dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
7
share rss forum feed

GmDude66

join:2007-09-09
York, PA
reply to GmDude66

Re: Recieving /128 Address (OpenWRT)

Also, just found this in my kernel log:
[93708.410000] icmpv6_send: no reply to icmp error



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
·Comcast

said by GmDude66:

Also, just found this in my kernel log:
[93708.410000] icmpv6_send: no reply to icmp error

The icmpv6 config in your router is where I was just about to suggest that you look; that is why I had requested the IPv6 traceroutes and pings, so that I could see if your router responded on its LAN interface. The fact that your MacBook does not get a reply from your router's LAN when doing a traceroute6 to an Internet location says that something is wonky in your router's icmpv6 config.

Here is a traceroute I just did to ipv6.speedtest.comcast.net after temporarily disabling IPv6 routing in my D-Link DIR655 by disabling its default allow LAN to WAN IPv6 firewall rule. Following that traceroute is a ping to the router's IPv6 LAN address:


C:\>tracert ipv6.speedtest.comcast.net
 
Tracing route to ipv6.speedtest.g.comcast.net [2001:558:1010:5:68:87:73:52]
over a maximum of 30 hops:
 
  1     1 ms    <1 ms    <1 ms  2601:5:c80:90:1e7e:e5ff:fe4c:e6ff
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *     ^C
 
C:\>ping 2601:5:c80:90:1e7e:e5ff:fe4c:e6ff
 
Pinging 2601:5:c80:90:1e7e:e5ff:fe4c:e6ff with 32 bytes of data:
 
Reply from 2601:5:c80:90:1e7e:e5ff:fe4c:e6ff: time<1ms
Reply from 2601:5:c80:90:1e7e:e5ff:fe4c:e6ff: time<1ms
Reply from 2601:5:c80:90:1e7e:e5ff:fe4c:e6ff: time<1ms
Reply from 2601:5:c80:90:1e7e:e5ff:fe4c:e6ff: time<1ms
 
Ping statistics for 2601:5:c80:90:1e7e:e5ff:fe4c:e6ff:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
 



Even with the internal IPv6 routing blocked inside the router, I can still get an ICMP echo response on its LAN interface. Right at this moment it is not convenient for me to connect to my Netgear router to check its icmpv6 config and post some things for you to look for, but later this evening I should be able to do that (if you have not already found the problem in your config before then).

--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.

GmDude66

join:2007-09-09
York, PA

Yes, please post your configuration. In the meantime, I am searching!


GmDude66

join:2007-09-09
York, PA

Have not found any results. Thinking about switching back to DD-WRT :P



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
·Comcast

said by GmDude66:

Have not found any results. Thinking about switching back to DD-WRT :P

Sorry that I took so long to get back to you, but my notebook was in use by someone else, and that is the only reasonably convenient box I have to access my Netgear guest router.

Once I had it connected, I found that there was no clearly defined config for ICMP6 except for the ip6table rules.

Just for grins, I did an "ip6tables -F" command in the router which cleared the ipv6 firewall rules. That effectively killed LAN to WAN IPv6 traffic in that router. I then did the traceroute below from the notebook:


C:\>tracert6 ipv6.speedtest.comcast.net
 
Tracing route to ipv6.speedtest.g.comcast.net [2001:558:1010:5:68:87:73:52]
from 2601:5:c80:85:3c63:a145:83e4:bb93 over a maximum of 30 hops:
 
  1        1 ms     1 ms     1 ms  2601:5:c80:85:a221:b7ff:fe9c:602
  2        *        *        *     Request timed out.
  3        *        *        *     Request timed out.
  4        *        *        *     Request timed out.
  5        *        *     ^C
 



As you can see, I was no longer able to do a traceroute to an IPv6 server on the Internet, but my Netgear router still responded to the traceroute ICMP6 echo request on its LAN. Since your router did not respond to the ICMP6 echo request, that would seem to indicate that your problem is not necessarily related to a lack of ICMP6 rules. However, you could do a "ip6tables -L" command in your router to see what rules (if any) are present. Here is what I saw after I flushed the ip6tables in my router:


root@WNR1000v2:/# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 



If you don't have any ip6tables rules in your router, that would definitely be a problem, but that may or may not be the only problem. FWIW, here are the ip6tables that are normally in my router:


root@WNR1000v2:/# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       ipv6-icmp    anywhere             ::1/128            [8 bytes of unknown target data]
DROP       ipv6-icmp    anywhere             ::1/128            [8 bytes of unknown target data]
IPv6-CONE  all      anywhere             anywhere           [8 bytes of unknown target data]
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all     !2601:5:c80:85::/64   anywhere           [8 bytes of unknown target data]
DROP       tcp      ::1/128              ::2/128            UNKNOWN match `tcp' [8 bytes of unknown target data]
ACCEPT     udp      ::3/128              ::4/128            UNKNOWN match `udp' [8 bytes of unknown target data]
DROP       ipv6-icmp    ::5/128              ::6/128            ipv6-icmp echo-reply UNKNOWN match `limit' [8 bytes of
ACCEPT     ipv6-icmp    ::5/128              ::6/128            ipv6-icmp echo-reply [8 bytes of unknown target data]
DROP       all      ::7/128              anywhere           [8 bytes of unknown target data]
IPv6-CONE  all      anywhere             anywhere           [8 bytes of unknown target data]
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 



If you would like to see any specific config or script file on my router, let me know and I will try to find it and post it. I say "try" because even though the router does run on OpenWrt, it is still a Netgear specific version of OpenWrt, and they seem to be doing some rather obfuscated things. Most of the config files that I see are created on the fly by script files on bootup, so I don't see the usual generic config files that are present in public OpenWrt distributions.

