From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-oi0-x231.google.com (mail-oi0-x231.google.com [IPv6:2607:f8b0:4003:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.bufferbloat.net (Postfix) with ESMTPS id 9BC773B2DA for ; Tue, 21 Jun 2016 18:02:00 -0400 (EDT) Received: by mail-oi0-x231.google.com with SMTP id u201so5727453oie.0 for ; Tue, 21 Jun 2016 15:02:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=fyKarDJvhp1+Q24cIdjrEOGz/9yDFkYpJ3SuKwUNfBk=; b=HKkBTWIo3l3AezZxO52g/2dxf4TVfwrTpisn2Be6SGIrJOvgkSnDBCINZ/3u1+8anr jPKOsh/IoCMbemvcmKHsJcwnHtwr0UjP9IiADIC0XUMgxrW0ZHdG9aTvanKH1uoKv6cH eNS02qPHKwcCF1mtXy2+/pxRNzY7eXVwdkYJ2xdsxfflK4Ra/r5ZAPQVoSAlGlxZtDEp 8+L8JsMDfxB7vyC58e5kMPL8k4BidsSujFaccdo+crcMniyPtgovrRbPzdiJhFO5atJ4 lHeBzYr2WaTS9DSJGwezQWJlHcoz0nyo5InYhcZnDtQx9Cfp69ACiicc48pgb3bd/rZ1 ewHQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=fyKarDJvhp1+Q24cIdjrEOGz/9yDFkYpJ3SuKwUNfBk=; b=EaroL8KXFUrcHeUpm0GTD5roJxzr5Yq6t6tBKr1YbZzwc9x/6TEmhnTxW6ajHqcJyr uX0+1xFYJm1H6GpbhYxuEib9TGUgWTFPgQyfNHMtgnoFA2YisMwhC0Q1FgiBwnZA+NNX 8cTjFps9O+aNIQPuWazW4sty98W0bP8o1MjKgyfLWJJ5gAcuyEqzD3GvIGvs3vn8EPen 46yKLtrtA3v9r7FFQZ00o7QYT8S1AZ1RL+zB6x75nc+TolXaYlB4hwsxh+Q9ZlWcqQfu NzeEcfx3CeyEehuIzjheKlqFsAsZVt3lXcLCJUw02w1naoSgJnvm/FPwmNT5WjvQi9tV 9JCQ== X-Gm-Message-State: ALyK8tIeqfZIS23oez5qC1q/dvucVJvReKFehXdAAHz2QiGKRTRFWXC5K1XmNfdnEPHeeYFeJF2yzmSjY75row== X-Received: by 10.157.15.151 with SMTP id d23mr18048932otd.49.1466546519735; Tue, 21 Jun 2016 15:01:59 -0700 (PDT) MIME-Version: 1.0 Received: by 10.202.175.130 with HTTP; Tue, 21 Jun 2016 15:01:59 -0700 (PDT) In-Reply-To: <5769AFAB.5030603@gmail.com> References: <5769AFAB.5030603@gmail.com> From: Dave Taht Date: Tue, 21 Jun 2016 15:01:59 -0700 Message-ID: To: Simon Dalley Cc: "cerowrt-devel@lists.bufferbloat.net" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: Re: [Cerowrt-devel] [Bloat] ipv6 not quite working for me on internal networks X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.20 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Jun 2016 22:02:00 -0000 On Tue, Jun 21, 2016 at 2:20 PM, Simon Dalley wrot= e: > On 17/06/16 15:21, Dave Taht wrote: >> >> On Thu, Jun 16, 2016 at 8:56 PM, Simon Dalley >> wrote: >>> >>> Hello, >>> >>> First, thanks for all the work to make cerowrt what it is. >> >> Was. I am really encouraging everyone to update to lede at this point, >> which has nearly everything that was "good" about cerowrt in it. > > Well, the nice thing about cerowrt "was" its improved list of setup defau= lts > vs. openwrt, not least the routed-instead-of-bridged subnets which is so > helpful on mixed wired/wireless. Has this been carried over into lede? Is > there a recommended cerowrt-flavoured git branch in lede? No, and no. I've gotten quite fast on unbridging stuff by hand, but decided that it was too lonely in the general case to do more than follow the herd on this front, at least for when I was not actively testing wifi's multicast behaviors. One of the "big ideas" in cerowrt was to rename interfaces on creation and before they came up by their security model (gXXX for guest, sXXX for secure) so that there could be a stateless firewall that you'd never have to reload, and would never be vulnerable for an instant. It