Nos, csak most jutott időm, hogy ezzel foglalkozzak kicsit.
A helyzet a következő:
- A route-ok és a prefixek, amennyire meg tudom ítélni, jól terjednek
- A belső LAN-ra kötött hosztról és a routerről tudom pingelni a tunnel HE felőli IPv6-os végpontját, azonban azon túl semmit.
A LAN-os hosztról pingelve a router LAN oldali lábának címével kapok választ, mely szerint "Destination unreachable: No route". Ha a routerről próbálom, csak 100%-os packet losst látok. A routing szerint jó irányban látszik a hoszt.
A routerről pingelve az indexet IPv6-on, azt látom a "tcpdump -peni any host 2a02:730:4000::c0 or host 2a02:730:4000::f0" kimenetében, hogy a filter nem kap el semmit sem, egyik interfészen sem, ergo a tűzfal valószínűleg eldobja a forgalmat, és ki sem megy sehová. A kimenő csomagokat a tcpdump csak a netfilter láncai után látja, ezért ami egyik interfészen sem jelenik meg, az még a kiküldés előtt elveszett. (Ha a tunnel HE felőli végpontját pingelem IPv6 felett, akkor az a megfelelő filterrel látszik a tcpdump kimenetén, tehát nem az a gond, hogy nem látja a tunnelben menő forgalmat.)
A LAN-os gépemről:
root@host:~# ip -6 ro sh
::1 dev lo proto kernel metric 256 pref medium
2001:470:ZZZZ:1::fe5 dev enxcABCD proto kernel metric 102 pref medium
2001:470:ZZZZ:1::/64 dev enxcABCD proto ra metric 102 pref medium
fe80::/64 dev enxcABCD proto kernel metric 1024 pref medium
default via fe80::da58:d8ff:fe01:cdc9 dev enxcABCD proto ra metric 102 pref medium
root@host:~# ping 2001:470:XXXX:YYY::1
PING 2001:470:XXXX:YYY::1(2001:470:XXXX:YYY::1) 56 data bytes
64 bytes from 2001:470:XXXX:YYY::1: icmp_seq=1 ttl=63 time=17.8 ms
64 bytes from 2001:470:XXXX:YYY::1: icmp_seq=2 ttl=63 time=17.5 ms
64 bytes from 2001:470:XXXX:YYY::1: icmp_seq=3 ttl=63 time=15.5 ms
^C
--- 2001:470:XXXX:YYY::1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 15.482/16.946/17.814/1.041 ms
root@host:~# ping 2001:470:XXXX:YYY::2
PING 2001:470:XXXX:YYY::2(2001:470:XXXX:YYY::2) 56 data bytes
64 bytes from 2001:470:XXXX:YYY::2: icmp_seq=1 ttl=64 time=0.539 ms
64 bytes from 2001:470:XXXX:YYY::2: icmp_seq=2 ttl=64 time=0.498 ms
^C
--- 2001:470:XXXX:YYY::2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1031ms
rtt min/avg/max/mdev = 0.498/0.518/0.539/0.020 ms
root@host:~# ping -6 index.hu
PING index.hu(manis-1.cdn.magex.hu (2a02:730:4000::c0)) 56 data bytes
From 2001:470:ZZZZ:1::1 (2001:470:ZZZZ:1::1) icmp_seq=1 Destination unreachable: No route
From 2001:470:ZZZZ:1::1 (2001:470:ZZZZ:1::1) icmp_seq=2 Destination unreachable: No route
From 2001:470:ZZZZ:1::1 (2001:470:ZZZZ:1::1) icmp_seq=3 Destination unreachable: No route
From 2001:470:ZZZZ:1::1 (2001:470:ZZZZ:1::1) icmp_seq=4 Destination unreachable: No route
From 2001:470:ZZZZ:1::1 (2001:470:ZZZZ:1::1) icmp_seq=5 Destination unreachable: No route
^C
--- index.hu ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4006ms
A routerről:
root@router:~# ip -6 ro sh
default from 2001:470:XXXX:YYY::/64 dev 6in4-wan6 proto static metric 1024 pref medium
default from 2001:470:ZZZZ::/48 dev 6in4-wan6 proto static metric 1024 pref medium
2001:470:XXXX:YYY::/64 dev 6in4-wan6 proto kernel metric 256 pref medium
2001:470:ZZZZ::/64 dev br-wlan proto static metric 1024 pref medium
2001:470:ZZZZ:1::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2001:470:ZZZZ::/48 dev lo proto static metric 2147483647 pref medium
unreachable fdec:2f47:8966::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev br-wlan proto kernel metric 256 pref medium
fe80::/64 dev wlan1-1 proto kernel metric 256 pref medium
fe80::/64 dev 6in4-wan6 proto kernel metric 256 pref medium
fe80::/64 dev tun_turris proto kernel metric 256 pref medium
default dev 6in4-wan6 proto static metric 1024 pref medium
root@router:~# ping -6 index.hu
PING index.hu(manis-4.cdn.magex.hu (2a02:730:4000::f0)) 56 data bytes
^C
--- index.hu ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6269ms
root@router:~# ip ro get 2a02:730:4000::f0
2a02:730:4000::f0 from :: dev 6in4-wan6 proto static src 2001:470:XXXX:YYY::2 metric 1024 pref medium
