalias.org</a>]/root(6): ifconfig stf0<br />stf0: flags=1<UP> metric 0 mtu 1280<br /> inet6 2a02:125e:d3de:5c0:: prefixlen 28<br /> nd6 options=3<PERFORMNUD,ACCEPT_RTADV></p>
pfSense - Feature #2117: 6RD support for ISPs like Swisscom https://redmine.pfsense.org/issues/2117?journal_id=7883 2012-02-20T05:27:12Z Seth Mos seth.mos@dds.nl
<p>Ok, further testing reveals we need RFC 5969 6rd standards track. That means support for differing IPv4 prefix lengths which only the patch from Masakazu-san does.</p>
<p>The FreeBSD 8.3 builds are now built with this patch and rudimentary testing reveals the incoming path works.</p>
<p>[code]<br /># configure the srd device<br />ifconfig srd0 v4plen 0 pfix 2a02:1200:: plen 28 braddr 193.5.122.254<br /># add a single address for communication<br />ifconfig srd0 inet6 2a02:1205:25ea:19b0:: prefixlen 128<br /># ifconfig srd0<br />srd0: flags=1<UP> metric 0 mtu 1280<br /> inet6 2a02:1205:25ea:19b0:: prefixlen 128<br /> nd6 options=8043<PERFORMNUD,ACCEPT_RTADV,DEFAULTIF><br /> srd: v4plen 0 pfix 2a02:1200:: plen 28 braddr 193.5.122.254<br />[/code]</p>
<p>Send a ping from the IPv6 internet to the configured inet6 on srd0.<br />[code]<br />seth@ratchet:~$ ping6 -c1 2a02:1205:25ea:19b0::<br />PING 2a02:1205:25ea:19b0::(2a02:1205:25ea:19b0::) 56 data bytes</p>
<p>--- 2a02:1205:25ea:19b0:: ping statistics ---<br />1 packets transmitted, 0 received, 100% packet loss, time 0ms<br />[/code]</p>
<p>This shows incoming traffic from the 6rd broker relay on the doorstep.</p>
<p>[code]<br />[2.1-DEVELOPMENT][<a class="email" href="mailto:root@pfsense.localdomain">root@pfsense.localdomain</a>]/root(12): tcpdump -nvei em0 host 193.5.122.254<br />tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes<br />11:26:51.901986 00:d0:ff:f8:ac:00 > 00:50:56:83:00:0b, ethertype IPv4 (0x0800), length 138: (tos 0x0, ttl 248, id 37098, offset 0, flags [none], proto IPv6 (41), length 124)<br /> 193.5.122.254 > 82.94.161.155: (hlim 56, next-header ICMPv6 (58) payload length: 64) 2001:67c:226c:e065::1:1 > 2a02:1205:25ea:19b0::: ICMP6, echo request, length 64, seq 1<br />^C<br />1 packets captured<br />[/code]</p>
<p>The ping6 packet is successfully logged in the pfSense UI as I had a rule for logging all IPv6 traffic on this box.</p>
<p>The problem here is that it is not possible to reach the IPv6 internet because setting the gateway does not currently work.</p>
<p>[code]<br />[2.1-DEVELOPMENT][<a class="email" href="mailto:root@pfsense.localdomain">root@pfsense.localdomain</a>]/root(19): route add -inet6 default ::1 -ifp srd0<br />add net default: gateway ::1<br />[/code]</p>
<p>This command does take and it shows in the routing table.</p>
<p>[code]<br />Internet6:<br />Destination Gateway Flags Netif Expire<br />default ::1 UGS srd0<br />::1 ::1 UH lo0<br />[/code]</p>
<p>But I can't get anything out onto the internet with it.</p>
<p>[code]<br />[2.1-DEVELOPMENT][<a class="email" href="mailto:root@pfsense.localdomain">root@pfsense.localdomain</a>]/root(13): ping6 ipv6.google.com<br /><abbr title="56=40+8+8 bytes">PING6</abbr> 2a02:1205:25ea:19b0:: --> 2a00:1450:400c:c01::67<br />ping6: sendmsg: Network is unreachable<br />ping6: wrote ipv6.l.google.com 16 chars, ret=-1<br />^C<br />--- ipv6.l.google.com ping6 statistics ---<br />1 packets transmitted, 0 packets received, 100.0% packet loss<br />[/code]</p>
<p>Complete log<br /><a class="external" href="http://www.pastie.org/private/j6ufhloh2kqesznee6y8na">http://www.pastie.org/private/j6ufhloh2kqesznee6y8na</a></p>
pfSense - Feature #2117: 6RD support for ISPs like Swisscom https://redmine.pfsense.org/issues/2117?journal_id=7909 2012-02-21T03:11:21Z Seth Mos seth.mos@dds.nl
<ul><li><strong>File</strong> <a href="/attachments/518">firewall traffic pass srd0.PNG</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/518/firewall%20traffic%20pass%20srd0.PNG">firewall traffic pass srd0.PNG</a> added</li></ul>
pfSense - Feature #2117: 6RD support for ISPs like Swisscom https://redmine.pfsense.org/issues/2117?journal_id=8545 2012-04-01T13:47:58Z Seth Mos seth.mos@dds.nl
<ul><li><strong>File</strong> <a href="/attachments/576">6rd-2.pcap</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/576/6rd-2.pcap">6rd-2.pcap</a> added</li><li><strong>File</strong> <a href="/attachments/577">6rd.pcap</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/577/6rd.pcap">6rd.pcap</a> added</li></ul><p>Ok, I've switched the tree back to the modified stf device which does receive IPv6 packets by proto 41 and can also send packets by IP proto 41.</p>
<p>However, 2 way comms still does not work. No replies inbound, no replies outbound.<br />2 packet captures. 1 for proto 41 traffic in general. Another against the 6rd host.</p>
pfSense - Feature #2117: 6RD support for ISPs like Swisscom https://redmine.pfsense.org/issues/2117?journal_id=8592 2012-04-06T07:01:04Z Seth Mos seth.mos@dds.nl
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li></ul><p>More debugging revealed the following, SwissCom and ATT do not filter inbound IPv6 traffic for IPv4 space they do not own.<br />So inbound always works, but the reply traffic is dropped by SwissCom and ATT.</p>
<p>However, not all is lost, because Charter and Sakura do not filter their 6rd relay traffic at all.</p>
<p>Charter is <a class="external" href="http://www.myaccount.charter.com/customers/Support.aspx?SupportArticleID=2665#ipv6prep">http://www.myaccount.charter.com/customers/Support.aspx?SupportArticleID=2665#ipv6prep</a><br />2602:100::/32 -> 68.114.165.1<br />16 bytes from 2a00:1450:400c:c01::63, icmp_seq=0 hlim=51 time=215.957 ms</p>
<p>Sakura is <a class="external" href="http://research.sakura.ad.jp/6rd-trial/">http://research.sakura.ad.jp/6rd-trial/</a><br />2001:e41::/32 -> 61.211.224.125<br />16 bytes from 2a00:1450:400c:c01::63, icmp_seq=0 hlim=50 time=507.456 ms</p>
<p>That should suffice for basic testing.</p>
pfSense - Feature #2117: 6RD support for ISPs like Swisscom https://redmine.pfsense.org/issues/2117?journal_id=8669 2012-04-16T10:03:59Z Seth Mos seth.mos@dds.nl
<p>Add an Enable 6rd checkbox on the 6rd or DHCP4 settings to automatically configure 6rd from DHCP option 212.</p>
<p><a class="external" href="http://forum.pfsense.org/index.php/topic,48116.msg255523.html#msg255523">http://forum.pfsense.org/index.php/topic,48116.msg255523.html#msg255523</a></p>
pfSense - Feature #2117: 6RD support for ISPs like Swisscom https://redmine.pfsense.org/issues/2117?journal_id=8840 2012-05-07T18:06:40Z Chris Buechler cbuechler@gmail.com
<ul><li><strong>Target version</strong> changed from <i>8</i> to <i>2.1</i></li></ul>
pfSense - Feature #2117: 6RD support for ISPs like Swisscom https://redmine.pfsense.org/issues/2117?journal_id=10386 2013-01-25T13:55:28Z Ermal Luçi eri@pfsense.org
<p>Variable prefix for ipv4 has been committed.<br />GUI fixes are needed to be done now to allow this to be configured.</p>
pfSense - Feature #2117: 6RD support for ISPs like Swisscom https://redmine.pfsense.org/issues/2117?journal_id=11035 2013-03-05T21:28:53Z Chris Buechler cbuechler@gmail.com
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul>
pfSense - Feature #2117: 6RD support for ISPs like Swisscom https://redmine.pfsense.org/issues/2117?journal_id=11042 2013-03-06T03:15:56Z Chris Buechler cbuechler@gmail.com
<ul><li><strong>Status</strong> changed from <i>Resolved</i> to <i>New</i></li><li><strong>Target version</strong> changed from <i>2.1</i> to <i>2.2</i></li></ul><p>This wasn't for 6rd in general as I thought, rather a diff type.</p>
pfSense - Feature #2117: 6RD support for ISPs like Swisscom https://redmine.pfsense.org/issues/2117?journal_id=14567 2014-08-22T10:40:36Z Chris Buechler cbuechler@gmail.com
<ul><li><strong>Target version</strong> deleted (<del><i>2.2</i></del>)</li></ul>
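The 6rd prefix arithmetic and the receive-side source check that this thread revolves around, as an added Python example following RFC 5969; it is not part of the original ticket and is not pfSense or FreeBSD code. The function names are hypothetical, the 2a02:1200::/28 prefix, relay 193.5.122.254, WAN address 82.94.161.155 and 2001:67c:226c:e065::1:1 are taken from the comments above, and the 2001:db8::/32, 10.1.2.3 and 198.51.100.7 inputs are constructed.

```python
import ipaddress

def delegated_prefix(sixrd_prefix, ce_ipv4, v4_mask_len=0):
    """6rd prefix bits followed by the CE IPv4 bits left after dropping
    the first v4_mask_len bits (the part common to the whole 6rd domain)."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    v4_bits = 32 - v4_mask_len
    plen = net.prefixlen + v4_bits
    if not 0 <= v4_mask_len <= 32 or plen > 64:
        raise ValueError("bad v4_mask_len or delegated prefix longer than /64")
    suffix = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << v4_bits) - 1)
    base = int(net.network_address) | (suffix << (128 - plen))
    return ipaddress.IPv6Network((base, plen))

def embedded_v4_bits(sixrd_prefix, ipv6_addr, v4_mask_len=0):
    """IPv4 suffix bits carried in a 6rd address; None if outside the domain."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    addr = ipaddress.IPv6Address(ipv6_addr)
    if addr not in net:
        return None
    v4_bits = 32 - v4_mask_len
    shift = 128 - net.prefixlen - v4_bits
    return (int(addr) >> shift) & ((1 << v4_bits) - 1)

def ce_accepts(sixrd_prefix, br_ipv4, outer_src, inner_src, v4_mask_len=0):
    """Receive-side check on a decapsulated protocol-41 packet: an inner source
    inside the 6rd domain must embed the outer IPv4 source; any other inner
    source is only acceptable when the outer source is the border relay."""
    outer = ipaddress.IPv4Address(outer_src)
    bits = embedded_v4_bits(sixrd_prefix, inner_src, v4_mask_len)
    if bits is None:
        return outer == ipaddress.IPv4Address(br_ipv4)
    return bits == (int(outer) & ((1 << (32 - v4_mask_len)) - 1))

if __name__ == "__main__":
    PFIX, BR = "2a02:1200::/28", "193.5.122.254"   # values from the thread
    print(delegated_prefix(PFIX, "82.94.161.155"))
    # Constructed case with a nonzero IPv4 mask length
    print(delegated_prefix("2001:db8::/32", "10.1.2.3", v4_mask_len=8))
    # Packet from the tcpdump above: relay outer source, native inner source
    print(ce_accepts(PFIX, BR, BR, "2001:67c:226c:e065::1:1"))
    # Constructed spoof: in-domain inner source, unrelated outer source
    print(ce_accepts(PFIX, BR, "198.51.100.7", "2a02:1205:25ea:19b0::1"))
```

With v4plen 0 the first call reproduces the address configured on srd0 in the 2012-02-20 comment, with a /60 prefix length.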