Hi there, I am getting some trouble using proxyndp on shorewall6. I cannot access the IPv6 internet from the host inside my local network or ping this internal host from outside networks.

This is my setup:

Firewall

eth0 2801:0:100::2/48
GW=2801:0:100::1
eth1=not initialized only local ipv6 link fe80:xxxx ...

SHOREWALL6 version 4.5.9.3

interfaces
net eth0 tcpflags,forward=1
loc eth1 tcpflags,forward=1

zone
fw firewall
loc ipv6
net ipv6

policy
loc net ACCEPT
net all DROP info
fw all ACCEPT
all all REJECT info

rules
ACCEPT net fw ipv6-icmp
SSH(ACCEPT) net:<2001:xxxxx:2> $FW
ACCEPT net loc:<2801:0:100::58> ipv6-icmp

proxyndp
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
2801:0:100::58 eth1 eth0

sysctl -a | grep proxy_ndp
net.ipv6.conf.all.proxy_ndp = 1
net.ipv6.conf.default.proxy_ndp = 0
net.ipv6.conf.lo.proxy_ndp = 0
net.ipv6.conf.eth0.proxy_ndp = 0
net.ipv6.conf.eth1.proxy_ndp = 1

sysctl -a | grep forwarding
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth1.mc_forwarding = 0

Neighbors discovered on firewall:
2801:0:100::58 dev eth1 lladdr 00:04:23:88:ed:1d REACHABLE
fe80::204:23ff:fe88:ed1d dev eth1 lladdr 00:04:23:88:ed:1d REACHABLE (local ipv6 link on internal host)
2801:0:100::1 dev eth0 lladdr e0:5f:b9:26:b0:80 router STALE
fe80::e25f:b9ff:fe26:b080 dev eth0 lladdr e0:5f:b9:26:b0:80 router REACHABLE (local ipv6 link on router)
fe80::210:dcff:fefe:d05f dev eth0 lladdr 00:10:dc:fe:d0:5f REACHABLE (local ipv6 link on host on external network)

Host IPv6's config inside my network

eth0=2801:0:100::58/48
GWIPv6=2801:0:100::1

When I try to look at the neighbors' addresses on the internal host I get this:
ip -6 neigh show
2801:0:100::12 dev eth0 INCOMPLETE
2801:0:100::1 dev eth0 FAILED
fe80::210:4bff:fe0b:e07d dev eth0 lladdr 00:10:4b:0b:e0:7d router REACHABLE

The internal host cannot answer pings coming from outside networks or access outside networks ...

What am I missing or misconfigured?

Thanks for your help.

German Molano

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
On 12/07/2012 10:00 AM, German Molano wrote:
> Hi there, I am getting some trouble using proxyndp on shorewall6. I
> cannot access the IPv6 internet from the host inside my local
> network or ping this internal host from outside networks.
>
> This is my setup:
>
> Firewall
>
> eth0 2801:0:100::2/48
> GW=2801:0:100::1
> eth1=not initialized only local ipv6 link fe80:xxxx ...
>
> SHOREWALL6 version 4.5.9.3
>
> interfaces
> net eth0 tcpflags,forward=1
> loc eth1 tcpflags,forward=1
>
> zone
> fw firewall
> loc ipv6
> net ipv6
>
> policy
> loc net ACCEPT
> net all DROP info
> fw all ACCEPT
> all all REJECT info
>
> rules
> ACCEPT net fw ipv6-icmp
> SSH(ACCEPT) net:<2001:xxxxx:2> $FW
> ACCEPT net loc:<2801:0:100::58> ipv6-icmp
>
> proxyndp
> #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
> 2801:0:100::58 eth1 eth0
>
> sysctl -a | grep proxy_ndp
> net.ipv6.conf.all.proxy_ndp = 1
> net.ipv6.conf.default.proxy_ndp = 0
> net.ipv6.conf.lo.proxy_ndp = 0
> net.ipv6.conf.eth0.proxy_ndp = 0
> net.ipv6.conf.eth1.proxy_ndp = 1
>
> sysctl -a | grep forwarding
> net.ipv6.conf.all.forwarding = 1
> net.ipv6.conf.all.mc_forwarding = 0
> net.ipv6.conf.default.forwarding = 1
> net.ipv6.conf.default.mc_forwarding = 0
> net.ipv6.conf.lo.forwarding = 1
> net.ipv6.conf.lo.mc_forwarding = 0
> net.ipv6.conf.eth0.forwarding = 1
> net.ipv6.conf.eth0.mc_forwarding = 0
> net.ipv6.conf.eth1.forwarding = 1
> net.ipv6.conf.eth1.mc_forwarding = 0
>
> Neighbors discovered on firewall:
> 2801:0:100::58 dev eth1 lladdr 00:04:23:88:ed:1d REACHABLE
> fe80::204:23ff:fe88:ed1d dev eth1 lladdr 00:04:23:88:ed:1d REACHABLE
> (local ipv6 link on internal host)
> 2801:0:100::1 dev eth0 lladdr e0:5f:b9:26:b0:80 router STALE
> fe80::e25f:b9ff:fe26:b080 dev eth0 lladdr e0:5f:b9:26:b0:80 router
> REACHABLE (local ipv6 link on router)
> fe80::210:dcff:fefe:d05f dev eth0 lladdr 00:10:dc:fe:d0:5f REACHABLE
> (local ipv6 link on host on external network)
>
> Host IPv6's config inside my network
>
> eth0=2801:0:100::58/48
> GWIPv6=2801:0:100::1

If you are going to configure it that way, then you need to proxyndp
2801:0:100::1 on eth1.

> When I try to look at the neighbors' addresses on the internal host I get this:
> ip -6 neigh show
> 2801:0:100::12 dev eth0 INCOMPLETE
> 2801:0:100::1 dev eth0 FAILED
> fe80::210:4bff:fe0b:e07d dev eth0 lladdr 00:10:4b:0b:e0:7d router REACHABLE
>
> The internal host cannot answer pings coming from outside networks or
> access outside networks ...
>
> What am I missing or misconfigured?

Note that even if you add the second proxyndp, 2801:0:100::1 will be the
only host in 2801:0:100::/48 that the internal host will be able to
communicate with.

If I were you, I would configure an address on eth1 with a small subnet,
use that as the default gateway for the internal host, and use the same
small subnet (/120 or smaller) on the internal host.

Here's how I use proxyndp; note the /126s on the two 6to4 interfaces.

10: mac: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
    link/sit 172.20.1.254 peer 172.20.0.11
    inet6 2001:470:b:227::19/126 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::ac14:1fe/128 scope link
       valid_lft forever preferred_lft forever
11: hp: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
    link/sit 172.20.1.254 peer 172.20.1.191
    inet6 2001:470:b:227::21/126 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::ac14:1fe/128 scope link
       valid_lft forever preferred_lft forever
12: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 02:1b:e8:cb:b4:60 brd ff:ff:ff:ff:ff:ff
    inet 70.90.191.121/32 scope global br0
    inet 172.20.2.254/24 brd 172.20.2.255 scope global br0:1
    inet6 2001:470:b:227::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:470:b:227::41/124 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::c006:1fff:febe:c298/64 scope link
       valid_lft forever preferred_lft forever

/etc/shorewall6/proxyndp:

#ADDRESS            INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
2001:470:b:227::18  -          br0       Yes        Yes
2001:470:b:227::21  -          br0       Yes        Yes

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
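The on-link rule behind Tom's reply, written out as a small model. This is an added example, not code from the thread and not Shorewall's own code; it uses the interface names and addresses posted above, takes 2001:db8::1 as a stand-in for an outside destination, and the /120 inner subnet with the firewall's inner address 2801:0:100:1::1 is a hypothetical choice made here, not something the thread states. The idea it demonstrates: when a destination falls inside the internal host's own prefix the host treats it as on-link and sends a Neighbor Solicitation for it instead of forwarding to the gateway, so some node on that link (the firewall, through a proxyndp row whose EXTERNAL column is the inner interface, or through a real address on that interface) has to answer, and the FAILED/INCOMPLETE states in the host's neighbour table are exactly the solicitations nobody answered.

```python
"""Reachability model for the proxy-NDP setup discussed in this thread.

Constructed example; not Shorewall code.  Link-local gateways are not
modelled, only global addresses inside or outside the host's prefix.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyNdp:
    """One row of /etc/shorewall6/proxyndp: ADDRESS, INTERFACE, EXTERNAL."""
    address: str
    interface: str   # interface towards the proxied host ('-' with HAVEROUTE)
    external: str    # interface on which the firewall answers NS for ADDRESS


@dataclass(frozen=True)
class InternalHost:
    address: str     # address with prefix length, e.g. "2801:0:100::58/48"
    gateway: str


def reachability(host, dest, proxies, inner_if, fw_inner_addrs=()):
    """How the internal host reaches `dest` through the firewall's inner link.

    'on-link'     : dest is inside the host prefix and the firewall answers NS
                    for it on inner_if (proxyndp row or its own address)
    'via-gateway' : dest is off-link and the gateway resolves on the inner link
    'unreachable' : the host sends NS that nothing on the inner link answers
    """
    net = ipaddress.ip_interface(host.address).network
    answered = {ipaddress.ip_address(p.address)
                for p in proxies if p.external == inner_if}
    answered |= {ipaddress.ip_interface(a).ip for a in fw_inner_addrs}

    def resolves(addr):
        # resolvable only if on-link for the host AND answered on that link
        return addr in net and addr in answered

    d = ipaddress.ip_address(dest)
    if d in net:
        return 'on-link' if resolves(d) else 'unreachable'
    gw = ipaddress.ip_address(host.gateway)
    return 'via-gateway' if resolves(gw) else 'unreachable'


def inbound_resolvable(addr, proxies, outer_if):
    """The ISP router holds the whole /48 on-link, so for an inside address it
    solicits on the outer link; the firewall answers only with a proxyndp row
    whose EXTERNAL is that outer interface (the original ::58 row does this)."""
    a = ipaddress.ip_address(addr)
    return any(ipaddress.ip_address(p.address) == a and p.external == outer_if
               for p in proxies)


NEIGH_RE = re.compile(r'^(\S+) dev (\S+)(?: lladdr (\S+))?( router)? (\S+)$')


def stuck_neighbors(neigh_output, host_address):
    """Addresses from `ip -6 neigh show` that are on-link for the host but
    whose solicitation got no answer (state FAILED or INCOMPLETE)."""
    net = ipaddress.ip_interface(host_address).network
    stuck = []
    for line in neigh_output.strip().splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue
        addr, _dev, _lladdr, _router, state = m.groups()
        if state in ('FAILED', 'INCOMPLETE') and ipaddress.ip_address(addr) in net:
            stuck.append(addr)
    return stuck


# --- the three layouts from the thread --------------------------------------
AS_POSTED = InternalHost('2801:0:100::58/48', '2801:0:100::1')
POSTED_ROWS = [ProxyNdp('2801:0:100::58', 'eth1', 'eth0')]
# Tom's first suggestion: also proxy the gateway on the inner interface
WITH_GW_ROW = POSTED_ROWS + [ProxyNdp('2801:0:100::1', 'eth0', 'eth1')]
# Tom's recommended layout; the /120 and the firewall's inner address are
# hypothetical values chosen for this example, not taken from the thread
SMALL_SUBNET = InternalHost('2801:0:100:1::2/120', '2801:0:100:1::1')
FW_INNER = ('2801:0:100:1::1/120',)

# Constructed copy of the neighbour table the original post shows on the host
HOST_NEIGH = """\
2801:0:100::12 dev eth0 INCOMPLETE
2801:0:100::1 dev eth0 FAILED
fe80::210:4bff:fe0b:e07d dev eth0 lladdr 00:10:4b:0b:e0:7d router REACHABLE
"""

if __name__ == '__main__':
    print('stuck on host:', stuck_neighbors(HOST_NEIGH, AS_POSTED.address))
    for label, host, rows, fw in (('as posted', AS_POSTED, POSTED_ROWS, ()),
                                  ('gateway proxied', AS_POSTED, WITH_GW_ROW, ()),
                                  ('small subnet', SMALL_SUBNET, POSTED_ROWS, FW_INNER)):
        for dest in ('2001:db8::1', '2801:0:100::12'):
            print(f'{label:16} {dest:18} {reachability(host, dest, rows, "eth1", fw)}')
```

Running it shows the three outcomes Tom describes: as posted, even the gateway is unreachable (the FAILED entry for 2801:0:100::1); with the gateway proxied on eth1 the internet becomes reachable but another /48 host such as 2801:0:100::12 still is not; with a small subnet on the inner link everything outside that subnet goes via the gateway. The `inbound_resolvable` check is the other direction: each inside address still needs a row with EXTERNAL eth0 for the ISP router to find it, which is why a separately routed prefix is the cleaner layout.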
Thanks Tom, actually it works as you suggested.

On 07/12/12 16:37, Tom Eastep wrote:
> On 12/07/2012 10:00 AM, German Molano wrote:
>> Hi there, I am getting some trouble using proxyndp on shorewall6. I
>> cannot access the IPv6 internet from the host inside my local
>> network or ping this internal host from outside networks.
>>
>> This is my setup:
>>
>> Firewall
>>
>> eth0 2801:0:100::2/48
>> GW=2801:0:100::1
>> eth1=not initialized only local ipv6 link fe80:xxxx ...
>>
>> SHOREWALL6 version 4.5.9.3
>>
>> interfaces
>> net eth0 tcpflags,forward=1
>> loc eth1 tcpflags,forward=1
>>
>> zone
>> fw firewall
>> loc ipv6
>> net ipv6
>>
>> policy
>> loc net ACCEPT
>> net all DROP info
>> fw all ACCEPT
>> all all REJECT info
>>
>> rules
>> ACCEPT net fw ipv6-icmp
>> SSH(ACCEPT) net:<2001:xxxxx:2> $FW
>> ACCEPT net loc:<2801:0:100::58> ipv6-icmp
>>
>> proxyndp
>> #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
>> 2801:0:100::58 eth1 eth0
>>
>> sysctl -a | grep proxy_ndp
>> net.ipv6.conf.all.proxy_ndp = 1
>> net.ipv6.conf.default.proxy_ndp = 0
>> net.ipv6.conf.lo.proxy_ndp = 0
>> net.ipv6.conf.eth0.proxy_ndp = 0
>> net.ipv6.conf.eth1.proxy_ndp = 1
>>
>> sysctl -a | grep forwarding
>> net.ipv6.conf.all.forwarding = 1
>> net.ipv6.conf.all.mc_forwarding = 0
>> net.ipv6.conf.default.forwarding = 1
>> net.ipv6.conf.default.mc_forwarding = 0
>> net.ipv6.conf.lo.forwarding = 1
>> net.ipv6.conf.lo.mc_forwarding = 0
>> net.ipv6.conf.eth0.forwarding = 1
>> net.ipv6.conf.eth0.mc_forwarding = 0
>> net.ipv6.conf.eth1.forwarding = 1
>> net.ipv6.conf.eth1.mc_forwarding = 0
>>
>> Neighbors discovered on firewall:
>> 2801:0:100::58 dev eth1 lladdr 00:04:23:88:ed:1d REACHABLE
>> fe80::204:23ff:fe88:ed1d dev eth1 lladdr 00:04:23:88:ed:1d REACHABLE
>> (local ipv6 link on internal host)
>> 2801:0:100::1 dev eth0 lladdr e0:5f:b9:26:b0:80 router STALE
>> fe80::e25f:b9ff:fe26:b080 dev eth0 lladdr e0:5f:b9:26:b0:80 router
>> REACHABLE (local ipv6 link on router)
>> fe80::210:dcff:fefe:d05f dev eth0 lladdr 00:10:dc:fe:d0:5f REACHABLE
>> (local ipv6 link on host on external network)
>>
>> Host IPv6's config inside my network
>>
>> eth0=2801:0:100::58/48
>> GWIPv6=2801:0:100::1
>
> If you are going to configure it that way, then you need to proxyndp
> 2801:0:100::1 on eth1.
>
>> When I try to look at the neighbors' addresses on the internal host I get this:
>> ip -6 neigh show
>> 2801:0:100::12 dev eth0 INCOMPLETE
>> 2801:0:100::1 dev eth0 FAILED
>> fe80::210:4bff:fe0b:e07d dev eth0 lladdr 00:10:4b:0b:e0:7d router REACHABLE
>>
>> The internal host cannot answer pings coming from outside networks or
>> access outside networks ...
>>
>> What am I missing or misconfigured?
>
> Note that even if you add the second proxyndp, 2801:0:100::1 will be the
> only host in 2801:0:100::/48 that the internal host will be able to
> communicate with.
>
> If I were you, I would configure an address on eth1 with a small subnet,
> use that as the default gateway for the internal host, and use the same
> small subnet (/120 or smaller) on the internal host.

The ISP set up the router to only publish the /48 prefix, so there will be a challenge to set up the Linux box as router/firewall for a /64 prefix.

> Here's how I use proxyndp; note the /126s on the two 6to4 interfaces.
>
> 10: mac: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
>     link/sit 172.20.1.254 peer 172.20.0.11
>     inet6 2001:470:b:227::19/126 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::ac14:1fe/128 scope link
>        valid_lft forever preferred_lft forever
> 11: hp: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
>     link/sit 172.20.1.254 peer 172.20.1.191
>     inet6 2001:470:b:227::21/126 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::ac14:1fe/128 scope link
>        valid_lft forever preferred_lft forever
> 12: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
>     link/ether 02:1b:e8:cb:b4:60 brd ff:ff:ff:ff:ff:ff
>     inet 70.90.191.121/32 scope global br0
>     inet 172.20.2.254/24 brd 172.20.2.255 scope global br0:1
>     inet6 2001:470:b:227::1/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 2001:470:b:227::41/124 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::c006:1fff:febe:c298/64 scope link
>        valid_lft forever preferred_lft forever
>
> /etc/shorewall6/proxyndp:
>
> #ADDRESS            INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
> 2001:470:b:227::18  -          br0       Yes        Yes
> 2001:470:b:227::21  -          br0       Yes        Yes
>
> -Tom