***: RandalSchwartz has joined #arpnetworks
-: RandalSchwartz waves at the channel
RandalSchwartz: looks like I can still get to my console… that's a good thing
pkg upgrade done, rebooting
jbum: i could use some help if anyone's up
RandalSchwartz: what kind of help?
jbum: i did a release-upgrade yesterday. it installed a bunch of stuff and then rebooted. after the reboot it took a loooong time to come back, and i thought it was dead, so i did a reboot via the console. now it's on the rescue mode installer main menu
RandalSchwartz: is that linux?
jbum: ubuntu
RandalSchwartz: yeah, sorry, I don't run linux anywhere
jbum: np thanks!
mkb: jbum: which sort of Linux
jbum: Ubuntu 14.04
mkb: I don't know anything about Ubuntu but if they're using grub2 there's all sorts of contortions the OS must do to get a new kernel to boot
see what the kernel list looks like at boot
if it is really busted your files are probably still there at least...
RandalSchwartz: alright! distro updated to FreeBSD 9.3-RELEASE-p24
only a few weeks after the CVE came out :)
heading back to reboot my tmux + emacs + irc client
***: RandalSchwartz has quit IRC (Quit: Leaving.)
RandalSchwartz has joined #arpnetworks
RandalSchwartz: there we are.
mkb: does emacs + irc client mean erc?
RandalSchwartz: no
irc.el
older, but I know it better because I contributed to it
mkb: heh
RandalSchwartz: missing some modern features though
brycec: There's really not much "modern" to IRC though
RandalSchwartz: what's the simplest way of giving my laptop ipv6 using my arp v6 connectivity?
brycec: considering your laptop is mobile, probably OpenVPN
RandalSchwartz: ahh, that's right openvpn does v6 now
brycec: since a gif tunnel would have you updating both sides whenever you changed external IP's. Plus gif would require external IP's on both sides.
That it does. I've used it extensively in fact - whenever I VPN to my home, I get an IPv6 address :D
From the OpenVPN side, it's as simple as adding the right server-ipv6 line to the server
(might be a route push too, can't recall its syntax though)
RandalSchwartz: what would I use for my v6 server address
the /64 that's already routed to my box?
inet6 2607:f2f8:3080:: prefixlen 64
or should it be a part of the /48 that's not the /64?
or wait... the whole /48 is routed to me, so I could use 2607:f2f8:3080:beef::/64, right?
brycec: Correct it will need to be a whole /64, slicked from a larger subnet
*sliced
RandalSchwartz: so like my second example?
brycec: Right
Incidentally, :beef: is the same subnet I use for my OpenVPN :D
push "route-ipv6 2000::/3"
BryceBot: That's what she said!!
brycec: BryceBot: no
BryceBot: Oh, okay... I'm sorry. 'push "route-ipv6 2000::/3"'
brycec: ^ That's the server line to default all ipv6 traffic over the openvpn connection
RandalSchwartz: Hmm. missing a route
oh - not just server-ipv6?
need both lines?
still don't have default v6 route
yeah... it didn't add the route
brycec: Yes you need both lines
With those two lines, it "Just Works" for me. You might have client-side issues, maybe? OpenVPN's -v is your friend
RandalSchwartz: where does 2000::/3 come from
is that "all public routable"?
brycec: Yep
Aggregatable Global Unicast Addresses
RandalSchwartz: still not seeing that route
brycec: If you had ::0/0 that covers link-local traffic and the like. Some OS will still behave properly, others will not.
https://community.openvpn.net/openvpn/wiki/IPv6
guess you might need tun-ipv6 too
(which I have too, just forgot about)
RandalSchwartz: that's implied by server-ipv6
as a push or a local?
I'm getting the right /64 addrs
brycec: just local in my config
RandalSchwartz: do you have any of those rtadv things running?
brycec: For reference, this is my full openvpn server config http://sprunge.us/ZgER (It's not exactly "bare-bones" so there's lots that doesn't apply to getting ipv6 working.)
