 From:  Nil Einne <m0n0wall at lty dot my>
 To:  Everyone on m0n0wall list <m0n0wall at lists dot m0n0 dot ch>
 Subject:  AICCU broken in 1.3b16?
 Date:  Tue, 05 May 2009 03:02:14 +1200
I've been using m0n0wall with AICCU for several months and it's been
working well until now. I recently upgraded to 1.3b16 and it seems to
have broken AICCU support. Downgrading to 1.3b15 confirms this problem 
started with 1.3b16. Basically the problem is that it's not receiving 
the proper v6-IP on the WAN side and instead stays with a link-local 
address. More details if necessary below.

What seems to happen is this:

When I first connect to the internet, I get something like this in the
interfaces tab:

IPv6 address  	 fe80::240:caff:fe14:c908%ng0/64

A link local IPv6 address.

After a short while, m0n0wall contacts the PoP successfully and gets this:

IPv6 address  	 fe80::240:caff:fe14:c908%ng0/64
IPv6 gateway 	2001:4428:XX:XX::1

For privacy reasons, I've removed the full gateway IP. But as you can
see, the problem appears to be that while it is getting the gateway
information, it's not getting an IP for the WAN side; instead it's stuck
with link-local addresses. Obviously this isn't going to work and sure
enough a ping or traceroute from the WAN side doesn't work. And it's not 
possible to assign the WAN IP with AICCU (I'm not sure but perhaps it 
was in an older version but it definitely isn't now or in 1.3b15).

I downgraded back to 1.3b15 and it works fine. It doesn't actually show
the IPv6 address in the interfaces tab, instead just the gateway. But
when you ping or traceroute from the WAN side you get:
traceroute6 to ipv6.l.google.com (2001:4860:c003::68) from
2001:4428:XX:XX::2, 18 hops max, 12 byte packets

which shows the right v6-IP (since it should be ::2 of the gateway). I'm
not sure whether it's receiving this IP from the PoP or simply guessing
it but regardless it works.

BTW, I didn't change any config options between 1.3b16 and 1.3b15. I
looked at the config and it doesn't look like anything needs changing
(well the 'Send IPv6 router advertisements' is now available on the WAN
side). Also I looked in the log but there doesn't seem to be anything of
use, actually nothing about IPv6 at all.

I found out that if you change the LAN IP to the WAN IP (i.e. the tunnel 
IP) 2001:4428:XX:XX::2 you can ping/traceroute from m0n0wall whether WAN 
or LAN but it doesn't work on actual LAN clients since LAN clients 
receive IPs in the tunnel range which is not allowed under SixXs (see
https://www.sixxs.net/forum/?msg=setup-136867). Well perhaps if you 
manually configure hosts in the LAN but obviously that's not desired. 
You can't set up the right range under DHCP because that's out of the range.

A little background. Not really that important but just as a way of 
thanks/feedback to the m0n0wall devs and it may also help to understand 
some of the above. I've been using m0n0wall's recent addition of IPv6 
support and it's been working well, except perhaps for the annoyance of 
no traffic shaper support. Originally I used 6to4 but that didn't work 
that well because either the 6to4 gateway or my ISP was severely shaping 
any traffic so my IPv6 was very slow. I had hoped to use SixXs as there 
is a local PoP and in my tests bypassing m0n0wall it seemed to work 
well. I even e-mailed about this once. So once AICCU - heartbeat support 
was added I jumped at the opportunity. After some initial set up hiccups 
I worked out how to set up a tunnel for my m0n0wall router (/64) and a 
subnet for my LAN (/48). Well this is according to the way SixXs works, 
they don't allow you to allocate IPs from the tunnel to the LAN.

Cheers and thanks for m0n0wall