linux ipv6 routing problem

Hi,


Here's the problem:

I have a central server in my house that does acts as a router between
the computers I have and the internet. It have ipv6 forwarding
enabled, and has a statically assigned ipv6 address.

Other machines in my house receive an ipv6 address automatically from
the radvd running on the server.

I cannot ping6 my server from my laptop (it says Destination
unreachable: Address unreachable). However, I can ping my laptop from
my server. Now once they both know each other (ip neigh shows they
know each other) /then/ I can ping my server from my laptop! So it
seems that the laptop can't discover the server, but the server can
discover the laptop!


radvd on the server uses the following conf file:
interface eth0 {
MinRtrAdvInterval 30;
MaxRtrAdvInterval 60;
AdvSendAdvert on;
prefix 2001:XXXX:XXXX:XXXX::0/64
{
AdvOnLink on;
AdvAutonomous on;
};

prefix fd05:YYYY:YYYY::0/64
{
AdvOnLink on;
AdvAutonomous on;
};
};

Here, the 2001:XXXX... is an ipv6 prefix I was assigned by my ipv6
tunnel provider.

the fd05:YYYY... is my unique local prefix

Forgive me for blanking out details of my personal ipv6 prefixes, I'm
a little paranoid.


On my server, ip -6 addr gives:

4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 fd05:YYYY:YYYY::1/64 scope global
valid_lft forever preferred_lft forever
inet6 2001:XXXX:XXXX:XXXX::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::230:18ff:fea4:df9f/64 scope link
valid_lft forever preferred_lft forever

and ip -6 route gives (just the important bits):

2001:XXXX:XXXX:XXXX::/64 dev eth0 metric 256 expires 21267640sec mtu
1500 advmss 1440 hoplimit 4294967295
fd05:YYYY:YYYY::/64 dev eth0 metric 256 expires 21267640sec mtu 1500
advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0 metric 256 expires 21267636sec mtu 1500 advmss
1440 hoplimit 4294967295
ff00::/8 dev eth0 metric 256 expires 21267636sec mtu 1500 advmss
1440 hoplimit 4294967295



On my laptop, ip -6 addr gives the following output:

6: ath0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
inet6 2001:XXXX:XXXX:XXXX:219:7dff:fe25:6e20/64 scope global dynamic
valid_lft 2577272sec preferred_lft 590072sec
inet6 fd05:YYYY:YYYY:0:219:7dff:fe25:6e20/64 scope global dynamic
valid_lft 2577272sec preferred_lft 590072sec
inet6 fe80::219:7dff:fe25:6e20/64 scope link
valid_lft forever preferred_lft forever

ip -6 route gives:

2001:XXXX:XXXX:XXXX::/64 dev ath0 proto kernel metric 256 expires
2577191sec mtu 1500 advmss 1440 hoplimit 4294967295
fd05:YYYY:YYYY::/64 dev ath0 proto kernel metric 256 expires
2577191sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev ath0 metric 256 expires -19452sec mtu 1500 advmss 1440
hoplimit 4294967295
ff00::/8 dev ath0 metric 256 expires -19452sec mtu 1500 advmss 1440
hoplimit 4294967295
default via fe80::230:18ff:fea4:df9f dev ath0 proto kernel metric
1024 expires 113sec mtu 1500 advmss 1440 hoplimit 64


When the neighour tables are clear, and I ping my server from my
laptop (i.e. when ping6 doesn't work) wireshark on my laptop tells me
its sending ICMPv6 neighbour solicitation packets to ff02::1:ff00:1
over ath0, but I don't receive anything on my server's wireshark. So
these ff02::1:ff00:1 packets aren't being answered by the server. Any
ideas?

I know this is complicated, hopefully someone here can tell me what's
happening (I've seen this problem around the 'net quite a bit, but
haven't seen any answers).

Thanks


--
From: ayqazi at yahoo <dot> co DOT uk

Hello,

ayqazi a écrit :
>
> When the neighour tables are clear, and I ping my server from my
> laptop (i.e. when ping6 doesn't work) wireshark on my laptop tells me
> its sending ICMPv6 neighbour solicitation packets to ff02::1:ff00:1
> over ath0, but I don't receive anything on my server's wireshark. So
> these ff02::1:ff00:1 packets aren't being answered by the server. Any
> ideas?

Is this a wifi network ? I've heard about wifi devices or drivers behave
strangely with broadcast/multicast MAC addresses.

Pascal Hambourg wrote:
> Hello,
>
> ayqazi a écrit :
>>
>> When the neighour tables are clear, and I ping my server from my
>> laptop (i.e. when ping6 doesn't work) wireshark on my laptop tells me
>> its sending ICMPv6 neighbour solicitation packets to ff02::1:ff00:1
>> over ath0, but I don't receive anything on my server's wireshark. So
>> these ff02::1:ff00:1 packets aren't being answered by the server. Any
>> ideas?
>
> Is this a wifi network ? I've heard about wifi devices or drivers behave
> strangely with broadcast/multicast MAC addresses.

