
ipv6 for hosts behind UTM

Hi list,

I got an ipv6 /48 from my provider. I gave an ipv6 address to the UTM interface connected to the provider, and a second one to the internal interface of the UTM, with the ipv6 GW being the UTM interface connected to the provider. I don't use Prefix Advertisement, which is limited to /64. BTW, would it work if I use another mask like /96 or so?

My setup: host with Linux Debian9 and libvirt/kvm. UTM is software in a VM, v9.510-5. A second VM acts as server for OpenVPN, DHCP, DNS, and so on. Everything is working fine with ipv4. I created a FW rule to allow all ipv6 to ipv6 for all services. I manually set an ipv6 address on a host behind the UTM -which means connected to the internal interface- and from there I can ping, ssh or telnet to outside; all is good.

Problem is that I can't connect/reach the other way, from outside to internal. I can ping the UTM provider interface, that's all. What is also possible is to ssh to an outside port redirected to the ipv6 of the host, but the session doesn't finish properly. With tshark I can see the traffic coming in, and on the client side (ssh -vvv) I have after a while:

debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by <UTM external ipv6 addr> port <ssh port>

The client is a VM in a DC with the same setup (Host Debian9, VM Debian9, ipv6 in a /64 subnet). From the host behind the UTM I can ping, ssh, telnet to this client.

Any clue on that?

Daniel



  • Nobody on this? Does anyone use ipv6 behind UTM?

    I restarted all the setup; everything is now in a /64, including the ISP interface. From inside, it's almost working (see *): I can ping all hosts, including the UTM on the internal interface. Hosts with no fixed ipv6 get one from prefix advertisement; all is good. Problem is that I can't ping the UTM ISP interface ipv6 :(

    From outside it's the same: I can ping the ISP ipv6 but none of the internal ones! From the UTM, using Support => Tools, I can ping an outside ipv6 using nearest routing -which means the ISP interface- but not if I set the internal interface.

    It seems that the firewall is blocking internal ipv6 to external and vice versa. I even tried to give an ipv6 GW to the internal interface (the ISP interface), no changes. Also, I see in ip -6 r on the UTM:

    2a01:xxxx:yyyy::1 dev eth0.1002 metric 1024   ; ISP ipv6 GW
    2a01:xxxx:yyyy::2 dev eth2 metric 1024           ; ISP interface
    2a01:xxxx:yyyy::10:254 dev eth2 metric 1024  ; *** This entry should not be here, that's the ip of the second VM ! *** Internal ipv6 is ::10:1
    2a01:xxxx:yyyy::/64 dev eth2 proto kernel metric 256
    2a01:xxxx:yyyy::/64 dev eth0.1002 proto kernel metric 256
    fe80::/64 dev eth2 proto kernel metric 256
    fe80::/64 dev eth0 proto kernel metric 256
    fe80::/64 dev eth0.1002 proto kernel metric 256
    fe80::/64 dev eth0.1001 proto kernel metric 256
    fe80::/64 dev eth0.100 proto kernel metric 256
    fe80::/64 dev eth0.2 proto kernel metric 256
    fe80::/64 dev eth0.1000 proto kernel metric 256
    fe80::/64 dev eth0.210 proto kernel metric 256
    fe80::/64 dev ifb0 proto kernel metric 256

    Any help or tip is appreciated.

    (*) the second VM can only be reached by the UTM VM and the physical host. The other way it's working like a charm. But that's another story.

     

    Daniel

  • Me again ;)

    What I see in the logs is that neighbor solicitations for the external ipv6 never get answered (capture on the internal interface):

    19:01:35.455562 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has guava, length 32
    19:01:35.578057 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy::1, length 32
    19:01:36.474502 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has guava, length 32
    19:01:36.602368 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy::1, length 32
    19:01:37.498390 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has guava, length 32
    19:01:37.626370 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy::1, length 32
    19:01:38.522412 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has guava, length 32
    19:01:39.034301 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy::1, length 32
    19:01:39.546318 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has guava, length 32
    19:01:40.058373 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy::1, length 32
    19:01:40.457457 IP6 fe80::xyz:ff:zyx:1234 > 2a01:xxxx:yyyy::10:254: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy::10:254, length 32
    19:01:40.457574 IP6 2a01:xxxx:yyyy::10:254 > fe80::xyz:ff:zyx:1234: ICMP6, neighbor advertisement, tgt is 2a01:xxxx:yyyy::10:254, length 24

    but it is for the internal ipv6 (last 2 lines).

    Is there a rule to add on the firewall to allow those neighbor solicitations/advertisements?

    Daniel

  • This sounds to me like a routing issue. 

    Can you filter your TCPDump per interface and check to see if it is going out the correct one?

    Neighbor solicitation is done within the same broadcast domain so if you have two interfaces with the overlapping networks that could be the issue. 

    I would suggest opening a support case for this issue if everything seems correct after doing the above. 
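
    As an added example (not code from the thread, from Sophos or from either poster), a small Python script that automates the two checks this exchange turns on: it finds a global prefix installed on more than one interface in "ip -6 route" output, as in Daniel's route table above, and it pairs neighbor solicitations with advertisements in tcpdump text, as in his internal-interface capture, listing targets that were solicited but never answered and flagging those outside the link's own prefix. The route lines and capture lines are constructed, modeled on the thread's output with the real /48 replaced by the documentation prefix 2001:db8::/48; the link prefix 2001:db8:0:10::/64 and the link-local address fe80::5054:ff:fe12:3458 are assumptions.

```python
"""Added example: two plain-text checks for the IPv6 symptoms in the thread,
(1) the same global /64 installed on two interfaces, and (2) neighbor
solicitations on a link that never get an advertisement."""
import ipaddress
import re
from collections import defaultdict, namedtuple

# Constructed sample data modeled on the thread's output; the author's real
# /48 is replaced by the documentation prefix 2001:db8::/48.
SAMPLE_ROUTES = """\
2001:db8::1 dev eth0.1002 metric 1024
2001:db8::2 dev eth2 metric 1024
2001:db8::/64 dev eth2 proto kernel metric 256
2001:db8::/64 dev eth0.1002 proto kernel metric 256
fe80::/64 dev eth2 proto kernel metric 256
fe80::/64 dev eth0.1002 proto kernel metric 256
"""

# Internal-interface capture (constructed): host 2001:db8:0:10::254 solicits
# the ISP gateway 2001:db8::1 (not in the internal /64) and a hostname-only
# target; neither is ever answered. Only the on-link targets get an NA.
SAMPLE_CAPTURE = """\
19:01:35.455562 IP6 2001:db8:0:10::254 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has guava, length 32
19:01:35.578057 IP6 2001:db8:0:10::254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8::1, length 32
19:01:36.602368 IP6 2001:db8:0:10::254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8::1, length 32
19:01:40.457457 IP6 fe80::5054:ff:fe12:3458 > 2001:db8:0:10::254: ICMP6, neighbor solicitation, who has 2001:db8:0:10::254, length 32
19:01:40.457574 IP6 2001:db8:0:10::254 > fe80::5054:ff:fe12:3458: ICMP6, neighbor advertisement, tgt is 2001:db8:0:10::254, length 24
19:01:41.100000 IP6 2001:db8:0:10::254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8:0:10::1, length 32
19:01:41.100200 IP6 2001:db8:0:10::1 > 2001:db8:0:10::254: ICMP6, neighbor advertisement, tgt is 2001:db8:0:10::1, length 32
"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+) dev (?P<dev>\S+)")
NDP_RE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, "
    r"neighbor (?P<kind>solicitation|advertisement), "
    r"(?:who has|tgt is) (?P<target>\S+), length \d+$"
)
NdpEvent = namedtuple("NdpEvent", "ts src dst kind target")


def overlapping_prefixes(route_text):
    """Return {prefix: [interfaces]} for global prefixes present on more than
    one link. Only directly connected routes ("<prefix> dev <if>") count;
    /128 host routes and fe80::/64 (expected on every link) are ignored."""
    by_prefix = defaultdict(set)
    for line in route_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        try:
            net = ipaddress.IPv6Network(m["dst"], strict=False)
        except ValueError:
            continue  # "default", IPv4 or anything else we do not judge
        if net.is_link_local or net.prefixlen == 128:
            continue
        by_prefix[str(net)].add(m["dev"])
    return {p: sorted(devs) for p, devs in by_prefix.items() if len(devs) > 1}


def parse_ndp(capture_text):
    """Extract neighbor solicitation/advertisement events from tcpdump text."""
    events = []
    for line in capture_text.splitlines():
        m = NDP_RE.match(line.strip())
        if m:
            events.append(NdpEvent(**m.groupdict()))
    return events


def audit_ndp(capture_text, link_prefix):
    """Pair solicitations with advertisements seen on one link. Returns
    {"unanswered": {target: count}, "off_link": [targets]}; off_link lists
    solicited global addresses outside link_prefix. A host only solicits such
    an address if its netmask wrongly says it is on-link, so nobody answers."""
    prefix = ipaddress.IPv6Network(link_prefix)
    solicited, answered, off_link = defaultdict(int), set(), set()
    for ev in parse_ndp(capture_text):
        if ev.kind == "advertisement":
            answered.add(ev.target)
            continue
        solicited[ev.target] += 1
        try:
            addr = ipaddress.IPv6Address(ev.target)
        except ValueError:
            continue  # tcpdump resolved the target to a hostname ("guava")
        if not addr.is_link_local and addr not in prefix:
            off_link.add(ev.target)
    unanswered = {t: n for t, n in solicited.items() if t not in answered}
    return {"unanswered": unanswered, "off_link": sorted(off_link)}


if __name__ == "__main__":
    for prefix, devs in overlapping_prefixes(SAMPLE_ROUTES).items():
        print(f"prefix {prefix} is on {len(devs)} interfaces: {', '.join(devs)}")
    report = audit_ndp(SAMPLE_CAPTURE, "2001:db8:0:10::/64")
    for target, count in report["unanswered"].items():
        flag = " (outside the link prefix)" if target in report["off_link"] else ""
        print(f"{count} solicitation(s) for {target} never answered{flag}")
```

    Feed it the real "ip -6 route" and "tcpdump -ni <if> icmp6" text instead of the samples; a solicited target that is both unanswered and off-link points at the netmask/overlap problem rather than at a firewall rule.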

  • Hi MasterRoshi,

    the above logs are on the internal interface and this traffic does not appear on the external interface.

    I followed your advice to split the network (it's a /48 given by the ISP): the external interface has a netmask of /64 (despite the /48) and the internal interface has a /64 which is not overlapping.

    Now:

    . from the UTM tools I can ping any outside IPv6
    . from outside I can ping the external IPv6
    . from inside I can ping any inside IPv6
    . from inside I can ping the external IPv6; this is new since the changes I made

    What I still can't:

    . from inside, ping the outside router IPv6 address or any other outside IPv6
    . from outside, ping any internal IPv6 address

    On the external interface I have the default GW set to the IPv6 of the ISP router; on the internal interface I gave the one of the external interface.

    More ideas?

    Daniel

  • What is the netmask of the clients on the internal side?

    That seems likely to be the issue. Make sure the new default gateway in the /64 is showing up and they are also in the /64.

  • Those are the internal IPv6:

    VM UTM internal 2a01:xxxx:yyyy:10::1/64, GW UTM external 2a01:xxxx:yyyy::2

    VM DNS  inet6 2a01:xxxx:yyyy:10::254  prefixlen 64, GW UTM internal 2a01:xxxx:yyyy:10::1

    Real Host inet6 2a01:xxxx:yyyy:10::250  prefixlen 64, GW UTM internal 2a01:xxxx:yyyy:10::1

     

    External IPv6

    VM UTM external 2a01:xxxx:yyyy::2/64, GW ISP router 2a01:xxxx:yyyy::1

     

    Daniel

  • So the networking/routing seems fine now.

    Can you paste the output of "ip route show table all" in ssh?

    We would need packet captures to see what is happening. 

    Can you run a capture for ipv6 when pinging from the internal vm to 2a01:xxxx:yyyy::1?

    Can you run a capture for ipv6 when pinging from the internal vm to 2a01:xxxx:yyyy:10::1?

    My guess is that perhaps a firewall rule is missing for the IPv6 outbound traffic.

  • dh@keewi:/etc/network$ sudo ip r show table all
    default via 192.168.10.1 dev lan onlink
    10.0.70.0/24 via 10.99.0.49 dev tun0
    10.1.58.0/24 via 10.99.0.49 dev tun0
    10.2.70.0/24 via 10.99.0.49 dev tun0
    10.99.0.49 dev tun0 proto kernel scope link src 10.99.0.52
    10.99.0.64/28 dev tun0 scope link
    10.99.3.0/24 via 10.99.0.49 dev tun0
    172.16.30.0/24 dev tap0 proto kernel scope link src 172.16.30.104
    192.168.10.0/24 dev lan proto kernel scope link src 192.168.10.254
    192.168.12.0/24 dev eth1 proto kernel scope link src 192.168.12.254
    192.168.16.0/24 via 172.16.30.254 dev tap0
    192.168.210.0/24 dev eth2 proto kernel scope link src 192.168.210.254
    local 10.99.0.52 dev tun0 table local proto kernel scope host src 10.99.0.52
    broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
    local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
    local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
    broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
    broadcast 172.16.30.0 dev tap0 table local proto kernel scope link src 172.16.30.104
    local 172.16.30.104 dev tap0 table local proto kernel scope host src 172.16.30.104
    broadcast 172.16.30.255 dev tap0 table local proto kernel scope link src 172.16.30.104
    broadcast 192.168.10.0 dev lan table local proto kernel scope link src 192.168.10.254
    local 192.168.10.254 dev lan table local proto kernel scope host src 192.168.10.254
    broadcast 192.168.10.255 dev lan table local proto kernel scope link src 192.168.10.254
    broadcast 192.168.12.0 dev eth1 table local proto kernel scope link src 192.168.12.254
    local 192.168.12.254 dev eth1 table local proto kernel scope host src 192.168.12.254
    broadcast 192.168.12.255 dev eth1 table local proto kernel scope link src 192.168.12.254
    broadcast 192.168.210.0 dev eth2 table local proto kernel scope link src 192.168.210.254
    local 192.168.210.254 dev eth2 table local proto kernel scope host src 192.168.210.254
    broadcast 192.168.210.255 dev eth2 table local proto kernel scope link src 192.168.210.254
    2a01:xxxx:yyyy:10::/64 dev lan proto kernel metric 256 pref medium
    fe80::/64 dev lan proto kernel metric 256 pref medium
    fe80::/64 dev eth1 proto kernel metric 256 pref medium
    fe80::/64 dev eth2 proto kernel metric 256 pref medium
    fe80::/64 dev tun0 proto kernel metric 256 pref medium
    fe80::/64 dev tap0 proto kernel metric 256 pref medium
    default via 2a01:xxxx:yyyy:10::1 dev lan metric 1024 pref medium
    unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
    local ::1 dev lo table local proto none metric 0 pref medium
    local 2a01:xxxx:yyyy:10:: dev lo table local proto none metric 0 pref medium
    local 2a01:xxxx:yyyy:10::254 dev lo table local proto none metric 0 pref medium
    local fe80:: dev lo table local proto none metric 0 pref medium
    local fe80:: dev lo table local proto none metric 0 pref medium
    local fe80:: dev lo table local proto none metric 0 pref medium
    local fe80:: dev lo table local proto none metric 0 pref medium
    local fe80:: dev lo table local proto none metric 0 pref medium
    local fe80::48d7:82ff:fe5d:5b92 dev lo table local proto none metric 0 pref medium
    local fe80::5054:ff:fe12:3511 dev lo table local proto none metric 0 pref medium
    local fe80::5054:ff:fe12:3512 dev lo table local proto none metric 0 pref medium
    local fe80::5054:ff:fe12:3513 dev lo table local proto none metric 0 pref medium
    local fe80::6eea:f1f4:abcb:60e0 dev lo table local proto none metric 0 pref medium
    ff00::/8 dev lan table local metric 256 pref medium
    ff00::/8 dev eth1 table local metric 256 pref medium
    ff00::/8 dev eth2 table local metric 256 pref medium
    ff00::/8 dev tun0 table local metric 256 pref medium
    ff00::/8 dev tap0 table local metric 256 pref medium
    unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium

    dh@deex:~$ sudo tcpdump -r internal2gw.pcap (capture of IPv6 ping)
    reading from file internal2gw.pcap, link-type EN10MB (Ethernet)
    18:15:45.894870 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy:10::1: ICMP6, echo request, seq 1, length 64
    18:15:45.895027 IP6 2a01:xxxx:yyyy:10::1 > 2a01:xxxx:yyyy:10::254: ICMP6, echo reply, seq 1, length 64
    18:15:45.981862 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ff02::1:ff00:254: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::254, length 32
    18:15:46.922778 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy:10::1: ICMP6, echo request, seq 2, length 64
    18:15:46.922864 IP6 2a01:xxxx:yyyy:10::1 > 2a01:xxxx:yyyy:10::254: ICMP6, echo reply, seq 2, length 64
    18:15:46.972108 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ff02::1:ff00:254: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::254, length 32
    18:15:47.946848 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy:10::1: ICMP6, echo request, seq 3, length 64
    18:15:47.947000 IP6 2a01:xxxx:yyyy:10::1 > 2a01:xxxx:yyyy:10::254: ICMP6, echo reply, seq 3, length 64
    18:15:47.972141 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ff02::1:ff00:254: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::254, length 32
    18:15:48.970784 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy:10::1: ICMP6, echo request, seq 4, length 64
    18:15:48.970852 IP6 2a01:xxxx:yyyy:10::1 > 2a01:xxxx:yyyy:10::254: ICMP6, echo reply, seq 4, length 64
    18:15:49.578936 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ff02::1:ff00:254: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::254, length 32
    18:15:49.994831 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy:10::1: ICMP6, echo request, seq 5, length 64
    18:15:49.994953 IP6 2a01:xxxx:yyyy:10::1 > 2a01:xxxx:yyyy:10::254: ICMP6, echo reply, seq 5, length 64
    18:15:50.572134 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ff02::1:ff00:254: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::254, length 32
    18:15:51.572164 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ff02::1:ff00:254: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::254, length 32
    18:15:51.925371 IP6 fe80::5054:ff:fe12:3458 > 2a01:xxxx:yyyy:10::254: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::254, length 32
    18:15:51.925653 IP6 2a01:xxxx:yyyy:10::254 > fe80::5054:ff:fe12:3458: ICMP6, neighbor advertisement, tgt is 2a01:xxxx:yyyy:10::254, length 24

    dh@deex:~$ sudo tcpdump -r internal2router.pcap (capture of IPv6 ping)
    reading from file internal2router.pcap, link-type EN10MB (Ethernet)
    18:16:24.083760 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 1, length 64
    18:16:25.098926 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 2, length 64
    18:16:26.122887 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 3, length 64
    18:16:27.146846 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 4, length 64
    18:16:28.170846 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 5, length 64
    18:16:28.792470 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ctr-nue17.atlas.ripe.net: ICMP6, echo request, seq 197, length 28
    18:16:29.098899 IP6 fe80::5054:ff:fe12:3511 > 2a01:xxxx:yyyy:10::1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::1, length 32
    18:16:29.098931 IP6 2a01:xxxx:yyyy:10::1 > fe80::5054:ff:fe12:3511: ICMP6, neighbor advertisement, tgt is 2a01:xxxx:yyyy:10::1, length 24
    18:16:29.194855 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 6, length 64
    18:16:29.793761 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ctr-nue17.atlas.ripe.net: ICMP6, echo request, seq 198, length 28
    18:16:30.122828 IP6 fe80::5054:ff:fe12:3511 > 2a01:xxxx:yyyy:10::1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::1, length 32
    18:16:30.122860 IP6 2a01:xxxx:yyyy:10::1 > fe80::5054:ff:fe12:3511: ICMP6, neighbor advertisement, tgt is 2a01:xxxx:yyyy:10::1, length 24
    18:16:30.218859 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 7, length 64
    18:16:30.795642 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ctr-nue17.atlas.ripe.net: ICMP6, echo request, seq 199, length 28
    18:16:31.146869 IP6 fe80::5054:ff:fe12:3511 > 2a01:xxxx:yyyy:10::1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::1, length 32
    18:16:31.146911 IP6 2a01:xxxx:yyyy:10::1 > fe80::5054:ff:fe12:3511: ICMP6, neighbor advertisement, tgt is 2a01:xxxx:yyyy:10::1, length 24
    18:16:31.242927 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 8, length 64

    FYI, I already have a firewall rule saying that all source ipv6 for any services to any ipv6 are allowed.

    Thanks for your support.

  • The default gateway route seems incorrect.

    default via 2a01:xxxx:yyyy:10::1 dev lan metric 1024 pref medium

    Can you send us screenshots of the interface configuration?

    Also, when taking a tcpdump use the -s0 and -veni flags so the MAC addresses are captured (Ex. tcpdump -s0 -veni <interfaceid> ip6).

  • Ah, I just realized you did the ip route command in your VM, not the UTM. Can you give the output from the UTM?

    The tcpdumps should be done on the UTM as well.

  • For me the internal default GW 2a01:xxxx:yyyy:10::1 is OK; it's the ipv6 of the internal interface. Other data taken from the UTM:

    guava:/root # ip route show table all
    default via 192.168.10.254 dev eth2 table 1 proto policy onlink
    default via 109.xxxx.yyyy.gwip dev eth0.1002 table 220 proto kernel onlink
    default via 78.xxxx.yyyy.gwip dev eth0.1001 table 221 proto kernel onlink
    default via 192.168.10.199 dev eth2 table 222 proto kernel onlink
    default table default proto kernel metric 20
    nexthop via 109.xxxx.yyyy.gwip dev eth0.1002 weight 1 onlink
    nexthop via 78.xxxx.yyyy.gwip dev eth0.1001 weight 1 onlink
    nexthop via 192.168.10.199 dev eth2 weight 1 onlink
    10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.1
    109.xxxx.yyyy.netip/28 dev eth0.1002 proto kernel scope link src 109.xxxx.yyyy.zzzz
    127.0.0.0/8 dev lo scope link
    192.168.0.0/24 via 192.168.10.254 dev eth2 proto static metric 5 onlink
    192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
    192.168.1.0/24 via 192.168.10.254 dev eth2 proto static metric 5 onlink
    192.168.2.0/24 via 192.168.10.254 dev eth2 proto static metric 5 onlink
    192.168.10.0/24 dev eth2 proto kernel scope link src 192.168.10.1
    192.168.11.0/24 via 192.168.10.254 dev eth2 proto static metric 5 onlink
    192.168.12.0/24 dev eth0.2 proto kernel scope link src 192.168.12.1
    192.168.49.0/24 via 192.168.10.254 dev eth2 proto static metric 5 onlink
    192.168.67.0/24 via 192.168.10.254 dev eth2 proto static metric 5 onlink
    192.168.100.0/24 dev eth0.1000 proto kernel scope link src 192.168.100.1
    192.168.210.0/24 dev eth0.210 proto kernel scope link src 192.168.210.1
    broadcast 10.0.0.0 dev eth2 table local proto kernel scope link src 10.0.0.1
    local 10.0.0.1 dev eth2 table local proto kernel scope host src 10.0.0.1
    broadcast 10.0.0.255 dev eth2 table local proto kernel scope link src 10.0.0.1
    local 78.xxxx.yyyy.zzzz dev eth0.1001 table local proto kernel scope host src 78.xxxx.yyyy.zzzz
    local 78.xxxx.yyyy.zzzz dev eth0.100 table local proto kernel scope host src 78.xxxx.yyyy.zzzz
    broadcast 109.237.252.176 dev eth0.1002 table local proto kernel scope link src 109.xxxx.yyyy.zzzz
    local 109.xxxx.yyyy.zzzz dev eth0.1002 table local proto kernel scope host src 109.xxxx.yyyy.zzzz
    broadcast 109.237.252.191 dev eth0.1002 table local proto kernel scope link src 109.xxxx.yyyy.zzzz
    broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
    local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
    local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
    broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
    broadcast 192.168.1.0 dev eth2 table local proto kernel scope link src 192.168.1.1
    local 192.168.1.1 dev eth2 table local proto kernel scope host src 192.168.1.1
    broadcast 192.168.1.255 dev eth2 table local proto kernel scope link src 192.168.1.1
    broadcast 192.168.10.0 dev eth2 table local proto kernel scope link src 192.168.10.1
    local 192.168.10.1 dev eth2 table local proto kernel scope host src 192.168.10.1
    broadcast 192.168.10.255 dev eth2 table local proto kernel scope link src 192.168.10.1
    broadcast 192.168.12.0 dev eth0.2 table local proto kernel scope link src 192.168.12.1
    local 192.168.12.1 dev eth0.2 table local proto kernel scope host src 192.168.12.1
    broadcast 192.168.12.255 dev eth0.2 table local proto kernel scope link src 192.168.12.1
    broadcast 192.168.100.0 dev eth0.1000 table local proto kernel scope link src 192.168.100.1
    local 192.168.100.1 dev eth0.1000 table local proto kernel scope host src 192.168.100.1
    broadcast 192.168.100.255 dev eth0.1000 table local proto kernel scope link src 192.168.100.1
    broadcast 192.168.210.0 dev eth0.210 table local proto kernel scope link src 192.168.210.1
    local 192.168.210.1 dev eth0.210 table local proto kernel scope host src 192.168.210.1
    broadcast 192.168.210.255 dev eth0.210 table local proto kernel scope link src 192.168.210.1
    default via 2a01:xxxx:yyyy:10::254 dev eth2 table 1 proto policy metric 1024
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
    default via 2a01:xxxx:yyyy::1 dev eth0.1002 table 220 proto kernel metric 1024
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
    default via 2a01:xxxx:yyyy::2 dev eth2 table 221 proto kernel metric 1024
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
    default via 2a01:xxxx:yyyy::1 dev eth0.1002 table default proto kernel metric 1024
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
    2a01:xxxx:yyyy::1 dev eth0.1002 metric 1024
    2a01:xxxx:yyyy::2 dev eth2 metric 1024
    2a01:xxxx:yyyy:10::254 dev eth2 metric 1024
    2a01:xxxx:yyyy::/64 dev eth0.1002 proto kernel metric 256
    2a01:xxxx:yyyy:10::/64 dev eth2 proto kernel metric 256
    fe80::/64 dev eth0 proto kernel metric 256
    fe80::/64 dev eth0.1002 proto kernel metric 256
    fe80::/64 dev eth0.1001 proto kernel metric 256
    fe80::/64 dev eth0.100 proto kernel metric 256
    fe80::/64 dev eth0.2 proto kernel metric 256
    fe80::/64 dev eth0.1000 proto kernel metric 256
    fe80::/64 dev eth0.210 proto kernel metric 256
    fe80::/64 dev ifb0 proto kernel metric 256
    fe80::/64 dev eth2 proto kernel metric 256
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
    local ::1 dev lo table local proto unspec metric 0
    local 2a01:xxxx:yyyy:: dev lo table local proto unspec metric 0
    local 2a01:xxxx:yyyy::2 dev lo table local proto unspec metric 0
    local 2a01:xxxx:yyyy:10:: dev lo table local proto unspec metric 0
    local 2a01:xxxx:yyyy:10::1 dev lo table local proto unspec metric 0
    local fe80:: dev lo table local proto unspec metric 0
    local fe80:: dev lo table local proto unspec metric 0
    local fe80:: dev lo table local proto unspec metric 0
    local fe80:: dev lo table local proto unspec metric 0
    local fe80:: dev lo table local proto unspec metric 0
    local fe80:: dev lo table local proto unspec metric 0
    local fe80:: dev lo table local proto unspec metric 0
    local fe80:: dev lo table local proto unspec metric 0
    local fe80:: dev lo table local proto unspec metric 0
    local fe80::2c84:4dff:fe47:49bd dev lo table local proto unspec metric 0
    local fe80::5054:ff:fe12:3456 dev lo table local proto unspec metric 0
    local fe80::5054:ff:fe12:3456 dev lo table local proto unspec metric 0
    local fe80::5054:ff:fe12:3456 dev lo table local proto unspec metric 0
    local fe80::5054:ff:fe12:3456 dev lo table local proto unspec metric 0
    local fe80::5054:ff:fe12:3456 dev lo table local proto unspec metric 0
    local fe80::5054:ff:fe12:3456 dev lo table local proto unspec metric 0
    local fe80::5054:ff:fe12:3456 dev lo table local proto unspec metric 0
    local fe80::5054:ff:fe12:3458 dev lo table local proto unspec metric 0
    ff00::/8 dev eth0 table local metric 256
    ff00::/8 dev eth0.1002 table local metric 256
    ff00::/8 dev eth0.1001 table local metric 256
    ff00::/8 dev eth0.100 table local metric 256
    ff00::/8 dev eth0.2 table local metric 256
    ff00::/8 dev eth0.1000 table local metric 256
    ff00::/8 dev eth0.210 table local metric 256
    ff00::/8 dev ifb0 table local metric 256
    ff00::/8 dev eth2 table local metric 256
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101

    dh@deex:~$ sudo tcpdump -r tmp/internal2gw.pcap
    reading from file tmp/internal2gw.pcap, link-type EN10MB (Ethernet)
    22:21:14.988697 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > 2803:3440:9003::aaf7:5f51: ICMP6, echo request, seq 14, length 56
    22:21:15.533685 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ch-qnc-as559.anchors.atlas.ripe.net: ICMP6, echo request, seq 15, length 56
    22:21:15.989434 IP6 fe80::6666:b3ff:fed1:45e0 > fe80::5054:ff:fe12:3458: ICMP6, neighbor solicitation, who has fe80::5054:ff:fe12:3458, length 32
    22:21:15.989474 IP6 fe80::5054:ff:fe12:3458 > fe80::6666:b3ff:fed1:45e0: ICMP6, neighbor advertisement, tgt is fe80::5054:ff:fe12:3458, length 24
    22:21:17.425516 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > 2a00:f28:300:1::2: ICMP6, echo request, seq 17, length 56
    22:21:18.586743 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy:10::1: ICMP6, echo request, seq 1, length 64
    22:21:18.586935 IP6 2a01:xxxx:yyyy:10::1 > 2a01:xxxx:yyyy:10::254: ICMP6, echo reply, seq 1, length 64
    22:21:18.989447 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > 2803:3440:9003::aaf7:5f51: ICMP6, echo request, seq 15, length 56
    22:21:19.535360 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ch-qnc-as559.anchors.atlas.ripe.net: ICMP6, echo request, seq 16, length 56
    22:21:19.592365 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy:10::1: ICMP6, echo request, seq 2, length 64
    22:21:19.592460 IP6 2a01:xxxx:yyyy:10::1 > 2a01:xxxx:yyyy:10::254: ICMP6, echo reply, seq 2, length 64
    22:21:20.617014 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy:10::1: ICMP6, echo request, seq 3, length 64
    22:21:20.617126 IP6 2a01:xxxx:yyyy:10::1 > 2a01:xxxx:yyyy:10::254: ICMP6, echo reply, seq 3, length 64
    22:21:21.427997 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > 2a00:f28:300:1::2: ICMP6, echo request, seq 18, length 56
    22:21:21.640338 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy:10::1: ICMP6, echo request, seq 4, length 64
    22:21:21.640456 IP6 2a01:xxxx:yyyy:10::1 > 2a01:xxxx:yyyy:10::254: ICMP6, echo reply, seq 4, length 64
    22:21:22.664402 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy:10::1: ICMP6, echo request, seq 5, length 64
    22:21:22.664531 IP6 2a01:xxxx:yyyy:10::1 > 2a01:xxxx:yyyy:10::254: ICMP6, echo reply, seq 5, length 64
    22:21:22.990865 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > 2803:3440:9003::aaf7:5f51: ICMP6, echo request, seq 16, length 56
    22:21:23.218692 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > 2804:e00:8000::1: ICMP6, echo request, seq 1, length 48
    22:21:23.537264 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > ch-qnc-as559.anchors.atlas.ripe.net: ICMP6, echo request, seq 17, length 56
    22:21:23.589387 IP6 fe80::5054:ff:fe12:3458 > 2a01:xxxx:yyyy:10::254: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::254, length 32
    22:21:23.589605 IP6 2a01:xxxx:yyyy:10::254 > fe80::5054:ff:fe12:3458: ICMP6, neighbor advertisement, tgt is 2a01:xxxx:yyyy:10::254, length 24

    dh@deex:~$ sudo tcpdump -r tmp/internal2router.pcap
    reading from file tmp/internal2router.pcap, link-type EN10MB (Ethernet)
    22:21:57.943024 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > Ripe-Anchor.homelab.net.au: ICMP6, echo request, seq 4, length 56
    22:21:59.176087 IP6 2404:6800:4003:c04::10c.48709 > 2a01:xxxx:yyyy:10::254.36053: UDP, length 59
    22:21:59.176347 IP6 2a01:xxxx:yyyy:10::254 > 2404:6800:4003:c04::10c: ICMP6, destination unreachable, unreachable port, 2a01:xxxx:yyyy:10::254 udp port 36053, length 115
    22:21:59.204390 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 1, length 64
    22:21:59.229486 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > 2804:e00:8000::1: ICMP6, echo request, seq 10, length 48
    22:21:59.480754 IP6 2404:6800:4003:c02::108.53736 > 2a01:xxxx:yyyy:10::254.36053: UDP, length 59
    22:21:59.480994 IP6 2a01:xxxx:yyyy:10::254 > 2404:6800:4003:c02::108: ICMP6, destination unreachable, unreachable port, 2a01:xxxx:yyyy:10::254 udp port 36053, length 115
    22:22:00.232263 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 2, length 64
    22:22:01.256186 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 3, length 64
    22:22:01.944876 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > Ripe-Anchor.homelab.net.au: ICMP6, echo request, seq 5, length 56
    22:22:02.280214 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 4, length 64
    22:22:02.946034 IP6 2404:6800:4003:c04::108.64150 > 2a01:xxxx:yyyy:10::254.36053: UDP, length 59
    22:22:02.946294 IP6 2a01:xxxx:yyyy:10::254 > 2404:6800:4003:c04::108: ICMP6, destination unreachable, unreachable port, 2a01:xxxx:yyyy:10::254 udp port 36053, length 115
    22:22:02.949285 IP6 fe80::6666:b3ff:fed1:45e0 > fe80::5054:ff:fe12:3458: ICMP6, neighbor solicitation, who has fe80::5054:ff:fe12:3458, length 32
    22:22:02.949305 IP6 fe80::5054:ff:fe12:3458 > fe80::6666:b3ff:fed1:45e0: ICMP6, neighbor advertisement, tgt is fe80::5054:ff:fe12:3458, length 24
    22:22:03.230112 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > 2804:e00:8000::1: ICMP6, echo request, seq 11, length 48
    22:22:03.304277 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 5, length 64
    22:22:04.200218 IP6 fe80::5054:ff:fe12:3511 > 2a01:xxxx:yyyy:10::1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::1, length 32
    22:22:04.200255 IP6 2a01:xxxx:yyyy:10::1 > fe80::5054:ff:fe12:3511: ICMP6, neighbor advertisement, tgt is 2a01:xxxx:yyyy:10::1, length 24
    22:22:04.328213 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 6, length 64
    22:22:05.224200 IP6 fe80::5054:ff:fe12:3511 > 2a01:xxxx:yyyy:10::1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::1, length 32
    22:22:05.224231 IP6 2a01:xxxx:yyyy:10::1 > fe80::5054:ff:fe12:3511: ICMP6, neighbor advertisement, tgt is 2a01:xxxx:yyyy:10::1, length 24
    22:22:05.352232 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 7, length 64
    22:22:05.446947 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0.57016 > 2800:68:10:c3d1:a:0:a71a:5.http: Flags [S], seq 2412520137, win 14400, options [mss 1440,sackOK,TS val 123112925 ecr 0,nop,wscale 2], length 0
    22:22:05.945910 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > Ripe-Anchor.homelab.net.au: ICMP6, echo request, seq 6, length 56
    22:22:06.248168 IP6 fe80::5054:ff:fe12:3511 > 2a01:xxxx:yyyy:10::1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::1, length 32
    22:22:06.248218 IP6 2a01:xxxx:yyyy:10::1 > fe80::5054:ff:fe12:3511: ICMP6, neighbor advertisement, tgt is 2a01:xxxx:yyyy:10::1, length 24
    22:22:06.376211 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 8, length 64
    22:22:06.439290 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0.57016 > 2800:68:10:c3d1:a:0:a71a:5.http: Flags [S], seq 2412520137, win 14400, options [mss 1440,sackOK,TS val 123113025 ecr 0,nop,wscale 2], length 0
    22:22:07.232464 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > 2804:e00:8000::1: ICMP6, echo request, seq 12, length 48
    22:22:07.400332 IP6 2a01:xxxx:yyyy:10::254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy:10::1, length 32
    22:22:07.400383 IP6 2a01:xxxx:yyyy:10::1 > 2a01:xxxx:yyyy:10::254: ICMP6, neighbor advertisement, tgt is 2a01:xxxx:yyyy:10::1, length 32
    22:22:07.400563 IP6 2a01:xxxx:yyyy:10::254 > 2a01:xxxx:yyyy::1: ICMP6, echo request, seq 9, length 64
    22:22:07.957379 IP6 fe80::5054:ff:fe12:3458 > fe80::6666:b3ff:fed1:45e0: ICMP6, neighbor solicitation, who has fe80::6666:b3ff:fed1:45e0, length 32
    22:22:07.957629 IP6 fe80::6666:b3ff:fed1:45e0 > fe80::5054:ff:fe12:3458: ICMP6, neighbor advertisement, tgt is fe80::6666:b3ff:fed1:45e0, length 24
    22:22:08.439293 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0.57016 > 2800:68:10:c3d1:a:0:a71a:5.http: Flags [S], seq 2412520137, win 14400, options [mss 1440,sackOK,TS val 123113225 ecr 0,nop,wscale 2], length 0
    22:22:08.825087 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > f.root-servers.net: ICMP6, echo request, seq 124, length 28
    22:22:09.205418 IP6 fe80::5054:ff:fe12:3458 > fe80::5054:ff:fe12:3511: ICMP6, neighbor solicitation, who has fe80::5054:ff:fe12:3511, length 32
    22:22:09.825513 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > f.root-servers.net: ICMP6, echo request, seq 125, length 28
    22:22:09.946848 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > Ripe-Anchor.homelab.net.au: ICMP6, echo request, seq 7, length 56
    22:22:10.205388 IP6 fe80::5054:ff:fe12:3458 > fe80::5054:ff:fe12:3511: ICMP6, neighbor solicitation, who has fe80::5054:ff:fe12:3511, length 32
    22:22:10.826737 IP6 2a01:xxxx:yyyy:0:6666:b3ff:fed1:45e0 > f.root-servers.net: ICMP6, echo request, seq 126, length 28
    22:22:11.205355 IP6 fe80::5054:ff:fe12:3458 > fe80::5054:ff:fe12:3511: ICMP6, neighbor solicitation, who has fe80::5054:ff:fe12:3511, length 32

    Thanks for your support


    Daniel

  • default via 2a01:xxxx:yyyy:10::254 dev eth2 table 1 proto policy metric 1024
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
    default via 2a01:xxxx:yyyy::1 dev eth0.1002 table 220 proto kernel metric 1024
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
    default via 2a01:xxxx:yyyy::2 dev eth2 table 221 proto kernel metric 1024
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
    default via 2a01:xxxx:yyyy::1 dev eth0.1002 table default proto kernel metric 1024
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
    2a01:xxxx:yyyy::1 dev eth0.1002 metric 1024
    2a01:xxxx:yyyy::2 dev eth2 metric 1024
    2a01:xxxx:yyyy:10::254 dev eth2 metric 1024
    2a01:xxxx:yyyy::/64 dev eth0.1002 proto kernel metric 256
    2a01:xxxx:yyyy:10::/64 dev eth2 proto kernel metric 256

    local 2a01:xxxx:yyyy:: dev lo table local proto unspec metric 0
    local 2a01:xxxx:yyyy::2 dev lo table local proto unspec metric 0
    local 2a01:xxxx:yyyy:10:: dev lo table local proto unspec metric 0
    local 2a01:xxxx:yyyy:10::1 dev lo table local proto unspec metric 0


    How did you get 4 default gateway routes for IPv6? Only one interface should have ipv6 gateway checked. There should be no manual default gateway routes created in static routing/policy routing.

    My UTM for reference (I just made bogus routes). 

    2001:db8::2/64 eth1 (eth1 gateway 2001:db8::1)/ 2001:db8:1::1/64 eth0

    default via 2001:db8::1 dev eth1 table default proto kernel metric 1024
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
    2001:db8::1 dev eth1 metric 1024
    2001:db8::/64 dev eth1 proto kernel metric 256
    2001:db8:1::/64 dev eth0 proto kernel metric 256

    local 2001:db8:: dev lo table local proto none metric 0
    local 2001:db8::2 dev lo table local proto none metric 0
    local 2001:db8:1:: dev lo table local proto none metric 0
    local 2001:db8:1::1 dev lo table local proto none metric 0
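As an added example (not code from this thread or from Sophos), a small Python checker that reads an `ip -6 route show table all` dump like the ones pasted above and warns when default routes leave via more than one interface, which is the condition the reply points at; both sample dumps are constructed from the lines posted above.

```python
"""Check an `ip -6 route show table all` dump for more than one IPv6 default gateway."""
import re
from collections import defaultdict

# Constructed sample 1: the route dump posted above (provider prefix masked as in the post).
DUMP_TWO_GATEWAYS = """\
default via 2a01:xxxx:yyyy:10::254 dev eth2 table 1 proto policy metric 1024
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
default via 2a01:xxxx:yyyy::1 dev eth0.1002 table 220 proto kernel metric 1024
default via 2a01:xxxx:yyyy::2 dev eth2 table 221 proto kernel metric 1024
default via 2a01:xxxx:yyyy::1 dev eth0.1002 table default proto kernel metric 1024
2a01:xxxx:yyyy::/64 dev eth0.1002 proto kernel metric 256
2a01:xxxx:yyyy:10::/64 dev eth2 proto kernel metric 256
"""

# Constructed sample 2: the reference dump with a single gateway on eth1.
DUMP_ONE_GATEWAY = """\
default via 2001:db8::1 dev eth1 table default proto kernel metric 1024
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
2001:db8::/64 dev eth1 proto kernel metric 256
2001:db8:1::/64 dev eth0 proto kernel metric 256
"""

# 'unreachable default' lines are kernel placeholders and do not match this pattern.
DEFAULT_RE = re.compile(r"^default via (?P<gw>\S+) dev (?P<dev>\S+)(?: table (?P<table>\S+))?")


def default_gateways(dump):
    """Map each outgoing interface to {gateway: [tables]} for every 'default via' route."""
    per_dev = defaultdict(lambda: defaultdict(list))
    for line in dump.splitlines():
        m = DEFAULT_RE.match(line.strip())
        if m:
            per_dev[m["dev"]][m["gw"]].append(m["table"] or "main")
    return {dev: dict(gws) for dev, gws in per_dev.items()}


def gateway_warnings(dump):
    """Return one warning per extra interface or extra gateway; an empty list means
    exactly one default gateway on one interface, the layout expected for a single uplink."""
    per_dev = default_gateways(dump)
    warnings = []
    if len(per_dev) > 1:
        warnings.append("default routes leave via %d interfaces: %s"
                        % (len(per_dev), ", ".join(sorted(per_dev))))
    for dev, gws in sorted(per_dev.items()):
        if len(gws) > 1:
            warnings.append("%s has %d different gateways: %s"
                            % (dev, len(gws), ", ".join(sorted(gws))))
    return warnings


if __name__ == "__main__":
    for name, dump in (("posted dump", DUMP_TWO_GATEWAYS), ("reference", DUMP_ONE_GATEWAY)):
        print(name, "->", gateway_warnings(dump) or ["OK: single default gateway"])
```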

  • I just put 2 default routes in the interfaces menu:

    . external interface has 2a01:xxxx:yyyy::1 as default route (eth0.1002)

    . internal interface has 2a01:xxxx:yyyy::2 as default route (eth2)

    The default 2a01:xxxx:yyyy:10::254 was added by UTM as I have some VPNs launched by another VM having this address.

    I removed the ipv6 gw from internal interface, now I have

    default via 2a01:xxxx:yyyy:10::254 dev eth2 table 1 metric 1024
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
    default via 2a01:xxxx:yyyy::1 dev eth0.1002 table 220 proto kernel metric 1024
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
    default via 2a01:xxxx:yyyy::1 dev eth0.1002 table default proto kernel metric 1024
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101

    Still don't understand why I have the 2a01:xxxx:yyyy::1 gateway twice. Will reboot the UTM to be sure.

    What should I put as default ipv6 route on internal hosts?

    Thanks for your support

    Daniel