Feels like I'm finally close to getting this all working at the same time. I'm still missing the last piece -- ping6 from LAN to 'NET

(1) router

ip -6 addr show
    ...
    EXT
    2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
        inet6 2600:yyyy:yyyy:zzzz::53/128 scope global dynamic noprefixroute
           valid_lft 2876sec preferred_lft 2876sec
        inet6 fe80::e310:84ed:bda1:a330/64 scope link
           valid_lft forever preferred_lft forever
    INT
    3: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
        inet6 2600:yyyy:yyyy:yyyy::1/64 scope global dynamic noprefixroute
           valid_lft 2876sec preferred_lft 2876sec
        inet6 fd81:17:15::128/116 scope global
           valid_lft forever preferred_lft forever
        inet6 fe80::e310:84ed:bda1:a331/64 scope link
           valid_lft forever preferred_lft forever

ip -6 route show
    ::1 dev lo proto kernel metric 256 pref medium
    2600:yyyy:yyyy:yyyy::/64 dev enp3s0 proto dhcp metric 1003 pref medium
    fd81:17:15::/116 dev enp3s0 proto kernel metric 256 pref medium
    fe80::/64 dev enp2s0 proto kernel metric 256 pref medium
    fe80::/64 dev enp3s0 proto kernel metric 256 pref medium
    default via fe80::4e12:65ff:fe9c:e3e0 dev enp2s0 metric 1024 pref medium

(2) desktop

ip -6 addr show
    ...
    4: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
        inet6 2600:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:23e1/64 scope global dynamic mngtmpaddr noprefixroute
           valid_lft 86391sec preferred_lft 14391sec
        inet6 fd81:17:15::7/116 scope global
           valid_lft forever preferred_lft forever
        inet6 fe80::6d9:xxxx:xxxx:23e1/64 scope link
           valid_lft forever preferred_lft forever

ip -6 route show
    ::1 dev lo proto kernel metric 256 pref medium
    2600:yyyy:yyyy:yyyy::/64 dev enp5s0 proto ra metric 1024 expires 86397sec pref medium
    fd81:17:15::/116 dev enp5s0 proto kernel metric 256 pref medium
    fd81:17:15::/116 dev enp5s0 proto ra metric 1024 expires 86397sec pref medium
    fe80::/64 dev enp5s0 proto kernel metric 256 pref medium
    default proto static metric 1024 pref medium
        nexthop via fd81:17:15::128 dev enp5s0 weight 1 onlink
        nexthop via fe80::e310:84ed:bda1:a331 dev enp5s0 weight 1

ON desktop, I *CAN* ping6

    @desktop
        2600:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:23e1
        fd81:17:15::7
    @router, INT
        2600:yyyy:yyyy:yyyy::1
        fd81:17:15::128
    @router, EXT
        2600:yyyy:yyyy:zzzz::53

can *NOT* ping6

    @desktop
        fe80::6d9:xxxx:xxxx:23e1
    @router, INT
        fe80::e310:84ed:bda1:a331
    @router, EXT
        fe80::e310:84ed:bda1:a330
    google.com
        2607:f8b0:4008:803::200e

ON router, I *CAN* ping6

    @desktop
        2600:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:23e1
        fd81:17:15::7
    @router, INT
        2600:yyyy:yyyy:yyyy::1
        fd81:17:15::128
    @router, EXT
        2600:yyyy:yyyy:zzzz::53

and, can *NOT* ping6

    @desktop
        fe80::6d9:xxxx:xxxx:23e1
    @router, INT
        fe80::e310:84ed:bda1:a331
    @router, EXT
        fe80::e310:84ed:bda1:a330

BUT, I *CAN* ping6

    google.com
        2607:f8b0:4008:803::200e

I.e., ping6

    router  -> google.com  OK
    desktop -> google.com  FAIL

Any hints about what the missing piece is? Is it a route, rule, policy or other Shorewall config that I need?

Thanks,

Thad