The same behaviour occurs with ethernet.

--
From: ayqazi at yahoo <dot> co DOT uk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

,--- ayqazi writes:
| Hi,

[...]

| When the neighour tables are clear, and I ping my server from my
| laptop (i.e. when ping6 doesn't work) wireshark on my laptop tells me
| its sending ICMPv6 neighbour solicitation packets to ff02::1:ff00:1
| over ath0, but I don't receive anything on my server's wireshark. So
| these ff02::1:ff00:1 packets aren't being answered by the server. Any
| ideas?

So looks like ip6tables at server is dropping ICMPv6 packets.
Are you sure, you're accepting all ICMPv6 packets in ip6tables at your
server, hmm... ?

/sbin/ip6tables -t filter -I INPUT 1 -p 58 -j ACCEPT

| I know this is complicated, hopefully someone here can tell me what's
| happening (I've seen this problem around the 'net quite a bit, but
| haven't seen any answers).

| Thanks


| --
| From: ayqazi at yahoo <dot> co DOT uk

HTH
- --
Ashish Shukla "Wah Java !!"
आशीष श�क�ल

weblog: http://wahjava.wordpress.com/

,= ,-_-. =. | DRMs are often designed by ambitious, well-funded consortia, |
((_/)o o(\_)) | with top-notch engineers from every corner of the industry.. |
`-'(. .)`-' | They spend millions. They take years. They are defeated in|
\_/ | days, for pennies, by hobbyists. - Cory Doctorow |

The best optimizer is between your ears.
- Michael Abrash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHJZzLHy+EEHYuXnQRAlAXAKCOdQIvLtI/MZ8qnX3GkZcPEw/vxACdF+VO
4gYyttIP+R1TuS3urNk7Yxo=
=0ZtA
-----END PGP SIGNATURE-----

Ashish Shukla a écrit :
>
> ,--- ayqazi writes:
>
> | When the neighour tables are clear, and I ping my server from my
> | laptop (i.e. when ping6 doesn't work) wireshark on my laptop tells me
> | its sending ICMPv6 neighbour solicitation packets to ff02::1:ff00:1
> | over ath0, but I don't receive anything on my server's wireshark. So
> | these ff02::1:ff00:1 packets aren't being answered by the server. Any
> | ideas?
>
> So looks like ip6tables at server is dropping ICMPv6 packets.

AFAIK, even if ip6tables dropped the packets, wireshark would still see
them, wouldn't it ?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

,--- Pascal Hambourg writes:
| Ashish Shukla a écrit :
||

[...]

|| So looks like ip6tables at server is dropping ICMPv6 packets.

| AFAIK, even if ip6tables dropped the packets, wireshark would still
| see them, wouldn't it ?

No, wireshark won't see the packets, if firewall is dropping the packets.

HTH
- --
Ashish Shukla "Wah Java !!"
आशीष श�क�ल

weblog: http://wahjava.wordpress.com/

,= ,-_-. =. | DRMs are often designed by ambitious, well-funded consortia, |
((_/)o o(\_)) | with top-notch engineers from every corner of the industry.. |
`-'(. .)`-' | They spend millions. They take years. They are defeated in|
\_/ | days, for pennies, by hobbyists. - Cory Doctorow |

The best optimizer is between your ears.
- Michael Abrash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHJgfSHy+EEHYuXnQRAvsGAKC06IXlOXi3BcPv3/EVP3TPI8rn7ACbBp5X
4sb3lBxUvzG8/Q886VdJj78=
=BmFD
-----END PGP SIGNATURE-----

Ashish Shukla a écrit :
>
> Pascal Hambourg writes:
> | AFAIK, even if ip6tables dropped the packets, wireshark would still
> | see them, wouldn't it ?
>
> No, wireshark won't see the packets, if firewall is dropping the packets.

I just tested on my box, and both tethereal (console version of
ethereal, predecessor of wireshark) and tcpdump see incoming IPv6
packets that are dropped by ip6tables.

Pascal Hambourg wrote:

> Ashish Shukla a écrit :
>>
>> Pascal Hambourg writes:
>> | AFAIK, even if ip6tables dropped the packets, wireshark would still
>> | see them, wouldn't it ?
>>
>> No, wireshark won't see the packets, if firewall is dropping the packets.
>
> I just tested on my box, and both tethereal (console version of
> ethereal, predecessor of wireshark) and tcpdump see incoming IPv6
> packets that are dropped by ip6tables.

Apologies for posting incorrect information. I just verified I'm able to receive
not only IPv6 packets but also IPv4 packets dropped by ip{6,}tables
respectively.

Thanks for correcting me.

--
Ashish Shukla
http://wahjava.wordpress.com/