[Firewall] Some questions regarding IPv6/IPv4 dual stack

Gustin Johnson gustin at meganerd.ca
Tue Oct 29 10:35:43 CET 2013


I tried it again tonight and it seems to be working.  Maybe I just forgot
to re-initialize Arno's script.  I had a working outbound config, so I don't
think it was a routing issue; I suspect that I just needed to actually
apply the updated settings first.

Thanks again for your help,
__
Gustin


On Mon, Oct 28, 2013 at 11:44 AM, Gustin Johnson <gustin at meganerd.ca> wrote:

> On Mon, Oct 28, 2013 at 9:50 AM, Lonnie Abelbeck <
> lists at lonnie.abelbeck.com> wrote:
>
>> Hi Gustin,
>>
>> First, I assume you had a typo and meant:
>> --
>> INET_FORWARD_TCP="::/0>2001:1234:b:11c:aaaa:bbbb:cccc:dddd~22,443"
>>
>
> Correct, this was a typo.  There is no ">" at the end.
>
>> --
>> BTW, "0/0" will work equally well as "::/0"
>>
>> Your setup looks very similar to mine, your AIF configuration looks good
>> to me.  Try...
>>
>> $ ip6tables -nvL EXT_FORWARD_IN_CHAIN
>>
>> and see if you are getting any 'hits' on your INET_FORWARD_TCP rules.
>>
> There are some hits, though not many:
>  8   832 ACCEPT     icmpv6    he-ipv6 !he-ipv6  ::/0                 2001:1234:b:11c::/64
>
>
>> Question, is the (phony) 2001:1234:b:11c::/64 prefix assigned on one of
>> the AIF box's interfaces or is it "hidden" downstream ?  If so you need a
>> static route on the AIF box on how to reach the 2001:1234:b:11c::/64
>> network.  Something like:
>> --
>>
> I statically assigned an IP from the /64 to the "internal" NIC.  This is
> my home and thus is a pretty flat (and reasonably simple) network.
>
>> ip -6 route add 2001:1234:b:11c::1/64 via 2001:1234:b:a::2 dev eth1 metric 1
>> --
>> Do you have a /64 or /48 prefix from your provider ?
>>
> /64.
>
>> My guess is you have a routing issue, your AIF config looks good at first
>> blush.
>>
> I will check again, thanks for the tips.
>
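
The counter check suggested in this thread, as an added example that is not part of the original messages: it classifies the TCP ACCEPT rules for one forwarded address as missing, loaded but never hit, or hit. The function names and the sample listing are constructed for illustration (the listing follows the column layout quoted above, and one rule per port is an assumption).

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed sample of `ip6tables -nvL EXT_FORWARD_IN_CHAIN` output.
sample_counters() {
cat <<'EOF'
Chain EXT_FORWARD_IN_CHAIN (1 references)
 pkts bytes target     prot      in      out      source               destination
    8   832 ACCEPT     icmpv6    he-ipv6 !he-ipv6  ::/0                 2001:1234:b:11c::/64
    0     0 ACCEPT     tcp       he-ipv6 *         ::/0                 2001:1234:b:11c:aaaa:bbbb:cccc:dddd  tcp dpt:22
    0     0 ACCEPT     tcp       he-ipv6 *         ::/0                 2001:1234:b:11c:aaaa:bbbb:cccc:dddd  tcp dpt:443
EOF
}

# Reads a chain listing on stdin; $1 is the forwarded destination address.
# stdout: no-rule (rule not loaded), no-hit (loaded, no packets), or hit.
# stderr: one line per matching rule with its packet counter.
tcp_forward_status() {
    awk -v dest="$1" '
        $3 == "ACCEPT" && $4 == "tcp" {
            found = 0
            # Search by value, not column: an "opt" column may or may not be
            # present, and the address may carry a /128 suffix.
            for (i = 5; i <= NF; i++)
                if ($i == dest || $i == dest "/128") found = 1
            if (!found) next
            rules++
            # Without -x, large counters are abbreviated (12K, 3M), so
            # compare against the string "0" instead of doing arithmetic.
            if ($1 != "0") hits++
            printf "%s pkts=%s\n", $NF, $1 > "/dev/stderr"
        }
        END {
            if (rules == 0)     print "no-rule"
            else if (hits == 0) print "no-hit"
            else                print "hit"
        }'
}

# Demo on the constructed sample. On a live box:
#   ip6tables -nvL EXT_FORWARD_IN_CHAIN | tcp_forward_status <address>
sample_counters | tcp_forward_status 2001:1234:b:11c:aaaa:bbbb:cccc:dddd
```

A `no-rule` result points at settings that were never applied, `no-hit` at traffic that never reaches the chain (routing or upstream filtering), and `hit` at a problem beyond the firewall.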