I have a question too: if you get the LAN prefixes via PD, and they are
relatively random (the part of the IP given by the provider), how do you
handle the forward rules in the ASUS firewall? Do you rewrite them at every
reboot when the v6 IP in the LAN changes?

On Sat, Jan 11, 2020 at 11:54 PM Mihai Osian <mihai.os...@gmail.com> wrote:

> I hadn't heard of OMV until now. Looks interesting - at first glance it's
> roughly equivalent to FreeNAS.
> But I have over 3TB of data stored under ZFS and several virtual machines
> (some for business projects). The IPv6 thing is a whim of mine, it isn't
> justified...
>
> Mihai
>
>
>
> On 1/11/20 9:59 PM, Adrian Minta wrote:
> > Yes, OpenMediaVault.
> >
> > On 1/11/20 9:45 PM, Mihai Osian wrote:
> >>   Thanks, I'll take a look. What is OMV? OpenMediaVault?
> >>
> >> Mihai
> >>
> >>
> >> On 1/11/20 6:33 PM, Adrian Minta wrote:
> >>> I see there are several people having problems with FreeNAS and ipv6:
> >>>
> >>> https://www.google.com/search?q=freenas+ipv6
> >>>
> >>>
> >>> https://gist.github.com/nightspotlight/1e2800de29efcfb68a3293b30a80a574
> >>>
> >>> See if you get on better with OMV.
> >>>
> >>>
> >>> On 1/11/20 1:19 PM, Mihai Osian wrote:
> >>>>   Thanks for the info. Starting from what you told me earlier about
> >>>> multicasting/neighbor discovery, I started wireshark on the linux
> >>>> desktop and began sniffing icmpv6. I did the following:
> >>>>
> >>>> - I removed that manual entry "ip -6 neigh add <server>" from the
> >>>> router
> >>>> - waited a minute
> >>>> - ping6 from outside towards the jail
> >>>> ==> I see a Neighbor Solicitation broadcast coming from the router,
> >>>> looking for the jail's address.
> >>>> - I don't see any reply (but I assume the Neighbor Advertisement in
> >>>> this case is unicast and doesn't reach my Linux desktop, so it
> >>>> doesn't mean anything)
> >>>>
> >>>>   I tried to run "tcpdump icmp6" from the FreeBSD jail, but it tells
> >>>> me 'tcpdump: (there are no BPF devices)'. Apparently devfs has to be
> >>>> mapped and some voodoo done in the jail configuration. I found on
> >>>> Google some answers to the question "tcpdump in iocage" - something
> >>>> about setting devfs.rules and bpf=yes, but for me it doesn't work
> >>>> (or not yet), in the sense that "iocage get -a <jail>" confirms what
> >>>> I set, but when I run the jail I don't see any /dev/bpf.
> >>>> For now I'm stuck with tcpdump in the jail.
> >>>>
> >>>>   I ran tcpdump from the host, and when I ping6 from outside
> >>>> (nl.traceroute6.net) towards my jail (2a02:<cenzurat>::3) I see this:
> >>>>
> >>>>    root@freenas:~ # tcpdump -i bridge0 icmp6
> >>>>    tcpdump: verbose output suppressed, use -v or -vv for full protocol
> >>>>    decode
> >>>>    listening on bridge0, link-type EN10MB (Ethernet), capture size
> >>>>    262144 bytes
> >>>>    12:04:59.055588 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3:
> >>>>    ICMP6, neighbor solicitation, who has 2a02:<cenzurat>::3, length 32
> >>>>    12:05:00.055630 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3:
> >>>>    ICMP6, neighbor solicitation, who has 2a02:<cenzurat>::3, length 32
> >>>>    12:05:01.055500 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3:
> >>>>    ICMP6, neighbor solicitation, who has 2a02:<cenzurat>::3, length 32
> >>>>    12:05:02.729031 IP6 fe80::e23f:49ff:fe24:68a8 >
> >>>>    ip6-allnodes.<cenzurat>.com: ICMP6, router advertisement, length 112
> >>>>    12:05:03.055592 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3:
> >>>>    ICMP6, neighbor solicitation, who has 2a02:<cenzurat>::3, length 32
> >>>>    12:05:04.055579 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3:
> >>>>    ICMP6, neighbor solicitation, who has 2a02:<cenzurat>::3, length 32
> >>>>    12:05:05.055507 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3:
> >>>>    ICMP6, neighbor solicitation, who has 2a02:<cenzurat>::3, length 32
> >>>>    12:05:06.428319 IP6 fe80::d6c4:2650:5902:a71b > ff02::1:ff00:0:
> >>>>    ICMP6, neighbor solicitation, who has ::, length 32
> >>>>    (etc, more of the same)
> >>>>
> >>>> where "fe80::e23f:49ff:fe24:68a8" is the router's LAN link-local
> >>>> address. I don't see any neighbor advertisement going back.
> >>>>
> >>>> If I ping6 from the Linux desktop (the address ending in ::4) to the
> >>>> jail (the address with ::3):
> >>>>
> >>>>    root@freenas:~ # tcpdump -i bridge0 icmp6
> >>>>    tcpdump: verbose output suppressed, use -v or -vv for full protocol
> >>>>    decode
> >>>>    listening on bridge0, link-type EN10MB (Ethernet), capture size
> >>>>    262144 bytes
> >>>>    12:05:47.734743 IP6 fe80::e23f:49ff:fe24:68a8 >
> >>>>    ip6-allnodes.<cenzurat>.com: ICMP6, router advertisement, length 112
> >>>>    12:05:48.089230 IP6 *2a02:<cenzurat>::4 > ff02::1:ff00:3: ICMP6,
> >>>>    neighbor solicitation,* who has 2a02:<cenzurat>::3, length 32
> >>>>    12:05:48.089309 IP6 *2a02:<cenzurat>::3 > 2a02:<cenzurat>::4: ICMP6,
> >>>>    neighbor advertisement*, tgt is 2a02:<cenzurat>::3, length 32
> >>>>    12:05:48.089433 IP6 2a02:<cenzurat>::4 > 2a02:<cenzurat>::3: ICMP6,
> >>>>    echo request, seq 1, length 64
> >>>>    12:05:48.089458 IP6 fe80::d6c4:2650:5902:a71b > ff02::1:ff00:0:
> >>>>    ICMP6, neighbor solicitation, who has ::, length 32
> >>>>    12:05:48.089527 IP6 2a02:<cenzurat>::3 > 2a02:<cenzurat>::4: ICMP6,
> >>>>    echo reply, seq 1, length 64
> >>>>    12:05:49.096104 IP6 2a02:<cenzurat>::4 > 2a02:<cenzurat>::3: ICMP6,
> >>>>    echo request, seq 2, length 64
> >>>>    12:05:49.096197 IP6 2a02:<cenzurat>::3 > 2a02:<cenzurat>::4: ICMP6,
> >>>>    echo reply, seq 2, length 64
> >>>>    12:05:50.120100 IP6 2a02:<cenzurat>::4 > 2a02:<cenzurat>::3: ICMP6,
> >>>>    echo request, seq 3, length 64
> >>>>    12:05:50.120187 IP6 2a02:<cenzurat>::3 > 2a02:<cenzurat>::4: ICMP6,
> >>>>    echo reply, seq 3, length 64
> >>>>
> >>>> The difference is that the router sends the neighbor solicitation
> >>>> from its link-local address, while the Linux desktop sends it from
> >>>> its global address. I don't understand why that would matter.
> >>>>
> >>>> Mihai
> >>>>
> >>>> PS: my provider isn't RDS, but the allocation mechanism is indeed
> >>>> DHCPv6-PD. The provider asks me for a "DUID" (dhcp unique
> >>>> identifier), which after some archaeological digging I found out is
> >>>> 00:03:00:01 plus the MAC address. After that I convinced the
> >>>> odhcp6c client on the router to send that as the "clientid", since
> >>>> by default it didn't. Now the router does indeed give the internal
> >>>> network the subnet/prefix promised by the provider (confirmed by the
> >>>> GUI as well as by "ip -6 route"). That part is fine.
> >>>>
> >>>>
> >>>>
> >>>> On 1/11/20 10:57 AM, Adrian Minta wrote:
> >>>>> Hi,
> >>>>>
> >>>>> On FreeBSD there are several kinds of firewall. You may have rules
> >>>>> made with PF:
> >>>>> https://forum.netgate.com/topic/23288/ipfw-vs-pf-knowledge-article
> >>>>>
> >>>>> For ND to work you have to allow ICMPv6:
> >>>>> https://blog.apnic.net/2019/10/18/how-to-ipv6-neighbor-discovery/
> >>>>>
> >>>>> For testing I would disable any trace of a firewall on the servers
> >>>>> and check with a laptop added to the network. That way you can see
> >>>>> whether the problem comes from the router or from the server.
> >>>>>
> >>>>> Also, on the ASUS router it's better to start with the original
> >>>>> image and only move to something else once everything works perfectly.
> >>>>>
> >>>>>
> >>>>> For allocating ipv6 addresses in the LAN there are several methods:
> >>>>>
> >>>>> 1. Using the SLAAC mechanism, without a DHCPv6 server.
> >>>>>
> >>>>> 2. SLAAC plus a DHCPv6 server for the DNS servers or other
> >>>>> information that can be passed via DHCP. Initially SLAAC could not
> >>>>> give information about DNS servers, which is why this mechanism
> >>>>> appeared.
> >>>>>
> >>>>> 3. Using a stateful DHCPv6 server, similar to the one for ipv4.
> >>>>> The "enterprise" people want to control who connects to the
> >>>>> network and asked for such a mechanism to be implemented.
> >>>>> Unfortunately someone at google seems to care a lot about "privacy".
> >>>>>
> >>>>> 4. Of course, static allocation.
> >>>>>
> >>>>> In the case of RDS your router receives an ipv6 address on the
> >>>>> PPPoE interface allocated via the native mechanism. Your router
> >>>>> then has to request a subnet via DHCPv6-PD, which it distributes
> >>>>> in the LAN via SLAAC.
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 1/11/20 1:24 AM, Mihai Osian wrote:
> >>>>>>   I don't think anything is broken - all the non-IPv6 stuff works
> >>>>>> fine. The problem is somewhere between the chair and the keyboard -
> >>>>>> I'm configuring something wrong. There's also the complication that
> >>>>>> the server is a FreeBSD jail (FreeNAS, to be exact), and my BSD
> >>>>>> knowledge is as limited as my IPv6 knowledge. That's why I'm asking
> >>>>>> on the list, maybe someone can give me a hint :-).
> >>>>>>
> >>>>>>
> >>>>>> Things I don't know:
> >>>>>>
> >>>>>> 1. How/whether the firewall is actually configured on the bsd
> >>>>>> server. If I run "ipfw" either on the host or in the jail, it says
> >>>>>> the same thing:
> >>>>>>
> >>>>>>    root@freenas:~ # ipfw list
> >>>>>>    65535 allow ip from any to any
> >>>>>>
> >>>>>> But I wouldn't swear that this covers ipv6 too. The ipfw man page
> >>>>>> has some 20000 lines of text, I haven't untangled it yet.
> >>>>>>
> >>>>>> 2. What the relationship is between the bsd host and the jail (how
> >>>>>> packets are handled/forwarded). The jail has a ton of configuration
> >>>>>> options and I don't understand some of them, for example
> >>>>>> "ip6.saddrsel" (google "man jail freebsd 12").
> >>>>>>
> >>>>>> 3. Whether I did the right thing by setting the jail's IPv6 address
> >>>>>> statically/by hand. Maybe the jail is now keeping quiet instead of
> >>>>>> broadcasting its address, and as a result the router doesn't learn
> >>>>>> of its existence (I don't know, I'm guessing). Maybe there is some
> >>>>>> mechanism (DHCP6 or something) through which the router assigns
> >>>>>> static IPv6 addresses, similar to IPv4. The problem is that my
> >>>>>> router's web interface has no such option - I can choose between
> >>>>>> "disabled, native, static, passthrough, tunnel6to4, etc". I tried
> >>>>>> all the combinations, "native" seems the most promising.
> >>>>>> I forgot to mention - for the ISP I have to supply a "DUID", which
> >>>>>> of course exists nowhere in the web interface. I figured out how
> >>>>>> it's done after about a week of digging (details on request), but
> >>>>>> even that only works from the command line. On my Linux workstation
> >>>>>> I also configured a static ipv6, and that seems to work. I say
> >>>>>> "seems" because I can't really test from outside without
> >>>>>> "activating" the router (ok, I could, but it's more complicated).
> >>>>>>
> >>>>>> So there could be many problems, and they could be related to
> >>>>>> FreeBSD, not Linux. I'll keep reading documentation, but for now I
> >>>>>> don't even know for sure where to start.
> >>>>>>
> >>>>>> Mihai
> >>>>>>
> >>>>>>
> >>>>>> On 1/10/20 10:08 PM, Adrian Minta wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> ipv6 doesn't use ARP but a different mechanism, ND (Neighbor
> >>>>>>> Discovery), based on multicast.
> >>>>>>>
> >>>>>>> Could you be having some problem with multicast?
> >>>>>>>
> >>>>>>> A firewall on the server, or a faulty network switch?
> >>>>>>>
> >>>>>>>
> >>>>>>> On 1/10/20 10:27 PM, Mihai Osian wrote:
> >>>>>>>>
> >>>>>>>>   I've recovered from the New Year shock and dug around the
> >>>>>>>> problem some more. I found out that the server's MAC address is
> >>>>>>>> kept in the router's ARP cache only for a limited time. Right
> >>>>>>>> after a ping the ARP entry shows as "REACHABLE", within 20
> >>>>>>>> seconds it turns into "STALE", and after 1 minute it disappears
> >>>>>>>> altogether. Something like this:
> >>>>>>>>
> >>>>>>>>    admin@RT-AC68U-68A8:/tmp/home/root# ping6 2a02:<cenzurat>::3
> >>>>>>>>    PING 2a02:<cenzurat>::3 (2a02:<cenzurat>::3): 56 data bytes
> >>>>>>>>    64 bytes from 2a02:<cenzurat>::3: seq=0 ttl=64 time=10.386 ms
> >>>>>>>>    64 bytes from 2a02:<cenzurat>::3: seq=1 ttl=64 time=0.385 ms
> >>>>>>>>    64 bytes from 2a02:<cenzurat>::3: seq=2 ttl=64 time=0.414 ms
> >>>>>>>>    ^C
> >>>>>>>>    --- 2a02:<cenzurat>::3 ping statistics ---
> >>>>>>>>    3 packets transmitted, 3 packets received, 0% packet loss
> >>>>>>>>    round-trip min/avg/max = 0.385/3.728/10.386 ms
> >>>>>>>>
> >>>>>>>>    admin@RT-AC68U-68A8:/tmp/home/root# watch ip -6 neigh | grep '::3'
> >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
> >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
> >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
> >>>>>>>>    [...]
> >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
> >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
> >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
> >>>>>>>>    [~1 minute ==> disappears]
> >>>>>>>>    ^C
> >>>>>>>>    admin@RT-AC68U-68A8:/tmp/home/root#
> >>>>>>>>
> >>>>>>>> The solution seems to be a manual entry:
> >>>>>>>>
> >>>>>>>>    admin@RT-AC68U-68A8:/tmp/home/root# ip -6 neigh add 2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24
> >>>>>>>>    admin@RT-AC68U-68A8:/tmp/home/root# ip -6 neigh
> >>>>>>>>    2a02:<cenzurat>:3df4 dev br0 lladdr b8:ae:ed:ea:5f:12 STALE
> >>>>>>>>    2a02:<cenzurat>::4 dev br0 lladdr 70:85:c2:59:dc:19 REACHABLE
> >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 *PERMANENT*
> >>>>>>>>    [...]
> >>>>>>>>
> >>>>>>>> And my web server is now visible over IPv6. At least until the
> >>>>>>>> power goes out or I reboot the router....
> >>>>>>>>
> >>>>>>>> Mihai
> >>>>>>>>
> >>>>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>
> >>
> >>
> >
>
>
>
_______________________________________________
RLUG mailing list
RLUG@lists.lug.ro
http://lists.lug.ro/mailman/listinfo/rlug_lists.lug.ro
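The captures quoted above show neighbor solicitations from the router's link-local address with no advertisement coming back, while the desktop's solicitation from a global address is answered. An added example, not from the thread: a small Python checker that reads tcpdump icmp6 lines, pairs each solicitation with the advertisement sent back to the solicitor for the same target, and lists the pairs that were never answered. The sample lines are constructed after the thread's captures, with the documentation prefix 2001:db8:1::/64 in place of the censored one; the function names are mine.

```python
import ipaddress
import re
import sys

# Constructed sample lines, modelled on the captures in the thread; the censored
# 2a02:... prefix is replaced here by the documentation prefix 2001:db8:1::/64.
SAMPLE_CAPTURE = """\
12:04:59.055588 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2001:db8:1::3, length 32
12:05:00.055630 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2001:db8:1::3, length 32
12:05:02.729031 IP6 fe80::e23f:49ff:fe24:68a8 > ip6-allnodes.example.com: ICMP6, router advertisement, length 112
12:05:48.089230 IP6 2001:db8:1::4 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2001:db8:1::3, length 32
12:05:48.089309 IP6 2001:db8:1::3 > 2001:db8:1::4: ICMP6, neighbor advertisement, tgt is 2001:db8:1::3, length 32
12:05:48.089433 IP6 2001:db8:1::4 > 2001:db8:1::3: ICMP6, echo request, seq 1, length 64
"""

# One tcpdump line for a neighbor solicitation or advertisement (run tcpdump
# with -n so that addresses are not replaced by resolved names):
#   <ts> IP6 <src> > <dst>: ICMP6, neighbor solicitation, who has <tgt>, length 32
#   <ts> IP6 <src> > <dst>: ICMP6, neighbor advertisement, tgt is <tgt>, length 32
ND_LINE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, "
    r"neighbor (?P<kind>solicitation|advertisement), "
    r"(?:who has|tgt is) (?P<target>\S+), length \d+"
)


def parse_nd(lines):
    """Return (ts, src, dst, kind, target) for every NS/NA line; other ICMPv6 lines are skipped."""
    records = []
    for line in lines:
        m = ND_LINE.match(line.strip())
        if m:
            records.append((m["ts"], m["src"], m["dst"], m["kind"], m["target"]))
    return records


def summarize(records):
    """Count, per (solicitor, target) pair, how many NS went out and how many NA came back.

    A solicited advertisement is unicast to the address the solicitation came
    from, so an NA is credited to a pair when its destination is the solicitor
    and it carries the same target address.
    """
    counts = {}
    for _ts, src, _dst, kind, target in records:
        if kind == "solicitation":
            ns, na = counts.get((src, target), (0, 0))
            counts[(src, target)] = (ns + 1, na)
    for _ts, _src, dst, kind, target in records:
        if kind == "advertisement" and (dst, target) in counts:
            ns, na = counts[(dst, target)]
            counts[(dst, target)] = (ns, na + 1)
    return counts


def unanswered(records):
    """List (solicitor, target, ns_count) for the pairs that never got an advertisement."""
    return [(src, target, ns)
            for (src, target), (ns, na) in summarize(records).items() if na == 0]


def is_link_local(addr):
    """True for fe80::/10 sources, the case that stays unanswered in the thread."""
    return ipaddress.IPv6Address(addr).is_link_local


if __name__ == "__main__":
    # `python nd_check.py -` reads a live capture from stdin; with no argument
    # the constructed sample above is analysed.
    lines = sys.stdin if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_CAPTURE.splitlines()
    for src, target, ns in unanswered(parse_nd(lines)):
        scope = "link-local" if is_link_local(src) else "global"
        print(f"{ns} solicitation(s) from {src} ({scope}) for {target} got no advertisement")
```

Feed it `tcpdump -i bridge0 -n icmp6` output. A solicitor that never receives an advertisement while another one does, as with the link-local source here, narrows the problem to the link between that source and the target: a filter dropping ICMPv6, or the target never seeing the solicited-node multicast, rather than routing or the prefix delegation.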

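On the question at the top of the thread (forward rules when the LAN prefix comes from DHCPv6-PD and can change): the part the provider delegates is the prefix, while the interface identifier of each LAN host (the ::3 and ::4 suffixes used in the thread) is the part you control, so the rules can be regenerated from the current prefix instead of being edited by hand after each change. An added example, not from the thread or from any ASUS firmware: Python that extracts the delegated /64 on the LAN interface from `ip -6 route` output, joins it with each host's fixed suffix, and renders the matching ip6tables FORWARD rules. The route lines are constructed with the documentation prefix 2001:db8:abcd::/64; the function names, the interface names br0/ppp0 and the service list are assumptions.

```python
import ipaddress
import re

# Constructed sample of `ip -6 route` output on a Linux router after DHCPv6-PD,
# with the documentation prefix 2001:db8:abcd::/64 standing in for the delegated one.
SAMPLE_ROUTES = """\
2001:db8:abcd::/64 dev br0 proto kernel metric 256 expires 86392sec pref medium
fe80::/64 dev br0 proto kernel metric 256 pref medium
fe80::/64 dev ppp0 proto kernel metric 256 pref medium
default via fe80::1 dev ppp0 metric 1024 expires 1792sec pref medium
"""

# "<network>/<len> dev <iface> ..." ; the "default via" line does not match.
ROUTE_LINE = re.compile(r"^(?P<net>[0-9a-fA-F:]+/\d+) dev (?P<dev>\S+)")


def lan_prefix(route_output, lan_dev="br0"):
    """Return the routable prefix currently attached to the LAN interface, or None.

    Link-local and multicast routes are skipped; the first remaining route on
    the LAN device is taken to be the delegated prefix.
    """
    for line in route_output.splitlines():
        m = ROUTE_LINE.match(line)
        if not m or m["dev"] != lan_dev:
            continue
        net = ipaddress.IPv6Network(m["net"], strict=False)
        if net.is_link_local or net.is_multicast:
            continue
        return net
    return None


def host_address(prefix, suffix):
    """Combine a /64 prefix with a fixed 64-bit interface identifier such as '::3'."""
    suffix_int = int(ipaddress.IPv6Address(suffix))
    if prefix.prefixlen != 64 or suffix_int >> 64:
        raise ValueError("expected a /64 prefix and a suffix that fits in 64 bits")
    return ipaddress.IPv6Address(int(prefix.network_address) | suffix_int)


def forward_rules(prefix, services, wan_dev="ppp0", lan_dev="br0"):
    """Render ip6tables FORWARD rules admitting only the listed (suffix, proto, port) services.

    The chain policy is assumed to be DROP, so anything not generated here stays
    blocked; return traffic for connections the LAN opened is allowed first.
    """
    rules = [
        f"ip6tables -A FORWARD -i {wan_dev} -o {lan_dev} -m conntrack "
        f"--ctstate ESTABLISHED,RELATED -j ACCEPT"
    ]
    for suffix, proto, port in services:
        addr = host_address(prefix, suffix)
        rules.append(
            f"ip6tables -A FORWARD -i {wan_dev} -o {lan_dev} -p {proto} -d {addr} "
            f"--dport {port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    # Hypothetical service list: the jail at ::3 serves HTTPS, nothing else is reachable.
    prefix = lan_prefix(SAMPLE_ROUTES)
    if prefix is None:
        raise SystemExit("no delegated prefix on br0 yet")
    for rule in forward_rules(prefix, [("::3", "tcp", 443)]):
        print(rule)
```

Run the script from whatever hook the router fires when its DHCPv6 lease is acquired or renewed (which hook exists depends on the firmware and is not assumed here), replacing only the generated rules rather than flushing the whole chain so that the default-deny policy and the other rules stay in place while the prefix changes.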