
Provide IPv6 outgoing connectivity on router-001
Closed, ResolvedPublic

Description

Use case: from Complector / db-A-001 / db-B-001, connect to a resource in IPv6.

Plan:

  • on router-001, use a native OVH IP and configure GW
  • on private machines, use the IP assigned to router-001 as gateway (on what card? a dedicated one for IPv6 or the vmx0 one currently used to connect with router-001?)
  • ignore Docker engines, as they already use HE tunnels (but see T1853 for web-001 connectivity, could be to ignore too)
  • ensure we can't connect to the private machines from outside

Event Timeline

dereckson triaged this task as Normal priority.
dereckson created this task.

We need f998535a66b9 to work around ND discovery as the gateway doesn't belong to our prefix.

The same configuration through OVH gateway 2001:41d0:303:d9ff:ff:ff:ff:ff/64 (NetBox):

  • works on web-001 (FreeBSD 13.2)
  • doesn't work on router-001 (FreeBSD 13.1)

Also:

$ freebsd-update fetch
[...]
No updates needed to update system to 13.1-RELEASE-p7.

WARNING: FreeBSD 13.1-RELEASE-p3 is approaching its End-of-Life date.
It is strongly recommended that you upgrade to a newer
release within the next 2 months.
dereckson raised the priority of this task from Normal to High. May 7 2023, 11:10

Upgrade to FreeBSD 13.2 ongoing:

root@router-001:~ # freebsd-update install
Creating snapshot of existing boot environment... done.
Installing updates...
Kernel updates have been installed.  Please reboot and run
"/usr/sbin/freebsd-update install" again to finish installing updates.

We need a maintenance window as the reboot will disrupt access to databases and Vault.

To avoid that, we should provision router-002 and use blue/green deployment for this.
Or immutable artifacts and prepare router-0xx.

Rebooted, some issues noticed: T1857 and T1858.

Userland currently updating from 13.1p7 to 13.2.

Okay, update works.

IPv6 configuration works too locally:

router-001
$ ifconfig vmx0 inet6 2001:41d0:303:d971::6a7e prefixlen 64

$ route -6 add 2001:41d0:0303:d9ff:00ff:00ff:00ff:00ff -iface vmx0
add host 2001:41d0:0303:d9ff:00ff:00ff:00ff:00ff: gateway vmx0

$ ping 2001:41d0:0303:d9ff:00ff:00ff:00ff:00ff
PING6(56=40+8+8 bytes) 2001:41d0:303:d971::6a7e --> 2001:41d0:303:d9ff:ff:ff:ff:ff
16 bytes from 2001:41d0:303:d9ff:ff:ff:ff:ff, icmp_seq=0 hlim=64 time=1.810 ms
16 bytes from 2001:41d0:303:d9ff:ff:ff:ff:ff, icmp_seq=1 hlim=64 time=0.830 ms
^C

$ route -6 add default 2001:41d0:0303:d9ff:00ff:00ff:00ff:00ff
add net default: gateway 2001:41d0:0303:d9ff:00ff:00ff:00ff:00ff

$ ping ipv6.google.com
PING6(56=40+8+8 bytes) 2001:41d0:303:d971::6a7e --> 2a00:1450:400e:803::200e
16 bytes from 2a00:1450:400e:803::200e, icmp_seq=5 hlim=114 time=9.962 ms
16 bytes from 2a00:1450:400e:803::200e, icmp_seq=6 hlim=114 time=9.972 ms
16 bytes from 2a00:1450:400e:803::200e, icmp_seq=7 hlim=114 time=9.907 ms
16 bytes from 2a00:1450:400e:803::200e, icmp_seq=8 hlim=114 time=9.953 ms
16 bytes from 2a00:1450:400e:803::200e, icmp_seq=9 hlim=114 time=9.956 ms
^C
--- ipv6.l.google.com ping6 statistics ---
10 packets transmitted, 5 packets received, 50.0% packet loss
round-trip min/avg/max/std-dev = 9.907/9.950/9.972/0.023 ms

$ ping ipv6.google.com
PING6(56=40+8+8 bytes) 2001:41d0:303:d971::6a7e --> 2a00:1450:4007:80c::200e
16 bytes from 2a00:1450:4007:80c::200e, icmp_seq=0 hlim=115 time=5.040 ms
16 bytes from 2a00:1450:4007:80c::200e, icmp_seq=1 hlim=115 time=5.006 ms
16 bytes from 2a00:1450:4007:80c::200e, icmp_seq=2 hlim=115 time=5.017 ms
16 bytes from 2a00:1450:4007:80c::200e, icmp_seq=3 hlim=115 time=5.020 ms
16 bytes from 2a00:1450:4007:80c::200e, icmp_seq=4 hlim=115 time=5.010 ms
16 bytes from 2a00:1450:4007:80c::200e, icmp_seq=5 hlim=115 time=4.965 ms
16 bytes from 2a00:1450:4007:80c::200e, icmp_seq=6 hlim=115 time=5.000 ms
^C
--- ipv6.l.google.com ping6 statistics ---
7 packets transmitted, 7 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 4.965/5.008/5.040/0.021 ms
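The sequence above (address on vmx0, a host route pinned to the interface for the off-link OVH gateway, then the default route), generalised into a small planner with a post-apply check. This is an added example, not the task's own commands and not Nasqueron tooling: it relies only on Python's standard ipaddress module and on the route(8)/ifconfig(8) syntax shown on this page; the function names, the on-link test case and the netstat sample are constructed for the example.

```python
"""Plan and verify an IPv6 uplink on FreeBSD when the provider gateway is off-link.

Added example: not the task's own commands and not Nasqueron tooling. It
reproduces the order used on router-001 above (ifconfig, host route via -iface,
default route) and emits the -iface host route only when the gateway lies
outside the interface prefix, the case where neighbour discovery alone cannot
resolve it. Function names are this example's own.
"""
import ipaddress

# Interface, address and gateway exactly as they appear in the task above.
ROUTER_001 = (
    "vmx0",
    "2001:41d0:303:d971::6a7e/64",
    "2001:41d0:0303:d9ff:00ff:00ff:00ff:00ff",
)


def is_off_link(address: str, gateway: str) -> bool:
    """True when the gateway is outside the on-link prefix of `address`."""
    local = ipaddress.IPv6Interface(address)
    return ipaddress.IPv6Address(gateway) not in local.network


def plan_commands(iface: str, address: str, gateway: str) -> list[str]:
    """Return the ifconfig(8)/route(8) commands in the order to run them.

    `address` is 'addr/prefixlen'. Addresses are emitted in canonical compressed
    form, so the long and short spellings of the gateway yield the same plan.
    """
    local = ipaddress.IPv6Interface(address)
    gw = ipaddress.IPv6Address(gateway)
    if gw == local.ip:
        raise ValueError("gateway must differ from the local address")

    cmds = [f"ifconfig {iface} inet6 {local.ip} prefixlen {local.network.prefixlen}"]
    if gw not in local.network:
        # Off-link gateway: a host route pinned to the interface tells the
        # kernel it may solicit gw's link-layer address on iface even though
        # gw is not in the configured prefix; without it the default route
        # is rejected because its gateway is unreachable.
        cmds.append(f"route -6 add {gw} -iface {iface}")
    cmds.append(f"route -6 add default {gw}")
    return cmds


def default_route(netstat_inet6: str):
    """Parse `netstat -rn -f inet6` output; return (gateway, netif) of the default route."""
    for line in netstat_inet6.splitlines():
        parts = line.split()
        # Columns: Destination Gateway Flags Netif [Expire]
        if len(parts) >= 4 and parts[0] == "default":
            return ipaddress.IPv6Address(parts[1]), parts[3]
    return None


def default_route_matches(netstat_inet6: str, iface: str, gateway: str) -> bool:
    """Post-apply check: the live default route uses the planned gateway and interface."""
    return default_route(netstat_inet6) == (ipaddress.IPv6Address(gateway), iface)


# Constructed sample of `netstat -rn -f inet6` after the plan above was applied.
SAMPLE_NETSTAT = """\
Routing tables

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
default                           2001:41d0:303:d9ff:ff:ff:ff:ff UGS         vmx0
::1                               link#2                        UHS         lo0
2001:41d0:303:d971::/64           link#1                        U           vmx0
2001:41d0:303:d9ff:ff:ff:ff:ff    link#1                        UHS         vmx0
fe80::%vmx0/64                    link#1                        U           vmx0
"""

if __name__ == "__main__":
    iface, address, gateway = ROUTER_001
    print("off-link gateway:", is_off_link(address, gateway))
    for cmd in plan_commands(iface, address, gateway):
        print(cmd)
    print("default route ok:", default_route_matches(SAMPLE_NETSTAT, iface, gateway))
```

Run it as-is to see the three commands for router-001; with a gateway inside the /64 (constructed, e.g. 2001:41d0:303:d971::1) the planner drops the -iface host route, which is the only difference between a standard uplink and the OVH one.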
dereckson lowered the priority of this task from High to Normal. May 8 2023, 01:08

Decreasing priority as we've assigned a direct IP to web-001 without any need to use router-001.

dereckson claimed this task.

router-001 IPv6

router-001 has a correct IPv6 address and so can:

  • accept GRE or VPN connections with IPv6 resources if we have an IPv6-only machine
  • reach IPv6 package mirrors and sites

Outgoing IPv6 for other VMs

We currently aren't comfortable with the ideas behind IPv6.

The topology "a private IPv4 network for services" mostly prevents brute-force attacks against us.

IPv6 wants to supersede that with "just firewall it" (ok, scanning IPv6 ranges will be complicated), and this is not something we want to explore at that stage.

Also, it's a YAGNI: complector/db-A-001/db-B-001/web-001 are happy to use IPv4 to get packages and other files.

When there is a need there, we can reopen this task and firewall them.