Forum - Clients in subnet can't ping hosts outside :: SixXS

Clients in subnet can't ping hosts outside

Shadow Hawkins on Thursday, 02 October 2014 22:51:00

Dear people, i'm spinning around... please Help... my config: Gateway SuSE 12.2 x64 with AICCU is up. (T87658) External fixed ipv4 address (eth1) Internal on eth0 manually configured: inet6 addr: 2001:7b8:2ff:8431::1/64 Scope:Global ping6 works: from gw box to outside (i.g. ipv6.google.com). also from outside (vhost 2a03:f80:ed15:149:154:152:128:1) to the box on external: 2001:7b8:2ff:431::2/64 (tunnel endpoint) also to my gw internal (eth0): 2001:7b8:2ff:8431::1 Internal windows client to gw, internal and external. so i guess, the firewall (SuSEfirewall) on the gw could not be the issue!? (i've tried to shut it down for tests) but... no ping6 from the windows7 client to ipv6.google.com or my vhost (www6.ctw.at) no matter if i try to give the w7 client a manually ip addr (such 2001:7b8:2ff:8431::1234 and gateway **:2) or get an addr from radvd: prefix 2001:7b8:2ff:8431::/64 from radvd the w7 client always get a fe80:** :-( ipv6 forward is enabled on sysctl routes on the gw: ++++++++++++++++++++ filter-2013:~ # ip -6 ro show ::/96 via :: dev sit0 metric 256 2001:7b8:2ff:431::/64 dev sixxs proto kernel metric 256 2001:7b8:2ff:8431::/64 dev eth0 proto kernel metric 256 unreachable fe80::/64 dev lo proto kernel metric 256 error -101 fe80::/64 dev eth0 proto kernel metric 256 fe80::/64 dev eth1 proto kernel metric 256 fe80::/64 dev sixxs proto kernel metric 256 default via 2001:7b8:2ff:431::1 dev sixxs metric 1024 +++++++++++++++++++ w7: (ipv6's from radvd) Ethernet-Adapter LAN-J45: Verbindungsspezifisches DNS-Suffix: j45.ctw.at IPv6-Adresse. . . . . . . . . . . : 2001:7b8:2ff:8431:c5ad:8e3c:ea1f:c336 Temporre IPv6-Adresse. . . . . . : 2001:7b8:2ff:8431:c9f5:bac2:d181:e65a Verbindungslokale IPv6-Adresse . : fe80::c5ad:8e3c:ea1f:c336%12 Standortlokale IPv6-Adresse . . . : fec0::c5ad:8e3c:ea1f:c336%1 IPv4-Adresse . . . . . . . . . . : 192.168.240.210 Subnetzmaske . . . . . . . . . . : 255.255.255.0 Standardgateway . . . . . . . . . : fe80::20c:29ff:fee8:608d%12 192.168.240.1 please get me out of spinning ;-) many thanks! Gerhard

Clients in subnet can't ping hosts outside

Jeroen Massar SixXS Staff

on Thursday, 02 October 2014 23:30:10

so i guess, the firewall (SuSEfirewall) on the gw could not be the issue!?

(i've tried to shut it down for tests)

What does "shut down" do, is the policy then ACCEPT or DROP? Check both:

iptables -v --list -n

and:

ip6tables -v --list -n

Also what addresses do you have on the gateway (ip -6 addr show)?

from radvd the w7 client always get a fe80:** :-(

But below you show that both a global and temp address are listed.

Standardgateway . . . . . . . . . : fe80::20c:29ff:fee8:608d%12

That matches the address on your gateway (that runs radvd) and is correct. What other routes does the client machine have?

Clients in subnet can't ping hosts outside

Shadow Hawkins on Friday, 03 October 2014 12:36:16

Jeroen Massar wrote:

> so i guess, the firewall (SuSEfirewall) on the gw could not be the issue!?