used pattern matching so you could bring up a "s+" rule and have iptables match all that all the time, and have interfaces come and go underneath it. Among other things this meant you'd never break conntracking for nailed up nat connections. Nobody bought into that - even after going through hell on interfaces and ipv6 addresses coming and going, triggering so many firewall reloads that the default openwrt system was basically useless at one point in it's development, the answer was to rate limit firewall changes and keep the loose coupling between a bridge/firewall "interface" and reality... and I'd never got anywhere on renaming vlans properly, so I gave up. Nowadays the systemd folk are off creating memorable, distinct names for interfaces, like a new random usb+mac hash for enx029b514afb6f for what used to be called usb0, enp2s0 for what was eth2, and so on. This does not strike me as an improvement, either. It was primarily not being able to figure out how to map "eth0.2" into se00 and eth0.3 into ge01 portion of the pattern matching problem that caused me to give up on the "cerowall" design. https://www.bufferbloat.net/projects/cerowrt/wiki/CeroWall/ I have some hope (but only some) that nftables might straighten some of this out. I have mildly more hope that the iptables rules will gain chains and filter out protocols by frequency, one day, at least. >>> I am having some difficulty with ipv6 on the "last hop", namely my >>> internal >>> network. >>> >>> Platform: Netgear WNDR3800 >>> Cerowrt version: CeroWrt Toronto 3.10.50-1 / LuCI Trunk (svn-r10459) >>> >>> AQUISS, my UK ISP, provides an ipv6 address range: >>> IPv6 Address 20xx:xxxx:xx55:ae00::/56 >> >> Are you getting this via dhcp-pd or is it static? > > I had set the Network | Interfaces | GE00 check box "Enable IPv6 negotiat= ion > on the PPP link" and the options below for the WAN6 interface, but that > didn't seem to do anything. Only when I added an explicit value for the > "ipv6prefix" option did any global ipv6 addresses appear. In > /etc/config/networks: > config interface 'wan6' > option ifname '@ge00' > option proto 'dhcpv6' > option broadcast '1' > option metric '2048' > option reqprefix '56' > option reqaddress 'try' > option ip6prefix '20xx:xxxx:xx55:ae00::/56' > > config interface 'ge00' > option _orig_ifname 'ge00' > option _orig_bridge 'false' > option ifname 'ge00' > option proto 'pppoe' > option ipv6 '1' > option username 'xxxxx@aquiss.com' > option password 'xxxxx' > option mtu '1458' I am sorry but I am confused, is this a 6rd device? I regret that I do not know anyone that tested pppoe in this scenario. > >>> Recommended MTU: 1458 bytes >>> >>> I can make ipv6 work when connecting PC host "centaur" directly to the >>> cable >>> modem and running pppd. ping6 ipv6.google.com etc works fine. >> >> The "cable" modem is running over ppp??? > > Sorry, I shouldn't have just glibly said "cable modem". It's actually a F= TTC > DSL modem, serving via PPPoE. When I was trying it directly from the PC, = I > set it up using pppoeconf under ubuntu. >>> >>> Reconnecting via the WNDR3800, everything ipv4 related works fine with >>> "centaur" on the se00 subnet. >>> >>> I can also ping6 without problems from the WNDR3800: >>> root@cerowrt:~# ping6 