outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Tuesday, 03 February 2009 18:36:25
hi,
i just managed to get a working setup of my assigned subnet for my local network, for one machine at this time, actually.
unfortunately after a very short time i lose the ability to reach the outside world. after pinging my sixxs ipv6 address it is working again.
watch this
seaburg ~ # ping6 -I eth0 ipv6.google.com
PING ipv6.google.com(2001:4860:0:1001::68) from 2001:15c0:66e4:0:2e0:81ff:feb0:83fa eth0: 56 data bytes
^C
--- ipv6.google.com ping statistics ---
24 packets transmitted, 0 received, 100% packet loss, time 23048ms
seaburg ~ # ping6 -I eth0 2001:15c0:65ff:204::2
PING 2001:15c0:65ff:204::2(2001:15c0:65ff:204::2) from 2001:15c0:66e4:0:2e0:81ff:feb0:83fa eth0: 56 data bytes
64 bytes from 2001:15c0:65ff:204::2: icmp_seq=1 ttl=64 time=2.57 ms
64 bytes from 2001:15c0:65ff:204::2: icmp_seq=2 ttl=64 time=0.253 ms
64 bytes from 2001:15c0:65ff:204::2: icmp_seq=3 ttl=64 time=0.280 ms
64 bytes from 2001:15c0:65ff:204::2: icmp_seq=4 ttl=64 time=0.249 ms
^C
--- 2001:15c0:65ff:204::2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.249/0.838/2.572/1.001 ms
seaburg ~ # ping6 -I eth0 ipv6.google.com
PING ipv6.google.com(2001:4860:0:1001::68) from 2001:15c0:66e4:0:2e0:81ff:feb0:83fa eth0: 56 data bytes
64 bytes from 2001:4860:0:1001::68: icmp_seq=1 ttl=56 time=162 ms
64 bytes from 2001:4860:0:1001::68: icmp_seq=2 ttl=56 time=212 ms
64 bytes from 2001:4860:0:1001::68: icmp_seq=3 ttl=56 time=211 ms
64 bytes from 2001:4860:0:1001::68: icmp_seq=4 ttl=56 time=199 ms
^C
--- ipv6.google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 162.145/196.504/212.460/20.452 ms
seaburg ~ #
what could be causing this?
thanks in advance for the help && kind regards
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Tuesday, 03 February 2009 20:15:36
What kind of tunnel do you have? If it is ayiya, do you have the heartbeat enabled?
outside world only reachable after pinging gateway ?!?!
Jeroen Massar on Tuesday, 03 February 2009 20:42:08
See the FAQ - My tunnel goes down after some idletime. My tunnelendpoint also is a NAT/Connection Tracker
64 bytes from 2001:4860:0:1001::68: icmp_seq=2 ttl=56 time=212 ms
200+ ms to Google, I wonder how your routing goes as that is a lot of latency to that well-connected place.
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Tuesday, 03 February 2009 20:55:22
thanks for your replies.
my tunnel is static.
the latency to ipv6.google.com is now around 65 ms.
the tunnel itself is still working, i did not state that in my initial post.
only the connectivity from the local network computers is lost. i can still ping6 from my firewall.
any ideas what could be causing this?
ahuemer@seaburg ~ % ping6 -c3 ipv6.google.com
PING ipv6.google.com(2001:4860:0:1001::68) 56 data bytes
--- ipv6.google.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2014ms
ahuemer@seaburg ~ % ssh wall ping6 -c 3 ipv6.google.com
PING ipv6.google.com(2001:4860:0:1001::68) 56 data bytes
64 bytes from 2001:4860:0:1001::68: icmp_seq=1 ttl=57 time=70.8 ms
64 bytes from 2001:4860:0:1001::68: icmp_seq=2 ttl=57 time=68.4 ms
64 bytes from 2001:4860:0:1001::68: icmp_seq=3 ttl=57 time=67.0 ms
--- ipv6.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 67.037/68.777/70.848/1.573 ms
ahuemer@seaburg ~ % ping6 -c3 ipv6.google.com
PING ipv6.google.com(2001:4860:0:1001::68) 56 data bytes
--- ipv6.google.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2009ms
ahuemer@seaburg ~ % ping6 -c3 2001:15c0:65ff:204::2
PING 2001:15c0:65ff:204::2(2001:15c0:65ff:204::2) 56 data bytes
64 bytes from 2001:15c0:65ff:204::2: icmp_seq=1 ttl=64 time=2.57 ms
64 bytes from 2001:15c0:65ff:204::2: icmp_seq=2 ttl=64 time=0.230 ms
64 bytes from 2001:15c0:65ff:204::2: icmp_seq=3 ttl=64 time=0.190 ms
--- 2001:15c0:65ff:204::2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 0.190/0.997/2.572/1.113 ms
ahuemer@seaburg ~ % ping6 -c3 ipv6.google.com
PING ipv6.google.com(2001:4860:0:1001::68) 56 data bytes
64 bytes from 2001:4860:0:1001::68: icmp_seq=1 ttl=56 time=70.3 ms
64 bytes from 2001:4860:0:1001::68: icmp_seq=2 ttl=56 time=62.4 ms
64 bytes from 2001:4860:0:1001::68: icmp_seq=3 ttl=56 time=65.0 ms
--- ipv6.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 62.468/65.950/70.331/3.285 ms
ahuemer@seaburg ~ %
seaburg is my workstation, wall is my firewall.
2001:15c0:65ff:204::2 is the address of the sixxs interface on my firewall.
outside world only reachable after pinging gateway ?!?!
Jeroen Massar on Tuesday, 03 February 2009 21:04:52
The connection tracking portion of your 'firewall', as when it doesn't find any packets going in/outbound anymore for a while it will lose the connection entry in its tracking tables and start blocking packets, until you send a packet outbound as then there is a valid entry in the table again. See the FAQ item.
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Tuesday, 03 February 2009 21:51:17
thanks for your reply.
i checked the FAQ. unfortunately i did not find anything that helped me.
which item are you referring to?
thanks.
outside world only reachable after pinging gateway ?!?!
Jeroen Massar on Tuesday, 03 February 2009 21:53:08
From the message above: See the FAQ - My tunnel goes down after some idletime. My tunnelendpoint also is a NAT/Connection Tracker
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Wednesday, 04 February 2009 12:54:12
i went through this FAQ entry and found out that the first way
iptables -t nat -A POSTROUTING --proto ! 41 -o [Your IPv4 Interface] -j MASQUERADE
works for me.
the second way
iptables -t raw -A PREROUTING --proto 41 -j NOTRACK
does NOT, although i have NOTRACK support. now i wonder why this could be the case. any ideas? my existing iptables setup is nothing uncommon. i can post the obfuscated rules if that's necessary.
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Wednesday, 04 February 2009 13:05:30
ok, my last post was too early.
it does actually NOT work with the first rule.
without pinging the outside ipv6 address i lose connectivity.
what's wrong here?
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Wednesday, 04 February 2009 19:59:36
Can you post your iptables and ip6tables rules?
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Wednesday, 04 February 2009 22:26:07
# iptables -t filter -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6889 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5900 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5800 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5500:5519 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4665
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4672
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:12413
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2234 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3389
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5902 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5901 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:222 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:70 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:69 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1099 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2000 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4080 state NEW
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
ACCEPT all -- 192.168.0.0/24 0.0.0.0/0 state INVALID,NEW
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6889 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5900 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5800 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5500:5519 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4665
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4672
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:12413
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2234 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3389
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5902 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5901 state NEW
ACCEPT all -- 192.168.0.0/24 0.0.0.0/0 state INVALID,NEW
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.0.0/24 0.0.0.0/0 state INVALID,NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
ACCEPT all -- 192.168.0.1 0.0.0.0/0 state INVALID,NEW
ACCEPT all -- 172.17.118.95 0.0.0.0/0 state INVALID,NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpts:6881:6889 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpts:6881:6889 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:4662 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:4662 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:5900 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:5900 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:5800 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:5800 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpts:5500:5519 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpts:5500:5519 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 83.65.26.208 udp dpt:4665 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 192.168.0.1 udp dpt:4665 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 83.65.26.208 udp dpt:4672 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 192.168.0.1 udp dpt:4672 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 83.65.26.208 udp dpt:12413 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 192.168.0.1 udp dpt:12413 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:2234 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:2234 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:3389 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:3389 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 83.65.26.208 udp dpt:3389 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 192.168.0.1 udp dpt:3389 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:5902 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:5902 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:5901 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:5901 to:192.168.0.2
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpts:6881:6889 to:192.168.0.1
SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:4662 to:192.168.0.1
SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:5900 to:192.168.0.1
SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:5800 to:192.168.0.1
SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpts:5500:5519 to:192.168.0.1
SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:2234 to:192.168.0.1
SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:3389 to:192.168.0.1
SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:5902 to:192.168.0.1
SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:5901 to:192.168.0.1
MASQUERADE !41 -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -t mangle -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
MARK icmp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff
MARK !tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
MARK icmp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff
MARK !tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
# iptables -t raw -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
#
i do not have ip6tables right now.
thanks for your time.
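As an added example (not from the thread or the SixXS FAQ), here is a small Python audit that parses an iptables -nL dump in the format posted above and checks it against the two FAQ rules quoted earlier (MASQUERADE excluding protocol 41, NOTRACK for protocol 41); it also flags the condition that makes the NOTRACK variant fail on a DROP-policy INPUT chain. The sample dump is a trimmed, constructed version of the one above, and 192.0.2.1 is a placeholder for the PoP address.

```python
import re
from collections import namedtuple

# One parsed rule / chain from `iptables -t <table> -nL` output.
Rule = namedtuple("Rule", "target proto source dest extra")   # extra = trailing matches
Chain = namedtuple("Chain", "policy rules")

CMD_RE = re.compile(r"^#\s*ip6?tables\s+-t\s+(\w+)")
CHAIN_RE = re.compile(r"^Chain\s+(\S+)\s+\(policy\s+(\w+)\)")


def parse_dump(text):
    """Return {table: {chain: Chain}}; the table name comes from the
    '# iptables -t X -nL' line preceding each listing, as pasted in the thread."""
    tables, table, chain = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CMD_RE.match(line)
        if m:
            table, chain = m.group(1), None
            tables.setdefault(table, {})
            continue
        m = CHAIN_RE.match(line)
        if m and table is not None:
            chain = m.group(1)
            tables[table][chain] = Chain(m.group(2), [])
            continue
        if chain is None or not line or line == "#" or line.startswith("target"):
            continue
        parts = line.split(None, 5)   # target prot opt source destination [matches]
        if len(parts) >= 5:
            target, proto, _opt, src, dst = parts[:5]
            extra = parts[5] if len(parts) == 6 else ""
            tables[table][chain].rules.append(Rule(target, proto, src, dst, extra))
    return tables


def matches_proto41(rule):
    """True if the rule's protocol field can match 6in4 packets (IP protocol 41)."""
    return rule.proto in ("all", "41", "ipv6")


def audit(tables):
    """Apply the FAQ's two approaches as checks; return a list of findings (empty = clean)."""
    findings, empty = [], Chain("ACCEPT", [])
    for r in tables.get("nat", {}).get("POSTROUTING", empty).rules:
        if r.target in ("MASQUERADE", "SNAT") and matches_proto41(r):
            findings.append(f"nat/POSTROUTING: {r.target} also rewrites protocol 41; "
                            "add '--proto ! 41' so tunnel packets are left alone")
    raw = tables.get("raw", {}).get("PREROUTING", empty).rules
    if not any(r.proto == "41" and (r.target == "NOTRACK" or
                                    (r.target == "CT" and "NOTRACK" in r.extra)) for r in raw):
        findings.append("raw/PREROUTING: no NOTRACK rule for protocol 41; idle tunnel "
                        "traffic stays subject to conntrack timeouts")
    # Caveat behind the 'NOTRACK does NOT work' report above: NOTRACKed packets carry the
    # conntrack state UNTRACKED, which '--state INVALID,NEW,RELATED,ESTABLISHED' never
    # matches, so a DROP-policy INPUT chain whose only ACCEPTs are state-qualified drops
    # the tunnel as soon as NOTRACK is added.
    inp = tables.get("filter", {}).get("INPUT", empty)
    state_free = any(r.target == "ACCEPT" and matches_proto41(r)
                     and ("state" not in r.extra or "UNTRACKED" in r.extra)
                     for r in inp.rules)
    if inp.policy == "DROP" and not state_free:
        findings.append("filter/INPUT: policy DROP and no state-free ACCEPT for protocol 41; "
                        "NOTRACKed tunnel packets (state UNTRACKED) would be dropped")
    return findings


# Constructed sample: a trimmed version of the dump posted above.
SAMPLE = """\
# iptables -t filter -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
# iptables -t nat -nL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE !41 -- 0.0.0.0/0 0.0.0.0/0
# iptables -t raw -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
"""

# Constructed: same ruleset plus a NOTRACK rule and a state-free ACCEPT for protocol 41
# from the tunnel's remote endpoint (192.0.2.1 is a placeholder for the PoP address).
HARDENED = (SAMPLE.replace("target prot opt source destination\n",
                           "target prot opt source destination\n"
                           "ACCEPT 41 -- 192.0.2.1 0.0.0.0/0\n", 1)
            + "NOTRACK 41 -- 0.0.0.0/0 0.0.0.0/0\n")

if __name__ == "__main__":
    for name, dump in (("posted", SAMPLE), ("hardened", HARDENED)):
        print(name, audit(parse_dump(dump)))
```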
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Wednesday, 04 February 2009 23:49:49
Nice set of rules you have there.
Try adding:
iptables -A INPUT -i <wan.interface> -p ipv6 -s <your sixxs ipv4 endpoint>/32 -j ACCEPT
to your INPUT chain.
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Thursday, 05 February 2009 10:55:57
thanks for your reply, but this does not work either.
in my case, my sixxs ipv4 endpoint is my outside ipv4 address from the ISP.
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Friday, 06 February 2009 06:51:58
hi all,
i'm interested in this thread too. i have the same problem.
- i can ping6 my gateway from internal network
- i can ping6 from my gateway to ipv6.google.com
- but i CAN'T ping6 to google through my gateway unless i pinged my gateway
i'm using radvd to publish my subnet through the internal interface.
this works fine i think...
but the hosts take the link-local address of my gateway as the default route and not my ipv6-subnet address of the internal interface of my gateway. does anybody know if this is correct?
when i reach office i will try out the 2 iptables rules reg. conntrack and will let you know.
cheers,
chris
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Friday, 06 February 2009 08:30:33
With the sixxs ipv4 endpoint I meant the address from the other side of the tunnel, not your own.
But maybe you should also take a look at the radvd config that was posted by Christoph.
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Friday, 06 February 2009 10:10:03
i am sorry, but i still don't get which address you mean.
you were talking about an ipv4 address, but in the next post about the tunnel endpoint address on the sixxs side, but this is an ipv6 address.
please, take the time and describe further which address we are talking about.
i tried that radvd config with my subnet prefix. nothing changed so far.
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Friday, 06 February 2009 12:21:15
hi,
ipv4-pings should not be your problem. i think if you would drop icmp's from the ipv4-endpoint at sixxs you should not be able to ping6 ipv6.google.com from your gateway.
changes of radvd.conf will take a while...
(radvd-)default life-time of dynamic v6-addresses is 30 days.
well you will *not* have to wait for 30 days to see any changes. but this might take some hours.
i changed my config (without effect) yesterday at about 16.00 CET.
the next morning (7.00 CET) everything worked fine...
i located this problem *only* with dynamic configuration.
fix-configured hosts did not lose connection.
cheers,
chris
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Friday, 06 February 2009 08:08:38
i was a little bit too fast with my post...
sorry for that.
works for me now.
the last thing i changed was radvd yesterday in the evening.
radvd-config before the changes was as simple as this:
interface eth0
{
AdvSendAdvert on;
prefix acdc:beef:dad:dead::/64
{
AdvOnLink on;
AdvAutonomous on;
};
};
now it is:
interface eth0
{
IgnoreIfMissing on;
AdvDefaultLifetime 3600;
AdvDefaultPreference high;
AdvSendAdvert on;
prefix acdc:beef:dad:dead::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
AdvValidLifetime 3600;
AdvPreferredLifetime 3600;
};
};
and the next morning everything worked fine.
all systems i tested are able to ping6 google and get response without pinging the gateway before.
so for me it was radvd-misconfiguration.
i have no(!) ipv6-related rules in my v4-firewall except allowing pings to my v4-address from the other tunnel endpoint...
cheers
chris
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Saturday, 07 February 2009 02:27:09
it still does not work for me.
i am running the same radvd configuration as suggested.
my iptables rules are already here in the thread.
what else can i do?
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Sunday, 08 February 2009 20:20:37
hey just wanted to let you know that you're not alone and i have had this exact same problem on one of my machines for the last couple weeks, and it has driven me crazy.
my problem is slightly different from yours (making it less serious) as the machine that is having problems is actually 3 hops from the sixxs tunnel, and can't get out anywhere until pinging its gateway (the box 2 hops from the tunnel). it has really puzzled me as it used to work fine, and broke about the same time i used the gui to configure the ip address of the interface (Using CentOS 5.2). i usually edit the files by hand, so i don't know if configuring the ip using the gui changed anything else. it would seem like a nat issue, but i have another (almost) identically configured machine in the same place on the network that does not have this issue.
i just read this thread, so i haven't had a chance to try the things mentioned here. i'm hoping some of the things mentioned will fix it.
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Monday, 09 February 2009 16:09:33
Are you using realtek network cards? Apparently there is a bug in the driver that causes it to ignore multicast traffic (i.e. your router trying to get the MAC address of the system you are on). It works fine if you have just done a ping since your router would know your MAC address.
One description here
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Monday, 09 February 2009 21:05:20
thanks for your thoughts.
no, i am using an intel 80003ES2LAN on the client, and an adaptec ANA620xx/ANA69011A on the server.
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Tuesday, 10 February 2009 16:14:21
that's weird, it seems your problem is so similar, but i wouldn't expect it with those brands. i ran tcpdump on both interfaces and noticed that the "neighbor solicitation" messages being sent by the firewall were not being received at all by some machines.
am i correct that your firewall is also not able to ping the computer on your internal network, until that computer has pinged your firewall?
one method i used to fix the problem, though not the best method possible, was to add a permanent entry in the neighbor table of the firewall. now the firewall no longer needs to send the "neighbor solicitation" requests (that my network card driver on the internal machine was ignoring) to get the other computer's mac address. for example...
box with problem has IP 2001:db8:108::2, and mac aa:bb:cc:11:22:33
so on my firewall i ran the command:
ip neighbor change to 2001:db8:108::2 dev eth1 lladdr aa:bb:cc:11:22:33 nud permanent
now the machine on the internal network (2001:db8:108::2) is able to access remote sites without first pinging its gateway.
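As an added example (not from the post above), a short Python script that turns the tcpdump observation into a repeatable check: it reads one-line `tcpdump -n icmp6` output, counts neighbor solicitations per target (multicast vs. unicast) against the neighbor advertisements that came back, and reports hosts that never answer the multicast solicitations. The capture lines are constructed; fe80::1 is assumed to be the firewall's link-local address, and 2001:db8:108::3 is an assumed healthy neighbour for comparison.

```python
import re
from collections import defaultdict

# One-line `tcpdump -n icmp6` output for neighbor discovery (assumed format).
NS_RE = re.compile(r"^\S+ IP6 (\S+) > (\S+): ICMP6, neighbor solicitation, who has (\S+),")
NA_RE = re.compile(r"^\S+ IP6 (\S+) > (\S+): ICMP6, neighbor advertisement, tgt is (\S+),")


def is_solicited_node_mcast(addr):
    """Solicited-node multicast addresses are ff02::1:ffXX:XXXX (RFC 4291)."""
    return addr.lower().startswith("ff02::1:ff")


def analyse(lines):
    """Per solicited target: multicast NS seen, unicast NS seen, NAs sent back."""
    stats = defaultdict(lambda: {"mcast_ns": 0, "ucast_ns": 0, "na": 0})
    for line in lines:
        m = NS_RE.match(line)
        if m:
            dst, target = m.group(2), m.group(3)
            stats[target]["mcast_ns" if is_solicited_node_mcast(dst) else "ucast_ns"] += 1
            continue
        m = NA_RE.match(line)
        if m:
            stats[m.group(3)]["na"] += 1
    return dict(stats)


def unanswered_targets(stats, min_solicitations=3):
    """Targets solicited via multicast at least min_solicitations times that never
    answered: the signature of a host (or NIC driver) dropping multicast NS.
    A host that answers unicast NS but not multicast NS fits the case in the post."""
    return sorted(t for t, s in stats.items()
                  if s["mcast_ns"] >= min_solicitations and s["na"] == 0)


# Constructed capture: fe80::1 is the firewall's link-local address; 2001:db8:108::2 is
# the host from the post above, 2001:db8:108::3 a healthy neighbour for comparison.
SAMPLE = """\
20:11:01.000100 IP6 fe80::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8:108::2, length 32
20:11:02.000100 IP6 fe80::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8:108::2, length 32
20:11:03.000100 IP6 fe80::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8:108::2, length 32
20:11:05.000100 IP6 fe80::1 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2001:db8:108::3, length 32
20:11:05.000400 IP6 2001:db8:108::3 > fe80::1: ICMP6, neighbor advertisement, tgt is 2001:db8:108::3, length 24
20:11:40.000100 IP6 fe80::1 > 2001:db8:108::3: ICMP6, neighbor solicitation, who has 2001:db8:108::3, length 32
20:11:40.000300 IP6 2001:db8:108::3 > fe80::1: ICMP6, neighbor advertisement, tgt is 2001:db8:108::3, length 24
"""

if __name__ == "__main__":
    stats = analyse(SAMPLE.splitlines())
    for target, s in stats.items():
        print(f"{target}: {s}")
    print("never answered multicast NS:", unanswered_targets(stats))
```

A host that shows up here is the one to pin with the permanent neighbor entry from the post, or, better, to check for a multicast filter problem on its NIC.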
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Tuesday, 10 February 2009 21:14:00
the situation is even getting worse.
i had to reboot my firewall and now i cannot reach even the ipv6 interfaces of my firewall. i don't get it.
here is some info:
iptables rules:
# iptables -t filter -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6889 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5900 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5800 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5500:5519 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4665
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4672
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:12413
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2234 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3389
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5902 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5901 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:222 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:70 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:69 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1099 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2000 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4080 state NEW
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
ACCEPT all -- 192.168.0.0/24 0.0.0.0/0 state INVALID,NEW
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6889 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5900 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5800 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5500:5519 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4665
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4672
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:12413
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2234 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3389
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5902 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5901 state NEW
ACCEPT all -- 192.168.0.0/24 0.0.0.0/0 state INVALID,NEW
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.0.0/24 0.0.0.0/0 state INVALID,NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
ACCEPT all -- 192.168.0.1 0.0.0.0/0 state INVALID,NEW
ACCEPT all -- 172.17.118.95 0.0.0.0/0 state INVALID,NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
#
# iptables -t mangle -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
MARK icmp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff
MARK !tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
MARK icmp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff
MARK !tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
#
# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpts:6881:6889 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpts:6881:6889 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:4662 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:4662 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:5900 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:5900 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:5800 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:5800 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpts:5500:5519 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpts:5500:5519 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 83.65.26.208 udp dpt:4665 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 192.168.0.1 udp dpt:4665 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 83.65.26.208 udp dpt:4672 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 192.168.0.1 udp dpt:4672 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 83.65.26.208 udp dpt:12413 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 192.168.0.1 udp dpt:12413 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:2234 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:2234 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:3389 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:3389 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 83.65.26.208 udp dpt:3389 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 192.168.0.1 udp dpt:3389 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:5902 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:5902 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:5901 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:5901 to:192.168.0.2
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpts:6881:6889 to:192.168.0.1
SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:4662 to:192.168.0.1
SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:5900 to:192.168.0.1
SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:5800 to:192.168.0.1
SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpts:5500:5519 to:192.168.0.1
SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:2234 to:192.168.0.1
SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:3389 to:192.168.0.1
SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:5902 to:192.168.0.1
SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:5901 to:192.168.0.1
MASQUERADE !41 -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
#
# iptables -t raw -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
#
ip6tables rules:
# ip6tables -t filter -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
#
# ip6tables -t mangle -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
#
# ip6tables -t raw -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
#
ipv4 routes on firewall:
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.25.46.23 * 255.255.255.255 UH 0 0 0 ppp0
10.0.0.138 172.17.118.1 255.255.255.255 UGH 0 0 0 eth0
10.0.0.138 172.17.118.1 255.255.255.254 UG 2 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
172.17.118.0 * 255.255.255.0 U 2 0 0 eth0
loopback wall.home 255.0.0.0 UG 0 0 0 lo
default 172.25.46.23 0.0.0.0 UG 0 0 0 ppp0
default 172.17.118.1 0.0.0.0 UG 2 0 0 eth0
#
ipv6 routes on firewall:
# route -6
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
::/96 :: Un 256 0 0 sixxs
2001:15c0:65ff:204::/64 :: U 256 0 1 sixxs
2001:15c0:66e4::1/128 :: U 256 0 0 eth1
fe80::/64 :: U 256 0 0 eth0
fe80::/64 :: U 256 0 0 eth1
fe80::/64 :: U 256 0 0 sixxs
::/0 2001:15c0:65ff:204::1 UG 1024 0 5317 sixxs
::/0 :: !n -1 1 5439 lo
::1/128 :: Un 0 3 20 lo
::83.65.26.208/128 :: Un 0 1 0 lo
::127.0.0.1/128 :: Un 0 1 0 lo
::172.17.118.95/128 :: Un 0 1 0 lo
::192.168.0.1/128 :: Un 0 1 0 lo
2001:15c0:65ff:204::2/128 :: Un 0 1 595 lo
2001:15c0:66e4::1/128 :: Un 0 1 0 lo
fe80::200:d1ff:feed:daf9/128 :: Un 0 1 0 lo
fe80::200:d1ff:feed:dafa/128 :: Un 0 1 38 lo
ff00::/8 :: U 256 0 0 eth0
ff00::/8 :: U 256 0 0 eth1
ff00::/8 :: U 256 0 0 sixxs
::/0 :: !n -1 1 5439 lo
#
IPs on firewall:
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:00:d1:ed:da:f9 brd ff:ff:ff:ff:ff:ff
inet 172.17.118.95/24 brd 172.17.118.255 scope global eth0
inet6 fe80::200:d1ff:feed:daf9/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:00:d1:ed:da:fa brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
inet6 2001:15c0:66e4::1/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::200:d1ff:feed:dafa/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:00:d1:ed:da:fb brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:00:d1:ed:da:fc brd ff:ff:ff:ff:ff:ff
6: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN
link/ether ae:05:f8:c6:24:03 brd ff:ff:ff:ff:ff:ff
7: teql0: <NOARP> mtu 1500 qdisc noop state DOWN qlen 100
link/void
8: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
link/sit 0.0.0.0 brd 0.0.0.0
9: ip6tnl0: <NOARP> mtu 1460 qdisc noop state DOWN
link/tunnel6 :: brd ::
10: wmaster0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ieee802.11 00:04:e2:80:ee:66 brd ff:ff:ff:ff:ff:ff
11: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:04:e2:80:ee:66 brd ff:ff:ff:ff:ff:ff
12: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 3
link/ppp
inet 83.65.26.208 peer 172.25.46.23/32 scope global ppp0
13: sixxs: <NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN
link/sit 0.0.0.0 brd 0.0.0.0
inet6 2001:15c0:65ff:204::2/64 scope global
valid_lft forever preferred_lft forever
inet6 ::83.65.26.208/96 scope global
valid_lft forever preferred_lft forever
inet6 ::192.168.0.1/96 scope global
valid_lft forever preferred_lft forever
inet6 ::172.17.118.95/96 scope global
valid_lft forever preferred_lft forever
inet6 ::127.0.0.1/96 scope host
valid_lft forever preferred_lft forever
#
IPs on client:
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:e0:81:b0:83:fa brd ff:ff:ff:ff:ff:ff
inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0
inet6 2001:15c0:66e4:0:2e0:81ff:feb0:83fa/64 scope global dynamic
valid_lft 3569sec preferred_lft 3569sec
inet6 fe80::2e0:81ff:feb0:83fa/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:e0:81:b0:83:fb brd ff:ff:ff:ff:ff:ff
4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
link/sit 0.0.0.0 brd 0.0.0.0
5: vmnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
inet 192.168.206.1/24 brd 192.168.206.255 scope global vmnet8
inet6 fe80::250:56ff:fec0:8/64 scope link
valid_lft forever preferred_lft forever
#
ipv4 routes on the client:
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 * 255.255.255.0 U 2 0 0 eth0
192.168.206.0 * 255.255.255.0 U 0 0 0 vmnet8
loopback seaburg.home 255.0.0.0 UG 0 0 0 lo
default wall 0.0.0.0 UG 2 0 0 eth0
#
ipv6 routes on client:
# route -6
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
::1/128 :: Un 0 3 25 lo
2001:15c0:66e4:0:2e0:81ff:feb0:83fa/128 :: Un 0 1 0 lo
2001:15c0:66e4::/64 :: UAe 256 0 0 eth0
fe80::250:56ff:fec0:8/128 :: Un 0 1 0 lo
fe80::2e0:81ff:feb0:83fa/128 :: Un 0 1 0 lo
fe80::/64 :: U 256 0 0 vmnet8
fe80::/64 :: U 256 0 0 eth0
ff00::/8 :: U 256 0 0 vmnet8
ff00::/8 :: U 256 0 0 eth0
::/0 fe80::200:d1ff:feed:dafa UGDAe 1024 0 7 eth0
::/0 :: !n -1 1 22 lo
#
pinging on the client:
# ping6 -I eth0 -c3 fe80::200:d1ff:feed:dafa
PING fe80::200:d1ff:feed:dafa(fe80::200:d1ff:feed:dafa) from fe80::2e0:81ff:feb0:83fa eth0: 56 data bytes
64 bytes from fe80::200:d1ff:feed:dafa: icmp_seq=1 ttl=64 time=0.343 ms
64 bytes from fe80::200:d1ff:feed:dafa: icmp_seq=2 ttl=64 time=0.236 ms
64 bytes from fe80::200:d1ff:feed:dafa: icmp_seq=3 ttl=64 time=0.277 ms
--- fe80::200:d1ff:feed:dafa ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 0.236/0.285/0.343/0.046 ms
# ping6 -I eth0 -c3 2001:15c0:65ff:204::2
PING 2001:15c0:65ff:204::2(2001:15c0:65ff:204::2) from 2001:15c0:66e4:0:2e0:81ff:feb0:83fa eth0: 56 data bytes
--- 2001:15c0:65ff:204::2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2015ms
# ping6 -I eth0 -c3 fe80::200:d1ff:feed:daf9
PING fe80::200:d1ff:feed:daf9(fe80::200:d1ff:feed:daf9) from fe80::2e0:81ff:feb0:83fa eth0: 56 data bytes
From fe80::2e0:81ff:feb0:83fa icmp_seq=1 Destination unreachable: Address unreachable
From fe80::2e0:81ff:feb0:83fa icmp_seq=2 Destination unreachable: Address unreachable
From fe80::2e0:81ff:feb0:83fa icmp_seq=3 Destination unreachable: Address unreachable
--- fe80::200:d1ff:feed:daf9 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2016ms
# ping6 -I eth0 -c3 ipv6.google.com
PING ipv6.google.com(2001:4860:0:1001::68) from 2001:15c0:66e4:0:2e0:81ff:feb0:83fa eth0: 56 data bytes
--- ipv6.google.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2015ms
#
what the hell prevents me from enjoying the pleasures of ipv6?
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Tuesday, 10 February 2009 22:18:57
inet6 2001:15c0:66e4::1/128 scope global
Well at least one problem is that the IP on eth1 on the firewall is in a /128 subnet instead of /64, so that is preventing it from communicating with the public IP on the client. I'm not sure why that would cause this line to fail:
# ping6 -I eth0 -c3 fe80::200:d1ff:feed:daf9
But that would cause your ping to ipv6.google.com to fail since there is no route back to the client...
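To make the point of this reply concrete, here is a small added example (not code from this thread or from SIXXS) that simulates the firewall's longest-prefix-match route lookup for the client's public address under the two configurations. The route lists are constructed from the addresses shown in the thread; the default route via the sixxs tunnel is an assumption, since the full firewall routing table is not reproduced here. With eth1 configured as /128 the kernel installs only a host route for its own address, so the reply to the client matches nothing more specific than the default route and is sent out the tunnel instead of onto the LAN; with /64 the prefix becomes on-link and the reply goes out eth1.

```python
import ipaddress

# Constructed model of the firewall's IPv6 routes when eth1 carries
# 2001:15c0:66e4::1/128 (as in the thread). The default route via the
# sixxs tunnel is assumed; the full table is not shown in the thread.
FIREWALL_ROUTES_128 = [
    ("2001:15c0:66e4::1/128", "lo"),       # only a host route for eth1's own address
    ("2001:15c0:65ff:204::/64", "sixxs"),  # tunnel endpoint prefix
    ("fe80::/64", "eth1"),                 # link-local prefix on the LAN side
    ("::/0", "sixxs"),                     # assumed default route via the tunnel
]

# Same firewall after the fix: the address is configured as /64, so the
# kernel adds an on-link route for the whole subnet on eth1.
FIREWALL_ROUTES_64 = [
    ("2001:15c0:66e4::/64", "eth1"),       # the subnet is now directly reachable
    ("2001:15c0:65ff:204::/64", "sixxs"),
    ("fe80::/64", "eth1"),
    ("::/0", "sixxs"),
]

# The client's autoconfigured public address, from its 'ip addr show'.
CLIENT_ADDR = "2001:15c0:66e4:0:2e0:81ff:feb0:83fa"


def lookup(routes, dst):
    """Longest-prefix match over (prefix, interface) pairs.

    Returns (matching_prefix, interface) or None if nothing matches.
    """
    dst_ip = ipaddress.IPv6Address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.IPv6Network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else None


def return_path_ok(routes, dst, lan_iface="eth1"):
    """True if replies to dst would leave on the LAN interface, i.e. the
    firewall can actually answer the client rather than bouncing the
    packet back into the tunnel."""
    hit = lookup(routes, dst)
    return hit is not None and hit[1] == lan_iface


def prefix_from_addr(addr_with_len):
    """The on-link prefix the kernel derives from an interface address:
    a /128 yields only the host itself, a /64 yields the whole subnet."""
    return str(ipaddress.IPv6Interface(addr_with_len).network)


if __name__ == "__main__":
    for label, routes in (("eth1 as /128", FIREWALL_ROUTES_128),
                          ("eth1 as /64", FIREWALL_ROUTES_64)):
        print(label, "->", lookup(routes, CLIENT_ADDR),
              "reply reaches client:", return_path_ok(routes, CLIENT_ADDR))
```

The same check can be run against a live box by comparing the prefix `ip -6 addr show dev eth1` reports for the LAN address with the prefix the clients autoconfigure from router advertisements: if the interface address is a /128 while the clients use a /64, the router has no on-link route for them and every reply takes the default route.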
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Tuesday, 10 February 2009 22:30:22
of course the reason you can't ping fe80::200:d1ff:feed:daf9 from the client is because that is a link local ip address, and it is not forwarded by the firewall.
eth0 on the client can ping eth1 on the firewall, but not eth0
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Thursday, 12 February 2009 00:08:55
wow. that seems to have done the trick!!!
it was my fault that the address of eth1 had a mask of 128. since i set it to 64 everything seems to work.
i do not even need to have one of the rules described in the faq.
can that be possible?
outside world only reachable after pinging gateway ?!?!
Shadow Hawkins on Thursday, 12 February 2009 00:35:36
i'm not certain, as i've never set up a tunnel behind nat before.
from the iptables rules you posted before, it looks like you already added one of those rules....
MASQUERADE !41 -- 0.0.0.0/0 0.0.0.0/0
that rule is only needed for the endpoint of the tunnel (that is the only time proto 41 packets are used, the rest are normal ipv6 packets)
even then, it could work for a while before it stops working. i recall recently reading a post from someone whose tunnel worked for months without that type of rule, and then suddenly stopped.