Sorry, I thought you wanted to permit http/https over IPv6 from the WAN side.
And I didn't know how you were going to manage the dynamic v6 address from
the LAN in the firewall.

On Tue, Jan 21, 2020 at 11:35 AM Adrian M <[email protected]> wrote:

> Allow from LAN to WAN + track
> Deny from WAN to LAN + log
>
> On Tue, Jan 21, 2020 at 9:39 AM Adrian Popa <[email protected]>
> wrote:
>
> > I have a question too - if you get the LAN prefixes via PD, and they are
> > relatively random (the part of the address handed out by the provider), how
> > do you handle the forward rules in the ASUS firewall? Do you rewrite them at
> > every reboot when the LAN v6 address changes?
> >
> > On Sat, Jan 11, 2020 at 11:54 PM Mihai Osian <[email protected]>
> > wrote:
> >
> > > I hadn't heard of OMV until now. It looks interesting - at first glance
> > > it's roughly equivalent to FreeNAS.
> > > But I have over 3TB of data stored under ZFS and several virtual machines
> > > (some for business projects). The IPv6 thing is a whim of mine, it isn't
> > > justified...
> > >
> > > Mihai
> > >
> > >
> > >
> > > On 1/11/20 9:59 PM, Adrian Minta wrote:
> > > > Yes, OpenMediaVault.
> > > >
> > > > On 1/11/20 9:45 PM, Mihai Osian wrote:
> > > >>   Thanks, I'll take a look. What is OMV? OpenMediaVault?
> > > >>
> > > >> Mihai
> > > >>
> > > >>
> > > >> On 1/11/20 6:33 PM, Adrian Minta wrote:
> > > >>> I see there are several people having problems with FreeNAS and ipv6:
> > > >>>
> > > >>> https://www.google.com/search?q=freenas+ipv6
> > > >>>
> > > >>> https://gist.github.com/nightspotlight/1e2800de29efcfb68a3293b30a80a574
> > > >>>
> > > >>> See whether you get on better with OMV.
> > > >>>
> > > >>>
> > > >>> On 1/11/20 1:19 PM, Mihai Osian wrote:
> > > >>>>   Thanks for the info. Starting from what you told me earlier about
> > > >>>> multicasting/neighbor discovery, I started wireshark on the linux
> > > >>>> desktop and began sniffing icmpv6. I did the following:
> > > >>>>
> > > >>>> - removed that manual "ip -6 neigh add <server>" entry from
> > > >>>> the router
> > > >>>> - waited a minute
> > > >>>> - ping6 from outside towards the jail
> > > >>>> ==> I see a Neighbor Solicitation broadcast coming from the router,
> > > >>>> looking for the jail's address.
> > > >>>> - I don't see any reply (but I assume the Neighbor Advertisement in
> > > >>>> this case is unicast and doesn't reach my Linux desktop, so it
> > > >>>> doesn't mean anything)
> > > >>>>
> > > >>>>   I tried to run "tcpdump icmp6" from the FreeBSD jail, but it
> > > >>>> tells me 'tcpdump: (there are no BPF devices)'. Apparently devfs has
> > > >>>> to be mapped and some voodoo done in the jail's configuration. I
> > > >>>> found some answers on Google to the question "tcpdump in iocage"
> > > >>>> - something about setting devfs.rules and bpf=yes, but for me it
> > > >>>> doesn't work (or not yet), in the sense that "iocage get -a <jail>"
> > > >>>> confirms what I set, but when I run the jail I don't see any /dev/bpf.
> > > >>>> For now I'm stuck with tcpdump in the jail.
> > > >>>>
> > > >>>>   I ran tcpdump from the host, and when I ping6 from outside
> > > >>>> (nl.traceroute6.net) towards my jail (2a02:<cenzurat>::3) I see
> > > >>>> this:
> > > >>>>
> > > >>>>    root@freenas:~ # tcpdump -i bridge0 icmp6
> > > >>>>    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > > >>>>    listening on bridge0, link-type EN10MB (Ethernet), capture size 262144 bytes
> > > >>>>    12:04:59.055588 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2a02:<cenzurat>::3, length 32
> > > >>>>    12:05:00.055630 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2a02:<cenzurat>::3, length 32
> > > >>>>    12:05:01.055500 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2a02:<cenzurat>::3, length 32
> > > >>>>    12:05:02.729031 IP6 fe80::e23f:49ff:fe24:68a8 > ip6-allnodes.<cenzurat>.com: ICMP6, router advertisement, length 112
> > > >>>>    12:05:03.055592 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2a02:<cenzurat>::3, length 32
> > > >>>>    12:05:04.055579 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2a02:<cenzurat>::3, length 32
> > > >>>>    12:05:05.055507 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2a02:<cenzurat>::3, length 32
> > > >>>>    12:05:06.428319 IP6 fe80::d6c4:2650:5902:a71b > ff02::1:ff00:0: ICMP6, neighbor solicitation, who has ::, length 32
> > > >>>>    (etc, more of the same)
> > > >>>>
> > > >>>> where "fe80::e23f:49ff:fe24:68a8" is the router's LAN link-local
> > > >>>> address. I don't see any neighbor advertisement going back.
> > > >>>>
> > > >>>> If I ping6 from the Linux desktop (the address ending in ::4) to the
> > > >>>> jail (the address ending in ::3):
> > > >>>>
> > > >>>>    root@freenas:~ # tcpdump -i bridge0 icmp6
> > > >>>>    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > > >>>>    listening on bridge0, link-type EN10MB (Ethernet), capture size 262144 bytes
> > > >>>>    12:05:47.734743 IP6 fe80::e23f:49ff:fe24:68a8 > ip6-allnodes.<cenzurat>.com: ICMP6, router advertisement, length 112
> > > >>>>    12:05:48.089230 IP6 *2a02:<cenzurat>::4 > ff02::1:ff00:3: ICMP6, neighbor solicitation,* who has 2a02:<cenzurat>::3, length 32
> > > >>>>    12:05:48.089309 IP6 *2a02:<cenzurat>::3 > 2a02:<cenzurat>::4: ICMP6, neighbor advertisement*, tgt is 2a02:<cenzurat>::3, length 32
> > > >>>>    12:05:48.089433 IP6 2a02:<cenzurat>::4 > 2a02:<cenzurat>::3: ICMP6, echo request, seq 1, length 64
> > > >>>>    12:05:48.089458 IP6 fe80::d6c4:2650:5902:a71b > ff02::1:ff00:0: ICMP6, neighbor solicitation, who has ::, length 32
> > > >>>>    12:05:48.089527 IP6 2a02:<cenzurat>::3 > 2a02:<cenzurat>::4: ICMP6, echo reply, seq 1, length 64
> > > >>>>    12:05:49.096104 IP6 2a02:<cenzurat>::4 > 2a02:<cenzurat>::3: ICMP6, echo request, seq 2, length 64
> > > >>>>    12:05:49.096197 IP6 2a02:<cenzurat>::3 > 2a02:<cenzurat>::4: ICMP6, echo reply, seq 2, length 64
> > > >>>>    12:05:50.120100 IP6 2a02:<cenzurat>::4 > 2a02:<cenzurat>::3: ICMP6, echo request, seq 3, length 64
> > > >>>>    12:05:50.120187 IP6 2a02:<cenzurat>::3 > 2a02:<cenzurat>::4: ICMP6, echo reply, seq 3, length 64
> > > >>>>
> > > >>>> The difference is that the router sends the neighbor solicitation
> > > >>>> from its link-local address, while the Linux desktop sends it from
> > > >>>> its global address. I don't understand why that would matter.
> > > >>>>
> > > >>>> Mihai
> > > >>>>
> > > >>>> PS: my provider isn't RDS, but the allocation mechanism is indeed
> > > >>>> DHCPv6-PD. The provider asks me for a "DUID" (dhcp unique
> > > >>>> identifier), which after some archaeological digging I found out is
> > > >>>> 00:03:00:01 plus the MAC address. After that I convinced the
> > > >>>> odhcp6c client on the router to send this as the "clientid", since
> > > >>>> by default it didn't. Now the router does indeed hand the internal
> > > >>>> network the subnet/prefix promised by the provider (confirmed by
> > > >>>> the GUI as well as by "ip -6 route"). That part is fine.
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>> On 1/11/20 10:57 AM, Adrian Minta wrote:
> > > >>>>> Hi,
> > > >>>>>
> > > >>>>> On FreeBSD there are several types of firewall. You may have
> > > >>>>> rules made with PF:
> > > >>>>>
> > > >>>>> https://forum.netgate.com/topic/23288/ipfw-vs-pf-knowledge-article
> > > >>>>>
> > > >>>>> For ND to work you have to allow ICMPv6:
> > > >>>>>
> > > >>>>> https://blog.apnic.net/2019/10/18/how-to-ipv6-neighbor-discovery/
> > > >>>>>
> > > >>>>> For testing I would disable every trace of a firewall on the servers
> > > >>>>> and check with a laptop added to the network. That way you can see
> > > >>>>> whether the problem is with the router or with the server.
> > > >>>>>
> > > >>>>> Also, on the ASUS router it's better to start with the original
> > > >>>>> image and only move to something else once everything works
> > > >>>>> perfectly.
> > > >>>>>
> > > >>>>>
> > > >>>>> For allocating ipv6 addresses in the LAN there are several methods:
> > > >>>>>
> > > >>>>> 1. Using the SLAAC mechanism, without a DHCPv6 server.
> > > >>>>>
> > > >>>>> 2. SLAAC plus a DHCPv6 server for the DNS servers or other
> > > >>>>> information that can be sent via DHCP. Initially SLAAC could not
> > > >>>>> provide information about DNS servers, which is why this
> > > >>>>> mechanism appeared.
> > > >>>>>
> > > >>>>> 3. Using a stateful DHCPv6 server, similar to the ipv4 one.
> > > >>>>> People in the "enterprise" world want to control who connects to
> > > >>>>> the network and asked for such a mechanism to be implemented.
> > > >>>>> Unfortunately someone at google seems to care a lot about "privacy".
> > > >>>>>
> > > >>>>> 4. Of course, static allocation.
> > > >>>>>
> > > >>>>> In the case of RDS your router gets an ipv6 address on the PPPoE
> > > >>>>> interface allocated via the native mechanism. Your router then has
> > > >>>>> to request, via DHCPv6-PD, a subnet to distribute in the LAN via
> > > >>>>> SLAAC.
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >>>>> On 1/11/20 1:24 AM, Mihai Osian wrote:
> > > >>>>>>   I don't think anything is broken - all the non-IPv6 stuff works
> > > >>>>>> fine. The problem is somewhere between the chair and the keyboard -
> > > >>>>>> I'm configuring something wrong. There's also the complication that
> > > >>>>>> the server is a FreeBSD jail (FreeNAS, to be exact), and my BSD
> > > >>>>>> knowledge is just as limited as my IPv6 knowledge. That's why I'm
> > > >>>>>> asking on the list, maybe someone can give me a hint :-).
> > > >>>>>>
> > > >>>>>>
> > > >>>>>> Things I don't know:
> > > >>>>>>
> > > >>>>>> 1. How/whether the firewall on the bsd server is actually
> > > >>>>>> configured. If I run "ipfw" either on the host or in the jail, it
> > > >>>>>> says the same thing:
> > > >>>>>>
> > > >>>>>>    root@freenas:~ # ipfw list
> > > >>>>>>    65535 allow ip from any to any
> > > >>>>>>
> > > >>>>>> But I wouldn't swear that this covers ipv6 too. The ipfw man page
> > > >>>>>> is some 20000 lines of text, I haven't untangled it yet.
> > > >>>>>>
> > > >>>>>> 2. What the relationship is between the bsd host and the jail (how
> > > >>>>>> packets are handled/forwarded). The jail has a ton of configuration
> > > >>>>>> options and some I don't understand, for example "ip6.saddrsel"
> > > >>>>>> (google "man jail freebsd 12").
> > > >>>>>>
> > > >>>>>> 3. Whether I did the right thing by setting the jail's IPv6 address
> > > >>>>>> statically/by hand. Maybe the jail now keeps quiet instead of
> > > >>>>>> broadcasting its address, and as a result the router never learns
> > > >>>>>> of its existence (I don't know, I'm guessing). Maybe there is some
> > > >>>>>> mechanism (DHCP6 or something) by which the router can assign
> > > >>>>>> static IPv6 addresses, similar to IPv4. The problem is that my
> > > >>>>>> router's web interface has no such option - I can choose between
> > > >>>>>> "disabled, native, static, passthrough, tunnel6to4, etc". I tried
> > > >>>>>> all the combinations, "native" seems the most promising.
> > > >>>>>> I forgot to mention - for the ISP I have to supply a "DUID", which
> > > >>>>>> of course doesn't exist anywhere in the web interface. I figured
> > > >>>>>> out how to do it after about a week of digging (details on
> > > >>>>>> request), but that too only works from the command line. On my
> > > >>>>>> Linux workstation I also configured a static ipv6, and that seems
> > > >>>>>> to work. I say "seems" because I can't really test from outside
> > > >>>>>> without "activating" the router (ok, I could, but it's more
> > > >>>>>> complicated).
> > > >>>>>>
> > > >>>>>> So there could be many problems, and they could be related to
> > > >>>>>> FreeBSD, not to Linux. I'm still reading documentation, but for now
> > > >>>>>> I don't even know for sure where to start.
> > > >>>>>>
> > > >>>>>> Mihai
> > > >>>>>>
> > > >>>>>>
> > > >>>>>> On 1/10/20 10:08 PM, Adrian Minta wrote:
> > > >>>>>>> Hi,
> > > >>>>>>>
> > > >>>>>>> ipv6 doesn't use ARP but another mechanism, ND (Neighbor
> > > >>>>>>> Discovery), based on multicast.
> > > >>>>>>>
> > > >>>>>>> Could you be having some problems with multicast?
> > > >>>>>>>
> > > >>>>>>> A firewall on the server, or a faulty network switch?
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>> On 1/10/20 10:27 PM, Mihai Osian wrote:
> > > >>>>>>>>
> > > >>>>>>>>   I've recovered from the New Year shock and dug some more
> > > >>>>>>>> around the problem. I found out that the server's MAC address is
> > > >>>>>>>> kept in the router's ARP cache only for a limited time. Right
> > > >>>>>>>> after the ping the ARP entry shows as "REACHABLE", within 20
> > > >>>>>>>> seconds it turns into "STALE", and after 1 minute it disappears
> > > >>>>>>>> completely. Something like:
> > > >>>>>>>>
> > > >>>>>>>>    admin@RT-AC68U-68A8:/tmp/home/root# ping6 2a02:<cenzurat>::3
> > > >>>>>>>>    PING 2a02:<cenzurat>::3 (2a02:<cenzurat>::3): 56 data bytes
> > > >>>>>>>>    64 bytes from 2a02:<cenzurat>::3: seq=0 ttl=64 time=10.386 ms
> > > >>>>>>>>    64 bytes from 2a02:<cenzurat>::3: seq=1 ttl=64 time=0.385 ms
> > > >>>>>>>>    64 bytes from 2a02:<cenzurat>::3: seq=2 ttl=64 time=0.414 ms
> > > >>>>>>>>    ^C
> > > >>>>>>>>    --- 2a02:<cenzurat>::3 ping statistics ---
> > > >>>>>>>>    3 packets transmitted, 3 packets received, 0% packet loss
> > > >>>>>>>>    round-trip min/avg/max = 0.385/3.728/10.386 ms
> > > >>>>>>>>
> > > >>>>>>>>    admin@RT-AC68U-68A8:/tmp/home/root# watch ip -6 neigh | grep '::3'
> > > >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 REACHABLE
> > > >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
> > > >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
> > > >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
> > > >>>>>>>>    [...]
> > > >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
> > > >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
> > > >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 STALE
> > > >>>>>>>>    [~1 minute ==> disappears]
> > > >>>>>>>>    ^C
> > > >>>>>>>>    admin@RT-AC68U-68A8:/tmp/home/root#
> > > >>>>>>>>
> > > >>>>>>>> The solution seems to be a manual entry:
> > > >>>>>>>>
> > > >>>>>>>>    admin@RT-AC68U-68A8:/tmp/home/root# ip -6 neigh add 2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24
> > > >>>>>>>>    admin@RT-AC68U-68A8:/tmp/home/root# ip -6 neigh
> > > >>>>>>>>    2a02:<cenzurat>:3df4 dev br0 lladdr b8:ae:ed:ea:5f:12 STALE
> > > >>>>>>>>    2a02:<cenzurat>::4 dev br0 lladdr 70:85:c2:59:dc:19 REACHABLE
> > > >>>>>>>>    2a02:<cenzurat>::3 dev br0 lladdr 08:62:66:2d:5e:24 *PERMANENT*
> > > >>>>>>>>    [...]
> > > >>>>>>>>
> > > >>>>>>>> And my web server is now visible over IPv6. At least until the
> > > >>>>>>>> power goes out or I reboot the router....
> > > >>>>>>>>
> > > >>>>>>>> Mihai
> > > >>>>>>>>
> > > >>>>>>>>
> > > >>>>>>
> > > >>>>>> _______________________________________________
> > > >>>>>> RLUG mailing list
> > > >>>>>> [email protected]
> > > >>>>>> http://lists.lug.ro/mailman/listinfo/rlug_lists.lug.ro
> > > >>>>>
> > > >>>>
> > > >>>
> > > >>
> > > >>
> > > >
> > >
> > >
> > >
> >
>
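The two tcpdump captures quoted in the thread show the same solicited-node NS pattern once unanswered (the router soliciting from its link-local address) and once answered (the desktop soliciting from its global address). As an added example, not part of the thread, the script below pairs tcpdump ICMP6 neighbor solicitations with the unicast neighbor advertisements that answer them and reports the solicitors left waiting; the sample capture is constructed after the quoted output, with the documentation prefix 2001:db8::/32 standing in for the redacted provider prefix.

```python
import re

# Constructed sample modelled on the tcpdump output quoted in the thread: the
# router's NS from its link-local address gets no answer, while the desktop's
# NS from a global address is answered with a unicast NA.  2001:db8::/32 is
# the documentation prefix, standing in for the redacted provider prefix.
SAMPLE_CAPTURE = """\
12:04:59.055588 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2001:db8:1::3, length 32
12:05:00.055630 IP6 fe80::e23f:49ff:fe24:68a8 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2001:db8:1::3, length 32
12:05:02.729031 IP6 fe80::e23f:49ff:fe24:68a8 > ip6-allnodes.example.com: ICMP6, router advertisement, length 112
12:05:48.089230 IP6 2001:db8:1::4 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2001:db8:1::3, length 32
12:05:48.089309 IP6 2001:db8:1::3 > 2001:db8:1::4: ICMP6, neighbor advertisement, tgt is 2001:db8:1::3, length 32
12:05:48.089433 IP6 2001:db8:1::4 > 2001:db8:1::3: ICMP6, echo request, seq 1, length 64
"""

# tcpdump's one-line ICMP6 rendering: "<ts> IP6 <src> > <dst>: ICMP6, <type>, ..."
NS_RE = re.compile(r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, "
                   r"neighbor solicitation, who has (?P<tgt>\S+), length \d+$")
NA_RE = re.compile(r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, "
                   r"neighbor advertisement, tgt is (?P<tgt>\S+), length \d+$")
ALL_NODES = "ff02::1"  # an NA sent here is unsolicited and answers everyone


def unanswered_solicitations(capture: str) -> list[tuple[str, str, int]]:
    """Return (solicitor, target, NS count) for every NS no NA answered.

    A solicited NA is unicast back to the solicitor (RFC 4861), so the
    pairing key is (solicitor, target); an all-nodes NA clears every
    outstanding solicitor for its target.
    """
    pending: dict[tuple[str, str], int] = {}
    for line in capture.splitlines():
        ns = NS_RE.match(line)
        if ns:
            key = (ns["src"], ns["tgt"])
            pending[key] = pending.get(key, 0) + 1
            continue
        na = NA_RE.match(line)
        if not na:
            continue  # RAs, echo request/reply etc. play no part in the pairing
        if na["dst"] == ALL_NODES:
            for key in [k for k in pending if k[1] == na["tgt"]]:
                del pending[key]
        else:
            pending.pop((na["dst"], na["tgt"]), None)
    return sorted((src, tgt, n) for (src, tgt), n in pending.items())


if __name__ == "__main__":
    for src, tgt, n in unanswered_solicitations(SAMPLE_CAPTURE):
        print(f"{n} NS from {src} for {tgt} never answered")
```

Feed it `tcpdump -i bridge0 -l icmp6` output from the host and an entry that keeps reappearing with no matching NA points at the side that never answers, which is the distinction the thread was trying to make between the router's and the desktop's solicitations.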
