Re: [Shorewall-users] Fw: IPV6 Tunnel Ping Fail

‐‐‐ Original Message ‐‐‐
On April 6, 2018 2:32 PM, Tom Eastep wrote:

> On 04/06/2018 01:22 PM, colony.three--- via Shorewall-users wrote:
>
>> ‐‐‐ Original Message ‐‐‐
>> On April 6, 2018 11:58 AM, colony.th...@protonmail.ch wrote:
>>
>>> ‐‐‐ Original Message ‐‐‐
>>> On April 6, 2018 11:44 AM, Tom Eastep teas...@shorewall.net wrote:
>>>
>>>>> After shorewall6 clear, ping6 just hangs.
>>>>>
>>>>> ping6 google.com
>>>>> PING google.com(sea15s01-in-x0e.1e100.net (2607:f8b0:400a:806::200e)) 56 data bytes
>>>>> ^C
>>>>> --- google.com ping statistics ---
>>>>> 20 packets transmitted, 0 received, 100% packet loss, time 19000ms
>>>>
>>>> Your routing is all screwed up. You are trying to use the same /64 on
>>>> three different networks. When you get a tunnel from HE, you get two /64
>>>> networks: one on the sit device, and one to use in your local
>>>> network(s).
>>>>
>>>> You can subdivide the second /64 between multiple networks, but then the
>>>> prefix length for those networks must be > 64 and you cannot use
>>>> stateless autoconfiguration.
>>>>
>>>> -Tom
>>>>
>>>> Tom Eastep        \   Q: What do you get when you cross a mobster with
>>>> Shoreline,         \   an international standard?
>>>> Washington, USA     \ A: Someone who makes you an offer you can't
>>>> http://shorewall.org \ understand
>>>
>>> Understand, but I do have 2001:470:a:c3::2 set on the tunnel interface,
>>> and for the LAN I've set 2001:470:b:c3::/64 like they say.
>>>
>>> ip -6 route
>>> ===
>>> unreachable ::/96 dev lo metric 1024 error -113
>>> unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113
>>> 2001:470:a:c3::/64 dev he-ipv6 proto kernel metric 256
>>> 2001:470:b:c3::/64 dev eth1 proto kernel metric 256
>>> 2001:470:b:c3::/64 dev eth2 proto kernel metric 256
>>> unreachable 2002:a00::/24 dev lo metric 1024 error -113
>>> unreachable 2002:7f00::/24 dev lo metric 1024 error -113
>>> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
>>> unreachable 2002:ac10::/28 dev lo metric 1024 error -113
>>> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
>>> unreachable 2002:e000::/19 dev lo metric 1024 error -113
>>> unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113
>>> fe80::/64 dev eth1 proto kernel metric 256
>>> fe80::/64 dev eth2 proto kernel metric 256
>>> fe80::/64 dev eth0 proto kernel metric 256
>>> fe80::/64 dev he-ipv6 proto kernel metric 256
>>> default dev he-ipv6 metric 1024
>>>
>>> True I don't have a gateway set on eth1, but that -is- the LAN gateway.
>>>
>>> To set up the tunnel I'm using the systemd service copied almost
>>> word-for-word from the Arch doc:
>>>
>>> [Unit]
>>> Description=he.net IPv6 tunnel
>>> After=network.target
>>>
>>> [Service]
>>> Type=oneshot
>>> RemainAfterExit=yes
>>> ExecStart=/usr/sbin/ip tunnel add he-ipv6 mode sit remote 216.218.226.238 local 50.47.100.167 ttl 255
>>> ExecStart=/usr/sbin/ip link set he-ipv6 up mtu 1480
>>> ExecStart=/usr/sbin/ip addr add 2001:470:a:c3::2/64 dev he-ipv6
>>> ExecStart=/usr/sbin/ip -6 route add ::/0 dev he-ipv6
>>> ExecStop=/usr/sbin/ip -6 route del ::/0 dev he-ipv6
>>> ExecStop=/usr/sbin/ip link set he-ipv6 down
>>> ExecStop=/usr/sbin/ip tunnel del he-ipv6
>>>
>>> [Install]
>>> WantedBy=multi-user.target
>>
>> I must be being dense here. Can someone please explain what Tom is telling
>> me here?
>
> What I am telling you is that you have these two routes:
>
> fe80::/64 dev eth2 proto kernel metric 256
> fe80::/64 dev eth1 proto kernel metric 256
>
> So the hosts connected to one of those are going to be unreachable. You
> need to configure the IP addresses on those devices as /72, not /64,
> which means that you will have to assign IP addresses to hosts connected
> to those interfaces manually or using DHCPv6. You will not be able to
> use stateless auto configuration.
>
> You have not told us where you are trying to ping from -- firewall or
> host behind the firewall? But you are not allowing Ping from any place
> to any other place in this configuration; AllowICMPs does *not* allow
> ping; it only allows those ICMPs specified by RFC 4890 as 'must allow'
> by routers. That explains the errors when Shorewall is started. But it
> doesn't explain the issue when Shorewall is cleared. With Shorewall
> cleared, can you ping 2001:470:a:c3::1?
>
> -Tom
Re: [Shorewall-users] Fw: IPV6 Tunnel Ping Fail