(i've tried to shut it down for tests)

What does "shut down" do, is the policy then ACCEPT or DROP? Check both:

iptables -v --list -n

and:

ip6tables -v --list -n

filter-2013:~ # iptables -v --list -n
Chain INPUT (policy ACCEPT 7 packets, 515 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5 packets, 561 bytes)
 pkts bytes target     prot opt in     out     source               destination

filter-2013:~ # ip6tables -v --list -n
Chain INPUT (policy ACCEPT 1 packets, 1028 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 1028 bytes)
 pkts bytes target     prot opt in     out     source               destination

This output at stopped SuSEfirewall2 Also what addresses do you have on the gateway (ip -6 addr show)?

filter-2013:~ # ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:7b8:2ff:8431::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fee8:608d/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::20c:29ff:fee8:6097/64 scope link
       valid_lft forever preferred_lft forever
5: sit0: <NOARP,UP,LOWER_UP> mtu 1480
    inet6 ::10.8.0.1/96 scope global
       valid_lft forever preferred_lft forever
    inet6 ::83.64.76.132/96 scope global
       valid_lft forever preferred_lft forever
    inet6 ::192.168.240.254/96 scope global
       valid_lft forever preferred_lft forever
    inet6 ::127.0.0.1/96 scope host
       valid_lft forever preferred_lft forever
12: sixxs: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qlen 500
    inet6 2001:7b8:2ff:431::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::4b8:2ff:431:2/64 scope link
       valid_lft forever preferred_lft forever

from radvd the w7 client always get a fe80:** :-(

But below you show that both a global and temp address are listed.

Standardgateway . . . . . . . . . : fe80::20c:29ff:fee8:608d%12

That matches the address on your gateway (that runs radvd) and is correct. ok, i guess, the fe80* woudn't be routed, like link local adresses What other routes does the client machine have?

IPv6-Routentabelle
==============================================================
Aktive Routen:
 If Metrik Netzwerkziel             Gateway
 12    266 ::/0                     fe80::20c:29ff:fee8:608d
  1    306 ::1/128                  Auf Verbindung
 12     18 2001:7b8:2ff:8431::/64   Auf Verbindung
 12    266 2001:7b8:2ff:8431:c5ad:8e3c:ea1f:c336/128
                                    Auf Verbindung
 12    266 2001:7b8:2ff:8431:c9f5:bac2:d181:e65a/128
                                    Auf Verbindung
 12     18 2001:15c0:6788::/48      Auf Verbindung
 12    266 fe80::/64                Auf Verbindung
 15    276 fe80::/64                Auf Verbindung
 15    276 fe80::589f:1bdc:244c:cf9c/128
                                    Auf Verbindung
 12    266 fe80::c5ad:8e3c:ea1f:c336/128
                                    Auf Verbindung
 12     18 fec0::/64                Auf Verbindung
 12    266 fec0::c5ad:8e3c:ea1f:c336/128
                                    Auf Verbindung
  1    306 ff00::/8                 Auf Verbindung
 12    266 ff00::/8                 Auf Verbindung
 15    276 ff00::/8                 Auf Verbindung
==============================================================
Stndige Routen:
  Keine

another w7 client get the same config from radvd... a centOS client also get a ipv6 address, but also cannot ping outside...

filter-2013:~ # ip -6 route
::/96 via :: dev sit0  metric 256
2001:7b8:2ff:431::/64 dev sixxs  proto kernel  metric 256
2001:7b8:2ff:8431::/64 dev eth0  proto kernel  metric 256
unreachable fe80::/64 dev lo  proto kernel  metric 256  error -101
fe80::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev eth1  proto kernel  metric 256
fe80::/64 dev sixxs  proto kernel  metric 256
default via 2001:7b8:2ff:431::1 dev sixxs  metric 1024

this is status with runnig radvd and aiccu. many thanks for have a look on it!! gerhard

Clients in subnet can't ping hosts outside

Shadow Hawkins on Friday, 03 October 2014 12:21:34

Gerhard Wegl wrote:

Please note Posting is only allowed when you are logged in.