I do, but they don't get routed over the vpn
-: brycec goes afk
RandalSchwartz: I figure at some point, I should be seeing a route to 2000::/3
but not happening
brycec: RandalSchwartz: you should see in your openvpn client's verbose output (at least --verb 4) the parsing of information from the server, including pushed routes and addresses
-: brycec goes afk for real now
RandalSchwartz: Oh! typo
push "route-ipv6 2000://3"
No buena
Ok... with the typo fixed, I can ping my server, but nothing beyond
do I need to add a default route on the server?
mnathani_: linux has ipv6 routing / forwarding setting
not sure about freebsd
RandalSchwartz: well - that's weird
yeah - I have a default outbound route that says "here arp, go find 'em"
via the link local
maybe I need to advertise the new /64 somewhere?
but I thought it automatically goes to me because of the /48
brycec: Yeah for inbound. Do you have your server setup for forwarding? Any firewalling blocking it? If you tcpdump on your external interface, do you see the ip6 traffic, indicating that everything I mentioned is working right and it's something else?
mnathani_: > /etc/rc.conf >> ipv6_router_enable="YES"
brycec: net.inet6.ip6.forwarding: 1, net.inet6.ip6.redirect: 1, etc
RandalSchwartz: ipv6_gateway_enable=YES
brycec: (I can't really help with configuring the server's OS as that gets into specifics that I just don't know, sorry.)
RandalSchwartz: no parameter called router_enable
so maybe arp isn't routing the whole /48 to me
brycec: (Remember mnathani_, RandalSchwartz is running 9.x)
RandalSchwartz: mtr shows that it is
RandalSchwartz: that would make sense
hmm
well... something isn't letting it bend the corner
brycec: But seriously, check with tcpdump, see whether any ip6 traffic is being routed out or not.
Double check that the tun interface for your server has the IP's assigned too. It should, openvpn usually does that automatically. But it's worth checking.
mnathani_: is your default gateway something like fe80::1 ?
RandalSchwartz: yeah - they all looked good on both sides
yes
brycec: (Yeah of course it looked good on both sides - you said you could ping the server at least)
mnathani_: on the ARP server end
RandalSchwartz: yes - that would be one of the two sides. :)
brycec: If the arp end weren't configured right, then he'd have 0 traffic whatsoever
(0 ipv6 traffic, that is)
RandalSchwartz: anyway - this isn't an urgent need... I'm just working out how to upgrade my 8.x syntax to 9.x
mnathani_: I was sondering if this was still only the /64 rather than the entire /48
RandalSchwartz: and figured I'd also see if I could get the VPN to work
mnathani_: s/sond/wond
BryceBot: <mnathani_> I was wondering if this was still only the /64 rather than the entire /48
RandalSchwartz: I've got other things to do today... but thank you for the help already.
you *did* prove that something in the /48 but not the /64 is routed right?
brycec: Right
RandalSchwartz: ok - so the real question is whether I'm routing outbound then
brycec: Bingo. Hence why I keep telling you to tcpdump :P
RandalSchwartz: yeah - I'll do that next time I get curious about this. :)
that'd be dumping the fe80
brycec: I'd say "tcpdump -i em0 -nn net 2607:f2f8:3080:beef::/64" or so
Either you see the traffic leaving your box and you figure out why it's not routing correctly, check the addresses etc. Or it's not leaving your box and you have an internal configuration issue to sort out.
***: DaCa has quit IRC (Quit: WeeChat 1.0)
toeshred has quit IRC (Ping timeout: 272 seconds)
DaCa has joined #arpnetworks
toeshred has joined #arpnetworks
mnathani_ has quit IRC (Read error: Connection reset by peer)
mnathani_ has joined #arpnetworks
mnathani_ has quit IRC (Read error: Connection reset by peer)
mnathani_ has joined #arpnetworks
jbum has quit IRC (Read error: Connection reset by peer)
jbum has joined #arpnetworks