root@router:~# cat /etc/config/firewall
# Global defaults: the policies used when no zone or rule decides a packet.
# NOTE(review): with input 'ACCEPT' here, traffic that reaches the router on an
# interface belonging to no zone is presumably accepted — confirm that every
# interface (tunnel and VPN devices included) is assigned to a zone.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# Discards packets that connection tracking classifies as INVALID.
option drop_invalid '1'
# LAN zone: networks 'lan' and 'wlan'; input, output and forward are all
# ACCEPT, so hosts on these networks are fully trusted by the router.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wlan'
# WAN zone: covers 'wan', 'wwan' and the IPv6 network 'wan6'. Unsolicited
# traffic to the router (input) and through it (forward) is rejected unless a
# rule elsewhere in this file allows it.
# Output is ACCEPT, so nothing in this section blocks router-originated traffic
# leaving through these networks; rules added by include scripts are not
# visible in this file.
# NOTE(review): masq is presumably IPv4-only, so for IPv6 there is no NAT in
# front of the LAN hosts — these REJECT policies are what keeps unsolicited
# inbound connections away from the LAN prefix. Confirm.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
# TCP MSS clamping; relevant on tunnelled uplinks with a reduced MTU.
option mtu_fix '1'
list network 'wan'
list network 'wwan'
list network 'wan6'
# Lets traffic that originates in the lan zone be forwarded out via wan.
config forwarding
option src 'lan'
option dest 'wan'
# Traffic rules. A rule with 'src' but no 'dest' applies to packets addressed
# to the router itself; a rule with 'dest' applies to forwarded packets.

# IPv4 only: accept UDP to port 68 from wan (DHCP lease renewal replies).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# IPv4 only: the router answers ICMP echo requests arriving from wan.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# IPv4 only: accept IGMP from wan.
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# IPv6 only: accept UDP to port 546 (DHCPv6 client) from wan when both source
# and destination fall inside fc00::/6. That prefix spans fc00:: through
# ffff:..., so it includes unique-local (fc00::/7) and link-local (fe80::/10)
# addresses.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# IPv6 only: accept Multicast Listener Discovery from link-local sources on
# wan. Types: 130 query, 131 report, 132 done, 143 MLDv2 report.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# IPv6 only: ICMPv6 addressed to the router from wan (note 'src' is set at the
# end of the section and there is no 'dest'). Includes error messages, echo,
# and the neighbour/router discovery types; rate-limited to 100 packets/sec.
config rule
option name 'Allow-ICMPv6-Input'
option proto 'icmp'
option limit '100/sec'
option family 'ipv6'
option target 'ACCEPT'
list icmp_type 'bad-header'
list icmp_type 'destination-unreachable'
list icmp_type 'echo-reply'
list icmp_type 'echo-request'
list icmp_type 'neighbour-advertisement'
list icmp_type 'neighbour-solicitation'
list icmp_type 'packet-too-big'
list icmp_type 'router-advertisement'
list icmp_type 'router-solicitation'
list icmp_type 'time-exceeded'
list icmp_type 'unknown-header-type'
option src 'wan'
# IPv6 only: ICMPv6 forwarded from wan to any zone (dest '*'), rate-limited to
# 100 packets/sec. Unlike the input rule, the neighbour/router discovery types
# are not listed here. Because echo-request is forwarded, hosts behind the
# router can be pinged from the wan side over IPv6.
config rule
option name 'Allow-ICMPv6-Forward'
option dest '*'
option proto 'icmp'
option limit '100/sec'
option family 'ipv6'
option target 'ACCEPT'
list icmp_type 'bad-header'
list icmp_type 'destination-unreachable'
list icmp_type 'echo-reply'
list icmp_type 'echo-request'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'unknown-header-type'
option src 'wan'
