I had a look at RFC 4890, since that's what gave me trouble, but it looks OK.
My next suspicion is that the router is doing something smart on its own and
dynamically opening / closing the firewall. Does anything relevant show up
in the router's logs?

What I'd also do in your place is look with tcpdump or wireshark at the
v6 traffic on both of the router's interfaces in both situations, to see
what changes (pay attention to icmpv6 too, not just tcp). But from what I
understand, the problem is that ip forwarding gets reset to 0 by $something.

On Tue, 31 Dec 2019, 18:09 Mihai Osian, <[email protected]> wrote:

>    I said it "seems OK". It looks like this:
>
> ASUSWRT-Merlin RT-AC68U 384.14-0 Sat Dec 14 00:39:28 UTC 2019
> admin@RT-AC68U-68A8:/tmp/home/root# ip6tables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all      anywhere             anywhere state RELATED,ESTABLISHED
> ACCEPT     all      anywhere             anywhere state NEW
> ACCEPT     all      anywhere             anywhere state NEW
> DROP       all      anywhere             anywhere state INVALID
> ACCEPT     ipv6-nonxt    anywhere             anywhere length 40
> ACCEPT     all      anywhere             anywhere
> ACCEPT     all      anywhere             anywhere
> ACCEPT     udp      anywhere             anywhere             udp spt:547 dpt:546
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp destination-unreachable
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp packet-too-big
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp time-exceeded
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp parameter-problem
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp echo-request
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp echo-reply
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 130
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 131
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 132
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp router-solicitation
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp router-advertisement
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp neighbour-solicitation
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp neighbour-advertisement
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 141
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 142
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 143
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 148
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 149
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 151
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 152
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 153
> DROP       all      anywhere             anywhere
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     all      anywhere             anywhere state RELATED,ESTABLISHED
> ACCEPT     all      anywhere             anywhere
> ACCEPT     all      anywhere             anywhere
> DROP       all      anywhere             anywhere state INVALID
> ACCEPT     ipv6-nonxt    anywhere             anywhere length 40
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp destination-unreachable
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp packet-too-big
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp time-exceeded
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp parameter-problem
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp echo-request
> ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp echo-reply
> ACCEPT     tcp      anywhere 2a02:1807:<cenzurat>:<cenzurat>::3/128 state NEW tcp dpt:www
> ACCEPT     tcp      anywhere 2a02:1807:<cenzurat>:<cenzurat>::3/128 state NEW tcp dpt:https
> DROP       all      anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain NSFW (0 references)
> target     prot opt source               destination
> RETURN     all      anywhere             anywhere
>
> Chain PControls (0 references)
> target     prot opt source               destination
> ACCEPT     all      anywhere             anywhere
>
> Chain UPNP (0 references)
> target     prot opt source               destination
>
> Chain logaccept (0 references)
> target     prot opt source               destination
> LOG        all      anywhere             anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
> ACCEPT     all      anywhere             anywhere
>
> Chain logdrop (0 references)
> target     prot opt source               destination
> LOG        all      anywhere             anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
> DROP       all      anywhere             anywhere
> admin@RT-AC68U-68A8:/tmp/home/root#
>
> On 12/31/19 4:52 PM, Petru Rațiu wrote:
> > You didn't say anything about ip6tables...
> >
> > On Tue, 31 Dec 2019, 17:15 Mihai Osian, <[email protected]> wrote:
> >
> >>     Hi,
> >>
> >>     I have a home server that I want to make visible over IPv6 (on
> >> account of too much free time over the holidays). The server sits behind
> >> an Asus RT-AC68U router running Asuswrt-Merlin firmware. I configured
> >> both the router and the server as best I could, the result being
> >> something like this (copy-paste of what the router reports):
> >>
> >>      IPv6 Connection Type: Native with DHCP-PD
> >>      *WAN IPv6 Address: 2a02:181f:zzz:d0b3*
> >>      WAN IPv6 Gateway: fe80::217:10ff:fe87:a589
> >>      *LAN IPv6 Address: 2a02:1807:xxx:yyy::1/56*
> >>      LAN IPv6 link-local Address: fe80::e23f:49ff:fe24:68a8/64
> >>      DHCP-PD: Enabled
> >>      *LAN IPv6 Prefix: 2a02:1807:xxx:yyy::/56*
> >>
> >> The 2a02:1807:xxx:yyy::/56 part is obtained via DHCP6 and matches what
> >> the ISP told me is my static IPv6 address.
> >>
> >> The server itself is a virtual machine (bsd jail) running on FreeBSD
> >> and is configured statically:
> >>
> >>      root@erebus:/ # ifconfig
> >>      lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> >>      options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
> >>               inet6 ::1 prefixlen 128
> >>               inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
> >>               inet 127.0.0.1 netmask 0xff000000
> >>               nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> >>               groups: lo
> >>      epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> >>               options=8<VLAN_MTU>
> >>               ether 08:62:66:2d:5e:24
> >>               hwaddr 02:9d:d0:00:09:0b
> >>               inet 192.168.0.3 netmask 0xffffff00 broadcast 192.168.0.255
> >>      *        inet6 2a02:1807:xxx:yyy::3 prefixlen 56*
> >>               nd6 options=1<PERFORMNUD>
> >>               media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
> >>               status: active
> >>               groups: epair
> >>
> >> The trouble is that the router doesn't seem to forward packets coming
> >> from the outside. Using http://nl.traceroute6.net, ping6 tells me this:
> >>
> >>      2a02:1807:xxx:yyy::3(2a02:1807:xxx:yyy::3) 56 data bytes
> >>       From *2a02:181f:zzz:d0b3* icmp_seq=2 Destination unreachable: Address unreachable
> >>       From *2a02:181f:zzz:d0b3* icmp_seq=3 Destination unreachable: Address unreachable
> >>       From *2a02:181f:zzz:d0b3* icmp_seq=5 Destination unreachable: Address unreachable
> >>
> >>      --- 2a02:1807:xxx:yyy::3 ping statistics ---
> >>      5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4000ms
> >>
> >> The address 2a02:181f:zzz:d0b3 is the router itself (the external IP).
> >> I can successfully ping6 from the router to the server, from my
> >> workstation to the server, and from the server to any internal/external
> >> ipv6 address, but not from the outside to the server. So it seems to be
> >> something related to forwarding. The router has an ipv6 firewall which I
> >> inspected both from the GUI and from the command line (ip6tables) and it
> >> seems OK - it has forwarding to my server's ipv6 address.
> >>
> >>
> >> What really puzzles me is the following:
> >>
> >> 1. I connect to the router and ping6 my server from the command line:
> >>
> >>      admin@RT-AC68U-68A8:/proc/sys/net/ipv6/conf# ping6 2a02:1807:xxx:yyy::3
> >>      PING 2a02:1807:xxx:yyy::3 (2a02:1807:xxx:yyy::3): 56 data bytes
> >>      64 bytes from 2a02:1807:xxx:yyy::3: seq=0 ttl=64 time=5.275 ms
> >>      64 bytes from 2a02:1807:xxx:yyy::3: seq=1 ttl=64 time=0.472 ms
> >>
> >> 2. I stop ping6 on the router
> >>
> >> 3. within a few seconds, I go to http://nl.traceroute6.net, ping6 my
> >> server, and it works:
> >>
> >>      PING 2a02:1807:xxx:yyy::3(2a02:1807:xxx:yyy::3) 56 data bytes
> >>
> >>      64 bytes from 2a02:1807:xxx:yyy::3: icmp_seq=1 ttl=53 time=20.5 ms
> >>      64 bytes from 2a02:1807:xxx:yyy::3: icmp_seq=2 ttl=54 time=20.9 ms
> >>      64 bytes from 2a02:1807:xxx:yyy::3: icmp_seq=3 ttl=54 time=21.7 ms
> >>
> >>
> >> I also checked with other online tools, and ports 80 and 443
> >> (http/https) are accessible as well.
> >>
> >> 4. However, neither ping6 nor http works for long - within 10 seconds
> >> the situation reverts to "Destination unreachable: Address unreachable".
> >>
> >>
> >> I inspected /proc/sys/net/ipv6/conf/*/forwarding on the router and all
> >> interfaces have forwarding set to 1, except the WAN interface, which is
> >> at 0. If I set it to 1:
> >>
> >>       admin@RT-AC68U-68A8:/proc/sys/net/ipv6/conf# echo 1 > ./eth0/forwarding
> >>
> >> then http://nl.traceroute6.net says, briefly:
> >>
> >>      PING 2a02:1807:xxx:yyy::3(2a02:1807:xxx:yyy::3) 56 data bytes
> >>
> >>      --- 2a02:1807:xxx:yyy::3 ping statistics ---
> >>      5 packets transmitted, 0 received, 100% packet loss, time 4000ms
> >>
> >>
> >> I'm no good at IPv6. Can anyone give me a hint as to what I've
> >> misconfigured? The router is an embedded Linux, so I can check all the
> >> settings from the command line.
> >>
> >> Thanks,
> >> Mihai
> >>
> >> _______________________________________________
> >> RLUG mailing list
> >> [email protected]
> >> http://lists.lug.ro/mailman/listinfo/rlug_lists.lug.ro
> >>
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug_lists.lug.ro
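
The check suggested in the reply (is something resetting IPv6 forwarding?), as an added example that is not part of the original thread: a POSIX sh watcher that timestamps every change to the per-interface forwarding flags under /proc/sys/net/ipv6/conf. The function names and the CONF_DIR override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: log every change to the per-interface IPv6 forwarding flags.
# Usage: sh <this-file> watch [seconds]
# CONF_DIR defaults to the path quoted in the thread; override it for testing.
CONF_DIR="${CONF_DIR:-/proc/sys/net/ipv6/conf}"

# Print one "iface=value" line per interface, sorted for stable comparison.
snapshot_forwarding() {
    dir="${1:-$CONF_DIR}"
    for f in "$dir"/*/forwarding; do
        [ -r "$f" ] || continue
        iface="${f%/forwarding}"; iface="${iface##*/}"
        printf '%s=%s\n' "$iface" "$(cat "$f")"
    done | sort
}

# Compare two snapshots; print "iface old->new" for each flag that differs.
diff_snapshots() {
    old="$1"; new="$2"
    printf '%s\n' "$new" | while IFS='=' read -r iface val; do
        [ -n "$iface" ] || continue
        prev=$(printf '%s\n' "$old" | awk -F= -v k="$iface" '$1 == k { print $2 }')
        [ "$prev" = "$val" ] || printf '%s %s->%s\n' "$iface" "${prev:-absent}" "$val"
    done
}

# Poll at a fixed interval and timestamp each change, so a reset of a flag
# can be lined up with the moment outside pings start or stop working.
watch_forwarding() {
    interval="${1:-1}"
    last=$(snapshot_forwarding)
    printf '%s initial\n%s\n' "$(date '+%H:%M:%S')" "$last"
    while sleep "$interval"; do
        cur=$(snapshot_forwarding)
        changes=$(diff_snapshots "$last" "$cur")
        [ -z "$changes" ] || printf '%s %s\n' "$(date '+%H:%M:%S')" "$changes"
        last=$cur
    done
}

# Start polling only when invoked with the argument "watch".
if [ "${1:-}" = "watch" ]; then
    watch_forwarding "${2:-1}"
fi
```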