<p dir="ltr">Your router ignoring RAs is another sign you have broken filtering. Don't waste time cobbling it together, spend time making the standard mechanisms work correctly on your router (many hundreds of people were connecting to Internode's IPv6 services using those standard mechanisms when I left that project, and that was back in 2010. So they're now well and truly proven 5 years later).</p>
<div class="gmail_quote">On 19 Oct 2015 19:41, "David Beveridge" &lt;<a href="mailto:dave@bevhost.com">dave@bevhost.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div><br></div><div class="gmail_extra"><div class="gmail_quote">On Mon, Oct 19, 2015 at 3:40 PM, Mark Smith <span dir="ltr">&lt;<a href="mailto:markzzzsmith@gmail.com" target="_blank">markzzzsmith@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><p dir="ltr"><br>
On 19 Oct 2015 3:39 pm, "David Beveridge" &lt;<a href="mailto:dave@bevhost.com" target="_blank">dave@bevhost.com</a>&gt; wrote:<br>
><br>
><br>&lt;snip&gt;<span><br>
> 14:33:22 dhcp,debug,packet send pppoe-out1-internode -> ff02::1:2%85 <br>
> 14:33:22 dhcp,debug,packet type: solicit <br></span></p></div></blockquote><div>&lt;snip&gt; </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><p dir="ltr">You're not getting DHCPv6 Advertise messages in response to your Solicit messages. DHCPv6 will be timing out.</p>
<p dir="ltr">It is likely that Internode are sending them, so I think it is more likely your device is dropping them. You might want to do a packet capture on incoming packets to confirm that they're being sent.<br></p>
<p dir="ltr">DHCPv6 uses UDP ports 546 and 547, clients listen on 546, servers and relays listen on 547, so you'll need to allow incoming UDP port 546.</p><p>There might be an issue with a stateful firewall - DHCPv6 clients use multicast destination addresses to reach DHCPv6 servers or relays (ff02::1:2), whereas the response will be a unicast. Some stateful firewalls don't understand that the transaction to allow is multicast out, matching unicast in (which in the case of DHCPv6, packets are matched up using the <span style="color:rgb(0,0,0);font-size:13.3333px">transaction-id field)</span>, and therefore would drop the unicast in. For example, Linux ip6tables suffers from this (or used to last I looked), and would need a dhcpv6 specific handling module that would match up transaction packets when their destination address is of a different type.</p></div></blockquote><div>With just these rules, I'm pretty sure that the router isn't blocking traffic in.</div><div><br></div><div>/ipv6 firewall filter<br></div><div><div>add action=log chain=forward comment="Allow safe_ip6 to forward" log-prefix="ipv6 forward" src-address-list=safe_ip6</div><div>add action=log chain=input comment="Allow any to router IP" in-interface=pppoe-out1-internode log-prefix="ipv6 in "</div><div>add action=log chain=output comment="Allow anything out" log-prefix="ipv6 out" out-interface=pppoe-out1-internode </div></div><div><br></div><div><div>16:39:23 dhcp,debug,packet send pppoe-out1-internode -> ff02::1:2%87 </div><div>16:39:23 dhcp,debug,packet type: solicit </div><div>16:39:23 dhcp,debug,packet transaction-id: dbc008 </div><div>16:39:23 dhcp,debug,packet -> clientid: 00030001 4c5e0c6b a452 </div><div>16:39:23 dhcp,debug,packet -> oro: 23 </div><div>16:39:23 dhcp,debug,packet -> elapsed_time: 31 </div><div>16:39:23 dhcp,debug,packet -> ia_pd: </div><div>16:39:23 dhcp,debug,packet t1: 1800 </div><div>16:39:23 dhcp,debug,packet t2: 2880 </div><div>16:39:23 dhcp,debug,packet id: 0x12 
</div><div>16:39:23 firewall,info ipv6 out output: in:(none) out:pppoe-out1-internode, proto UDP, [fe80::12]:546->[ff02::1:2]:547, len 54 </div><div>16:39:24 firewall,info ipv6 in input: in:pppoe-out1-internode out:(none), proto ICMP (type 134, code 0), fe80::224:14ff:fe9a:bc00->ff02::1, len 56 </div><div><br></div><div>I do get some Router advertisements (ICMP134) from Internode which my router appears to ignore.</div><div>Since I don't really need a public IPv6 there, I'm not so worried about that.</div><div>I did use wireshark to see what was inside that packet and if I manually add an IPv6 address from the prefix I can ping it from the Internet.</div><div><br></div><div>But what I really need to work is the DHCPv6-PD, and I've never seen a reply to the solicit, either on packet capture or firewall logs.</div><div>I have already tried another router ( A Linksys - exactly the same result). Perhaps I should try a linux box.</div><div><br></div><div>I think unless the DHCPv6-PD completes, I do not have that block routed to me.</div><div><br></div><div><br></div><div>dave</div></div></div></div></div>
</blockquote></div>
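<p>Added example, not part of the original thread or any router's code: a small Python model of the matching the thread describes, where an outbound multicast Solicit to ff02::1:2 port 547 is paired with an inbound unicast to port 546 by the DHCPv6 transaction-id rather than by addresses. The class and function names are hypothetical, the server address <code>fe80::1</code> is constructed, and the transaction-id and interface name are taken from the log quoted above.</p>

```python
import ipaddress
import struct

ALL_DHCP_RELAYS_AND_SERVERS = ipaddress.ip_address("ff02::1:2")
CLIENT_PORT, SERVER_PORT = 546, 547
SOLICIT, ADVERTISE, REPLY = 1, 2, 7  # DHCPv6 message types used here


def parse_header(payload: bytes):
    """Return (msg_type, transaction_id) from the 4-byte DHCPv6 client/server header."""
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 message")
    word = struct.unpack("!I", payload[:4])[0]
    return word >> 24, word & 0xFFFFFF


def five_tuple_match(out_dst: str, in_src: str) -> bool:
    """What address-based state tracking expects: reply source == original destination."""
    return ipaddress.ip_address(out_dst) == ipaddress.ip_address(in_src)


class Dhcpv6ClientTracker:
    """Hypothetical helper: accept inbound unicast only for a pending transaction-id."""

    def __init__(self):
        self.pending = {}  # transaction-id -> interface (a real helper would expire these)

    def outbound(self, iface, dst, dport, payload):
        _, xid = parse_header(payload)
        if ipaddress.ip_address(dst) == ALL_DHCP_RELAYS_AND_SERVERS and dport == SERVER_PORT:
            self.pending[xid] = iface

    def inbound(self, iface, dport, payload):
        try:
            msg_type, xid = parse_header(payload)
        except ValueError:
            return "drop"
        ok = (dport == CLIENT_PORT and msg_type in (ADVERTISE, REPLY)
              and self.pending.get(xid) == iface)
        return "accept" if ok else "drop"


def demo():
    fw, iface = Dhcpv6ClientTracker(), "pppoe-out1-internode"
    xid = bytes.fromhex("dbc008")  # transaction-id from the quoted Solicit log
    fw.outbound(iface, "ff02::1:2", SERVER_PORT, bytes([SOLICIT]) + xid)
    server = "fe80::1"  # constructed link-local server address
    return {
        "five_tuple": five_tuple_match("ff02::1:2", server),
        "matching_xid": fw.inbound(iface, CLIENT_PORT, bytes([ADVERTISE]) + xid),
        "unknown_xid": fw.inbound(iface, CLIENT_PORT, bytes([ADVERTISE]) + b"\x00\x00\x01"),
        "wrong_iface": fw.inbound("ether1", CLIENT_PORT, bytes([ADVERTISE]) + xid),
    }
```

<p>The <code>five_tuple</code> result is false for any unicast responder, which is why the Advertise needs either an explicit inbound UDP 546 rule or transaction-aware tracking.</p>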