Allow from LAN to WAN + track
Deny from WAN to LAN + log

On Tue, Jan 21, 2020 at 9:39 AM Adrian Popa <[email protected]> wrote:

> I have a question too - if you get the LAN prefixes via PD, and they are
> relatively random (the part of the IP handed out by the provider), how do you
> handle the forward rules in the ASUS firewall? Do you rewrite them at every
> reboot, when the v6 IP in the LAN changes?
>
> On Sat, Jan 11, 2020 at 11:54 PM Mihai Osian <[email protected]> wrote:
>
> > I hadn't heard of OMV until now. Looks interesting - at first glance it is
> > roughly the equivalent of FreeNAS.
> > But I have over 3TB of data stored under ZFS and several virtual machines
> > (some for business projects). The IPv6 thing is a whim of mine, it isn't
> > justified...
> >
> > Mihai
> >
> > On 1/11/20 9:59 PM, Adrian Minta wrote:
> > > Yes, OpenMediaVault.
> > >
> > > On 1/11/20 9:45 PM, Mihai Osian wrote:
> > > > Thanks, I'll take a look. What is OMV? OpenMediaVault?
> > > >
> > > > Mihai
> > > >
> > > > On 1/11/20 6:33 PM, Adrian Minta wrote:
> > > > > I see there are several people having problems with FreeNAS and ipv6:
> > > > >
> > > > > https://www.google.com/search?q=freenas+ipv6
> > > > >
> > > > > https://gist.github.com/nightspotlight/1e2800de29efcfb68a3293b30a80a574
> > > > >
> > > > > See whether you get along better with OMV.
> > > > >
> > > > > On 1/11/20 1:19 PM, Mihai Osian wrote:
> > > > > > Thanks for the info. Starting from what you told me earlier about
> > > > > > multicasting/neighbor discovery, I started a wireshark on the linux
> > > > > > desktop and began sniffing icmpv6. I did this:
> > > > > >
> > > > > > - removed that manual "ip -6 neigh add <server>" entry from the router
> > > > > > - waited a minute
> > > > > > - ping6 from outside towards the jail
> > > > > > ==> I see a Neighbor Solicitation broadcast coming from the router,
> > > > > > looking for the jail's address.
> > > > > > - I see no reply (but I assume the Neighbor Advertisement in this case
> > > > > > is unicast and doesn't reach my Linux desktop, so that means nothing)
> > > > > >
> > > > > > I tried to run "tcpdump icmp6" from the FreeBSD jail, but it tells me
> > > > > > 'tcpdump: (there are no BPF devices)'. Apparently devfs has to be
> > > > > > mapped and some voodoo done in the jail configuration. I found on
> > > > > > Google some answers to the question "tcpdump in iocage" - something
> > > > > > about setting devfs.rules and bpf=yes, but for me it doesn't work (or
> > > > > > not yet), in the sense that "iocage get -a <jail>" confirms what I
> > > > > > set, but when I run the jail I don't see any /dev/bpf. For now I'm
> > > > > > stuck on tcpdump in the jail.
> > > > > >
> > > > > > I ran tcpdump from the host, and when I ping6 from outside
> > > > > > (nl.traceroute6.net) towards my jail (2a02:<redacted>::3) I see this:
> > > > > >
> > > > > > root@freenas:~ # tcpdump -i bridge0 icmp6
> > > > > > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > > > > > listening on bridge0, link-type EN10MB (Ethernet), capture size 262144 bytes
> > > > > > 12:04:59.055588 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2a02:<redacted>::3, length 32
> > > > > > 12:05:00.055630 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2a02:<redacted>::3, length 32
> > > > > > 12:05:01.055500 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2a02:<redacted>::3, length 32
> > > > > > 12:05:02.729031 IP6 fe80::e23f:49ff:fe24:68a8 > ip6-allnodes.<redacted>.com: ICMP6, router advertisement, length 112
> > > > > > 12:05:03.055592 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2a02:<redacted>::3, length 32
> > > > > > 12:05:04.055579 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2a02:<redacted>::3, length 32
> > > > > > 12:05:05.055507 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2a02:<redacted>::3, length 32
> > > > > > 12:05:06.428319 IP6 fe80::d6c4:2650:5902:a71b > ff02::1:ff00:0: ICMP6, neighbor solicitation, who has ::, length 32
> > > > > > (etc, more of the same)
> > > > > >
> > > > > > where "fe80::e23f:49ff:fe24:68a8" is the router's LAN link-local
> > > > > > address. I don't see any neighbor advertisement going back.
> > > > > >
> > > > > > If I ping6 from the Linux desktop (the address ending in ::4) to the
> > > > > > jail (the address ending in ::3):
> > > > > >
> > > > > > root@freenas:~ # tcpdump -i bridge0 icmp6
> > > > > > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > > > > > listening on bridge0, link-type EN10MB (Ethernet), capture size 262144 bytes
> > > > > > 12:05:47.734743 IP6 fe80::e23f:49ff:fe24:68a8 > ip6-allnodes.<redacted>.com: ICMP6, router advertisement, length 112
> > > > > > 12:05:48.089230 IP6 *2a02:<redacted>::4 > ff02::1:ff00:3: ICMP6, neighbor solicitation,* who has 2a02:<redacted>::3, length 32
> > > > > > 12:05:48.089309 IP6 *2a02:<redacted>::3 > 2a02:<redacted>::4: ICMP6, neighbor advertisement*, tgt is 2a02:<redacted>::3, length 32
> > > > > > 12:05:48.089433 IP6 2a02:<redacted>::4 > 2a02:<redacted>::3: ICMP6, echo request, seq 1, length 64
> > > > > > 12:05:48.089458 IP6 fe80::d6c4:2650:5902:a71b > ff02::1:ff00:0: ICMP6, neighbor solicitation, who has ::, length 32
> > > > > > 12:05:48.089527 IP6 2a02:<redacted>::3 > 2a02:<redacted>::4: ICMP6, echo reply, seq 1, length 64
> > > > > > 12:05:49.096104 IP6 2a02:<redacted>::4 > 2a02:<redacted>::3: ICMP6, echo request, seq 2, length 64
> > > > > > 12:05:49.096197 IP6 2a02:<redacted>::3 > 2a02:<redacted>::4: ICMP6, echo reply, seq 2, length 64
> > > > > > 12:05:50.120100 IP6 2a02:<redacted>::4 > 2a02:<redacted>::3: ICMP6, echo request, seq 3, length 64
> > > > > > 12:05:50.120187 IP6 2a02:<redacted>::3 > 2a02:<redacted>::4: ICMP6, echo reply, seq 3, length 64
> > > > > >
> > > > > > The difference is that the router sends the neighbor solicitation from
> > > > > > its link-local address, while the Linux desktop sends it from its
> > > > > > global address. I don't understand why that would matter.
> > > > > >
> > > > > > Mihai
> > > > > >
> > > > > > PS: my provider is not RDS, but the allocation mechanism is indeed
> > > > > > DHCPv6-PD. The provider asks me for a "DUID" (dhcp unique identifier),
> > > > > > which after some archaeological digging I found out is 00:03:00:01
> > > > > > plus the MAC address. After that I convinced the odhcp6c client on the
> > > > > > router to send that as the "clientid", because by default it didn't.
> > > > > > Now the router really does hand the internal network the
> > > > > > subnet/prefix promised by the provider (confirmed by the GUI as well
> > > > > > as by "ip -6 route"). That part is fine.
> > > > > >
> > > > > > On 1/11/20 10:57 AM, Adrian Minta wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > On FreeBSD there are several kinds of firewall. You may have rules
> > > > > > > made with PF:
> > > > > > > https://forum.netgate.com/topic/23288/ipfw-vs-pf-knowledge-article
> > > > > > >
> > > > > > > For ND to work you have to allow ICMPv6:
> > > > > > > https://blog.apnic.net/2019/10/18/how-to-ipv6-neighbor-discovery/
> > > > > > >
> > > > > > > For testing I would disable every trace of firewall on the servers
> > > > > > > and check with a laptop added to the network. That way you can see
> > > > > > > whether the problem comes from the router or from the server.
> > > > > > >
> > > > > > > Also, on the ASUS router it is better to start with the original
> > > > > > > image and only move to something else once everything works
> > > > > > > perfectly.
> > > > > > >
> > > > > > > For allocating ipv6 addresses in the LAN there are several methods:
> > > > > > >
> > > > > > > 1. Using the SLAAC mechanism, without a DHCPv6 server.
> > > > > > >
> > > > > > > 2. SLAAC plus a DHCPv6 server for the DNS servers or other
> > > > > > > information that can be passed via DHCP. Initially SLAAC could not
> > > > > > > give information about DNS servers, which is why this mechanism
> > > > > > > appeared.
> > > > > > >
> > > > > > > 3. Using a stateful DHCPv6 server, similar to the ipv4 one. The
> > > > > > > "enterprise" crowd want to control who connects to the network and
> > > > > > > asked for such a mechanism to be implemented. Unfortunately someone
> > > > > > > at google seems to care a great deal about "privacy".
> > > > > > >
> > > > > > > 4. Of course, static allocation.
> > > > > > >
> > > > > > > In the RDS case your router gets an ipv6 address on the PPPoE
> > > > > > > interface, allocated through the native mechanism. Your router then
> > > > > > > has to request a subnet via DHCPv6-PD, which it distributes in the
> > > > > > > LAN via SLAAC.
> > > > > > >
> > > > > > > On 1/11/20 1:24 AM, Mihai Osian wrote:
> > > > > > > > I don't think anything is broken - all the non-IPv6 stuff works
> > > > > > > > ok. The problem is somewhere between the chair and the keyboard
> > > > > > > > - I'm configuring something wrong. There is also the complication
> > > > > > > > that the server is a FreeBSD jail (FreeNAS, to be precise), and
> > > > > > > > my BSD knowledge is as limited as my IPv6 knowledge. That's why
> > > > > > > > I'm asking on the list, maybe someone can give me a hint :-).
> > > > > > > >
> > > > > > > > Things I don't know:
> > > > > > > >
> > > > > > > > 1. How/whether the firewall is actually configured on the bsd
> > > > > > > > server. If I run "ipfw" either on the host or in the jail, it
> > > > > > > > says the same thing:
> > > > > > > >
> > > > > > > > root@freenas:~ # ipfw list
> > > > > > > > 65535 allow ip from any to any
> > > > > > > >
> > > > > > > > But I wouldn't swear that this covers ipv6 as well. The ipfw man
> > > > > > > > page has some 20000 lines of text, I haven't untangled it yet.
> > > > > > > >
> > > > > > > > 2. What the relationship is between the bsd host and the jail
> > > > > > > > (how packets are handled/forwarded). The jail has a ton of
> > > > > > > > configuration options and some I don't understand, for example
> > > > > > > > "ip6.saddrsel" (google "man jail freebsd 12").
> > > > > > > >
> > > > > > > > 3. Whether I did the right thing by setting the jail's IPv6
> > > > > > > > address statically/by hand. Maybe the jail now keeps quiet
> > > > > > > > instead of broadcasting its address, and as a result the router
> > > > > > > > never learns of its existence (I don't know, I'm guessing). Maybe
> > > > > > > > there is some mechanism (DHCP6 or something) through which the
> > > > > > > > router assigns static IPv6 addresses, like with IPv4. The problem
> > > > > > > > is that my router's web interface has no such option - I get to
> > > > > > > > choose between "disabled, native, static, passthrough,
> > > > > > > > tunnel6to4, etc". I tried every combination, "native" seems the
> > > > > > > > most promising. I forgot to mention - for the ISP I have to
> > > > > > > > supply a "DUID", which of course exists nowhere in the web
> > > > > > > > interface. I worked out how it's done after about a week of
> > > > > > > > digging (details on request), but that too only works from the
> > > > > > > > command line. On my Linux workstation I also configured a static
> > > > > > > > ipv6, and that seems to work. I say "seems" because I can't
> > > > > > > > really test from outside without "activating" the router (ok, I
> > > > > > > > could, but it's more complicated).
> > > > > > > >
> > > > > > > > So there can be many problems, and they could be related to
> > > > > > > > FreeBSD, not Linux. I'm reading more documentation, but for now
> > > > > > > > I don't even know for sure where to start.
> > > > > > > >
> > > > > > > > Mihai
> > > > > > > >
> > > > > > > > On 1/10/20 10:08 PM, Adrian Minta wrote:
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > ipv6 doesn't use ARP but a different mechanism, ND (Neighbor
> > > > > > > > > Discovery), based on multicast.
> > > > > > > > >
> > > > > > > > > Could you have some problem with multicast?
> > > > > > > > >
> > > > > > > > > A firewall on the server, or a faulty network switch?
> > > > > > > > >
> > > > > > > > > On 1/10/20 10:27 PM, Mihai Osian wrote:
> > > > > > > > > >
> > > > > > > > > > I've recovered from the New Year shock and dug around the
> > > > > > > > > > problem some more. I found out that the server's MAC address
> > > > > > > > > > is kept in the router's ARP cache only for a limited time.
> > > > > > > > > > Right after a ping the ARP entry shows as "REACHABLE", within
> > > > > > > > > > 20 seconds it turns into "STALE", and after 1 minute it
> > > > > > > > > > disappears entirely. Something like:
> > > > > > > > > >
> > > > > > > > > > admin@RT-AC68U-68A8:/tmp/home/root# ping6 2a02:<redacted>::3
> > > > > > > > > > PING 2a02:<redacted>::3 (2a02:<redacted>::3): 56 data bytes
> > > > > > > > > > 64 bytes from 2a02:<redacted>::3: seq=0 ttl=64 time=10.386 ms
> > > > > > > > > > 64 bytes from 2a02:<redacted>::3: seq=1 ttl=64 time=0.385 ms
> > > > > > > > > > 64 bytes from 2a02:<redacted>::3: seq=2 ttl=64 time=0.414 ms
> > > > > > > > > > ^C
> > > > > > > > > > --- 2a02:<redacted>::3 ping statistics ---
> > > > > > > > > > 3 packets transmitted, 3 packets received, 0% packet loss
> > > > > > > > > > round-trip min/avg/max = 0.385/3.728/10.386 ms
> > > > > > > > > >
> > > > > > > > > > admin@RT-AC68U-68A8:/tmp/home/root# watch ip -6 neigh | grep '::3'
> > > > > > > > > > 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > > > > > > > > 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > > > > > > > > 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > > > > > > > > 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > > > > > > > > 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > > > > > > > > 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > > > > > > > > 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > > > > > > > > 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > > > > > > > > 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > > > > > > > > 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > > > > > > > > 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > > > > > > > > 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
> > > > > > > > > > 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
> > > > > > > > > > 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
> > > > > > > > > > [...]
> > > > > > > > > > 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
> > > > > > > > > > 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
> > > > > > > > > > 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
> > > > > > > > > > [~1 minute ==> it disappears]
> > > > > > > > > > ^C
> > > > > > > > > > admin@RT-AC68U-68A8:/tmp/home/root#
> > > > > > > > > >
> > > > > > > > > > The solution seems to be a manual entry:
> > > > > > > > > >
> > > > > > > > > > admin@RT-AC68U-68A8:/tmp/home/root# ip -6 neigh add 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24
> > > > > > > > > > admin@RT-AC68U-68A8:/tmp/home/root# ip -6 neigh
> > > > > > > > > > 2a02:<redacted>:3df4 dev br0 lladdr b8:ae:ed:ea:5f:12 STALE
> > > > > > > > > > 2a02:<redacted>::4 dev br0 lladdr 70:85:c2:59:dc:19 REACHABLE
> > > > > > > > > > 2a02:<redacted>::3 dev br0 lladdr 08:62:66:2d:5e:24 *PERMANENT*
> > > > > > > > > > [...]
> > > > > > > > > >
> > > > > > > > > > And my web server is now reachable over IPv6. At least until
> > > > > > > > > > the power goes out or I reboot the router....
> > > > > > > > > >
> > > > > > > > > > Mihai

_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug_lists.lug.ro
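The two captures above differ in one observable way: the router's link-local-sourced neighbor solicitations for ::3 never get a neighbor advertisement back, while the desktop's global-sourced solicitation does. The script below is an added diagnostic, not code from the thread or from any of its participants: it parses the one-line summaries that `tcpdump ... icmp6` prints, pairs each neighbor solicitation (per solicitor and target) with any neighbor advertisement for that target sent back to the solicitor (or to all-nodes ff02::1) afterwards, and flags solicitors that use a link-local source. The embedded capture is constructed to match the shape of the thread's two captures; its global addresses use the 2001:db8::/32 documentation prefix and are not the poster's.

```python
"""Pair ICMPv6 neighbor solicitations with the advertisements that answer them,
working from `tcpdump ... icmp6` one-line output.  Added diagnostic, not from the thread."""
import ipaddress
import re

# Constructed sample shaped like the two `tcpdump -i bridge0 icmp6` captures in
# the thread.  Global addresses are in the 2001:db8::/32 documentation prefix,
# not the poster's real prefix; the link-local addresses are as in the thread.
SAMPLE_CAPTURE = """\
listening on bridge0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:04:59.055588 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2001:db8:1::3, length 32
12:05:00.055630 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2001:db8:1::3, length 32
12:05:02.729031 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1: ICMP6, router advertisement, length 112
12:05:06.428319 IP6 fe80::d6c4:2650:5902:a71b > ff02::1:ff00:0: ICMP6, neighbor solicitation, who has ::, length 32
12:05:48.089230 IP6 2001:db8:1::4 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2001:db8:1::3, length 32
12:05:48.089309 IP6 2001:db8:1::3 > 2001:db8:1::4: ICMP6, neighbor advertisement, tgt is 2001:db8:1::3, length 32
12:05:48.089433 IP6 2001:db8:1::4 > 2001:db8:1::3: ICMP6, echo request, seq 1, length 64
"""

# One tcpdump summary line:
#   <ts> IP6 <src> > <dst>: ICMP6, <type>[, who has|tgt is <addr>], length N
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, "
    r"(?P<kind>neighbor solicitation|neighbor advertisement|router advertisement|"
    r"echo request|echo reply)"
    r"(?:, (?:who has|tgt is) (?P<target>[0-9A-Fa-f:]+))?"
)


def seconds_since_midnight(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def is_link_local(addr):
    """True for fe80::/10 addresses; False for anything else, including the
    hostnames tcpdump prints when it manages to resolve an address."""
    try:
        return ipaddress.ip_address(addr).is_link_local
    except ValueError:
        return False


def parse_icmp6(capture_text):
    """Return one dict per ICMPv6 summary line; banners and notes are skipped."""
    packets = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["t"] = seconds_since_midnight(p.pop("ts"))
            packets.append(p)
    return packets


def ns_report(capture_text):
    """Per (solicitor, target): number of solicitations seen, whether a neighbor
    advertisement for that target went back to the solicitor (or to all-nodes
    ff02::1) at or after the solicitation, and whether the solicitor used a
    link-local source address."""
    packets = parse_icmp6(capture_text)
    advertisements = [p for p in packets if p["kind"] == "neighbor advertisement"]
    report = {}
    for p in packets:
        if p["kind"] != "neighbor solicitation":
            continue
        if p["src"] == "::" or p["target"] in (None, "::"):
            continue  # DAD probes (src ::) and a :: target have no neighbor to answer
        key = (p["src"], p["target"])
        entry = report.setdefault(key, {
            "solicitations": 0,
            "answered": False,
            "src_is_link_local": is_link_local(p["src"]),
        })
        entry["solicitations"] += 1
        if not entry["answered"]:
            entry["answered"] = any(
                na["target"] == p["target"]
                and na["dst"] in (p["src"], "ff02::1")
                and na["t"] >= p["t"]
                for na in advertisements
            )
    return report


if __name__ == "__main__":
    for (src, target), e in ns_report(SAMPLE_CAPTURE).items():
        scope = "link-local" if e["src_is_link_local"] else "global"
        status = "answered" if e["answered"] else "NO ADVERTISEMENT SEEN"
        print(f"{src} ({scope}) -> {target}: {e['solicitations']} NS, {status}")
```

To run it on a live capture, feed it the output of `tcpdump -i bridge0 -n icmp6` (the `-n` keeps addresses numeric, so the parser sees addresses rather than resolved names). The report only reflects what crossed the capture interface: an advertisement dropped by a host or jail firewall rule before it reaches the bridge, or one that the jail never sends, both show up the same way, as an unanswered solicitation, so a "NO ADVERTISEMENT SEEN" line narrows the fault to the responder side but does not by itself say whether the filter or the stack is at fault.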
