 NetFixer, From my cold dead hands, Premium, join:2004-06-24, The Boro
reply to GmDude66
Re: Receiving /128 Address (OpenWRT)
said by GmDude66: Hmm my Mac was assigned both ipv6 and ipv4 addresses. Still cannot ping on 6. Interesting, it looks as if it should be working.
Can you ping6 your router's LAN IPv6 address [2601:1:b80:4e:126f:3fff:fe02:c1ca]?
Does a traceroute6 to a known public IPv6 host like ipv6.speedtest.comcast.net reach your router's LAN interface and stop there? Does it even reach your router's LAN interface?
I know these seem like dumb questions, but I am just trying to see where the blockage occurs. Since you say you can get internet IPv6 connectivity from inside your router, and since the router and your MacBook both have IPv6 address assignments, I am thinking that this may be a firewall problem. The question would be is it the MacBook's firewall or the router's firewall.
I ran into a similar scenario when I first enabled the IPv6 firewall in my D-Link DIR655. The router and attached devices had IPv6 addresses, and I could do IPv6 pings to the internet from inside the router, but IPv6 connectivity from attached devices stopped at the DIR655's LAN interface. The problem in my case was that the IPv6 firewall in the DIR655 did not have a default allow outbound rule (unlike any router's firewall I have ever seen). As soon as I created a default allow outbound rule in its IPv6 firewall, I had IPv6 connectivity.
-- A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.
When governments fear people, there is liberty. When the people fear the government, there is tyranny. |
|
 graysonf, Premium, MVM, join:1999-07-16, Fort Lauderdale, FL
said by NetFixer:
The problem in my case was that the IPv6 firewall in the DIR655 did not have a default allow outbound rule (unlike any router's firewall I have ever seen).

m0n0wall also does not have a default "allow outbound to any" rule for IPv6 internal interfaces. |
|
reply to NetFixer
I cannot ping6 from any computer connected to LAN.
I can ping6 anything directly from router.
I disabled the firewall on Mac and on the router (Allow Any From Any To Any).
I ran a traceroute6:
dereks-macbook:~ derek$ traceroute6 ipv6.speedtest.comcast.net
traceroute6 to ipv6.speedtest.g.comcast.net (2001:558:1010:5:68:87:73:52) from 2601:1:b80:53:449c:1b65:79a8:3890, 64 hops max, 12 byte packets
1 * * *
2 * * *
^C
dereks-macbook:~ derek$
I noticed on the routes page something funky:
Active IPv4-Routes
Network    Target            IPv4-Gateway    Metric
wan        0.0.0.0/0         98.237.12.1     0
wan        98.237.12.0/22    0.0.0.0         0
lan        192.168.1.0/24    0.0.0.0         0

Active IPv6-Routes
Network     Target                                  IPv6-Gateway         Metric
wan         2001:558:6031:17:7C6F:C57F:8412:9424    0:0:0:0:0:0:0:0/0    00000100
wan         2001:558:FEED:0:0:0:0:1                 0:0:0:0:0:0:0:0/0    00000000
wan         2001:558:FEED:0:0:0:0:2                 0:0:0:0:0:0:0:0/0    00000000
loopback    2601:1:B80:4E:0:0:0:0/64                0:0:0:0:0:0:0:0/0    00000100
loopback    2601:1:B80:53:449C:1B65:79A8:3890       0:0:0:0:0:0:0:0/0    00000000
loopback    2601:1:B80:53:0:0:0:0/64                0:0:0:0:0:0:0:0/0    00000100
lan         2601:1:B80:53:0:0:0:0/64                0:0:0:0:0:0:0:0/0    00000100
wan         2607:F8B0:4006:800:0:0:0:1000           0:0:0:0:0:0:0:0/0    00000000
wan         2607:F8B0:4006:803:0:0:0:1005           0:0:0:0:0:0:0:0/0    00000000
wan         0:0:0:0:0:0:0:0/0                       0:0:0:0:0:0:0:0/0    00000400
loopback    0:0:0:0:0:0:0:0/0                       0:0:0:0:0:0:0:0/0    FFFFFFFF
There is no ipv6 gateway listed for anything. |
|
 | Also, just found this in my kernel log: [93708.410000] icmpv6_send: no reply to icmp error |
|
 NetFixer, From my cold dead hands, Premium, join:2004-06-24, The Boro
said by GmDude66:
Also, just found this in my kernel log: [93708.410000] icmpv6_send: no reply to icmp error

The icmpv6 config in your router is where I was just about to suggest that you look; that is why I had requested the IPv6 traceroutes and pings, so that I could see if your router responded on its LAN interface. The fact that your MacBook does not get a reply from your router's LAN when doing a traceroute6 to an Internet location says that something is wonky in your router's icmpv6 config.
Here is a traceroute I just did to ipv6.speedtest.comcast.net after temporarily disabling IPv6 routing in my D-Link DIR655 by disabling its default allow LAN to WAN IPv6 firewall rule. Following that traceroute is a ping to the router's IPv6 LAN address:
C:\>tracert ipv6.speedtest.comcast.net
Tracing route to ipv6.speedtest.g.comcast.net [2001:558:1010:5:68:87:73:52]
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms 2601:5:c80:90:1e7e:e5ff:fe4c:e6ff
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * ^C
C:\>ping 2601:5:c80:90:1e7e:e5ff:fe4c:e6ff
Pinging 2601:5:c80:90:1e7e:e5ff:fe4c:e6ff with 32 bytes of data:
Reply from 2601:5:c80:90:1e7e:e5ff:fe4c:e6ff: time<1ms
Reply from 2601:5:c80:90:1e7e:e5ff:fe4c:e6ff: time<1ms
Reply from 2601:5:c80:90:1e7e:e5ff:fe4c:e6ff: time<1ms
Reply from 2601:5:c80:90:1e7e:e5ff:fe4c:e6ff: time<1ms
Ping statistics for 2601:5:c80:90:1e7e:e5ff:fe4c:e6ff:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Even with the internal IPv6 routing blocked inside the router, I can still get an ICMP echo response on its LAN interface. Right at this moment it is not convenient for me to connect to my Netgear router to check its icmpv6 config and post some things for you to look for, but later this evening I should be able to do that (if you have not already found the problem in your config before then).
|
 | Yes, please post your configuration. In the meantime, I am searching! |
|
 | Have not found any results. Thinking about switching back to DD-WRT :P |
|
|
|
 NetFixer, From my cold dead hands, Premium, join:2004-06-24, The Boro
said by GmDude66:
Have not found any results. Thinking about switching back to DD-WRT :P

Sorry that I took so long to get back to you, but my notebook was in use by someone else, and that is the only reasonably convenient box I have to access my Netgear guest router.
Once I had it connected, I found that there was no clearly defined config for ICMP6 except for the ip6table rules.
Just for grins, I did an "ip6tables -F" command in the router which cleared the ipv6 firewall rules. That effectively killed LAN to WAN IPv6 traffic in that router. I then did the traceroute below from the notebook:
C:\>tracert6 ipv6.speedtest.comcast.net
Tracing route to ipv6.speedtest.g.comcast.net [2001:558:1010:5:68:87:73:52]
from 2601:5:c80:85:3c63:a145:83e4:bb93 over a maximum of 30 hops:
1 1 ms 1 ms 1 ms 2601:5:c80:85:a221:b7ff:fe9c:602
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * ^C
As you can see, I was no longer able to do a traceroute to an IPv6 server on the Internet, but my Netgear router still responded to the traceroute ICMP6 echo request on its LAN. Since your router did not respond to the ICMP6 echo request, that would seem to indicate that your problem is not necessarily related to a lack of ICMP6 rules. However, you could do an "ip6tables -L" command in your router to see what rules (if any) are present. Here is what I saw after I flushed the ip6tables in my router:
root@WNR1000v2:/# ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
If you don't have any ip6tables rules in your router, that would definitely be a problem, but that may or may not be the only problem. FWIW, here are the ip6tables that are normally in my router:
root@WNR1000v2:/# ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP ipv6-icmp anywhere ::1/128 [8 bytes of unknown target data]
DROP ipv6-icmp anywhere ::1/128 [8 bytes of unknown target data]
IPv6-CONE all anywhere anywhere [8 bytes of unknown target data]
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all !2601:5:c80:85::/64 anywhere [8 bytes of unknown target data]
DROP tcp ::1/128 ::2/128 UNKNOWN match `tcp' [8 bytes of unknown target data]
ACCEPT udp ::3/128 ::4/128 UNKNOWN match `udp' [8 bytes of unknown target data]
DROP ipv6-icmp ::5/128 ::6/128 ipv6-icmp echo-reply UNKNOWN match `limit' [8 bytes of
ACCEPT ipv6-icmp ::5/128 ::6/128 ipv6-icmp echo-reply [8 bytes of unknown target data]
DROP all ::7/128 anywhere [8 bytes of unknown target data]
IPv6-CONE all anywhere anywhere [8 bytes of unknown target data]
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
If you would like to see any specific config or script file on my router, let me know and I will try to find it and post it. I say "try" because even though the router does run on OpenWrt, it is still a Netgear specific version of OpenWrt, and they seem to be doing some rather obfuscated things. Most of the config files that I see are created on the fly by script files on bootup, so I don't see the usual generic config files that are present in public OpenWrt distributions.
|
I am thinking this is a firewall issue.
Can you please look over this config?
root@OpenWrt:~# ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all anywhere anywhere
syn_flood tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
input_rule all anywhere anywhere
input all anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
forwarding_rule all anywhere anywhere
forward all anywhere anywhere
reject all anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all anywhere anywhere
output_rule all anywhere anywhere
output all anywhere anywhere
Chain forward (1 references)
target prot opt source destination
zone_lan_forward all anywhere anywhere
zone_wan_forward all anywhere anywhere
Chain forwarding_lan (1 references)
target prot opt source destination
Chain forwarding_rule (1 references)
target prot opt source destination
Chain forwarding_wan (1 references)
target prot opt source destination
Chain input (1 references)
target prot opt source destination
zone_lan all anywhere anywhere
zone_wan all anywhere anywhere
Chain input_lan (1 references)
target prot opt source destination
Chain input_rule (1 references)
target prot opt source destination
Chain input_wan (1 references)
target prot opt source destination
Chain output (1 references)
target prot opt source destination
zone_lan_ACCEPT all anywhere anywhere
zone_wan_ACCEPT all anywhere anywhere
Chain output_rule (1 references)
target prot opt source destination
Chain reject (5 references)
target prot opt source destination
REJECT tcp anywhere anywhere reject-with tcp-reset
REJECT all anywhere anywhere reject-with icmp6-port-unreachable
Chain syn_flood (1 references)
target prot opt source destination
RETURN tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP all anywhere anywhere
Chain zone_lan (1 references)
target prot opt source destination
input_lan all anywhere anywhere
zone_lan_ACCEPT all anywhere anywhere
Chain zone_lan_ACCEPT (2 references)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
Chain zone_lan_DROP (0 references)
target prot opt source destination
DROP all anywhere anywhere
DROP all anywhere anywhere
Chain zone_lan_REJECT (1 references)
target prot opt source destination
reject all anywhere anywhere
reject all anywhere anywhere
Chain zone_lan_forward (1 references)
target prot opt source destination
zone_wan_ACCEPT all anywhere anywhere
forwarding_lan all anywhere anywhere
zone_lan_REJECT all anywhere anywhere
Chain zone_wan (1 references)
target prot opt source destination
ACCEPT udp fe80::/10 fe80::/10 udp spt:dhcpv6-server dpt:dhcpv6-client
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-reply limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp bad-header limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-solicitation limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-advertisement limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-advertisement limit: avg 1000/sec burst 5
input_wan all anywhere anywhere
zone_wan_REJECT all anywhere anywhere
Chain zone_wan_ACCEPT (2 references)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
Chain zone_wan_DROP (0 references)
target prot opt source destination
DROP all anywhere anywhere
DROP all anywhere anywhere
Chain zone_wan_REJECT (2 references)
target prot opt source destination
reject all anywhere anywhere
reject all anywhere anywhere
Chain zone_wan_forward (1 references)
target prot opt source destination
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-reply limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp bad-header limit: avg 1000/sec burst 5
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5
forwarding_wan all anywhere anywhere
zone_wan_REJECT all anywhere anywhere
|
|
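An added example, not part of any post in this thread: plain `ip6tables -L` omits the in/out interface columns that `-v` shows, so the two identical-looking `ACCEPT all anywhere anywhere` rules in `zone_wan_ACCEPT` above cannot be told apart from this listing. The Python below (function names are assumptions of this example) parses an abridged copy of the posted listing, follows the jumps from FORWARD, and flags chains whose rules print identically.

```python
# Added example; function names are its own. LISTING is abridged from the post above.
LISTING = """\
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
forwarding_rule all anywhere anywhere
forward all anywhere anywhere
reject all anywhere anywhere
Chain forward (1 references)
target prot opt source destination
zone_lan_forward all anywhere anywhere
zone_wan_forward all anywhere anywhere
Chain zone_lan_forward (1 references)
target prot opt source destination
zone_wan_ACCEPT all anywhere anywhere
forwarding_lan all anywhere anywhere
zone_lan_REJECT all anywhere anywhere
Chain zone_wan_ACCEPT (2 references)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
"""

def parse_chains(text):
    """Return {chain: [rule, ...]} from plain `ip6tables -L` output."""
    chains, current = {}, None
    for line in (" ".join(l.split()) for l in text.splitlines()):
        if line.startswith("Chain "):
            current = chains.setdefault(line.split()[1], [])
        elif line and current is not None and not line.startswith("target "):
            current.append(line)
    return chains

def ambiguous_chains(chains):
    """Chains where two rules print identically, so some match is hidden."""
    return sorted(c for c, r in chains.items() if len(set(r)) < len(r))

def reachable(chains, start="FORWARD"):
    """Chains present in the listing that `start` jumps to, in discovery order."""
    seen, stack = [], [start]
    while stack:
        for rule in chains.get(stack.pop(), []):
            target = rule.split()[0]
            if target in chains and target not in seen:
                seen.append(target)
                stack.append(target)
    return seen

if __name__ == "__main__":
    c = parse_chains(LISTING)
    print("from FORWARD:", reachable(c), "ambiguous:", ambiguous_chains(c))
```

Re-running the listing as `ip6tables -L -v -n` or `ip6tables -S` prints the interface matches that decide which of those rules applies.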
 NetFixer, From my cold dead hands, Premium, join:2004-06-24, The Boro
| If there is anything in the ip6tables information that you posted that would keep your router from processing LAN to WAN IPv6 traffic, I don't see it; but perhaps someone with a keener eye (and more IPv6 experience)* will look at it and let you know definitively.
*When I was actively providing network support before my retirement last year, I did not get involved with native IPv6 support because none of the ISPs I worked with offered it (and I did not even have any clients who needed/used IPv6 tunnels). I have therefore only been involved with my own IPv6 connections, and I have had to learn what I know about IPv6 the hard way.
|