IPv6, ULAs and FreeBSD

Niklaas Baudet von Gersdorff stdin at niklaas.eu
Thu May 26 21:36:02 CEST 2016


I was eventually able to solve this issue. I asked for help on several
mailing lists. So, for reference, here are links to the relevant
threads:

https://lists.freebsd.org/pipermail/freebsd-questions/2016-May/271810.html
https://lists.freebsd.org/pipermail/freebsd-net/2016-May/045349.html
https://www.tinc-vpn.org/pipermail/tinc/2016-May/004573.html

Niklaas Baudet von Gersdorff [2016-05-24 08:17 +0200] :

> I want to serve IPv4 subnets 10.1.0.0/16 (machine A) and 10.2.0.0/16
> (machine B), and IPv6 subnets fd16:dcc0:f4cc:0:0:1::/96 (machine A) and
> fd16:dcc0:f4cc:0:0:2::/96 (machine B) respectively. The jails are
> connected on lo1.

Here lies the first problem. It seems that it's not legitimate to assign
/96 subnets when using unique local addresses (ULAs). I was right to get
a /48 subnet for my local IPv6 network; an easy way to get one generated
randomly is http://unique-local-ipv6.com/ . But instead of assigning /96
subnets to each host, you must assign /64 subnets. I guess (but I am not
sure because I have not found any reference that mentions this
explicitly) you *must not* use any other subnet size when dealing with
ULAs.

So I decided on the following two subnets for machine A and
B respectively: fd16:dcc0:f4cc:1::/64 and fd16:dcc0:f4cc:2::/64.

> The following is the tinc-up script on each machine that assigns IP
> addresses and creates routes. I commented out some variations that
> I tried but haven't had success with either:
> 
>     A $ cat /usr/local/etc/tinc/klaas/tinc-up
>     ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:0:0:1:0:1 prefixlen 80
>     route -6 add -host fd16:dcc0:f4cc:0:0:2:0:1 fd16:dcc0:f4cc:0:0:1:0:1
>     route -6 add -net  fd16:dcc0:f4cc:0:0:2::/96  fd16:dcc0:f4cc:0:0:1:0:1
>     #route -6 add -ifp $INTERFACE -host fd16:dcc0:f4cc::2:0:1    fd16:dcc0:f4cc::1:0:1
>     #route -6 add -ifp $INTERFACE -net  fd16:dcc0:f4cc::2:0:0/96 fd16:dcc0:f4cc::1:0:1
> 
>     ifconfig $INTERFACE 10.1.0.1 netmask 255.0.0.0
>     route -4 add -host 10.2.0.1    10.1.0.1
>     route -4 add -net  10.2.0.0/16 10.1.0.1

In addition, it seems not sufficient to solely assign IP addresses; you
must also add a route for the respective foreign (!) subnet(s) via the
tap interface. Without these routes I couldn't get the connection working.
Thus, you get the following tinc-up scripts for both machines:

    A $ cat /usr/local/etc/tinc/tinc-up
    ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:1::1 prefixlen 48 alias
    ifconfig $INTERFACE 10.1.0.1 netmask 255.0.0.0 alias

    route add -inet6 -net fd16:dcc0:f4cc:2::/64 -interface $INTERFACE


    B $ cat /usr/local/etc/tinc/tinc-up
    ifconfig $INTERFACE inet6 fd16:dcc0:f4cc:2::1 prefixlen 48 alias
    ifconfig $INTERFACE 10.2.0.1 netmask 255.0.0.0 alias

    route add -inet6 -net fd16:dcc0:f4cc:1::/64 -interface $INTERFACE

You should include the following in tinc-down to clean up the route
when the daemon is shut down (alter this for machine B respectively):

    route delete -inet6 -net fd16:dcc0:f4cc:1::/64 -interface $INTERFACE

To make this complete, these are the relevant host configurations for
tinc:

    A $ cat /usr/local/etc/tinc/hosts/A
    Address = A
    Subnet = fd16:dcc0:f4cc:1::/64
    Subnet = 10.1.0.0/16

    -----BEGIN RSA PUBLIC KEY-----
    <secret>
    -----END RSA PUBLIC KEY-----


    A $ cat /usr/local/etc/tinc/hosts/B
    Address = B
    Subnet = fd16:dcc0:f4cc:2::/64
    Subnet = 10.2.0.0/16

    -----BEGIN RSA PUBLIC KEY-----
    <secret>
    -----END RSA PUBLIC KEY-----

For reference -- in hope that duckduckgo does a good job indexing this
and prevents others from struggling the same way as I did -- here are
the errors I would get from tinc if either the subnet was not set up
correctly (see above) or if I had not configured the routes:

    Cannot route packet: neighbor solicitation request for unknown address fd16:dcc0:f4cc:0:0:1:0:1

In hope that nobody else has to struggle with this as long as I did.

    Niklaas
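As an added example (not part of the original post or of tinc itself), the script below puts the two lessons of the post into checkable form: it generates a locally assigned ULA /48 the way RFC 4193 section 3.2.2 describes (SHA-1 over an NTP timestamp and an EUI-64, low 40 bits as Global ID), it flags a tinc `Subnet =` declaration that is not a /64 inside the site's /48 (the /96 mistake above), and it emits the `route add`/`route delete -interface $INTERFACE` lines for the *foreign* IPv6 subnets that tinc-up and tinc-down need. The host file contents are constructed samples mirroring hosts/A and hosts/B from the post with the keys omitted; `$INTERFACE` is assumed to be set by tinc as in the scripts above, and the only-IPv6 routes follow what the post found necessary.

```python
"""Added example, not from the original post: ULA /48 generation (RFC 4193
3.2.2), a check of tinc Subnet declarations against the /48 + /64 convention,
and generation of the tinc-up / tinc-down route lines for foreign subnets."""
import hashlib
import ipaddress
import secrets
import time
from typing import Optional

ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")  # locally assigned ULA space

# Constructed sample mirroring the post's hosts/A and hosts/B (keys omitted).
HOSTS_DIR = {
    "A": "Address = A\nSubnet = fd16:dcc0:f4cc:1::/64\nSubnet = 10.1.0.0/16\n",
    "B": "Address = B\nSubnet = fd16:dcc0:f4cc:2::/64\nSubnet = 10.2.0.0/16\n",
}


def generate_ula_prefix(eui64: Optional[bytes] = None,
                        now: Optional[float] = None) -> ipaddress.IPv6Network:
    """Return a locally assigned ULA /48 per RFC 4193 3.2.2: SHA-1 over
    (64-bit NTP timestamp || EUI-64), keep the low 40 bits as the Global ID."""
    if eui64 is None:
        eui64 = secrets.token_bytes(8)  # stand-in for a real interface EUI-64
    if now is None:
        now = time.time()
    ntp_seconds = (int(now) + 2208988800) & 0xFFFFFFFF  # Unix epoch -> NTP epoch
    ntp_fraction = int((now - int(now)) * (1 << 32))
    key = ntp_seconds.to_bytes(4, "big") + ntp_fraction.to_bytes(4, "big") + eui64
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")  # low 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)  # fd00::/8 | Global ID | zero subnet
    return ipaddress.IPv6Network((prefix_int, 48))


def check_ula_subnet(site: ipaddress.IPv6Network,
                     subnet: ipaddress.IPv6Network) -> list:
    """Return the problems with a tinc `Subnet =` value; empty list means OK.
    A ULA site is a /48 from fd00::/8 and is split into /64 subnets."""
    problems = []
    if site.prefixlen != 48 or not site.subnet_of(ULA_LOCAL):
        problems.append(f"site prefix {site} is not a locally assigned ULA /48")
    if not subnet.subnet_of(site):
        problems.append(f"{subnet} lies outside site prefix {site}")
    if subnet.prefixlen != 64:
        problems.append(f"{subnet} is /{subnet.prefixlen}; ULA sites are split into /64 subnets")
    return problems


def parse_subnets(host_file: str) -> list:
    """Collect the `Subnet = ...` values of a tinc host file (Key = Value lines;
    the PEM key block never yields a 'subnet' key, so it is skipped harmlessly)."""
    nets = []
    for line in host_file.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "subnet":
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def tinc_route_lines(local: str, hosts: dict) -> tuple:
    """FreeBSD route(8) lines for tinc-up and tinc-down on host `local`: one
    -interface route per foreign IPv6 subnet, added on up, deleted on down."""
    up, down = [], []
    for name, text in hosts.items():
        if name == local:
            continue  # only the *foreign* subnets get routes
        for net in parse_subnets(text):
            if net.version != 6:
                continue  # the post needed explicit routes only for IPv6
            up.append(f"route add -inet6 -net {net} -interface $INTERFACE")
            down.append(f"route delete -inet6 -net {net} -interface $INTERFACE")
    return up, down


if __name__ == "__main__":
    site = ipaddress.IPv6Network("fd16:dcc0:f4cc::/48")
    print("fresh ULA site prefix:", generate_ula_prefix())
    for candidate in ("fd16:dcc0:f4cc:1::/64", "fd16:dcc0:f4cc:0:0:1::/96"):
        print(candidate, "->", check_ula_subnet(site, ipaddress.IPv6Network(candidate)) or "ok")
    up, down = tinc_route_lines("A", HOSTS_DIR)
    print("tinc-up on A:", *up, sep="\n  ")
    print("tinc-down on A:", *down, sep="\n  ")
```

Running it on the sample prints the /96 declaration as a problem and the single `-interface` route for fd16:dcc0:f4cc:2::/64 that machine A's tinc-up above contains, with the matching `route delete` for tinc-down.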