On 04/06/2018 01:22 PM, colony.three--- via Shorewall-users wrote:

> ‐‐‐ Original Message ‐‐‐
> On April 6, 2018 11:58 AM, wrote:
>
>> ‐‐‐ Original Message ‐‐‐
>> On April 6, 2018 11:44 AM, Tom Eastep teas...@shorewall.net wrote:
>>
>>>> After shorewall6 clear, ping6 just hangs.
>>>>
>>>> ping6 google.com
>>>> PING google.com(sea15s01-in-x0e.1e100.net (2607:f8b0:400a:806::200e)) 56 data bytes
>>>> ^C
>>>> --- google.com ping statistics ---
>>>> 20 packets transmitted, 0 received, 100% packet loss, time 19000ms
>>>
>>> Your routing is all screwed up. You are trying to use the same /64 on
>>> three different networks. When you get a tunnel from HE, you get two /64
>>> networks: one on the sit device, and one to use in your local network(s).
>>>
>>> You can subdivide the second /64 between multiple networks, but then the
>>> prefix length for those networks must be > 64 and you cannot use
>>> stateless autoconfiguration.
>>>
>>> -Tom
>>>
>>> Tom Eastep        \   Q: What do you get when you cross a mobster with
>>> Shoreline,         \   an international standard?
>>> Washington, USA     \ A: Someone who makes you an offer you can't
>>> http://shorewall.org \ understand
>>
>> Understand, but I do have 2001:470:a:c3::2 set on the tunnel interface, and
>> for the LAN I've set 2001:470:b:c3::/64 like they say.
>>
>> ip -6 route
>> ===
>> unreachable ::/96 dev lo metric 1024 error -113
>> unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113
>> 2001:470:a:c3::/64 dev he-ipv6 proto kernel metric 256
>> 2001:470:b:c3::/64 dev eth1 proto kernel metric 256
>> 2001:470:b:c3::/64 dev eth2 proto kernel metric 256
>> unreachable 2002:a00::/24 dev lo metric 1024 error -113
>> unreachable 2002:7f00::/24 dev lo metric 1024 error -113
>> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
>> unreachable 2002:ac10::/28 dev lo metric 1024 error -113
>> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
>> unreachable 2002:e000::/19 dev lo metric 1024 error -113
>> unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113
>> fe80::/64 dev eth1 proto kernel metric 256
>> fe80::/64 dev eth2 proto kernel metric 256
>> fe80::/64 dev eth0 proto kernel metric 256
>> fe80::/64 dev he-ipv6 proto kernel metric 256
>> default dev he-ipv6 metric 1024
>>
>> True I don't have a gateway set on eth1, but that -is- the LAN gateway.
>>
>> To set up the tunnel I'm using the systemd service copied almost
>> word-for-word from the Arch doc:
>>
>> [Unit]
>> Description=he.net IPv6 tunnel
>> After=network.target
>>
>> [Service]
>> Type=oneshot
>> RemainAfterExit=yes
>> ExecStart=/usr/sbin/ip tunnel add he-ipv6 mode sit remote 216.218.226.238 local 50.47.100.167 ttl 255
>> ExecStart=/usr/sbin/ip link set he-ipv6 up mtu 1480
>> ExecStart=/usr/sbin/ip addr add 2001:470:a:c3::2/64 dev he-ipv6
>> ExecStart=/usr/sbin/ip -6 route add ::/0 dev he-ipv6
>> ExecStop=/usr/sbin/ip -6 route del ::/0 dev he-ipv6
>> ExecStop=/usr/sbin/ip link set he-ipv6 down
>> ExecStop=/usr/sbin/ip tunnel del he-ipv6
>>
>> [Install]
>> WantedBy=multi-user.target
>
> I must be being dense here. Can someone please explain what Tom is telling
> me here?

