SixXS::Sunset 2017-06-06

Synology: IPv6 tunnel working, cannot get it to route
[gb] Shadow Hawkins on Wednesday, 15 October 2014 01:56:13
I've successfully connected my Synology DS211J to a SixXS tunnel, and can ping IPv6 sites from it. I've installed radvd which is successfully handing out internal addresses to my LAN, however, hosts on my LAN can't talk to the outside world.

ifconfig on synology:

    eth0      Link encap:Ethernet  HWaddr 00:11:32:0D:C9:A2
              inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: 2a01:348:6:87a8::2/64 Scope:Global
              inet6 addr: fe80::211:32ff:fe0d:c9a2/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:81876 errors:0 dropped:0 overruns:0 frame:0
              TX packets:157737 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:532
              RX bytes:15434969 (14.7 MiB)  TX bytes:158959964 (151.5 MiB)
              Interrupt:11

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:7745 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7745 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1099933 (1.0 MiB)  TX bytes:1099933 (1.0 MiB)

    sixxs     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet6 addr: 2a01:348:6:7a8::2/64 Scope:Global
              inet6 addr: fe80::48:6:7a8:2/64 Scope:Link
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
              RX packets:95 errors:0 dropped:0 overruns:0 frame:0
              TX packets:294 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500
              RX bytes:49504 (48.3 KiB)  TX bytes:64102 (62.5 KiB)

ipconfig on Windows client:

    Connection-specific DNS Suffix  . : home.lum.uk
    IPv6 Address. . . . . . . . . . . : 2a01:348:6:87a8:6db2:dc2e:43c2:b78d
    Temporary IPv6 Address. . . . . . : 2a01:348:6:87a8:c97d:cfa1:51ae:70e9
    Link-local IPv6 Address . . . . . : fe80::6db2:dc2e:43c2:b78d%3
    IPv4 Address. . . . . . . . . . . : 192.168.1.20
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : fe80::211:32ff:fe0d:c9a2%3
                                        192.168.1.1

/opt/etc/aiccu.conf:

    username SGC14-SIXXS
    password *****************
    #protocol <tic|tsp|l2tp>
    #server <server to use>
    ipv6_interface sixxs
    tunnel_id T******
    verbose false
    daemonize true
    automatic true
    requiretls false
    pidfile /var/run/aiccu.pid
    defaultroute true
    #setupscript /opt/bin/aiccu-subnets.sh
    makebeats true
    #noconfigure true
    #behindnat true
    #local_ipv4_override

/etc/radvd.conf:

    interface eth0
    {
        AdvSendAdvert on;
        AdvLinkMTU 1428;
        MaxRtrAdvInterval 300;
        prefix 2a01:348:6:87a8::/64
        {
            AdvOnLink on;
            AdvAutonomous on;
        };
    };

startup script for aiccu:

    #!/bin/sh
    for i in x_tables.ko ip_tables.ko iptable_filter.ko nf_conntrack.ko \
        ipt_LOG.ko xt_multiport.ko xt_tcpudp.ko xt_state.ko xt_limit.ko \
        nf_conntrack.ko ip6_tables.ko ip6table_filter.ko \
        nf_conntrack_ipv6.ko ip6t_LOG.ko tun.ko
    do
        /sbin/insmod /lib/modules/$i
    done
    aiccu start

script that runs after aiccu starts:

    #!/bin/sh
    # Enable IPv6 forwarding
    echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
    # Set up the LAN prefix and enable SLAAC
    radvd start
    # Set up IPv6 firewall rules for the NAS and the LAN
    #ip6tables -A INPUT -m rt --rt-type 0 -j DROP
    #ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
    #ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
    ip6tables -A INPUT -i sixxs -p tcp --dport 22 -d 2a01:348:6:7a8::2 -j ACCEPT
    ip6tables -A INPUT -i sixxs -p icmpv6 -j ACCEPT
    ip6tables -A INPUT -i sixxs -j DROP

Note I've also tried it without any ip6tables entries. Any idea where I'm going wrong here?

from the Synology:

    purr> ping6 www.google.com
    PING www.google.com (2a00:1450:4009:800::1011): 56 data bytes
    64 bytes from 2a00:1450:4009:800::1011: seq=0 ttl=57 time=14.607 ms
    64 bytes from 2a00:1450:4009:800::1011: seq=1 ttl=57 time=15.831 ms
    ^C
    --- www.google.com ping statistics ---
    3 packets transmitted, 2 packets received, 33% packet loss
    round-trip min/avg/max = 14.607/15.219/15.831 ms

from Windows:

    C:\Users\lum>ping -6 -n 1 www.google.com

    Pinging www.google.com [2a00:1450:4009:80c::1011] with 32 bytes of data:
    Request timed out.

    Ping statistics for 2a00:1450:4009:80c::1011:
        Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

Synology: IPv6 tunnel working, cannot get it to route
[ch] Jeroen Massar SixXS Staff on Wednesday, 15 October 2014 10:16:42
The gateway address is reachable, that is a first good step:

    12  2a01:348:6:87a8::2 (2a01:348:6:87a8::2)  38.363 ms  38.374 ms  40.557 ms

Btw, you might be interested in getting Debian up and running on your host: http://kristof.vanhertum.be/?p=132

> [..]
> AdvSendAdvert on; AdvLinkMTU 1428;

Why are you setting a MTU here? Ethernet MTU is 1500. Note that the tunnel MTU might be different. Per default the tunnel MTU is 1280, which is also what your tunnel is configured at. You just need something like this:

    interface eth0
    {
        AdvSendAdvert on;
        prefix 2001:db8::/64
        {
        };
    };

Nothing else. All default parameters are fine.

> [..]
> /sbin/insmod /lib/modules/$i

Why are you manually insmodding these modules? Most kernels properly autoload them. Are you also really sure you want connection tracking?

> # Enable IPv6 forwarding
> echo "1" > /proc/sys/net/ipv6/conf/all/forwarding

This only enables forwarding for already configured interfaces. You need to set it for 'default' too. You will want to use something like /etc/sysctl.d/tweaks.conf (change/comment the ones you do not need).

    # Enable forwarding
    net.ipv4.conf.default.forwarding=1
    net.ipv4.conf.all.forwarding=1
    net.ipv6.conf.default.forwarding=1
    net.ipv6.conf.all.forwarding=1

    # Do not accept RA ever
    net.ipv6.conf.default.accept_ra=0
    net.ipv6.conf.all.accept_ra=0

    # Use the proper interface for ICMP
    net.ipv4.icmp_errors_use_inbound_ifaddr=1

> # Set up the LAN prefix and enable SLAAC
> radvd start

Does your system not have a normal init script that launches radvd?

> ip6tables -A INPUT -i sixxs -p tcp --dport 22 -d 2a01:348:6:7a8::2 -j ACCEPT
> ip6tables -A INPUT -i sixxs -p icmpv6 -j ACCEPT
> ip6tables -A INPUT -i sixxs -j DROP

That is not a lot you are allowing there. Are you sure that those rules are correct? What are the active rules?

> Note I've also tried it without any ip6tables entries.

You'll have to check the active rules. As you are loading NAT components, check those too. And don't forget to check both IPv4 and IPv6 rules.

> from Windows:
> C:\Users\lum>ping -6 -n 1 www.google.com

The better question is what route those packets want to take and what the source address that it is selecting.

    ipconfig /all

Check *all* interfaces. Windows tends to autoconfigure a few. netstat -rn should show a good part of this. Otherwise check with "netsh" how things are configured.

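Checking the active rules, as the reply above asks, can be done mechanically. This added example (not code from either poster or from SixXS) summarises `ip6tables -S` output per chain and lists the chains that filter nothing; the sample rules are constructed from the three rules in the first post, assuming default ACCEPT policies and an ip6tables build that supports `-S`.

```sh
#!/bin/sh
# Constructed sample in `ip6tables -S` format: the three rules from the first
# post, with every chain policy assumed to be the ACCEPT default.
sample_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -d 2a01:348:6:7a8::2/128 -i sixxs -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i sixxs -p ipv6-icmp -j ACCEPT
-A INPUT -i sixxs -j DROP
EOF
}

# Read `ip6tables -S` text on stdin; print "CHAIN policy=P rules=N" for each
# built-in chain, in the order the policies were listed.
summarise_rules() {
    awk '
        $1 == "-P" { policy[$2] = $3; order[++n] = $2 }
        $1 == "-A" { count[$2]++ }
        END {
            for (k = 1; k <= n; k++) {
                c = order[k]
                printf "%s policy=%s rules=%d\n", c, policy[c], count[c]
            }
        }'
}

# Chains that accept by default and hold no rules, i.e. filter nothing.
unfiltered_chains() {
    summarise_rules | awk '$2 == "policy=ACCEPT" && $3 == "rules=0" { print $1 }'
}

# With IPv6 forwarding on, routed LAN traffic passes through FORWARD, not INPUT.
sample_rules | summarise_rules
# On the router itself: ip6tables -S | unfiltered_chains
```

For the sample, only INPUT carries rules, so traffic routed between the tunnel and the LAN is not matched by any of them.
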
Synology: IPv6 tunnel working, cannot get it to route
[gb] Shadow Hawkins on Wednesday, 15 October 2014 13:50:27
Jeroen Massar wrote:
> Btw, you might be interested in getting Debian up and running on your host: http://kristof.vanhertum.be/?p=132

The 211j is the cut-down slow version for home users with only a couple of clients. Much as I love Debian, I think I'm best off sticking with Synology's OS for now.

> Why are you setting a MTU here? Ethernet MTU is 1500. Note that the tunnel MTU might be different. Per default the tunnel MTU is 1280, which is also what your tunnel is configured at.

I thought I'd set the tunnel MTU to match, but apparently I hadn't, now fixed (I thought my IPv4 MTU was 1500, but apparently it's now 1492, tunnel adjusted to 1420 to compensate)

> Why are you manually insmodding these modules? Most kernels properly autoload them. Are you also really sure you want connection tracking?

This one doesn't, it doesn't even have modprobe! :( No I'm not sure I want connection tracking, it just got added while I was trying to make forwarding work. New list:

    x_tables.ko ip_tables.ko iptable_filter.ko ipt_LOG.ko xt_multiport.ko
    xt_tcpudp.ko xt_state.ko xt_limit.ko ip6_tables.ko ip6table_filter.ko
    ip6t_LOG.ko tun.ko

> # Do not accept RA ever
> net.ipv6.conf.default.accept_ra=0
> net.ipv6.conf.all.accept_ra=0

This was the killer, I figured this out late last night, that it was adding its own IP address in addition to the default route set up by aiccu, however I couldn't figure out how to stop it, so just deleted that route by hand. Now I know how to do it properly! There's no sysctl stuff on this system, but the echo commands work well enough :)

> Does your system not have a normal init script that launches radvd?

Synology init scripts are weird and I've not fully figured them out yet. Once I have the system working from a single command (currently /usr/local/bin/aiccu-start) then I'll dig into the init scripts.

> And don't forget to check both IPv4 and IPv6 rules.

IPv4 I'm leaving to the ISP supplied router. It may be a bit crappy but it works well enough for this.

And, with these changes, I'm now up and running:

    C:\Users\lum>ping -6 -l 1380 ipv6.google.com

    Pinging ipv6.l.google.com [2a00:1450:4009:800::1008] with 1380 bytes of data:
    Reply from 2a00:1450:4009:800::1008: time=12ms
    Reply from 2a00:1450:4009:800::1008: time=21ms
    Reply from 2a00:1450:4009:800::1008: time=11ms
    Reply from 2a00:1450:4009:800::1008: time=11ms

    Ping statistics for 2a00:1450:4009:800::1008:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 11ms, Maximum = 21ms, Average = 13ms

Now all I need to do is figure out why "setupscript /opt/bin/aiccu-subnets.sh" does nothing, and I have to run it manually, and figure out how Synology init scripts work. Thank you for all the help!

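The post above notes that this system has no sysctl but that the echo commands work. As an added example (not code from either poster or from SixXS), this script checks and applies the IPv6 keys from the earlier sysctl list through /proc/sys directly; `PROC_SYS`, `key_path`, `check_settings` and `apply_settings` are names made up here.

```sh
#!/bin/sh
# PROC_SYS is made up for this example (lets it run against a scratch tree).
PROC_SYS="${PROC_SYS:-/proc/sys}"

# The IPv6 keys from the list in the reply, in sysctl.conf syntax.
settings() {
    cat <<'EOF'
# Enable forwarding
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
# Do not accept RA ever
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.accept_ra=0
EOF
}

# net.ipv6.conf.all.forwarding -> $PROC_SYS/net/ipv6/conf/all/forwarding
key_path() {
    printf '%s/%s\n' "$PROC_SYS" "$(printf '%s' "$1" | tr . /)"
}

# Read key=value lines on stdin; print keys that differ, return 1 if any did.
check_settings() {
    rc=0
    while IFS='=' read -r key want; do
        case "$key" in ''|'#'*) continue ;; esac
        have=$(cat "$(key_path "$key")" 2>/dev/null) || have=missing
        if [ "$have" != "$want" ]; then
            echo "$key: have $have, want $want"
            rc=1
        fi
    done
    return "$rc"
}

# Write each value, the same thing `echo 1 > /proc/sys/...` does by hand.
apply_settings() {
    while IFS='=' read -r key want; do
        case "$key" in ''|'#'*) continue ;; esac
        printf '%s\n' "$want" > "$(key_path "$key")"
    done
}

# Usage: script.sh check | script.sh apply   (no argument: define only)
case "${1:-}" in
    check) settings | check_settings ;;
    apply) settings | apply_settings ;;
esac
```

Running the check from the start script after the apply step makes a setting that did not take show up at boot rather than as a stray route later.
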
Synology: IPv6 tunnel working, cannot get it to route
[ch] Jeroen Massar SixXS Staff on Wednesday, 15 October 2014 15:26:18
>> Why are you setting a MTU here? Ethernet MTU is 1500. Note that the tunnel MTU might be different. Per default the tunnel MTU is 1280, which is also what your tunnel is configured at.
> I thought I'd set the tunnel MTU to match, but apparently I hadn't, now fixed (I thought my IPv4 MTU was 1500, but apparently it's now 1492, tunnel adjusted to 1420 to compensate)

1420 sounds okay for an AYIYA tunnel over a network that has a MTU of 1492. But what did you configure the MTU of the local ethernet interface to (eth0)?

>> Why are you manually insmodding these modules? Most kernels properly autoload them.
>> Are you also really sure you want connection tracking?
> This one doesn't, it doesn't even have modprobe! :(

As it does not have modprobe, the autoloading also fails. Sounds like a broken platform to me though.

> No I'm not sure I want connection tracking, it just got added while I was trying to make forwarding work.

Loading modules that are not being used is not a good idea, especially on a platform with those kind of low resources.

>> # Do not accept RA ever
>> net.ipv6.conf.default.accept_ra=0
>> net.ipv6.conf.all.accept_ra=0
> This was the killer, I figured this out late last night, that it was adding its own IP address in addition to the default route set up by aiccu, however I couldn't figure out how to stop it, so just deleted that route by hand. Now I know how to do it properly!

What other address were you seeing? Which router was advertising that?

> IPv4 I'm leaving to the ISP supplied router. It may be a bit crappy but it works well enough for this.

Then why are you loading IPv4 related modules?


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker