On Thursday 19 July 2007 13:56:23 Etaoin Shrdlu wrote:
> Ok, just some shots in the dark:
>
> - Do the hosts also get the default router, along with the ipv6 address?
> You can check with "ip -6 route". You should get, among the others, a
> default route pointing to the ipv6 link local (fe80:) address of the
> router's interface on the link.

Yep, they get a default route via the link local address of the firewall
interface local to themselves. Same happens if I substitute it for the global
address (blah:blah:blah:137::11).

> - Also, although I don't think this is the source of your problems, every
> internal router interface should recognize (and be configured to use)
> the "subnet router anycast address" for that subnet, that is, usually,
> the plain /64 subnet address (eg, dead:beef:2:136::/64). This anycast
> address has to be manually configured on the interface ("ip addr add
> dead:beef:2:136::/64 dev bond2").
> Is this the address that internal hosts are able to ping on the firewall,
> or did you assign another, or are you referring to the link local
> address?

I hadn't configured the "subnet router anycast address", but I can still ping
it. Again makes no difference if it's specified or not.

> - Are you using native ipv6 connectivity with your provider or through a
> (SIT/6to4) tunnel? This is important because it affects the MTU of the
> Internet-facing interface.

It's native IPv6.

> Seeing the actual radvd.conf file could help better here.

interface bond2
{
        AdvSendAdvert on;
        prefix dead:beef:2:136::/64
        {
                AdvOnLink on;
                AdvAutonomous on;
        };
};

interface bond4
{
       AdvSendAdvert on;
       prefix dead:beef:2:137::/64
       {
               AdvOnLink on;
               AdvAutonomous on;
       };
};

interface bond1
{
       AdvSendAdvert on;
       prefix dead:beef:2:131::/64
       {
               AdvOnLink on;
               AdvAutonomous on;
       };
};

The order makes no difference.

> > sendmsg: Invalid argument ??
> > It's the same definition as for bond2 (136), with the interface and
> > prefix changed. Does the same with or without any other definitions.
> > All but bond2 fail, but I've no idea what's so special about bond2.
> > The machine is amd64, and using radvd-1.0-r1.
>
> Are these bondX regular single ethernet interfaces or are they of some
> other kind?

It's an ethernet link, just not a single one :)

> Ok, it seems forwarding is enabled then. Are you giving default routes
> pointing to global addresses? You should try using link-local addresses
> instead.

As above, no difference. I've even tried using the link-local address of the
upstream router for the default route out of the firewall.

> IIUC, icmpv6 echo request packets enter the router/firewall from the
> bond2 interface, and leave the box using the bond0 interface (confirming
> that forwarding works). But, the router/firewall is trying to get the
> link-layer address of the interface whose ipv6 global address is
> dead:beef:2:136:204:23ff:fed7:e86a (thus an internal host), but for some
> reason it sends these neighbor solicitation messages out of the Internet
> interface. Not surprisingly, it gets no answers.

Ahh, so I was understanding the output right.

> Are the internal hosts using ip6tables? They might be blocking icmpv6
> messages.

Nope, no ip6tables rules anywhere.

> Try posting more config info (radvd), debug info (ip -6 route and ip -6
> neigh on the internal hosts and on the router) and the scripts (if any)
> you use to handle the connection (Internet side and internal side).

radvd config above, routing and neighbour info here:

relevant routing info
# ip -6 route show
dead:beef:2::/64 dev bond0  metric 1  expires 21253232sec mtu 1500 advmss 1440 hoplimit 4294967295
dead:beef:2::/64 dev bond0  metric 256  expires 21254724sec mtu 1500 advmss 1440 hoplimit 4294967295
dead:beef:2:131::/64 dev bond1  metric 256  expires 21256488sec mtu 1500 advmss 1440 hoplimit 4294967295
dead:beef:2:136::/64 dev bond2  metric 256  expires 21252676sec mtu 1500 advmss 1440 hoplimit 4294967295
dead:beef:2:137::/64 dev bond4  metric 256  expires 21255086sec mtu 1500 advmss 1440 hoplimit 4294967295
default via fe80::214:f600:b67e:b4db dev bond0  metric 1  expires 21334235sec mtu 1500 advmss 1440 hoplimit 4294967295

firewall # ip -6 neigh
fe80::214:f600:b67e:b4db dev bond0 lladdr 00:14:f6:7e:b4:db router STALE
dead:beef:2:136:204:23ff:fed7:e86a dev bond2 lladdr 00:04:23:d7:e8:6a REACHABLE
fe80::204:23ff:fed7:e86a dev bond2 lladdr 00:04:23:d7:e8:6a STALE

host # ip -6 neigh
dead:beef:2:136::11 dev bond0 lladdr 00:04:23:d7:f3:32 router REACHABLE
fe80::204:23ff:fed7:f332 dev bond0 lladdr 00:04:23:d7:f3:32 router REACHABLE

The host has bonded ethernet connections too.

Thanks

-- 
Mike Williams
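
Added example, not part of the original message or of any tool mentioned in it: a small Python check that runs a longest-prefix match over the firewall's posted routing table and compares the result with the interface on which the neighbour solicitations were reported. The route list is reduced from the `ip -6 route show` output above to destination, device and metric; the function names are hypothetical, and lowest metric as tie-breaker is an assumption of this sketch.

```python
import ipaddress

# Constructed from the firewall's "ip -6 route show" output in the message,
# reduced to destination, device and metric.
ROUTES = """\
dead:beef:2::/64 dev bond0 metric 1
dead:beef:2::/64 dev bond0 metric 256
dead:beef:2:131::/64 dev bond1 metric 256
dead:beef:2:136::/64 dev bond2 metric 256
dead:beef:2:137::/64 dev bond4 metric 256
default via fe80::214:f600:b67e:b4db dev bond0 metric 1
"""

def parse_routes(text):
    """Return a list of (network, device, metric) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dest = "::/0" if f[0] == "default" else f[0]
        dev = f[f.index("dev") + 1]
        metric = int(f[f.index("metric") + 1])
        routes.append((ipaddress.ip_network(dest), dev, metric))
    return routes

def egress_device(routes, addr):
    """Longest-prefix match; lowest metric breaks ties (assumption)."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    _, dev, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return dev

def check_neighbour(routes, addr, seen_on):
    """Compare where a solicitation was seen with where the table points."""
    expected = egress_device(routes, addr)
    return expected == seen_on, expected

if __name__ == "__main__":
    routes = parse_routes(ROUTES)
    host = "dead:beef:2:136:204:23ff:fed7:e86a"
    for dev in ("bond2", "bond0"):
        ok, expected = check_neighbour(routes, host, dev)
        print(f"NS for {host} on {dev}: expected {expected}, consistent={ok}")
```

By the posted table the internal host's address matches only the bond2 on-link prefix and the default route, so solicitations for it leaving on bond0 do not agree with the table.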