On Thursday 19 July 2007 13:45, Mike Williams wrote:

> I can add dead:beef:2::11/64 (yes, /64) to the internet side of
> router/firewall, a default route via dead:beef:2::1 and then happily
> ping ipv6 things on the internet.

Ok, so your ipv6 link to your provider (and to the ipv6 Internet) is
working.

> Starting on one of the "internal" networks I add
> dead:beef:2:136::11/64, run radvd on that interface, and the hosts on
> that network get v6 addresses. All of them can ping the firewall, but
> cannot ping our ISP's router.

Ok, just some shots in the dark:

- Do the hosts also get the default router, along with the ipv6 address?
You can check with "ip -6 route". You should get, among the others, a
default route pointing to the ipv6 link-local (fe80:) address of the
router's interface on the link.

- Also, although I don't think this is the source of your problems, every
internal router interface should recognize (and be configured to use)
the "subnet router anycast address" for that subnet, that is, usually,
the plain /64 subnet address (e.g., dead:beef:2:136::/64). This anycast
address has to be manually configured on the interface ("ip addr add
dead:beef:2:136::/64 dev bond2").
Is this the address that internal hosts are able to ping on the firewall,
or did you assign another, or are you referring to the link-local
address?

- Are you using native ipv6 connectivity with your provider or through a
(SIT/6to4) tunnel? This is important because it affects the MTU of the
Internet-facing interface.

Seeing the actual radvd.conf file would help here.

> sendmsg: Invalid argument ??
> It's the same definition as for bond2 (136), with the interface and
> prefix changed. Does the same with or without any other definitions.
> All but bond2 fail, but I've no idea what's so special about bond2.
> The machine is amd64, and using radvd-1.0-r1.

Are these bondX regular single ethernet interfaces or are they of some
other kind?

> Anyway, I can add one or two addresses manually. I do so using
> iproute2 and CIDR notation, so the local route is added for me, and
> hosts on the 137 network can ping each other, and hosts on the 136
> network after I give them a default route via the v6 address on the
> firewall interface on their network, so the firewall is properly
> forwarding traffic.

Ok, it seems forwarding is enabled then. Are you giving default routes
pointing to global addresses? You should try using link-local addresses
instead.

> However, none of the hosts on the "internal" networks can ping any of
> the hosts the firewall can ping.
> I caught the following traffic with tcpdump on the firewall:
>
> # tcpdump -i bond2 ip6
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bond2, link-type EN10MB (Ethernet), capture size 96 bytes
> 12:24:02.204882 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 1, length 64
> 12:24:03.208737 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 2, length 64
>
> # tcpdump -i bond0 ip6
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes
> 12:24:02.205409 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 1, length 64
> 12:24:02.516433 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32
> 12:24:03.208748 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 2, length 64
> 12:24:03.517294 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32
> 12:24:04.517504 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32

IIUC, icmpv6 echo request packets enter the router/firewall from the
bond2 interface, and leave the box using the bond0 interface (confirming
that forwarding works). But, the router/firewall is trying to get the
link-layer address of the interface whose ipv6 global address is
dead:beef:2:136:204:23ff:fed7:e86a (thus an internal host), but for some
reason it sends these neighbor solicitation messages out of the Internet
interface. Not surprisingly, it gets no answers.

> The firewall has no netfilter rules at all, everything is default
> accept.

Are the internal hosts using ip6tables? They might be blocking icmpv6
messages.

> Am I just doing something stupid, or have I asked our host to set it
> up wrong? Would really like to know what radvd is up to too...

Try posting more config info (radvd), debug info (ip -6 route and ip -6
neigh on the internal hosts and on the router) and the scripts (if any)
you use to handle the connection (Internet side and internal side).
--
gentoo-user@g.o mailing list
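Added example, not part of the thread above: a POSIX shell script that performs, offline, the two checks the reply asks for. The first looks at "ip -6 route" output from an internal host and confirms that the default route's next hop is a link-local (fe80::) address rather than the router's global address. The second scans tcpdump "ip6" output captured on a router interface and reports neighbor solicitations whose target lies in a /64 owned by a different interface, which is exactly the symptom diagnosed from the bond0 capture. The interface names (eth0, bond0, bond2), the interface-to-prefix map, and all route-table and capture samples are constructed assumptions modelled on the thread, not output from the poster's machines.

```shell
#!/bin/sh
# Added example (not from the thread): offline versions of two checks the
# reply suggests. Interface names and the prefix map are assumptions; all
# sample output below is constructed to mirror the thread.

# Check 1: does a host's "ip -6 route" output contain a default route whose
# next hop is link-local (fe80::/10)? Returns 0 if so, 1 otherwise.
has_linklocal_default() {
    printf '%s\n' "$1" | awk '
        $1 == "default" && $2 == "via" && tolower($3) ~ /^fe[89ab]/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Constructed: what a host on the 136 network should show once radvd has
# advertised the prefix; the default route points at the router by fe80::.
GOOD_ROUTES='dead:beef:2:136::/64 dev eth0  proto kernel  metric 256  expires 86390sec
fe80::/64 dev eth0  proto kernel  metric 256
default via fe80::214:f600:b67e:b4db dev eth0  proto ra  metric 1024  expires 1790sec'

# Constructed: the manual setup from the thread, a default route via the
# router global address, which the reply advises against.
GLOBAL_ROUTES='dead:beef:2:136::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256
default via dead:beef:2:136::11 dev eth0  metric 1024'

# Check 2: which interface owns which /64 (constructed for the thread's
# topology: bond0 faces the ISP, bond2 is the 136 internal network).
PREFIX_MAP='bond0 dead:beef:2::/64
bond2 dead:beef:2:136::/64'

# awk helper shared below: reduce an address or prefix to its first four
# groups, expanding "::" and dropping leading zeros, so that
# "dead:beef:2::/64" and "dead:beef:2:0:..." compare equal. Assumes the
# textual forms printed by ip and tcpdump (no leading zeros, no brackets).
AWK_PREFIX4='
function norm(g) { while (length(g) > 1 && substr(g, 1, 1) == "0") g = substr(g, 2); return g }
function prefix4(addr,    h, la, ra, a, lg, rg, zeros, out, i) {
    addr = tolower(addr); sub(/\/.*$/, "", addr)
    if (index(addr, "::") > 0) {
        split(addr, h, "::")
        lg = (h[1] == "") ? 0 : split(h[1], la, ":")
        rg = (h[2] == "") ? 0 : split(h[2], ra, ":")
        zeros = 8 - lg - rg; out = ""
        for (i = 1; i <= lg; i++) out = out (i > 1 ? ":" : "") la[i]
        for (i = 1; i <= zeros; i++) out = out (out == "" ? "" : ":") "0"
        for (i = 1; i <= rg; i++) out = out ":" ra[i]
        addr = out
    }
    split(addr, a, ":")
    return norm(a[1]) ":" norm(a[2]) ":" norm(a[3]) ":" norm(a[4])
}'

# Prints the interface owning the /64 that contains address $1, or "unknown".
iface_for_address() {
    printf '%s\n' "$PREFIX_MAP" | awk -v target="$1" "$AWK_PREFIX4"'
        BEGIN { want = prefix4(target) }
        prefix4($2) == want { print $1; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Scans tcpdump "ip6" lines captured on interface $1 (text in $2) and prints
# one line per neighbor solicitation whose target is owned by another
# interface, i.e. address resolution leaking out of the wrong link.
misdirected_ns() {
    printf '%s\n' "$2" | awk -v capif="$1" -v map="$PREFIX_MAP" "$AWK_PREFIX4"'
        BEGIN {
            n = split(map, lines, "\n")
            for (i = 1; i <= n; i++) if (split(lines[i], f, " ") == 2) owner[prefix4(f[2])] = f[1]
        }
        /ICMP6, neighbor solicitation, who has / {
            t = $0; sub(/.*who has /, "", t); sub(/,.*$/, "", t)
            o = owner[prefix4(t)]
            if (o != "" && o != capif) print capif ": NS for " t " (prefix owned by " o ")"
        }'
}

# Constructed bond0 (Internet side) capture in tcpdump format, one packet per
# line: two forwarded echo requests and three solicitations for the internal host.
BOND0_CAPTURE='12:24:02.205409 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 1, length 64
12:24:02.516433 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32
12:24:03.208748 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 2, length 64
12:24:03.517294 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32
12:24:04.517504 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32'

# Constructed bond2 (internal side) capture: a solicitation for a 136 host
# here is expected, since bond2 owns that prefix, so nothing is reported.
BOND2_CAPTURE='12:24:02.204882 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 1, length 64
12:24:02.210000 IP6 fe80::214:f600:b67e:b4dc > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32'

# Run the checks on the constructed samples when executed directly.
has_linklocal_default "$GOOD_ROUTES" && echo "GOOD_ROUTES: default route via link-local next hop"
has_linklocal_default "$GLOBAL_ROUTES" || echo "GLOBAL_ROUTES: default route via a global address"
echo "dead:beef:2:136:204:23ff:fed7:e86a is owned by: $(iface_for_address dead:beef:2:136:204:23ff:fed7:e86a)"
misdirected_ns bond0 "$BOND0_CAPTURE"
misdirected_ns bond2 "$BOND2_CAPTURE"
```

On a live router the second check would be fed `tcpdump -i bond0 -n ip6` output and a prefix map taken from `ip -6 addr`; a solicitation for an internal prefix appearing on the Internet-facing interface means the kernel resolved the next hop for that destination onto the wrong link, so the route for that prefix (or the interface's address/prefix length) is what to inspect next.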