PTT數位生活區 / IPv6

[問題] router設定gw6c不能連線問題

看板IPv6作者 (Dowbatw)時間10年前 (2014/10/24 17:56), 10年前編輯推噓1(1031)
留言32則, 2人參與, 最新討論串1/1
各位好 我在我的AP(Openwrt)上面已經安裝並且設定好了gw6c 連線到中華電信的tunnel broker取得ipv6的ip router 上面 ping6 ipv6.google.com 也沒有問題 traceroute to ipv6.l.google.com (2404:6800:4008:c03::8b) from 2001:b020:0:71::281, 30 hops max, 16 byte packets 1 2001:b020:0:71::280 2.227 ms 2 2001:b020:0:24::254 2.099 ms 3 2001:b000:80:4:3011:3315:1:a 2.447 ms 4 2001:b000:80:3:80:81:3:1 2.999 ms 5 2001:b000:81:4:3201:3302:4:b 6.009 ms 6 2001:4860:1:1:0:d86:0:1a 3.505 ms 7 2001:4860::1:0:73ac 17.34 ms 8 2001:4860::8:0:73ad 11.252 ms 9 2001:4860::2:0:5046 34.833 ms 10 * 11 2404:6800:4008:c03::8b 9.448 ms gw6c並設定ifprefix 為區域網路(br-lan),也就是會把拿到的ip廣播給區域網路的設備 所以我的電腦目前網路卡有看到幾個ip如下 IPv6 Address: 2001:b000:a:e:7850:fcd6:b5ce:1bac IPv6 Address: fdb1:5979:7760::735 IPv6 Address: fdb1:5979:7760:0:7850:fcd6:b5ce:1bac Temporary IPv6 Address: 2001:b000:a:e:9cbd:5445:da23:707e Temporary IPv6 Address: fdb1:5979:7760:0:74dd:772e:1094:b49a Link-Local IPv6 Address: fe80:7850:fcd6:b5ce:1bac%4 Default Gateway: fe80:126f:3fff:fe02:3dd6%4 DNS Servers: 2001:b000:a:2:1 在電腦上 ping ipv6.google.com 顯示 Destination port unreacheable tracert -d -6 顯示 Destination protocol unreacheable 不知道是怎麼一回事 有試過把防火牆暫時先關掉測試,結果仍相同 PO上來希望各位解惑 -- ※ 發信站: 批踢踢實業坊(ptt.cc), 來自: 140.112.230.135 ※ 文章網址: http://www.ptt.cc/bbs/IPv6/M.1414144595.A.524.html
10/24 23:41, , 1F
openwrt版本? 有可能是ipv6的forward沒設好
10/24 23:41, 1F
10/24 23:55, , 2F
Barrier Breaker 14.07 / LuCI Trunk (0.12+svn-r10530)
10/24 23:55, 2F
這是我gw6c自動產生出的radvd設定值: ##### rtadvd.conf made by Gateway6 Client #### interface br-lan { AdvSendAdvert on; prefix 2001:b000:000a:000e::/64 { AdvOnLink on; AdvAutonomous on; }; }; gw6c 執行記錄 2014/10/24 23:38:21 I gw6c: /sbin/sysctl -w net.ipv6.conf.all.forwarding=1 2014/10/24 23:38:21 I gw6c: net.ipv6.conf.all.forwarding = 1 2014/10/24 23:38:21 I gw6c: /usr/sbin/radvd -p /var/run/radvd.pid -C /tmp/gw6c-radvd.conf 然後這是我用router擷取封包的紀錄(tcpdump -i br-lan -vv ip6) 擷取過程中電腦ping ipv6.google.com tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 65535 bytes 00:24:20.307314 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40) 2001:b000:a:e:9cbd:5445:da23:707e > sa-in-x65.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 50 00:24:20.307675 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 88) 2001:b000:a:e::1 > 2001:b000:a:e:9cbd:5445:da23:707e: [icmp6 sum ok] ICMP6, destination unreachable, unreachable port[|icmp6] 00:24:21.309425 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40) 2001:b000:a:e:9cbd:5445:da23:707e > sa-in-x65.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 51 00:24:21.309721 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 88) 2001:b000:a:e::1 > 2001:b000:a:e:9cbd:5445:da23:707e: [icmp6 sum ok] ICMP6, destination unreachable, unreachable port[|icmp6] 00:24:22.312397 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40) 2001:b000:a:e:9cbd:5445:da23:707e > sa-in-x65.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 52 00:24:22.312691 IP6 (hlim 64, next-header ICMPv6 (58) payload length : 88) 2001:b000:a:e::1 > 2001:b000:a:e:9cbd:5445:da23:707e: [icmp6 sum ok] ICMP6, destination unreachable, unreachable port[|icmp6] 00:24:22.433005 IP6 (hlim 1, next-header UDP (17) payload length: 154) fe80::7850:fcd6:b5ce:1bac.55817 > ff02::c.1900: [udp sum ok] UDP, length 146 00:24:23.315871 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40) 2001:b000:a:e:9cbd:5445:da23:707e > sa-in-x65.1e100.net: [icmp6 sum ok] ICMP6, echo request, seq 53 00:24:23.316160 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 88) 2001:b000:a:e::1 > 2001:b000:a:e:9cbd:5445:da23:707e: [icmp6 sum ok] ICMP6, destination