| 1 |
Hey all, |
| 2 |
|
| 3 |
I was hoping we've got some IPv6 experts around, as I've got some "issues" |
| 4 |
I've been banging my head against for 2 days. |
| 5 |
|
| 6 |
Very briefly our network is a gentoo firewall box with 5 interfaces, 1 to the internet, |
| 7 |
and 4 to private networks (192.168.xxx.0/24). What I would like to do is |
| 8 |
assign a /64 to each "internal" network. |
| 9 |
|
| 10 |
Our host has assigned us a /48, and added dead:beef:2::1/48 to their router as |
| 11 |
our gateway. |
| 12 |
I can add dead:beef:2::11/64 (yes, /64) to the internet side of router/firewall, a |
| 13 |
default route via dead:beef:2::1 and then happily ping ipv6 things on the internet. |
| 14 |
Starting on one of the "internal" networks I add dead:beef:2:136::11/64, run |
| 15 |
radvd on that interface, and the hosts on that network get v6 addresses. All |
| 16 |
of them can ping the firewall, but cannot ping our ISPs router. |
| 17 |
OK, so I figured I try another "internal" network, 137. Same process as above, |
| 18 |
but this time radvd won't work: |
| 19 |
|
| 20 |
# radvd -d5 -mstderr |
| 21 |
[Jul 19 12:02:30] radvd: version 1.0 started |
| 22 |
[Jul 19 12:02:30] radvd: inet_pton returned 1 |
| 23 |
[Jul 19 12:02:30] radvd: mtu for bond4 is 1500 |
| 24 |
[Jul 19 12:02:30] radvd: hardware type for bond4 is 1 |
| 25 |
[Jul 19 12:02:30] radvd: link layer token length for bond4 is 48 |
| 26 |
[Jul 19 12:02:30] radvd: prefix length for bond4 is 64 |
| 27 |
[Jul 19 12:02:30] radvd: interface definition for bond4 is ok |
| 28 |
[Jul 19 12:02:30] radvd: sending RA on bond4 |
| 29 |
[Jul 19 12:02:30] radvd: sendmsg: Invalid argument |
| 30 |
[Jul 19 12:02:30] radvd: setting timer: 16.00 secs |
| 31 |
[Jul 19 12:02:30] radvd: setting timer: 16 secs 0 usecs |
| 32 |
[Jul 19 12:02:30] radvd: calling schedule_timer from set_timer context |
| 33 |
[Jul 19 12:02:30] radvd: calling alarm: 15 secs, 999929 usecs |
| 34 |
|
| 35 |
sendmsg: Invalid argument ?? |
| 36 |
It's the same definition as for bond2 (136), with the interface and prefix |
| 37 |
changed. Does the same with or without any other definitions. All but bond2 |
| 38 |
fail, but I've no idea what's so special about bond2. |
| 39 |
The machine is amd64, and using radvd-1.0-r1. |
| 40 |
|
| 41 |
Anyway, I can add one or two addresses manually. I do so using iproute2 |
| 42 |
and CIDR notation, so the local route is added for me, and hosts on the 137 |
| 43 |
network can ping each other, and hosts on the 136 network after I give them |
| 44 |
a default route via the v6 address on the firewall interface on their network, so |
| 45 |
the firewall is properly forwarding traffic. |
| 46 |
However, none of the hosts on the "internal" networks can ping any of the |
| 47 |
hosts the firewall can ping. |
| 48 |
I caught the following traffic with tcpdump on the firewall: |
| 49 |
|
| 50 |
# tcpdump -i bond2 ip6 |
| 51 |
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode |
| 52 |
listening on bond2, link-type EN10MB (Ethernet), capture size 96 bytes |
| 53 |
12:24:02.204882 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 1, length 64 |
| 54 |
12:24:03.208737 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 2, length 64 |
| 55 |
|
| 56 |
# tcpdump -i bond0 ip6 |
| 57 |
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode |
| 58 |
listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes |
| 59 |
12:24:02.205409 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 1, length 64 |
| 60 |
12:24:02.516433 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32 |
| 61 |
12:24:03.208748 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 2, length 64 |
| 62 |
12:24:03.517294 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32 |
| 63 |
12:24:04.517504 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32 |
| 64 |
|
| 65 |
bond0 and beef:dead:1f0:1::/64 are the internet side, bond2 and dead:beef:2:136::/64 |
| 66 |
the "internal" side. |
| 67 |
I can't understand why the firewall isn't answering/forwarding the solicitation, it knows |
| 68 |
who dead:beef:2:136:204:23ff:fed7:e86a is. |
| 69 |
The firewall has no netfilter rules at all, everything is default accept. |
| 70 |
|
| 71 |
Am I just doing something stupid, or have I asked our host to set it up wrong? |
| 72 |
Would really like to know what radvd is up to too... |
| 73 |
|
| 74 |
Cheers |
| 75 |
|
| 76 |
-- |
| 77 |
Mike Williams |
| 78 |
-- |
| 79 |
gentoo-user@g.o mailing list |
Archives