On Fri, Jan 07, 2011 at 05:30:47PM +0100, nothingness wrote:
| Here goes:
|
| I can see the ping6 traffic from client to mirror.switch.ch traverse
| internal, then tunnel, then external (as encap) but I can't see pflog
| dropping it:

First off, some basic stuff (not directly relevant but may be useful
anyway). `grep -v X | grep -v Y | grep -v Z` is functionally
equivalent to `grep -v -e X -e Y -e Z` or `egrep -v '(X|Y|Z)'` (read
the grep manpage for more details). But that whole grepping business
is not necessary since you can let tcpdump do the filtering: `tcpdump
-i <IF> icmp6` will only show ICMPv6 traffic (what we're interested in
here; again, read the tcpdump manpage for more details).

| internal if:
| casper ~ # tcpdump -i dc0 | grep -v domain | grep -v arp | grep -v www |
| grep -v ssh
| 17:25:35.583289 2001:1620:f2e1:0:20d:b9ff:fe17:bfec >
| mimas-nxge0.switch.ch: icmp6: echo request

So v6 traffic flows from your LAN client out through your gif
interface towards your tunnel provider. That's good.

| So to conclude... could it simply be that my uplink provider isn't
| routing traffic from my /64 (well it's a /48 but I subdivided it)?

It very much looks like that is the case. Are you sure your tunnel
provider (Init7) gave you that /48? Whois has nothing more specific
than the /32 (this is in no way definitive proof that this is the IP
space assigned to you, it would've worked the other way around), so
perhaps you made a typo in the F2E1 part? Further confirmation could
be found with traceroute6 from your LAN client; if Init7 does not send
that /48 to your tunnel endpoint, the last hop that will reply will be
your router. Tracerouting from my home network towards the IP address
in your tcpdump (2001:1620:f2e1:0:20d:b9ff:fe17:bfec) ends up at
r1zur2.core.init7.net, so we're getting close to your machine ;)

So...

1. try `traceroute6 -n www.sixxs.net`
2. verify your allocation is 2001:1620:f2e1::/48
3. talk to your provider

Otherwise, your setup looks fine from what you've shown so far.

Good luck!

Paul 'WEiRD' de Weerd
--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
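
Added example, not part of the original message: a small shell helper that reads `traceroute6 -n` output and applies the test described in the reply (the last hop that answers is your own router when the provider does not route the prefix back to the tunnel). The function names `last_replying_hop` and `classify_trace` are hypothetical, and every address is constructed from the 2001:db8::/32 documentation prefix.

```shell
#!/bin/sh
# Added example: interpret `traceroute6 -n` output read from stdin.
# All addresses below are constructed (2001:db8::/32 documentation prefix).

# Print the address of the last hop that answered.
# Hops shown as "* * *" and the traceroute header line are skipped.
last_replying_hop() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /:/ { last = $2 }
         END { if (last != "") print last }'
}

# Hypothetical helper: classify a trace given the router's own address ($1)
# and the destination address ($2). The trace itself is read from stdin.
classify_trace() {
    hop=$(last_replying_hop)
    if [ -z "$hop" ]; then
        echo "no-replies"
    elif [ "$hop" = "$2" ]; then
        echo "reached-destination"
    elif [ "$hop" = "$1" ]; then
        # Replies from later hops never come back: the return route for
        # the client's prefix is missing somewhere upstream.
        echo "stops-at-own-router"
    else
        echo "stops-upstream:$hop"
    fi
}

# Constructed trace: only the LAN router answers, every later hop times out.
TRACE_STUCK='traceroute6 to 2001:db8:1234::80, 64 hops max
 1  2001:db8:f2e1::1  0.512 ms  0.401 ms  0.398 ms
 2  * * *
 3  * * *'

# Constructed trace: replies come back all the way to the destination.
TRACE_OK='traceroute6 to 2001:db8:1234::80, 64 hops max
 1  2001:db8:f2e1::1  0.498 ms  0.412 ms  0.405 ms
 2  2001:db8:ffff::1  18.2 ms  18.0 ms  17.9 ms
 3  2001:db8:1234::80  21.4 ms  21.1 ms  21.0 ms'

printf '%s\n' "$TRACE_STUCK" | classify_trace 2001:db8:f2e1::1 2001:db8:1234::80
printf '%s\n' "$TRACE_OK"    | classify_trace 2001:db8:f2e1::1 2001:db8:1234::80
```

In real use, pipe the live output in, for example `traceroute6 -n <destination> | classify_trace <router-address> <destination-address>`.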