unreachable, unreachable port[|icmp6] 00:24:23.454334 IP6 (hlim 1, next-header Options (0) payload length: 32) fe80::7850:fcd6:b5ce:1bac > ff02::c: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::c 00:24:23.454430 IP6 (hlim 1, next-header Options (0) payload length: 32) fe80::7850:fcd6:b5ce:1bac > ff02::1:3: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::1:3 00:24:23.454589 IP6 (hlim 1, next-header Options (0) payload length: 32) fe80::7850:fcd6:b5ce:1bac > ff02::1:ffce:1bac: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::1:ffce:1bac 00:24:25.432870 IP6 (hlim 1, next-header UDP (17) payload length: 154) fe80::7850:fcd6:b5ce:1bac.55817 > ff02::c.1900: [udp sum ok] UDP, length 146 00:24:25.454043 IP6 (hlim 1, next-header Options (0) payload length: 32) fe80::7850:fcd6:b5ce:1bac > ff02::1:ff00:735: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::1:ff00:735 ※ 編輯: dowbatw (140.112.230.135), 10/25/2014 00:25:16 ※ 編輯: dowbatw (140.112.230.135), 10/25/2014 00:35:34
10/25 01:52, , 3F
看起來是router端出不到google
10/25 01:52, 3F
10/25 01:53, , 4F
你有試著從router上ping google嗎?
10/25 01:53, 4F
10/25 01:55, , 5F
前面有提到router上面ping沒問題
10/25 01:55, 5F
※ 編輯: dowbatw (140.112.230.135), 10/25/2014 02:38:53
10/25 02:39, , 6F
看來是wan送到電腦出了一些問題,不知道怎麼調整?
10/25 02:39, 6F
10/25 03:42, , 7F
那可能先看一下ip6tables
10/25 03:42, 7F
10/25 03:43, , 8F
看是不是forward部分沒被允許
10/25 03:43, 8F
10/25 03:46, , 9F
對了 你firewall的wan裡面是不是沒多加gogo6用的介面
10/25 03:46, 9F
10/25 03:47, , 10F
(沒動過應該會是sit1)
10/25 03:47, 10F
10/25 09:16, , 11F
我的是tun不是sit;我有在network設定值裡面把tun和wan橋
10/25 09:16, 11F
10/25 09:17, , 12F
接變成br-wan
10/25 09:17, 12F
/etc/config/network config interface 'lan' option force_link '1' option type 'bridge' option proto 'static' option ipaddr '192.168.1.1' option netmask '255.255.255.0' option ip6assign '60' option _orig_ifname 'eth0.1 wlan0' option _orig_bridge 'true' option ifname 'eth0.1 tun' config interface 'wan' option proto 'dhcp' option _orig_ifname 'eth0.2' option _orig_bridge 'true' option type 'bridge' option ifname 'eth0.2 tun' config interface 'wan6' option proto 'dhcp' option _orig_ifname 'eth0.2' option _orig_bridge 'false' option type 'bridge' option ifname 'eth0.2 tun' /etc/config/firewall config zone option name 'lan' list network 'lan' option input 'ACCEPT' option output 'ACCEPT' option forward 'ACCEPT' config zone option name 'wan' list network 'wan' list network 'wan6' option input 'REJECT' option output 'ACCEPT' option forward 'REJECT' option masq '1' option mtu_fix '1' config forwarding option src 'lan' option dest 'wan' config rule option name 'Allow-DHCPv6' option src 'wan' option proto 'udp' option src_ip 'fe80::/10' option src_port '547' option dest_ip 'fe80::/10' option dest_port '546' option family 'ipv6' option target 'ACCEPT' config rule option name 'Allow-ICMPv6-Input' option src 'wan' option proto 'icmp' option limit '1000/sec' option family 'ipv6' option target 'ACCEPT' list icmp_type 'echo-request' list icmp_type 'echo-reply' list icmp_type 'destination-unreachable' list icmp_type 'packet-too-big' list icmp_type 'time-exceeded' list icmp_type 'bad-header' list icmp_type 'unknown-header-type' list icmp_type 'router-solicitation' list icmp_type 'neighbour-solicitation' list icmp_type 'router-advertisement' list icmp_type 'neighbour-advertisement' config rule option name 'Allow-ICMPv6-Forward' option src 'wan' option dest '*' option proto 'icmp' option limit '1000/sec' option family 'ipv6' option target 'ACCEPT' list icmp_type 'echo-request' list icmp_type 'echo-reply' list icmp_type 'destination-unreachable' list icmp_type 'packet-too-big' list icmp_type 'time-exceeded' list icmp_type 'bad-header' list icmp_type 'unknown-header-type' ※ 編輯: dowbatw (140.112.230.135), 10/25/2014 09:23:41
