On 5/30/20 7:11 PM, PGNet Dev wrote:
> hi,
>
> i've got two linux machines
>
> uname -rm
> 5.6.15-24.gfe7831e-default x86_64
> iptables -V
> iptables v1.8.4 (legacy)
>
> connected via a wireguard VPN.
>
> shorewall{,6}-lite, v5.2.4.5 runs on both.
>
> The two machines are config'd as
>
> (1) remote
>   ext  intfc = eth0    ip4 = AA.AA.AA.AA    ip6 = 2600:...:1111
>   virt intfc = dummy0  ip4 = 172.16.7.100   ip6 = fd80:16:7::100
>   vpn  intfc = wg0     ip4 = 10.254.254.1   ip6 = fd10:254:254::1
>
> (2) local
>   ext  intfc = enp2s0  ip4 = BB.BB.BB.BB
>   int  intfc = enp3s0  ip4 = 176.16.8.100   ip6 = fd80:16:8::100
>   vpn  intfc = wg0     ip4 = 10.254.254.2   ip6 = fd10:254:254::2
>
>
> "local" has no IPv6 service provided by ISP; <local:ext> has no
> IPv6 address
>
> I'm attempting to push ALL ipv6 traffic from my local/lan, through
> the VPN, and out to the 'net via the remote -- which DOES have IPv6
> service.
>
> my shorewall6 config on "local" for this redirection includes,
>
> /interfaces
> ?FORMAT 2
> net  EXT_IF  optional,physical=wg0,forward=1,tcpflags,nosmurfs,accept_ra=1,sourceroute=0
> lan  INT_IF  physical=enp3s0,forward=1,tcpflags
> loc  lo
>
> with that^^, from machine (2), "remote", I can successfully,
>
> ping externally,
>
> ping6 google.com
>
> locally,
>
> ping6 <remote:eth0>
> ping6 <remote:virt>
> ping6 <remote:vpn>
>
> and, over the vpn,
>
> ping6 <local:int>
> ping6 <local:vpn>
>
>
>
> from machine (1), "local", I can successfully,
>
> ping locally,
>
> ping6 <local:int>
> ping6 <local:vpn>
>
> and to the other vpn endpoint,
>
> ping6 <remote:vpn>
>
> BUT, beyond that, either
>
> ping6 <remote:ext>
> ping6 google.com
>
> FAILs, returning
>
> ping: connect: Network is unreachable
>
>
> I assume it's routing ... ??
>
> atm, I've
>
> @ local
>
> ip -6 route show
> ::1 dev lo proto kernel metric 256 pref medium
> fd10:254:254::/116 dev wg0 proto kernel metric 256 pref medium
> fd80:16:7::/116 dev wg0 metric 1024 pref medium
> fd80:16:8::/116 dev enp3s0 proto kernel metric 256 pref medium
> fd80:16:8::a000/116 dev enp3s0 proto kernel metric 256 pref medium
> fe80::/64 dev enp3s0 proto kernel metric 256 pref medium

You are missing a default route: via fd10:254:254::1 dev wg0
>
> @ remote
>
> ip -6 route show
> ::1 dev lo proto kernel metric 256 pref medium
> 2600:...::/64 dev eth0 proto ra metric 1024 pref medium
> fd10:254:254::/116 dev wg0 proto kernel metric 256 pref medium
> fd80:16:7::/116 dev dummy0 proto kernel metric 256 pref medium
> fd80:16:8::/116 dev wg0 metric 1024 pref medium

That route is incorrect -- it should be via fd10:254:254::1 dev wg0.

> fe80::/64 dev dummy0 proto kernel metric 256 pref medium
> fe80::/64 dev eth0 proto kernel metric 256 pref medium
> default via fe80::1 dev eth0 proto ra metric 1024 mtu 1500 pref medium
>
> To get my local/lan IPv6 traffic routing to the 'net,
>
> Do I need a change to shorewall interfaces, rules &/or routes? Or
> something external to SW?
>
>

-Tom

-- 
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                      \________________________________________
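A small POSIX-shell check for the two things Tom's reply points at, added here as an example (it is not from the thread and not Shorewall code): it takes `ip -6 route show` output one entry per line, reports whether a default route leaves via the tunnel interface, and whether the entry for the far side's prefix names a gateway or is device-only. The two tables are constructed from the ones quoted above; the function and variable names are mine, and the far-end tunnel addresses are taken from the interface listing in the question.

```shell
# Constructed samples: the two tables quoted in the thread, one entry per
# line, exactly as `ip -6 route show` prints them.
LOCAL_ROUTES='::1 dev lo proto kernel metric 256 pref medium
fd10:254:254::/116 dev wg0 proto kernel metric 256 pref medium
fd80:16:7::/116 dev wg0 metric 1024 pref medium
fd80:16:8::/116 dev enp3s0 proto kernel metric 256 pref medium
fd80:16:8::a000/116 dev enp3s0 proto kernel metric 256 pref medium
fe80::/64 dev enp3s0 proto kernel metric 256 pref medium'
REMOTE_ROUTES='::1 dev lo proto kernel metric 256 pref medium
2600:...::/64 dev eth0 proto ra metric 1024 pref medium
fd10:254:254::/116 dev wg0 proto kernel metric 256 pref medium
fd80:16:7::/116 dev dummy0 proto kernel metric 256 pref medium
fd80:16:8::/116 dev wg0 metric 1024 pref medium
fe80::/64 dev dummy0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 mtu 1500 pref medium'

# has_default_via TABLE DEV: succeed when TABLE carries a default route out of DEV.
has_default_via() {
    printf '%s\n' "$1" | grep -Eq "^default (via [^ ]+ )?dev $2( |$)"
}

# route_gateway TABLE PREFIX: print the gateway of PREFIX's entry,
# "none" when the entry is device-only, "missing" when there is no entry.
route_gateway() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == p { found = 1; if ($2 == "via") print $3; else print "none" }
        END { if (!found) print "missing" }'
}

# tunnel_default_fix TABLE TUN_DEV PEER: for the side that sends all IPv6 into
# the tunnel, print the ip(8) command adding the default route if it is absent.
tunnel_default_fix() {
    if ! has_default_via "$1" "$2"; then
        printf 'ip -6 route add default via %s dev %s\n' "$3" "$2"
    fi
}

# tunnel_prefix_fix TABLE TUN_DEV PEER PREFIX: print the command that gives the
# route to the far side's PREFIX a gateway when it is device-only or absent.
tunnel_prefix_fix() {
    case $(route_gateway "$1" "$4") in
        none)    printf 'ip -6 route replace %s via %s dev %s\n' "$4" "$3" "$2" ;;
        missing) printf 'ip -6 route add %s via %s dev %s\n' "$4" "$3" "$2" ;;
    esac
}

# Stand-alone run: "local" lacks the default route; "remote" has a device-only
# route to local's LAN prefix. PEER is the other end's wg0 address from the listing.
tunnel_default_fix "$LOCAL_ROUTES" wg0 fd10:254:254::1
tunnel_prefix_fix "$REMOTE_ROUTES" wg0 fd10:254:254::2 fd80:16:8::/116
```

Run it against live output with `tunnel_default_fix "$(ip -6 route show)" wg0 <peer>`; the functions only print commands and change nothing themselves.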


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users