
ipv6 for hosts behind UTM

Hi list,

I got an ipv6 /48 from my provider. I gave an ipv6 address to the UTM interface connected to the provider, and a second one to the internal interface of the UTM, with the ipv6 GW being the UTM interface connected to the provider. I don't use Prefix Advertisement, which is limited to /64. BTW, would it work if I use another mask like /96 or so?

My setup: host with Linux Debian9 and libvirt/kvm. UTM is software in a VM, v9.510-5. A second VM acts as a server for OpenVPN, DHCP, DNS, and so on. Everything is working fine with ipv4. I created a FW rule to allow all ipv6 to ipv6 for all services. I manually set an ipv6 address on a host behind the UTM -which means connected to the internal interface- and from there I can ping, ssh or telnet to the outside, all is good.

Problem is that I can't connect/reach the other way, outside to internal. I can ping the UTM provider interface, that's all. What is also possible is to ssh to an outside port redirected to the ipv6 of the host, but the session doesn't finish properly. With tshark I can see the traffic coming in, and on the client side (ssh -vvv) I get after a while:

debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by <UTM external ipv6 addr> port <ssh port>

Client is a VM in DC with same set up (Host Debian9, VM Debian9, ipv6 in /64 subnet). From the host behind UTM I can ping, ssh, telnet this client.

Any clue on that?

Daniel

  • Nobody on this? Does anyone use ipv6 behind UTM?

    I restarted all the setup, everything is now in a /64 including the ISP interface. From inside, it's almost working (see *), I can ping all hosts including the UTM on the internal interface. Hosts with no fixed ipv6 address get one from prefix advertisement, all is good. Problem is that I can't ping the UTM ISP interface ipv6 :(

    From outside it's the same: I can ping the ISP ipv6 but none of the internal ones! From the UTM, using Support => Tools, I can ping an outside ipv6 using nearest routing -which means the ISP interface- but not if I set the internal interface.

    It seems that the firewall is blocking internal ipv6 to external and vice versa. I even tried to give an ipv6 GW to the internal interface (the ISP interface), no change. Also I see in ip -6 r of the UTM:

    2a01:xxxx:yyyy::1 dev eth0.1002 metric 1024   ; ISP ipv6 GW
    2a01:xxxx:yyyy::2 dev eth2 metric 1024           ; ISP interface
    2a01:xxxx:yyyy::10:254 dev eth2 metric 1024  ; *** This entry should not be here, that's the ip of the second VM ! *** Internal ipv6 is ::10:1
    2a01:xxxx:yyyy::/64 dev eth2 proto kernel metric 256
    2a01:xxxx:yyyy::/64 dev eth0.1002 proto kernel metric 256
    fe80::/64 dev eth2 proto kernel metric 256
    fe80::/64 dev eth0 proto kernel metric 256
    fe80::/64 dev eth0.1002 proto kernel metric 256
    fe80::/64 dev eth0.1001 proto kernel metric 256
    fe80::/64 dev eth0.100 proto kernel metric 256
    fe80::/64 dev eth0.2 proto kernel metric 256
    fe80::/64 dev eth0.1000 proto kernel metric 256
    fe80::/64 dev eth0.210 proto kernel metric 256
    fe80::/64 dev ifb0 proto kernel metric 256

    Any help or tip is appreciated.

    (*) the second VM can only be reached by the UTM VM and the physical host. Other way it's working like a charm. But that's another story.

    Daniel

  • Me again ;)

    What I see in the logs is that neighbor solicitations for the external ipv6 never get answered (capture on the internal interface):

    19:01:35.455562 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has guava, length 32
    19:01:35.578057 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy::1, length 32
    19:01:36.474502 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has guava, length 32
    19:01:36.602368 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy::1, length 32
    19:01:37.498390 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has guava, length 32
    19:01:37.626370 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy::1, length 32
    19:01:38.522412 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has guava, length 32
    19:01:39.034301 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy::1, length 32
    19:01:39.546318 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has guava, length 32
    19:01:40.058373 IP6 2a01:xxxx:yyyy::10:254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy::1, length 32
    19:01:40.457457 IP6 fe80::xyz:ff:zyx:1234 > 2a01:xxxx:yyyy::10:254: ICMP6, neighbor solicitation, who has 2a01:xxxx:yyyy::10:254, length 32
    19:01:40.457574 IP6 2a01:xxxx:yyyy::10:254 > fe80::xyz:ff:zyx:1234: ICMP6, neighbor advertisement, tgt is 2a01:xxxx:yyyy::10:254, length 24

    but it is answered for the internal ipv6 (last 2 lines).

    Is there a rule to add on the firewall to allow those neighbor solicitations/advertisements?

    Daniel
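
The capture above can be checked mechanically rather than by eye. The following script is an added example, not code from the thread or from Sophos: it parses tcpdump neighbor-discovery lines in the format shown above, counts solicitations whose target never gets an advertisement anywhere in the capture, and verifies that each solicitation went to the RFC 4291 solicited-node multicast group derived from its target (or to the target itself, as for a unicast reachability probe). The sample capture is constructed with the documentation prefix 2001:db8:1::/64 in place of the poster's real prefix; "guava" stands in for a target that tcpdump printed as a resolved hostname.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the same shape as the tcpdump lines in the post
# (documentation prefix 2001:db8:1::/64 replaces the poster's real prefix).
SAMPLE_CAPTURE = """\
19:01:35.455562 IP6 2001:db8:1::10:254 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has guava, length 32
19:01:35.578057 IP6 2001:db8:1::10:254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8:1::1, length 32
19:01:36.474502 IP6 2001:db8:1::10:254 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has guava, length 32
19:01:36.602368 IP6 2001:db8:1::10:254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8:1::1, length 32
19:01:37.626370 IP6 2001:db8:1::10:254 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8:1::1, length 32
19:01:40.457457 IP6 fe80::1 > 2001:db8:1::10:254: ICMP6, neighbor solicitation, who has 2001:db8:1::10:254, length 32
19:01:40.457574 IP6 2001:db8:1::10:254 > fe80::1: ICMP6, neighbor advertisement, tgt is 2001:db8:1::10:254, length 24
"""

# One tcpdump -n style ND line: timestamp, src > dst, kind, target, length.
ND_LINE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, "
    r"neighbor (?P<kind>solicitation|advertisement), "
    r"(?:who has|tgt is) (?P<target>\S+), length (?P<len>\d+)$"
)


def parse_nd(text):
    """Return one dict per neighbor-discovery line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = ND_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def solicited_node(addr):
    """RFC 4291 solicited-node multicast group for a unicast address:
    ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the address."""
    low24 = int.from_bytes(ipaddress.IPv6Address(addr).packed[-3:], "big")
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


def unanswered_targets(events):
    """Solicitation count per target that got no advertisement in the capture."""
    answered = {e["target"] for e in events if e["kind"] == "advertisement"}
    asked = Counter(e["target"] for e in events if e["kind"] == "solicitation")
    return {t: n for t, n in asked.items() if t not in answered}


def misdirected_solicitations(events):
    """Solicitations whose destination is neither the target's solicited-node
    group nor the target itself (the unicast form used for reachability probes).
    Returns (timestamp, target, dst) tuples."""
    bad = []
    for e in events:
        if e["kind"] != "solicitation":
            continue
        try:
            expected = solicited_node(e["target"])
        except ipaddress.AddressValueError:
            continue  # tcpdump printed a hostname; the group cannot be derived
        dst = str(ipaddress.IPv6Address(e["dst"]))
        if dst not in (expected, str(ipaddress.IPv6Address(e["target"]))):
            bad.append((e["ts"], e["target"], e["dst"]))
    return bad


if __name__ == "__main__":
    ev = parse_nd(SAMPLE_CAPTURE)
    for target, n in unanswered_targets(ev).items():
        print(f"{target}: {n} solicitation(s), no advertisement seen")
    for ts, target, dst in misdirected_solicitations(ev):
        print(f"{ts}: solicitation for {target} sent to unexpected {dst}")
```

Run it on a capture taken with tcpdump -n so that targets are printed as addresses rather than hostnames; the solicited-node check is only possible for address targets. On the sample it reports the solicitations for 2001:db8:1::1 and guava as unanswered and finds no misdirected ones, which matches the poster's reading that the solicitations themselves are well-formed and simply never get a reply on that link.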

  • This sounds to me like a routing issue.

    Can you filter your TCPDump per interface and check to see if it is going out the correct one?

    Neighbor solicitation is done within the same broadcast domain, so if you have two interfaces with overlapping networks that could be the issue.

    I would suggest opening a support case for this issue if everything seems correct after doing the above.
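
The overlap this reply describes is visible in the ip -6 r output Daniel posted earlier in the thread: the same global /64 appears as a connected route on both eth2 and eth0.1002. The script below is an added example, not code from the thread or from Sophos; it parses ip -6 route output, lists global prefixes the kernel considers directly attached on more than one interface (link-local fe80::/64 is expected on every interface and is skipped), and lists the manually added /128 host routes so entries like the one Daniel flagged can be spotted. The sample route table is constructed with the documentation prefix 2001:db8:1::/64 in place of the real one.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the "ip -6 r" output posted in the thread
# (documentation prefix 2001:db8:1::/64 replaces the poster's real prefix).
SAMPLE_ROUTES = """\
2001:db8:1::1 dev eth0.1002 metric 1024        ; ISP ipv6 GW
2001:db8:1::2 dev eth2 metric 1024             ; ISP interface
2001:db8:1::10:254 dev eth2 metric 1024        ; address of the second VM
2001:db8:1::/64 dev eth2 proto kernel metric 256
2001:db8:1::/64 dev eth0.1002 proto kernel metric 256
fe80::/64 dev eth2 proto kernel metric 256
fe80::/64 dev eth0.1002 proto kernel metric 256
"""

# ip route attributes that are followed by a value; anything else is a flag.
KEYED = {"dev", "via", "proto", "metric", "src", "pref"}


def parse_routes(text):
    """Parse ip -6 route lines into dicts with an ip_network 'dst'."""
    routes = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # tolerate ';' annotations
        if not line:
            continue
        tokens = line.split()
        dst = "::/0" if tokens[0] == "default" else tokens[0]
        # A bare address (no /len) is a host route; ip_network makes it /128.
        route = {"dst": ipaddress.ip_network(dst, strict=False), "proto": "boot"}
        i = 1
        while i < len(tokens):
            if tokens[i] in KEYED and i + 1 < len(tokens):
                route[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                i += 1  # flags such as "linkdown" carry no value
        route["metric"] = int(route.get("metric", 0))
        routes.append(route)
    return routes


def overlapping_connected_prefixes(routes):
    """Global prefixes attached (proto kernel) on more than one interface."""
    by_prefix = defaultdict(set)
    for r in routes:
        if r["proto"] == "kernel" and not r["dst"].is_link_local:
            by_prefix[r["dst"]].add(r.get("dev"))
    return {str(p): sorted(d) for p, d in by_prefix.items() if len(d) > 1}


def host_routes(routes):
    """Non-kernel /128 entries as (address, interface) pairs."""
    return [(str(r["dst"].network_address), r.get("dev"))
            for r in routes
            if r["dst"].prefixlen == 128 and r["proto"] != "kernel"]


def findings(routes):
    """Human-readable list of the two conditions worth checking on a UTM."""
    out = []
    for prefix, devs in overlapping_connected_prefixes(routes).items():
        out.append(f"{prefix} is connected on {', '.join(devs)}: "
                   "the kernel cannot tell which link a neighbor is on")
    for addr, dev in host_routes(routes):
        out.append(f"host route {addr} pinned to {dev}")
    return out


if __name__ == "__main__":
    for line in findings(parse_routes(SAMPLE_ROUTES)):
        print(line)
```

The overlap is the condition to fix first: with one /64 attached to both the ISP-facing and the internal interface, neighbor solicitations for an address in that prefix can be sent out of either link, which is exactly the symptom of unanswered solicitations seen on the internal capture. The host-route list is informational; a /128 for a neighbor that the kernel learned itself is normal, but one that points at an unexpected interface deserves a look.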

  • This may be related to the RADVD issue I have been having for over a year:

    https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/97554/radvd-does-not-seem-to-be-working

    Basically, I can get an IPv6 address on my internal network, but no one else knows how to route to me. The outside interface is a /128 because it is supposed to be the gateway to your assigned networks. I have never heard of any solution, and after a few updates, the problem persists. If you want, you can NAT your internal network to the /128 on the outside interface and IPv6 will work, but you will be using masquerade instead of your IP.

    Is this related to your issue?
