[Shorewall-users] IPV6 + Routing
Sam
2017-06-28 20:38:49 UTC
Howdy,

I'm embarrassed that I have to ask for help as I've been using shorewall
for 10+ years, but I've wasted a lot of time trying to add IPV6
capability to my small home network (mainly for fun). My home net is
similar to this: http://shorewall.org/XenMyWay.html only I'm using KVM.

ISP is ATT with adsl2 and the nvg510 modem. It normally only supports
handing out IPV6 addresses via 6rd. The network that is handed out is a
/60 but by default the modem only adds a single /64 route. Since one can
get root access on the modem, I've added additional /64 routes. So one
network goes to my wan interface, and the other to my lan interface.

From the shorewall box, I can use ping6 just fine and I can wget ipv6
only web sites as well. I can also ping devices on the lan and the
interface on the modem. But from my lan I can only get as far as pinging
the eth0 and eth1 interfaces on the shorewall box. Using tcpdump, I can
see packets going out from eth0 -> eth1 but then there is some weird
link local address solicitation going on between the modem and eth1. See
the attached notes.txt where I show all interfaces and shorewall traces
of a laptop on lan trying to ping cnn.com. You can see the packets going
out, but on return, the modem doesn't know where to send them. And then
also attached the configs.

Probably an idiot mistake, but I'm looking forward to seeing what I did
wrong :)

Regards,
Samuel Smith
Sam
2017-06-29 03:08:38 UTC
So I've been digging a little bit more. I don't think the issue lies
with shorewall, but if someone still wants to give me some tips, that
would be great.

As I mentioned, I'm using the modem's built in ipv6 6rd feature. I could
bring the tunnel into shorewall, but I'd rather keep it at the modem and
that way it will feel more like I have native ipv6 (at least from
shorewall's perspective).

The modem's wan is br2, lan is br1, and then tunnel is defined by:
sit1: ipv6/ip remote 12.83.49.81 local 192.168.254.254 ttl 64
6rd-prefix 2602:300::/28 6rd-relay_addr 12.83.49.81 anti-spoof-enable

The problem is I can't get forwarding to work from the tunnel (I think).
Stuff that is link-local with the modem works fine (basically just
shorewall eth1). But once addresses from behind shorewall start coming
through, the modem tries to look them up using the "neighbor
solicitation multicast address".

In the bottom of my attachment in the other email, you'll see it as:

The outgoing packet:
2602:314:b51b:6088:2677:3ff:fe26:3a98 > 2a04:4e42:200::323

And for the return the modem tries to do a link local look up (instead
of just forwarding?):

fe80::7ebf:b1ff:fe72:8920 > ff02::1:ff26:3a98

"ff02::1:ff26:3a98" is not link local to the modem so of course my eth1
doesn't respond and nothing flows back through shorewall to my lan.

So I'm actually at a loss here.
cat /proc/sys/net/ipv6/conf/*/forwarding gives me all 1's if that
matters. I guess that only leaves the routes, which I have:

2602:314:b51b:6088::/64 dev br1

Seems like it should work.
Sam
2017-06-29 03:42:20 UTC
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Ok, so I think I've got it working now. Apparently I'm only used to one
type of static routing. Looking at
http://mirrors.deepspace6.net/Linux+IPv6-HOWTO/chapter-configuration-route.html

I see "Add an IPv6 route through a gateway" and "Add an IPv6 route
through an interface".

I'm obviously wanting to go through a gateway, for which the right route
syntax would be:

ip -6 route add 2602:314:b51b:6088::/64 via 2602:314:b51b:6080:208:a1ff:fe05:bf34 dev br1


And now my route table on the modem is:

# ip -6 route
2602:314:b51b:6080::1 via :: dev sit1 proto kernel metric 256 mtu 1472 advmss 1412 hoplimit 4294967295
2602:314:b51b:6080::/64 dev br1 metric 1024 mtu 1472 advmss 1412 hoplimit 4294967295
2602:314:b51b:6088::/64 via 2602:314:b51b:6080:208:a1ff:fe05:bf34 dev br1 metric 1024 mtu 1472 advmss 1412 hoplimit 4294967295
2602:300::/28 dev sit1 metric 1024 mtu 1472 advmss 1412 hoplimit 4294967295
default dev sit1 metric 1024 mtu 1472 advmss 1412 hoplimit 4294967295

I guess that is right??

Regards,
Samuel Smith
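An added example, not code from the poster or from Shorewall, that models what the two posts above describe: a longest-prefix lookup over the modem's route table, and the Neighbor Discovery target each kind of route implies. With the original interface route (2602:314:b51b:6088::/64 dev br1) the kernel treats every host in that /64 as on-link and solicits the host's own solicited-node multicast address, which is the ff02::1:ff26:3a98 seen in the capture; with the "via" route it solicits the gateway instead, and the LAN host's return traffic is handed to shorewall. The route-table text is constructed from the posted output with the metric/mtu fields dropped, and the function names are the example's own.

```python
"""Longest-prefix IPv6 route lookup plus the Neighbor Discovery target it
implies.  Added example for the thread above; not Shorewall code and not
the poster's.  The route tables below are constructed from the posted
'ip -6 route' output (metric/mtu/advmss fields omitted)."""
import ipaddress
import re

# Constructed: the modem's table after the 'via' route was added.
ROUTES_AFTER_FIX = """
2602:314:b51b:6080::1 via :: dev sit1
2602:314:b51b:6080::/64 dev br1
2602:314:b51b:6088::/64 via 2602:314:b51b:6080:208:a1ff:fe05:bf34 dev br1
2602:300::/28 dev sit1
default dev sit1
"""

# Constructed: the original, broken state with a plain interface route.
ROUTES_BEFORE_FIX = ROUTES_AFTER_FIX.replace(
    "2602:314:b51b:6088::/64 via 2602:314:b51b:6080:208:a1ff:fe05:bf34 dev br1",
    "2602:314:b51b:6088::/64 dev br1",
)

# prefix, optional 'via <gw>', then 'dev <iface>'; trailing attributes ignored
ROUTE_RE = re.compile(r"^(\S+)(?:\s+via\s+(\S+))?\s+dev\s+(\S+)")


def parse_routes(text):
    """Return a list of (IPv6Network, gateway IPv6Address or None, dev)."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        prefix, via, dev = m.groups()
        if prefix == "default":
            prefix = "::/0"
        net = ipaddress.IPv6Network(prefix, strict=False)  # bare host -> /128
        gw = None
        if via and via != "::":  # 'via ::' on a sit device is not a real next hop
            gw = ipaddress.IPv6Address(via)
        routes.append((net, gw, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match for dst; returns (network, gateway, dev) or None."""
    dst = ipaddress.IPv6Address(dst)
    best = None
    for net, gw, dev in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best


def solicited_node(addr):
    """RFC 4291 solicited-node multicast: ff02::1:ffXX:XXXX from the low 24 bits."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def nd_target(routes, dst):
    """Which address the kernel neighbour-solicits for dst, and on which link.

    Interface route (no 'via'): dst is assumed on-link, so dst itself is
    solicited.  Gateway route: the gateway is solicited and dst is forwarded
    to it.  Returns None when no route matches.
    """
    match = lookup(routes, dst)
    if match is None:
        return None
    net, gw, dev = match
    target = gw if gw is not None else ipaddress.IPv6Address(dst)
    return {"dev": dev, "target": str(target), "ns_to": str(solicited_node(target))}


if __name__ == "__main__":
    lan_host = "2602:314:b51b:6088:2677:3ff:fe26:3a98"  # LAN laptop from the capture
    for label, table in (("before", ROUTES_BEFORE_FIX), ("after", ROUTES_AFTER_FIX)):
        print(label, nd_target(parse_routes(table), lan_host))
```

Running it prints the "before" case soliciting ff02::1:ff26:3a98 on br1 (the laptop itself, which is not on that link, so nobody answers) and the "after" case soliciting ff02::1:ff05:bf34, the gateway's solicited-node group, which shorewall's eth1 does answer. On a real box the same check is "ip -6 route get <address>", whose output shows the via next hop when one applies.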
Tom Eastep
2017-06-29 22:10:41 UTC
Post by Sam
I guess that is right??
Yes -- that looks correct.

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________