Good afternoon,

First, the mandatory information; for brevity, since the problem lies in IPv6, for v6 only:

shorewall6 version
5.2.8

ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
6: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::385e:4fff:fe69:a73f/64 scope link
       valid_lft forever preferred_lft forever
7: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:a00:f010::fb/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::2e2:69ff:fe7a:85a2/64 scope link
       valid_lft forever preferred_lft forever
8: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:a00:f010:3300::fb/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::6a:d7ff:fe82:82e5/64 scope link
       valid_lft forever preferred_lft forever
10: vmbr3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:a00:f010:1000::fb/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::2e2:69ff:fe7a:85a2/64 scope link
       valid_lft forever preferred_lft forever
12: WAR0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fdbf:1d37:bbe0:0:95:1:0:f8/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::e838:6fb3:cef7:372c/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
13: LON6: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fdbf:1d37:bbe0:0:16:2:0:f7/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::cd5d:26c1:b9d:b64c/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
14: NUR7: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fdbf:1d37:bbe0:0:62:3:0:35/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::b364:f254:bdcf:b1c7/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
15: ZUR8: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fdbf:1d37:bbe0:0:89:3:0:30/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::a392:109f:83e0:efad/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
16: AMS2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fdbf:1d37:bbe0:0:48::35/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::2317:f225:5833:e2d4/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
17: STO4: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fdbf:1d37:bbe0:0:65:1:0:f8/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::d4b0:4540:2123:6963/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
19: ERF9: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fdbf:1d37:bbe0:0:11::3b/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::3dcd:ddfb:8e0c:a6/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
21: NEW5: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fdbf:1d37:bbe0:0:20:3:0:f3/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::61c6:6de1:fd65:b5af/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
44: ROT1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fdbf:1d37:bbe0:0:30:2:0:f1/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::3955:ef24:ab32:6c9a/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
45: RIG10: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fdbf:1d37:bbe0:0:27:3:0:f2/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::caaa:442f:7a71:57c3/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
46: OSL11: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fdbf:1d37:bbe0:0:23:2:0:20/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::46bf:d4e4:319:5fd3/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

ip -6 route show
2a01:4f9:4b:44c2::2 via fdbf:1d37:bbe0:0:48::1 dev AMS2 metric 1024 pref medium
2a02:a00:f010::/64 dev vmbr1 proto kernel metric 256 pref medium
2a02:a00:f010:1000::/64 dev vmbr3 proto kernel metric 256 pref medium
2a02:a00:f010:3300::111 dev vmbr2 proto kernel src 2a02:a00:f010:3300::fb metric 1024 pref medium
2a02:a00:f010:3300::112 dev vmbr2 proto kernel src 2a02:a00:f010:3300::fb metric 1024 pref medium
2a02:a00:f010:3300::113 dev vmbr2 proto kernel src 2a02:a00:f010:3300::fb metric 1024 pref medium
2a02:a00:f010:3300::115 dev vmbr2 proto kernel src 2a02:a00:f010:3300::fb metric 1024 pref medium
2a02:a00:f010:3300::116 dev vmbr2 proto kernel src 2a02:a00:f010:3300::fb metric 1024 pref medium
2a02:a00:f010:3300::117 dev vmbr2 proto kernel src 2a02:a00:f010:3300::fb metric 1024 pref medium
2a02:a00:f010:3300::118 dev vmbr2 proto kernel src 2a02:a00:f010:3300::fb metric 1024 pref medium
2a02:a00:f010:3300::119 dev vmbr2 proto kernel src 2a02:a00:f010:3300::fb metric 1024 pref medium
2a02:a00:f010:3300::120 dev vmbr2 proto kernel src 2a02:a00:f010:3300::fb metric 1024 pref medium
2a02:a00:f010:3300::121 dev vmbr2 proto kernel src 2a02:a00:f010:3300::fb metric 1024 pref medium
2a02:a00:f010:3300::122 dev vmbr2 proto kernel src 2a02:a00:f010:3300::fb metric 1024 pref medium
2a02:a00:f010:3300::/64 dev vmbr2 proto kernel metric 256 pref medium
2a02:26f0:280:183::356e via fdbf:1d37:bbe0:0:30:2:0:1 dev ROT1 metric 1024 pref medium
2a02:26f0:280:18d::356e via fdbf:1d37:bbe0:0:30:2:0:1 dev ROT1 metric 1024 pref medium
2a02:26f0:280:190::356e via fdbf:1d37:bbe0:0:30:2:0:1 dev ROT1 metric 1024 pref medium
2a02:26f0:280:192::356e via fdbf:1d37:bbe0:0:30:2:0:1 dev ROT1 metric 1024 pref medium
2a02:26f0:280:193::356e via fdbf:1d37:bbe0:0:30:2:0:1 dev ROT1 metric 1024 pref medium
fdbf:1d37:bbe0:0:11::/112 dev ERF9 proto kernel metric 256 pref medium
fdbf:1d37:bbe0:0:16:2::/112 dev LON6 proto kernel metric 256 pref medium
fdbf:1d37:bbe0:0:20:3::/112 dev NEW5 proto kernel metric 256 pref medium
fdbf:1d37:bbe0:0:23:2::/112 dev OSL11 proto kernel metric 256 pref medium
fdbf:1d37:bbe0:0:27:3::/112 dev RIG10 proto kernel metric 256 pref medium
fdbf:1d37:bbe0:0:30:2::/112 dev ROT1 proto kernel metric 256 pref medium
fdbf:1d37:bbe0:0:48::/112 dev AMS2 proto kernel metric 256 pref medium
fdbf:1d37:bbe0:0:62:3::/112 dev NUR7 proto kernel metric 256 pref medium
fdbf:1d37:bbe0:0:65:1::/112 dev STO4 proto kernel metric 256 pref medium
fdbf:1d37:bbe0:0:89:3::/112 dev ZUR8 proto kernel metric 256 pref medium
fdbf:1d37:bbe0:0:95:1::/112 dev WAR0 proto kernel metric 256 pref medium
fe80::/64 dev vmbr0 proto kernel metric 256 pref medium
fe80::/64 dev vmbr2 proto kernel metric 256 pref medium
fe80::/64 dev vmbr1 proto kernel metric 256 pref medium
fe80::/64 dev vmbr3 proto kernel metric 256 pref medium
fe80::/64 dev WAR0 proto kernel metric 256 pref medium
fe80::/64 dev LON6 proto kernel metric 256 pref medium
fe80::/64 dev NUR7 proto kernel metric 256 pref medium
fe80::/64 dev ZUR8 proto kernel metric 256 pref medium
fe80::/64 dev AMS2 proto kernel metric 256 pref medium
fe80::/64 dev STO4 proto kernel metric 256 pref medium
fe80::/64 dev ERF9 proto kernel metric 256 pref medium
fe80::/64 dev NEW5 proto kernel metric 256 pref medium
fe80::/64 dev ROT1 proto kernel metric 256 pref medium
fe80::/64 dev RIG10 proto kernel metric 256 pref medium
fe80::/64 dev OSL11 proto kernel metric 256 pref medium
default via 2a02:a00:f010::fd dev vmbr1 proto kernel metric 1024 onlink pref medium

Problem:

I am trying to route and SNAT all IPv6 traffic from a specific server (2a02:a00:f010:3300::113) behind interface vmbr2 through a VPN tunnel (interface AMS2).
For this I have:
-----------------------------
ip -6 rule show
...
32756:  from 2a02:a00:f010:3300::113 lookup pp6_table2
...
-----------------------------
ip -6 route show table pp6_table2
::1 dev lo metric 1024 pref medium
2a02:a00:f010::/64 dev vmbr1 metric 1024 pref medium
2a02:a00:f010:3300::113 dev vmbr2 proto kernel src fdbf:1d37:bbe0:0:48::35 metric 1024 pref medium
fdbf:1d37:bbe0:0:48::1 dev AMS2 proto kernel src fdbf:1d37:bbe0:0:48::35 metric 1024 pref medium
default dev AMS2 metric 1024 pref medium
-----------------------------
and in /etc/shorewall6/snat:
-----------------------------
...
MASQUERADE  2a02:a00:f010::/48       AMS2
...
-----------------------------

This appears to work for "normal traffic" and "normal pings".
Example: ping from server with the 2a02:a00:f010:3300::113 IP:
-----------------------------
ping -6  -I 2a02:a00:f010:3300::113 heise.de
PING heise.de(redirector.heise.de (2a02:2e0:3fe:1001:302::)) from 2a02:a00:f010:3300::113 : 56 data bytes
64 bytes from redirector.heise.de (2a02:2e0:3fe:1001:302::): icmp_seq=1 ttl=53 time=22.5 ms
64 bytes from redirector.heise.de (2a02:2e0:3fe:1001:302::): icmp_seq=2 ttl=53 time=22.5 ms
...
-----------------------------
However, not all ICMP messages make it back to the originating IP (2a02:a00:f010:3300::113).
For instance, I see this on the VPN tunnel interface:
-----------------------------
tcpdump -vvv -n -i AMS2 '(ip6 and icmp6 and ip6[40] = 2) or (ip6 and tcp port 80)'
...
10:44:03.689758 IP6 (hlim 240, next-header ICMPv6 (58) payload length: 1240) 2001:470:1:18::3:1280 > fdbf:1d37:bbe0:0:48::35: [bad icmp6 cksum 0xa86c -> 0xbb23!] ICMP6, packet too big, mtu 1280
...
-----------------------------
but not on the interface vmbr2 to which 2a02:a00:f010:3300::113 is connected:
-----------------------------
ip -6 route get 2a02:a00:f010:3300::113
2a02:a00:f010:3300::113 from :: dev vmbr2 proto kernel src 2a02:a00:f010:3300::fb metric 1024 pref medium
-----------------------------
The above tcpdump shows nothing arriving there.
Since normal traffic and pings do arrive there and get SNATted correctly, I wonder what keeps these "packet too big" ICMPs away.


Testing IPv6 connectivity on https://test-ipv6.com also informs me of this issue:

Check your firewall to make sure that ICMPv6 messages are allowed (in particular, Type 2 or Packet Too Big)

Am I missing something obvious here? I can't find the reason.
There have been similar questions about this in the past, but none of the possible solutions seem to apply in my case.

Kind regards,

Uwe


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
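The tcpdump line in the post flags the Packet Too Big message with a bad ICMPv6 checksum. As an added example (not from the original post or from Shorewall), the following computes the ICMPv6 checksum over the IPv6 pseudo-header (RFC 8200 section 8.1, RFC 4443) for a constructed type 2 message using the address pair from that capture, and shows that the checksum only verifies against the address pair it was computed for, which is why anything that rewrites the destination back to the real server has to recompute it. The invoking-packet bytes are made up.

```python
import ipaddress
import struct

ICMPV6 = 58          # next-header value for ICMPv6
PACKET_TOO_BIG = 2   # ICMPv6 type 2, the message in the capture above
# Constructed values: the address pair is the one in the tcpdump line of the post;
# the invoking-packet bytes used with these functions are made up.
SRC = "2001:470:1:18::3:1280"         # remote host reporting the small MTU
NAT_DST = "fdbf:1d37:bbe0:0:48::35"   # SNAT address on AMS2
REAL_DST = "2a02:a00:f010:3300::113"  # the server behind vmbr2

def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src, dst, upper_len):
    """IPv6 pseudo-header (RFC 8200 s8.1): addresses, length, zeros, next header."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I", upper_len) + b"\x00\x00\x00" + bytes([ICMPV6]))

def icmpv6_checksum(src, dst, msg):
    """Checksum of an ICMPv6 message; the checksum field itself counts as zero."""
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]
    return 0xFFFF ^ ones_complement_sum(pseudo_header(src, dst, len(msg)) + zeroed)

def checksum_ok(src, dst, msg):
    """A correct message sums to 0xFFFF together with its pseudo-header."""
    return ones_complement_sum(pseudo_header(src, dst, len(msg)) + msg) == 0xFFFF

def build_packet_too_big(src, dst, mtu, invoking):
    """Type 2, code 0, checksum, MTU, then the leading bytes of the invoking packet."""
    body = struct.pack("!BBHI", PACKET_TOO_BIG, 0, 0, mtu) + invoking
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]

def reported_mtu(msg):
    """MTU field of a Packet Too Big message (bytes 4..7)."""
    return struct.unpack("!I", msg[4:8])[0]

def retarget(src, new_dst, msg):
    """What a NAT has to do after rewriting the destination: recompute the checksum."""
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, new_dst, msg)) + msg[4:]
```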
