[Firewall] Some questions regarding IPv6/IPv4 dual stack

Gustin Johnson gustin at meganerd.ca
Mon Oct 28 18:44:29 CET 2013


On Mon, Oct 28, 2013 at 9:50 AM, Lonnie Abelbeck <lists at lonnie.abelbeck.com> wrote:

> Hi Gustin,
>
> First, I assume you had a typo and meant:
> --
> INET_FORWARD_TCP="::/0>2001:1234:b:11c:aaaa:bbbb:cccc:dddd~22,443"
>

Correct, this was a typo.  There is no ">" at the end.

> --
> BTW, "0/0" will work equally well as "::/0"
>
> Your setup looks very similar to mine, your AIF configuration looks good to
> me.  Try...
>
> $ ip6tables -nvL EXT_FORWARD_IN_CHAIN
>
> and see if you are getting any 'hits' on your INET_FORWARD_TCP rules.
>

There are some hits, though not many:
 8   832 ACCEPT     icmpv6    he-ipv6 !he-ipv6  ::/0                 2001:1234:b:11c::/64


> Question, is the (phony) 2001:1234:b:11c::/64 prefix assigned on one of
> the AIF box's interfaces or is it "hidden" downstream ?  If so you need a
> static route on the AIF box on how to reach the 2001:1234:b:11c::/64
> network.  Something like:
> --
>
I statically assigned an IP from the /64 to the "internal" NIC.  This is my
home and thus is a pretty flat (and reasonably simple) network.

> ip -6 route add 2001:1234:b:11c::1/64 via 2001:1234:b:a::2 dev eth1 metric 1
> --
> Do you have a /64 or /48 prefix from your provider ?
>

/64.

> My guess you have a routing issue, your AIF config looks good at first
> blush.
>

I will check again, thanks for the tips.
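
As an added example (not part of the original thread), the counter check suggested above can be scripted: the function below sums packet counters per TCP destination port from an `ip6tables -nvxL` listing, so a forwarded port with no hits stands out. The sample listing is constructed around the one icmpv6 row quoted in the reply; the TCP rows, their counters and the function names are assumptions.

```shell
#!/bin/sh
# Added example: sum packet counters per TCP destination port from an
# `ip6tables -nvxL <chain>` listing (-x prints exact counts, no K/M suffixes).

# Constructed sample listing. Only the icmpv6 row comes from the thread;
# the two TCP rows and their counters are made up for illustration.
sample_listing() {
    cat <<'EOF'
Chain EXT_FORWARD_IN_CHAIN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       8      832 ACCEPT     icmpv6    he-ipv6 !he-ipv6  ::/0                 2001:1234:b:11c::/64
       3      240 ACCEPT     tcp       he-ipv6 !he-ipv6  ::/0                 2001:1234:b:11c:aaaa:bbbb:cccc:dddd tcp dpt:22
       0        0 ACCEPT     tcp       he-ipv6 !he-ipv6  ::/0                 2001:1234:b:11c:aaaa:bbbb:cccc:dddd tcp dpt:443
EOF
}

# tcp_forward_hits PORTS  (listing on stdin)
# PORTS is a comma-separated list such as "22,443". Prints one line per
# port: "<port> <packets> hit|no-hits".
tcp_forward_hits() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, want, ",") }
        # Rule rows start with a numeric packet counter; field 4 is the protocol.
        $1 ~ /^[0-9]+$/ && $4 == "tcp" {
            list = ""
            for (i = 5; i <= NF; i++) {
                if ($i ~ /^dpt:/) list = substr($i, 5)            # single port match
                if ($i == "dports" && i < NF) list = $(i + 1)     # multiport match
            }
            m = split(list, have, ",")
            for (j = 1; j <= m; j++) pkts[have[j]] += $1
        }
        END {
            for (k = 1; k <= n; k++)
                printf "%s %d %s\n", want[k], pkts[want[k]],
                       (pkts[want[k]] > 0 ? "hit" : "no-hits")
        }'
}

# Live use: ip6tables -nvxL EXT_FORWARD_IN_CHAIN | tcp_forward_hits 22,443
sample_listing | tcp_forward_hits 22,443
```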