
routing – identical IPv6 ping packets at intermediate Linux router, reply handled differently depending on original source?


I have a home network, where I run Linux on the egress gateway (OpenWRT master branch). I'm attempting to provide IPv6 connectivity via a sit tunnel to another host of mine, a colocated Linux server (CentOS).

The colo box I have configured to do IPv6 forwarding to a remote network via WireGuard (that is the interface where I am sniffing packets with tcpdump below), and thus this Linux colo box is an "intermediate router" on this network path.

However, I have this puzzling situation where a returning IPv6 ICMP ping reply packet at this intermediate host is handled differently depending on which part of my home network it came from (which is baffling, since at the intermediate it should be masqueraded identically). It either succeeds going back to the pinger, or fails with a "destination unreachable, unreachable prohibited" reply being sent BACK to the host being pinged, seemingly only depending on whether I ran the ping on the home router or on a host behind the home router.

In my example below, fd8f:a363::1 is the IPv6 address on the local side of my WireGuard tunnel (and the tunnel otherwise works fine for IPv4 traffic, and for IPv6 traffic as long as it is either from this colo host or from my home gateway router), and 2001:db8:1328::3 is the remote target of the ICMP at the far end of the tunnel.

So the request makes it all the way to the target host just fine, but when the host replies, its reply may be blocked depending on where the source was. I cannot work out what could be causing this.

When I ping from the home router via the sit1 tunnel, all seems normal:

[root@intermediate ipv6]# tcpdump -n -vv -i wg0 icmp6
tcpdump: listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
17:01:51.661837 IP6 (flowlabel 0x81990, hlim 63, next-header ICMPv6 (58) payload length: 64) fd8f:a363::1 > 2001:db8:1328::3: [icmp6 sum ok] ICMP6, echo request, seq 0
17:01:51.789607 IP6 (flowlabel 0x8878d, hlim 63, next-header ICMPv6 (58) payload length: 64) 2001:db8:1328::3 > fd8f:a363::1: [icmp6 sum ok] ICMP6, echo reply, seq 0
17:01:52.661629 IP6 (flowlabel 0x81990, hlim 63, next-header ICMPv6 (58) payload length: 64) fd8f:a363::1 > 2001:db8:1328::3: [icmp6 sum ok] ICMP6, echo request, seq 1
17:01:52.789111 IP6 (flowlabel 0x8878d, hlim 63, next-header ICMPv6 (58) payload length: 64) 2001:db8:1328::3 > fd8f:a363::1: [icmp6 sum ok] ICMP6, echo reply, seq 1

However, if I ping from any host behind the home gateway (like, say, a laptop on my home network that uses the home gateway as its default router):

[root@intermediate ipv6]# tcpdump -n -vv -i wg0 icmp6
tcpdump: listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
17:01:43.095796 IP6 (flowlabel 0x20000, hlim 62, next-header ICMPv6 (58) payload length: 16) fd8f:a363::1 > 2001:db8:1328::3: [icmp6 sum ok] ICMP6, echo request, seq 0
17:01:43.223639 IP6 (flowlabel 0x8878d, hlim 63, next-header ICMPv6 (58) payload length: 16) 2001:db8:1328::3 > fd8f:a363::1: [icmp6 sum ok] ICMP6, echo reply, seq 0
17:01:43.223713 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) fd8f:a363::1 > 2001:db8:1328::3: [icmp6 sum ok] ICMP6, destination unreachable,  unreachable prohibited fd8f:a363::1
17:01:44.100759 IP6 (flowlabel 0x20000, hlim 62, next-header ICMPv6 (58) payload length: 16) fd8f:a363::1 > 2001:db8:1328::3: [icmp6 sum ok] ICMP6, echo request, seq 1
17:01:44.228429 IP6 (flowlabel 0x8878d, hlim 63, next-header ICMPv6 (58) payload length: 16) 2001:db8:1328::3 > fd8f:a363::1: [icmp6 sum ok] ICMP6, echo reply, seq 1
17:01:44.228510 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) fd8f:a363::1 > 2001:db8:1328::3: [icmp6 sum ok] ICMP6, destination unreachable,  unreachable prohibited fd8f:a363::1

I suspect something is misconfigured in the colo "intermediate" box setup, because if I sniff traffic on the tunnel from the home network side, I do not see anything but the requests, meaning that the colo host is not matching up the "flows" correctly to forward them back to the home network.

I've double and triple checked my ip6tables, and while I like to think I understand Linux networking somewhat well, this is genuinely stumping me. Any ideas on what could be causing this?

Update: I might have an idea why; it seems my home router is NOT doing masquerading of the IPv6 address when it arrives on the colo box's side of the sit tunnel. And that is despite it being in the same firewall zone as a working IPv4 tunnel (where masquerading is happening). I guess I will ~have to ask the OpenWRT folks what's up with that~ have overlooked that there is a separate "masq6" parameter I had not set on the FW zone. All is working now.
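As an added example (not part of the original post), the following Python script parses tcpdump lines in the `-n -vv` format shown above and flags echo replies that the capturing router itself answers with an ICMPv6 "unreachable prohibited"; the sample lines are copied from the second capture, and the hop-limit heuristic and the local address fd8f:a363::1 are assumptions taken from the question.

```python
"""Flag IPv6 echo replies that the capturing router answers with its own ICMPv6
'destination unreachable, unreachable prohibited'. Added example, not the post's code."""
import re

# Constructed input: lines copied from the question's second capture.
SAMPLE = """\
17:01:43.095796 IP6 (flowlabel 0x20000, hlim 62, next-header ICMPv6 (58) payload length: 16) fd8f:a363::1 > 2001:db8:1328::3: [icmp6 sum ok] ICMP6, echo request, seq 0
17:01:43.223639 IP6 (flowlabel 0x8878d, hlim 63, next-header ICMPv6 (58) payload length: 16) 2001:db8:1328::3 > fd8f:a363::1: [icmp6 sum ok] ICMP6, echo reply, seq 0
17:01:43.223713 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) fd8f:a363::1 > 2001:db8:1328::3: [icmp6 sum ok] ICMP6, destination unreachable,  unreachable prohibited fd8f:a363::1
"""

# One tcpdump -n -vv line for ICMPv6 echo / unreachable traffic.
LINE = re.compile(
    r"^(?P<ts>\S+) IP6 \((?:flowlabel (?P<flow>0x[0-9a-f]+), )?hlim (?P<hlim>\d+),"
    r".*?\) (?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): .*?ICMP6, "
    r"(?P<kind>echo request|echo reply|destination unreachable)"
    r"(?:, seq (?P<seq>\d+))?(?:,\s+(?P<code>unreachable prohibited) (?P<orig>[0-9a-f:]+))?"
)

def parse(text):
    """Return one dict per line that matches LINE; unparsed lines are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["hlim"] = int(d["hlim"])
            recs.append(d)
    return recs

def rejected_replies(records, local_addr):
    """Pair each 'unreachable prohibited' sent by local_addr with the echo reply it
    follows. Heuristic (assumption): hlim 64 is the Linux default for a packet the
    capturing host originated itself, while forwarded packets show a decremented hop
    limit (62/63 in the capture), so the router itself refused the reply."""
    findings = []
    for i, r in enumerate(records):
        if r["code"] != "unreachable prohibited" or r["src"] != local_addr or r["hlim"] != 64:
            continue
        # walk back to the most recent echo reply from the peer being rejected
        for prev in reversed(records[:i]):
            if prev["kind"] == "echo reply" and prev["src"] == r["dst"] and prev["dst"] == local_addr:
                findings.append({"peer": r["dst"], "seq": int(prev["seq"]),
                                 "reply_ts": prev["ts"], "reject_ts": r["ts"]})
                break
    return findings

if __name__ == "__main__":
    for f in rejected_replies(parse(SAMPLE), "fd8f:a363::1"):
        print("reply seq %(seq)d from %(peer)s at %(reply_ts)s rejected locally at %(reject_ts)s" % f)
```

A hit means the reply reached the router and the router refused it, which points at its own ip6tables REJECT rules or a missing NAT/conntrack mapping rather than at the remote side.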
