Hey all,

I was hoping we've got some IPv6 experts around, as I've got some "issues"
I've been banging my head against for 2 days.

Very briefly, our network is a Gentoo firewall box with 5 interfaces, 1 to the internet
and 4 to private networks (192.168.xxx.0/24). What I would like to do is
assign a /64 to each "internal" network.

Our host has assigned us a /48, and added dead:beef:2::1/48 to their router as
our gateway.
I can add dead:beef:2::11/64 (yes, /64) to the internet side of the router/firewall and a
default route via dead:beef:2::1, and then happily ping IPv6 things on the internet.
Starting on one of the "internal" networks, I add dead:beef:2:136::11/64, run
radvd on that interface, and the hosts on that network get v6 addresses. All
of them can ping the firewall, but cannot ping our ISP's router.
OK, so I figured I'd try another "internal" network, 137. Same process as above,
but this time radvd won't work:

# radvd -d5 -mstderr
[Jul 19 12:02:30] radvd: version 1.0 started
[Jul 19 12:02:30] radvd: inet_pton returned 1
[Jul 19 12:02:30] radvd: mtu for bond4 is 1500
[Jul 19 12:02:30] radvd: hardware type for bond4 is 1
[Jul 19 12:02:30] radvd: link layer token length for bond4 is 48
[Jul 19 12:02:30] radvd: prefix length for bond4 is 64
[Jul 19 12:02:30] radvd: interface definition for bond4 is ok
[Jul 19 12:02:30] radvd: sending RA on bond4
[Jul 19 12:02:30] radvd: sendmsg: Invalid argument
[Jul 19 12:02:30] radvd: setting timer: 16.00 secs
[Jul 19 12:02:30] radvd: setting timer: 16 secs 0 usecs
[Jul 19 12:02:30] radvd: calling schedule_timer from set_timer context
[Jul 19 12:02:30] radvd: calling alarm: 15 secs, 999929 usecs

sendmsg: Invalid argument ??
It's the same definition as for bond2 (136), with the interface and prefix
changed. It does the same with or without any other definitions. All but bond2
fail, but I've no idea what's so special about bond2.
The machine is amd64, and using radvd-1.0-r1.

Anyway, I can add one or two addresses manually. I do so using iproute2
and CIDR notation, so the local route is added for me. Hosts on the 137
network can ping each other, and also hosts on the 136 network once I give them
a default route via the v6 address of the firewall interface on their network, so
the firewall is properly forwarding traffic.
However, none of the hosts on the "internal" networks can ping any of the
hosts the firewall can ping.
I caught the following traffic with tcpdump on the firewall:

# tcpdump -i bond2 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond2, link-type EN10MB (Ethernet), capture size 96 bytes
12:24:02.204882 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 1, length 64
12:24:03.208737 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 2, length 64

# tcpdump -i bond0 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes
12:24:02.205409 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 1, length 64
12:24:02.516433 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32
12:24:03.208748 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 2, length 64
12:24:03.517294 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32
12:24:04.517504 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32

bond0 and beef:dead:1f0:1::/64 are the internet side, bond2 and dead:beef:2:136::/64
the "internal" side.
I can't understand why the firewall isn't answering/forwarding the solicitation; it knows
who dead:beef:2:136:204:23ff:fed7:e86a is.
The firewall has no netfilter rules at all; everything is default accept.

Am I just doing something stupid, or have I asked our host to set it up wrong?
Would really like to know what radvd is up to too...

Cheers

--
Mike Williams
--
gentoo-user@g.o mailing list
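The bond0 capture above shows the upstream router sending neighbor solicitations for an address that lives in the /64 behind bond2, i.e. the peer on the internet link is treating that address as on-link rather than routed. The script below is an added example and is not part of Mike's post or of radvd; it parses tcpdump ICMPv6 text lines (the bond0 lines from the post, embedded as sample input) and flags every solicitation whose target is not in a prefix that is actually on-link on the capturing interface, reporting which other interface holds the target. Interface and prefix names are taken from the post where it gives them; the bond4 / dead:beef:2:137::/64 pairing and all function names are assumptions of this example.

```python
"""Classify neighbor solicitations from a tcpdump text capture against the
prefixes that are really on-link on the capturing interface.

Added example, not from the original post. A solicitation for a target that
is off-link here but on-link behind another interface means the soliciting
peer expects the address on this link, and this host will not answer for it
unless it proxies Neighbor Discovery or the peer routes the prefix instead.
"""
import ipaddress
import re

# Sample input constructed from the bond0 capture quoted in the post.
SAMPLE_CAPTURE = """\
12:24:02.205409 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 1, length 64
12:24:02.516433 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32
12:24:03.208748 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 2, length 64
12:24:03.517294 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32
"""

# Which prefixes are on-link on which interface of the firewall.
# bond0 and bond2 are as stated in the post; bond4 is an assumption.
INTERFACE_PREFIXES = {
    "bond0": ["beef:dead:1f0:1::/64"],   # internet side
    "bond2": ["dead:beef:2:136::/64"],   # internal network 136
    "bond4": ["dead:beef:2:137::/64"],   # internal network 137 (assumed)
}

# Matches the tcpdump one-line form of an ICMPv6 neighbor solicitation.
NS_RE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): "
    r"ICMP6, neighbor solicitation, who has (?P<target>[0-9a-f:]+), length \d+$"
)


def parse_neighbor_solicitations(capture):
    """Yield (timestamp, source, target) for every NS line in the capture."""
    for line in capture.splitlines():
        m = NS_RE.match(line.strip())
        if m:
            yield (m["ts"],
                   ipaddress.IPv6Address(m["src"]),
                   ipaddress.IPv6Address(m["target"]))


def classify_solicitations(capture, capture_iface, iface_prefixes):
    """Return NS records whose target is off-link on capture_iface.

    Each record names the interfaces (if any) on which the target really is
    on-link. Link-local targets are always on-link and are never reported.
    """
    nets = {iface: [ipaddress.IPv6Network(p) for p in prefixes]
            for iface, prefixes in iface_prefixes.items()}
    findings = []
    for ts, src, target in parse_neighbor_solicitations(capture):
        if target.is_link_local:
            continue
        if any(target in n for n in nets.get(capture_iface, [])):
            continue  # genuinely on-link here: ordinary neighbor discovery
        behind = [iface for iface, ns in nets.items()
                  if iface != capture_iface and any(target in n for n in ns)]
        findings.append({
            "time": ts,
            "from": str(src),
            "target": str(target),
            "behind": behind,  # interfaces where the target is actually on-link
        })
    return findings


if __name__ == "__main__":
    for f in classify_solicitations(SAMPLE_CAPTURE, "bond0", INTERFACE_PREFIXES):
        where = ", ".join(f["behind"]) or "no local interface"
        print(f"{f['time']} {f['from']} solicits {f['target']} on bond0; "
              f"target is on-link behind: {where}")
```

Run it against a capture saved with `tcpdump -i bond0 -n ip6` (the `-n` matters so addresses are not resolved to names the regex would not match). A non-empty result for the internet interface is the signature of an on-link versus routed mismatch between the firewall and the upstream router, which is the situation the bond0 capture in the post shows; a record with an empty `behind` list would instead mean the peer is soliciting an address this host does not hold anywhere.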