Monday, August 24, 2015

linux - Have Squid use IPv6 /48 block connected via tunnel




I have an Ubuntu 14.05 server running Squid. It has an IPv6 connection via Hurricane Electric's service. I'm trying to have every IP available to the server from the /48 they offer.



I've searched significantly and haven't found a working solution. I can use any address from the /48 if I set the IPs individually within /etc/network/interfaces, though attempts at blanket adding the /48 haven't worked. Here's my working conf.



auto he-ipv6
iface he-ipv6 inet6 v4tunnel
    address 2xxx:xxx:xxx:0:0:0:0:1
    netmask 64
    endpoint xx.xx.xx.xx
    local xx.xx.xx.xx
    ttl 255
    gateway 2xxx:xxx:xxxx:xxxx::1


In attempts to assign the /48 I've tried appending this to interfaces



   post-up ip -6 addr add 2001:xx:xx::/48



This question suggests using the ipv6 non-local bind option, or binding on the local interface. I tried this example, though I'm not certain on using the net.ipv6.ip_nonlocal_bind option.



/sbin/ip -6 addr add 2001:db8::ffff:1/64 dev lo


Testing using wget --bind-address [address within range] google.com, I get the following:



--2017-02-04 15:07:26--  (try: 3)  http://ipv6.google.com/
Connecting to ipv6.google.com (ipv6.google.com)|2a00:1450:4001:814::200e|:80... failed: Cannot assign requested address.
Retrying.



No dice. Am I looking at this in the wrong way? Does anyone have a suggestion?


Answer



First of all you need to understand that the three prefixes you have received from HE are not all the same.



You have been allocated one /64 link prefix. This is the only prefix you should be using on the tunnel interface.



You have also been allocated two routed prefixes one /64 and one /48. You can read more about the difference between link prefixes and routed prefixes in this question:
IPv6: differences between "routed prefix" and "link prefix"?




The routed /64 can be used directly as a link prefix on another attached network interface. The /48 can be subdivided into other routed and link prefixes as needed.



If you need a lot of addresses on a single host you should allocate a local prefix out of one of your routed prefixes. I strongly advise against using a prefix shorter than /64 for that purpose. The local prefix can be longer than /64.



The command to add a local route could look like this example:



ip -6 route add to local 2001:db8:f918:b1e2:086a:cee6::/96 dev lo



You can read more about using local routes in this question:
Adding a whole IPv6 /64 block to an network interface on debian



Applications listening on :: will receive traffic for any IP in the prefix of your local route. If you need to explicitly bind to individual IP addresses covered by a local route, the application has to set a socket option.
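The following is an added worked example, not part of the answer above: it carves a /96 local prefix out of a routed /48 (the way the answer recommends, never shorter than /64), prints the matching `ip -6 route add to local` command, classifies a candidate bind address against the three kinds of prefix so the questioner's "Cannot assign requested address" case is visible, and shows the socket option (`IP_FREEBIND`) an application needs to bind() explicitly to an address that is only covered by a local route. The prefixes are constructed stand-ins from the RFC 3849 documentation range, not anyone's real HE allocation; `bind_freebind` assumes a Linux host on which the local route already exists.

```python
"""Added example: subdivide a routed /48 into a local prefix and reason about
which addresses a plain bind() can use."""
import ipaddress
import socket

# Constructed stand-ins (RFC 3849 documentation range) for the three HE prefixes.
# Only the link prefix belongs on the tunnel interface itself.
LINK_PREFIX = ipaddress.IPv6Network("2001:db8:1:100::/64")   # link prefix, tunnel side
ROUTED_64 = ipaddress.IPv6Network("2001:db8:1:101::/64")     # routed /64, for a LAN interface
ROUTED_48 = ipaddress.IPv6Network("2001:db8:2::/48")         # routed /48, to be subdivided


def carve_local_prefix(routed, subnet_index=0, local_len=96):
    """Pick the subnet_index-th /64 inside a routed prefix and return its first
    /local_len as the prefix to give a local route. local_len must be >= 64,
    matching the answer's advice never to use a prefix shorter than /64 locally."""
    if routed.prefixlen > 64:
        raise ValueError("routed prefix must be /64 or shorter")
    if not 64 <= local_len <= 128:
        raise ValueError("local prefix length must be between 64 and 128")
    count_64 = 1 << (64 - routed.prefixlen)
    if not 0 <= subnet_index < count_64:
        raise ValueError(f"only {count_64} /64 subnets in {routed}")
    # Stepping by 2**64 moves to the chosen /64 without enumerating all of them.
    subnet64 = ipaddress.IPv6Network(
        (int(routed.network_address) + (subnet_index << 64), 64))
    return next(subnet64.subnets(new_prefix=local_len))


def local_route_command(local_prefix, dev="lo"):
    """The iproute2 command from the answer, for the chosen prefix."""
    return f"ip -6 route add to local {local_prefix.with_prefixlen} dev {dev}"


def classify(addr, local_prefix=None):
    """Say where an address lives relative to the three prefixes.

    'link'            : in the link prefix; bindable only if configured on he-ipv6
    'local-route'     : covered by the local route; a :: listener receives it, an
                        explicit bind() needs IP_FREEBIND or ip_nonlocal_bind
    'routed-no-route' : inside a routed prefix with no local route, so bind() fails
                        with EADDRNOTAVAIL (the wget error in the question)
    'foreign'         : not one of ours
    """
    ip = ipaddress.IPv6Address(addr)
    if ip in LINK_PREFIX:
        return "link"
    if local_prefix is not None and ip in local_prefix:
        return "local-route"
    if ip in ROUTED_64 or ip in ROUTED_48:
        return "routed-no-route"
    return "foreign"


def bind_freebind(addr, port=0):
    """Bind an IPv6 TCP socket to addr although addr is not configured on any
    interface, which is what an explicit --bind-address needs behind a local route.
    IP_FREEBIND (Linux, value 15) also applies to AF_INET6 sockets; newer kernels
    add IPV6_FREEBIND as well. Assumes Linux with the local route in place."""
    ip_freebind = getattr(socket, "IP_FREEBIND", 15)
    sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    sock.setsockopt(socket.IPPROTO_IP, ip_freebind, 1)
    sock.bind((addr, port))
    return sock


if __name__ == "__main__":
    local = carve_local_prefix(ROUTED_48)            # 2001:db8:2::/96
    print(local_route_command(local))
    for a in ("2001:db8:1:100::1", "2001:db8:2::abcd",
              "2001:db8:2:7::1", "2a00:1450:4001:814::200e"):
        print(f"{a:28} -> {classify(a, local)}")
```

Run it without arguments to see the route command and the classification table; `bind_freebind` is only useful on the Squid host itself, once the local route exists, and is the socket-level equivalent of what the answer's last sentence describes.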

