I have two Debian 6 x64 VMs running under ESXi4.1_U1. One of the VMs is acting as an ipv4 and ipv6 firewall/router using shorewall and has three virtual NICs, LAN, WAN and DMZ. I've set up a 6in4 ipv6 tunnel from Hurricane Electric on the router but have a peculiar problem. The router can ping ipv6.google.com without problem, however any other VMs or physical boxes on the LAN can't ping ipv6.google.com until I ping the box from the router.

The sequence of events is:

    higgers@ubuntu904:~$ ping6 ipv6.google.com
    PING ipv6.google.com(2a00:1450:8006::63) 56 data bytes

ubuntu904 is a client VM that sits behind the router VM. There is no feedback from the ping6 command other than what you see above.

    root@debian6:/etc/shorewall# ping6 ubipv6
    PING ubipv6(2001:blah:blah:blah:blah:29ff:feb3:490f) 56 data bytes
    64 bytes from 2001:blah:blah:blah:blah:29ff:feb3:490f: icmp_seq=1 ttl=64 time=3.57 ms
    etc
    etc
    etc

debian6 is the router VM. As soon as it pings ubuntu904 (the ipv6 AAAA record on my internal DNS server uses the name ubipv6) I start getting responses from the ping6 on ubuntu904:

    higgers@ubuntu904:~$ ping6 ipv6.google.com
    PING ipv6.google.com(2a00:1450:8006::63) 56 data bytes
    64 bytes from 2a00:1450:8006::63: icmp_seq=141 ttl=53 time=321 ms
    64 bytes from 2a00:1450:8006::63: icmp_seq=142 ttl=53 time=321 ms
    64 bytes from 2a00:1450:8006::63: icmp_seq=143 ttl=53 time=321 ms
    64 bytes from 2a00:1450:8006::63: icmp_seq=144 ttl=53 time=322 ms

Happy days! The client VM can ping6 google!

I've verified the same behaviour on a physical client machine running ubuntu 10.10. I'd like to test the behaviour on my opensolaris box but I can't find out how to enable ipv6 on it without rebooting it. It's hosting the NFS share that the VM images sit on and it's a bit of a ball ache to reboot it, especially when it hosts the image for the main router for the LAN and I'm currently offsite.

ipv6 addresses are issued using radvd on the router VM.

Hurricane Electric have assigned me a /64 subnet and the router/firewall creates a 6in4 tunnel with the ::1/64 address on the subnet as the HE endpoint of the tunnel and the ::2/64 address as my endpoint of the tunnel. I use radvd on the router to hand out addresses in the same subnet to the clients on the LAN. So, all the devices on my LAN end up with an address on my /64 Hurricane Electric subnet, meaning they should all be externally accessible without any need for NAT.

Hurricane Electric assign two /64 subnets, one for the tunnel and one for the local network; they refer to this second subnet as the routed network. If I configure radvd to hand addresses out on the routed network I get the same issue: clients can't ping external sites until the router has pinged the client.

Any ideas what I should check?

------------------------------------------------------------------------------
Free Software Download: Index, Search & Analyze Logs and other IT data in
Real-Time with Splunk. Collect, index and harness all the fast moving IT data
generated by your applications, servers and devices whether physical, virtual
or in the cloud. Deliver compliance at lower cost and gain new business
insights. http://p.sf.net/sfu/splunk-dev2dev
On 25/02/11 11:04, shorewall shorewall wrote:
> I have two Debian 6 x64 VMs running under ESXi4.1_U1. One of the VMs
> is acting as an ipv4 and ipv6 firewall/router using shorewall and has
> three virtual NICs, LAN, WAN and DMZ. I've set up a 6in4 ipv6 tunnel
> from Hurricane Electric on the router but have a peculiar problem. The
> router can ping ipv6.google.com without problem, however any other VMs
> or physical boxes on the LAN can't ping ipv6.google.com until I ping
> the box from the router.
>
> The sequence of events is:
>
> higgers@ubuntu904:~$ ping6 ipv6.google.com
> PING ipv6.google.com(2a00:1450:8006::63) 56 data bytes
>
> ubuntu904 is a client VM that sits behind the router VM. There is no
> feedback from the ping6 command other than what you see above.
>
> root@debian6:/etc/shorewall# ping6 ubipv6
> PING ubipv6(2001:blah:blah:blah:blah:29ff:feb3:490f) 56 data bytes
> 64 bytes from 2001:blah:blah:blah:blah:29ff:feb3:490f: icmp_seq=1 ttl=64 time=3.57 ms
> etc
> etc
> etc
>
> debian6 is the router VM. As soon as it pings ubuntu904 (the ipv6 AAAA
> record on my internal DNS server uses the name ubipv6) I start getting
> responses from the ping6 on ubuntu904:

I have had this kind of behaviour when I've forgotten to add an entry in /etc/shorewall/tunnels. The exact manifestation depends on your zone-zone policies, but if you have logging on rejects and that is showing rejected proto 41 packets coming in, then that could be the problem.
On Fri, Feb 25, 2011 at 12:09 PM, Dominic Benson <dominic@lenny.cus.org> wrote:
> On 25/02/11 11:04, shorewall shorewall wrote:
> > I have two Debian 6 x64 VMs running under ESXi4.1_U1. One of the VMs is
> > acting as an ipv4 and ipv6 firewall/router using shorewall and has three
> > virtual NICs, LAN, WAN and DMZ. I've set up a 6in4 ipv6 tunnel from
> > Hurricane Electric on the router but have a peculiar problem. The router can
> > ping ipv6.google.com without problem, however any other VMs or physical
> > boxes on the LAN can't ping ipv6.google.com until I ping the box from the
> > router.
> >
> > The sequence of events is:
> >
> > higgers@ubuntu904:~$ ping6 ipv6.google.com
> > PING ipv6.google.com(2a00:1450:8006::63) 56 data bytes
> >
> > ubuntu904 is a client VM that sits behind the router VM. There is no
> > feedback from the ping6 command other than what you see above.
> >
> > root@debian6:/etc/shorewall# ping6 ubipv6
> > PING ubipv6(2001:blah:blah:blah:blah:29ff:feb3:490f) 56 data bytes
> > 64 bytes from 2001:blah:blah:blah:blah:29ff:feb3:490f: icmp_seq=1 ttl=64 time=3.57 ms
> > etc
> > etc
> > etc
> >
> > debian6 is the router VM. As soon as it pings ubuntu904 (the ipv6 AAAA record
> > on my internal DNS server uses the name ubipv6) I start getting responses
> > from the ping6 on ubuntu904:
>
> I have had this kind of behaviour when I've forgotten to add an entry in
> /etc/shorewall/tunnels. The exact manifestation depends on your zone-zone
> policies, but if you have logging on rejects and that is showing rejected
> proto 41 packets coming in, then that could be the problem.

I've got the following in /etc/shorewall/tunnels:

    ###############################################################################
    #TYPE           ZONE    GATEWAY         GATEWAY
    #                                       ZONE
    6to4            net

Regards,
Steve.

> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
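One concrete way to run the check Dominic suggests (look for rejected proto 41 packets in the firewall log) and to see whether Steve's `6to4 net` tunnels entry is actually letting the tunnel traffic through, as an added example that is not from this thread or from the Shorewall project. It assumes Shorewall's default `Shorewall:<chain>:<disposition>:` log prefix in front of the kernel's netfilter LOG fields; the four log lines are constructed with documentation addresses, not taken from anyone's system.

```shell
#!/bin/sh
# Added example: pick out IPv6-in-IPv4 (protocol 41) packets that the firewall
# rejected or dropped. A tunnel whose packets show up here is being blocked by
# the firewall, which is the symptom of a missing /etc/shorewall/tunnels entry.
#
# Assumptions: Shorewall's default "Shorewall:<chain>:<disposition>:" log prefix
# followed by the standard netfilter LOG fields (IN=, SRC=, PROTO=, ...). The
# sample below is constructed with RFC 5737 documentation addresses.

SAMPLE_LOG='Feb 25 11:04:01 debian6 kernel: Shorewall:net2fw:REJECT:IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=192.0.2.1 DST=203.0.113.10 LEN=124 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=41
Feb 25 11:04:02 debian6 kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=192.0.2.50 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 25 11:04:03 debian6 kernel: Shorewall:net2fw:REJECT:IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 25 11:04:05 debian6 kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=192.0.2.1 DST=203.0.113.10 LEN=124 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=41'

# Filter stdin down to lines where a REJECT or DROP disposition hit protocol 41.
# On a live box: grep Shorewall /var/log/kern.log | proto41_blocked
proto41_blocked() {
    grep -E 'Shorewall:[^:]+:(REJECT|DROP):.*PROTO=41( |$)'
}

# Same filter applied to the constructed sample.
sample_blocked() {
    printf '%s\n' "$SAMPLE_LOG" | proto41_blocked
}

count_sample_blocked() {
    sample_blocked | wc -l | tr -d ' '
}

# Distinct source addresses of the blocked tunnel packets. If the only address
# listed is your Hurricane Electric tunnel server, the firewall rather than the
# tunnel itself is what is breaking IPv6 for the LAN.
sample_blocked_peers() {
    sample_blocked | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' | sort -u
}

# Exit 0 when the given peer (e.g. the HE tunnel server) is among the blocked
# sources, 1 otherwise.
peer_is_blocked() {
    sample_blocked_peers | grep -qx "$1"
}

sample_blocked
echo "blocked proto-41 packets: $(count_sample_blocked)"
echo "blocked peers: $(sample_blocked_peers | tr '\n' ' ')"
```

With a correct tunnels entry for the zone the HE server lives in, `proto41_blocked` should return nothing for that peer; if the entry is present but its packets still appear, the likely cause is that the peer is being classified into a different zone than the one named in the entry.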
On 2/25/11 3:04 AM, shorewall shorewall wrote:
> Any ideas what I should check?

I'll give you the same advice that I give everyone else. When installing IPv6, you should install Shorewall and Shorewall6 *last*, after IPv6 is working. Given that IPv6 has no need for NAT, Shorewall6 is not required to get communication working, and it gives you two fewer sources of potential causes when you encounter problems.

Once IPv6 is working perfectly, *then* install Shorewall and Shorewall6. If there are problems then, at least you know that the problems are really associated with the firewall configurations.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________