# Forward ESP from wan to lan.
# NOTE(review): no 'family' or 'dest_ip' is set on this rule or the ISAKMP rule
# below, so they presumably apply to IPv6 too and to every host in the lan
# zone. If no LAN host terminates IPsec, consider disabling both rules or
# narrowing them with dest_ip.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
# Forward UDP port 500 (IKE/ISAKMP) from wan to lan; see the note on the ESP
# rule above about its scope.
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Pulls in custom rules from /etc/firewall.user. Its contents are not part of
# this file, so the effective ruleset can differ from what is listed here —
# review that file together with this one.
config include
option path '/etc/firewall.user'
# Zone for the VPN client connection: unsolicited input and forwarding are
# rejected, outbound traffic is masqueraded.
# NOTE(review): no 'list network' or device is given in this section as shown —
# confirm which interface the zone is actually bound to.
config zone 'turris_vpn_client'
option name 'tr_vpn_cl'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
# LAN hosts may send traffic out through the VPN client zone.
config forwarding 'turris_vpn_client_forward'
option src 'lan'
option dest 'tr_vpn_cl'
# Zone for network 'vpn_turris': input, output and forward are all ACCEPT, so
# peers in this zone are trusted to the same degree as LAN hosts. Access control
# therefore rests on the VPN's own authentication.
config zone 'vpn_turris'
option enabled '1'
option name 'vpn_turris'
option input 'ACCEPT'
option output 'ACCEPT'
option masq '1'
list network 'vpn_turris'
option forward 'ACCEPT'
# IPv4 only: accept UDP port 1194 from wan to the router (no 'dest' is set).
# NOTE(review): 1194 is the usual OpenVPN port — presumably the listener for
# the vpn_turris network; confirm.
config rule 'vpn_turris_rule'
option name 'vpn_turris_rule'
option target 'ACCEPT'
option proto 'udp'
option src 'wan'
option dest_port '1194'
option family 'ipv4'
# The three forwardings below give the vpn_turris zone access to lan, give lan
# access to vpn_turris, and let vpn_turris traffic leave via wan.
config forwarding 'vpn_turris_forward_lan_in'
option enabled '1'
option src 'vpn_turris'
option dest 'lan'
config forwarding 'vpn_turris_forward_lan_out'
option enabled '1'
option src 'lan'
option dest 'vpn_turris'
config forwarding 'vpn_turris_forward_wan_out'
option enabled '1'
option src 'vpn_turris'
option dest 'wan'
# Script include, re-run on firewall reload, declared for IPv4 only.
# NOTE(review): going by the name this presumably installs BCP 38 (source
# address) filtering; no IPv6 counterpart is visible in this file.
config include 'bcp38'
option type 'script'
option path '/usr/lib/bcp38/run.sh'
option family 'IPv4'
option reload '1'
# Script include for miniupnpd, re-run on firewall reload, family 'any'.
# NOTE(review): this presumably lets the UPnP/NAT-PMP daemon add its own
# port-opening rules at runtime — check its configuration for which clients may
# request mappings.
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
# Accept IP protocol 41 (IPv6 encapsulated in IPv4, as used by 6in4 tunnels)
# arriving on eth0 from the single IPv4 source address listed below; there is
# no 'dest', so this covers packets addressed to the router itself.
# 6in4 carries no authentication of its own, so keeping src_ip pinned to the
# tunnel server is what limits who can hand encapsulated IPv6 to the router.
config rule
option src 'wan'
option name 'allow-proto-41-from-HE'
list src_ip '216.66.87.14'
option family 'ipv4'
option target 'ACCEPT'
option device 'eth0'
option direction 'in'
list proto '41'