| 1 |
On Thursday 19 July 2007 13:45, Mike Williams wrote: |
| 2 |
|
| 3 |
> I can add dead:beef:2::11/64 (yes, /64) to the internet side of |
| 4 |
> router/firewall, a default route via dead:beef:2::1 and then happily |
| 5 |
> ping ipv6 things on the internet. |
| 6 |
|
| 7 |
Ok, so your ipv6 link to your provider (and to the ipv6 Internet) is |
| 8 |
working. |
| 9 |
|
| 10 |
> Starting on one of the "internal" networks I add |
| 11 |
> dead:beef:2:136::11/64, run radvd on that interface, and the hosts on |
| 12 |
> that network get v6 addresses. All of them can ping the firewall, but |
| 13 |
> cannot ping our ISPs router. |
| 14 |
|
| 15 |
Ok, just some shots in the dark: |
| 16 |
|
| 17 |
- Do the hosts also get the default router, along with the ipv6 address? |
| 18 |
You can check with "ip -6 route". You should get, among the others, a |
| 19 |
default route pointing to the ipv6 link local (fe80:) address of the |
| 20 |
router's interface on the link. |
| 21 |
|
| 22 |
- Also, although I don't think this is the source of your problems, every |
| 23 |
internal router interface should recognize (and be configured to use) |
| 24 |
the "subnet router anycast address" for that subnet, that is, usually, |
| 25 |
the plain /64 subnet address (eg, dead:beef:2:136::/64). This anycast |
| 26 |
address has to be manually configured on the interface ("ip addr add |
| 27 |
dead:beef:2:136::/64 dev bond2"). |
| 28 |
Is this the address that internal hosts are able to ping on the firewall, |
| 29 |
or did you assign another, or are you referring to the link local |
| 30 |
address? |
| 31 |
|
| 32 |
- Are you using native ipv6 connectivity with your provider or through a |
| 33 |
(SIT/6to4) tunnel? This is important because it affects the MTU of the |
| 34 |
Internet-facing interface. |
| 35 |
|
| 36 |
Seeing the actual radvd.conf file could help better here. |
| 37 |
|
| 38 |
> sendmsg: Invalid argument ?? |
| 39 |
> It's the same definition as for bond2 (136), with the interface and |
| 40 |
> prefix changed. Does the same with or without any other definitions. |
| 41 |
> All but bond2 fail, but I've no idea what's so special about bond2. |
| 42 |
> The machine is amd64, and using radvd-1.0-r1. |
| 43 |
|
| 44 |
Are these bondX regular single ethernet interfaces or are they of some |
| 45 |
other kind? |
| 46 |
|
| 47 |
> Anyway, I can add one or two addresses manually. I do so using |
| 48 |
> iproute2 and CIDR notation, so the local route is added for me, and |
| 49 |
> hosts on the 137 network can ping each other, and hosts on the 136 |
| 50 |
> network after I give them a default route via the v6 address on the |
| 51 |
> firewall interface on their network, so the firewall is properly |
| 52 |
> forwarding traffic. |
| 53 |
|
| 54 |
Ok, it seems forwarding is enabled then. Are you giving default routes |
| 55 |
pointing to global addresses? You should try using link-local addresses |
| 56 |
instead. |
| 57 |
|
| 58 |
> However, none of the hosts on the "internal" networks can ping any of |
| 59 |
> the hosts the firewall can ping. |
| 60 |
> I caught the following traffic with tcpdump on the firewall: |
| 61 |
> |
| 62 |
> # tcpdump -i bond2 ip6 |
| 63 |
> tcpdump: verbose output suppressed, use -v or -vv for full protocol |
| 64 |
> decode listening on bond2, link-type EN10MB (Ethernet), capture size |
| 65 |
> 96 bytes 12:24:02.204882 IP6 dead:beef:2:136:204:23ff:fed7:e86a > |
| 66 |
> beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 1, length |
| 67 |
> 64 12:24:03.208737 IP6 dead:beef:2:136:204:23ff:fed7:e86a > |
| 68 |
> beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 2, length |
| 69 |
> 64 |
| 70 |
> |
| 71 |
> # tcpdump -i bond0 ip6 |
| 72 |
> tcpdump: verbose output suppressed, use -v or -vv for full protocol |
| 73 |
> decode listening on bond0, link-type EN10MB (Ethernet), capture size |
| 74 |
> 96 bytes 12:24:02.205409 IP6 dead:beef:2:136:204:23ff:fed7:e86a > |
| 75 |
> beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 1, length |
| 76 |
> 64 12:24:02.516433 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: |
| 77 |
> ICMP6, neighbor solicitation, who has |
| 78 |
> dead:beef:2:136:204:23ff:fed7:e86a, length 32 12:24:03.208748 IP6 |
| 79 |
> dead:beef:2:136:204:23ff:fed7:e86a > |
| 80 |
> beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 2, length |
| 81 |
> 64 12:24:03.517294 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: |
| 82 |
> ICMP6, neighbor solicitation, who has |
| 83 |
> dead:beef:2:136:204:23ff:fed7:e86a, length 32 12:24:04.517504 IP6 |
| 84 |
> fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor |
| 85 |
> solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32 |
| 86 |
|
| 87 |
IIUC, icmpv6 echo request packets enter the router/firewall from the |
| 88 |
bond2 interface, and leave the box using the bond0 interface (confirming |
| 89 |
that forwarding works). But, the router/firewall is trying to get the |
| 90 |
link-layer address of the interface whose ipv6 global address is |
| 91 |
dead:beef:2:136:204:23ff:fed7:e86a (thus an internal host), but for some |
| 92 |
reason it sends these neighbor solicitation messages out of the Internet |
| 93 |
interface. Not surprisingly, it gets no answers. |
| 94 |
|
| 95 |
> The firewall has no netfilter rules at all, everything is default |
| 96 |
> accept. |
| 97 |
|
| 98 |
Are the internal hosts using ip6tables? They might be blocking icmpv6 |
| 99 |
messages. |
| 100 |
|
| 101 |
> Am I just doing something stupid, or have I asked our host to set it |
| 102 |
> up wrong? Would really like to know what radvd is up to too... |
| 103 |
|
| 104 |
Try posting more config info (radvd), debug info (ip -6 route and ip -6 |
| 105 |
neigh on the internal hosts and on the router) and the scripts (if any) |
| 106 |
you use to handle the connection (Internet side and internal side). |
| 107 |
-- |
| 108 |
gentoo-user@g.o mailing list |
Archives