On 04/06/2018 01:22 PM, colony.three--- via Shorewall-users wrote:
> 
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> 
> On April 6, 2018 11:58 AM, <colony.th...@protonmail.ch> wrote:
> 
>> ​​
>>
>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>
>> On April 6, 2018 11:44 AM, Tom Eastep teas...@shorewall.net wrote:
>>
>>>> After shorewall6 clear, ping6 just hangs.
>>>>
>>>> ping6 google.com
>>>> ================
>>>>
>>>> PING google.com(sea15s01-in-x0e.1e100.net (2607:f8b0:400a:806::200e)) 56 
>>>> data bytes
>>>>
>>>> ^C
>>>>
>>>> --- google.com ping statistics ---
>>>>
>>>> 20 packets transmitted, 0 received, 100% packet loss, time 19000ms
>>>
>>> Your routing is all screwed up. You are trying to use the same /64 on
>>>
>>> three different networks. When you get a tunnel from HE, you get two /64
>>>
>>> networks: one on the sit device, and one to use in your local network(s).
>>>
>>> You can subdivide the second /64 between multiple networks, but then the
>>>
>>> prefix length for those networks must be > 64 and you cannot use
>>>
>>> stateless autoconfiguration.
>>>
>>> -Tom
>>>
>>> Tom Eastep \ Q: What do you get when you cross a mobster with
>>>
>>> Shoreline, \ an international standard?
>>>
>>> Washington, USA \ A: Someone who makes you an offer you can't
>>>
>>> http://shorewall.org \ understand
>>
>> Understand, but I do have 2001:470:a:c3::2 set on the tunnel interface, and 
>> for the LAN I've set 2001:470:b:c3::/64 like they say.
>>
>> ip -6 route
>> ===========
>>
>> unreachable ::/96 dev lo metric 1024 error -113
>> unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113
>> 2001:470:a:c3::/64 dev he-ipv6 proto kernel metric 256
>> 2001:470:b:c3::/64 dev eth1 proto kernel metric 256
>> 2001:470:b:c3::/64 dev eth2 proto kernel metric 256
>> unreachable 2002:a00::/24 dev lo metric 1024 error -113
>> unreachable 2002:7f00::/24 dev lo metric 1024 error -113
>> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
>> unreachable 2002:ac10::/28 dev lo metric 1024 error -113
>> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
>> unreachable 2002:e000::/19 dev lo metric 1024 error -113
>> unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113
>> fe80::/64 dev eth1 proto kernel metric 256
>> fe80::/64 dev eth2 proto kernel metric 256
>> fe80::/64 dev eth0 proto kernel metric 256
>> fe80::/64 dev he-ipv6 proto kernel metric 256
>> default dev he-ipv6 metric 1024
>>
>> True I don't have a gateway set on eth1, but that -is- the LAN gateway.
>>
>> To set up the tunnel I'm using the systemd service copied almost 
>> word-for-word from the Arch doc:
>>
>> [Unit]
>> Description=he.net IPv6 tunnel
>> After=network.target
>>
>> [Service]
>> Type=oneshot
>> RemainAfterExit=yes
>> ExecStart=/usr/sbin/ip tunnel add he-ipv6 mode sit remote 216.218.226.238 local 50.47.100.167 ttl 255
>> ExecStart=/usr/sbin/ip link set he-ipv6 up mtu 1480
>> ExecStart=/usr/sbin/ip addr add 2001:470:a:c3::2/64 dev he-ipv6
>> ExecStart=/usr/sbin/ip -6 route add ::/0 dev he-ipv6
>> ExecStop=/usr/sbin/ip -6 route del ::/0 dev he-ipv6
>> ExecStop=/usr/sbin/ip link set he-ipv6 down
>> ExecStop=/usr/sbin/ip tunnel del he-ipv6
>>
>> [Install]
>> WantedBy=multi-user.target
> 
> 
> I must be being dense here.  Can someone please explain what Tom is telling 
> me here?
> 

What I am telling you is that you have these two routes:

fe80::/64 dev eth2 proto kernel metric 256
fe80::/64 dev eth1 proto kernel metric 256

So the hosts connected to one of those are going to be unreachable. You
need to configure the IP addresses on those devices as /72, not /64,
which means that you will have to assign IP addresses to hosts connected
to those interfaces manually or using DHCPv6. You will not be able to
use stateless auto configuration.

You have not told us where you are trying to ping from -- firewall or
host behind the firewall? But you are not allowing Ping from any place
to any other place in this configuration; AllowICMPs does *not* allow
ping; it only allows those ICMPs specified by RFC 4890 as 'must allow'
by routers. That explains the errors when Shorewall is started. But it
doesn't explain the issue when Shorewall is cleared. With Shorewall
cleared, can you ping 2001:470:a:c3::1?

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
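The prefix collision Tom is pointing at, checked mechanically. This is an added example, not code from the thread, from Shorewall or from the Arch documentation: it parses `ip -6 route` output, reports any global prefix that the kernel routes out of more than one interface (which is what makes the hosts on one of those links unreachable), and computes the longer-prefix split he describes. The route lines embedded below are copied from the table posted in the thread; the function names are my own and the /72 figure is his.

```python
import ipaddress
import itertools
from collections import defaultdict

# Constructed sample: the relevant rows of the 'ip -6 route' output posted above.
SAMPLE_ROUTES = """\
unreachable ::/96 dev lo metric 1024 error -113
2001:470:a:c3::/64 dev he-ipv6 proto kernel metric 256
2001:470:b:c3::/64 dev eth1 proto kernel metric 256
2001:470:b:c3::/64 dev eth2 proto kernel metric 256
fe80::/64 dev eth1 proto kernel metric 256
fe80::/64 dev eth2 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev he-ipv6 proto kernel metric 256
default dev he-ipv6 metric 1024
"""


def parse_routes(text):
    """Return a list of (IPv6Network, device) pairs from 'ip -6 route' text.

    Lines without a 'dev' token are ignored; 'unreachable' rows keep their
    destination so that they can be inspected too.
    """
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or "dev" not in tokens:
            continue
        dst = tokens[1] if tokens[0] == "unreachable" else tokens[0]
        if dst == "default":
            dst = "::/0"
        dev = tokens[tokens.index("dev") + 1]
        routes.append((ipaddress.ip_network(dst), dev))
    return routes


def conflicting_prefixes(routes):
    """Map each global prefix that is routed to two or more devices -> sorted devices.

    fe80::/64 is link-local and legitimately appears once per interface, so it is
    skipped, as are loopback 'unreachable' rows and the default route.
    """
    by_prefix = defaultdict(set)
    for net, dev in routes:
        if net.is_link_local or dev == "lo" or net.prefixlen == 0:
            continue
        by_prefix[net].add(dev)
    return {str(net): sorted(devs) for net, devs in by_prefix.items() if len(devs) > 1}


def split_prefix(prefix, new_len, count):
    """First `count` subnets of `prefix` at prefix length `new_len`, one per LAN."""
    net = ipaddress.ip_network(prefix)
    return [str(s) for s in itertools.islice(net.subnets(new_prefix=new_len), count)]


def slaac_capable(prefix):
    """SLAAC (RFC 4862) needs a 64-bit interface identifier, so only a /64 qualifies."""
    return ipaddress.ip_network(prefix).prefixlen == 64


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    for prefix, devs in conflicting_prefixes(routes).items():
        print(f"{prefix} is routed to {', '.join(devs)}: only one link can be reached")
        # Hand out one longer prefix per conflicting interface instead.
        for dev, sub in zip(devs, split_prefix(prefix, 72, len(devs))):
            how = "SLAAC" if slaac_capable(sub) else "static or DHCPv6 addressing"
            print(f"  {dev}: {sub} ({how})")
```

Run against the posted table it reports 2001:470:b:c3::/64 on both eth1 and eth2 and proposes 2001:470:b:c3::/72 for eth1 and 2001:470:b:c3:100::/72 for eth2, each flagged as needing static or DHCPv6 addresses because a /72 cannot carry stateless autoconfiguration.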


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
