On 12/07/2012 10:00 AM, German Molano wrote:
> Hi there, I am having some trouble using proxyndp on shorewall6. I
> cannot access the IPv6 internet from the host inside my local
> network or ping this internal host from outside networks.
>
> This is my setup:
>
> Firewall
>
> eth0 2801:0:100::2/48
> GW=2801:0:100::1
> eth1=not initialized only local ipv6 link fe80:xxxx ...
>
> SHOREWALL6 version 4.5.9.3
>
> interfaces
> net     eth0     tcpflags,forward=1
> loc     eth1     tcpflags,forward=1
>
> zone
> fw      firewall
> loc     ipv6
> net     ipv6
>
> policy
> loc             net             ACCEPT
> net             all             DROP            info
> fw              all             ACCEPT
> all             all             REJECT          info
>
> rules
> ACCEPT     net     fw     ipv6-icmp
> SSH(ACCEPT)     net:<2001:xxxxx:2>             $FW
> ACCEPT     net     loc:<2801:0:100::58>     ipv6-icmp
>
> proxyndp
> #ADDRESS                INTERFACE       EXTERNAL HAVEROUTE       PERSISTENT
> 2801:0:100::58          eth1            eth0
>
> sysctl -a | grep proxy_ndp
> net.ipv6.conf.all.proxy_ndp = 1
> net.ipv6.conf.default.proxy_ndp = 0
> net.ipv6.conf.lo.proxy_ndp = 0
> net.ipv6.conf.eth0.proxy_ndp = 0
> net.ipv6.conf.eth1.proxy_ndp = 1
>
> sysctl -a | grep forwarding
> net.ipv6.conf.all.forwarding = 1
> net.ipv6.conf.all.mc_forwarding = 0
> net.ipv6.conf.default.forwarding = 1
> net.ipv6.conf.default.mc_forwarding = 0
> net.ipv6.conf.lo.forwarding = 1
> net.ipv6.conf.lo.mc_forwarding = 0
> net.ipv6.conf.eth0.forwarding = 1
> net.ipv6.conf.eth0.mc_forwarding = 0
> net.ipv6.conf.eth1.forwarding = 1
> net.ipv6.conf.eth1.mc_forwarding = 0
>
> Neighbors discovered on firewall:
> 2801:0:100::58 dev eth1 lladdr 00:04:23:88:ed:1d REACHABLE
> fe80::204:23ff:fe88:ed1d dev eth1 lladdr 00:04:23:88:ed:1d REACHABLE
> (local ipv6 link on internal host)
> 2801:0:100::1 dev eth0 lladdr e0:5f:b9:26:b0:80 router STALE
> fe80::e25f:b9ff:fe26:b080 dev eth0 lladdr e0:5f:b9:26:b0:80 router REACHABLE
> (local ipv6 link on router)
> fe80::210:dcff:fefe:d05f dev eth0 lladdr 00:10:dc:fe:d0:5f REACHABLE
> (local ipv6 link on host on external network)
>
> Host IPv6's config inside my network
>
> eth0=2801:0:100::58/48
> GWIPv6=2801:0:100::1

If you are going to configure it that way, then you need to proxyndp 
2801:0:100::1 on eth1.
>
> When I try to look at the neighbors' addresses on the internal host I get this:
> ip -6 neigh show
> 2801:0:100::12 dev eth0  INCOMPLETE
> 2801:0:100::1 dev eth0  FAILED
> fe80::210:4bff:fe0b:e07d dev eth0 lladdr 00:10:4b:0b:e0:7d router REACHABLE
>
> The internal host cannot answer pings coming from outside networks or
> access outside networks ...
>
> What am I missing or have I misconfigured?

Note that even if you add the second proxyndp, 2801:0:100::1 will be the 
only host in 2801:0:100::/48 that the internal host will be able to 
communicate with.

If I were you, I would configure an address on eth1 with a small subnet, 
use that as the default gateway for the internal host, and use the same 
small subnet (/120 or smaller) on the internal host.

Here's how I use proxyndp; note the /126s on the two 6to4 interfaces.

10: mac: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
     link/sit 172.20.1.254 peer 172.20.0.11
     inet6 2001:470:b:227::19/126 scope global
        valid_lft forever preferred_lft forever
     inet6 fe80::ac14:1fe/128 scope link
        valid_lft forever preferred_lft forever
11: hp: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
     link/sit 172.20.1.254 peer 172.20.1.191
     inet6 2001:470:b:227::21/126 scope global
        valid_lft forever preferred_lft forever
     inet6 fe80::ac14:1fe/128 scope link
        valid_lft forever preferred_lft forever
12: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
     link/ether 02:1b:e8:cb:b4:60 brd ff:ff:ff:ff:ff:ff
     inet 70.90.191.121/32 scope global br0
     inet 172.20.2.254/24 brd 172.20.2.255 scope global br0:1
     inet6 2001:470:b:227::1/64 scope global
        valid_lft forever preferred_lft forever
     inet6 2001:470:b:227::41/124 scope global
        valid_lft forever preferred_lft forever
     inet6 fe80::c006:1fff:febe:c298/64 scope link
        valid_lft forever preferred_lft forever

/etc/shorewall6/proxyndp:

#ADDRESS                INTERFACE   EXTERNAL   HAVEROUTE   PERSISTENT
2001:470:b:227::18      -           br0        Yes         Yes
2001:470:b:227::21      -           br0        Yes         Yes

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
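To make Tom's point concrete (the internal host with a /48 can only resolve addresses the firewall proxies on eth1, whereas a small subnet with the firewall's own eth1 address as gateway reaches everything), here is an added model of the host's next-hop decision. It is not Shorewall code or anything from the thread; the /120 prefix 2801:0:100:ff00::/120, the gateway 2801:0:100:ff00::1 and the destination 2001:db8::1 are constructed values.

```python
"""Model of an IPv6 host's next-hop determination (RFC 4861): destinations
inside its own prefix are treated as on-link and resolved with Neighbour
Discovery; anything else is sent to the default router.  Constructed example,
not Shorewall code."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class HostView:
    """What the internal host believes about its own link."""
    address: ipaddress.IPv6Interface          # own address with prefix length
    gateway: ipaddress.IPv6Address            # configured default router
    # Addresses that actually answer Neighbour Solicitation on the host's
    # link, either real neighbours or addresses the firewall proxies there.
    neighbours: set = field(default_factory=set)

def next_hop(view: HostView, dest: str) -> ipaddress.IPv6Address:
    """On-link destination -> resolve it directly; off-link -> the gateway."""
    d = ipaddress.IPv6Address(dest)
    return d if d in view.address.network else view.gateway

def can_reach(view: HostView, dest: str) -> bool:
    """Packets leave the host only if the next hop answers NDP on its link."""
    return next_hop(view, dest) in view.neighbours

# Constructed destinations: another /48 address, the upstream router, and
# an arbitrary host on the IPv6 internet.
DESTS = ["2801:0:100::12", "2801:0:100::1", "2001:db8::1"]

def original_setup() -> dict:
    """As posted, plus Tom's first fix: host has /48 and points at the
    upstream router ::1, which the firewall now proxies on eth1.  ::1 is
    therefore the only address in the /48 the host can resolve."""
    view = HostView(ipaddress.IPv6Interface("2801:0:100::58/48"),
                    ipaddress.IPv6Address("2801:0:100::1"),
                    {ipaddress.IPv6Address("2801:0:100::1")})
    return {d: can_reach(view, d) for d in DESTS}

def recommended_setup() -> dict:
    """Tom's recommendation (values constructed): a /120 on eth1, the
    firewall's eth1 address as gateway.  The gateway is a real neighbour,
    so every off-link destination is reachable through it."""
    view = HostView(ipaddress.IPv6Interface("2801:0:100:ff00::58/120"),
                    ipaddress.IPv6Address("2801:0:100:ff00::1"),
                    {ipaddress.IPv6Address("2801:0:100:ff00::1")})
    return {d: can_reach(view, d) for d in DESTS}

if __name__ == "__main__":
    print("original:   ", original_setup())
    print("recommended:", recommended_setup())
```

Note the model covers only the internal host's view; the firewall still needs its own proxyndp entry on eth0 for the internal address, since the upstream router believes the whole /48 is on its link.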