ipv6.google.com >>> PING ipv6.google.com (2a00:1450:4009:80f::200e): 56 data bytes >>> 64 bytes from 2a00:1450:4009:80f::200e: seq=3D0 ttl=3D53 time=3D15.5= 76 ms >>> 64 bytes from 2a00:1450:4009:80f::200e: seq=3D1 ttl=3D53 time=3D14.9= 59 ms >>> 64 bytes from 2a00:1450:4009:80f::200e: seq=3D2 ttl=3D53 time=3D15.1= 56 ms >>> 64 bytes from 2a00:1450:4009:80f::200e: seq=3D3 ttl=3D53 time=3D15.0= 44 ms >>> ^C >>> --- ipv6.google.com ping statistics --- >>> 4 packets transmitted, 4 packets received, 0% packet loss >>> round-trip min/avg/max =3D 14.959/15.183/15.576 ms >>> >>> but ping6 can't get through from centaur on se00: >> >> A traceroute6 would be better. Try it from various source addresses on >> the router. > > From centaur on se00: > root@centaur:/etc/network# traceroute6 ipv6.google.com > traceroute to ipv6.l.google.com (2a00:1450:400b:c00::71) from > 20xx:xxxx:xx55:ae02::f48, 30 hops max, 24 byte packets > 1 20xx:xxxx:xx55:ae02::1 (20xx:xxxx:xx55:ae02::1) 0.498 ms !N 0.559 ms= !N > 0.438 ms !N > > From cerowrt using default interface: > root@cerowrt:/etc/config# traceroute6 ipv6.google.com > traceroute to ipv6.google.com (2a00:1450:4009:80e::200e), 30 hops max, 16 > byte packets > 1 fe80::f60f:1bff:fe17:8d00%pppoe-ge00 > (fe80::f60f:1bff:fe17:8d00%pppoe-ge00) 8.742 ms 8.763 ms 8.595 ms > 2 gi1-2.inx.dist.dsl.enta.net (2001:4d48:feed:58::a) 8.901 ms 8.512 ms > 8.410 ms > 3 te2-2.interxion.dsl.enta.net (2001:4d48:feed:4b::a) 8.825 ms 8.628 m= s > 8.749 ms > 4 te2-3.interxion.core.enta.net (2001:4d48:feed:22::a) 9.024 ms 7.482 = ms > 9.070 ms > 5 2001:4d48:ace::44 (2001:4d48:ace::44) 15.690 ms 17.611 ms 15.333 ms > 6 2001:4d48:ace::43 (2001:4d48:ace::43) 15.427 ms 15.566 ms 16.255 ms > 7 2001:4860:1:1:0:2114:0:5 (2001:4860:1:1:0:2114:0:5) 15.109 ms 14.715= ms > 14.300 ms > 8 2001:4860:1:1:0:2114:0:4 (2001:4860:1:1:0:2114:0:4) 14.467 ms 15.516= ms > 14.986 ms > 9 2001:4860::1:0:cd12 (2001:4860::1:0:cd12) 15.367 ms 15.571 ms 15.63= 8 > ms > 10 2001:4860::8:0:87b7 (2001:4860::8:0:87b7) 14.824 ms 24.848 ms 15.11= 9 > ms > 11 2001:4860::8:0:ac54 (2001:4860::8:0:ac54) 15.387 ms 29.964 ms 15.63= 7 > ms > 12 2001:4860::1:0:ab9d (2001:4860::1:0:ab9d) 16.347 ms 16.363 ms 15.68= 5 > ms > 13 2001:4860:0:1::1b27 (2001:4860:0:1::1b27) 16.147 ms 16.556 ms 15.45= 9 > ms > 14 2001:4860:0:1::1755 (2001:4860:0:1::1755) 15.657 ms 15.828 ms 15.43= 4 > ms > 15 lhr25s01-in-x200e.1e100.net (2a00:1450:4009:80e::200e) 15.515 ms > 15.551 ms 15.457 ms > > From cerowrt but using se00 interface's address: > root@cerowrt:/etc/config# traceroute6 -s 20xx:xxxx:xx55:ae02::1 > ipv6.google.com > traceroute to ipv6.google.com (2a00:1450:4009:80e::200e) from > 20xx:xxxx:xx55:ae02::1, 30 hops max, 16 byte packets > 1traceroute6: sendto: Operation not permitted You have now narrowed it down a bit. Are you sure you are getting a /56? Do try disabling the firewall rule below. Do a traceroute6 from the outside and see where it stops. > >> Disabling the firewall for ipv6 is sometimes helpful also, for debugging= . > > I tried > /etc/init.d/firewall stop > > but that disabled all traffic. What's the recommended way of temporarily > enabling everything? ip6tables -P FORWARD ACCEPT; >> You might also want a reqprefix of 56 in the wan