hi,

I've got two Linux machines

        uname -rm
                5.6.15-24.gfe7831e-default x86_64
        iptables -V
                iptables v1.8.4 (legacy)

connected via a wireguard VPN.

shorewall{,6}-lite, v5.2.4.5 runs on both.

The two machines are config'd as

        (1) remote
                ext
                        intfc = eth0
                        ip4   = AA.AA.AA.AA
                        ip6   = 2600:...:1111

                virt:
                        intfc = dummy0
                        ip4   = 172.16.7.100
                        ip6   = fd80:16:7::100

                vpn
                        intfc = wg0
                        ip4   = 10.254.254.1
                        ip6   = fd10:254:254::1

        (2) local
                ext
                        intfc = enp2s0
                        ip4   = BB.BB.BB.BB

                int
                        intfc = enp3s0
                        ip4   = 176.16.8.100
                        ip6   = fd80:16:8::100

                vpn
                        intfc = wg0
                        ip4   = 10.254.254.2
                        ip6   = fd10:254:254::2


"local" has no IPv6 service provided by ISP; <local:ext> has no IPv6 address

I'm attempting to push ALL ipv6 traffic from my local/lan, through the VPN, and 
out to the 'net via the remote -- which DOES have IPv6 service.

my shorewall6 config on "local" for this redirection includes,

        /interfaces
                ?FORMAT 2
                net EXT_IF           optional,physical=wg0,forward=1,tcpflags,nosmurfs,accept_ra=1,sourceroute=0
                lan INT_IF           physical=enp3s0,forward=1,tcpflags
                loc lo

with that^^,  from machine (2), "remote", I can successfully,

ping externally,

        ping6 google.com

locally,

        ping6 <remote:eth0>
        ping6 <remote:virt>
        ping6 <remote:vpn>

and, over the vpn,

        ping6 <local:int>
        ping6 <local:vpn>



from machine (1), "local", I can successfully,

ping locally,

        ping6 <local:int>
        ping6 <local:vpn>

and to the other vpn endpoint,

        ping6 <remote:vpn>

BUT, beyond that, either

        ping6 <remote:ext>
        ping6 google.com

FAILs, returning

        ping: connect: Network is unreachable


I assume it's routing ... ??

atm, I've

        @ local

                ip -6 route show
                        ::1 dev lo proto kernel metric 256 pref medium
                        fd10:254:254::/116 dev wg0 proto kernel metric 256 pref medium
                        fd80:16:7::/116 dev wg0 metric 1024 pref medium
                        fd80:16:8::/116 dev enp3s0 proto kernel metric 256 pref medium
                        fd80:16:8::a000/116 dev enp3s0 proto kernel metric 256 pref medium
                        fe80::/64 dev enp3s0 proto kernel metric 256 pref medium

        @ remote

                ip -6 route show
                        ::1 dev lo proto kernel metric 256 pref medium
                        2600:...::/64 dev eth0 proto ra metric 1024 pref medium
                        fd10:254:254::/116 dev wg0 proto kernel metric 256 pref medium
                        fd80:16:7::/116 dev dummy0 proto kernel metric 256 pref medium
                        fd80:16:8::/116 dev wg0 metric 1024 pref medium
                        fe80::/64 dev dummy0 proto kernel metric 256 pref medium
                        fe80::/64 dev eth0 proto kernel metric 256 pref medium
                        default via fe80::1 dev eth0 proto ra metric 1024 mtu 1500 pref medium

To get my local/lan IPv6 traffic routing to the 'net,

        Do I need a change to shorewall interfaces, rules &/or routes?
        Or something external to SW?


If add'l info is needed, pls let me know.
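Added example, not part of the post or of Shorewall: it resolves destinations against the "local" routing table quoted above the way the kernel's longest-prefix match does, so the "Network is unreachable" result can be checked offline. The table below is copied from the post; the "default via" line is a hypothetical fix through the remote VPN endpoint, and 2001:db8::1 is a constructed documentation address standing in for any public destination such as google.com.

```python
import ipaddress

# Constructed sample: the "local" machine's `ip -6 route show` output from the
# post, with the wrapped lines rejoined. Note that there is no "default" entry.
LOCAL_ROUTES = """\
::1 dev lo proto kernel metric 256 pref medium
fd10:254:254::/116 dev wg0 proto kernel metric 256 pref medium
fd80:16:7::/116 dev wg0 metric 1024 pref medium
fd80:16:8::/116 dev enp3s0 proto kernel metric 256 pref medium
fd80:16:8::a000/116 dev enp3s0 proto kernel metric 256 pref medium
fe80::/64 dev enp3s0 proto kernel metric 256 pref medium
"""

# Hypothetical fix line: a default route through the WireGuard peer (remote:vpn).
DEFAULT_VIA_WG0 = "default via fd10:254:254::1 dev wg0 metric 1024 pref medium\n"


def parse_routes(text):
    """Turn `ip -6 route show` lines into (network, dev, via, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "::/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        dev = via = None
        metric = 0
        for i, tok in enumerate(fields[1:], start=1):
            if tok == "dev":
                dev = fields[i + 1]
            elif tok == "via":
                via = fields[i + 1]
            elif tok == "metric":
                metric = int(fields[i + 1])
        routes.append((net, dev, via, metric))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, lowest metric on ties, like the kernel FIB lookup.
    Returns (dev, via), or None when no route covers dst ("Network is unreachable")."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev, via, metric in routes:
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, dev, via)
    return None if best is None else (best[1], best[2])
```

`lookup(parse_routes(LOCAL_ROUTES), "2001:db8::1")` returns None, matching the failed pings, while the same call on `LOCAL_ROUTES + DEFAULT_VIA_WG0` resolves to wg0 via fd10:254:254::1. The routing decision happens before any netfilter chain is consulted, so a missing route cannot be compensated for by Shorewall rules; the fd80: ULA source prefix also still needs to be NATed or otherwise made routable at the remote end before replies from the public Internet can come back.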



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users