On Thursday 19 July 2007 13:45, Mike Williams wrote:

> I can add dead:beef:2::11/64 (yes, /64) to the internet side of
> router/firewall, a default route via dead:beef:2::1 and then happily
> ping ipv6 things on the internet.

Ok, so your ipv6 link to your provider (and to the ipv6 Internet) is 
working.

> Starting on one of the "internal" networks I add
> dead:beef:2:136::11/64, run radvd on that interface, and the hosts on
> that network get v6 addresses. All of them can ping the firewall, but
> cannot ping our ISPs router.

Ok, just some shots in the dark:

- Do the hosts also get the default router, along with the ipv6 address? 
You can check with "ip -6 route". You should get, among the others, a 
default route pointing to the ipv6 link local (fe80:) address of the 
router's interface on the link.

- Also, although I don't think this is the source of your problems, every 
internal router interface should recognize (and be configured to use) 
the "subnet router anycast address" for that subnet, that is, usually, 
the plain /64 subnet address (e.g., dead:beef:2:136::/64). This anycast 
address has to be manually configured on the interface ("ip addr add 
dead:beef:2:136::/64 dev bond2").
Is this the address that internal hosts are able to ping on the firewall, 
or did you assign another, or are you referring to the link local 
address?

- Are you using native ipv6 connectivity with your provider or through a 
(SIT/6to4) tunnel? This is important because it affects the MTU of the 
Internet-facing interface.

Seeing the actual radvd.conf file could help better here.

> sendmsg: Invalid argument ??
> It's the same definition as for bond2 (136), with the interface and
> prefix changed. Does the same with or without any other definitions.
> All but bond2 fail, but I've no idea what's so special about bond2.
> The machine is amd64, and using radvd-1.0-r1.

Are these bondX regular single ethernet interfaces or are they of some 
other kind?

> Anyway, I can add one or two addresses manually. I do so using
> iproute2 and CIDR notation, so the local route is added for me, and
> hosts on the 137 network can ping each other, and hosts on the 136
> network after I give them a default route via the v6 address on the
> firewall interface on their network, so the firewall is properly
> forwarding traffic. 

Ok, it seems forwarding is enabled then. Are you giving default routes 
pointing to global addresses? You should try using link-local addresses 
instead.

> However, none of the hosts on the "internal" networks can ping any of
> the hosts the firewall can ping.
> I caught the following traffic with tcpdump on the firewall:
>
> # tcpdump -i bond2 ip6
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bond2, link-type EN10MB (Ethernet), capture size 96 bytes
> 12:24:02.204882 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 1, length 64
> 12:24:03.208737 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 2, length 64
>
> # tcpdump -i bond0 ip6
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes
> 12:24:02.205409 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 1, length 64
> 12:24:02.516433 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32
> 12:24:03.208748 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 2, length 64
> 12:24:03.517294 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32
> 12:24:04.517504 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32

IIUC, icmpv6 echo request packets enter the router/firewall from the 
bond2 interface, and leave the box using the bond0 interface (confirming 
that forwarding works). But, the router/firewall is trying to get the 
link-layer address of the interface whose ipv6 global address is 
dead:beef:2:136:204:23ff:fed7:e86a (thus an internal host), but for some 
reason it sends these neighbor solicitation messages out of the Internet 
interface. Not surprisingly, it gets no answers.

> The firewall has no netfilter rules at all, everything is default
> accept.

Are the internal hosts using ip6tables? They might be blocking icmpv6 
messages.

> Am I just doing something stupid, or have I asked our host to set it
> up wrong? Would really like to know what radvd is up to too...

Try posting more config info (radvd), debug info (ip -6 route and ip -6 
neigh on the internal hosts and on the router) and the scripts (if any) 
you use to handle the connection (Internet side and internal side).
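The two checks the reply asks for (does each internal host hold a default route via the router's link-local address, and why are neighbor solicitations for an internal host leaving the Internet-facing interface) can be scripted against the command output rather than read by eye. The following is an added example, not code from either poster: it parses `ip -6 route` text and the tcpdump lines quoted in the thread. The interface-to-prefix map, the host route samples and the interface name eth0 are constructed assumptions for illustration; the addresses and interface names bond0/bond2 are the ones from the thread.

```python
import ipaddress
import re

# Constructed sample of `ip -6 route` on an internal host (not from the thread):
# the prefix route learned from radvd plus a default route via the router's
# link-local address, which is what a correctly RA-configured host shows.
GOOD_HOST_ROUTES = """\
dead:beef:2:136::/64 dev eth0  proto kernel  metric 256  expires 86388sec
fe80::/64 dev eth0  proto kernel  metric 256
default via fe80::204:23ff:fe00:1 dev eth0  proto ra  metric 1024  expires 1788sec
"""

# Constructed sample of the manual setup the thread describes: a default route
# pointing at the firewall's global address on the internal link.
GLOBAL_GW_HOST_ROUTES = """\
dead:beef:2:136::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256
default via dead:beef:2:136::11 dev eth0  metric 1024
"""


def parse_routes(text):
    """Parse `ip -6 route` lines into dicts with dst / via / dev keys."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        route = {"dst": tokens[0], "via": None, "dev": None}
        for i, tok in enumerate(tokens[:-1]):
            if tok == "via":
                route["via"] = tokens[i + 1]
            elif tok == "dev":
                route["dev"] = tokens[i + 1]
        routes.append(route)
    return routes


def check_default_route(text):
    """Return (ok, reason). The host needs a default route whose gateway is a
    link-local (fe80::/10) address, which is how router advertisements install it."""
    defaults = [r for r in parse_routes(text) if r["dst"] in ("default", "::/0")]
    if not defaults:
        return False, "no default route: the host is not seeing router advertisements"
    for r in defaults:
        if r["via"] is None:
            return False, "default route has no gateway"
        gw = ipaddress.IPv6Address(r["via"].split("%")[0])  # drop any %scope suffix
        if not gw.is_link_local:
            return False, f"default gateway {gw} is global; use the router's link-local address"
    return True, "default route via link-local gateway present"


# tcpdump lines as quoted in the thread, tagged with the interface each was captured on.
CAPTURE = [
    ("bond2", "12:24:02.204882 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 1, length 64"),
    ("bond0", "12:24:02.205409 IP6 dead:beef:2:136:204:23ff:fed7:e86a > beef:dead:1f0:1:20f:3dff:feae:74c1: ICMP6, echo request, seq 1, length 64"),
    ("bond0", "12:24:02.516433 IP6 fe80::214:f600:b67e:b4db > ff02::1:ffd7:e86a: ICMP6, neighbor solicitation, who has dead:beef:2:136:204:23ff:fed7:e86a, length 32"),
]

# Assumed mapping of the router's interfaces to the /64s named in the thread.
IFACE_PREFIXES = {
    "bond0": ipaddress.IPv6Network("dead:beef:2::/64"),
    "bond2": ipaddress.IPv6Network("dead:beef:2:136::/64"),
}

NS_RE = re.compile(r"IP6 (\S+) > (\S+): ICMP6, neighbor solicitation, who has (\S+),")


def misdirected_solicitations(capture, iface_prefixes):
    """Flag neighbor solicitations sent out an interface that does not own the
    target's prefix. Returns a list of (captured_iface, target, owning_iface)."""
    findings = []
    for iface, line in capture:
        m = NS_RE.search(line)
        if not m:
            continue
        target = ipaddress.IPv6Address(m.group(3))
        owners = [i for i, net in iface_prefixes.items() if target in net]
        if owners and iface not in owners:
            findings.append((iface, str(target), owners[0]))
    return findings


if __name__ == "__main__":
    print(check_default_route(GOOD_HOST_ROUTES))
    print(check_default_route(GLOBAL_GW_HOST_ROUTES))
    for iface, target, owner in misdirected_solicitations(CAPTURE, IFACE_PREFIXES):
        print(f"NS for {target} seen on {iface}, but that prefix belongs to {owner}: "
              f"check the router's route for that /64")
```

On a real box, feed `check_default_route` the output of `ip -6 route` from an internal host and `misdirected_solicitations` a few tagged tcpdump lines from each router interface; a solicitation for an internal address going out bond0 is exactly the symptom the reply singles out.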