stanza. > > Already done. > >> We did not have much chance to test against any other prefix sizes >> than 64, 60, and 48. >> >>> root@centaur:/etc/network# ping6 ipv6.google.com >>> PING ipv6.google.com(lhr25s02-in-x200e.1e100.net) 56 data bytes >>> From lhr25s02-in-x200e.1e100.net icmp_seq=3D1 Destination unreachabl= e: >>> No >>> route >>> From lhr25s02-in-x200e.1e100.net icmp_seq=3D2 Destination unreachabl= e: >>> No >>> route >>> From lhr25s02-in-x200e.1e100.net icmp_seq=3D3 Destination unreachabl= e: >>> No >>> route >>> From lhr25s02-in-x200e.1e100.net icmp_seq=3D4 Destination unreachabl= e: >>> No >>> route >>> ^C >>> --- ipv6.google.com ping statistics --- >>> 4 packets transmitted, 0 received, +4 errors, 100% packet loss, time >>> 3024ms >>> >>> For your information, ipv6 routes on centaur are: >>> root@centaur:/etc/network# ip -6 route >>> 20xx:xxxx:xx55:ae10::f48 dev eth0 proto kernel metric 256 expires >>> 84847sec pref medium >>> 20xx:xxxx:xx55:ae10::/64 dev eth0 proto ra metric 100 pref medium >>> 20xx:xxxx:xx55:ae00::/56 via fe80::2cb0:5dff:fea6:94ad dev eth0 pro= to >>> ra >>> metric 100 pref medium >>> fe80::/64 dev eth0 proto kernel metric 256 pref medium >>> default via fe80::2cb0:5dff:fea6:94ad dev eth0 proto static metric >>> 100 >>> pref medium Maybe you can setup centaur directly, and give it the ipv6 address that is failing and repeat the traceroute6 -s thataddress test there. >>> and on the router are: >>> root@cerowrt:~# ip -6 route >>> default from :: via fe80::f60f:1bff:fe17:8d00 dev pppoe-ge00 proto >>> static >>> metric 1024 >>> default from 20:xx:xxxx:xx00:55ae::/64 via fe80::f60f:1bff:fe17:8d00 >>> dev >>> pppoe-ge00 proto static metric 1024 >> >> you should also have had a default from >> >> 20xx:xxxx:xx55:ae00::/56 >> >> I think. >> >> ip -6 route add default from >> >>> 20xx:xxxx:xx55:ae00::/64 dev gw00 proto kernel metric 256 >>> 20xx:xxxx:xx55:ae01::/64 dev gw10 proto kernel metric 256 >>> 20xx:xxxx:xx55:ae02::/64 dev sw00 proto kernel metric 256 >>> 20xx:xxxx:xx55:ae03::/64 dev sw10 proto kernel metric 256 >>> 20xx:xxxx:xx55:ae10::/60 dev se00 proto kernel metric 256 >> >> This appears wrong to me in that ae10 should have been a /64 > > I changed the "config interface 'se00'" option ip6assign back from '60' t= o > '64'. Did not affect the routing problem. (I had earlier changed it to '6= 0' > to see if it made any difference.) > >>> unreachable 20xx:xxxx:xx55:ae00::/56 dev lo proto static metric >>> 2147483647 error -128 >>> fe80::/64 dev se00 proto kernel metric 256 >>> fe80::/64 dev ifb0 proto kernel metric 256 >>> fe80::/64 dev sw10 proto kernel metric 256 >>> fe80::/64 dev sw00 proto kernel metric 256 >>> fe80::/64 dev gw10 proto kernel metric 256 >>> fe80::/64 dev gw00 proto kernel metric 256 >>> fe80::/64 dev ge00 proto kernel metric 256 >>> fe80::/10 dev pppoe-ge00 metric 1 >>> fe80::/10 dev pppoe-ge00 proto kernel metric 256 >>> >>> I'm stumped. Can anybody help? >>> >>> regards, Simon >>> >>> _______________________________________________ >>> Bloat mailing list >>> Bloat@lists.bufferbloat.net >>> https://lists.bufferbloat.net/listinfo/bloat >>> >> > --=20 Dave T=C3=A4ht Let's go make home routers and wifi faster! With better software! http://blog.cerowrt.org