On 7-1-2011 17:30, nothingness wrote:
Here goes:
I can see the ping6 traffic from client to mirror.switch.ch traverse
internal, then tunnel, then external (as encap) but I can't see pflog
dropping it:
internal if:
casper ~ # tcpdump -i dc0 | grep -v domain | grep -v arp | grep -v www | grep -v ssh
17:25:35.169734 fe80::280:adff:fe75:1760 > fe80::224:d6ff:fe3b:588c: icmp6: neighbor adv: tgt is casper.nineinchnetworks.ch
17:25:35.583289 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request
17:25:36.583473 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request
17:25:37.583653 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request
17:25:38.583846 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request
tunnel:
casper ~ # tcpdump -i gif0
tcpdump: listening on gif0, link-type NULL
17:24:34.582415 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request
17:24:35.582591 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request
17:24:36.582766 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request
17:24:37.582957 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request
external:
casper ~ # tcpdump -i bge0 | grep -v irc | grep -v www | grep -v domain | grep -v arp | grep -v 1194
17:25:22.581100 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request (encap)
17:25:23.581277 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request (encap)
17:25:24.581480 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request (encap)
17:25:25.581666 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request (encap)
17:25:26.581829 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request (encap)
17:25:27.581991 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request (encap)
firewall stuff:
casper ~ # tcpdump -i pflog0
tcpdump: listening on pflog0, link-type PFLOG
17:24:18.636473 85-218-12-1.dclient.lsne.ch > ALL-SYSTEMS.MCAST.NET: igmp query [ttl 1]
17:24:52.493304 c-98-221-40-44.hsd1.pa.comcast.net.57053 > 85-218-10-62.dclient.lsne.ch.52680: udp 42
17:26:24.144277 85-218-12-1.dclient.lsne.ch > ALL-SYSTEMS.MCAST.NET: igmp query [ttl 1]
17:28:29.649077 85-218-12-1.dclient.lsne.ch > ALL-SYSTEMS.MCAST.NET: igmp query [ttl 1]
------------------------------------------------------------------------------------------------------------------------------------
And the routing tables :
client:
charybde ~ # netstat -rnf inet6
Routing tables
Internet6:
Destination Gateway Flags Refs Use Mtu Prio Iface
::/104 ::1 UGRS 0 0 - 8 lo0
::/96 ::1 UGRS 0 0 - 8 lo0
default fe80::280:adff:fe75:1760%vr0 UG 0 36 - 4 vr0
::1 ::1 UH 14 0 33200 4 lo0
::127.0.0.0/104 ::1 UGRS 0 0 - 8 lo0
::224.0.0.0/100 ::1 UGRS 0 0 - 8 lo0
::255.0.0.0/104 ::1 UGRS 0 0 - 8 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 - 8 lo0
2001:1620:f2e1::/64 link#1 UC 1 0 - 4 vr0
2001:1620:f2e1::1 00:80:ad:75:17:60 UHLc 0 2 - 4 vr0
2001:1620:f2e1:0:20d:b9ff:fe17:bfec 00:0d:b9:17:bf:ec UHL 0 0 - 4 lo0
2002::/24 ::1 UGRS 0 0 - 8 lo0
2002:7f00::/24 ::1 UGRS 0 0 - 8 lo0
2002:e000::/20 ::1 UGRS 0 0 - 8 lo0
2002:ff00::/24 ::1 UGRS 0 0 - 8 lo0
fe80::/10 ::1 UGRS 0 0 - 8 lo0
fe80::%vr0/64 link#1 UC 1 0 - 4 vr0
fe80::20d:b9ff:fe17:bfec%vr0 00:0d:b9:17:bf:ec UHL 1 0 - 4 lo0
fe80::280:adff:fe75:1760%vr0 00:80:ad:75:17:60 UHLc 1 12 - 4 vr0
fe80::%lo0/64 fe80::1%lo0 U 0 0 - 4 lo0
fe80::1%lo0 link#6 UHL 0 0 - 4 lo0
fec0::/10 ::1 UGRS 0 0 - 8 lo0
ff01::/16 ::1 UGRS 0 0 - 8 lo0
ff01::%vr0/32 link#1 UC 0 0 - 4 vr0
ff01::%lo0/32 ::1 UC 0 0 - 4 lo0
ff02::/16 ::1 UGRS 0 0 - 8 lo0
ff02::%vr0/32 link#1 UC 0 0 - 4 vr0
ff02::%lo0/32 ::1 UC 0 0 - 4 lo0
router/firewall:
casper ~ # netstat -rnf inet6
Routing tables
Internet6:
Destination Gateway Flags Refs Use Mtu Prio Iface
::/104 ::1 UGRS 0 0 - 8 lo0
::/96 ::1 UGRS 0 0 - 8 lo0
default 2001:1620:f00:56::1 UGS 1 124576 - 8 gif0
::1 ::1 UH 14 0 33200 4 lo0
::127.0.0.0/104 ::1 UGRS 0 0 - 8 lo0
::224.0.0.0/100 ::1 UGRS 0 0 - 8 lo0
::255.0.0.0/104 ::1 UGRS 0 0 - 8 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 - 8 lo0
2001:1620:f00:56::1 2001:1620:f00:56::2 UH 1 20 - 4 gif0
2001:1620:f00:56::2 link#7 UHL 0 0 - 4 lo0
2001:1620:f2e1::/64 link#2 UC 2 0 - 4 dc0
2001:1620:f2e1::1 00:80:ad:75:17:60 UHL 1 214 - 4 lo0
2001:1620:f2e1:0:20d:b9ff:fe17:bfec 00:0d:b9:17:bf:ec UHLc 0 7 - 4 dc0
2001:1620:f2e1:0:224:d6ff:fe3b:588c 00:24:d6:3b:58:8c UHLc 1 3953 - 4 dc0
2001:1620:f2e3::/64 link#8 UC 0 0 - 4 tun1
2001:1620:f2e3::1 fe:e1:ba:d2:ff:03 UHL 0 0 - 4 lo0
2002::/24 ::1 UGRS 0 0 - 8 lo0
2002:7f00::/24 ::1 UGRS 0 0 - 8 lo0
2002:e000::/20 ::1 UGRS 0 0 - 8 lo0
2002:ff00::/24 ::1 UGRS 0 0 - 8 lo0
fe80::/10 ::1 UGRS 0 0 - 8 lo0
fe80::%bge0/64 link#1 UC 0 0 - 4 bge0
fe80::20d:9dff:fe9b:70d2%bge0 00:0d:9d:9b:70:d2 HL 0 0 - 4 lo0
fe80::%dc0/64 link#2 UC 2 0 - 4 dc0
fe80::20d:b9ff:fe17:bfec%dc0 00:0d:b9:17:bf:ec UHLc 0 12 - 4 dc0
fe80::224:d6ff:fe3b:588c%dc0 00:24:d6:3b:58:8c UHLc 0 27237 - 4 dc0
fe80::280:adff:fe75:1760%dc0 00:80:ad:75:17:60 UHL 0 0 - 4 lo0
fe80::%lo0/64 fe80::1%lo0 U 0 0 - 4 lo0
fe80::1%lo0 link#4 UHL 0 0 - 4 lo0
fe80::%gif0/64 link#7 UC 0 0 - 4 gif0
fe80::20d:9dff:fe9b:70d2%gif0 link#7 UHL 0 0 - 4 lo0
fe80::%tun1/64 link#8 UC 1 0 - 4 tun1
fe80::18c5:75ff:fed2:2ca6%tun1 1a:c5:75:d2:2c:a6 UHLc 0 10 - 4 tun1
fe80::fce1:baff:fed2:ff03%tun1 fe:e1:ba:d2:ff:03 HL 0 0 - 4 lo0
fe80::%tun2/64 link#9 UC 0 0 - 4 tun2
fe80::fce1:baff:fed4:7555%tun2 fe:e1:ba:d4:75:55 HL 0 0 - 4 lo0
fe80::%tun3/64 link#10 UC 0 0 - 4 tun3
fe80::fce1:baff:fed6:c574%tun3 fe:e1:ba:d6:c5:74 HL 0 0 - 4 lo0
fec0::/10 ::1 UGRS 0 0 - 8 lo0
ff01::/16 ::1 UGRS 0 0 - 8 lo0
ff01::%bge0/32 link#1 UC 0 0 - 4 bge0
ff01::%dc0/32 link#2 UC 0 0 - 4 dc0
ff01::%lo0/32 ::1 UC 0 0 - 4 lo0
ff01::%gif0/32 link#7 UC 0 0 - 4 gif0
ff01::%tun1/32 link#8 UC 0 0 - 4 tun1
ff01::%tun2/32 link#9 UC 0 0 - 4 tun2
ff01::%tun3/32 link#10 UC 0 0 - 4 tun3
ff02::/16 ::1 UGRS 3 0 - 8 lo0
ff02::%bge0/32 link#1 UC 0 0 - 4 bge0
ff02::%dc0/32 link#2 UC 0 0 - 4 dc0
ff02::%lo0/32 ::1 UC 0 0 - 4 lo0
ff02::%gif0/32 link#7 UC 0 0 - 4 gif0
ff02::%tun1/32 link#8 UC 10 0 - 4 tun1
ff02::1:ff0b:7c7b%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::1:ff36:b079%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::1:ff3a:2938%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::1:ff48:37d6%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::1:ff4c:1dd9%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::1:ff52:4e02%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::1:ff6a:b2d1%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::1:ffb8:41a3%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::1:ffbf:b353%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::1:ffd2:2ca6%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::%tun2/32 link#9 UC 0 0 - 4 tun2
ff02::%tun3/32 link#10 UC 0 0 - 4 tun3
So to conclude... could it simply be that my uplink provider isn't
routing traffic from my /64 (well it's a /48 but I subdivided it)?
Cheers for your patience,
Noth
Paul de Weerd wrote:
On Tue, Jan 04, 2011 at 05:49:08PM +0100, nothingness wrote:
<SNIP all sysctl output>
So are you sure rtadvd is working as it should? Can you show the
configuration of one of your client interfaces? Also the routing
table of your client and your router (netstat -rnf inet6).
Try to ping6 something on the internet from a host in your LAN and
tcpdump on the internal interface of your router, the tunnel interface
of your router, the external interface of your router and pflog0.
What do you see ?
Paul 'WEiRD' de Weerd
$ traceroute6 2001:1620:f2e1:0:20d:b9ff:fe17:bfec
traceroute6 to 2001:1620:f2e1:0:20d:b9ff:fe17:bfec (2001:1620:f2e1:0:20d:b9ff:fe17:bfec) from 2001:610:600:3ed::2, 64 hops max, 12 byte packets
sendto: No route to host
 1 traceroute6: wrote 2001:1620:f2e1:0:20d:b9ff:fe17:bfec 12 chars, ret=-1
*sendto: No route to host
traceroute6: wrote 2001:1620:f2e1:0:20d:b9ff:fe17:bfec 12 chars, ret=-1
Seems that the route to your network is the problem.
My aiccu.conf:
username bla
password blabla
protocol tic
server tic.sixxs.net
ipv6_interface tun5
tunnel_id T12345
verbose false
daemonize true
automatic true
requiretls true
For you it would be wise to turn verbose on and see what is going on,
maybe don't daemonize.
My relevant part of pf.conf:
# $meipv6 and $ipv6range are defined elsewhere in the file (not shown here)
ipv6tunnel="tun5"
# unlogged: packets this rule drops never show up on pflog0
block in on $ipv6tunnel all
pass in log quick on $ipv6tunnel inet6 proto ipv6-icmp all keep state
block return-rst in log quick on $ipv6tunnel proto tcp from any to any port = 113
block return-rst in log quick on $ipv6tunnel proto tcp from any to any
block in log quick on $ipv6tunnel inet6 all
block out inet6 all
block out on $ipv6tunnel all
pass out log quick on $ipv6tunnel inet6 proto ipv6 from $meipv6 to any keep state
pass out log quick on $ipv6tunnel inet6 proto tcp from $ipv6range to any keep state
pass out log quick on $ipv6tunnel inet6 proto udp from $ipv6range to any keep state
pass out log quick on $ipv6tunnel inet6 proto ipv6-icmp from $meipv6 to any keep state
pass out log quick on $ipv6tunnel inet6 proto ipv6-icmp from $ipv6range to any keep state
block out log quick on $ipv6tunnel inet6 all
HTH
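A small checker, added here and not from either poster, that applies the four-capture method Paul asked for (internal, tunnel, external, pflog0) to saved tcpdump lines and reports where a ping6 stops. It assumes each tcpdump record has been saved on one line; the sample records are constructed, modelled on the captures quoted above, and the interface names, hostnames and addresses are the thread's own.

```python
import re

# Constructed sample records modelled on the captures quoted above (not the
# original dumps verbatim); one list per interface, each record on one line.
CAPTURES = {
    "dc0": [   # internal interface
        "17:25:35.583289 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request",
        "17:25:36.583473 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request",
    ],
    "gif0": [  # tunnel interface
        "17:24:34.582415 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request",
    ],
    "bge0": [  # external interface; tunnelled packets carry the (encap) tag
        "17:25:22.581100 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request (encap)",
    ],
    "pflog0": [  # only packets matched by a pf rule carrying "log" appear here
        "17:24:18.636473 85-218-12-1.dclient.lsne.ch > ALL-SYSTEMS.MCAST.NET: igmp query [ttl 1]",
    ],
}
OUTBOUND = ["dc0", "gif0", "bge0"]   # hops a LAN packet crosses on its way out
ICMP6 = re.compile(r"^\S+ (\S+) > (\S+): icmp6: echo (request|reply)")

def count_echo(captures, src, dst):
    """Per interface: echo requests src->dst and echo replies dst->src."""
    seen = {i: {"request": 0, "reply": 0} for i in set(captures) | set(OUTBOUND)}
    for ifname, lines in captures.items():
        for line in lines:
            m = ICMP6.match(line)
            if not m:
                continue
            a, b, kind = m.groups()
            if (kind == "request" and (a, b) == (src, dst)) or \
               (kind == "reply" and (a, b) == (dst, src)):
                seen[ifname][kind] += 1
    return seen

def diagnose(captures, src, dst):
    """Locate where the ping6 stops, following the thread's method."""
    seen = count_echo(captures, src, dst)
    logged = [l for l in captures.get("pflog0", []) if src in l or dst in l]
    if logged:
        return "blocked by a logged pf rule: " + logged[0]
    missing = [i for i in OUTBOUND if not seen[i]["request"]]
    if missing:
        return f"requests never reach {missing[0]}: check routing and pf on the hop before it"
    if not any(v["reply"] for v in seen.values()):
        return "requests leave bge0, no replies, nothing in pflog0: suspect the return route upstream"
    return "replies come back: no forwarding problem"
```

An empty pflog0 only means no rule with "log" matched; a drop by an unlogged block rule leaves no trace there, so check the ruleset for unlogged blocks before blaming the upstream route.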