Laurent CARON
2009-Jul-23 19:17 UTC
Unable to have ipv6 connectivity on client once shorewall6 is started
Hi,

I'm currently facing a rather strange problem.

I did order a dedicated server at a hosting company.

This server is provided with ipv4 and ipv6 connectivity.

The default ipv6 gateway is given through radvd (from what I've seen in tcpdump logs):

21:17:25.260848 IP6 fe80::215:2cff:fe6e:b000 > ip6-allnodes: ICMP6, router advertisement, length 64

default via fe80::215:2cff:fe6e:b000 dev eth0 proto kernel metric 1024 expires 1797sec mtu 1500 advmss 1440 hoplimit 64

If I start shorewall, this default route immediately disappears thus preventing any ipv6 communication.

I think my setup might block ipv6 router advertisement messages.

$ shorewall6 dump (attached file)

To get connectivity again I have to disable shorewall6 and restart the box.

Thanks for your help.

------------------------------------------------------------------------------
Tom Eastep
2009-Jul-24 03:15 UTC
Re: Unable to have ipv6 connectivity on client once shorewall6 is started
Laurent CARON wrote:
> Hi,
>
> I'm currently facing a rather strange problem.
>
> I did order a dedicated server at a hosting company.
>
> This server is provided with ipv4 and ipv6 connectivity.
>
> The default ipv6 gateway is given through radvd (from what I've seen in
> tcpdump logs):
>
> 21:17:25.260848 IP6 fe80::215:2cff:fe6e:b000 > ip6-allnodes: ICMP6,
> router advertisement, length 64
>
> default via fe80::215:2cff:fe6e:b000 dev eth0 proto kernel metric 1024
> expires 1797sec mtu 1500 advmss 1440 hoplimit 64
>
> If I start shorewall, this default route immediately disappears thus
> preventing any ipv6 communication.
>
> I think my setup might block ipv6 router advertisement messages.

Unless you explicitly block these messages, Shorewall allows them. The system that I am writing this on runs Shorewall6 and gets its IPV6 address via autoconfiguration and its default route via radv:

teastep@ursa:~/shorewall/trunk/Shorewall/Perl$ ip -6 route ls
2002:ce7c:92b4:1::/64 dev eth1 proto kernel metric 256 expires 2591978sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
default via fe80::2a0:ccff:fedb:31c4 dev eth1 proto kernel metric 1024 expires 8816sec mtu 1500 advmss 1440 hoplimit 64
teastep@ursa:~/shorewall/trunk/Shorewall/Perl$

What I have found is that neighbor discovery sometimes breaks down. I don't understand why that happens but it really doesn't seem to have anything to do with Shorewall6.

When communication fails, I suggest that you execute this command on both the Shorewall box and on the router (assuming that it runs Linux):

ip -6 neigh ls

Each display should show the other host. If not, let us know.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Tom Eastep
2009-Jul-24 14:16 UTC
Re: Unable to have ipv6 connectivity on client once shorewall6 is started
Tom Eastep wrote:
> Laurent CARON wrote:
>> Hi,
>>
>> I'm currently facing a rather strange problem.
>>
>> I did order a dedicated server at a hosting company.
>>
>> This server is provided with ipv4 and ipv6 connectivity.
>>
>> The default ipv6 gateway is given through radvd (from what I've seen in
>> tcpdump logs):
>>
>> 21:17:25.260848 IP6 fe80::215:2cff:fe6e:b000 > ip6-allnodes: ICMP6,
>> router advertisement, length 64
>>
>> default via fe80::215:2cff:fe6e:b000 dev eth0 proto kernel metric 1024
>> expires 1797sec mtu 1500 advmss 1440 hoplimit 64
>>
>> If I start shorewall, this default route immediately disappears thus
>> preventing any ipv6 communication.
>>
>> I think my setup might block ipv6 router advertisement messages.
>
> Unless you explicitly block these messages, Shorewall allows them.

You can look at /usr/share/shorewall6/action.AllowICMPs to see the icmp6 types that Shorewall allows.

If the default route is immediately disappearing as Shorewall6 starts, it would be useful if you could forward a trace of Shorewall6 startup:

shorewall6 trace start 2> trace.txt

-Tom

------------------------------------------------------------------------------
Tom Eastep
2009-Jul-24 16:52 UTC
Re: Unable to have ipv6 connectivity on client once shorewall6 is started
Tom Eastep wrote:
> Tom Eastep wrote:
>> Laurent CARON wrote:
>>> Hi,
>>>
>>> I'm currently facing a rather strange problem.
>>>
>>> I did order a dedicated server at a hosting company.
>>>
>>> This server is provided with ipv4 and ipv6 connectivity.
>>>
>>> The default ipv6 gateway is given through radvd (from what I've seen in
>>> tcpdump logs):
>>>
>>> 21:17:25.260848 IP6 fe80::215:2cff:fe6e:b000 > ip6-allnodes: ICMP6,
>>> router advertisement, length 64
>>>
>>> default via fe80::215:2cff:fe6e:b000 dev eth0 proto kernel metric 1024
>>> expires 1797sec mtu 1500 advmss 1440 hoplimit 64
>>>
>>> If I start shorewall, this default route immediately disappears thus
>>> preventing any ipv6 communication.
>>>
>>> I think my setup might block ipv6 router advertisement messages.
>> Unless you explicitly block these messages, Shorewall allows them.
>
> You can look at /usr/share/shorewall6/action.AllowICMPs to see the icmp6
> types that Shorewall allows.
>
> If the default route is immediately disappearing as Shorewall6 starts,
> it would be useful if you could forward a trace of Shorewall6 startup:
>
> shorewall6 trace start 2> trace.txt
>

After shorewall6 has started, also please execute this command:

ls -a /var/lib/shorewall6/

and include the output in your response.

Thanks,
-Tom

------------------------------------------------------------------------------
Laurent CARON
2009-Aug-02 13:56 UTC
Re: Unable to have ipv6 connectivity on client once shorewall6 is started
On 24/07/2009 18:52, Tom Eastep wrote:
> After shorewall6 has started, also please execute this command:
>
> ls -a /var/lib/shorewall6/
>
> and include the output in your response.

Hi Tom,

Seems it was a misconfiguration on the client.

After setting the gateway in the network settings, everything is fine.

Sorry for the noise.

Laurent

------------------------------------------------------------------------------
Laurent CARON
2009-Aug-04 08:58 UTC
Re: Unable to have ipv6 connectivity on client once shorewall6 is started
On 23/07/2009 21:17, Laurent CARON wrote:
> Hi,
>
> I'm currently facing a rather strange problem.
>
> I did order a dedicated server at a hosting company.
>
> This server is provided with ipv4 and ipv6 connectivity.
>
> The default ipv6 gateway is given through radvd (from what I've seen in
> tcpdump logs):
>
> 21:17:25.260848 IP6 fe80::215:2cff:fe6e:b000 > ip6-allnodes: ICMP6,
> router advertisement, length 64
>
> default via fe80::215:2cff:fe6e:b000 dev eth0 proto kernel metric 1024
> expires 1797sec mtu 1500 advmss 1440 hoplimit 64
>
> If I start shorewall, this default route immediately disappears thus
> preventing any ipv6 communication.
>
> I think my setup might block ipv6 router advertisement messages.
>
> $ shorewall6 dump (attached file)
>

Hi,

I finally found out that IPv6 routing was enabled and thus auto config was disabled.

Sorry for the noise.

Laurent

------------------------------------------------------------------------------
Tom Eastep
2009-Aug-04 16:12 UTC
Re: Unable to have ipv6 connectivity on client once shorewall6 is started
Laurent CARON wrote:
> On 24/07/2009 18:52, Tom Eastep wrote:
>> After shorewall6 has started, also please execute this command:
>>
>> ls -a /var/lib/shorewall6/
>>
>> and include the output in your response.
>
>
> Hi Tom,
>
> Seems it was a misconfiguration on the client.
>
> After setting the gateway in the network settings, everything is fine.
>

This problem turned out to be that Laurent was enabling forwarding on eth0. This was reflected in the dump that he sent originally:

/proc

/proc/version = Linux version 2.6.26-1-amd64 (Debian 2.6.26-13) ...
/proc/sys/net/ipv6/conf/all/forwarding = 1
/proc/sys/net/ipv6/conf/all/proxy_ndp = 0
/proc/sys/net/ipv6/conf/default/forwarding = 1
/proc/sys/net/ipv6/conf/default/proxy_ndp = 0
/proc/sys/net/ipv6/conf/eth0/forwarding = 1 <===============
/proc/sys/net/ipv6/conf/eth0/proxy_ndp = 0
/proc/sys/net/ipv6/conf/lo/forwarding = 1
/proc/sys/net/ipv6/conf/lo/proxy_ndp = 0

-Tom

------------------------------------------------------------------------------
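Added example, not part of the thread: the root cause identified above can be checked mechanically, because a Linux interface with forwarding=1 ignores router advertisements while accept_ra is at its default of 1, so the RA-learned default route is lost. The script parses lines in the format of the dump quoted above; the function names ra_ignored_ifaces and sample_dump are made up here, and the eth1 and eth2 lines are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the thread. Lists interfaces on which the kernel will
# not act on router advertisements, given "path = value" lines in the format
# of the /proc section of the shorewall6 dump quoted above.
# Linux semantics: accept_ra=0 never accepts RAs; accept_ra=1 accepts them
# only while forwarding=0; accept_ra=2 accepts them even with forwarding=1.
# Assumption: a missing accept_ra line means the kernel default of 1.

ra_ignored_ifaces() {
    awk '
    $1 ~ "^/proc/sys/net/ipv6/conf/" && $2 == "=" {
        split($1, p, "/"); iface = p[7]; key = p[8]
        if (key != "forwarding" && key != "accept_ra") next
        if (!(iface in seen)) { seen[iface] = 1; order[++n] = iface }
        if (key == "forwarding") fwd[iface] = $3 + 0; else ra[iface] = $3 + 0
    }
    END {
        for (i = 1; i <= n; i++) {
            iface = order[i]
            # all/default are templates and lo never receives RAs
            if (iface == "all" || iface == "default" || iface == "lo") continue
            a = (iface in ra) ? ra[iface] : 1
            if (a == 0 || (a == 1 && fwd[iface] + 0 == 1)) print iface
        }
    }'
}

# eth0 lines are taken from the dump in the thread; eth1 and eth2 are constructed.
sample_dump() {
    cat <<'EOF'
/proc/sys/net/ipv6/conf/all/forwarding = 1
/proc/sys/net/ipv6/conf/default/forwarding = 1
/proc/sys/net/ipv6/conf/eth0/forwarding = 1 <===============
/proc/sys/net/ipv6/conf/eth0/proxy_ndp = 0
/proc/sys/net/ipv6/conf/lo/forwarding = 1
/proc/sys/net/ipv6/conf/eth1/forwarding = 0
/proc/sys/net/ipv6/conf/eth2/forwarding = 1
/proc/sys/net/ipv6/conf/eth2/accept_ra = 2
EOF
}

# To check a live host instead of a saved dump:
#   for f in /proc/sys/net/ipv6/conf/*/forwarding /proc/sys/net/ipv6/conf/*/accept_ra
#   do echo "$f = $(cat "$f")"; done | ra_ignored_ifaces
sample_dump | ra_ignored_ifaces   # prints: eth0
```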