I’m running into an issue with IPv6 routing in my VPN. My firewall is a bit more complicated than usual, but not that crazy:

(Parentheses are (interface — zone) format)

* Internet (eno2 — “net6”)
* Main zone (eno1 — “gige6”)
* DMZ for Guests (enp4s0 — “dmz6”)
* DMZ for LXC Containers (br0 — “lxc6”) — and veth* for each LXC container.
* OpenVPN (tun0 — “road6”)
* WireGuard VPN (wg0 — “wire6”)

I’m using WireGuard for my shorewall-dump file. I can connect to the WireGuard VPN, and IPv4 is fine.

From IPv6’s perspective, a VPN client can connect to the VPN, and the client can connect from itself to the VPN’s ‘wg0’ virtual interface, as well as the IPv6 addresses for en01, eno2, and enp4s0. I’m unable to connect to anything inside the ‘lxc6’, ‘gige6’, or ‘net6’ zones.

I have my policy for the VPN zone set so it is permissive - wire6 can connect to/from the lxc6, gige6, and net6 zones. I’ve got logging turned up, and I can see a couple of “wire6-fw6 ACCEPT” and “wire6-net6 ACCEPT” messages — but they don’t necessarily belong to the connections I’m trying for debugging.

I obtained the attached shorewall6-dump using the following scriptlet from the VPN client. (2001:7b8:666:ffff::1:42 is the IPv6 address for towel.blinkenlights.nl)

    $ ssh -6 pilot.pariahzero.net "sudo shorewall6 reset"; ping6 -c3 ipv6.google.com; ping6 -c3 tabletop.pariahzero.net; nc -w 30 2001:7b8:666:ffff::1:42 23; ssh -6 pilot.pariahzero.net "sudo shorewall6 dump > shorewall6-dump"
    Shorewall6 Counters Reset
    PING6(56=40+8+8 bytes) 2601:681:4100:d593::1:5 --> 2607:f8b0:400f:805::200e

    --- ipv6.l.google.com ping6 statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss
    PING6(56=40+8+8 bytes) 2601:681:4100:d593::1:5 --> 2601:681:4100:d591:216:3eff:febc:9642

    --- tabletop.pariahzero.net ping6 statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss

(The netcat to towel.blinkenlights.nl timed out after 30 seconds)

Does anybody know why I’m not able to get the packets to route as expected?

Thanks.

shorewall6-dump.bz2
Description: BZip2 compressed data
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users