[AusNOG] Fwd: Internode IPv6 Support

David Beveridge dave at bevhost.com
Mon Oct 19 19:41:21 EST 2015


On Mon, Oct 19, 2015 at 3:40 PM, Mark Smith <markzzzsmith at gmail.com> wrote:

>
> On 19 Oct 2015 3:39 pm, "David Beveridge" <dave at bevhost.com> wrote:
> >
> >
> <snip>
> > 14:33:22 dhcp,debug,packet send pppoe-out1-internode -> ff02::1:2%85
> > 14:33:22 dhcp,debug,packet type: solicit
>
<snip>

> You're not getting DHCPv6 Advertise messages in response to your Solicit
> messages. DHCPv6 will be timing out.
>
> It is likely that Internode are sending them, so I think it is more likely
> your device is dropping them. You might want to do a packet capture on
> incoming packets to confirm that they're being sent.
>
> DHCPv6 uses UDP ports 546 and 547, clients listen on 546, servers and
> relays listen on 547, so you'll need to allow incoming UDP port 546.
>
> There might be an issue with a stateful firewall - DHCPv6 clients use
> multicast destination addresses to reach DHCPv6 servers or relays
> (ff02::1:2), whereas the response will be a unicast. Some stateful
> firewalls don't understand that the transaction to allow is multicast out,
> matching unicast in (which in the case of DHCPv6, packets are matched up
> using the transaction-id field), and therefore would drop the unicast in.
> For example, Linux ip6tables suffers from this (or used to last I looked),
> and would need a dhcpv6 specific handling module that would match up
> transaction packets when their destination address is of a different type.
>
With just these rules, I'm pretty sure that the router isn't blocking
traffic in.

/ipv6 firewall filter
add action=log chain=forward comment="Allow safe_ip6 to forward" log-prefix="ipv6 forward" src-address-list=safe_ip6
add action=log chain=input comment="Allow any to router IP" in-interface=pppoe-out1-internode log-prefix="ipv6 in "
add action=log chain=output comment="Allow anything out" log-prefix="ipv6 out" out-interface=pppoe-out1-internode

16:39:23 dhcp,debug,packet send pppoe-out1-internode -> ff02::1:2%87
16:39:23 dhcp,debug,packet type: solicit
16:39:23 dhcp,debug,packet transaction-id: dbc008
16:39:23 dhcp,debug,packet  -> clientid:  00030001 4c5e0c6b a452
16:39:23 dhcp,debug,packet  -> oro: 23
16:39:23 dhcp,debug,packet  -> elapsed_time: 31
16:39:23 dhcp,debug,packet  -> ia_pd:
16:39:23 dhcp,debug,packet    t1: 1800
16:39:23 dhcp,debug,packet    t2: 2880
16:39:23 dhcp,debug,packet    id: 0x12
16:39:23 firewall,info ipv6 out output: in:(none) out:pppoe-out1-internode, proto UDP, [fe80::12]:546->[ff02::1:2]:547, len 54
16:39:24 firewall,info ipv6 in  input: in:pppoe-out1-internode out:(none), proto ICMP (type 134, code 0), fe80::224:14ff:fe9a:bc00->ff02::1, len 56

I do get some Router advertisements (ICMP134) from Internode which my
router appears to ignore.
Since I don't really need a public IPv6 there, I'm not so worried about
that.
I did use Wireshark to see what was inside that packet and if I manually
add an IPv6 address from the prefix I can ping it from the Internet.

But what I really need to work is the DHCPv6-PD, and I've never seen a
reply to the solicit, either on packet capture or firewall logs.
I have already tried another router (a Linksys - exactly the same
result).  Perhaps I should try a Linux box.

I think unless the DHCPv6-PD completes, I do not have that block routed to
me.


dave
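
The transaction matching described in the quoted reply, as an added example that is not part of the original post and is not RouterOS or ip6tables code: it rebuilds the Solicit from the debug log values above and admits an inbound unicast to UDP 546 only when its transaction-id matches a pending multicast request. The `Dhcpv6Tracker` class and the helper names are hypothetical.

```python
import ipaddress
import struct

SOLICIT, ADVERTISE, REPLY = 1, 2, 7                    # DHCPv6 message types
OPT_CLIENTID, OPT_ORO, OPT_ELAPSED, OPT_IA_PD = 1, 6, 8, 25
ALL_RELAYS_SERVERS = ipaddress.ip_address("ff02::1:2")

def opt(code, data):
    """Encode one option: 2-byte code, 2-byte length, then the data."""
    return struct.pack("!HH", code, len(data)) + data

def build_msg(msg_type, xid, options=b""):
    """1-byte message type, 3-byte transaction-id, then options."""
    return bytes([msg_type]) + xid.to_bytes(3, "big") + options

def parse_header(payload):
    if len(payload) < 4:
        raise ValueError("short DHCPv6 message")
    return payload[0], int.from_bytes(payload[1:4], "big")

def sample_solicit():
    """Constructed from the values in the debug log above."""
    options = (opt(OPT_CLIENTID, bytes.fromhex("000300014c5e0c6ba452"))
               + opt(OPT_ORO, struct.pack("!H", 23))
               + opt(OPT_ELAPSED, struct.pack("!H", 31))
               + opt(OPT_IA_PD, struct.pack("!III", 0x12, 1800, 2880)))
    return build_msg(SOLICIT, 0xDBC008, options)

class Dhcpv6Tracker:
    """Hypothetical state table keyed on transaction-id, not on addresses."""
    def __init__(self):
        self.pending = set()

    def outbound(self, dst, sport, dport, payload):
        # Remember client messages sent to the multicast group.
        if (ipaddress.ip_address(dst) == ALL_RELAYS_SERVERS
                and (sport, dport) == (546, 547)):
            self.pending.add(parse_header(payload)[1])

    def inbound_allowed(self, dst, dport, payload):
        # The reply is unicast from an address the client never sent to, so
        # address-based tracking sees no related flow; only the xid links them.
        if dport != 546 or ipaddress.ip_address(dst).is_multicast:
            return False
        try:
            mtype, xid = parse_header(payload)
        except ValueError:
            return False
        return mtype in (ADVERTISE, REPLY) and xid in self.pending
```

The rebuilt Solicit is 46 bytes, which with the 8-byte UDP header is consistent with the `len 54` in the firewall log line.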