But just to be safe, I reset all the rules:

admin@RT-AC68U-68A8:/tmp/home/root# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain NSFW (0 references)
target     prot opt source               destination

Chain PControls (0 references)
target     prot opt source               destination

Chain UPNP (0 references)
target     prot opt source               destination

Chain logaccept (0 references)
target     prot opt source               destination

Chain logdrop (0 references)
target     prot opt source               destination
admin@RT-AC68U-68A8:/tmp/home/root#

The behaviour is the same - http://nl.traceroute6.net/ tells me "Destination unreachable". If I ping6 from the router to the server (and stop it immediately), a window of about 10-15 seconds opens in which the ping from outside reaches the server.

Mihai

On 12/31/19 5:05 PM, Mihai Osian wrote:
I said it "looks OK". It looks like this:

ASUSWRT-Merlin RT-AC68U 384.14-0 Sat Dec 14 00:39:28 UTC 2019
admin@RT-AC68U-68A8:/tmp/home/root# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all      anywhere             anywhere             state NEW
ACCEPT     all      anywhere             anywhere             state NEW
DROP       all      anywhere             anywhere             state INVALID
ACCEPT     ipv6-nonxt    anywhere        anywhere             length 40
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere
ACCEPT     udp      anywhere             anywhere             udp spt:547 dpt:546
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmp parameter-problem
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmp echo-request
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmp echo-reply
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmptype 130
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmptype 131
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmptype 132
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmp router-solicitation
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmp router-advertisement
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmp neighbour-solicitation
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmp neighbour-advertisement
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmptype 141
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmptype 142
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmptype 143
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmptype 148
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmptype 149
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmptype 151
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmptype 152
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmptype 153
DROP       all      anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere
DROP       all      anywhere             anywhere             state INVALID
ACCEPT     ipv6-nonxt    anywhere        anywhere             length 40
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmp parameter-problem
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmp echo-request
ACCEPT     ipv6-icmp    anywhere         anywhere             ipv6-icmp echo-reply
ACCEPT     tcp      anywhere             2a02:1807:<cenzurat>:<cenzurat>::3/128  state NEW tcp dpt:www
ACCEPT     tcp      anywhere             2a02:1807:<cenzurat>:<cenzurat>::3/128  state NEW tcp dpt:https
DROP       all      anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain NSFW (0 references)
target     prot opt source               destination
RETURN     all      anywhere             anywhere

Chain PControls (0 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere

Chain UPNP (0 references)
target     prot opt source               destination

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all      anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT     all      anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all      anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP       all      anywhere             anywhere
admin@RT-AC68U-68A8:/tmp/home/root#

On 12/31/19 4:52 PM, Petru Rațiu wrote:
You didn't say anything about ip6tables...

On Tue, 31 Dec 2019, 17:15 Mihai Osian, <[email protected]> wrote:
Hi,

I have a home server that I want to make visible over IPv6 (for reasons of too much free time over the holidays). The server sits behind an Asus RT-AC68U router with Asuswrt-Merlin firmware.

I configured both the router and the server as best I could, the result being something like this (copy-paste from what the router reports):

IPv6 Connection Type: Native with DHCP-PD
*WAN IPv6 Address: 2a02:181f:zzz:d0b3*
WAN IPv6 Gateway: fe80::217:10ff:fe87:a589
*LAN IPv6 Address: 2a02:1807:xxx:yyy::1/56*
LAN IPv6 link-local Address: fe80::e23f:49ff:fe24:68a8/64
DHCP-PD: Enabled
*LAN IPv6 Prefix: 2a02:1807:xxx:yyy::/56*

The 2a02:1807:xxx:yyy::/56 part is obtained via DHCP6 and matches what the ISP told me my static IPv6 address would be.

The server itself is a virtual machine (bsd jail) running on FreeBSD and is configured statically:

root@erebus:/ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 08:62:66:2d:5e:24
        hwaddr 02:9d:d0:00:09:0b
        inet 192.168.0.3 netmask 0xffffff00 broadcast 192.168.0.255
        *inet6 2a02:1807:xxx:yyy::3 prefixlen 56*
        nd6 options=1<PERFORMNUD>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        groups: epair

The trouble is that the router does not seem to forward packets coming from outside. Using http://nl.traceroute6.net, ping6 tells me this:

2a02:1807:xxx:yyy::3(2a02:1807:xxx:yyy::3) 56 data bytes
From *2a02:181f:zzz:d0b3* icmp_seq=2 Destination unreachable: Address unreachable
From *2a02:181f:zzz:d0b3* icmp_seq=3 Destination unreachable: Address unreachable
From *2a02:181f:zzz:d0b3* icmp_seq=5 Destination unreachable: Address unreachable
--- 2a02:1807:xxx:yyy::3 ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4000ms

The address 2a02:181f:zzz:d0b3 is the router itself (the external IP).

I can ping6 successfully from the router to the server, from my workstation to the server, and from the server to any internal/external IPv6 address, but not from outside to the server. So it seems to be something related to forwarding. The router has an IPv6 firewall, which I inspected both from the GUI and from the command line (ip6tables), and it looks OK - it has forwarding to my server's IPv6 address.

What really puzzles me is the following:

1. I connect to the router and ping6 my server from the command line:

admin@RT-AC68U-68A8:/proc/sys/net/ipv6/conf# ping6 2a02:1807:xxx:yyy::3
PING 2a02:1807:xxx:yyy::3 (2a02:1807:xxx:yyy::3): 56 data bytes
64 bytes from 2a02:1807:xxx:yyy::3: seq=0 ttl=64 time=5.275 ms
64 bytes from 2a02:1807:xxx:yyy::3: seq=1 ttl=64 time=0.472 ms

2. I stop ping6 on the router

3. Within a few seconds, I go to http://nl.traceroute6.net, ping6 my server, and it works:

PING 2a02:1807:xxx:yyy::3(2a02:1807:xxx:yyy::3) 56 data bytes
64 bytes from 2a02:1807:xxx:yyy::3: icmp_seq=1 ttl=53 time=20.5 ms
64 bytes from 2a02:1807:xxx:yyy::3: icmp_seq=2 ttl=54 time=20.9 ms
64 bytes from 2a02:1807:xxx:yyy::3: icmp_seq=3 ttl=54 time=21.7 ms

I also checked with other online tools, and ports 80 and 443 (http/https) are accessible as well.

4. However, neither ping6 nor http works for long - within 10 seconds the situation reverts to "Destination unreachable: Address unreachable".

I inspected /proc/sys/net/ipv6/conf/*/forwarding on the router and all interfaces have forwarding set to 1, except the WAN interface, which is set to 0. If I set it to 1:

admin@RT-AC68U-68A8:/proc/sys/net/ipv6/conf# echo 1 > ./eth0/forwarding

then http://nl.traceroute6.net says just:

PING 2a02:1807:xxx:yyy::3(2a02:1807:xxx:yyy::3) 56 data bytes
--- 2a02:1807:xxx:yyy::3 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4000ms

I'm not skilled in IPv6. Can anyone give me a hint about what I have misconfigured?
The router is an embedded Linux; I can check all the settings from the command line.

Thanks,
Mihai

_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug_lists.lug.ro
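
An added example, not part of the original thread: a Python check over `ip6tables -L` listings like the two above, flagging a flushed FORWARD chain that filters nothing and bare `ACCEPT all anywhere anywhere` rules, which cannot be judged from plain `-L` because it omits interface matches. The sample listings are constructed abbreviations using the documentation address 2001:db8::3, and the parser assumes the empty opt column seen in the thread's output.

```python
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)")

# Constructed samples modelled on the thread's listings (2001:db8::3 is a doc address).
FLUSHED = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
"""
FILTERED = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all      anywhere             anywhere
DROP       all      anywhere             anywhere             state INVALID
ACCEPT     tcp      anywhere             2001:db8::3/128      state NEW tcp dpt:www
DROP       all      anywhere             anywhere
"""

def parse_listing(text):
    """Parse `ip6tables -L` text into {chain: {"policy": ..., "rules": [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif current is not None and line and not line.startswith("target"):
            # Assumption: opt column is blank, so the fields are
            # target, prot, source, destination, then optional match text.
            parts = line.split(None, 4)
            if len(parts) >= 4:
                keys = ("target", "prot", "src", "dst", "match")
                current["rules"].append(dict(zip(keys, parts + [""])))
    return chains

def audit_forward(text):
    """Return findings about what the FORWARD chain lets through."""
    fwd = parse_listing(text).get("FORWARD")
    if fwd is None:
        return ["no FORWARD chain in listing"]
    findings = []
    blocks = any(r["target"] in ("DROP", "REJECT") for r in fwd["rules"])
    if fwd["policy"] == "ACCEPT" and not blocks:
        findings.append("FORWARD is default-ACCEPT with no DROP/REJECT: forwarded traffic is unfiltered")
    for i, r in enumerate(fwd["rules"], 1):
        if r["target"] == "ACCEPT" and r["prot"] == "all" and r["src"] == r["dst"] == "anywhere" and not r["match"]:
            findings.append(f"rule {i}: bare ACCEPT; -L hides interface matches, recheck with -L -v")
    return findings
```
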
