On 03/04/2018 04:01 PM, Udo Schacht-Wiegand wrote:
> Hello,
>
> this is my first post to this list, and I hope I can reply to an already
> existing thread.
>
> I think I'm facing the same problem as this user reported:
>> From: Brian J. Murrell <brian@in...> - 2017-11-29 17:33:24
>> I have a shorewall6/shorewall6-lite installation where the router has
>> multiple IPv6 connections to the Internet.
>> [...] I see major packet loss on the eth0.2 provider:
>
> My shorewall6 version is 5.0.4 (on Ubuntu 16.04 LTS). The providers file:
> #############################################################################################################
> #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY                    OPTIONS         COPY
> mkn    1       -     -          eth0       2001:xxxx:xxx::1           track,primary
> htp    2       -     -          eth1       fe80::464e:6dff:fe15:789a  track,fallback
>
> I x'ed out our business's public IPv6. "htp" is not a typo of "http",
> but the name of our secondary provider. As their addresses are dynamic,
> I use the link local address as gateway. When our primary provider 'mkn'
> should go down, fallback on 'htp' will be done. I use a script to detect
> the link, and can initiate a failover. This setup works fine.
> The gateway is a Cisco router/DSL modem of the provider #1 in our
> premises, where I have no access.
>
> However I'm facing massive packet losses (>50%, only on IPv6) on
> provider #1 using this setup. If I leave out the providers file, there
> are no losses, same as Brian reported above. To test the connection I
> usually do a "ping6 google.com <http://google.com>" or so. After a
> "shorewall6 restart" ping6s initially go through, but then stop (after
> about 10 to 40 pings). When I do a "ping6 gateway-address" from another
> terminal, the pings to google will continue to go through.
>
> So I built this as workaround: I send continuous pings (by a cronjob)
> against the router, then there are next to no losses. To me this looks
> very similar to the problem described
> here: https://forums.gentoo.org/viewtopic-t-855990-start-0.html
>
> I tried to open shorewall6 for all ipv6-icmp traffic to and from the
> router, but it didn't make much of a difference, as ipv6-icmp was allowed
> anyway.
>
> Would appreciate any help ...
> Cheers
> Udo

Be sure that your kernel is fully patched. This sounds like a problem
that I, along with a number of others, have experienced; it was
corrected in a subsequent kernel update. The problem is that the kernel
ignores NDP who-has requests, which will kill the link. The constant
pinging keeps the upstream router from issuing those requests. I
employed that same workaround until the problem was finally resolved.

-Tom
-- 
Tom Eastep        \ Q: What do you get when you cross a mobster with
Shoreline,         \ an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
                      \_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
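
Added example, not part of the original thread: one way to confirm the symptom described in the reply (the upstream router's NDP who-has requests going unanswered) is to scan a text capture of ICMPv6 on the provider interface for neighbor solicitations that never receive an advertisement. The capture lines, the addresses and the function name are constructed for illustration, and the line layout assumed is tcpdump's default text output.

```python
import re

# Constructed sample in tcpdump's text format (e.g. `tcpdump -n -i eth0 icmp6`).
# Addresses are placeholders, not values from the thread.
SAMPLE = """\
10:00:00.000000 IP6 fe80::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8::2, length 32
10:00:00.000300 IP6 2001:db8::2 > fe80::1: ICMP6, neighbor advertisement, tgt is 2001:db8::2, length 32
10:00:30.000000 IP6 fe80::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8::2, length 32
10:00:31.000000 IP6 fe80::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8::2, length 32
10:00:32.000000 IP6 fe80::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8::2, length 32
"""

LINE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP6 (\S+) > (\S+): ICMP6, neighbor "
    r"(solicitation, who has|advertisement, tgt is) ([0-9a-fA-F:]+)"
)


def unanswered_solicitations(capture, local_addrs, timeout=1.0):
    """Return (seconds_since_midnight, solicitor, target) for every neighbor
    solicitation asking for one of local_addrs that saw no neighbor
    advertisement for that target within `timeout` seconds."""
    pending, missed = [], []
    for raw in capture.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an NS/NA line
        h, mi, s, src, _dst, kind, target = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + float(s)
        # Solicitations older than the timeout count as unanswered.
        missed += [p for p in pending if ts - p[0] > timeout]
        pending = [p for p in pending if ts - p[0] <= timeout]
        if kind.startswith("solicitation"):
            if target in local_addrs:
                pending.append((ts, src, target))
        else:
            # An advertisement for the target answers all pending requests for it.
            pending = [p for p in pending if p[2] != target]
    return missed + pending  # still open when the capture ended


if __name__ == "__main__":
    for ts, src, target in unanswered_solicitations(SAMPLE, {"2001:db8::2"}):
        print(f"{ts:.0f}s: who-has {target} from {src} got no reply")
```

A run of unanswered solicitations from the gateway just before pings stop matches the behaviour described in the reply; a capture where every solicitation is answered points elsewhere.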