Discussion:
[Shorewall-users] Second attempt at IPv6, no default routes
Steven Kiehl
2016-09-17 22:22:27 UTC
Permalink
Hi again!

So, after several months, I've decided to take another crack at upgrading
to IPv6. I followed the directions on the shorewall IPv6 support page as
far as I can tell, and also dug well into the Linux documentation noted in
that article. Thanks for all your efforts in putting that page together,
btw.

I'm attempting a simple two-interface firewall setup. I've gotten as far as
being able to connect to the firewall from the insides, resolve DNS, but
all IPv6 traffic leaving the outside interface seems to fail with "Network
unreachable" messages, trying both ping6 and traceroute6 and verifying no
REJECT/DROP errors in the logs. I can confirm that IPv6 is working on the
ISP by hooking up a Windows box to the cable modem (only problem there is
the ISP doesn't have an IPv6 DNS server, but otherwise all is well).

But, try as I have tweaking the network/interfaces and shorewall/shorewall6
configurations and even attempting to add routes directly to the tables, I
can't seem to get any traffic to move. I have a DHCP-issued IPv6 address
from the ISP, but running 'ip -6 route' shows no default routes. I do have
default routes on IPv4, and disabling IPv6 on my clients does result in
successful IPv4 connections and data transmission. But, IPv6 remains
unreachable for some mysterious reason.

Attempted to get some support from the ISP, but they are just following
script as usual.

I've attached the shorewall6 dump to this message. Let me know if any other
info is needed.

Thanks for any help you can provide!

- Steve Kiehl
Steven Kiehl
2016-09-17 22:30:25 UTC
Permalink
Whoops, sorry, let me try attaching this again. Seem to have attached the
stopped-state dump. Attached here is the started-state dump with all the
active changes and whatnot.

By the way, do you accept these dumps via GitHub Gists, or just via
attached gz/bzip2s?

- Steve Kiehl
Simon Hobson
2016-09-18 13:21:18 UTC
Permalink
So, after several months, I've decided to take another crack at upgrading to IPv6. I followed the directions on the shorewall IPv6 support page as far as I can tell, and also dug well into the Linux documentation noted in that article. Thanks for all your efforts in putting that page together, btw.
I'm attempting a simple two-interface firewall setup. I've gotten as far as being able to connect to the firewall from the insides, resolve DNS, but all IPv6 traffic leaving the outside interface seems to fail with "Network unreachable" messages, trying both ping6 and traceroute6 and verifying no REJECT/DROP errors in the logs. I can confirm that IPv6 is working on the ISP by hooking up a Windows box to the cable modem (only problem there is the ISP doesn't have an IPv6 DNS server, but otherwise all is well).
But, try as I have tweaking the network/interfaces and shorewall/shorewall6 configurations and even attempting to add routes directly to the tables, I can't seem to get any traffic to move. I have a DHCP-issued IPv6 address from the ISP, but running 'ip -6 route' shows no default routes. I do have default routes on IPv4, and disabling IPv6 on my clients does result in successful IPv4 connections and data transmission. But, IPv6 remains unreachable for some mysterious reason.
Attempted to get some support from the ISP, but they are just following script as usual.
Yes, so many support departments do tend to do that.

The starting point is that you don't need Shorewall (or rather, Shorewall6) to do IPv6. So start without Shorewall - but bear in mind that you will be rather exposed between getting IPv6 working and setting up the firewall.

Starting from the basics, which ISP is it - someone may know how they manage stuff? Failing that, how are they handing out the IPv6 information - DHCPv6, PPP, something else? Does this ISP have any support forums where you could ask - if there are any power users in there then they are the most likely to know just how to do it with that ISP?


------------------------------------------------------------------------------
Steven Kiehl
2016-09-20 02:50:18 UTC
Permalink
Thanks for the response, Simon. Like everyone else in the world, it's Time
Warner service. It's all negotiated over DHCP/DHCPv6. Do I need to unblock
something for RA services perhaps? I found that I can get things working
by taking the steps of hooking a Windows machine up first, grabbing the
default IPv6 gateway. Tried asking TWC support about all this and they
blamed my modem, saying "your modem is showing an IPv6 address" "talk to
your modem manufacturer." Worst answer I've ever received from them ever.

So I added that address as a hard-coded gateway in the shorewall/providers
configuration. I basically followed the multi-isp directions and skipped
the multi part of it. Seems functional, for now.

So, I can get to ipv6.google.com and most of the tests seem to work right,
but it's not ideal. I don't want to have to re-determine the gateway
address every time it magically changes. I haven't learned of any way to
pull it down through any sort of console command. At least I can say I've
got it 90% of the way there. And TWC still has no IPv6-only DNS either,
all delivered over IPv4.

So I've got everything working except automatic detection of the default
gateway. Using "DETECT" in the providers throws an error about not being
able to find the default gateway, even though it's DHCP. By adding the
default gateway address, it does list an additional route to 'ip -6 route'
for the external interface.

I'll keep searching around for an automated solution, but for now adding a
provider like the following seems to work:

TWC 1 1 - enp1s0f0 $IPV6_GATEWAY track
------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Simon Hobson
2016-09-20 09:58:43 UTC
Permalink
Thanks for the response, Simon. Like everyone else in the world, it's Time Warner service. It's all negotiated over DHCP/DHCPv6. Do I need to unblock something for RA services perhaps?
Yes, you will need to be able to receive RAs in order to get your gateway. The design of IPv6 has some significant differences from IPv4 and this is one of them - DHCP does not provide router information in IPv6.
The reason I've read is that in large organisations, DHCP and routing are managed by different groups - therefore it's easier to have the routing group take care of advertising routes, and not have to have the interaction between them and the DHCP group any time the routers change. Personally I think this is a bit bogus, and I don't like the fact that it pushes routing decisions down to the individual devices rather than managing them at the router level.

Anyway, the Router Advertisements provide information on the routers available, what destinations they can reach, what prefixes are on this link, and what prefixes are considered "local" - they also indicate if the link is "managed" which is an indication for the client to attempt DHCP rather than autoconfiguration. Assuming the ISP kit is providing them, and you are receiving them, then routing setup should be automagic.
I found that I can get things working by taking the steps of hooking a Windows machine up first, grabbing the default IPv6 gateway.
That's a reasonable way to do it for initial testing.
Tried asking TWC support about all this and they blamed my modem, saying "your modem is showing an IPv6 address" "talk to your modem manufacturer." Worst answer I've ever received from them ever.
I really am not surprised.
So I added that address as a hard-coded gateway in the shorewall/providers configuration. I basically followed the multi-isp directions and skipped the multi part of it.
That's a lot of work/complication for what is a very simple task!
Assuming you have the ip tools installed (which should be the default on any modern distro) then you just need to "ip route add ..." to install a route.
As I said, Shorewall isn't needed at all to get the IPv6 working - but it is needed as soon as you do get it working. It's often best to get the network working without the firewall as it removes the "is it the network or the firewall that's blocking stuff" problem - at a time when you have a lot of variables to get sorted before it all works.
I don't want to have to re-determine the gateway address every time it magically changes. I haven't learned of any way to pull it down through any sort of console command.
AFAIK, receiving RAs is the only way to do it.
BTW - as well as not blocking RAs, there are a number of ICMP6 packets that you must not block or it breaks several IPv6 basic/mandatory features (such as path-MTU detection).
And TWC still has no IPv6-only DNS either, all delivered over IPv4.
That doesn't really matter, as long as they actually resolve AAAA queries.


I've had a quick search for '"time warner" ipv6 linux' and it's thrown up a few interesting looking articles. In particular, this one http://www.kloepfer.org/ipv6-homenet.html caught my eye - it raises some valid points.

Lastly, what DHCP client are you using? When I tested native IPv6 through a trial my ISP (Plusnet in the UK) ran, I used Dibbler - I can't remember if there was a reason for not using the ISC DHCP6 client but I assume there was. In this case, using the DHCP client was only for "triggering" the ISP stuff (i.e. getting the ISP kit to route the traffic) as the assignments were all static.
I think having a dynamic prefix will be "interesting" and the preponderance of people on the standards bodies that defined IPv6 being used to "big networks and static assignments" shows. Personally I think this is a valid use case for prefix translation (multiple providers is another) and with the right standardisation could be done without the pitfalls of NAPT as used in IPv4.


------------------------------------------------------------------------------
Tom Eastep
2016-09-21 22:16:10 UTC
Permalink
Post by Steven Kiehl
So I adding that address as a hard-coded gateway in the
shorewall/providers configuration. I basically followed the
multi-isp directions and skipped the multi part of it. Seems
functional, for now.
So, I can get to ipv6.google.com <http://ipv6.google.com> and most
of the tests seem to work right, but it's not ideal. I don't want
to have to re-determine the gateway address every time it magically
changes. I haven't learned of any way to pull it down through any
sort of console command. At least I can say I've got it 90% of the
way there. And TWC still has no IPv6-only DNS either, all
delivered over IPv4.
So I've got everything working except automatic detection of the
default gateway. Using "DETECT" in the providers throws an error
about not being able to find the default gateway, even though it's
DHCP. By adding the default gateway address, it does list an
additional route to 'ip -6 route' for the external interface.
I'll keep searching around for an automated solution, but for now
TWC 1 1 - enp1s0f0 $IPV6_GATEWAY track
You can keep using that approach, only set IPV6_GATEWAY to the
link-local address of the router; that won't change, even if the
delegated subnet does.


- -Tom
- --
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
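Simon's point that the IPv6 gateway only ever arrives via Router Advertisements, and Tom's that the router's link-local address is the stable thing to pin, both reduce to a couple of checks on the firewall box itself. The POSIX shell script below is an added example, not code from the thread or from the Shorewall project. The interface name enp1s0f0 is taken from Steve's provider line; the route lines and sysctl values are constructed samples. It goes one step beyond the thread: it encodes the Linux rule that a forwarding interface ignores RAs unless accept_ra is 2, which is the first thing to verify on a two-interface firewall, since forwarding is on by definition there.

```shell
#!/bin/sh
# Added example, not from the thread: checks for a Linux IPv6 firewall/router
# whose default route should arrive via Router Advertisements.
# Interface name and all sample data below are constructed assumptions.

# ra_accepted FORWARDING ACCEPT_RA
# Returns 0 when the kernel will process Router Advertisements on an
# interface with the given net.ipv6.conf.<if>.forwarding and
# net.ipv6.conf.<if>.accept_ra values. Linux semantics: accept_ra=0 never,
# accept_ra=1 only while forwarding is off, accept_ra=2 always. A two-interface
# firewall forwards, so accept_ra=1 on the outside interface silently
# discards the RAs that carry the default gateway.
ra_accepted() {
  case "$2" in
    2) return 0 ;;
    1) [ "$1" = "0" ] ;;
    *) return 1 ;;
  esac
}

# ra_sysctl_fix IFACE FORWARDING ACCEPT_RA
# Prints the sysctl command that would make RAs usable on IFACE, or nothing
# when the current values already work.
ra_sysctl_fix() {
  if ra_accepted "$2" "$3"; then
    return 0
  fi
  printf 'sysctl -w net.ipv6.conf.%s.accept_ra=2\n' "$1"
}

# is_link_local ADDR : 0 when ADDR is in fe80::/10 (fe80 through febf)
is_link_local() {
  case "$1" in
    [fF][eE][89aAbB]*) return 0 ;;
    *) return 1 ;;
  esac
}

# default_gateway : reads `ip -6 route show default` output on stdin and
# prints the first gateway address; exit status 1 when no default route exists.
default_gateway() {
  awk '$1 == "default" {
         for (i = 1; i < NF; i++) if ($i == "via") { print $(i+1); found = 1; exit }
       }
       END { exit found ? 0 : 1 }'
}

# gateway_is_stable : 0 when stdin holds a default route whose gateway is
# link-local (it survives a change of delegated prefix), 1 otherwise.
gateway_is_stable() {
  gw=$(default_gateway) || return 1
  is_link_local "$gw"
}

# --- constructed sample data, shaped like the real command output ---
SAMPLE_RA_ROUTE='default via fe80::1 dev enp1s0f0 proto ra metric 1024 expires 1795sec hoplimit 64 pref medium'
SAMPLE_STATIC_ROUTE='default via 2001:db8:1::1 dev enp1s0f0 metric 1024 pref medium'
SAMPLE_NO_ROUTE=''

# Live check against the running kernel; only runs when invoked as
#   sh ipv6_ra_check.sh --live enp1s0f0
if [ "${1:-}" = "--live" ]; then
  ifc=${2:?interface name required}
  fwd=$(cat "/proc/sys/net/ipv6/conf/$ifc/forwarding")
  ra=$(cat "/proc/sys/net/ipv6/conf/$ifc/accept_ra")
  echo "$ifc: forwarding=$fwd accept_ra=$ra"
  ra_sysctl_fix "$ifc" "$fwd" "$ra"
  if gw=$(ip -6 route show default | default_gateway); then
    if is_link_local "$gw"; then
      echo "default gateway $gw (link-local, stable across prefix changes)"
    else
      echo "default gateway $gw (global address, may change with the prefix)"
    fi
  else
    echo "no IPv6 default route installed"
  fi
fi
```

Run it with `--live enp1s0f0` on the firewall to compare the kernel's actual sysctl values and routing table against these expectations; without arguments it only defines the functions and the sample data. Shorewall6's interfaces file also exposes this setting as the `accept_ra` interface option, so once the right value is known it can be kept with the rest of the firewall configuration rather than in a separate sysctl snippet.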