What I am telling you is that you have these two routes:

fe80::/64 dev eth2 proto kernel metric 256
fe80::/64 dev eth1 proto kernel metric 256

So the hosts connected to one of those are going to be unreachable. You
need to configure the IP addresses on those devices as /72, not /64,
which means that you will have to assign IP addresses to hosts connected
to those interfaces manually or using DHCPv6. You will not be able to
use stateless auto configuration.

You have not told us where you are trying to ping from -- firewall or
host behind the firewall? But you are not allowing Ping from any place
to any other place in this configuration; AllowICMPs does *not* allow
ping; it only allows those ICMPs specified by RFC 4890 as 'must allow'
by routers. That explains the errors when Shorewall is started. But it
doesn't explain the issue when Shorewall is cleared. With Shorewall
cleared, can you ping 2001:470:a:c3::1?

-Tom

--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \   an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Re: [Shorewall-users] Fw: IPV6 Tunnel Ping Fail

‐‐‐ Original Message ‐‐‐
On April 6, 2018 11:58 AM, wrote:

> ‐‐‐ Original Message ‐‐‐
> On April 6, 2018 11:44 AM, Tom Eastep teas...@shorewall.net wrote:
>
>>> After shorewall6 clear, ping6 just hangs.
>>>
>>> ping6 google.com
>>> PING google.com(sea15s01-in-x0e.1e100.net (2607:f8b0:400a:806::200e)) 56 data bytes
>>> ^C
>>> --- google.com ping statistics ---
>>> 20 packets transmitted, 0 received, 100% packet loss, time 19000ms
>>
>> Your routing is all screwed up. You are trying to use the same /64 on
>> three different networks. When you get a tunnel from HE, you get two /64
>> networks: one on the sit device, and one to use in your local network(s).
>>
>> You can subdivide the second /64 between multiple networks, but then the
>> prefix length for those networks must be > 64 and you cannot use
>> stateless autoconfiguration.
>>
>> -Tom
>>
>> Tom Eastep        \   Q: What do you get when you cross a mobster with
>> Shoreline,         \   an international standard?
>> Washington, USA     \ A: Someone who makes you an offer you can't
>> http://shorewall.org \ understand
>
> Understand, but I do have 2001:470:a:c3::2 set on the tunnel interface, and
> for the LAN I've set 2001:470:b:c3::/64 like they say.
>
> ip -6 route
> ===
> unreachable ::/96 dev lo metric 1024 error -113
> unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113
> 2001:470:a:c3::/64 dev he-ipv6 proto kernel metric 256
> 2001:470:b:c3::/64 dev eth1 proto kernel metric 256
> 2001:470:b:c3::/64 dev eth2 proto kernel metric 256
> unreachable 2002:a00::/24 dev lo metric 1024 error -113
> unreachable 2002:7f00::/24 dev lo metric 1024 error -113
> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
> unreachable 2002:ac10::/28 dev lo metric 1024 error -113
> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
> unreachable 2002:e000::/19 dev lo metric 1024 error -113
> unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113
> fe80::/64 dev eth1 proto kernel metric 256
> fe80::/64 dev eth2 proto kernel metric 256
> fe80::/64 dev eth0 proto kernel metric 256
> fe80::/64 dev he-ipv6 proto kernel metric 256
> default dev he-ipv6 metric 1024
>
> True I don't have a gateway set on eth1, but that -is- the LAN gateway.
>
> To set up the tunnel I'm using the systemd service copied almost
> word-for-word from the Arch doc:
>
> [Unit]
> Description=he.net IPv6 tunnel
> After=network.target
>
> [Service]
> Type=oneshot
> RemainAfterExit=yes
> ExecStart=/usr/sbin/ip tunnel add he-ipv6 mode sit remote 216.218.226.238 local 50.47.100.167 ttl 255
> ExecStart=/usr/sbin/ip link set he-ipv6 up mtu 1480
> ExecStart=/usr/sbin/ip addr add 2001:470:a:c3::2/64 dev he-ipv6
> ExecStart=/usr/sbin/ip -6 route add ::/0 dev he-ipv6
> ExecStop=/usr/sbin/ip -6 route del ::/0 dev he-ipv6
> ExecStop=/usr/sbin/ip link set he-ipv6 down
> ExecStop=/usr/sbin/ip tunnel del he-ipv6
>
> [Install]
> WantedBy=multi-user.target

I must be being dense here. Can someone please explain what Tom is telling
me here?