On 06/28/2017 03:38 PM, Sam wrote:
Howdy,
I'm embarrassed that I have to ask for help as I've been using shorewall
for 10+ years, but I've wasted a lot of time trying to add IPV6
capability to my small home network (mainly for fun). My home net is
similar to this: http://shorewall.org/XenMyWay.html only I'm using KVM.
ISP is ATT with adsl2 and the nvg510 modem. It normally only supports
handing out IPV6 addresses via 6rd. The network that is handed out is a
/60 but by default the modem only adds a single /64 route. Since one can
get root access on the modem, I've added additional /64 routes. So one
network goes to my wan interface, and the other to my lan interface.
From the shorewall box, I can use ping6 just fine and I can wget ipv6
only web sites as well. I can also ping devices on the lan and the
interface on the modem. But from my lan I can only get as far as ping
the eth0 and eth1 interfaces on the shorewall box. Using tcpdump, I can
see packets going out from eth0 -> eth1 but then there is some weird
link local address solicitation going on between the modem and eth1. See
the attached notes.txt where I show all interfaces and shorewall traces
of a laptop on lan trying to ping cnn.com. You can see the packets going
out, but on return, the modem doesn't know where to send them. And then
also attached the configs.
Probably an idiot mistake, but I'm looking forward to seeing what I did
wrong :)
Regards,
Samuel Smith
So I've been digging a little bit more. I don't think the issue lies
with shorewall, but if someone still wants to give me some tips, that
would be great.
As I mentioned, I'm using the modem's built in ipv6 6rd feature. I could
bring the tunnel into shorewall, but I'd rather keep it at the modem and
that way it will feel more like I have native ipv6 (at least from
shorewall's perspective).
The modem's wan is br2, lan is br1, and then tunnel is defined by:
sit1: ipv6/ip remote 12.83.49.81 local 192.168.254.254 ttl 64
6rd-prefix 2602:300::/28 6rd-relay_addr 12.83.49.81 anti-spoof-enable
The problem is I can't get forwarding to work from the tunnel (I think).
Stuff that is link-local with the modem works fine (basically just
shorewall eth1). But once addresses from behind shorewall start coming
through, the modem tries to look them up using the "neighbor
solicitation multicast address".
In the bottom of my attachment in the other email, you'll see it as:
The outgoing packet:
2602:314:b51b:6088:2677:3ff:fe26:3a98 > 2a04:4e42:200::323
And for the return the modem tries to do a link local look up (instead
of just forwarding?):
fe80::7ebf:b1ff:fe72:8920 > ff02::1:ff26:3a98
"ff02::1:ff26:3a98" is not link local to the modem so of course my eth1
doesn't respond and nothing flows back through shorewall to my lan.
So I'm actually at a loss here.
cat /proc/sys/net/ipv6/conf/*/forwarding gives me all 1's if that
matters. I guess that only leaves the routes, which I have:
2602:314:b51b:6088::/64 dev br1
Seems like it should work.
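A small added worked example (not from the thread, and not shorewall's own code) that reproduces the diagnosis above from the two packet lines and the one route quoted: it derives the solicited-node multicast group for the laptop's address, shows that the modem's `ff02::1:ff26:3a98` solicitation is asking for exactly that laptop, and flags the `2602:314:b51b:6088::/64 dev br1` route as on-link. A route with an interface but no `via` next hop tells the kernel every address in the prefix is a directly attached neighbour, so it neighbour-solicits each destination on that link instead of handing the packet to a router; the usual remedies in that situation are a route with a `via` next hop pointing at the forwarding box, or having that box answer NDP for the hosts behind it (the `proxy_ndp` sysctl). The sample capture lines, host list and route list are constructed here from the addresses in the mail; which remedy applies to this modem is not assumed.

```python
import ipaddress

# RFC 4291 section 2.7.1: solicited-node groups are ff02::1:ffXX:XXXX.
SOLICITED_NODE_NET = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def solicited_node_multicast(unicast: str) -> str:
    """Solicited-node multicast group a Neighbor Solicitation for `unicast` is sent to:
    ff02::1:ff00:0 with the low-order 24 bits of the target address appended."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(SOLICITED_NODE_NET.network_address) | low24))


def solicited_node_targets(mcast: str, candidates):
    """Known unicast addresses whose solicited-node group is `mcast`. Only 24 bits are
    compared, so several hosts can share a group; here it identifies the laptop uniquely."""
    group = str(ipaddress.IPv6Address(mcast))
    return [c for c in candidates if solicited_node_multicast(c) == group]


def route_is_onlink(route: str) -> bool:
    """An `ip -6 route` style line with no `via` next hop is an on-link route: the kernel
    treats every address in the prefix as a neighbour and resolves it with NDP on that
    interface instead of forwarding the packet to a router."""
    return "via" not in route.split()


def onlink_routes_covering(addr: str, routes):
    """On-link routes whose prefix contains `addr`; each one makes the kernel send an NS
    for `addr` on the route's interface rather than forward to a next hop."""
    a = ipaddress.IPv6Address(addr)
    hits = []
    for r in routes:
        prefix = r.split()[0]
        try:
            net = ipaddress.IPv6Network(prefix)
        except ValueError:  # e.g. a 'default' route: skip it
            continue
        if route_is_onlink(r) and a in net:
            hits.append(r)
    return hits


def find_solicitations(capture, candidates):
    """Scan 'src > dst' capture lines for packets sent to a solicited-node group and map
    each to the known hosts it is asking for. Returns [(group, [matching hosts]), ...]."""
    found = []
    for line in capture:
        _src, _, dst = line.partition(" > ")
        dst = dst.split()[0] if dst.strip() else ""
        try:
            dst_addr = ipaddress.IPv6Address(dst)
        except ValueError:
            continue
        if dst_addr in SOLICITED_NODE_NET:
            found.append((str(dst_addr), solicited_node_targets(dst, candidates)))
    return found


# Constructed sample data, mirroring the two packet lines and the route quoted in the mail.
CAPTURE = [
    "2602:314:b51b:6088:2677:3ff:fe26:3a98 > 2a04:4e42:200::323",  # laptop -> cnn.com
    "fe80::7ebf:b1ff:fe72:8920 > ff02::1:ff26:3a98",              # modem NS on the return path
]
LAN_HOSTS = ["2602:314:b51b:6088:2677:3ff:fe26:3a98"]  # laptop behind the shorewall box
MODEM_ROUTES = ["2602:314:b51b:6088::/64 dev br1"]      # the route listed on the modem

if __name__ == "__main__":
    for group, hosts in find_solicitations(CAPTURE, LAN_HOSTS):
        print(f"NS to {group} is asking for: {hosts or 'no known host'}")
        for h in hosts:
            for r in onlink_routes_covering(h, MODEM_ROUTES):
                print(f"  {h} falls under on-link route '{r}':")
                print("  the modem expects that host to answer NDP on br1, not a router")
```

Running it prints that the solicitation to `ff02::1:ff26:3a98` is for the laptop's address and that the `dev br1` route is why the modem solicits instead of forwarding; feeding it a route that carries a `via` next hop yields no on-link hit for that host.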
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users