10/25 10:19, , 13F
你怎設定不重要...
10/25 10:19, 13F
10/25 10:19, , 14F
ifconfig跟ip6tables出來的才是實際設定
10/25 10:19, 14F
10/25 10:20, , 15F
再說跟wan bridge是很奇妙的設定啊...
10/25 10:20, 15F
ifconfig br-lan Link encap:Ethernet HWaddr 10:6F:3F:02:3D:D6 inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0 inet6 addr: 2001:b000:a:d::1/64 Scope:Global inet6 addr: fe80::126f:3fff:fe02:3dd6/64 Scope:Link inet6 addr: fdb1:5979:7760::1/60 Scope:Global UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:70199 errors:0 dropped:0 overruns:0 frame:0 TX packets:79433 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:37825616 (36.0 MiB) TX bytes:51010066 (48.6 MiB) eth0 Link encap:Ethernet HWaddr 10:6F:3F:02:3D:D6 inet6 addr: fe80::126f:3fff:fe02:3dd6/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:447605 errors:0 dropped:10 overruns:0 frame:0 TX packets:91849 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:119217969 (113.6 MiB) TX bytes:56233397 (53.6 MiB) Interrupt:4 eth0.1 Link encap:Ethernet HWaddr 10:6F:3F:02:3D:D6 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:23436 errors:0 dropped:2 overruns:0 frame:0 TX packets:27686 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:11344259 (10.8 MiB) TX bytes:17254222 (16.4 MiB) eth0.2 Link encap:Ethernet HWaddr 10:6F:3F:02:3D:D6 inet addr:140.112.230.135 Bcast:140.112.230.255 Mask:255.255.255.0 inet6 addr: fe80::126f:3fff:fe02:3dd6/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:424109 errors:0 dropped:0 overruns:0 frame:0 TX packets:64152 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:99812759 (95.1 MiB) TX bytes:38610658 (36.8 MiB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:476 errors:0 dropped:0 overruns:0 frame:0 TX packets:476 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:51192 (49.9 KiB) TX bytes:51192 (49.9 KiB) tun Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet6 addr: 2001:b020:0:71::47f/128 Scope:Global UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1280 Metric:1 RX packets:3 errors:0 dropped:0 overruns:0 frame:0 TX packets:2399 errors:0 dropped:83 overruns:0 carrier:0 collisions:0 txqueuelen:500 RX bytes:200 (200.0 B) TX bytes:730504 (713.3 KiB) wlan0 Link encap:Ethernet HWaddr 10:6F:3F:02:3D:D6 inet6 addr: fe80::126f:3fff:fe02:3dd6/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:48436 errors:0 dropped:0 overruns:0 frame:0 TX packets:57669 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:27536078 (26.2 MiB) TX bytes:35613035 (33.9 MiB) ip6tables -L Chain INPUT (policy ACCEPT) target prot opt source destination delegate_input all anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination delegate_forward all anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination delegate_output all anywhere anywhere Chain delegate_forward (1 references) target prot opt source destination forwarding_rule all anywhere anywhere /* user chain for forwarding */ ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED zone_lan_forward all anywhere anywhere zone_wan_forward all anywhere anywhere zone_wan_forward all anywhere anywhere reject all anywhere anywhere Chain delegate_input (1 references) target prot opt source destination ACCEPT all anywhere anywhere input_rule all anywhere anywhere /* user chain for input */ ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED syn_flood tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN zone_lan_input all anywhere anywhere zone_wan_input all anywhere anywhere zone_wan_input all anywhere anywhere Chain delegate_output (1 references) target prot opt source destination ACCEPT all anywhere anywhere output_rule all anywhere anywhere /* user chain for output */ ACCEPT all anywhere