Thanks for the response, Simon.  Like everyone else in the world, it's Time
Warner service.  It's all negotiated over DHCP/DHCPv6. Do I need to unblock
something for RA services perhaps?  I found that I can get things working
by taking the steps of hooking a Windows machine up first, grabbing the
default IPv6 gateway.  Tried asking TWC support about all this and they
blamed my modem, saying "your modem is showing an IPv6 address" "talk to
your modem manufacturer." Worst answer I've ever received from them ever.

So I adding that address as a hard-coded gateway in the shorewall/providers
configuration.  I basically followed the multi-isp directions and skipped
the multi part of it.  Seems functional, for now.

So, I can get to and most of the tests seem to work right,
but it's not ideal. I don't want to have to re-determine the gateway
address every time it magically changes.  I haven't learned of any way to
pull it down through any sort of console command.  At least I can say I've
got it 90% of the way there.  And TWC still has no IPv6-only DNS either,
all delivered over IPv4.

So I've got everything working except automatic detection of the default
gateway.  Using "DETECT" in the providers throws an error about not being
able to find the default gateway, even though it's DHCP.  By adding the
default gateway address, it does list an additional route to 'ip -6 route'
for the external interface.

I'll keep searching around for an automated solution, but for now adding a
provider like the following seems to work:

TWC    1       1      -           enp1s0f0    $IPV6_GATEWAY    track

On Sun, Sep 18, 2016 at 9:21 AM, Simon Hobson <>

> Steven Kiehl <> wrote:
> > So, after several months, I've decided to take another crack at
> upgrading to IPv6.  I followed the directions on the shorewall IPv6 support
> page as far as I can tell, and also dug well into the Linux documentation
> noted in that article. Thanks for all your efforts in putting that page
> together, btw.
> >
> > I'm attempting a simple two-interface firewall setup. I've gotten as far
> as being able to connect to the firewall from the insides, resolve DNS, but
> all IPv6 traffic leaving the outside interface seems to fail with "Network
> unreachable" messages, trying both ping6 and traceroute6 and verifying no
> REJECT/DROP errors in the logs.  I can confirm that IPv6 is working on the
> ISP by hooking up a Windows box to the cable modem (only problem there is
> the ISP doesn't have an IPv6 DNS server, but otherwise all is well).
> >
> > But, try as I have tweaking the network/interfaces and
> shorewall/shorewall6 configurations and even attempting to add routes
> directly to the tables, I can't seem to get any traffic to move.  I have a
> DHCP-issued IPv6 address from the ISP, but running 'ip -6 route' shows no
> default routes.  I do have default routes on IPv4, and disabling IPv6 on my
> clients does result in successful IPv4 connections and data transmission.
> But, IPv6 remains unreachable for some mysterious reason.
> >
> > Attempted to get some support from the ISP, but they are just following
> script as usual.
> Yes, so many support departments do tend to do that.
> The starting point is that you don't need Shorewall (or rather,
> Shorewall6) to do IPv6. So start without Shorewall - but bear in mind that
> you will be rather exposed between getting IPv6 working and setting up the
> firewall.
> Starting from the basics, which ISP is it - someone may know how they
> manage stuff ? Failing that, how are they handing out the IPv6 information
> - DHCPv6, PPP, something else ? Does this ISP have any support forums where
> you could ask - if there are any power users in there then they are the
> most likely to know just how to do it with that ISP ?
> ------------------------------------------------------------
> ------------------
> _______________________________________________
> Shorewall-users mailing list
Shorewall-users mailing list

Reply via email to