On 11/12/2014 4:14 PM, PGNd wrote:
> I'm starting to troubleshoot loss of tunnelbroker-provided IPv6 on an edge,
> shorewall6-lite box; need a hand.
>
> On the shorewall machine, @eth0, the external interface,
>
>     ifconfig eth0 | grep "inet6 addr" | grep "Scope:Global"
>         inet6 addr: 2001:XXX:XXX4:XXX::2/64 Scope:Global
>
> and
>
>     shorewall6-lite show routing | egrep "^2001|^default"
>         2001:XXX:XXX5:XXX::/64 dev eth1 proto kernel metric 256
>         2001:XXX:XXX4:XXX::/64 dev sit1 proto kernel metric 256
>         2001:XXX:XXX4:XXX::/64 dev eth0 proto kernel metric 256
>         default via 2001:XXX:XXX4:XXX::1 dev sit1 metric 1024
>
> In my shorewall6-lite rules, I have added
>
>     Ping(ACCEPT) net:[2001:XXX:XXX4:XXX::2]/64,[2001:XXX:XXX5:XXX::]/64 all
>     Ping(ACCEPT) net all - - - - 5/sec:100
>
> On the shorewall machine, ping6 to self
>
>     ping6 -c1 2001:XXX:XXX4:XXX::2
>         PING 2001:XXX:XXX4:XXX::2(2001:XXX:XXX4:XXX::2) 56 data bytes
>         64 bytes from 2001:XXX:XXX4:XXX::2: icmp_seq=1 ttl=64 time=0.157 ms
>
>         --- 2001:XXX:XXX4:XXX::2 ping statistics ---
>         1 packets transmitted, 1 received, 0% packet loss, time 0ms
>         rtt min/avg/max/mdev = 0.157/0.157/0.157/0.000 ms
>
> but, to the other end of the tunnel
>
>     ping6 -c1 2001:XXX:XXX4:XXX::1
>         PING 2001:XXX:XXX4:XXX::1(2001:XXX:XXX4:XXX::1) 56 data bytes
>         From 2001:XXX:XXX4:XXX::2 icmp_seq=1 Destination unreachable: Address unreachable
>
>         --- 2001:XXX:XXX4:XXX::1 ping statistics ---
>         0 packets transmitted, 0 received, +1 errors
>
> and in shorewall log
>
>     ...
>     Nov 12 15:47:38 test kernel: [ 976.493756] SW:[P6]OUTPUT:REJECT IN= OUT=eth0 SRC=2001:0XXX:XXX4:XXX0:0000:0000:0000:0002 DST=2001:0XXX:XXX4:XXX0:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3994 SEQ=1
>     ...
>
> To my read, the "Ping(ACCEPT)" above should be allowing that traffic, not
> REJECTing it. I can't manage to see the problem.
>
> What's wrong here? What additional diagnostic can/should I look at?

You have the same /64 routed out of both sit1 and eth0 -- that won't fly.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users