[AusNOG] Fwd: Internode IPv6 Support
Mark Smith
markzzzsmith at gmail.com
Mon Oct 19 19:56:36 EST 2015
Your router ignoring RAs is another sign you have broken filtering. Don't
waste time cobbling it together, spend time making the standard mechanisms
work correctly on your router (many hundreds of people were connecting to
Internode's IPv6 services using those standard mechanisms when I left that
project, and that was back in 2010. So they're now well and truly proven 5
years later).
On 19 Oct 2015 19:41, "David Beveridge" <dave at bevhost.com> wrote:
>
>
> On Mon, Oct 19, 2015 at 3:40 PM, Mark Smith <markzzzsmith at gmail.com>
> wrote:
>
>>
>> On 19 Oct 2015 3:39 pm, "David Beveridge" <dave at bevhost.com> wrote:
>> >
>> >
>> <snip>
>> > 14:33:22 dhcp,debug,packet send pppoe-out1-internode -> ff02::1:2%85
>> > 14:33:22 dhcp,debug,packet type: solicit
>>
> <snip>
>
>> You're not getting DHCPv6 Advertise messages in response to your Solicit
>> messages. DHCPv6 will be timing out.
>>
>> It is likely that Internode are sending them, so I think it is more
>> likely your device is dropping them. You might want to do a packet capture
>> on incoming packets to confirm that they're being sent.
>>
>> DHCPv6 uses UDP ports 546 and 547, clients listen on 546, servers and
>> relays listen on 547, so you'll need to allow incoming UDP port 546.
>>
>> There might be an issue with a stateful firewall - DHCPv6 clients use
>> multicast destination addresses to reach DHCPv6 servers or relays
>> (ff02::1:2), whereas the response will be a unicast. Some stateful
>> firewalls don't understand that the transaction to allow is multicast out,
>> matching unicast in (which in the case of DHCPv6, packets are matched up
>> using the transaction-id field), and therefore would drop the unicast
>> in. For example, Linux ip6tables suffers from this (or used to last I
>> looked), and would need a dhcpv6 specific handling module that would match
>> up transaction packets when their destination address is of a different
>> type.
>>
> With just these rules, I'm pretty sure that the router isn't blocking
> traffic in.
>
> /ipv6 firewall filter
> add action=log chain=forward comment="Allow safe_ip6 to forward"
> log-prefix="ipv6 forward" src-address-list=safe_ip6
> add action=log chain=input comment="Allow any to router IP"
> in-interface=pppoe-out1-internode log-prefix="ipv6 in "
> add action=log chain=output comment="Allow anything out" log-prefix="ipv6
> out" out-interface=pppoe-out1-internode
>
> 16:39:23 dhcp,debug,packet send pppoe-out1-internode -> ff02::1:2%87
> 16:39:23 dhcp,debug,packet type: solicit
> 16:39:23 dhcp,debug,packet transaction-id: dbc008
> 16:39:23 dhcp,debug,packet -> clientid: 00030001 4c5e0c6b a452
> 16:39:23 dhcp,debug,packet -> oro: 23
> 16:39:23 dhcp,debug,packet -> elapsed_time: 31
> 16:39:23 dhcp,debug,packet -> ia_pd:
> 16:39:23 dhcp,debug,packet t1: 1800
> 16:39:23 dhcp,debug,packet t2: 2880
> 16:39:23 dhcp,debug,packet id: 0x12
> 16:39:23 firewall,info ipv6 out output: in:(none)
> out:pppoe-out1-internode, proto UDP, [fe80::12]:546->[ff02::1:2]:547, len
> 54
> 16:39:24 firewall,info ipv6 in input: in:pppoe-out1-internode out:(none),
> proto ICMP (type 134, code 0), fe80::224:14ff:fe9a:bc00->ff02::1, len 56
>
> I do get some Router advertisements (ICMP134) from Internode which my
> router appears to ignore.
> Since I don't really need a public IPv6 there, I'm not so worried about
> that.
> I did use wireshark to see what was inside that packet and if I manually
> add an IPv6 address from the prefix I can ping it from the Internet.
>
> But what I really need to work is the DHCPv6-PD, and I've never seen a
> reply to the solicit, either on packet capture or firewall logs.
> I have already tried another router (a Linksys - exactly the same
> result). Perhaps I should try a linux box.
>
> I think unless the DHCPv6-PD completes, I do not have that block routed to
> me.
>
>
> dave
>
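As an added illustration of the multicast-out, unicast-in matching problem described in the quoted reply (example code written for this archive page, not from the thread or any firewall product), here is a small Python model of the Solicit/Advertise exchange using the transaction-id from the log, checked against a plain mirrored-4-tuple rule and against a transaction-id-aware helper. The packet contents, the Dhcpv6Tracker class and the mirror_match function are constructed assumptions.

```python
import struct

SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7   # DHCPv6 message types (RFC 8415)
CLIENT_PORT, SERVER_PORT = 546, 547                # ports named in the thread
OPT_CLIENTID, OPT_IA_PD = 1, 25                    # option codes used below

def build_dhcpv6(msg_type, xid, options=()):
    """Encode the 4-byte header (type + 3-byte transaction-id) followed by TLV options."""
    body = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return bytes([msg_type]) + xid.to_bytes(3, "big") + body

def parse_dhcpv6(payload):
    """Return (msg_type, transaction-id, {option_code: data}) from a UDP payload."""
    msg_type, xid, opts, off = payload[0], int.from_bytes(payload[1:4], "big"), {}, 4
    while off + 4 <= len(payload):
        code, length = struct.unpack("!HH", payload[off:off + 4])
        opts[code] = payload[off + 4:off + 4 + length]
        off += 4 + length
    return msg_type, xid, opts

def mirror_match(outbound, inbound):
    """Plain stateful rule: a reply must be the exact address/port mirror of the request."""
    return (inbound["src"], inbound["sport"], inbound["dst"], inbound["dport"]) == \
           (outbound["dst"], outbound["dport"], outbound["src"], outbound["sport"])

class Dhcpv6Tracker:
    """Helper that pairs a reply with its request by transaction-id, ignoring addresses."""
    def __init__(self):
        self.pending = {}  # transaction-id -> message type the client sent
    def saw_outbound(self, pkt):
        msg_type, xid, _ = parse_dhcpv6(pkt["payload"])
        if pkt["dport"] == SERVER_PORT and msg_type in (SOLICIT, REQUEST):
            self.pending[xid] = msg_type
    def allows_inbound(self, pkt):
        msg_type, xid, _ = parse_dhcpv6(pkt["payload"])
        expected = {SOLICIT: ADVERTISE, REQUEST: REPLY}.get(self.pending.get(xid))
        return pkt["dport"] == CLIENT_PORT and msg_type == expected

# Constructed packets modelled on the log: Solicit (xid dbc008) to ff02::1:2, Advertise back unicast.
XID = 0xDBC008
IA_PD = bytes.fromhex("00000012" "00000708" "00000b40")  # IAID 0x12, T1 1800, T2 2880
SOLICIT_PKT = {"src": "fe80::12", "sport": CLIENT_PORT, "dst": "ff02::1:2", "dport": SERVER_PORT,
               "payload": build_dhcpv6(SOLICIT, XID, [(OPT_CLIENTID, bytes.fromhex("000300014c5e0c6ba452")),
                                                      (OPT_IA_PD, IA_PD)])}
ADVERTISE_PKT = {"src": "fe80::224:14ff:fe9a:bc00", "sport": SERVER_PORT, "dst": "fe80::12",
                 "dport": CLIENT_PORT, "payload": build_dhcpv6(ADVERTISE, XID, [(OPT_IA_PD, IA_PD)])}

def compare(solicit=SOLICIT_PKT, advertise=ADVERTISE_PKT):
    """Return (mirror_result, tracker_result): does each rule let the Advertise in?"""
    tracker = Dhcpv6Tracker()
    tracker.saw_outbound(solicit)
    return mirror_match(solicit, advertise), tracker.allows_inbound(advertise)  # -> (False, True)
```

The mirror rule drops the unicast Advertise because its source is not the multicast address the Solicit went to, while the transaction-id pairing admits it; an Advertise carrying an unknown transaction-id is still refused.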