On Thursday 19 July 2007 13:56:23 Etaoin Shrdlu wrote:
> Ok, just some shots in the dark:
>
> - Do the hosts also get the default router, along with the ipv6 address?
> You can check with "ip -6 route". You should get, among the others, a
> default route pointing to the ipv6 link local (fe80:) address of the
> router's interface on the link.

Yep, they get a default route via the link local address of the firewall interface local to themselves. Same happens if I substitute it for the global address (blah:blah:blah:137::11).

> - Also, although I don't think this is the source of your problems, every
> internal router interface should recognize (and be configured to use)
> the "subnet router anycast address" for that subnet, that is, usually,
> the plain /64 subnet address (eg, dead:beef:2:136::/64). This anycast
> address has to be manually configured on the interface ("ip addr add
> dead:beef:2:136::/64 dev bond2").
> Is this the address that internal hosts are able to ping on the firewall,
> or did you assign another, or are you referring to the link local
> address?

I hadn't configured the "subnet router anycast address", but I can still ping it. Again makes no difference if it's specified or not.

> - Are you using native ipv6 connectivity with your provider or through a
> (SIT/6to4) tunnel? This is important because it affects the MTU of the
> Internet-facing interface.

It's native IPv6.

> Seeing the actual radvd.conf file could help better here.

interface bond2
{
    AdvSendAdvert on;
    prefix dead:beef:2:136::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
interface bond4
{
    AdvSendAdvert on;
    prefix dead:beef:2:137::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
interface bond1
{
    AdvSendAdvert on;
    prefix dead:beef:2:131::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};

The order makes no difference.

> > sendmsg: Invalid argument ??
> > It's the same definition as for bond2 (136), with the interface and
> > prefix changed. Does the same with or without any other definitions.
> > All but bond2 fail, but I've no idea what's so special about bond2.
> > The machine is amd64, and using radvd-1.0-r1.
>
> Are these bondX regular single ethernet interfaces or are they of some
> other kind?

It's an ethernet link, just not a single one :)

> Ok, it seems forwarding is enabled then. Are you giving default routes
> pointing to global addresses? You should try using link-local addresses
> instead.

As above, no difference. I've even tried using the link-local address of the upstream router for the default route out of the firewall.

> IIUC, icmpv6 echo request packets enter the router/firewall from the
> bond2 interface, and leave the box using the bond0 interface (confirming
> that forwarding works). But, the router/firewall is trying to get the
> link-layer address of the interface whose ipv6 global address is
> dead:beef:2:136:204:23ff:fed7:e86a (thus an internal host), but for some
> reason it sends these neighbor solicitation messages out of the Internet
> interface. Not surprisingly, it gets no answers.

Ahh, so I was understanding the output right.

> Are the internal hosts using ip6tables? They might be blocking icmpv6
> messages.

Nope, no ip6tables rules anywhere.

> Try posting more config info (radvd), debug info (ip -6 route and ip -6
> neigh on the internal hosts and on the router) and the scripts (if any)
> you use to handle the connection (Internet side and internal side).

radvd config above, routing and neighbour info here:

relevant routing info
# ip -6 route show
dead:beef:2::/64 dev bond0 metric 1 expires 21253232sec mtu 1500 advmss 1440 hoplimit 4294967295
dead:beef:2::/64 dev bond0 metric 256 expires 21254724sec mtu 1500 advmss 1440 hoplimit 4294967295
dead:beef:2:131::/64 dev bond1 metric 256 expires 21256488sec mtu 1500 advmss 1440 hoplimit 4294967295
dead:beef:2:136::/64 dev bond2 metric 256 expires 21252676sec mtu 1500 advmss 1440 hoplimit 4294967295
dead:beef:2:137::/64 dev bond4 metric 256 expires 21255086sec mtu 1500 advmss 1440 hoplimit 4294967295
default via fe80::214:f600:b67e:b4db dev bond0 metric 1 expires 21334235sec mtu 1500 advmss 1440 hoplimit 4294967295

firewall # ip -6 neigh
fe80::214:f600:b67e:b4db dev bond0 lladdr 00:14:f6:7e:b4:db router STALE
dead:beef:2:136:204:23ff:fed7:e86a dev bond2 lladdr 00:04:23:d7:e8:6a REACHABLE
fe80::204:23ff:fed7:e86a dev bond2 lladdr 00:04:23:d7:e8:6a STALE

host # ip -6 neigh
dead:beef:2:136::11 dev bond0 lladdr 00:04:23:d7:f3:32 router REACHABLE
fe80::204:23ff:fed7:f332 dev bond0 lladdr 00:04:23:d7:f3:32 router REACHABLE

The host has bonded ethernet connections too.

Thanks

--
Mike Williams
--
[EMAIL PROTECTED] mailing list