Re: [Shorewall-users] last missing Shorewall6 piece, ping6 from LAN to 'NET ?

2021-05-20 Thread thad17
Hello Alexander,

On Thu, May 20, 2021, at 7:33 AM, Alexander Stoll wrote:
> When you receive only a /64 subnet, this gets really complicated and
> depends on every involved software which has to support subnets smaller
> than /64.
> In this situation you may be better off with a NAT solution.


Here, with ATT as my upstream, the MODEM, which sits in front of the ROUTER, 
_serves_ a delegation via DHCP6 via its ROUTER-facing interface.

That "IPv6 Addressing Subnet (including length)", apparently configured from 
upstream, is a /64.

THAT is what the ROUTER gets.

As far as I can tell, that can't be changed.  At least not in the UI.  Maybe 
there's a 'hidden' setting you can set via SSH session;  I sure haven't found 
it yet.

Internally, the LAN clients get delegated assignments from radvd, using a 
"prefix ::/64 {" advertisement.  I _might_ be able to safely expand that beyond 
the /64 -- I just am not sure.

Since I (1) don't get a /56, and (2) control _none_ of the upstream, sounds 
like NAT is my best bet.  Even if 'ugly'.

Thanks!

Thad


___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] last missing Shorewall6 piece, ping6 from LAN to 'NET ?

2021-05-20 Thread Alexander Stoll

On 20.05.2021 at 13:04, tha...@letterboxes.org wrote:


> So with this I end up with NAT'd IPv6.  Which I thought you weren't
> supposed to do.

yes, this is ugly and something to avoid whenever possible...


> But I guess if I'm going to have private internal IPv6 addresses,
> either static &/or delegated, then I have to do this somehow.

It depends how IPv6 address space is delegated to you.
Here in Germany our biggest telco dynamically delegates a /56 subnet,
which is plenty of space for almost everything.
Because it is dynamically allocated via DHCP on every new connect, for
static service allocation in internal nets we are forced to use ULA
address space for internal services and delegate derived subnets from
the provider's global unicast delegation to clients for internet access.



> I keep thinking there's a routing solution that solves this, but I
> can't figure it out.  And your NAT suggestion does fix it for now.

When you receive only a /64 subnet, this gets really complicated and
depends on every involved software which has to support subnets smaller
than /64.
In this situation you may be better off with a NAT solution.

Best wishes





Re: [Shorewall-users] last missing Shorewall6 piece, ping6 from LAN to 'NET ?

2021-05-20 Thread thad17
Hello,

>   SNAT([2600:::::53])  [2600:::::]/64  enp2s0
> 
> with that, you should now see the 'echo reply'.

Wow, that worked!

I just assumed that since I wasn't seeing DROP/REJECT of packets, I didn't 
have a problem like that.  Never thought that the packets weren't even getting 
back.

So with this I end up with NAT'd IPv6.  Which I thought you weren't supposed to 
do.

But I guess if I'm going to have private internal IPv6 addresses, either static 
&/or delegated, then I have to do this somehow.

I keep thinking there's a routing solution that solves this, but I can't figure 
it out.  And your NAT suggestion does fix it for now.

I checked speedtests, and even with the IPv6 NATing like above my IPv6 up/down 
speeds checked @DESKTOP are ~25% better than IPv4.

I'll take that.

Thanks!

Thad




Re: [Shorewall-users] last missing Shorewall6 piece, ping6 from LAN to 'NET ?

2021-05-19 Thread PGNet Dev

thad,

look with tcpdump @ icmp6 traffic across your ext router interface while you 
ping6 from your lan; for your setup



tcpdump -n -i enp2s0 icmp6



you'll likely see 'echo request' going out, from your desktop IP address, but 
no 'echo reply' returning.

the "net" needs to know to return back to your modem's public-facing address -- 
not the internal, delegated IP handed out by radvd.



one way around this in SW is to declare an IPv6 SNAT rule.



in /snat,



SNAT()   



trying to follow back through your posts :-/, that should be



SNAT([2600:::::53])  [2600:::::]/64  enp2s0



with that, you should now see the 'echo reply'.

the in-place IPv6 routing should take care of the rest, routing the packet back 
to your desktop, and ping6 -- and general access -- from the lan should work to 
the net.
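The diagnostic above (echo requests leaving the external interface with no echo reply coming back) can be automated over a capture. The Python script below is an added example, not code from this thread or from the Shorewall project: it pairs ICMPv6 echo requests with replies in `tcpdump -n icmp6` output and reports which unanswered requests came from behind the router. The tcpdump lines and the 2001:db8::/32 addresses are constructed, and the LAN prefix passed to `classify_by_origin` is an assumption standing in for the delegated /64.

```python
"""Pair ICMPv6 echo requests with echo replies in tcpdump output and report
unanswered requests, split by whether they originated from the LAN prefix.

Added example for this thread, not from the original posts or from Shorewall.
The capture below is constructed; addresses come from the 2001:db8::/32
documentation range rather than the thread's (redacted) real ones.
"""
import ipaddress
import re

# Constructed sample of what `tcpdump -n -i <ext-if> icmp6` prints:
# the router's own ping is answered, the desktop's pings are not.
SAMPLE_CAPTURE = """\
10:00:01.000100 IP6 2001:db8:1::53 > 2001:db8:ffff::200e: ICMP6, echo request, id 7, seq 1, length 64
10:00:01.020300 IP6 2001:db8:ffff::200e > 2001:db8:1::53: ICMP6, echo reply, id 7, seq 1, length 64
10:00:05.000100 IP6 2001:db8:2::23e1 > 2001:db8:ffff::200e: ICMP6, echo request, id 9, seq 1, length 64
10:00:06.000100 IP6 2001:db8:2::23e1 > 2001:db8:ffff::200e: ICMP6, echo request, id 9, seq 2, length 64
10:00:07.000100 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 64
"""

# Older tcpdump versions omit the "id N," field, so it is optional here.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>[0-9a-fA-F:.]+) > (?P<dst>[0-9a-fA-F:.]+): "
    r"ICMP6, echo (?P<kind>request|reply), (?:id (?P<id>\d+), )?seq (?P<seq>\d+)"
)


def parse_echoes(capture):
    """Yield (kind, src, dst, id, seq) for each echo line; skip other ICMP6."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            ident = int(m["id"]) if m["id"] else 0
            yield (m["kind"], m["src"], m["dst"], ident, int(m["seq"]))


def unanswered_requests(capture):
    """Return (src, dst, id, seq) tuples of echo requests with no matching reply.

    A reply matches when it travels from the request's destination back to
    the request's source with the same id and seq.
    """
    requests = []
    replies = set()
    for kind, src, dst, ident, seq in parse_echoes(capture):
        if kind == "request":
            requests.append((src, dst, ident, seq))
        else:
            # Store the reply keyed the way its request was seen (src/dst swapped).
            replies.add((dst, src, ident, seq))
    return [r for r in requests if r not in replies]


def classify_by_origin(unanswered, lan_prefix):
    """Split unanswered requests into LAN-sourced and everything else.

    If only LAN-sourced requests go unanswered while the router's own are
    answered, the return path for the internal prefix is the problem (which
    is what an SNAT rule works around), not a firewall DROP/REJECT.
    """
    net = ipaddress.ip_network(lan_prefix, strict=False)  # assumed LAN prefix
    from_lan, other = [], []
    for req in unanswered:
        (from_lan if ipaddress.ip_address(req[0]) in net else other).append(req)
    return from_lan, other


if __name__ == "__main__":
    missing = unanswered_requests(SAMPLE_CAPTURE)
    lan, other = classify_by_origin(missing, "2001:db8:2::/64")
    print(f"{len(missing)} unanswered echo request(s); {len(lan)} from the LAN prefix")
    for src, dst, ident, seq in lan:
        print(f"  {src} -> {dst} id={ident} seq={seq}: no reply seen on external interface")
```

On a real router, feed it the text from `tcpdump -n -i enp2s0 icmp6` and pass the delegated /64 as the prefix; requests from the router's own external address being answered while LAN-sourced ones are not is the signature described in this message.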





Re: [Shorewall-users] last missing Shorewall6 piece, ping6 from LAN to 'NET ?

2021-05-19 Thread thad17
Matt,

On Wed, May 19, 2021, at 3:15 PM, Matt Darfeuille wrote:
> To ensure that Shorewall is the issue:
> 
> $ shorewall6 clear
> 
> Is everything working if you disable ('cleared') the firewall?

If I do that^^ clear, nothing changes.  I can ping everywhere, just like 
before, EXCEPT from DESKTOP/LAN to the 'NET.

But doesn't that just tell me that Shorewall hasn't been setup properly by me 
-- to set the routes, rules, whatever?  Not that Shorewall's doing something 
wrong?

> Does it work if you remove your library file and set IP_FORWARDING=Yes
> in shorewall6.conf?

No difference; same behavior as before.

> Is traffic allowed from your desktop to the net (policy/rules file)?

I thought it is.  Open to finding out I'm wrong.

I have

/interfaces
net    EXTIF   physical=enp2s0,tcpflags,forward=1,accept_ra=1,nosmurfs
-      INTIF   physical=enp3s0,tcpflags,forward=1,accept_ra=1

/hosts
lan    INTIF:[fd81:17:15::]/116
lan2   INTIF:[2600:::::]/64

/zones
fw     firewall
net    ipv6
lan    ipv6
lan2   ipv6

/policy
$FW    $FW    ACCEPT   err
$FW    all+   ACCEPT   err

lan    lan    ACCEPT   err
lan    lan2   ACCEPT   err
lan    net    ACCEPT   err
lan    $FW    ACCEPT   err

lan2   lan2   ACCEPT   err
lan2   lan    ACCEPT   err
lan2   net    ACCEPT   err
lan2   $FW    ACCEPT   err

net    all    DROP     debug
all    all    REJECT   debug


where,

ip -6 addr show enp3s0

3: enp3s0:  mtu 1500 state UP qlen 1000
inet6 2600:::::1/64 scope global dynamic 
noprefixroute
valid_lft 2876sec preferred_lft 2876sec
inet6 fd81:17:15::128/116 scope global
valid_lft forever preferred_lft forever
inet6 fe80::e310:84ed:bda1:a331/64 scope link
valid_lft forever preferred_lft forever


> In shorewall.conf are ipv6 packets not disabled (looks like it isn't)?

Sorry I don't understand this one.  What setting am I looking for?

Thad




Re: [Shorewall-users] last missing Shorewall6 piece, ping6 from LAN to 'NET ?

2021-05-19 Thread Matt Darfeuille
On 5/19/2021 7:31 PM, tha...@letterboxes.org wrote:
> Hello Matt,
> 
> On Wed, May 19, 2021, at 1:17 PM, Matt Darfeuille wrote:
>>> sysctl -a | grep ipv6 | grep "\.forwarding"
>>>  net.ipv6.conf.all.forwarding = 1
>>>  net.ipv6.conf.default.forwarding = 1
>>>  net.ipv6.conf.enp2s0.forwarding = 1
>>>  net.ipv6.conf.enp3s0.forwarding = 1
>>>  net.ipv6.conf.lo.forwarding = 1
>>>
>>
>> Did you set it via Shorewall? If not, please ensure that IP_FORWARDING
>> is set to keep/yes in shorewall[6].conf
> 
> 
> I have it set with
> 
>  grep -i forwarding /etc/sysctl.d/90-override.conf
>   net.ipv6.conf.all.forwarding = 1
>   net.ipv4.conf.all.forwarding = 1
> 
> in Shorewall lib.private I have
> 
>   setup_sysctls() {
>   echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
>   echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>   echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
>   echo 0 > /proc/sys/net/ipv4/ip_dynaddr
>   echo 1 > /proc/sys/net/ipv4/ip_forward
>   echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
>   echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
>   echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
>   echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
>   echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
>   echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
>   }
> 
> and in shorewall6.conf
> 
>   IP_FORWARDING=Keep
> 
> 
> As I understand it this is something that I should be able to setup just in 
> Shorewall.
> But just in case I also posted the question more generally @ stackexchange,
> 
> https://unix.stackexchange.com/questions/650410/setting-up-an-ipv6-router-with-two-interfaces-why-is-only-my-configs-lan-n
> 
> I've tried a bunch of various route additions.  I'm just guessing at it.  So 
> far nothing I did gets me 'out' that last leg.
> 

I can't help you with routes but here are some hints:

To ensure that Shorewall is the issue:

$ shorewall6 clear

Is everything working if you disable ('cleared') the firewall?

Does it work if you remove your library file and set IP_FORWARDING=Yes
in shorewall6.conf?

Is traffic allowed from your desktop to the net (policy/rules file)?

In shorewall.conf are ipv6 packets not disabled (looks like it isn't)?

1)  https://shorewall.org/SharedConfig.html


HTH.

-- 
Matt Darfeuille 
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org




Re: [Shorewall-users] last missing Shorewall6 piece, ping6 from LAN to 'NET ?

2021-05-19 Thread thad17
Hello Matt,

On Wed, May 19, 2021, at 1:17 PM, Matt Darfeuille wrote:
> > sysctl -a | grep ipv6 | grep "\.forwarding"
> >  net.ipv6.conf.all.forwarding = 1
> >  net.ipv6.conf.default.forwarding = 1
> >  net.ipv6.conf.enp2s0.forwarding = 1
> >  net.ipv6.conf.enp3s0.forwarding = 1
> >  net.ipv6.conf.lo.forwarding = 1
> > 
> 
> Did you set it via Shorewall? If not, please ensure that IP_FORWARDING
> is set to keep/yes in shorewall[6].conf


I have it set with

 grep -i forwarding /etc/sysctl.d/90-override.conf
  net.ipv6.conf.all.forwarding = 1
  net.ipv4.conf.all.forwarding = 1

in Shorewall lib.private I have

setup_sysctls() {
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 0 > /proc/sys/net/ipv4/ip_dynaddr
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
}

and in shorewall6.conf

IP_FORWARDING=Keep


As I understand it this is something that I should be able to setup just in 
Shorewall.
But just in case I also posted the question more generally @ stackexchange,

https://unix.stackexchange.com/questions/650410/setting-up-an-ipv6-router-with-two-interfaces-why-is-only-my-configs-lan-n

I've tried a bunch of various route additions.  I'm just guessing at it.  So 
far nothing I did gets me 'out' that last leg.

Thad





Re: [Shorewall-users] last missing Shorewall6 piece, ping6 from LAN to 'NET ?

2021-05-19 Thread Matt Darfeuille
On 5/19/2021 12:42 PM, tha...@letterboxes.org wrote:
> Hi,
> 
> On Wed, May 19, 2021, at 3:34 AM, Tuomo Soini wrote:
>> I'd guess you forgot to enable ipv6 forwarding.
> 
> I already set forwarding 
> 
> sysctl -a | grep ipv6 | grep "\.forwarding"
>  net.ipv6.conf.all.forwarding = 1
>  net.ipv6.conf.default.forwarding = 1
>  net.ipv6.conf.enp2s0.forwarding = 1
>  net.ipv6.conf.enp3s0.forwarding = 1
>  net.ipv6.conf.lo.forwarding = 1
> 

Did you set it via Shorewall? If not, please ensure that IP_FORWARDING
is set to keep/yes in shorewall[6].conf

-- 
Matt Darfeuille 
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org




Re: [Shorewall-users] last missing Shorewall6 piece, ping6 from LAN to 'NET ?

2021-05-19 Thread thad17
Hi,

On Wed, May 19, 2021, at 3:34 AM, Tuomo Soini wrote:
> I'd guess you forgot to enable ipv6 forwarding.

I already set forwarding 

sysctl -a | grep ipv6 | grep "\.forwarding"
 net.ipv6.conf.all.forwarding = 1
 net.ipv6.conf.default.forwarding = 1
 net.ipv6.conf.enp2s0.forwarding = 1
 net.ipv6.conf.enp3s0.forwarding = 1
 net.ipv6.conf.lo.forwarding = 1

unless there's some more config you need, that's not it.

Thad




Re: [Shorewall-users] last missing Shorewall6 piece, ping6 from LAN to 'NET ?

2021-05-19 Thread Tuomo Soini
On Tue, 18 May 2021 17:57:32 -0400
tha...@letterboxes.org wrote:

> Feels like I'm finally close to getting this all working at the same
> time. I'm still missing the last piece -- ping6 from LAN to 'NET

I'd guess you forgot to enable ipv6 forwarding.

-- 
Tuomo Soini 
Foobar Linux services
+358 40 5240030
Foobar Oy 




[Shorewall-users] last missing Shorewall6 piece, ping6 from LAN to 'NET ?

2021-05-18 Thread thad17
Feels like I'm finally close to getting this all working at the same time.
I'm still missing the last piece -- ping6 from LAN to 'NET

(1) router

ip -6 addr show
...
EXT 2: enp2s0:  mtu 1500 state UP 
qlen 1000
inet6 2600:::::53/128 scope global dynamic 
noprefixroute
valid_lft 2876sec preferred_lft 2876sec
inet6 fe80::e310:84ed:bda1:a330/64 scope link
valid_lft forever preferred_lft forever
INT 3: enp3s0:  mtu 1500 state UP 
qlen 1000
inet6 2600:::::1/64 scope global dynamic 
noprefixroute
valid_lft 2876sec preferred_lft 2876sec
inet6 fd81:17:15::128/116 scope global
valid_lft forever preferred_lft forever
inet6 fe80::e310:84ed:bda1:a331/64 scope link
valid_lft forever preferred_lft forever

ip -6 route show
::1 dev lo proto kernel metric 256 pref medium
2600:::::/64 dev enp3s0 proto dhcp metric 1003 pref 
medium
fd81:17:15::/116 dev enp3s0 proto kernel metric 256 pref medium
fe80::/64 dev enp2s0 proto kernel metric 256 pref medium
fe80::/64 dev enp3s0 proto kernel metric 256 pref medium
default via fe80::4e12:65ff:fe9c:e3e0 dev enp2s0 metric 1024 
pref medium

(2) desktop

ip -6 addr show
...
4: enp5s0:  mtu 1500 state UP 
qlen 1000
inet6 2600:::::::23e1/64 scope 
global dynamic mngtmpaddr noprefixroute
valid_lft 86391sec preferred_lft 14391sec
inet6 fd81:17:15::7/116 scope global
valid_lft forever preferred_lft forever
inet6 fe80::6d9:::23e1/64 scope link
valid_lft forever preferred_lft forever

ip -6 route show
::1 dev lo proto kernel metric 256 pref medium
2600:::::/64 dev enp5s0 proto ra metric 1024 
expires 86397sec pref medium
fd81:17:15::/116 dev enp5s0 proto kernel metric 256 pref medium
fd81:17:15::/116 dev enp5s0 proto ra metric 1024 expires 
86397sec pref medium
fe80::/64 dev enp5s0 proto kernel metric 256 pref medium
default proto static metric 1024 pref medium
nexthop via fd81:17:15::128 dev enp5s0 weight 1 
onlink
nexthop via fe80::e310:84ed:bda1:a331 dev 
enp5s0 weight 1


ON desktop, I

*CAN* ping6

@desktop
2600:::::::23e1
fd81:17:15::7
@router, INT
2600:::::1
fd81:17:15::128
@router, EXT
2600:::::53

can *NOT* ping6

@desktop
fe80::6d9:::23e1
@router, INT
fe80::e310:84ed:bda1:a331
@router, EXT
fe80::e310:84ed:bda1:a330
google.com
2607:f8b0:4008:803::200e

ON router, I

*CAN* ping6

@desktop
2600:::::::23e1
fd81:17:15::7
@router, INT
2600:::::1
fd81:17:15::128
@router, EXT
2600:::::53

and,
can *NOT* ping6

@desktop
fe80::6d9:::23e1
@router, INT
fe80::e310:84ed:bda1:a331
@router, EXT
fe80::e310:84ed:bda1:a330

BUT, I

*CAN* ping6
google.com
2607:f8b0:4008:803::200e


I.e., ping6

router  -> google.com  OK
desktop -> google.com  FAIL


Any hints about what the missing piece is?
Is it a route, rule, policy or other Shorewall config that I need?

Thanks,

Thad

