‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On April 6, 2018 2:32 PM, Tom Eastep <teas...@shorewall.net> wrote:

> 
> On 04/06/2018 01:22 PM, colony.three--- via Shorewall-users wrote:
> 
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > 
> > On April 6, 2018 11:58 AM, colony.th...@protonmail.ch wrote:
> > 
> > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > 
> > > On April 6, 2018 11:44 AM, Tom Eastep teas...@shorewall.net wrote:
> > > 
> > > > > After shorewall6 clear, ping6 just hangs.
> > > > > 
> > > > > ping6 google.com
> > > > > ================
> > > > > PING google.com(sea15s01-in-x0e.1e100.net (2607:f8b0:400a:806::200e)) 56 data bytes
> > > > > ^C
> > > > > --- google.com ping statistics ---
> > > > > 20 packets transmitted, 0 received, 100% packet loss, time 19000ms
> > > > 
> > > > Your routing is all screwed up. You are trying to use the same /64 on
> > > > three different networks. When you get a tunnel from HE, you get two /64
> > > > networks: one on the sit device, and one to use in your local
> > > > network(s).
> > > > 
> > > > You can subdivide the second /64 between multiple networks, but then the
> > > > prefix length for those networks must be > 64 and you cannot use
> > > > stateless autoconfiguration.
> > > > 
> > > > -Tom
> > > > 
> > > > Tom Eastep \ Q: What do you get when you cross a mobster with
> > > > Shoreline, \ an international standard?
> > > > Washington, USA \ A: Someone who makes you an offer you can't
> > > > http://shorewall.org \ understand
> > > 
> > > Understand, but I do have 2001:470:a:c3::2 set on the tunnel interface,
> > > and for the LAN I've set 2001:470:b:c3::/64 like they say.
> > > 
> > > ip -6 route
> > > ===========
> > > unreachable ::/96 dev lo metric 1024 error -113
> > > unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113
> > > 2001:470:a:c3::/64 dev he-ipv6 proto kernel metric 256
> > > 2001:470:b:c3::/64 dev eth1 proto kernel metric 256
> > > 2001:470:b:c3::/64 dev eth2 proto kernel metric 256
> > > unreachable 2002:a00::/24 dev lo metric 1024 error -113
> > > unreachable 2002:7f00::/24 dev lo metric 1024 error -113
> > > unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
> > > unreachable 2002:ac10::/28 dev lo metric 1024 error -113
> > > unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
> > > unreachable 2002:e000::/19 dev lo metric 1024 error -113
> > > unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113
> > > fe80::/64 dev eth1 proto kernel metric 256
> > > fe80::/64 dev eth2 proto kernel metric 256
> > > fe80::/64 dev eth0 proto kernel metric 256
> > > fe80::/64 dev he-ipv6 proto kernel metric 256
> > > default dev he-ipv6 metric 1024
> > > 
> > > True, I don't have a gateway set on eth1, but that -is- the LAN gateway.
> > > 
> > > To set up the tunnel I'm using the systemd service copied almost
> > > word-for-word from the Arch doc:
> > > 
> > > [Unit]
> > > Description=he.net IPv6 tunnel
> > > After=network.target
> > > 
> > > [Service]
> > > Type=oneshot
> > > RemainAfterExit=yes
> > > ExecStart=/usr/sbin/ip tunnel add he-ipv6 mode sit remote 216.218.226.238 local 50.47.100.167 ttl 255
> > > ExecStart=/usr/sbin/ip link set he-ipv6 up mtu 1480
> > > ExecStart=/usr/sbin/ip addr add 2001:470:a:c3::2/64 dev he-ipv6
> > > ExecStart=/usr/sbin/ip -6 route add ::/0 dev he-ipv6
> > > ExecStop=/usr/sbin/ip -6 route del ::/0 dev he-ipv6
> > > ExecStop=/usr/sbin/ip link set he-ipv6 down
> > > ExecStop=/usr/sbin/ip tunnel del he-ipv6
> > > 
> > > [Install]
> > > WantedBy=multi-user.target
> > 
> > I must be being dense here. Can someone please explain what Tom is telling
> > me here?
> 
> What I am telling you is that you have these two routes:
> 
> fe80::/64 dev eth2 proto kernel metric 256
> fe80::/64 dev eth1 proto kernel metric 256
> 
> So the hosts connected to one of those are going to be unreachable. You
> need to configure the IP addresses on those devices as /72, not /64,
> which means that you will have to assign IP addresses to hosts connected
> to those interfaces manually or using DHCPv6. You will not be able to
> use stateless autoconfiguration.
> 
> You have not told us where you are trying to ping from -- firewall or
> host behind the firewall? But you are not allowing Ping from any place
> to any other place in this configuration; AllowICMPs does not allow
> ping; it only allows those ICMPs specified by RFC 4890 as 'must allow'
> by routers. That explains the errors when Shorewall is started. But it
> doesn't explain the issue when Shorewall is cleared. With Shorewall
> cleared, can you ping 2001:470:a:c3::1?
> 
> -Tom
> 
> Tom Eastep \ Q: What do you get when you cross a mobster with
> Shoreline, \ an international standard?
> Washington, USA \ A: Someone who makes you an offer you can't
> http://shorewall.org \ understand
> 


No I can't ping6 that with shorewall6 cleared.  I've said before that this is 
on the router.  And I must have something wrong with Shorewall6 with this error 
when not cleared.

I have no control over what link-local addresses do.

But, between this mess (whatever it is) and DHCP6, I just don't have time for 
this nonsense.  I am not going to spend another week trying to make IPV6 work 
when half my devices don't support it, my ISP doesn't support it, and my 
OpenStack hoster doesn't support it.  The docs on DHCPd6 are sparse and chaotic 
so it is practically impossible to set up as I need without extensive research 
and experimentation.

I can't afford to dedicate an indefinite amount of time to decrypting this, and 
especially after 18 years it should never be necessary for anyone to hassle 
with anything about IPV6.

IPV6 is just not ready and it looks like it never will be.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
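The misconfiguration Tom points at above (one /64 appearing as a connected route on both eth1 and eth2, so the kernel cannot tell which link a given host is on) can be detected mechanically from `ip -6 route` output, and the fix he proposes (carve the routed /64 into longer prefixes, one per interface, accepting that SLAAC no longer works) can be computed rather than typed by hand. The following is an added example written for this page; it is not code from the thread, from Shorewall, or from Hurricane Electric. The route lines are a constructed copy of the ones posted above, the function names (`ambiguous_prefixes`, `split_for_interfaces`, `interface_commands`, `supports_slaac`) are this example's own, and the default split length of /72 simply follows Tom's suggestion; any longer-than-64 prefix would do.

```python
"""Flag a global prefix that is connected on more than one interface and
plan a per-interface split of the routed /64 (added example, not from the thread)."""
import ipaddress
import re
from collections import defaultdict

# Constructed copy of the `ip -6 route` lines quoted in the thread.
ROUTE_OUTPUT = """\
2001:470:a:c3::/64 dev he-ipv6 proto kernel metric 256
2001:470:b:c3::/64 dev eth1 proto kernel metric 256
2001:470:b:c3::/64 dev eth2 proto kernel metric 256
fe80::/64 dev eth1 proto kernel metric 256
fe80::/64 dev eth2 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev he-ipv6 proto kernel metric 256
default dev he-ipv6 metric 1024
"""

# Only "proto kernel" routes are connected routes derived from an address
# on the interface; that is where a duplicated prefix does damage.
ROUTE_RE = re.compile(r"^(?P<prefix>\S+) dev (?P<dev>\S+) proto kernel")


def connected_prefixes(route_output):
    """Map each connected prefix to the list of interfaces it is on."""
    seen = defaultdict(list)
    for line in route_output.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        net = ipaddress.ip_network(m.group("prefix"), strict=False)
        seen[net].append(m.group("dev"))
    return seen


def ambiguous_prefixes(route_output):
    """Global prefixes connected on more than one interface.

    fe80::/64 is legitimately present on every interface (link-local scope),
    so it is skipped; a global /64 on two links is the real problem."""
    return {
        net: devs
        for net, devs in connected_prefixes(route_output).items()
        if len(devs) > 1 and not net.is_link_local
    }


def supports_slaac(prefix):
    """Stateless autoconfiguration (RFC 4862) needs a 64-bit interface ID,
    so only a /64 qualifies; anything longer forces manual or DHCPv6 addressing."""
    return ipaddress.ip_network(prefix).prefixlen == 64


def split_for_interfaces(routed_prefix, interfaces, new_prefix=72):
    """Hand out consecutive sub-prefixes of the routed block, one per interface."""
    net = ipaddress.ip_network(routed_prefix)
    if new_prefix <= net.prefixlen:
        raise ValueError("new_prefix must be longer than the routed prefix")
    subnets = net.subnets(new_prefix=new_prefix)
    return {iface: next(subnets) for iface in interfaces}


def interface_commands(plan):
    """Render `ip addr add` lines giving the router the ::1 of each subnet."""
    return [
        f"ip addr add {net[1]}/{net.prefixlen} dev {iface}"
        for iface, net in plan.items()
    ]


if __name__ == "__main__":
    for net, devs in ambiguous_prefixes(ROUTE_OUTPUT).items():
        print(f"{net} is connected on {', '.join(devs)}; hosts on one link are unreachable")
    plan = split_for_interfaces("2001:470:b:c3::/64", ["eth1", "eth2"])
    for cmd in interface_commands(plan):
        print(cmd)
    print("SLAAC possible after split:", supports_slaac(str(plan["eth1"])))
```

Run against the posted output, the check reports exactly one ambiguous prefix, `2001:470:b:c3::/64` on eth1 and eth2, and proposes `2001:470:b:c3::/72` for eth1 and `2001:470:b:c3:100::/72` for eth2. The `supports_slaac` result for the new subnets is false, which is the trade-off Tom describes: once the LAN prefixes are longer than /64, hosts need static addresses or DHCPv6.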
