SixXS::Sunset 2017-06-06

debian problem with subnet
[fi] Carmen Sandiego on Monday, 12 April 2004 11:27:09
Problem solved .. ipv6 didn't work over network bridge. Had to add another network card with ipv6 address only.

$ ifconfig eth2
eth2      Link encap:Ethernet  HWaddr 00:40:F4:22:3B:50
          inet6 addr: 2001:14b8:136::1/64 Scope:Global
          inet6 addr: 2001:14b8:136:0:240:f4ff:fe22:3b50/64 Scope:Global
          inet6 addr: fe80::240:f4ff:fe22:3b50/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15021 (14.6 KiB)  TX bytes:4196 (4.0 KiB)
          Interrupt:10

------------------------------

Hi. I've been trying to get this to work for a while but with no success. I've configured Debian Woody as a 6to4 router using sixxs tunnel which is working. I also have a subnet 2001:14b8:136::/48 which works fine in the router machine but I cannot access ipv6 from any machine behind the router.

ROUTER: Debian Woody with kernel 2.4.25

$ ifconfig sixxs
sixxs     Link encap:IPv6-in-IPv4
          inet6 addr: fe80::c3c5:ba52/64 Scope:Link
          inet6 addr: fe80::c3c5:ba53/64 Scope:Link
          inet6 addr: 2001:14b8:100:48::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1280  Metric:1
          RX packets:22064 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23312 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5194103 (4.9 MiB)  TX bytes:2559931 (2.4 MiB)

$ ifconfig br0
br0       Link encap:Ethernet  HWaddr 00:40:F4:22:3B:50
          inet addr:xxx.xxx.xxx.82  Bcast:xxx.xxx.xxx.95  Mask:255.255.255.240
          inet6 addr: 2001:14b8:136::1/64 Scope:Global
          inet6 addr: 2001:14b8:136:0:240:f4ff:fe22:3b50/64 Scope:Global
          inet6 addr: fe80::240:f4ff:fe22:3b50/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5862017 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5082996 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2110482556 (1.9 GiB)  TX bytes:2300591926 (2.1 GiB)

$ ip -6 route
2001:14b8:136::/64 dev br0 metric 256 mtu 1500 advmss 1440
2000::/3 via 2001:14b8:100:48::1 dev sixxs metric 1024 mtu 1280 advmss 1220
fe80::/64 via :: dev sixxs metric 256 mtu 1280 advmss 1220
fe80::/64 dev br0 metric 256 mtu 1500 advmss 1440
ff00::/8 dev sixxs metric 256 mtu 1280 advmss 1220
ff00::/8 dev br0 metric 256 mtu 1500 advmss 1440
unreachable default dev lo proto none metric -1 error -101 advmss 1220

$ cat /etc/radvd.conf
interface br0
{
    AdvSendAdvert on;
    prefix 2001:14b8:136::/64
    {
    };
};

$ iptables-save
# Generated by iptables-save v1.2.6a on Sun Apr 11 14:00:08 2004
*filter
:INPUT DROP [1221:182300]
:FORWARD DROP [78967:26118475]
:OUTPUT ACCEPT [5746107:15336410707]
:block - [0:0]
-A INPUT -j block
-A FORWARD -j block
...
-A block -s 62.78.96.38 -j ACCEPT

$ sysctl -a|grep ipv6|grep conf/all
net/ipv6/conf/all/router_solicitation_delay = 1
net/ipv6/conf/all/router_solicitation_interval = 4
net/ipv6/conf/all/router_solicitations = 0
net/ipv6/conf/all/dad_transmits = 1
net/ipv6/conf/all/autoconf = 0
net/ipv6/conf/all/accept_redirects = 0
net/ipv6/conf/all/accept_ra = 0
net/ipv6/conf/all/mtu = 1280
net/ipv6/conf/all/hop_limit = 64
net/ipv6/conf/all/forwarding = 1

$ ping6 2001:14b8:100:48::1
PING 2001:14b8:100:48::1(2001:14b8:100:48::1) from 2001:14b8:100:48::2 : 56 data bytes
64 bytes from 2001:14b8:100:48::1: icmp_seq=1 ttl=64 time=13.7 ms
--- 2001:14b8:100:48::1 ping statistics ---
1 packets transmitted, 1 received, 0% loss, time 0ms
rtt min/avg/max/mdev = 13.742/13.742/13.742/0.000 ms

$ ping6 2001:14b8:136::1
PING 2001:14b8:136::1(2001:14b8:136::1) from ::1 : 56 data bytes
64 bytes from 2001:14b8:136::1: icmp_seq=1 ttl=64 time=0.141 ms
--- 2001:14b8:136::1 ping statistics ---
1 packets transmitted, 1 received, 0% loss, time 0ms
rtt min/avg/max/mdev = 0.141/0.141/0.141/0.000 ms

HOST: Debian SID with kernel 2.6.4

$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:10:5A:E1:F0:A5
          inet addr:xxx.xxx.xxx.84  Bcast:xxx.xxx.xxx.95  Mask:255.255.255.240
          inet6 addr: 2001:14b8:136::2/64 Scope:Global
          inet6 addr: 2001:14b8:136:0:210:5aff:fee1:f0a5/64 Scope:Global
          inet6 addr: fe80::210:5aff:fee1:f0a5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29259785 errors:12 dropped:0 overruns:0 frame:12
          TX packets:23810993 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3603479860 (3.3 GiB)  TX bytes:3188948203 (2.9 GiB)
          Interrupt:5 Base address:0xc400

$ ip -6 route
2001:14b8:136::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 metric10 64
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440 metric10 64
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1440 metric10 1
default via fe80::240:f4ff:fe22:3b50 dev eth0 proto kernel metric 1024 expires 177sec mtu 1500 advmss 1440 metric10 64
unreachable default dev lo proto none metric -1 error -101 metric10 255

$ sysctl -a|grep ipv6|grep conf.all
net.ipv6.conf.all.max_addresses = 16
net.ipv6.conf.all.force_mld_version = 0
net.ipv6.conf.all.router_solicitation_delay = 1
net.ipv6.conf.all.router_solicitation_interval = 4
net.ipv6.conf.all.router_solicitations = 3
net.ipv6.conf.all.dad_transmits = 1
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.mtu = 1280
net.ipv6.conf.all.hop_limit = 64
net.ipv6.conf.all.forwarding = 0

$ ping6 2001:14b8:136::1
PING 2001:14b8:136::1(2001:14b8:136::1) 56 data bytes
64 bytes from 2001:14b8:136::1: icmp_seq=1 ttl=64 time=0.519 ms
--- 2001:14b8:136::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.519/0.519/0.519/0.000 ms

$ ping6 2001:14b8:100:48::1
PING 2001:14b8:100:48::1(2001:14b8:100:48::1) 56 data bytes
--- 2001:14b8:100:48::1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1998ms

TCPDUMP in ROUTER shows this:

$ tcpdump -i sixxs ip6
tcpdump: WARNING: sixxs: no IPv4 address assigned
tcpdump: listening on sixxs
14:03:13.735508 2001:14b8:136::2 > 2001:14b8:100:48::1: icmp6: echo request
14:03:13.755368 2001:14b8:100:48::1 > 2001:14b8:136::2: icmp6: echo reply

$ tcpdump -i br0 ip6
tcpdump: listening on br0
14:03:53.304567 2001:14b8:136::2 > 2001:14b8:100:48::1: icmp6: echo request
14:03:53.321304 bad-hlen 0

$ tcpdump -i eth1 ip6
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: listening on eth1
14:04:25.632689 2001:14b8:136::2 > 2001:14b8:100:48::1: icmp6: echo request

I have no idea why this isn't working ..

Linux: IPv6 routing problem with ethernet bridging (solution: ebtables)
[de] Shadow Hawkins on Thursday, 17 June 2004 02:43:11
Problem Description: Local IPv6 subnet cannot connect to the outside world when the tunnel traffic is going through a network interface that is part of a linux bridge.

Have you compiled "bridge netfilter" support (ebtables) into the kernel? Look for CONFIG_BRIDGE_NF_EBTABLES in your .config file. If yes, try something like this:

ebtables -t broute -A BROUTING --in-interface $DEV -p ip --ip-proto ipv6 -j DROP

where $DEV is your network interface which is connected to the internet and where the sixxs tunnel is coming through, e.g. eth0. This enforces that the IPv6 tunnel is being routed instead of being bridged.

Also make sure all network interfaces of your bridge have the same MAC address as the bridge device itself. This is only needed for brouting and IPv6, otherwise neighbor discovery won't work for IPv6 traffic that is routed instead of being bridged. Try something like this:

for device in <all_bridge_devices>; do
    ifconfig $device down
    ifconfig $device hw ether <MAC>
    ifconfig $device 0.0.0.0 up
    brctl addif $DEV $device
done

Longer description:
===================

I had the same problem. It occurs in the following situation:
- you are using ethernet bridging in the kernel
- your internet connection is coming through an interface of the bridge
- and therefore your sixxs tunnel is also coming through the bridge

See http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png for an overview. The default for ethernet bridging is that a packet stays mostly in the blue zone, if it was not directed to localhost (and if the packet can be bridged).

What happens if you don't use the ebtables rule:

case 1: incoming sixxs IPv6 tunnel traffic, destined to localhost:
- kernel/ebtables will decide whether to bridge (default) or route
- since packet is destined for localhost, no bridging necessary
- the packet is not sent to the other devices, which is good
- you can send and receive IPv6 from the bridging computer to the IPv6 internet

case 2: incoming sixxs IPv6 tunnel traffic, destined to subnet:
- kernel/ebtables will decide whether to bridge (default) or route
- ebtables is confused: the sixxs tunnel packet is destined for (IPv4) localhost, but its embedded destination (IPv6) address is somewhere not localhost
- the packet is bridged to subnet (default action, but wrong in this case), instead of being routed
- you cannot receive any IPv6 internet traffic from subnet, only sending IPv6 traffic works
- native IPv6 traffic within subnet and router/bridge is unaffected

Solution:
- add an ebtables rule that enforces routing for incoming IPv6 tunnel packets (see the rule at the very beginning)
- make sure that you use the same MAC for all network interfaces of the bridge
- or simply avoid that the IPv6 tunnel comes in from an interface that is part of a bridge

Hope that makes any sense ...

Greetings, Max

PS: updated 2004-06-17 to reflect the fact that ebtables is the solution, and that the problem only occurs for certain bridging setups.
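
An added example (not part of either post): a read-only check of the two conditions the second post describes, namely whether the interface carrying the tunnel is a bridge port and whether every port shares the bridge's MAC. It assumes a kernel that exposes bridge state under /sys/class/net; the function names, the SYSFS_NET variable and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: reads sysfs only, changes nothing. SYSFS_NET (an assumption of
# this example) may point at a copy of /sys/class/net; default is the live one.

# bridge_of DEV: print the bridge DEV is a port of; fail if DEV is not a port.
bridge_of() {
    link="${SYSFS_NET:-/sys/class/net}/$1/brport/bridge"
    [ -L "$link" ] || return 1
    basename "$(readlink "$link")"
}

# mac_mismatches BRIDGE: print "port mac" for each port whose MAC differs.
mac_mismatches() {
    net="${SYSFS_NET:-/sys/class/net}"
    want=$(cat "$net/$1/address")
    for p in "$net/$1/brif"/*; do
        [ -e "$p" ] || continue
        port=${p##*/}
        have=$(cat "$net/$port/address")
        [ "$have" = "$want" ] || echo "$port $have"
    done
}

# check_uplink DEV: DEV is the interface the tunnel's IPv4 packets arrive on.
# Returns 1 when DEV is a bridge port (the situation described in the thread).
check_uplink() {
    if br=$(bridge_of "$1"); then
        echo "$1 is a port of $br: tunnel packets are bridged unless brouted, e.g."
        echo "  ebtables -t broute -A BROUTING --in-interface $1 -p ip --ip-proto ipv6 -j DROP"
        mac_mismatches "$br" | sed "s/^/  MAC differs from $br: /"
        return 1
    fi
    echo "$1 is not a bridge port: tunnel traffic is routed normally"
}

# Constructed sample tree: br0 with ports eth0 and eth1, eth2 standalone.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/br0/brif/eth0" "$d/br0/brif/eth1" "$d/eth0/brport" "$d/eth1/brport" "$d/eth2"
    ln -s ../../br0 "$d/eth0/brport/bridge"; ln -s ../../br0 "$d/eth1/brport/bridge"
    echo 00:40:f4:22:3b:50 > "$d/br0/address"; echo 00:40:f4:22:3b:50 > "$d/eth1/address"
    echo 02:00:00:00:00:01 > "$d/eth0/address"; echo 02:00:00:00:00:02 > "$d/eth2/address"
    echo "$d"
}

# Demo on the sample; on a real host drop these lines and call check_uplink <dev>.
SYSFS_NET=$(make_sample)
check_uplink eth0 || true
check_uplink eth2
```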


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker