Thanks Tom, actually it works as you suggested.

On 07/12/12 16:37, Tom Eastep wrote:
> On 12/07/2012 10:00 AM, German Molano wrote:
>> Hi there, I am getting some trouble using proxyndp on shorewall6. I
>> cannot access to the ipv6 internet from the host inside my local
>> network or ping this internal host from outside networks.
>>
>> This is my setup:
>>
>> Firewall
>>
>> eth0 2801:0:100::2/48
>> GW=2801:0:100::1
>> eth1=not initialized only local ipv6 link fe80:xxxx ...
>>
>> SHOREWALL6 version 4.5.9.3
>>
>> interfaces
>> net     eth0    tcpflags,forward=1
>> loc     eth1    tcpflags,forward=1
>>
>> zone
>> fw      firewall
>> loc     ipv6
>> net     ipv6
>>
>> policy
>> loc     net     ACCEPT
>> net     all     DROP    info
>> fw      all     ACCEPT
>> all     all     REJECT  info
>>
>> rules
>> ACCEPT        net     fw                      ipv6-icmp
>> SSH(ACCEPT)   net:<2001:xxxxx:2>      $FW
>> ACCEPT        net     loc:<2801:0:100::58>    ipv6-icmp
>>
>> proxyndp
>> #ADDRESS          INTERFACE   EXTERNAL   HAVEROUTE   PERSISTENT
>> 2801:0:100::58    eth1        eth0
>>
>> sysctl -a | grep proxy_ndp
>> net.ipv6.conf.all.proxy_ndp = 1
>> net.ipv6.conf.default.proxy_ndp = 0
>> net.ipv6.conf.lo.proxy_ndp = 0
>> net.ipv6.conf.eth0.proxy_ndp = 0
>> net.ipv6.conf.eth1.proxy_ndp = 1
>>
>> sysctl -a | grep forwarding
>> net.ipv6.conf.all.forwarding = 1
>> net.ipv6.conf.all.mc_forwarding = 0
>> net.ipv6.conf.default.forwarding = 1
>> net.ipv6.conf.default.mc_forwarding = 0
>> net.ipv6.conf.lo.forwarding = 1
>> net.ipv6.conf.lo.mc_forwarding = 0
>> net.ipv6.conf.eth0.forwarding = 1
>> net.ipv6.conf.eth0.mc_forwarding = 0
>> net.ipv6.conf.eth1.forwarding = 1
>> net.ipv6.conf.eth1.mc_forwarding = 0
>>
>> Neighbors discovered on firewall:
>> 2801:0:100::58 dev eth1 lladdr 00:04:23:88:ed:1d REACHABLE
>> fe80::204:23ff:fe88:ed1d dev eth1 lladdr 00:04:23:88:ed:1d REACHABLE
>> (local ipv6 link on internal host)
>> 2801:0:100::1 dev eth0 lladdr e0:5f:b9:26:b0:80 router STALE
>> fe80::e25f:b9ff:fe26:b080 dev eth0 lladdr e0:5f:b9:26:b0:80 router REACHABLE
>> (local ipv6 link on router)
>> fe80::210:dcff:fefe:d05f dev eth0 lladdr 00:10:dc:fe:d0:5f REACHABLE
>> (local ipv6 link on host on external network)
>>
>> Host IPv6's config inside my network
>>
>> eth0=2801:0:100::58/48
>> GWIPv6=2801:0:100::1
>
> If you are going to configure it that way, then you need to proxyndp
> 2801:0:100::1 on eth1.
>
>> When I try to look the neighbors address on the internal host I get this:
>> ip -6 neigh show
>> 2801:0:100::12 dev eth0 INCOMPLETE
>> 2801:0:100::1 dev eth0 FAILED
>> fe80::210:4bff:fe0b:e07d dev eth0 lladdr 00:10:4b:0b:e0:7d router REACHABLE
>>
>> The internal host cannot answer pings coming from outside networks or
>> access outside networks ...
>>
>> What am I missing or misconfigured?
>
> Note that even if you add the second proxyndp, 2801:0:100:1 will be the
> only host in 2801:0:100::/48 that the internal host will be able to
> communicate with.
>
> If I were you, I would configure an address on eth1 with a small subnet,
> use that as the default gateway for the internal host, and use the same
> small subnet (/120 or smaller) on the internal host.

The ISP set up the router to only publish prefix /48, so there will be a challenge to set up the linux box as router/firewall for prefix /64.

> Here's how I use proxyndp; note the /126s on the two 6to4 interfaces.
>
> 10: mac: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
>     link/sit 172.20.1.254 peer 172.20.0.11
>     inet6 2001:470:b:227::19/126 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::ac14:1fe/128 scope link
>        valid_lft forever preferred_lft forever
> 11: hp: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
>     link/sit 172.20.1.254 peer 172.20.1.191
>     inet6 2001:470:b:227::21/126 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::ac14:1fe/128 scope link
>        valid_lft forever preferred_lft forever
> 12: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
>     link/ether 02:1b:e8:cb:b4:60 brd ff:ff:ff:ff:ff:ff
>     inet 70.90.191.121/32 scope global br0
>     inet 172.20.2.254/24 brd 172.20.2.255 scope global br0:1
>     inet6 2001:470:b:227::1/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 2001:470:b:227::41/124 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::c006:1fff:febe:c298/64 scope link
>        valid_lft forever preferred_lft forever
>
> /etc/shorewall6/proxyndp:
>
> #ADDRESS               INTERFACE   EXTERNAL   HAVEROUTE   PERSISTENT
> 2001:470:b:227::18     -           br0        Yes         Yes
> 2001:470:b:227::21     -           br0        Yes         Yes
>
> -Tom
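The failure mode in this thread is a proxyndp row that exists in the Shorewall6 file but has no matching kernel proxy entry, or a missing row for the gateway address on the internal interface. The following is an added example, not code from the thread or from Shorewall: a read-only audit that parses a constructed /etc/shorewall6/proxyndp (in the column layout shown above) together with constructed `ip -6 neigh show proxy` output and reports the gaps. It assumes that Shorewall installs each row as `ip -6 neigh add proxy ADDRESS dev EXTERNAL`, so the EXTERNAL column is the interface on which the entry must appear.

```python
import ipaddress

# Constructed /etc/shorewall6/proxyndp: the original row plus the gateway row
# Tom asked for (proxy 2801:0:100::1 on eth1).
PROXYNDP = """\
#ADDRESS         INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
2801:0:100::58   eth1       eth0
2801:0:100::1    -          eth1
"""

# Constructed `ip -6 neigh show proxy` output: only the first row is installed.
NEIGH_PROXY = "2801:0:100::58 dev eth0 proxy\n"


def parse_proxyndp(text):
    """Return [(address, interface, external)]; '-' marks an unset column."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blank lines
        if not line:
            continue
        cols = line.split() + ["-", "-"]             # pad optional columns
        addr = ipaddress.ip_address(cols[0].split("/", 1)[0])  # canonical form
        rows.append((str(addr), cols[1], cols[2]))
    return rows


def parse_neigh_proxy(text):
    """Return {(address, dev)} from `ip -6 neigh show proxy` lines."""
    entries = set()
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[1] == "dev" and "proxy" in tok:
            entries.add((str(ipaddress.ip_address(tok[0])), tok[2]))
    return entries


def audit(proxyndp_text, neigh_text):
    """List rows with no EXTERNAL interface, missing proxy entries and stray ones.

    Assumption (not from the thread): each row becomes
    `ip -6 neigh add proxy ADDRESS dev EXTERNAL`, so EXTERNAL is mandatory.
    """
    installed = parse_neigh_proxy(neigh_text)
    wanted, problems = set(), []
    for addr, _iface, external in parse_proxyndp(proxyndp_text):
        if external == "-":
            problems.append(f"{addr}: no EXTERNAL interface, nothing to proxy on")
            continue
        wanted.add((addr, external))
    problems += [f"{a}: missing proxy entry on {d}" for a, d in sorted(wanted - installed)]
    problems += [f"{a}: stray proxy entry on {d}" for a, d in sorted(installed - wanted)]
    return problems
```

Feed it the real file and the real `ip -6 neigh show proxy` output to confirm that every address the internal host must resolve, including its gateway, is actually being answered for on the right interface.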
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
