I recovered from the New Year shock and dug some more around the problem. I found out that the server's MAC address is kept in the router's ARP cache only for a limited time. Right after the ping the ARP entry shows up as "REACHABLE", within 20 seconds it turns into "STALE", and after 1 minute it disappears completely. Something like:

   admin@RT-AC68U-68A8:/tmp/home/root# ping6 2a02:<cenzurat>::3
   PING 2a02:<cenzurat>::3 (2a02:<cenzurat>::3): 56 data bytes
   64 bytes from 2a02:<cenzurat>::3: seq=0 ttl=64 time=10.386 ms
   64 bytes from 2a02:<cenzurat>::3: seq=1 ttl=64 time=0.385 ms
   64 bytes from 2a02:<cenzurat>::3: seq=2 ttl=64 time=0.414 ms
   ^C
   --- 2a02:<cenzurat>::3 ping statistics ---
   3 packets transmitted, 3 packets received, 0% packet loss
   round-trip min/avg/max = 0.385/3.728/10.386 ms

   admin@RT-AC68U-68A8:/tmp/home/root# watch ip -6 neigh | grep '::3'
   2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
   2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
   2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
   2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
   2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
   2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
   2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
   2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
   2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
   2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
   2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
   2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
   2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
   2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
   [...]
   2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
   2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
   2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
   [~1 minute ==> disappears]
   ^C
   admin@RT-AC68U-68A8:/tmp/home/root#

The solution seems to be a manual entry:

   admin@RT-AC68U-68A8:/tmp/home/root# ip -6 neigh add 2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24
   admin@RT-AC68U-68A8:/tmp/home/root# ip -6 neigh
   2a02:<cenzurat>:3df4 dev br0 lladdr b8:ae:ed:ea:5f:12 STALE
   2a02:<cenzurat>::4 dev br0 lladdr 70:85:c2:59:dc:19 REACHABLE
   2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 *PERMANENT*
   [...]

And my web server is now visible over IPv6. At least until the power goes out or I reboot the router....

Mihai
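
An added example, not part of the original message: a POSIX shell check that reads `ip -6 neigh` output, reports whether a host's entry is pinned, aging or bound to an unexpected MAC, and prints the `ip -6 neigh replace ... nud permanent` command for re-applying the pin after a reboot. The function names, the documentation-prefix addresses and the MACs are constructed for illustration, and an `awk` on the router is assumed.

```shell
#!/bin/sh
# Added example: classify one host from `ip -6 neigh` output read on stdin.
# Prints: pinned | aging:<STATE> | mismatch:<mac seen> | unresolved:<STATE> | missing
neigh_status() {   # usage: neigh_status ADDR EXPECTED_MAC < table
    awk -v addr="$1" -v mac="$2" '
        $1 == addr {
            seen = 1; ll = ""; state = $NF      # the NUD state is the last field
            for (i = 2; i < NF; i++) if ($i == "lladdr") ll = tolower($(i + 1))
            if (ll == "")                  print "unresolved:" state
            else if (ll != tolower(mac))   print "mismatch:" ll
            else if (state == "PERMANENT") print "pinned"
            else                           print "aging:" state
            exit
        }
        END { if (!seen) print "missing" }'
}

# Print (never run) the command that pins the entry. Nothing is printed when the
# entry is already pinned; a MAC mismatch is reported and returns 1 rather than
# being overwritten, since it may mean another host is answering for the address.
pin_command() {   # usage: pin_command ADDR MAC DEV < table
    status=$(neigh_status "$1" "$2")
    case $status in
        pinned)     return 0 ;;
        mismatch:*) echo "# not pinning $1: table shows ${status#mismatch:}"; return 1 ;;
        *)          echo "ip -6 neigh replace $1 lladdr $2 dev $3 nud permanent" ;;
    esac
}

# Constructed sample table (documentation prefix 2001:db8::/32, made-up MACs).
SAMPLE='2001:db8:0:1::4 dev br0 lladdr 02:00:00:00:00:04 REACHABLE
2001:db8:0:1::3 dev br0 lladdr 02:00:00:00:00:03 STALE
2001:db8:0:1::5 dev br0 lladdr 02:00:00:00:00:05 PERMANENT
2001:db8:0:1::6 dev br0 FAILED'

# The STALE entry for ::3 is not pinned yet, so the pin command is printed.
printf '%s\n' "$SAMPLE" | pin_command 2001:db8:0:1::3 02:00:00:00:00:03 br0
```

On a live router the table would come from `ip -6 neigh` itself instead of `$SAMPLE`.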



On 12/31/19 5:41 PM, Petru Rațiu wrote:
I looked at rfc4890, since that's the one I had problems with, but it looks OK.
My next suspicion is that the router is doing something smart on its own and
dynamically opening / closing the firewall. Does anything relevant show up in
the router logs?

What I'd also do in your place is look with tcpdump or wireshark at the v6
traffic on both interfaces of the router in both situations to see what
changes (pay attention to icmpv6 too, not just tcp). But from what I understand
the problem is that ip forwarding is being reset to 0 by $something.

On Tue, 31 Dec 2019, 18:09 Mihai Osian, <mihai.os...@gmail.com> wrote:

    I said it "looks OK". It looks like this:

ASUSWRT-Merlin RT-AC68U 384.14-0 Sat Dec 14 00:39:28 UTC 2019
admin@RT-AC68U-68A8:/tmp/home/root# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere state RELATED,ESTABLISHED
ACCEPT     all      anywhere             anywhere state NEW
ACCEPT     all      anywhere             anywhere state NEW
DROP       all      anywhere             anywhere state INVALID
ACCEPT     ipv6-nonxt    anywhere             anywhere length 40
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere
ACCEPT     udp      anywhere             anywhere             udp spt:547 dpt:546
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp parameter-problem
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp echo-request
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp echo-reply
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 130
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 131
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 132
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp router-solicitation
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp router-advertisement
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp neighbour-solicitation
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp neighbour-advertisement
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 141
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 142
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 143
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 148
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 149
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 151
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 152
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmptype 153
DROP       all      anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere state RELATED,ESTABLISHED
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere
DROP       all      anywhere             anywhere state INVALID
ACCEPT     ipv6-nonxt    anywhere             anywhere length 40
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp parameter-problem
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp echo-request
ACCEPT     ipv6-icmp    anywhere             anywhere ipv6-icmp echo-reply
ACCEPT     tcp      anywhere 2a02:1807:<cenzurat>:<cenzurat>::3/128 state NEW tcp dpt:www
ACCEPT     tcp      anywhere 2a02:1807:<cenzurat>:<cenzurat>::3/128 state NEW tcp dpt:https
DROP       all      anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain NSFW (0 references)
target     prot opt source               destination
RETURN     all      anywhere             anywhere

Chain PControls (0 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere

Chain UPNP (0 references)
target     prot opt source               destination

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all      anywhere             anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT     all      anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all      anywhere             anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP       all      anywhere             anywhere
admin@RT-AC68U-68A8:/tmp/home/root#





On 12/31/19 4:52 PM, Petru Rațiu wrote:
You didn't say anything about ip6tables...

On Tue, 31 Dec 2019, 17:15 Mihai Osian, <mihai.os...@gmail.com> wrote:

     Hi,

     I have a home server that I want to make visible over ipv6 (for reasons
of too much free time over the holidays). The server sits behind an
Asus RT-AC68U router with Asuswrt-Merlin firmware. I configured both the
router and the server as best I could, the result being something like
(copy-paste from what the router reports):

      IPv6 Connection Type: Native with DHCP-PD
      *WAN IPv6 Address: 2a02:181f:zzz:d0b3*
      WAN IPv6 Gateway: fe80::217:10ff:fe87:a589
      *LAN IPv6 Address: 2a02:1807:xxx:yyy::1/56*
      LAN IPv6 link-local Address: fe80::e23f:49ff:fe24:68a8/64
      DHCP-PD: Enabled
      *LAN IPv6 Prefix: 2a02:1807:xxx:yyy::/56*

The 2a02:1807:xxx:yyy::/56 part is obtained via DHCP6 and matches what
the ISP told me my static IPv6 address would be.


The server itself is a virtual machine (bsd jail) running on FreeBSD
and is configured statically:

      root@erebus:/ # ifconfig
      lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
      options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
               inet6 ::1 prefixlen 128
               inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
               inet 127.0.0.1 netmask 0xff000000
               nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
               groups: lo
      epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
               options=8<VLAN_MTU>
               ether 08:62:66:2d:5e:24
               hwaddr 02:9d:d0:00:09:0b
               inet 192.168.0.3 netmask 0xffffff00 broadcast 192.168.0.255
      *        inet6 2a02:1807:xxx:yyy::3 prefixlen 56*
               nd6 options=1<PERFORMNUD>
               media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
               status: active
               groups: epair

The trouble is that the router does not seem to forward packets from
outside. Using http://nl.traceroute6.net, ping6 tells me this:

      2a02:1807:xxx:yyy::3(2a02:1807:xxx:yyy::3) 56 data bytes
       From *2a02:181f:zzz:d0b3* icmp_seq=2 Destination unreachable: Address unreachable
       From *2a02:181f:zzz:d0b3* icmp_seq=3 Destination unreachable: Address unreachable
       From *2a02:181f:zzz:d0b3* icmp_seq=5 Destination unreachable: Address unreachable

      --- 2a02:1807:xxx:yyy::3 ping statistics ---
      5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4000ms

The address 2a02:181f:zzz:d0b3 is the router itself (the external IP). I can
ping6 successfully from the router to the server, from my workstation to the
server, from the server to any internal/external ipv6 address, but not from
outside to the server. So it seems to be something related to forwarding. The
router has an ipv6 firewall which I inspected both from the GUI and from the
command line (ip6tables) and it looks OK - it has forwarding to my server's
ipv6 address.


What really puzzles me is the following:

1. I connect to the router and from the command line run ping6 to my
server:
      admin@RT-AC68U-68A8:/proc/sys/net/ipv6/conf# ping6 2a02:1807:xxx:yyy::3
      PING 2a02:1807:xxx:yyy::3 (2a02:1807:xxx:yyy::3): 56 data bytes
      64 bytes from 2a02:1807:xxx:yyy::3: seq=0 ttl=64 time=5.275 ms
      64 bytes from 2a02:1807:xxx:yyy::3: seq=1 ttl=64 time=0.472 ms

2. I stop ping6 on the router

3. within a few seconds, I go to http://nl.traceroute6.net, run ping6
to my server and it works:

      PING 2a02:1807:xxx:yyy::3(2a02:1807:xxx:yyy::3) 56 data bytes

      64 bytes from 2a02:1807:xxx:yyy::3: icmp_seq=1 ttl=53 time=20.5 ms
      64 bytes from 2a02:1807:xxx:yyy::3: icmp_seq=2 ttl=54 time=20.9 ms
      64 bytes from 2a02:1807:xxx:yyy::3: icmp_seq=3 ttl=54 time=21.7 ms


I also checked with other online tools and ports 80 and 443
(http/https) are accessible as well.

4. But neither ping6 nor http works for long - within 10 seconds the
situation goes back to "Destination unreachable: Address unreachable".


I inspected /proc/sys/net/ipv6/conf/*/forwarding on the router and all
interfaces have forwarding set to 1, except the WAN interface, which is at 0.
If I set it to 1:

       admin@RT-AC68U-68A8:/proc/sys/net/ipv6/conf# echo 1 > ./eth0/forwarding

then http://nl.traceroute6.net says briefly:

      PING 2a02:1807:xxx:yyy::3(2a02:1807:xxx:yyy::3) 56 data bytes

      --- 2a02:1807:xxx:yyy::3 ping statistics ---
      5 packets transmitted, 0 received, 100% packet loss, time 4000ms


I'm no good at IPv6. Can anyone give me a hint about what I
misconfigured? The router is an embedded Linux, I can check all the
settings from the command line.

Thanks,
Mihai









_______________________________________________
RLUG mailing list
RLUG@lists.lug.ro
http://lists.lug.ro/mailman/listinfo/rlug_lists.lug.ro
