jsolo1
Premium Member
join:2001-07-01
PRIL


Re: ATT Fiber, Sophos UTM instead of gateway

@mrancier. See the PM. Another thought: you might need to update wpa_supplicant to 2.5 or newer. I couldn't get an older one (.5 or .7-something) to work on UTM.

@SlabBulkhead


We'll beat this bitch into submission one way or another!@#


Dls's comment above made me think outside the box a bit.

We know it pulls a useless /128 IP when configured as DHCPv6 for WAN.

So... from the IPv6/global page it shows this (still don't know how I got a /60?!@#???). It was /64 after connecting through the BGW (passthrough mode), and stayed /64 for some time.

Delegated Prefix: 2600:1700:XXXX:XXX0::/60
 

Also, when set to DHCPv6 it will indicate some fe80:: gateway IP under Interfaces, WAN. Make a note of this address.

For wan interface uncheck dynamic ipv6.

I recorded the values from the ipv6 global tab when I had utm connected to the bgw210. First 4 sections mirrored the /60 DP address. Next 4 were a combination of the wan mac (cert's mac).

ipv6  7a96:84ff:fe12:3456
mac   78:96:84:   12:34:56
 

So put together it looks like this. 12:34:56 are just placeholders for digits in those positions. Note the 0 after the XXX's.

2600:1700:XXXX:XXX0:7a96:84ff:fe12:3456
netmask: 64
gateway: fe80::1234
 

This became my wan static IP. Utm itself could now ping and traceroute to ipv6 addresses.

For the local lan interface I did something different. I incremented the fourth (from the left) segment by 1 (XXX1).

ipv6 address: 2600:1700:XXXX:XXX1::1
Netmask : 64
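The two address derivations above (WAN address = delegated prefix + a modified EUI-64 built from the WAN MAC; LAN = the next /64 inside the /60) are one instance of a general rule, so here is an added worked example, not code from the thread or from Sophos. It assumes a constructed delegated prefix 2600:1700:abcd:1230::/60 and the MAC 78:96:84:12:34:56 used as a placeholder in the post, and it generalizes to any of the 16 /64s a /60 contains. The flip of 78 to 7a is the universal/local bit of EUI-64, and ff:fe is the constant inserted between the MAC halves; that is also why an EUI-64 address reveals the hardware MAC to every remote peer, and why client operating systems default to randomized interface identifiers (RFC 4941 temporary or RFC 7217 stable-private addresses), which matches the PC address in the post not resembling its MAC.

```python
import ipaddress


def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64 interface identifier for a 48-bit MAC, as four hextets.

    Split the MAC in half, insert ff:fe between the halves, and flip bit 1 of
    the first octet (the universal/local bit), so 78 becomes 7a.
    """
    octets = [int(part, 16) for part in mac.split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError("expected a 48-bit MAC such as 78:96:84:12:34:56")
    octets[0] ^= 0x02
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return ":".join(f"{eui[i]:02x}{eui[i + 1]:02x}" for i in range(0, 8, 2))


def subnet_of(delegated_prefix: str, index: int) -> ipaddress.IPv6Network:
    """Return the index-th /64 carved out of the delegated prefix.

    A /60 contains 16 /64s (index 0..15); the post uses index 0 for the WAN
    address and index 1 for the LAN, i.e. the fourth hextet ends in 0 and 1.
    A /64 delegation (the BGW passthrough case) yields exactly one subnet.
    """
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    if net.prefixlen > 64:
        raise ValueError("delegation must be /64 or shorter to carve /64s")
    subnets = list(net.subnets(new_prefix=64))
    if not 0 <= index < len(subnets):
        raise ValueError(f"index {index} is outside the {len(subnets)} /64s in {net}")
    return subnets[index]


def wan_address(delegated_prefix: str, mac: str) -> ipaddress.IPv6Interface:
    """Static WAN address: first /64 of the delegation + EUI-64 of the WAN MAC."""
    first64 = subnet_of(delegated_prefix, 0)
    iid = int(eui64_interface_id(mac).replace(":", ""), 16)
    addr = ipaddress.IPv6Address(int(first64.network_address) | iid)
    return ipaddress.IPv6Interface(f"{addr}/64")


def lan_router_address(delegated_prefix: str, index: int = 1) -> ipaddress.IPv6Interface:
    """Router address ::1 inside the chosen LAN /64 (the prefix-advertisement address)."""
    lan = subnet_of(delegated_prefix, index)
    addr = ipaddress.IPv6Address(int(lan.network_address) + 1)
    return ipaddress.IPv6Interface(f"{addr}/64")


if __name__ == "__main__":
    # Constructed sample values; the real prefix comes from the IPv6/global page.
    prefix, mac = "2600:1700:abcd:1230::/60", "78:96:84:12:34:56"
    print("WAN :", wan_address(prefix, mac))          # ...:1230:7a96:84ff:fe12:3456/64
    print("LAN :", lan_router_address(prefix))        # ...:1231::1/64
    print("last:", subnet_of(prefix, 15))             # ...:123f::/64
```

Running it prints the WAN address with the 7a96:84ff:fe12:3456 suffix from the post and the LAN router address ending in 1231::1; passing the /64 the BGW hands out in passthrough mode instead of a /60 works too, but then only index 0 exists, which is the limitation discussed later in the thread.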
 

Paste this ipv6 addr under ipv6/prefix advertisement. Check Stateless integrated server box then save. I was scratching my head for a good 5 min because nothing happened.

Turn off ipv6, wait about 30 sec then turn it back on. Do a wpa_cli logoff followed by a logon, or wait about a min.

Disable/re-enable your pc's nic. It should now generate a 2600:1700:XXXX:XXX1:abcd:efgh:ijkl:mnop IP addr. In my case, the ip generated had nothing to do with the mac address unlike the utm ip.

You should now have ipv6 connectivity on both utm and your pc. Ipv6-test.com reveals the above generated ipv6 address. It gets better! Turn web filtering back on. Now the test shows the utm's ipv6, web filtering log indicates activity.

All is still not well. After an hr (lease duration), ipv6 stops working. @dls, I'm still not seeing any firewall entries pertaining to blocked ipv6 icmp packets.

For ICMPv6 there are many different service definitions possible. I don't see a single one that covers them all.

»i.imgur.com/kMnDEou.png
»i.imgur.com/hWQ9nmD.png

Running
chroot  /var/sec/chroot-dhcpc /usr/sbin/dhclient6 -6 -P --prefix-len-hint 60 -d -D LLT -cf /etc/eth4.conf6 -lf /var/db/eth4_na.leases6 -pf /var/run/dhclient6_na_eth4.pid eth4
 

Renews connectivity. It appears unless wan is set to dhcpv6, the dhclient6 doesn't run. Note the "-d" is missing from below. This starts the client then leaves it running in the background.

»manpages.debian.org/jess ··· .en.html For full parameter description.

chroot  /var/sec/chroot-dhcpc /usr/sbin/dhclient6 -6 -P --prefix-len-hint 60  -D LLT -cf /etc/eth4.conf6 -lf /var/db/eth4_na.leases6 -pf /var/run/dhclient6_na_eth4.pid eth4 > /dev/null 2>&1
 

Seems to get the job done. We'll find out in an hour if there's still IPv6 connectivity and/or if it renewed successfully.
SlabBulkhead
join:2001-12-05
Dayton, OH
(Software) pfSense
Ubiquiti U6-Pro
Ubiquiti U6-LR

said by jsolo1:

@SlabBulkhead


We'll beat this bitch into submission one way or another!@#

Sounds like my kind of problem solving methodology.
said by jsolo1:

Dls's comment above made me think outside the box a bit.

We know it pulls a useless /128 IP when configured as DHCPv6 for WAN.

So... from the IPv6/global page it shows this (still don't know how I got a /60?!@#???). It was /64 after connecting through the BGW (passthrough mode), and stayed /64 for some time.

Delegated Prefix: 2600:1700:XXXX:XXX0::/60
 

When you go passthrough, the BGW will only hand out a /64 no matter what hint you try to send. I tried mightily with my pfSense to request a /60 and no dice. Now that I am on Spectrum, I am able to get a /56 and delegate /64's on my LAN.
said by jsolo1:

Also, when set to DHCPv6 it will indicate some fe80:: gateway IP under Interfaces, WAN. Make a note of this address.

For wan interface uncheck dynamic ipv6.

I recorded the values from the ipv6 global tab when I had utm connected to the bgw210. First 4 sections mirrored the /60 DP address. Next 4 were a combination of the wan mac (cert's mac).

ipv6  7a96:84ff:fe12:3456
mac   78:96:84:   12:34:56
 

So put together it looks like this. 12:34:56 are just placeholders for digits in those positions. Note the 0 after the XXX's.

2600:1700:XXXX:XXX0:7a96:84ff:fe12:3456
netmask: 64
gateway: fe80::1234
 

This became my wan static IP. Utm itself could now ping and traceroute to ipv6 addresses.

For the local lan interface I did something different. I incremented the fourth (from the left) segment by 1 (XXX1).

ipv6 address: 2600:1700:XXXX:XXX1::1
Netmask : 64
 

Paste this ipv6 addr under ipv6/prefix advertisement. Check Stateless integrated server box then save. I was scratching my head for a good 5 min because nothing happened.

Turn off ipv6, wait about 30 sec then turn it back on. Do a wpa_cli logoff followed by a logon, or wait about a min.

Disable/re-enable your pc's nic. It should now generate a 2600:1700:XXXX:XXX1:abcd:efgh:ijkl:mnop IP addr. In my case, the ip generated had nothing to do with the mac address unlike the utm ip.

You should now have ipv6 connectivity on both utm and your pc. Ipv6-test.com reveals the above generated ipv6 address. It gets better! Turn web filtering back on. Now the test shows the utm's ipv6, web filtering log indicates activity.

All is still not well. After an hr (lease duration), ipv6 stops working. @dls, I'm still not seeing any firewall entries pertaining to blocked ipv6 icmp packets.

For ICMPv6 there are many different service definitions possible. I don't see a single one that covers them all.

»i.imgur.com/kMnDEou.png
»i.imgur.com/hWQ9nmD.png

Running
chroot  /var/sec/chroot-dhcpc /usr/sbin/dhclient6 -6 -P --prefix-len-hint 60 -d -D LLT -cf /etc/eth4.conf6 -lf /var/db/eth4_na.leases6 -pf /var/run/dhclient6_na_eth4.pid eth4
 

Renews connectivity. It appears unless wan is set to dhcpv6, the dhclient6 doesn't run. Note the "-d" is missing from below. This starts the client then leaves it running in the background.

»manpages.debian.org/jess ··· .en.html For full parameter description.

chroot  /var/sec/chroot-dhcpc /usr/sbin/dhclient6 -6 -P --prefix-len-hint 60  -D LLT -cf /etc/eth4.conf6 -lf /var/db/eth4_na.leases6 -pf /var/run/dhclient6_na_eth4.pid eth4 > /dev/null 2>&1
 

Seems to get the job done. We'll find out in an hour if there's still IPv6 connectivity and/or if it renewed successfully.

Looks like you're now able to utilize the different /64s under the /60 PD allocation you can get by doing the bypass.

jsolo1
Premium Member

Surprisingly it's all working this minute. Lease expires in about 40 min. That will be the moment of truth. If it works, then it's just a matter of writing some small code to start up the dhclient at boot and then to make sure it remains running. I have code snippets to do this for other processes, so adapting won't be too hard.

Some form of pfSense is appealing, but I dread having to redo the whole setup. There are rules for VLANs, VoIP, and other things.
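The backgrounded dhclient6 command at the end of the earlier post (the one without -d) and the plan here to start it at boot and keep it running are served by the same small watchdog, so here is an added example of that check; it is not jsolo1's code and not anything Sophos ships. It reuses the exact dhclient6 argument list from the thread. Two assumptions are marked in the code: that the pidfile named by -pf, which the client writes inside its chroot, is visible from outside at the chroot path plus that name, and that checking the PID with signal 0 is good enough (a stale pidfile whose PID was reused by an unrelated process would fool it; on Linux, comparing /proc/<pid>/comm against the expected binary name closes that gap). Keeping the check on the pidfile rather than on a pattern match over all processes avoids restarting on top of a client that is still renewing.

```python
import os
import subprocess
import sys
import time

# The dhclient6 invocation from the thread, without -d so the client
# backgrounds itself after starting.
CHROOT = "/var/sec/chroot-dhcpc"
DHCLIENT6_CMD = [
    "chroot", CHROOT, "/usr/sbin/dhclient6",
    "-6", "-P", "--prefix-len-hint", "60", "-D", "LLT",
    "-cf", "/etc/eth4.conf6",
    "-lf", "/var/db/eth4_na.leases6",
    "-pf", "/var/run/dhclient6_na_eth4.pid",
    "eth4",
]
# Assumption: -pf is resolved inside the chroot, so the same file is seen
# from the host at CHROOT + that path.
PIDFILE = CHROOT + "/var/run/dhclient6_na_eth4.pid"


def read_pid(pidfile):
    """PID recorded in the pidfile, or None if it is missing or unreadable."""
    try:
        with open(pidfile) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def pid_alive(pid):
    """True if a process with this PID exists; signal 0 delivers nothing.

    Assumption: a live PID means dhclient6 is running. If the PID has been
    reused by another process this returns True; compare /proc/<pid>/comm
    against "dhclient6" to tighten it on Linux.
    """
    if not pid or pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # the process exists but belongs to another user
    except (OverflowError, ValueError):
        return False  # PID outside the range the kernel accepts
    return True


def ensure_running(pidfile=PIDFILE, cmd=DHCLIENT6_CMD, spawn=subprocess.call):
    """Start the client if it is not running; return True if it was already up.

    `spawn` is injectable so the logic can be exercised without root or a chroot.
    """
    if pid_alive(read_pid(pidfile)):
        return True
    spawn(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return False


if __name__ == "__main__":
    # Run from a boot script and poll every 60 s (override with argv[1]),
    # so the client is always present to renew the hourly lease.
    interval = int(sys.argv[1]) if len(sys.argv) > 1 else 60
    while True:
        if not ensure_running():
            print("dhclient6 was not running; started it", file=sys.stderr)
        time.sleep(interval)
```

Started once at boot, the loop restarts the client whenever its PID disappears, which is what keeps renewals happening after the one-hour lease that broke connectivity earlier in the thread.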