On 11/09/2016 07:51 AM, Brian J. Murrell wrote:
> On Tue, 2016-11-08 at 18:31 -0500, Brian J. Murrell wrote:
>>
>> Ahh. OK. I will see about getting an upgrade under way.
>
> Done, and the IPv6 policy does load but I just want to confirm if
> the routing is as expected. Given the providers:
>
> CGCO 1 0x100 - 6to4-cableco ::192.8.9.1 balance,nohostroute -
> DSL 2 0x200 - pppoe-wan1 - balance,nohostroute -
> Squid 3 0x400 - br-lan fd31:aeb1:48df:0:214:d1ff:fe13:45ac loose,notrack
> HENET 4 0x300 - 6in4-henet 2001:123:aa:ccc::1 balance,nohostroute -
>
> My routing looks like:
>
> # ip -6 rule ls
> 0: from all lookup 128
> 1: from all lookup local
> 999: from all lookup main
> 2000: from all to 2001:888:0:18::119 lookup CGCO
> 2000: from all to 2001:4de0:2101:119e::20 lookup DSL
> 2000: from all to 2001:4de0:2101:119e::21 lookup DSL
> 10000: from all fwmark 0x100/0xff00 lookup CGCO
> 10001: from all fwmark 0x200/0xff00 lookup DSL
> 10002: from all fwmark 0x400/0xff00 lookup Squid
> 10003: from all fwmark 0x300/0xff00 lookup 4
> 11000: from 2002:aaaa:bbbb::/64 lookup CGCO
> 11000: from 2607:aaa:bbb:cccc::/64:/64 lookup DSL
> 11000: from 2001:123:ab:ccc::/64 lookup 4
> 20000: from 2607:f2c0:a000:13d:3c09:c77f:a0bd:cf6b lookup DSL
> 20000: from 2001:123:aa:ccc::2 lookup 4
> 32765: from all lookup balance
> 32767: from all lookup default
> 4200000000: from 2002:aaaa:bbbb::1/60 iif br-lan unreachable
> 4200000000: from 2001:123:ab:cc::1/64 iif br-lan unreachable
> 4200000000: from 2607:aaa:bbb:cccc::/64:1/60 iif br-lan unreachable
> 4200000001: from all iif lo failed_policy
> 4200000001: from all iif lo failed_policy
> 4200000040: from all iif br-guest failed_policy
> 4200000040: from all iif br-guest failed_policy
> 4200000042: from all iif br-lan failed_policy
> 4200000042: from all iif br-lan failed_policy
> 4200000045: from all iif eth0.2 failed_policy
> 4200000045: from all iif eth0.2 failed_policy
> 4200000046: from all iif pppoe-wan1 failed_policy
> 4200000046: from all iif pppoe-wan1 failed_policy
> 4200000046: from all iif pppoe-wan1 failed_policy
> 4200000046: from all iif pppoe-wan1 failed_policy
> 4200000049: from all iif 6to4-cableco failed_policy
> 4200000049: from all iif 6to4-cableco failed_policy
> 4200000050: from all iif 6in4-henet failed_policy
> 4200000050: from all iif 6in4-henet failed_policy
>
> # ip -6 route ls table main
> default from 2001:123:aa:ccc::/64 dev 6in4-henet proto static metric 1024
> default from 2001:123:ab:ccc::/64 dev 6in4-henet proto static metric 1024
> default from 2002:aaaa:bbbb::/48 via ::192.8.9.1 dev 6to4-cableco proto static metric 1024
> default from 2002::/16 via ::192.8.9.1 dev 6to4-cableco proto static metric 1024
> ...
>
> # ip -6 route ls table balance
> default via 2001:123:aa:ccc::1 dev 6in4-henet metric 1024
>
> # ip -6 route ls table default
> #
>

That doesn't look right. Please tar up your /etc/shorewall6/ directory
(with a capabilities file), and send it to me privately.

>
> On the subject of preferring an IPv6 provider, is there really any
> way that can work given that all providers are given to hosts in
> the LAN by way of RAs and it's the clients that choose provider
> with source address selection.
>
> To truly have provider selection/preference at the shorewall
> router wouldn't we need ip6tables NAT there to rewrite the source
> address that the LAN host selected? Or is there another way to do
> provider preference that is less of a hack?

You *always* need SNAT on a router that can direct traffic to one
provider or another.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
