
ipv6 for hosts behind UTM

Hi list,

I got an IPv6 /48 from my provider. I gave an IPv6 address to the UTM interface connected to the provider, and a second one to the internal interface of the UTM, with the IPv6 GW being the UTM interface connected to the provider. I don't use Prefix Advertisement, which is limited to /64. BTW, would it work if I used another mask like /96 or so?

My setup: host with Linux Debian 9 and libvirt/KVM. The UTM is software in a VM, v9.510-5. A second VM acts as the server for OpenVPN, DHCP, DNS, and so on. Everything is working fine with IPv4. I created a FW rule to allow all IPv6 to IPv6 for all services. I manually set an IPv6 address on a host behind the UTM (which means connected to the internal interface) and from there I can ping, ssh or telnet to the outside; all is good.

The problem is that I can't connect/reach the other way, from outside to internal. I can ping the UTM provider interface, that's all. What is also possible is to ssh to an outside port redirected to the IPv6 of the host, but the session doesn't finish properly. With tshark I can see the traffic coming in, and on the client side (ssh -vvv) I have after a while:

debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by <UTM external ipv6 addr> port <ssh port>

The client is a VM in a DC with the same setup (host Debian 9, VM Debian 9, IPv6 in a /64 subnet). From the host behind the UTM I can ping, ssh and telnet to this client.

Any clue on that?

Daniel



This thread was automatically locked due to age.
  • Nobody on this? Does anyone use IPv6 behind UTM?

    I restarted all the setup; everything is now in a /64, including the ISP interface. From inside, it's almost working (see *): I can ping all hosts, including the UTM on the internal interface. Hosts with no fixed IPv6 get one from prefix advertisement; all is good. The problem is that I can't ping the UTM ISP interface IPv6 :(

    From outside it's the same: I can ping the ISP IPv6 but none of the internal ones! From the UTM, using Support => Tools, I can ping an outside IPv6 using nearest routing (which means the ISP interface) but not if I set the internal interface.

    It seems that the firewall is blocking internal IPv6 to external and vice versa. I even tried to give an IPv6 GW to the internal interface (the ISP interface), no changes. Also I see in ip -6 r on the UTM:

    2a01:xxxx:yyyy::1 dev eth0.1002 metric 1024   ; ISP ipv6 GW
    2a01:xxxx:yyyy::2 dev eth2 metric 1024           ; ISP interface
    2a01:xxxx:yyyy::10:254 dev eth2 metric 1024  ; *** This entry should not be here, that's the ip of the second VM ! *** Internal ipv6 is ::10:1
    2a01:xxxx:yyyy::/64 dev eth2 proto kernel metric 256
    2a01:xxxx:yyyy::/64 dev eth0.1002 proto kernel metric 256
    fe80::/64 dev eth2 proto kernel metric 256
    fe80::/64 dev eth0 proto kernel metric 256
    fe80::/64 dev eth0.1002 proto kernel metric 256
    fe80::/64 dev eth0.1001 proto kernel metric 256
    fe80::/64 dev eth0.100 proto kernel metric 256
    fe80::/64 dev eth0.2 proto kernel metric 256
    fe80::/64 dev eth0.1000 proto kernel metric 256
    fe80::/64 dev eth0.210 proto kernel metric 256
    fe80::/64 dev ifb0 proto kernel metric 256

    Any help or tip is appreciated.

    (*) the second VM can only be reached by the UTM VM and the physical host. The other way it's working like a charm. But that's another story.

    Daniel

  • Me again ;)

    what I see in the logs is that neighbor solicitation for the external IPv6 never gets answered (capture on the internal interface):

    19:01:35.455562 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has guava, length 32
    19:01:35.578057 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy::1, length 32
    19:01:36.474502 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has guava, length 32
    19:01:36.602368 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy::1, length 32
    19:01:37.498390 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has guava, length 32
    19:01:37.626370 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy::1, length 32
    19:01:38.522412 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has guava, length 32
    19:01:39.034301 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy::1, length 32
    19:01:39.546318 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has guava, length 32
    19:01:40.058373 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy::1, length 32
    19:01:40.457457 IP6 fe80::xyz:ff:zyx:1234 > 2a01:xxxx:yyyy::10:254: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy::10:254, length 32
    19:01:40.457574 IP6 2a01:xxxx:yyyy::10:254 > fe80::xyz:ff:zyx:1234: ICMP6, neighbor advertisement, tgt is 2a01:xxxx:yyyy::10:254, length 24

    but it is for the internal IPv6 (last 2 lines).

    Is there a rule to add on the firewall to allow those neighbor solicitations/advertisements?

    Daniel

  • This sounds to me like a routing issue. 

    Can you filter your TCPDump per interface and check to see if it is going out the correct one?

    Neighbor solicitation is done within the same broadcast domain so if you have two interfaces with the overlapping networks that could be the issue. 

    I would suggest opening a support case for this issue if everything seems correct after doing the above. 
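The reply above points at overlapping prefixes on two interfaces as the likely cause. As an added example (not code from the thread, from Sophos or from the UTM), here is a small script that parses ip -6 route output, flags on-link prefixes that overlap across different interfaces, and lists every interface a given address is on-link for; more than one means the kernel's choice of link for neighbor discovery is ambiguous, which is the situation in the route listing posted earlier in the thread. The route lines are constructed after that listing on the documentation prefix 2001:db8::/32, standing in for the poster's 2a01:xxxx:yyyy::/48; the interface names and function names are mine.

```python
"""Detect overlapping IPv6 on-link prefixes in `ip -6 route` output (added example)."""
import ipaddress
import re

# Constructed sample modelled on the route listing in the thread. 2001:db8:1::/64
# stands in for the poster's 2a01:xxxx:yyyy::/64, which sat on both eth2 and eth0.1002.
SAMPLE_ROUTES = """\
2001:db8:1::1 dev eth0.1002 metric 1024
2001:db8:1::2 dev eth2 metric 1024
2001:db8:1::10:254 dev eth2 metric 1024
2001:db8:1::/64 dev eth2 proto kernel metric 256
2001:db8:1::/64 dev eth0.1002 proto kernel metric 256
fe80::/64 dev eth2 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0.1002 proto kernel metric 256
default via 2001:db8:1::1 dev eth0.1002 metric 1024
"""

# "<prefix> dev <iface> ..." ; lines such as "local ... dev lo" or "unreachable default"
# start with a different token and are deliberately not matched.
ROUTE_RE = re.compile(r"^(?P<dst>\S+)\s+dev\s+(?P<dev>\S+)")


def parse_routes(text):
    """Return [(IPv6Network, device)] for every direct (on-link) IPv6 route."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        # Only on-link routes matter for neighbor discovery; "via" routes are
        # reached through a gateway and never trigger NS for the destination itself.
        if not line or line.startswith("default") or " via " in line:
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        net = ipaddress.ip_network(m.group("dst"), strict=False)
        if net.version != 6:
            continue
        routes.append((net, m.group("dev")))
    return routes


def find_overlaps(routes):
    """Pairs of on-link prefixes (shorter than /128) on different devices that overlap.

    fe80::/64 is skipped: link-local is per-link by design and sits on every interface.
    """
    prefixes = [(n, d) for n, d in routes if n.prefixlen < 128 and not n.is_link_local]
    found = []
    for i, (n1, d1) in enumerate(prefixes):
        for n2, d2 in prefixes[i + 1:]:
            if d1 != d2 and n1.overlaps(n2):
                found.append((str(n1), d1, str(n2), d2))
    return found


def devices_for(routes, address):
    """Every device that has `address` on-link; more than one is ambiguous for NDP."""
    addr = ipaddress.ip_address(address)
    return sorted({dev for net, dev in routes if addr in net})


def report(text, probe_address):
    routes = parse_routes(text)
    return {
        "overlaps": find_overlaps(routes),
        "devices_for_probe": devices_for(routes, probe_address),
    }


if __name__ == "__main__":
    # Hypothetical probe: the internal VM's address from the thread, on the sample prefix.
    result = report(SAMPLE_ROUTES, "2001:db8:1::10:254")
    for n1, d1, n2, d2 in result["overlaps"]:
        print(f"overlap: {n1} on {d1} and {n2} on {d2}")
    print("on-link devices for 2001:db8:1::10:254:", result["devices_for_probe"])
```

On a real box, feed it `ip -6 route show` (or `ip -6 route show table all`, the `local` and `unreachable` lines are ignored). An empty overlap list with exactly one device per address is the state to aim for; the fix in the thread, giving the external and internal links two distinct /64s out of the /48, produces exactly that.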

  • This may be related to the RADVD issue I have been having for over a year:

    https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/97554/radvd-does-not-seem-to-be-working

    Basically, I can get an IPv6 address on my internal network, but no one else knows how to route to me. The outside interface is a /128 because it is supposed to be the gateway to your assigned networks. I have never heard of any solution, and after a few updates, the problem persists. If you want, you can NAT your internal network to the /128 on the outside interface and IPv6 will work, but you will be using masquerade instead of your IP.

    Is this related to your issue?

  • Hi MasterRoshi,

    the above logs are from the internal interface and this traffic does not appear on the external interface.

    I followed your advice to split the network (it's a /48 given by the ISP): the external interface has a netmask of /64 (despite the /48) and the internal interface has a /64 which is not overlapping.

    Now:

    . from the UTM tools I can ping any outside IPv6
    . from outside I can ping the external IPv6
    . from inside I can ping any inside IPv6
    . from inside I can ping the external IPv6; this is new since the changes I made

    What I still can't:

    . from inside, ping the outside router IPv6 address or any other outside IPv6
    . from outside, ping any internal IPv6 addresses

    On the external interface I have the default GW set to the IPv6 of the ISP router; on the internal interface I gave the one of the external interface.

    More ideas ?

    Daniel

  • Hi Edward,

    yes, it seems like the same problem. NATing IPv6... well! I will open a case.

    Daniel

  • What is the netmask of the clients on the internal side?

    That seems likely to be the issue. Make sure the new default gateway in the /64 is showing up and that they are also in the /64.

  • Those are the internal IPv6:

    VM UTM internal 2a01:xxxx:yyyy:10::1/64, GW UTM external 2a01:xxxx:yyyy::2

    VM DNS  inet6 2a01:xxxx:yyyy:10::254  prefixlen 64, GW UTM internal 2a01:xxxx:yyyy:10::1

    Real Host inet6 2a01:xxxx:yyyy:10::250  prefixlen 64, GW UTM internal 2a01:xxxx:yyyy:10::1

    External IPv6

    VM UTM external 2a01:xxxx:yyyy::2/64, GW ISP router 2a01:xxxx:yyyy::1

    Daniel

  • So the networking/routing seems fine now.

    Can you paste the output of "ip route show table all" in ssh?

    We would need packet captures to see what is happening. 

    Can you run a capture for ipv6 when pinging from the internal vm to 2a01:xxxx:yyyy::1?

    Can you run a capture for ipv6 when pinging from the internal vm to 2a01:xxxx:yyyy:10::1?

    Perhaps a firewall rule is missing for the IPv6 outbound traffic, is my guess.

  • dh@keewi:/etc/network$ sudo ip r show table all
    default via 192.168.10.1 dev lan onlink
    10.0.70.0/24 via 10.99.0.49 dev tun0
    10.1.58.0/24 via 10.99.0.49 dev tun0
    10.2.70.0/24 via 10.99.0.49 dev tun0
    10.99.0.49 dev tun0 proto kernel scope link src 10.99.0.52
    10.99.0.64/28 dev tun0 scope link
    10.99.3.0/24 via 10.99.0.49 dev tun0
    172.16.30.0/24 dev tap0 proto kernel scope link src 172.16.30.104
    192.168.10.0/24 dev lan proto kernel scope link src 192.168.10.254
    192.168.12.0/24 dev eth1 proto kernel scope link src 192.168.12.254
    192.168.16.0/24 via 172.16.30.254 dev tap0
    192.168.210.0/24 dev eth2 proto kernel scope link src 192.168.210.254
    local 10.99.0.52 dev tun0 table local proto kernel scope host src 10.99.0.52
    broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
    local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
    local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
    broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
    broadcast 172.16.30.0 dev tap0 table local proto kernel scope link src 172.16.30.104
    local 172.16.30.104 dev tap0 table local proto kernel scope host src 172.16.30.104
    broadcast 172.16.30.255 dev tap0 table local proto kernel scope link src 172.16.30.104
    broadcast 192.168.10.0 dev lan table local proto kernel scope link src 192.168.10.254
    local 192.168.10.254 dev lan table local proto kernel scope host src 192.168.10.254
    broadcast 192.168.10.255 dev lan table local proto kernel scope link src 192.168.10.254
    broadcast 192.168.12.0 dev eth1 table local proto kernel scope link src 192.168.12.254
    local 192.168.12.254 dev eth1 table local proto kernel scope host src 192.168.12.254
    broadcast 192.168.12.255 dev eth1 table local proto kernel scope link src 192.168.12.254
    broadcast 192.168.210.0 dev eth2 table local proto kernel scope link src 192.168.210.254
    local 192.168.210.254 dev eth2 table local proto kernel scope host src 192.168.210.254
    broadcast 192.168.210.255 dev eth2 table local proto kernel scope link src 192.168.210.254
    2a01:xxxx:yyyy:10::/64 dev lan proto kernel metric 256 pref medium
    fe80::/64 dev lan proto kernel metric 256 pref medium
    fe80::/64 dev eth1 proto kernel metric 256 pref medium
    fe80::/64 dev eth2 proto kernel metric 256 pref medium
    fe80::/64 dev tun0 proto kernel metric 256 pref medium
    fe80::/64 dev tap0 proto kernel metric 256 pref medium
    default via 2a01:xxxx:yyyy:10::1 dev lan metric 1024 pref medium
    unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
    local ::1 dev lo table local proto none metric 0 pref medium
    local 2a01:xxxx:yyyy:10:: dev lo table local proto none metric 0 pref medium
    local 2a01:xxxx:yyyy:10::254 dev lo table local proto none metric 0 pref medium
    local fe80:: dev lo table local proto none metric 0 pref medium
    local fe80:: dev lo table local proto none metric 0 pref medium
    local fe80:: dev lo table local proto none metric 0 pref medium
    local fe80:: dev lo table local proto none metric 0 pref medium
    local fe80:: dev lo table local proto none metric 0 pref medium
    local fe80::48d7:82ff:fe5d:5b92 dev lo table local proto none metric 0 pref medium
    local fe80::5054:ff:fe12:3511 dev lo table local proto none metric 0 pref medium
    local fe80::5054:ff:fe12:3512 dev lo table local proto none metric 0 pref medium
    local fe80::5054:ff:fe12:3513 dev lo table local proto none metric 0 pref medium
    local fe80::6eea:f1f4:abcb:60e0 dev lo table local proto none metric 0 pref medium
    ff00::/8 dev lan table local metric 256 pref medium
    ff00::/8 dev eth1 table local metric 256 pref medium
    ff00::/8 dev eth2 table local metric 256 pref medium
    ff00::/8 dev tun0 table local metric 256 pref medium
    ff00::/8 dev tap0 table local metric 256 pref medium
    unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium

    dh@deex:~$ sudo tcpdump -r internal2gw.pcap (capture of IPv6 ping)
    reading from file internal2gw.pcap, link-type EN10MB (Ethernet)
    18:15:45.894870 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy:10::1: ICMP6, echo request, seq 1, length 64
    18:15:45.895027 IP6 2a01:xxxx:yyyy:10::1 > 2a01:xxxx:yyyy:10::254: ICMP6, echo reply, seq 1, length 64
    18:15:45.981862 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ff02::1:ff00:254: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::254, length 32
    18:15:46.922778 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy:10::1: ICMP6, echo request, seq 2, length 64
    18:15:46.922864 IP6 2a01:xxxx:yyyy:10::1 > 2a01:xxxx:yyyy:10::254: ICMP6, echo reply, seq 2, length 64
    18:15:46.972108 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ff02::1:ff00:254: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::254, length 32
    18:15:47.946848 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy:10::1: ICMP6, echo request, seq 3, length 64
    18:15:47.947000 IP6 2a01:xxxx:yyyy:10::1 > 2a01:xxxx:yyyy:10::254: ICMP6, echo reply, seq 3, length 64
    18:15:47.972141 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ff02::1:ff00:254: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::254, length 32
    18:15:48.970784 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy:10::1: ICMP6, echo request, seq 4, length 64
    18:15:48.970852 IP6 2a01:xxxx:yyyy:10::1 > 2a01:xxxx:yyyy:10::254: ICMP6, echo reply, seq 4, length 64
    18:15:49.578936 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ff02::1:ff00:254: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::254, length 32
    18:15:49.994831 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy:10::1: ICMP6, echo request, seq 5, length 64
    18:15:49.994953 IP6 2a01:xxxx:yyyy:10::1 > 2a01:xxxx:yyyy:10::254: ICMP6, echo reply, seq 5, length 64
    18:15:50.572134 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ff02::1:ff00:254: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::254, length 32
    18:15:51.572164 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ff02::1:ff00:254: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::254, length 32
    18:15:51.925371 IP6 fe80::5054:ff:fe12:3458 > 2a01:xxxx:yyyy:10::254: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::254, length 32
    18:15:51.925653 IP6 2a01:xxxx:yyyy:10::254 > fe80::5054:ff:fe12:3458: ICMP6, neighbor advertisement, tgt is 2a01:xxxx:yyyy:10::254, length 24

    dh@deex:~$ sudo tcpdump -r internal2router.pcap (capture of IPv6 ping)
    reading from file internal2router.pcap, link-type EN10MB (Ethernet)
    18:16:24.083760 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 1, length 64
    18:16:25.098926 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 2, length 64
    18:16:26.122887 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 3, length 64
    18:16:27.146846 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 4, length 64
    18:16:28.170846 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 5, length 64
    18:16:28.792470 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ctr-nue17.atlas.ripe.net: ICMP6, echo request, seq 197, length 28
    18:16:29.098899 IP6 fe80::5054:ff:fe12:3511 > 2a01:xxxx:yyyy:10::1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::1, length 32
    18:16:29.098931 IP6 2a01:xxxx:yyyy:10::1 > fe80::5054:ff:fe12:3511: ICMP6, neighbor advertisement, tgt is 2a01:xxxx:yyyy:10::1, length 24
    18:16:29.194855 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 6, length 64
    18:16:29.793761 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ctr-nue17.atlas.ripe.net: ICMP6, echo request, seq 198, length 28
    18:16:30.122828 IP6 fe80::5054:ff:fe12:3511 > 2a01:xxxx:yyyy:10::1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::1, length 32
    18:16:30.122860 IP6 2a01:xxxx:yyyy:10::1 > fe80::5054:ff:fe12:3511: ICMP6, neighbor advertisement, tgt is 2a01:xxxx:yyyy:10::1, length 24
    18:16:30.218859 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 7, length 64
    18:16:30.795642 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ctr-nue17.atlas.ripe.net: ICMP6, echo request, seq 199, length 28
    18:16:31.146869 IP6 fe80::5054:ff:fe12:3511 > 2a01:xxxx:yyyy:10::1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::1, length 32
    18:16:31.146911 IP6 2a01:xxxx:yyyy:10::1 > fe80::5054:ff:fe12:3511: ICMP6, neighbor advertisement, tgt is 2a01:xxxx:yyyy:10::1, length 24
    18:16:31.242927 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 8, length 64

    FYI I already have a firewall rule saying that any IPv6 source, for any service, to any IPv6 destination is allowed.

    Thanks for your support.
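The captures posted in this thread show two patterns worth checking mechanically: neighbor solicitations that are repeated and never draw an advertisement back to the soliciting node, and solicitations where either the source or the target lies outside the prefix configured on the captured link (in the last capture, a node in the external /64 solicits for an internal address; in the earlier single-/64 capture, the internal VM solicits for the ISP gateway). Both mean the soliciting node believes the target is on its link when, by the prefix plan, it is not. As an added example (not code from the thread, from Sophos or from tcpdump), here is a script that pairs ICMPv6 NS with NA in tcpdump -n text output and reports both patterns. The capture lines are constructed after the ones in the thread on the documentation prefix 2001:db8:1::/48, with 2001:db8:1:10::/64 as the internal link; the function names are mine.

```python
"""Pair ICMPv6 neighbor solicitations with advertisements in tcpdump -n output (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the captures in the thread: an external-side node
# (2001:db8:1:0:...) soliciting for an internal address, the UTM's link-local NUD
# probe that IS answered, and the internal VM soliciting for the ISP gateway 2001:db8:1::1.
SAMPLE_CAPTURE = """\
18:15:45.894870 IP6 2001:db8:1:10::254 > 2001:db8:1:10::1: ICMP6, echo request, seq 1, length 64
18:15:45.895027 IP6 2001:db8:1:10::1 > 2001:db8:1:10::254: ICMP6, echo reply, seq 1, length 64
18:15:45.981862 IP6 2001:db8:1:0:6666:b3ff:fed1:45e0 > ff02::1:ff00:254: ICMP6, neighbor solicitation, who has 2001:db8:1:10::254, length 32
18:15:46.972108 IP6 2001:db8:1:0:6666:b3ff:fed1:45e0 > ff02::1:ff00:254: ICMP6, neighbor solicitation, who has 2001:db8:1:10::254, length 32
18:15:47.972141 IP6 2001:db8:1:0:6666:b3ff:fed1:45e0 > ff02::1:ff00:254: ICMP6, neighbor solicitation, who has 2001:db8:1:10::254, length 32
18:15:51.925371 IP6 fe80::5054:ff:fe12:3458 > 2001:db8:1:10::254: ICMP6, neighbor solicitation, who has 2001:db8:1:10::254, length 32
18:15:51.925653 IP6 2001:db8:1:10::254 > fe80::5054:ff:fe12:3458: ICMP6, neighbor advertisement, tgt is 2001:db8:1:10::254, length 24
18:16:24.083760 IP6 2001:db8:1:10::254 > 2001:db8:1::1: ICMP6, echo request, seq 1, length 64
18:16:25.578057 IP6 2001:db8:1:10::254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8:1::1, length 32
18:16:26.602368 IP6 2001:db8:1:10::254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8:1::1, length 32
"""

NS_RE = re.compile(
    r"^(?P<ts>[\d:.]+) IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, "
    r"neighbor solicitation, who has (?P<tgt>\S+), length")
NA_RE = re.compile(
    r"^(?P<ts>[\d:.]+) IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, "
    r"neighbor advertisement, tgt is (?P<tgt>\S+), length")


def parse_ndp(text):
    """Keep only NS/NA lines; echo requests and other ICMPv6 are dropped."""
    events = []
    for line in text.splitlines():
        kind, m = "NS", NS_RE.match(line)
        if not m:
            kind, m = "NA", NA_RE.match(line)
        if m:
            events.append({"kind": kind, "ts": m["ts"], "src": m["src"],
                           "dst": m["dst"], "tgt": m["tgt"]})
    return events


def unanswered_solicitations(events):
    """Map (soliciting node, target) -> number of NS that never got an NA back to that node.

    An NA answers an earlier NS when its target matches and it is unicast to the
    soliciting node (or multicast to all nodes, ff02::1, as unsolicited NAs are).
    """
    pending = Counter()
    for ev in events:
        if ev["kind"] == "NS":
            pending[(ev["src"], ev["tgt"])] += 1
            continue
        for src, tgt in list(pending):
            if tgt == ev["tgt"] and ev["dst"] in (src, "ff02::1"):
                del pending[(src, tgt)]
    return dict(pending)


def foreign_solicitations(events, link_prefix):
    """NS whose global-scope source or target is outside the link's configured prefix.

    Such a node believes the target is on-link; if the prefix plan says otherwise, a
    route or prefix length is wrong somewhere. Link-local sources (ordinary NUD probes)
    and the unspecified source used by duplicate address detection are skipped.
    """
    net = ipaddress.ip_network(link_prefix)
    seen = set()
    for ev in events:
        if ev["kind"] != "NS":
            continue
        try:
            src = ipaddress.ip_address(ev["src"])
            tgt = ipaddress.ip_address(ev["tgt"])
        except ValueError:
            continue  # tcpdump resolved a name (run it with -n to avoid this)
        if src.is_link_local or src.is_unspecified:
            continue
        if src not in net:
            seen.add((ev["src"], ev["tgt"], "source-off-link"))
        elif tgt not in net:
            seen.add((ev["src"], ev["tgt"], "target-off-link"))
    return sorted(seen)


if __name__ == "__main__":
    evs = parse_ndp(SAMPLE_CAPTURE)
    for (src, tgt), n in unanswered_solicitations(evs).items():
        print(f"{n} unanswered NS from {src} for {tgt}")
    for src, tgt, why in foreign_solicitations(evs, "2001:db8:1:10::/64"):
        print(f"{why}: {src} asks for {tgt}")
```

Run it against `tcpdump -n -i <iface> icmp6` output from the internal and external links separately, passing each link's own /64. A "source-off-link" hit on the external capture with an internal target means the upstream router is trying to resolve internal addresses on the external link instead of routing them to the UTM; a "target-off-link" hit on the internal capture means a host is resolving something it should be sending to its gateway.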