Re: [Shorewall-users] Second attempt at IPv6, no default routes

2016-09-21 Thread Tom Eastep
On 09/19/2016 07:50 PM, Steven Kiehl wrote:
> 
> So I added that address as a hard-coded gateway in the 
> shorewall/providers configuration.  I basically followed the
> multi-isp directions and skipped the multi part of it.  Seems
> functional, for now.
> 
> So, I can get to ipv6.google.com and most
> of the tests seem to work right, but it's not ideal. I don't want
> to have to re-determine the gateway address every time it magically
> changes.  I haven't learned of any way to pull it down through any
> sort of console command.  At least I can say I've got it 90% of the
> way there.  And TWC still has no IPv6-only DNS either, all
> delivered over IPv4.
> 
> So I've got everything working except automatic detection of the
> default gateway.  Using "DETECT" in the providers throws an error
> about not being able to find the default gateway, even though it's
> DHCP.  By adding the default gateway address, it does list an
> additional route to 'ip -6 route' for the external interface.
> 
> I'll keep searching around for an automated solution, but for now
> adding a provider like the following seems to work:
> 
> TWC1   1   -   enp1s0f0   $IPV6_GATEWAY   track
> 
> 

You can keep using that approach, only set IPV6_GATEWAY to the
link-local address of the router; that won't change, even if the
delegated subnet does.


-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \

--
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
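Added example (a shell script, not code from the thread or from Shorewall) for Tom's suggestion above and for the DETECT failure Steven describes: it reads the default route the kernel learned from Router Advertisements, checks that the next hop is link-local (fe80::/10), which stays the same when the delegated prefix changes, and emits the IPV6_GATEWAY setting for the shorewall6 params file so the providers entry can keep using $IPV6_GATEWAY. The interface name enp1s0f0 comes from the thread; SAMPLE_ROUTE is a constructed stand-in for the output of `ip -6 route show default dev enp1s0f0`. One caveat that often explains "no default route" on a firewall box: Linux ignores RAs on an interface that has forwarding enabled unless net.ipv6.conf.<iface>.accept_ra is 2, so the sysctl has to be set before any RA-learned route can appear.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall.
# Reads the default route the kernel learned from Router Advertisements,
# checks that the next hop is link-local (fe80::/10), and emits the
# IPV6_GATEWAY setting for the shorewall6 params file.
# Assumptions: interface enp1s0f0 (from the thread); SAMPLE_ROUTE is a
# constructed stand-in for `ip -6 route show default dev enp1s0f0`.

# Next hop of the first "default via ..." line in `ip -6 route` output.
gateway_from_routes() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# True when the address lies in fe80::/10 (fe80 through febf), i.e. is
# link-local. A link-local next hop survives a change of delegated prefix.
is_link_local() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$addr" in
        fe8?:*|fe9?:*|fea?:*|feb?:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the gateway when a link-local default route exists; otherwise an
# explanation goes to stderr and the status is non-zero.
check_gateway() {
    gw=$(gateway_from_routes "$1")
    if [ -z "$gw" ]; then
        echo "no default route: are RAs reaching the box and is accept_ra=2 set?" >&2
        return 1
    fi
    if ! is_link_local "$gw"; then
        echo "gateway $gw is not link-local and may change with the prefix" >&2
        return 1
    fi
    printf '%s\n' "$gw"
}

# Line for the shorewall6 params file, which is sourced as shell, so the
# providers entry can keep referring to $IPV6_GATEWAY.
params_line() {
    printf 'IPV6_GATEWAY=%s\n' "$1"
}

# Live variant for a real interface (defined but not run here): a forwarding
# interface only accepts RAs when net.ipv6.conf.<iface>.accept_ra is 2.
live_gateway() {
    iface=$1
    if [ "$(sysctl -n "net.ipv6.conf.$iface.accept_ra")" != 2 ]; then
        echo "accept_ra on $iface is not 2; RAs are ignored while forwarding" >&2
    fi
    check_gateway "$(ip -6 route show default dev "$iface")"
}

# Constructed sample of a route installed from an RA (proto ra, finite
# lifetime), as it would appear on the firewall's outside interface.
SAMPLE_ROUTE='default via fe80::1 dev enp1s0f0 proto ra metric 1024 expires 1789sec hoplimit 64 pref medium'

if gw=$(check_gateway "$SAMPLE_ROUTE"); then
    params_line "$gw"       # prints IPV6_GATEWAY=fe80::1
fi
```

On a real box, replace the sample with `live_gateway enp1s0f0` and write its output into the shorewall6 params file; because a link-local address is only meaningful on one link, the providers entry must name the interface in its INTERFACE column, which the posted line already does.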


Re: [Shorewall-users] Second attempt at IPv6, no default routes

2016-09-20 Thread Simon Hobson
Steven Kiehl wrote:

> Thanks for the response, Simon.  Like everyone else in the world, it's Time 
> Warner service.  It's all negotiated over DHCP/DHCPv6. Do I need to unblock 
> something for RA services perhaps?

Yes, you will need to be able to receive RAs in order to get your gateway. The 
design of IPv6 has some significant differences from IPv4 and this is one of 
them - DHCP does not provide router information in IPv6.
The reason I've read is that in large organisations, DHCP and routing are 
managed by different groups - therefore it's easier to have the routing group 
take care of advertising routes, and not have to have the interaction between 
them and the DHCP group any time the routers change. Personally I think this is 
a bit bogus, and I don't like the fact that it pushes routing decisions down to 
the individual devices rather than managing them at the router level.

Anyway, the Router Advertisements provide information on the routers available, 
what destinations they can reach, what prefixes are on this link, and what 
prefixes are considered "local" - they also indicate if the link is "managed" 
which is an indication for the client to attempt DHCP rather than 
autoconfiguration. Assuming the ISP kit is providing them, and you are 
receiving them, then routing setup should be automagic.

> I found that I can get things working by taking the steps of hooking a 
> Windows machine up first, grabbing the default IPv6 gateway.

That's a reasonable way to do it for initial testing.

> Tried asking TWC support about all this and they blamed my modem, saying 
> "your modem is showing an IPv6 address" "talk to your modem manufacturer." 
> Worst answer I've ever received from them ever.

I really am not surprised.

> So I added that address as a hard-coded gateway in the shorewall/providers 
> configuration.  I basically followed the multi-isp directions and skipped the 
> multi part of it.

That's a lot of work/complication for what is a very simple task !
Assuming you have the ip tools installed (which should be the default on any 
modern distro) then you just need to "ip route add ..." to install a route.
As I said, Shorewall isn't needed at all to get the IPv6 working - but it is 
needed as soon as you do get it working. It's often best to get the network 
working without the firewall as it removes the "is it the network or the 
firewall that's blocking stuff" problem - at a time when you have a lot of 
variables to get sorted before it all works.


> I don't want to have to re-determine the gateway address every time it 
> magically changes.  I haven't learned of any way to pull it down through any 
> sort of console command.

AFAIK, receiving RAs is the only way to do it.
BTW - as well as not blocking RAs, there are a number of ICMP6 packets that you 
must not block or it breaks several IPv6 basic/mandatory features (such as 
path-MTU detection).

> And TWC still has no IPv6-only DNS either, all delivered over IPv4.

That doesn't really matter, as long as they actually resolve  queries.


I've had a quick search for '"time warner" ipv6 linux' and it's thrown up a few 
interesting looking articles. In particular, this one 
http://www.kloepfer.org/ipv6-homenet.html caught my eye - it raises some valid 
points.

Lastly, what DHCP client are you using ? When I tested native IPv6 through a 
trial my ISP (Plusnet in the UK) ran, I used Dibbler - I can't remember if 
there was a reason for not using the ISC DHCP6 client but I assume there was. 
In this case, using the DHCP client was only for "triggering" the ISP stuff (ie 
getting the ISP kit to route the traffic) as the assignments were all static.
I think having a dynamic prefix will be "interesting" and the preponderance of 
people on the standards bodies that defined IPv6 being used to "big networks 
and static assignments" shows. Personally I think this is a valid use case for 
prefix translation (multiple providers is another) and with the right 
standardisation could be done without the pitfalls of NAPT as used in IPv4.


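Added example (a shell script, not code from the thread or from Shorewall) for the two points Simon makes above: Router Advertisements are the only source of a default router, and a handful of ICMPv6 types must not be filtered or basic IPv6 features such as path-MTU discovery break. It lists the essential types from RFC 4890, prints the matching ip6tables rules, and audits an ip6tables-save dump for essential types that have no ACCEPT rule. The two dumps below are constructed for the demonstration; running the audit over the real `ip6tables-save` output after `shorewall6 start` shows whether the loaded ruleset passes them. Type numbers and names are the standard IANA/iptables ones; the chain names INPUT and FORWARD are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall.
# Lists the ICMPv6 types a firewall must accept for IPv6 to function
# (RFC 4890), generates ip6tables rules for them, and audits an
# ip6tables-save dump for essential types with no ACCEPT rule.
# The two dumps below are constructed for the demonstration.

# Type, iptables name, and scope. "error" types are end-to-end and must
# also be forwarded (Packet Too Big is what path-MTU discovery relies on);
# "nd" types are Neighbor Discovery, link-local only, so INPUT suffices.
# Without 134 (Router Advertisement) the kernel never learns a default route.
essential_icmpv6_types() {
    printf '%s\n' \
        "1 destination-unreachable error" \
        "2 packet-too-big error" \
        "3 time-exceeded error" \
        "4 parameter-problem error" \
        "133 router-solicitation nd" \
        "134 router-advertisement nd" \
        "135 neighbor-solicitation nd" \
        "136 neighbor-advertisement nd"
}

# ip6tables commands that accept the essential types (printed, not run).
gen_rules() {
    essential_icmpv6_types | while read -r num name scope; do
        chains=INPUT
        if [ "$scope" = error ]; then
            chains="INPUT FORWARD"
        fi
        for chain in $chains; do
            printf 'ip6tables -A %s -p ipv6-icmp --icmpv6-type %s -j ACCEPT\n' "$chain" "$num"
        done
    done
}

# Report essential types with no ACCEPT rule in CHAIN of an ip6tables-save
# dump, one type number per line; status 1 if any are missing.
# Usage: audit_rules CHAIN "<ip6tables-save text>"
audit_rules() {
    chain=$1
    # Types (by number or iptables name) that an ACCEPT rule in CHAIN matches.
    accepted=$(printf '%s\n' "$2" | awk -v chain="$chain" '
        $1 == "-A" && $2 == chain && / -j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--icmpv6-type") print $(i + 1)
        }')
    missing=$(essential_icmpv6_types | while read -r num name scope; do
        found=0
        for a in $accepted; do
            if [ "$a" = "$num" ] || [ "$a" = "$name" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "$num"
        fi
    done)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Constructed dump: every essential type accepted, one of them by name.
DUMP_OK='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
COMMIT'

# Constructed dump that passes pings and errors but eats Neighbor Discovery
# on INPUT: the box never learns a router and never resolves neighbors.
DUMP_BROKEN='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
COMMIT'

gen_rules
if missing_types=$(audit_rules INPUT "$DUMP_BROKEN"); then
    echo "INPUT accepts every essential ICMPv6 type"
else
    echo "INPUT lacks ACCEPT for ICMPv6 types: $(printf '%s' "$missing_types" | tr '\n' ' ')"
fi
```

The audit deliberately counts only ACCEPT rules that carry an explicit --icmpv6-type, so a blanket `-p ipv6-icmp -j ACCEPT` is not credited; on a real firewall, check the dump for such a rule before trusting a "missing" report.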


Re: [Shorewall-users] Second attempt at IPv6, no default routes

2016-09-19 Thread Steven Kiehl
Thanks for the response, Simon.  Like everyone else in the world, it's Time
Warner service.  It's all negotiated over DHCP/DHCPv6. Do I need to unblock
something for RA services perhaps?  I found that I can get things working
by taking the steps of hooking a Windows machine up first, grabbing the
default IPv6 gateway.  Tried asking TWC support about all this and they
blamed my modem, saying "your modem is showing an IPv6 address" "talk to
your modem manufacturer." Worst answer I've ever received from them ever.

So I added that address as a hard-coded gateway in the shorewall/providers
configuration.  I basically followed the multi-isp directions and skipped
the multi part of it.  Seems functional, for now.

So, I can get to ipv6.google.com and most of the tests seem to work right,
but it's not ideal. I don't want to have to re-determine the gateway
address every time it magically changes.  I haven't learned of any way to
pull it down through any sort of console command.  At least I can say I've
got it 90% of the way there.  And TWC still has no IPv6-only DNS either,
all delivered over IPv4.

So I've got everything working except automatic detection of the default
gateway.  Using "DETECT" in the providers throws an error about not being
able to find the default gateway, even though it's DHCP.  By adding the
default gateway address, it does list an additional route to 'ip -6 route'
for the external interface.

I'll keep searching around for an automated solution, but for now adding a
provider like the following seems to work:

TWC1   1   -   enp1s0f0   $IPV6_GATEWAY   track


On Sun, Sep 18, 2016 at 9:21 AM, Simon Hobson wrote:

> Steven Kiehl wrote:
>
> > So, after several months, I've decided to take another crack at
> upgrading to IPv6.  I followed the directions on the shorewall IPv6 support
> page as far as I can tell, and also dug well into the Linux documentation
> noted in that article. Thanks for all your efforts in putting that page
> together, btw.
> >
> > I'm attempting a simple two-interface firewall setup. I've gotten as far
> as being able to connect to the firewall from the insides, resolve DNS, but
> all IPv6 traffic leaving the outside interface seems to fail with "Network
> unreachable" messages, trying both ping6 and traceroute6 and verifying no
> REJECT/DROP errors in the logs.  I can confirm that IPv6 is working on the
> ISP by hooking up a Windows box to the cable modem (only problem there is
> the ISP doesn't have an IPv6 DNS server, but otherwise all is well).
> >
> > But, try as I have tweaking the network/interfaces and
> shorewall/shorewall6 configurations and even attempting to add routes
> directly to the tables, I can't seem to get any traffic to move.  I have a
> DHCP-issued IPv6 address from the ISP, but running 'ip -6 route' shows no
> default routes.  I do have default routes on IPv4, and disabling IPv6 on my
> clients does result in successful IPv4 connections and data transmission.
> But, IPv6 remains unreachable for some mysterious reason.
> >
> > Attempted to get some support from the ISP, but they are just following
> script as usual.
>
> Yes, so many support departments do tend to do that.
>
> The starting point is that you don't need Shorewall (or rather,
> Shorewall6) to do IPv6. So start without Shorewall - but bear in mind that
> you will be rather exposed between getting IPv6 working and setting up the
> firewall.
>
> Starting from the basics, which ISP is it - someone may know how they
> manage stuff ? Failing that, how are they handing out the IPv6 information
> - DHCPv6, PPP, something else ? Does this ISP have any support forums where
> you could ask - if there are any power users in there then they are the
> most likely to know just how to do it with that ISP ?
>
>


Re: [Shorewall-users] Second attempt at IPv6, no default routes

2016-09-18 Thread Simon Hobson
Steven Kiehl wrote:

> So, after several months, I've decided to take another crack at upgrading to 
> IPv6.  I followed the directions on the shorewall IPv6 support page as far as 
> I can tell, and also dug well into the Linux documentation noted in that 
> article. Thanks for all your efforts in putting that page together, btw.
> 
> I'm attempting a simple two-interface firewall setup. I've gotten as far as 
> being able to connect to the firewall from the insides, resolve DNS, but all 
> IPv6 traffic leaving the outside interface seems to fail with "Network 
> unreachable" messages, trying both ping6 and traceroute6 and verifying no 
> REJECT/DROP errors in the logs.  I can confirm that IPv6 is working on the 
> ISP by hooking up a Windows box to the cable modem (only problem there is the 
> ISP doesn't have an IPv6 DNS server, but otherwise all is well).
> 
> But, try as I have tweaking the network/interfaces and shorewall/shorewall6 
> configurations and even attempting to add routes directly to the tables, I 
> can't seem to get any traffic to move.  I have a DHCP-issued IPv6 address 
> from the ISP, but running 'ip -6 route' shows no default routes.  I do have 
> default routes on IPv4, and disabling IPv6 on my clients does result in 
> successful IPv4 connections and data transmission.  But, IPv6 remains 
> unreachable for some mysterious reason.
> 
> Attempted to get some support from the ISP, but they are just following 
> script as usual.

Yes, so many support departments do tend to do that.

The starting point is that you don't need Shorewall (or rather, Shorewall6) to 
do IPv6. So start without Shorewall - but bear in mind that you will be rather 
exposed between getting IPv6 working and setting up the firewall.

Starting from the basics, which ISP is it - someone may know how they manage 
stuff ? Failing that, how are they handing out the IPv6 information - DHCPv6, 
PPP, something else ? Does this ISP have any support forums where you could ask 
- if there are any power users in there then they are the most likely to know 
just how to do it with that ISP ?




Re: [Shorewall-users] Second attempt at IPv6, no default routes

2016-09-17 Thread Steven Kiehl
Woops. sorry, let me try attaching this again.  Seem to have attached the
stopped-state dump.  Attached here is the started-state dump with all the
active changes and whatnot.

By the way, do you accept these dumps via GitHub Gists, or just via
attached gz/bzip2s?

- Steve Kiehl



On Sat, Sep 17, 2016 at 6:22 PM, Steven Kiehl wrote:

> Hi again!
>
> So, after several months, I've decided to take another crack at upgrading
> to IPv6.  I followed the directions on the shorewall IPv6 support page as
> far as I can tell, and also dug well into the Linux documentation noted in
> that article. Thanks for all your efforts in putting that page together,
> btw.
>
> I'm attempting a simple two-interface firewall setup. I've gotten as far
> as being able to connect to the firewall from the insides, resolve DNS, but
> all IPv6 traffic leaving the outside interface seems to fail with "Network
> unreachable" messages, trying both ping6 and traceroute6 and verifying no
> REJECT/DROP errors in the logs.  I can confirm that IPv6 is working on the
> ISP by hooking up a Windows box to the cable modem (only problem there is
> the ISP doesn't have an IPv6 DNS server, but otherwise all is well).
>
> But, try as I have tweaking the network/interfaces and
> shorewall/shorewall6 configurations and even attempting to add routes
> directly to the tables, I can't seem to get any traffic to move.  I have a
> DHCP-issued IPv6 address from the ISP, but running 'ip -6 route' shows no
> default routes.  I do have default routes on IPv4, and disabling IPv6 on my
> clients does result in successful IPv4 connections and data transmission.
> But, IPv6 remains unreachable for some mysterious reason.
>
> Attempted to get some support from the ISP, but they are just following
> script as usual.
>
> I've attached the shorewall6 dump to this message. Let me know if any
> other info is needed.
>
> Thanks for any help you can provide!
>
> - Steve Kiehl
>


shorewall6_dump_started.txt.bz2
Description: BZip2 compressed data