On 03/04/2018 04:23 PM, Tom Eastep wrote:
> On 03/04/2018 04:01 PM, Udo Schacht-Wiegand wrote:
>> Hello,
>>
>> this is my first post to this list, and I hope I can reply to an already
>> existing thread.
>>
>> I think I'm facing the same problem as this user reported:
>>> From: Brian J. Murrell <brian@in...> - 2017-11-29 17:33:24
>>> I have a shorewall6/shorewall6-lite installation where the router has
>>> multiple IPv6 connections to the Internet.
>>> [...] I see major packet loss on the eth0.2 provider:
>>
>> My shorewall6 version is 5.0.4 (on Ubuntu 16.04 LTS). The providers file:
>> #############################################################################################################
>> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY                   OPTIONS        COPY
>> mkn   1      -    -         eth0      2001:xxxx:xxx::1          track,primary
>> htp   2      -    -         eth1      fe80::464e:6dff:fe15:789a track,fallback
>>
>> I x'ed out our business's public IPv6. "htp" is not a typo of "http",
>> but the name of our secondary provider. As their addresses are dynamic,
>> I use the link local address as gateway. When our primary provider 'mkn'
>> should go down, fallback on 'htp' will be done. I use a script to detect
>> the link, and can initiate a failover. This setup works fine.
>> The gateway is a Cisco router/DSL modem of the provider #1 in our
>> premises, where I have no access.
>>
>> However I'm facing massive packet losses (>50%, only on IPv6) on
>> provider #1 using this setup. If I leave out the providers file, there
>> are no losses, same as Brian reported above. To test the connection I
>> usually do a "ping6 google.com <http://google.com>" or so. After a
>> "shorewall6 restart" ping6s initially go through, but then stop (after
>> about 10 to 40 pings). When I do a "ping6 gateway-address" from another
>> terminal, the pings to google will continue to go through.
>>
>> So I built this as workaround: I send continuous pings (by a cronjob)
>> against the router, then there are next to no losses. To me this looks
>> very similar to the problem described
>> here: https://forums.gentoo.org/viewtopic-t-855990-start-0.html
>>
>> I tried to open shorewall6 for all ipv6-icmp traffic to and from the
>> router, but it didn't make much of a difference, as ipv6-icmp was allowed
>> anyway.
>>
>> Would appreciate any help ...
>> Cheers
>> Udo
>
> Be sure that your Kernel is fully patched. This sounds like a problem
> that I, along with a number of others, have experienced; it was
> corrected in a subsequent kernel update. The problem is that the kernel
> ignores NDP who-has requests, which will kill the link. The constant
> pinging keeps the upstream router from issuing those requests. I
> employed that same workaround until the problem was finally resolved.
>

One correction -- it is NDP neighbor solicitation requests that are being
ignored; 'who-has' requests are part of (IPv4) ARP.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
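
Added example, not part of the original thread: one way to check for the symptom described above is to capture ICMPv6 on the provider interface and list neighbor solicitations for the host's own address that no neighbor advertisement answered. It assumes tcpdump's `-n` text output; the interface name, addresses, timestamps and capture lines are constructed.

```python
import ipaddress
import re

# Constructed sample in the format of `tcpdump -n -i eth0 icmp6` (documentation
# addresses, not taken from the thread). The upstream router solicits three
# times; only the first solicitation is answered by the host.
SAMPLE = """\
10:00:00.000000 IP6 fe80::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8::2, length 32
10:00:00.000400 IP6 2001:db8::2 > fe80::1: ICMP6, neighbor advertisement, tgt is 2001:db8::2, length 32
10:00:30.000000 IP6 fe80::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8::2, length 32
10:00:31.000000 IP6 fe80::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8::2, length 32
10:00:31.500000 IP6 2001:db8::2 > 2001:db8::1: ICMP6, echo request, seq 7, length 64
"""

LINE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP6 (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP6, neighbor (?P<kind>solicitation|advertisement), "
    r"(?:who has|tgt is) (?P<target>[0-9a-fA-F:]+)"
)


def unanswered_solicitations(capture, local_addr, timeout=1.0):
    """Return capture times (seconds since midnight) of solicitations for
    local_addr that were not followed by an advertisement from local_addr
    within `timeout` seconds. Captures that cross midnight are not handled."""
    local = ipaddress.ip_address(local_addr)
    pending, missed = [], []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or ipaddress.ip_address(m["target"]) != local:
            continue
        ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        # Solicitations older than the timeout count as ignored.
        missed += [t for t in pending if ts - t > timeout]
        pending = [t for t in pending if ts - t <= timeout]
        if m["kind"] == "solicitation":
            pending.append(ts)
        elif ipaddress.ip_address(m["src"]) == local:
            pending.clear()  # our advertisement answers what is outstanding
    # Anything still pending when the capture ends was never answered in it.
    return missed + pending


if __name__ == "__main__":
    for t in unanswered_solicitations(SAMPLE, "2001:db8::2"):
        print(f"unanswered neighbor solicitation at {t:.3f}s since midnight")
```

A solicitation that arrives in the last moments of a capture is reported as unanswered, so let the capture run past the ping stall before reading the result.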