# FreeBSD IPv6 Gateway with two network interfaces



## fdevilish (Aug 11, 2014)

Hi everybody,

I am trying to configure an IPv6 gateway. I would like to have two different interfaces (internal and external) and route my IPv6 network over them. My operator has given me an xxxx:e581:8::/64 address range, which I wish to split into smaller network segments (/80). Therefore I have set the external adapter (em0) address to xxxx:e581:8::4/80 (in the first segment, where the service provider's gateway is too) and the internal adapter (em1) address to xxxx:e581:8:0:1::4 (in the second segment). My idea is that computers on the internal network would receive an address from the segment xxxx:e581:8:0:1::, such as xxxx:e581:8:0:1::5/80. I have also configured the anycast address xxxx:e581:8:: prefixlen 64 anycast on the external interface to aggregate all available addresses (I am not sure if this is how I should do it).

Here is my interface configuration on the gateway computer: 


```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:31:70:1f
        inet xx.175.98.38 netmask 0xfffffff0 broadcast xx.175.98.47
        inet6 fe80::20c:29ff:fe31:701f%em0 prefixlen 64 scopeid 0x1
        inet6 xxxx:e581:8::4 prefixlen 80
        inet6 xxxx:e581:8:: prefixlen 64 anycast
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:31:70:29
        inet 172.16.20.1 netmask 0xffffff00 broadcast 172.16.20.255
        inet6 fe80::20c:29ff:fe31:7029%em1 prefixlen 64 scopeid 0x2
        inet6 xxxx:e581:8:0:1::4 prefixlen 80
        inet6 xxxx:e581:8:0:1:: prefixlen 80 anycast
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
```

The routing table on the gateway looks as follows:

```
Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0 =>
default                           xxxx:e581:8::1                UGS         em0
::1                               link#3                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
xxxx:e581:8::                     link#1                        UHS         lo0 =>
xxxx:e581:8::/80                  link#1                        U           em0 =>
xxxx:e581:8::/64                  link#1                        U           em0
xxxx:e581:8::4                    link#1                        UHS         lo0
xxxx:e581:8:0:1::                 link#2                        UHS         lo0 =>
xxxx:e581:8:0:1::/80              link#2                        U           em1
xxxx:e581:8:0:1::4                link#2                        UHS         lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%em0/64                     link#1                        U           em0
fe80::20c:29ff:fe31:701f%em0      link#1                        UHS         lo0
fe80::%em1/64                     link#2                        U           em1
fe80::20c:29ff:fe31:7029%em1      link#2                        UHS         lo0
fe80::%lo0/64                     link#3                        U           lo0
fe80::1%lo0                       link#3                        UHS         lo0
ff01::%em0/32                     fe80::20c:29ff:fe31:701f%em0  U           em0
ff01::%em1/32                     fe80::20c:29ff:fe31:7029%em1  U           em1
ff01::%lo0/32                     ::1                           U           lo0
ff02::/16                         ::1                           UGRS        lo0
ff02::%em0/32                     fe80::20c:29ff:fe31:701f%em0  U           em0
ff02::%em1/32                     fe80::20c:29ff:fe31:7029%em1  U           em1
ff02::%lo0/32                     ::1                           U           lo0
```

Ping6 from the gateway machine to an external network works fine:


```
PING6(56=40+8+8 bytes) xxxx:e581:8::4 --> 2a01:258:8:2::4
16 bytes from 2a01:258:8:2::4, icmp_seq=0 hlim=54 time=41.072 ms
16 bytes from 2a01:258:8:2::4, icmp_seq=1 hlim=54 time=41.136 ms
```

Ping6 from the gateway to a machine in the internal network works fine:


```
PING6(56=40+8+8 bytes) xxxx:e581:8:0:1::4 --> xxxx:e581:8:0:1::5
16 bytes from xxxx:e581:8:0:1::5, icmp_seq=0 hlim=64 time=0.247 ms
```

Ping6 from the internal machine to the gateway computer (IPv6 address of em0) works too:


```
PING6(56=40+8+8 bytes) xxxx:e581:8:0:1::5 --> xxxx:e581:8::4
16 bytes from xxxx:e581:8::4, icmp_seq=0 hlim=64 time=0.142 ms
16 bytes from xxxx:e581:8::4, icmp_seq=1 hlim=64 time=0.159 ms
```

When I try to `ping` an external IPv6 address (such as our service provider's IPv6 gateway) from a machine in the internal network, pings are not going through:


```
PING6(56=40+8+8 bytes) xxxx:e581:8:0:1::5 --> xxxx:e581:8::1
^C
--- xxxx:e581:8::1 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
```

Next I checked the `tcpdump -i em0` IPv6 output on the gateway (what happens when the service provider's gateway is being pinged). Here is the output:


```
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:32:14.274473 IP6 fe80::5e5e:abff:fe8:7560 > ff02::12: ip-proto-112 40
19:32:15.101784 IP6 xxxx:e581:8:0:1::5 > xxxx:e581:8::1: ICMP6, echo request, seq 0, length 16
19:32:15.233471 IP6 fe80::5e5e:abff:fe8:7560 > ff02::12: ip-proto-112 40
19:32:15.257284 IP6 xxxx:e581:8::1 > ff02::1:ff00:5: ICMP6, neighbor solicitation, who has xxxx:e581:8:0:1::5, length 32
19:32:16.034560 IP6 fe80::5e5e:abff:fe8:7560 > ff02::12: ip-proto-112 40
19:32:16.150601 IP6 xxxx:e581:8:0:1::5 > xxxx:e581:8::1: ICMP6, echo request, seq 1, length 16
19:32:16.260027 IP6 xxxx:e581:8::1 > ff02::1:ff00:5: ICMP6, neighbor solicitation, who has xxxx:e581:8:0:1::5, length 32
```

I guess neighbor solicitation fails because my server won't answer the message above? If I read the output right, xxxx:e581:8::1 is asking who owns xxxx:e581:8:0:1::5. What do I need to do in order to get my server to answer?

Here is what I got in sysctl:


```
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 1
net.inet6.icmp6.rediraccept: 1
```

I have tried this one too, but it didn't help.

```
net.inet6.ip6.accept_rtadv: 1
```

PF rules:


```
extif="em0"

pass in on $extif proto icmp6 all keep state
pass out on $extif proto icmp6 all keep state
```

I have installed the PF firewall, which lets through all ICMP6 packets at the moment. I have also tried disabling the firewall, but it doesn't help.

Do you have any ideas how I can get this to work?

Best regards,
Mika
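As an added diagnostic example (not from the post or from FreeBSD), this Python script parses tcpdump lines like the ones above and flags neighbor solicitations that this gateway cannot answer because the target lies inside the upstream's on-link /64 but behind another local interface, which is consistent with the capture shown. The masked xxxx:e581 is replaced by the documentation prefix 2001:db8, and the capture lines are constructed (the last two, an answered NS/NA pair for em0's own ::4, are added for contrast).

```python
import ipaddress
import re

# Constructed stand-in for the masked xxxx:e581:8::/64 in the post: the provider's
# whole /64, which the upstream router treats as a single on-link segment.
UPSTREAM_ONLINK = ipaddress.ip_network("2001:db8:8::/64")

# The gateway's interface prefixes from the ifconfig output (same substitution).
IFACE_PREFIXES = {
    "em0": ipaddress.ip_network("2001:db8:8::/80"),
    "em1": ipaddress.ip_network("2001:db8:8:0:1::/80"),
}

NS_RE = re.compile(r"neighbor solicitation, who has (?P<t>[0-9a-fA-F:]+)")
NA_RE = re.compile(r"neighbor advertisement, tgt is (?P<t>[0-9a-fA-F:]+)")

# Constructed capture modelled on the post's tcpdump -i em0 output; the last two
# lines (NS/NA for em0's own ::4) are added to show an answered solicitation.
SAMPLE_CAPTURE = """\
19:32:15.101784 IP6 2001:db8:8:0:1::5 > 2001:db8:8::1: ICMP6, echo request, seq 0, length 16
19:32:15.257284 IP6 2001:db8:8::1 > ff02::1:ff00:5: ICMP6, neighbor solicitation, who has 2001:db8:8:0:1::5, length 32
19:32:16.260027 IP6 2001:db8:8::1 > ff02::1:ff00:5: ICMP6, neighbor solicitation, who has 2001:db8:8:0:1::5, length 32
19:32:17.000001 IP6 2001:db8:8::1 > ff02::1:ff00:4: ICMP6, neighbor solicitation, who has 2001:db8:8::4, length 32
19:32:17.000312 IP6 2001:db8:8::4 > 2001:db8:8::1: ICMP6, neighbor advertisement, tgt is 2001:db8:8::4, length 32
"""


def classify_solicitations(capture, external_if="em0"):
    """Map each NS target seen on the external link to 'answered', 'unanswered',
    or the diagnosis from the post: the target sits inside the upstream's on-link
    /64 but behind another local interface, so the upstream solicits it directly
    instead of routing it to the gateway, and nothing on em0 answers."""
    lines = capture.splitlines()
    advertised = {ipaddress.ip_address(m.group("t"))
                  for m in map(NA_RE.search, lines) if m}
    verdicts = {}
    for m in filter(None, map(NS_RE.search, lines)):
        target = ipaddress.ip_address(m.group("t"))
        owner = next((i for i, n in IFACE_PREFIXES.items() if target in n), None)
        if target in advertised:
            verdict = "answered"
        elif owner and owner != external_if and target in UPSTREAM_ONLINK:
            verdict = f"unanswered: upstream sees {UPSTREAM_ONLINK} as on-link, target is behind {owner}"
        else:
            verdict = "unanswered"
        verdicts[str(target)] = verdict
    return verdicts
```

The script only identifies the symptom; it does not change any configuration.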


----------



## obsigna (Aug 11, 2014)

fdevilish said:

> ...
> Here is what I got in sysctl:
> ...


The following note will quite probably not resolve your issue, but it is worth mentioning anyway. Since FreeBSD 9.2, it is no longer sufficient to put the gateway options directly into the file /etc/sysctl, because devd overwrites this every time something changes with the interfaces, and devd decides the correct settings for the gateway sysctls based on the gateway_enable and ipv6_gateway_enable settings, which need to go into /etc/rc.conf. So, I suggest removing net.inet.ip.forwarding and net.inet6.ip6.forwarding from the file /etc/sysctl and adding the following to /etc/rc.conf:

```
gateway_enable="YES"
ipv6_gateway_enable="YES"
```


----------



## fdevilish (Aug 13, 2014)

obsigna said:

> fdevilish said:
> ...



I have the following lines in rc.conf:


```
gateway_enable="YES"
ipv6_gateway_enable="YES"
```


----------



## SirDice (Aug 13, 2014)

fdevilish said:

> ```
> inet6 xxxx:e581:8:: prefixlen 64 anycast
> ```


I'm not sure if it's going to help but this IP address should be removed. It's the network address and should not be used as an IP address.


----------

