On 6/5/20 3:12 PM, PGNet Dev wrote:
> On 6/2/20 9:24 PM, Tom Eastep wrote:
>> I know nothing about Wireguard, but this article seems relevant (note
>> the 'Required key not available'):
>>
>> https://bbs.archlinux.org/viewtopic.php?id=232754
>
> good hint!
>
> adding @local,
>
> /etc/wireguard/wg0
>
> + AllowedIPs = 2000::/3
>
> *AND* @remote,
>
> /etc/wireguard/wg0
>
> + PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> + PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
>

That rule will be wiped out the next time you 'shorewall6 reload' or
'shorewall6 restart'.

> does the trick -- without the 'active participation' of SW on either end; the
> 'ip6tables' _could_ be added to SW config ..

The fact that you had to add the rule to eth0 suggests that your IPv6 traffic
is being routed out of that interface rather than out of wg0.

> ping6 from @local -> 'net, now works,
>
> ping6 -c1 google.com
> PING google.com(sfo03s18-in-x0e.1e100.net (2607:f8b0:4005:80b::200e)) 56 data bytes
> 64 bytes from sfo03s18-in-x0e.1e100.net (2607:f8b0:4005:80b::200e): icmp_seq=1 ttl=57 time=27.8 ms
>
> --- google.com ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> rtt min/avg/max/mdev = 27.774/27.774/27.774/0.000 ms
>
> what does _not_ yet is same from any IPv6 boxes on the LAN _behind_ @local
>
> LAN -> @local is ok,
>
> ping6 -c1 fd80:16:8::100
> PING fd80:16:8::100(fd80:16:8::100) 56 data bytes
> 64 bytes from fd80:16:8::100: icmp_seq=1 ttl=64 time=0.551 ms
>
> --- fd80:16:8::100 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> rtt min/avg/max/mdev = 0.551/0.551/0.551/0.000 ms
>
> but not even so far as LAN -> @remote
>
> ping6 -c1 fd80:16:7::100
> PING fd80:16:7::100(fd80:16:7::100) 56 data bytes
> From fd80:16:8::73 icmp_seq=1 Destination unreachable: Address unreachable
>
> --- fd80:16:7::100 ping statistics ---
> 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
>
> need to start @ my previous OpenVPN configs to see if that is wg-config as
> well, or best within SW.
>

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster
Shoreline,         \     with an international standard?
Washington, USA     \  A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                      \________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
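Putting the masquerade rule under Shorewall6's own control, so that it survives 'shorewall6 reload' instead of being flushed with the rest of the nat table. This is an added example and is not part of the thread above or of the Shorewall project's documentation. It assumes Shorewall 5.x on @remote (which uses the snat file rather than the older masq file), that eth0 is @remote's Internet-facing interface as in the PostUp line quoted above, that traffic from @local and its LAN (fd80:16:8::/64) arrives at @remote over wg0, and that ip6tables NAT is available in the kernel. The zone names net and vpn are chosen for the example.

```text
# --- What the thread put into /etc/wireguard/wg0 on @remote (weak: outside
#     Shorewall's ruleset, flushed on 'shorewall6 reload'/'restart') ---
# PostUp   = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# --- Shorewall6 equivalent on @remote; remove the PostUp/PostDown lines once
#     these are in place so the rule is not added a second time outside SW ---

# /etc/shorewall6/zones
#ZONE   TYPE
fw      firewall
net     ipv6
vpn     ipv6            # example zone name for the WireGuard tunnel (assumption)

# /etc/shorewall6/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags
vpn     wg0

# /etc/shorewall6/policy
#SOURCE DEST    POLICY  LOG_LEVEL
vpn     net     ACCEPT          # let tunnel traffic out to the Internet
$FW     all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall6/snat
# Same effect as the PostUp rule: masquerade whatever arrives over wg0 when it
# leaves eth0. SOURCE may be an interface or a prefix; fd80:16:8::/64 in place
# of wg0 would limit masquerading to the LAN behind @local.
#ACTION      SOURCE   DEST
MASQUERADE   wg0      eth0
```

After 'shorewall6 check' and 'shorewall6 reload', 'ip6tables -t nat -L POSTROUTING -n -v' on @remote should show the MASQUERADE rule with hit counters climbing while @local pings the Internet. For Tom's second observation, 'ip -6 route get fd80:16:7::100' run on @local (and on a LAN host) prints the 'dev' the kernel would actually use for that destination, which shows directly whether the packet is leaving via wg0 or via eth0.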