--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.

GmDude66

join:2007-09-09
York, PA
Reviews:
·Comcast

I am thinking this is a firewall issue.

Can you please look over this config?

root@OpenWrt:~# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere            ctstate RELATED,ESTABLISHED 
ACCEPT     all      anywhere             anywhere            
syn_flood  tcp      anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
input_rule  all      anywhere             anywhere            
input      all      anywhere             anywhere            
 
Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere            ctstate RELATED,ESTABLISHED 
forwarding_rule  all      anywhere             anywhere            
forward    all      anywhere             anywhere            
reject     all      anywhere             anywhere            
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere            ctstate RELATED,ESTABLISHED 
ACCEPT     all      anywhere             anywhere            
output_rule  all      anywhere             anywhere            
output     all      anywhere             anywhere            
 
Chain forward (1 references)
target     prot opt source               destination         
zone_lan_forward  all      anywhere             anywhere            
zone_wan_forward  all      anywhere             anywhere            
 
Chain forwarding_lan (1 references)
target     prot opt source               destination         
 
Chain forwarding_rule (1 references)
target     prot opt source               destination         
 
Chain forwarding_wan (1 references)
target     prot opt source               destination         
 
Chain input (1 references)
target     prot opt source               destination         
zone_lan   all      anywhere             anywhere            
zone_wan   all      anywhere             anywhere            
 
Chain input_lan (1 references)
target     prot opt source               destination         
 
Chain input_rule (1 references)
target     prot opt source               destination         
 
Chain input_wan (1 references)
target     prot opt source               destination         
 
Chain output (1 references)
target     prot opt source               destination         
zone_lan_ACCEPT  all      anywhere             anywhere            
zone_wan_ACCEPT  all      anywhere             anywhere            
 
Chain output_rule (1 references)
target     prot opt source               destination         
 
Chain reject (5 references)
target     prot opt source               destination         
REJECT     tcp      anywhere             anywhere            reject-with tcp-reset 
REJECT     all      anywhere             anywhere            reject-with icmp6-port-unreachable 
 
Chain syn_flood (1 references)
target     prot opt source               destination         
RETURN     tcp      anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 
DROP       all      anywhere             anywhere            
 
Chain zone_lan (1 references)
target     prot opt source               destination         
input_lan  all      anywhere             anywhere            
zone_lan_ACCEPT  all      anywhere             anywhere            
 
Chain zone_lan_ACCEPT (2 references)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere            
ACCEPT     all      anywhere             anywhere            
 
Chain zone_lan_DROP (0 references)
target     prot opt source               destination         
DROP       all      anywhere             anywhere            
DROP       all      anywhere             anywhere            
 
Chain zone_lan_REJECT (1 references)
target     prot opt source               destination         
reject     all      anywhere             anywhere            
reject     all      anywhere             anywhere            
 
Chain zone_lan_forward (1 references)
target     prot opt source               destination         
zone_wan_ACCEPT  all      anywhere             anywhere            
forwarding_lan  all      anywhere             anywhere            
zone_lan_REJECT  all      anywhere             anywhere            
 
Chain zone_wan (1 references)
target     prot opt source               destination         
ACCEPT     udp      fe80::/10            fe80::/10           udp spt:dhcpv6-server dpt:dhcpv6-client 
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp echo-request limit: avg 1000/sec burst 5 
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp echo-reply limit: avg 1000/sec burst 5 
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5 
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp packet-too-big limit: avg 1000/sec burst 5 
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp time-exceeded limit: avg 1000/sec burst 5 
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp bad-header limit: avg 1000/sec burst 5 
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5 
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp router-solicitation limit: avg 1000/sec burst 5 
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp neighbour-solicitation limit: avg 1000/sec burst 5 
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp router-advertisement limit: avg 1000/sec burst 5 
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp neighbour-advertisement limit: avg 1000/sec burst 5 
input_wan  all      anywhere             anywhere            
zone_wan_REJECT  all      anywhere             anywhere            
 
Chain zone_wan_ACCEPT (2 references)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere            
ACCEPT     all      anywhere             anywhere            
 
Chain zone_wan_DROP (0 references)
target     prot opt source               destination         
DROP       all      anywhere             anywhere            
DROP       all      anywhere             anywhere            
 
Chain zone_wan_REJECT (2 references)
target     prot opt source               destination         
reject     all      anywhere             anywhere            
reject     all      anywhere             anywhere            
 
Chain zone_wan_forward (1 references)
target     prot opt source               destination         
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp echo-request limit: avg 1000/sec burst 5 
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp echo-reply limit: avg 1000/sec burst 5 
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5 
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp packet-too-big limit: avg 1000/sec burst 5 
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp time-exceeded limit: avg 1000/sec burst 5 
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp bad-header limit: avg 1000/sec burst 5 
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5 
forwarding_wan  all      anywhere             anywhere            
zone_wan_REJECT  all      anywhere             anywhere
 


NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
·Comcast

If there is anything in the ip6tables information that you posted that would keep your router from processing LAN to WAN IPv6 traffic, I don't see it; but perhaps someone with a keener eye (and more IPv6 experience)* will look at it and let you know definitively.

*When I was actively providing network support before my retirement last year, I did not get involved with native IPv6 support because none of the ISPs I worked with offered it (and I did not even have any clients who needed/used IPv6 tunnels). I have therefore only been involved with my own IPv6 connections, and I have had to learn what I know about IPv6 the hard way.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.