I have an openSUSE 11.2 server configured as my firewall/server and IPv4 NAT router for my LAN. I have an IPv6 tunnel configured on it. All traffic to and from the server over IPv6 works just fine. All IPv4 traffic from the LAN gets masqueraded correctly. However, I cannot seem to route IPv6 traffic from my LAN. From the internal machine I can ping the firewall's IPv6 address and my end of the sit tunnel. Any IPv6 traffic from the LAN seems to be getting dropped by SuSEfirewall2. The following appears in /var/log/firewall on the router:
From this I can see that it appears to select the correct route from the internal network interface 'eth0' to the IPv6 tunnel 'sit1', but the packet is getting dropped.
The following is what is happening on the internal client machine:
PING ftp.ipv6.heanet.ie(ftp.heanet.ie) 56 data bytes
From 2001:470:1f07:a4f::1 icmp_seq=1 Destination unreachable: Address unreachable
From 2001:470:1f07:a4f::1 icmp_seq=2 Destination unreachable: Address unreachable
On 01/05/10 04:46, w1nr wrote:
>
> I just tried it with SuSEfirewall2 turned off on the router and it seems
> to pass the traffic. So my problem is with SuSEfirewall2 and not the
> routing.
SUSE fw2 doesn’t “do” IPv6, so if you want to stick with this (out)dated software,
all you can do is make custom ip6tables rules yourself.
However, there are other firewall compilers that have no problem working with
IPv6. One of those, that I can recommend, is “Shoreline firewall” or Shorewall
for short. See http://shorewall.net
With Shorewall, you have much more readable configuration files and a very
usable command line interface to the compiler program.
Have a look on the website and read up on the examples Tom has to show, you’ll
find that compared to the cryptic options in the SUSE fw2 file, Shorewall’s
rules file is an “epiphany”.
OK, now the blind man can see. After noticing that I could ping and port scan my internal workstation from OUTSIDE I realized that I may have the rule reversed. In /etc/sysconfig/SuSEfirewall2 the following line is needed:
FW_FORWARD="2001:470:xxxx:xxxx::/64,2000::/3"
I had the networks reversed allowing Internet traffic in rather than LAN traffic out. Hopefully this will help someone who made the same mistake as I.
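The fix above turns on the order of the two networks in FW_FORWARD: the first field is the source, the second the destination, so swapping them flips a "LAN out" rule into an "Internet in" rule. The following shell script is an added example, not code from the thread or from SuSEfirewall2. It renders a FW_FORWARD value as the plain ip6tables FORWARD rules the earlier reply suggests writing by hand, and classifies each entry's direction so the reversed and corrected settings can be compared side by side. It assumes the entry format SOURCE,DESTINATION[,PROTO[,PORT]], uses a constructed documentation prefix 2001:db8:a4f::/64 in place of the poster's real LAN prefix, and takes eth0 as the LAN side and sit1 as the tunnel; the rendering is a simplification and is not the chain layout SuSEfirewall2 itself generates.

```shell
# Added example, not part of the original thread. Renders a SuSEfirewall2-style
# FW_FORWARD value as printed (never executed) ip6tables FORWARD rules and
# labels each entry's direction. Assumed entry format:
#   SOURCE,DESTINATION[,PROTO[,PORT]]
# 2001:db8:a4f::/64 is a constructed stand-in for the real LAN prefix.

LAN_PREFIX="2001:db8:a4f::/64"   # assumed LAN /64 on eth0 (constructed)
LAN_IF="eth0"                     # assumed internal interface
TUN_IF="sit1"                     # assumed 6in4 tunnel interface

# Classify one entry by exact string comparison of its source/destination
# against the LAN prefix: lan-to-internet, internet-to-lan, or other.
forward_direction() {
    src=${1%%,*}
    rest=${1#*,}
    dst=${rest%%,*}
    if [ "$src" = "$LAN_PREFIX" ]; then
        echo lan-to-internet
    elif [ "$dst" = "$LAN_PREFIX" ]; then
        echo internet-to-lan
    else
        echo other
    fi
}

# Render one entry as a single ip6tables command line (simplified rendering).
render_entry() {
    entry=$1
    src=$(printf '%s' "$entry" | cut -d, -f1)
    dst=$(printf '%s' "$entry" | cut -d, -f2)
    proto=$(printf '%s' "$entry" | cut -d, -f3)
    port=$(printf '%s' "$entry" | cut -d, -f4)
    case $(forward_direction "$entry") in
        lan-to-internet) ifs="-i $LAN_IF -o $TUN_IF" ;;
        internet-to-lan) ifs="-i $TUN_IF -o $LAN_IF" ;;
        *)               ifs="" ;;
    esac
    rule="ip6tables -A FORWARD"
    if [ -n "$ifs" ]; then rule="$rule $ifs"; fi
    rule="$rule -s $src -d $dst"
    if [ -n "$proto" ]; then rule="$rule -p $proto"; fi
    if [ -n "$port" ]; then rule="$rule --dport $port"; fi
    echo "$rule -j ACCEPT"
}

# Render every space-separated entry of a FW_FORWARD value.
render_forward() {
    for entry in $1; do
        render_entry "$entry"
    done
}

# Print "yes" if any entry would forward traffic from outside into the LAN.
lan_exposed() {
    for entry in $1; do
        if [ "$(forward_direction "$entry")" = internet-to-lan ]; then
            echo yes
            return 0
        fi
    done
    echo no
}

# The reversed setting from the thread (Internet in) and the corrected one
# (LAN out), with the constructed prefix substituted for the real one.
REVERSED="2000::/3,2001:db8:a4f::/64"
CORRECT="2001:db8:a4f::/64,2000::/3"

echo "# reversed setting, exposes LAN: $(lan_exposed "$REVERSED")"
render_forward "$REVERSED"
echo "# corrected setting, exposes LAN: $(lan_exposed "$CORRECT")"
render_forward "$CORRECT"
```

Run as `sh render_forward.sh`; the reversed value is reported as exposing the LAN and renders as a rule from sit1 into eth0, which is exactly what made the internal workstation pingable and port-scannable from outside. The rendered lines are one-directional ACCEPT rules only; in a real ruleset the replies to LAN-initiated connections need a stateful `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule on the FORWARD chain, which this script deliberately does not render.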
Thanks very much for the great post, I’ve stumbled upon it multiple times in my web travels! While it may be possible to go through all this trouble to get IPv6 tunnels working through pfSense, would it be possible to simply give pfSense a link-local IPv6 address?