Native IPV6 with TWC – part 2

I kept at it and got it to work without any static configuration (but I still have to use NAT).

I still need the NAT rule, and what’s strange is that the workstation gets its IP address from the /56 prefix (which is configured as the WAN prefix on the modem):

My pfSense receives this via DHCPv6:

IA_NA address: 2605:e000:855b:de00::xxxxxxxx pltime=3600 vltime=3600
update a prefix 2605:e000:855b:def0::/60 pltime=3600, vltime=3600

The prefix pfSense gets is OUTSIDE the DHCPv6 range configured on the LAN side of the modem (2605:e000:855b:de00::/64).

Native IPV6 via pfSense on Charter/Spectrum/TimeWarner

I’ve had cable Internet from Spectrum for about 3 years now, and about a year ago I started using pfSense as an additional firewall (it’s easier for me with the many VPNs that I use, since I can terminate IPsec and OpenVPN on the pfSense).

The thing is, IPv6 never worked for me via pfSense, for some reason.

Time has come to solve it, and after 2 evenings, success (I’m 90% satisfied, but that will have to do for now).

Some facts:

  • The Arris modem from Spectrum DOES give proper IPv6 via DHCPv6 to its direct clients.
  • My pfSense WAN interface, when set up with either “None” or “/56” as the IPv6 prefix, DOES get an IPv6 address from the modem.
  • Following various guides, it should be as simple as setting my LAN interface on pfSense to “track” the WAN interface, but to no avail: my clients behind pfSense cannot receive an IP address, and I’ve tried all the options: default settings, DHCPv6 Relay, DHCPv6 Server and RA with various settings.

The Arris modem gets its “WAN” IP address with a /56 prefix and has prefix delegation set to /64, so that should leave me with plenty of /64 subnets to give away.

The catch: pfSense on its WAN interface (DHCPv6) gets its prefix as /128, so that leaves me with nothing to hand over further.
I tried various settings, checking the prefix hints etc., with no luck.

Then it was time for static IPv6, so I set my WAN address on pfSense to an address within the range (it’s perfectly fine to set it to whatever you’d get via DHCPv6) but with a smaller subnet prefix, /96 in my case, then set the LAN address to another IP address (also with a /96 prefix, but in a subnet that does not collide with the WAN address: I simply set the 5th hextet/group to ffff, while my WAN’s hextet starts with c…).

Two more things I needed to set: enable the DHCPv6 server on pfSense, with a range whose last 2 hextets are empty (::), which is enough IPs for my home, then in the Router Advertisements set Router Mode to Assisted.

The second thing (which is why I’m not 100% happy) was to enable IPv6 NAT, since I’m effectively bypassing any prefix delegation. That was a simple IPv6 NAT rule and voilà, we have connectivity.
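Two checks worth running before typing any of this into pfSense: whether a prefix you received by DHCPv6 actually sits inside the prefix the modem serves (the part 2 observation above, where the delegated /60 is outside the modem's LAN /64), and whether a hand-built pair of /96s (WAN and LAN differing in the 5th hextet) is really disjoint and the DHCPv6 pool really lies inside the LAN /96. The script below is an added example using only the Python standard library; it is not from the post. The prefixes are the ones quoted above; the WAN address 2605:e000:855b:de00:c0de::1, the ::1 gateway and the pool bounds are constructed assumptions, since the post only says the WAN's 5th hextet starts with "c" and the LAN's is ffff.

```python
import ipaddress

# Prefixes quoted in the two posts above.
MODEM_WAN_PREFIX = "2605:e000:855b:de00::/56"   # the Arris modem's WAN prefix
MODEM_LAN_PREFIX = "2605:e000:855b:de00::/64"   # DHCPv6 range on the modem's LAN side
DELEGATED_PREFIX = "2605:e000:855b:def0::/60"   # what pfSense received in part 2

# Constructed sample for the static layout (not the author's real address): the post
# only says the WAN's fifth hextet starts with "c" and the LAN's fifth hextet is ffff.
WAN_STATIC_ADDRESS = "2605:e000:855b:de00:c0de::1"
LAN_HEXTET5 = "ffff"


def prefix_relationship(child: str, parent: str) -> str:
    """Classify how the prefix `child` sits relative to `parent`:
    'inside' (child is a subnet of parent), 'overlaps' or 'disjoint'."""
    c = ipaddress.ip_network(child, strict=False)
    p = ipaddress.ip_network(parent, strict=False)
    if c.subnet_of(p):
        return "inside"
    if c.overlaps(p):
        return "overlaps"
    return "disjoint"


def plan_static_96(wan_address: str, lan_hextet5: str) -> dict:
    """Derive the LAN /96 from the WAN /96 by replacing the fifth hextet, as the
    post does, then verify the layout: WAN and LAN /96 must not overlap, both
    must sit inside the modem's /56, and the DHCPv6 pool must lie in the LAN /96."""
    wan = ipaddress.ip_interface(f"{wan_address}/96")
    groups = wan.ip.exploded.split(":")           # eight 4-digit hextets
    groups[4] = lan_hextet5                       # LAN differs in the 5th hextet
    groups[6] = groups[7] = "0000"                # clear the host part (last 2 hextets)
    lan_net = ipaddress.ip_network(":".join(groups) + "/96", strict=False)
    # Assumption: the LAN gateway is ::1 and the DHCPv6 pool is the rest of the /96.
    lan_gateway = lan_net.network_address + 1
    pool_start, pool_end = lan_net.network_address + 2, lan_net.broadcast_address
    modem_wan = ipaddress.ip_network(MODEM_WAN_PREFIX)
    return {
        "wan_network": str(wan.network),
        "lan_network": str(lan_net),
        "lan_gateway": str(lan_gateway),
        "dhcpv6_pool": (str(pool_start), str(pool_end)),
        "wan_lan_disjoint": not wan.network.overlaps(lan_net),
        "inside_modem_prefix": wan.network.subnet_of(modem_wan)
        and lan_net.subnet_of(modem_wan),
        "pool_inside_lan": pool_start in lan_net
        and pool_end in lan_net
        and lan_gateway < pool_start,
    }


if __name__ == "__main__":
    print("delegated /60 vs modem LAN /64:",
          prefix_relationship(DELEGATED_PREFIX, MODEM_LAN_PREFIX))
    print("delegated /60 vs modem WAN /56:",
          prefix_relationship(DELEGATED_PREFIX, MODEM_WAN_PREFIX))
    for key, value in plan_static_96(WAN_STATIC_ADDRESS, LAN_HEXTET5).items():
        print(f"{key}: {value}")
```

The first check reports the delegated /60 as disjoint from the modem's LAN /64 but inside its /56, which is exactly the situation described in part 2; the second returns the two /96 networks plus three booleans, so a typo in a hextet shows up as an overlap before it turns into a routing problem.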

NetBSD on Airport Express

I just stumbled on this article https://jcs.org/2018/06/12/airport_ssh and had to try it out on my Airport Express, even though the method was for the Extreme.
It worked like a charm, as easy as:

python -m acp -t 192.168.234.189 -p xxx --setprop dbug 0x3000
python -m acp -t 192.168.234.189 -p xxx --reboot

Dmesg:


ry = 49844 KB
mainbus0 (root)
cpu0 at mainbus0: Marvell 88F6183 rev 2 (ARMv5TE core) [88F6183 Rev 3]
cpu0: WB enabled EABT
cpu0: 32KB/32B 1-way Instruction cache
cpu0: 32KB/32B 4-way write-back Data cache
cpu0: This kernel does not fully support this CPU.
cpu0: Recompile with "options CPU_ARMV5TE" to correct this.
mbus0 at mainbus0 base 0xf1020000 irq 0: AHB to MBUS Bridge
mvaud0 at mbus0audio0 at mvaud0: full duplex, mmap, independent
mv_audiodec_init: bypassed
mvdevb0 at mbus0 target 1, irq 15: Device Bus
com0 at mvdevb0 offset 0x2000, irq 3: ns16550a, working fifo
com0: console
com1 at mvdevb0 offset 0x2100, irq 4: ns16550a, working fifo
mvtwsi0 at mvdevb0 offset 0x1000, irq 5: Two Wire Serial Interface
mvtwsi0: I2C clocked at 94.696 Khz
iic0 at mvtwsi0: I2C bus
stdflash_orion_match: flash width 4213/0
stdflash0 at mvdevb0 DevCS1: Onboard SPIBootFlash
this is a spansion part...we should check the spansion specific subid (6 entries)
FLASH look for .... 0) 1/2018/20/2018
FLASH look for .... 1) 1/2018/c2/2017
FLASH look for .... 2) 1/2018/c2/2018
FLASH look for .... 3) 1/2018/c2/2013
FLASH look for .... 4) 1/2018/ef/4018
FLASH look for .... 5) 1/2018/1/2018
FLASH SUPPORTED.... 1/2018/5/0
flash0 at stdflash0 00000000-00700000, untranslated, read/write
flash1 at stdflash0 00700000-00e00000, untranslated, read/write
flash2 at stdflash0 00e00000-00f40000, translated, read/write
flash3 at stdflash0 00f40000-00f80000, untranslated, read/write
flash4 at stdflash0 00f80000-01000000, untranslated, read/write
applgpio0 at mvdevb0 offset 0x0000GPIO_interrupt_pin_ex: flipping pin 17.
GPIO_interrupt_pin_ex: flipping pin 3.
(board-revision=-1)
mvgec0 at mbus0 target 7, irq 22: Gigabit Ethernet Global Controller
gec0 at mvgec0 unit 0, irq 18: Gigabit Ethernet Controller, Unit 0
gec0: MAC address: 00:16:cb:00:51:81
makphy0 at gec0 phy 8: Marvell 88E3016 Gigabit PHY, rev. 0
makphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
mvusb0 at mbus0 target 5, irq 16: ARC USB-HS Host/Device Controller
mvusb0: Core revision 4.0
ehci0 at mvusb0 irq 17, host mode: USB Host Controller
ehci0: EHCI version 1.0
usb0 at ehci0: USB revision 2.0, available bus power 500 mA
uhub0 at usb0
uhub0: ARC USB-HS Core EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
ehci0: self-powered device addr 1 (config 1) power 0 mA. Available power 500 mA (root)
uhub0: 1 port with 1 removable, self powered
mvpcie0 at mbus0 target 4, irq 10: PCI Express Controller
mvpcie_attach() - bus_num = 0, if_num = 0.
PEX0 interface detected Link X1
mvpcie0: INTn interrupting on irq 11
pci0 at mvpcie0 bus 0
pci0: i/o space, memory space enabled
mv0 at pci0 dev 1 function 0
mv0: interrupting at INTA
mv0: load firmware image (96740 bytes)
wlan: mac acl policy registered
mv0: 11a rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
mv0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
mv0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
mv0: 11na MCS: 15Mbps 30Mbps 45Mbps 60Mbps 90Mbps 120Mbps 135Mbps 150Mbps 30Mbps 60Mbps 90Mbps 120Mbps 180Mbps 240Mbps 270Mbps 300Mbps
mv0: 11ng MCS: 15Mbps 30Mbps 45Mbps 60Mbps 90Mbps 120Mbps 135Mbps 150Mbps 30Mbps 60Mbps 90Mbps 120Mbps 180Mbps 240Mbps 270Mbps 300Mbps
mv0: versions [driver 0.8.7.0 hw 5 fw 3.7.2.2] (regioncode 16)
mv0: multi-bss support
mvidma0 at mbus0 target 6, irq 24: IDMA Controller
mvidma0: DMA Assist enabled for copyin/copyout and copy/zero page on channel 3
mvaud1 at mbus0 target 5audio1 at mvaud1: full duplex, mmap, independent
mv_audiodec_init: bypassed
clock: hz=100 stathz=0 profhz=0
md0: internal 10240 KB image area
IPsec: Initialized Security Association Processing.
boot device:
root on md0a dumps on md0b
root file system type: ffs
WARNING: no TOD clock present
WARNING: using filesystem time
WARNING: CHECK AND RESET THE DATE!

Filesystem:

Filesystem Size Used Avail Capacity Mounted on
/dev/md0a 9.7M 7.7M 2.0M 79% /
/dev/flash2a 1.1M 41K 1.0M 3% /mnt/Flash
mfs:141 15M 512B 14M 0% /mnt/Memory

Running processes (with airtunes enabled):

PID TTY STAT TIME COMMAND
0 ? DKs 0:00.01 [swapper]
1 ? Is 0:00.02 init
2 ? DK 0:05.30 [stdflash0]
3 ? DK 0:00.00 [usb0]
4 ? DK 0:00.00 [usbtask-hc]
5 ? DK 0:00.00 [usbtask-dr]
6 ? DK 0:00.01 [pagedaemon]
7 ? DK 0:00.04 [ioflush]
8 ? DK 0:00.01 [aiodoned]
9 ? DK 0:00.01 [sfdaemon]
18 ? DK 0:00.02 [physiod]
96 ? Ia 0:00.03 /sbin/sntpd -client=time.apple.com
97 ? I 0:00.35 /sbin/wpa_supplicant -K -M -F /var/log/hostap_wlan1.log -D net80211 -i wlan1 -c /etc/hostap_wlan1.conf
99 ? I 0:00.01 /sbin/iCloudd
141 ? Ss 0:00.03 mount_mfs -s 32768 swap /mnt/Memory
164 ? Ia 0:00.02 /sbin/airtunesd -i bridge0
175 ? Is 0:00.00 /usr/sbin/inetd -l
183 ? Is 0:00.01 /usr/sbin/cron
245 ? Sa 0:01.54 /sbin/mDNSResponder -d
253 ? I 0:00.74 /usr/sbin/sshd -D -e
271 ? Ss 0:00.87 sshd: root@ttyp0
415 ? I 0:00.03 /sbin/link_local bridge0
467 ? I 0:00.04 /sbin/dhclient -q -d
505 ? I 0:00.06 /sbin/snmpd -f -DALL -c /etc/snmpd.conf -p /var/run/snmpd.pid
539 ? Ia 0:00.22 /sbin/printd -i -d local.
604 ttyp0 R+ 0:00.00 ps -ax
627 ttyp0 Ss 0:00.05 -sh
94 tty00- S 0:00.06 svscan /var/sv
107 tty00- Ia 0:08.53 /sbin/ACPd -nofork
108 tty00- I 0:00.02 supervise dnscache
110 tty00- I 0:00.01 supervise walldns
112 tty00- I 0:00.01 supervise log
113 tty00- I 0:00.01 supervise log
116 tty00- I 0:00.01 cat -
118 tty00- I 0:00.02 cat -
184 tty00 Is+ 0:00.04 -sh
186 tty01 Is+ 0:00.05 -sh

It runs an SNMP daemon:

snmpwalk -c public 192.168.234.189 | head

SNMPv2-MIB::sysDescr.0 = STRING: Apple AirPort - Apple Inc., 2006-2012. All rights Reserved.
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.255
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2064754916) 238 days, 23:25:49.16
SNMPv2-MIB::sysContact.0 = STRING: default_user@contact.domain
SNMPv2-MIB::sysName.0 = STRING: airport-express
SNMPv2-MIB::sysLocation.0 = STRING: defaultlocation
SNMPv2-MIB::sysServices.0 = INTEGER: 12
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (3) 0:00:00.03
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.2 = OID: TCP-MIB::tcpMIB

It seems to have racoon and pppoe installed.
PF is enabled by default:

airport-express# pfctl -s all
FILTER RULES:
block drop all
pass on lo0 all flags S/SA keep state
pass out proto tcp from any to any port = domain flags S/SA keep state
pass out proto udp from any to any port = domain keep state
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass out inet6 proto ipv6-icmp all icmp6-type routersol keep state
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
pass in inet6 proto ipv6-icmp all icmp6-type routeradv keep state
pass out inet proto icmp all icmp-type echoreq keep state
No queue in use

Interesting huh?

IPsec (OSX to Linux) with Certificates

I got around to setting up IPsec between my OS X machine and my Linux server. It worked just fine with a PSK (pre-shared key) but failed when using certificates; the error on the server side was:

generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]

I enabled debugging of racoon on OS X (by adding these 2 lines to /etc/racoon/racoon.conf):

log debug;
path logfile "/var/log/racoon.log";

and got:

Jul  3 10:33:48  racoon[19904] : created CERT payload
Jul  3 10:33:48  racoon[19904] : use ID type of DER_ASN1_DN
09000000 3032310b 30090603 55040613 02504c31 0d300b06 0355040a 13044b75
62613114 30120603 55040313 0b4b7562 61206950 686f6e65
Jul  3 10:33:48  racoon[19904] : hmac(hmac_sha2_256)
Jul  3 10:33:48  racoon[19904] : error -25308 errSecInteractionNotAllowed.
Jul  3 10:33:48  racoon[19904] : failed to sign.
Jul  3 10:33:48  racoon[19904] : failed to get sign
Jul  3 10:33:48  racoon[19904] : failed to allocate send buffer
Jul  3 10:33:48  racoon[19904] : IKE Packet: transmit failed. (Initiator, Main-Mode Message 5).
Jul  3 10:33:48  racoon[19904] : sending vpn_control ike failed message - code=65535  from=local.
Jul  3 10:33:48  racoon[19904] : failed to process packet.
Jul  3 10:33:48  racoon[19904] : Phase 1 negotiation failed.

The error seemed to indicate a problem signing the message, so I started poking around and realised that racoon may simply have no permission to use my private key. The fix was easy:

In Keychain Access, find the private key portion of your certificate, double-click the private key and, in the “Access Control” tab, add a new application to the permission list. You may need to press Command+Shift+G to open “go to location”, enter “/usr/sbin” and then select the “racoon” binary.

Save and you should be good to go.
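The symptom above is easy to miss in a busy racoon log, because the real cause (the Security framework error) appears three lines before the generic "failed to sign" and "Phase 1 negotiation failed" messages. The following is an added example, not code from the post: a small log triage helper in standard-library Python that parses racoon log lines in the format shown above, picks out the Security framework error code and name, and maps the one code seen on this page (-25308 errSecInteractionNotAllowed) to the Keychain access fix the post describes. The sample log is a constructed, shortened copy of the lines quoted above; any other error code is reported as unrecognised rather than guessed.

```python
import re

# Constructed sample: a shortened copy of the racoon.log excerpt quoted above.
SAMPLE_LOG = """\
Jul  3 10:33:48  racoon[19904] : created CERT payload
Jul  3 10:33:48  racoon[19904] : hmac(hmac_sha2_256)
Jul  3 10:33:48  racoon[19904] : error -25308 errSecInteractionNotAllowed.
Jul  3 10:33:48  racoon[19904] : failed to sign.
Jul  3 10:33:48  racoon[19904] : failed to get sign
Jul  3 10:33:48  racoon[19904] : failed to allocate send buffer
Jul  3 10:33:48  racoon[19904] : IKE Packet: transmit failed. (Initiator, Main-Mode Message 5).
Jul  3 10:33:48  racoon[19904] : Phase 1 negotiation failed.
"""

# "Mon DD HH:MM:SS  racoon[PID] : message", as in the excerpt above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+racoon\[(?P<pid>\d+)\] : (?P<msg>.*)$"
)
# Security framework errors are logged as "error <code> errSec<Name>".
SECERR_RE = re.compile(r"error (?P<code>-?\d+) (?P<name>errSec\w+)")
# Which IKE message the initiator was building when it gave up.
IKEMSG_RE = re.compile(r"\((?:Initiator|Responder), (?P<ikemsg>[\w-]+ Message \d+)\)")

# Only the code observed on this page is mapped; the remediation is the post's.
KNOWN_CAUSES = {
    "errSecInteractionNotAllowed": (
        "Keychain refused non-interactive access to the private key; "
        "grant /usr/sbin/racoon access in the key's Access Control tab."
    ),
}


def parse_racoon_log(text: str) -> list:
    """Return one dict (ts, pid, msg) per line that matches the racoon format;
    unrelated lines are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def diagnose(text: str) -> dict:
    """Summarise a racoon log excerpt: did phase 1 fail, did signing fail, which
    Security framework errors were logged, and what the likely cause is."""
    msgs = [e["msg"] for e in parse_racoon_log(text)]
    result = {
        "phase1_failed": any(m.startswith("Phase 1 negotiation failed") for m in msgs),
        "sign_failed": any(m.startswith("failed to sign") for m in msgs),
        "failed_ike_message": None,
        "security_errors": [],
        "cause": None,
    }
    for m in msgs:
        s = SECERR_RE.search(m)
        if s:
            result["security_errors"].append((int(s["code"]), s["name"]))
            result["cause"] = KNOWN_CAUSES.get(
                s["name"], f"unrecognised Security framework error {s['name']}"
            )
        k = IKEMSG_RE.search(m)
        if k:
            result["failed_ike_message"] = k["ikemsg"]
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real /var/log/racoon.log, the parser ignores lines that do not match the racoon format, so the whole file can be fed in; a result with `sign_failed` true and `cause` set points straight at the Keychain permission rather than at the peer.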