FIB's with IPv6

I have a VPS that has a working IPv6 connection. Now I want to add Hurricane Electric (HE) to the mix, so I could have certain applications go through the VPS and certain others through HE.

Code:
OS: FreeBSD 14.1-RELEASE
/boot/loader.conf:
net.fibs="5"
net.add_addr_allfibs="0"

For HE, here's what I've tried to do..

Code:
setfib 1 ifconfig gif0 create up
setfib 1 ifconfig gif0 tunnel 1.2.3.4 216.x.x.x mtu 1480
setfib 1 ifconfig gif0 inet6 2001:470:xx:xx::2 2001:470:xx:xx::1 prefixlen 128
setfib 1 route -6n add -host 2001:470:xx:xx::2 -iface gif0
setfib 1 route -6n add default 2001:470:xx:xx::1
add net default: gateway 2001:470:xx:xx::1 fib 1: Invalid argument <-- this error

Then I tried adding the default route this way:
Code:
setfib 1 route -6n add default -iface gif0 2001:470:xx:xx::1
add net default: gateway gif0 fib 1

However netstat -rn6F1 doesn't show the default route and obviously ping/ping6 fails with 'no route to host'.

So how can I use FIB's to add a second IPv6 gateway through HE?
 
With the HE tunnel I used to have I used a gateway like so:
Code:
route -6 add default -iface gif0
The gateway doesn't really need an address, there's only one way out of the tunnel (the other tunnel end-point).
 
Code:
setfib 1 route -6n add -host 2001:470:xx:xx::2 -iface gif0
Not needed. The 2001:470:xx:xx::2 address is set on the interface, this already creates an implicit route.
 
With the HE tunnel I used to have I used a gateway like so:
Code:
route -6 add default -iface gif0
The gateway doesn't really need an address, there's only one way out of the tunnel (the other tunnel end-point).
Ok, tried that, no errors, but ping still fails.

Code:
# setfib 1 netstat -rn6            
Routing tables (fib: 1)

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             link#2                        URS         lo0
default                           link#6                        US         gif0
::1                               link#2                        UHS         lo0
::ffff:0.0.0.0/96                 link#2                        URS         lo0
fe80::%lo0/10                     link#2                        URS         lo0
ff02::/16                         link#2                        URS         lo0

Code:
# setfib 1 ping6 2001:470:xx:xx::1
PING(56=40+8+8 bytes) 2001:470:xx:xx::2 --> 2001:470:xx:xx::1
ping6: sendmsg: No route to host
ping: wrote 2001:470:xx:xx::1 16 chars, ret=-1
ping6: sendmsg: No route to host
ping: wrote 2001:470:xx:xx::1 16 chars, ret=-1
^C
--- 2001:470:xx:xx::1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
 
Right, I remember I was never able to ping the other end of the tunnel. Try something like setfib 1 ping -6 www.google.com

Also ping6(8) doesn't really exist anymore, both IPv4 and IPv6 have been rolled into one ping(8) command. /usr/sbin/ping6 still exists, but it's hardlinked to /usr/sbin/ping. If you need IPv4 or IPv6 specifically you can use ping -4 ... or ping -6 ...
 
Right, I remember I was never able to ping the other end of the tunnel. Try something like setfib 1 ping -6 www.google.com

Also ping6(8) doesn't really exist anymore, both IPv4 and IPv6 have been rolled into one ping(8) command. /usr/sbin/ping6 still exists, but it's hardlinked to /usr/sbin/ping. If you need IPv4 or IPv6 specifically you can use ping -4 ... or ping -6 ...
I get 'ping: cannot resolve www.google.com: Name does not resolve' error.

I think this has to do with gif(4) being a virtual interface, and the errors are probably due to gif(4) referencing the main physical interface (fib 0), which obviously won't work. Meaning FIB's only work with physical interfaces rather than virtual ones.
 
I get 'ping: cannot resolve www.google.com: Name does not resolve' error.
Right, it does assume name resolving actually works (/etc/resolve.conf?). Pinging an IPv6 address might be better, ping 2001:4860:4860::8888 for example (Google's IPv6 equivalent of 8.8.8.8), at the very least an address somewhere beyond that tunnel endpoint address and your own assigned prefix. I suspect the tunnel endpoint isn't attached to anything, it's completely fictitious. You can't ping it, or use it as a gateway address. Also, the IPv6 tunnel addresses are different from the range(s) (you can get a /64 and/or a /48 prefix) you've been assigned.
 
Right, it does assume name resolving actually works (/etc/resolve.conf?). Pinging an IPv6 address might be better, ping 2001:4860:4860::8888 for example (Google's IPv6 equivalent of 8.8.8.8), at the very least an address somewhere beyond that tunnel endpoint address and your own assigned prefix. I suspect the tunnel endpoint isn't attached to anything, it's completely fictitious. You can't ping it, or use it as a gateway address. Also, the IPv6 tunnel addresses are different from the range(s) (you can get a /64 and/or a /48 prefix) you've been assigned.
Tried that and still failed..

Code:
# setfib 1 ping -I gif0 2001:470:xx:xx::1
PING(56=40+8+8 bytes) 2001:470:xx:xx::2 --> 2001:470:xx:xx::1
ping: sendmsg: No route to host
ping: wrote 2001:470:xx:xx::1 16 chars, ret=-1
ping: sendmsg: No route to host
ping: wrote 2001:470:xx:xx::1 16 chars, ret=-1
ping: sendmsg: No route to host
ping: wrote 2001:470:xx:xx::1 16 chars, ret=-1
^C
--- 2001:470:xx:xx::1 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
# setfib 1 ping -I gif0 2001:4860:4860::8888
PING(56=40+8+8 bytes) 2001:470:xx:xx::2 --> 2001:4860:4860::8888
ping: sendmsg: No route to host
ping: wrote 2001:4860:4860::8888 16 chars, ret=-1
ping: sendmsg: No route to host
ping: wrote 2001:4860:4860::8888 16 chars, ret=-1
^C
--- 2001:4860:4860::8888 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

Code:
# setfib 1 netstat -rn6                    
Routing tables (fib: 1)

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             link#2                        URS         lo0
default                           link#6                        US         gif0
::1                               link#2                        UHS         lo0
::ffff:0.0.0.0/96                 link#2                        URS         lo0
fe80::%lo0/10                     link#2                        URS         lo0
ff02::/16                         link#2                        URS         lo0
#
 
Also adding this in for context..

Code:
# setfib 1 route -6n get 2001:4860:4860::8888
   route to: 2001:4860:4860::8888
destination: ::
       mask: ::
        fib: 1
  interface: gif0
      flags: <UP,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1480         1         0
#

The 'flags' is missing GATEWAY. Here's the same command on the main fib(0):

Code:
# route -6n get 2001:4860:4860::8888 
   route to: 2001:4860:4860::8888
destination: ::
       mask: ::
    gateway: 2001:dfx:yy:zz::1
        fib: 0
  interface: vtnet0
      flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0 
#
 
After further testing, I'm suspecting that FIB's don't work with virtual interfaces as it seems to somehow reference the physical interface (fib0) for outbound/inbound traffic which obviously wouldn't work.
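
An added diagnostic example, not written by any poster in this thread: with net.add_addr_allfibs="0" as in the loader.conf above, the routes derived from an interface's addresses are installed only in that interface's own FIB, so it is worth checking which of them a given FIB's table actually holds. The function below parses saved `netstat -rn6` output; the first sample is the FIB 1 table as posted, the second is constructed for contrast using the 2001:db8::/32 documentation prefix, and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example, not from any poster in this thread.
# Reports whether a saved `netstat -rn6` table for one FIB holds
# (a) a default route and (b) any address-derived route on an interface.

# fib_route_check <netstat text> <ifname>
# Prints "default=yes|no connected=yes|no" (column 4 of netstat is Netif).
fib_route_check() {
    printf '%s\n' "$1" | awk -v ifn="$2" '
        BEGIN { def = "no"; conn = "no" }
        $4 == ifn && $1 == "default" { def = "yes" }
        $4 == ifn && $1 != "default" { conn = "yes" }
        END { printf "default=%s connected=%s\n", def, conn }'
}

# FIB 1 table as posted in the thread (whitespace condensed).
FIB1_AS_POSTED='Routing tables (fib: 1)

Internet6:
Destination        Gateway  Flags  Netif Expire
::/96              link#2   URS    lo0
default            link#6   US     gif0
::1                link#2   UHS    lo0
::ffff:0.0.0.0/96  link#2   URS    lo0
fe80::%lo0/10      link#2   URS    lo0
ff02::/16          link#2   URS    lo0'

# Constructed sample: the same table if the tunnel's address-derived
# routes were present in FIB 1 (addresses are documentation placeholders).
FIB1_CONSTRUCTED='Routing tables (fib: 1)

Internet6:
Destination        Gateway  Flags  Netif Expire
default            link#6   US     gif0
2001:db8:1::1      link#6   UH     gif0
2001:db8:1::2      link#2   UHS    lo0
fe80::%gif0/64     link#6   U      gif0'

fib_route_check "$FIB1_AS_POSTED" gif0     # default=yes connected=no
fib_route_check "$FIB1_CONSTRUCTED" gif0   # default=yes connected=yes
```

The posted table has the default route on gif0 but none of the tunnel's address-derived routes. ifconfig(8) documents `fib` and `tunnelfib` parameters for binding an interface and its encapsulated packets to a FIB; the thread does not test them.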
 