anywhere ctstateRELATED,ESTABLISHED zone_lan_output all anywhere anywhere zone_wan_output all anywhere anywhere zone_wan_output all anywhere anywhere Chain forwarding_wan_rule (1 references) target prot opt source destination Chain input_lan_rule (1 references) target prot opt source destination Chain input_rule (1 references) target prot opt source destination Chain input_wan_rule (1 references) target prot opt source destination Chain output_lan_rule (1 references) target prot opt source destination Chain output_rule (1 references) target prot opt source destination Chain output_wan_rule (1 references) target prot opt source destination Chain reject (5 references) target prot opt source destination REJECT tcp anywhere anywhere reject-with tcp-reset REJECT all anywhere anywhere reject-with icmp6-port-unreachable Chain syn_flood (1 references) target prot opt source destination RETURN tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 DROP all anywhere anywhere Chain zone_lan_dest_ACCEPT (2 references) target prot opt source destination ACCEPT all anywhere anywhere Chain zone_lan_forward (1 references) target prot opt source destination forwarding_lan_rule all anywhere anywhere /* user chain for forwarding */ zone_wan_dest_ACCEPT all anywhere anywhere /* forwarding lan -> wan */ zone_lan_dest_ACCEPT all anywhere anywhere Chain zone_lan_input (1 references) target prot opt source destination input_lan_rule all anywhere anywhere /* user chain for input */ zone_lan_src_ACCEPT all anywhere anywhere Chain zone_lan_output (1 references) target prot opt source destination output_lan_rule all anywhere anywhere /* user chain for output */ zone_lan_dest_ACCEPT all anywhere anywhere Chain zone_lan_src_ACCEPT (1 references) target prot opt source destination ACCEPT all anywhere anywhere Chain zone_wan_dest_ACCEPT (2 references) target prot opt source destination ACCEPT all anywhere anywhere ACCEPT all anywhere anywhere Chain zone_wan_dest_REJECT (1 references) target prot opt source destination reject all anywhere anywhere reject all anywhere anywhere Chain zone_wan_forward (2 references) target prot opt source destination forwarding_wan_rule all anywhere anywhere /* user chain for forwarding */ ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request /* Allow-ICMPv6-Forward */ ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-reply /* Allow-ICMPv6-Forward */ ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable /* Allow-ICMPv6-Forward */ ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big /* Allow-ICMPv6-Forward */ ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded /* Allow-ICMPv6-Forward */ ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp bad-header /* Allow-ICMPv6-Forward */ ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp unknown-header-type /* Allow-ICMPv6-Forward */ zone_wan_dest_REJECT all anywhere anywhere Chain zone_wan_input (2 references) target prot opt source destination input_wan_rule all anywhere anywhere /* user chain for input */ ACCEPT udp fe80::/10 fe80::/10 udp spt:dhcpv6-server dpt:dhcpv6-client /* Allow-DHCPv6 */ ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request /* Allow-ICMPv6-Input */ ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-reply /* Allow-ICMPv6-Input */ ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable /* Allow-ICMPv6-Input */ ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big /* Allow-ICMPv6-Input */ ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded /* Allow-ICMPv6-Input */ ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp bad-header /* Allow-ICMPv6-Input */ ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp unknown-header-type /* Allow-ICMPv6-Input */ ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-solicitation /* Allow-ICMPv6-Input */ ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation /* Allow-ICMPv6-Input */ ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-advertisement /* Allow-ICMPv6-Input */ ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-advertisement /* Allow-ICMPv6-Input */ zone_wan_src_REJECT all anywhere anywhere Chain zone_wan_output (2 references) target prot opt source destination output_wan_rule all anywhere anywhere /* user chain for output */ zone_wan_dest_ACCEPT all anywhere anywhere Chain zone_wan_src_REJECT (1 references) target prot opt source destination reject all anywhere anywhere reject all anywhere anywhere ip6tables-save # Generated by ip6tables-save v1.4.21 on Sat Oct 25 16:11:11 2014 *nat :PREROUTING ACCEPT [8489:2118004] :INPUT ACCEPT [220:18732] :OUTPUT ACCEPT [72:5117] :POSTROUTING ACCEPT [377:23457] COMMIT # Completed on Sat Oct 25 16:11:11 2014 # Generated by ip6tables-save v1.4.21 on Sat Oct 25 16:11:11 2014 *raw :PREROUTING ACCEPT [6740:1197649] :OUTPUT ACCEPT [457:40178] :delegate_notrack - [0:0] -A PREROUTING -j delegate_notrack COMMIT # Completed on Sat Oct 25 16:11:11 2014 # Generated by ip6tables-save v1.4.21 on Sat Oct 25 16:11:11 2014 *mangle :PREROUTING ACCEPT [6740:1197649] :INPUT ACCEPT [275:20918] :FORWARD ACCEPT [189:15796] :OUTPUT ACCEPT [457:40178] :POSTROUTING ACCEPT [495:42962] :fwmark - [0:0] :mssfix - [0:0] -A PREROUTING -j fwmark -A FORWARD -j mssfix -A mssfix -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu COMMIT # Completed on Sat Oct 25 16:11:11 2014 # Generated by ip6tables-save v1.4.21 on Sat Oct 25 16:11:11 2014 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [9:936] :delegate_forward - [0:0] :delegate_input - [0:0] :delegate_output - [0:0] :forwarding_lan_rule - [0:0] :forwarding_rule - [0:0] :forwarding_wan_rule - [0:0] :input_lan_rule - [0:0] :input_rule - [0:0] :input_wan_rule - [0:0] :output_lan_rule - [0:0] :output_rule - [0:0] :output_wan_rule - [0:0] :reject - [0:0] :syn_flood - [0:0] :zone_lan_dest_ACCEPT - [0:0] :zone_lan_forward - [0:0] :zone_lan_input - [0:0] :zone_lan_output - [0:0] :zone_lan_src_ACCEPT - [0:0] :zone_wan_dest_ACCEPT - [0:0] :zone_wan_dest_REJECT - [0:0] :zone_wan_forward - [0:0] :zone_wan_input - [0:0] :zone_wan_output - [0:0] :zone_wan_src_REJECT - [0:0] -A INPUT -j delegate_input -A FORWARD -j delegate_forward -A OUTPUT -j delegate_output -A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule -A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A delegate_forward -i br-lan -j zone_lan_forward -A delegate_forward -i eth0.2 -j zone_wan_forward -A delegate_forward -j reject -A delegate_input -i lo -j ACCEPT -A delegate_input -m comment --comment "user chain for input" -j input_rule -A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood -A delegate_input -i br-lan -j zone_lan_input -A delegate_input -i eth0.2 -j zone_wan_input -A delegate_output -o lo -j ACCEPT -A delegate_output -m comment --comment "user chain for output" -j output_rule -A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A delegate_output -o br-lan -j zone_lan_output -A delegate_output -o eth0.2 -j zone_wan_output -A reject -p tcp -j REJECT --reject-with tcp-reset -A reject -j REJECT --reject-with icmp6-port-unreachable -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN -A syn_flood -j DROP -A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT -A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule -A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT -A zone_lan_forward -j zone_lan_dest_ACCEPT -A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule -A zone_lan_input -j zone_lan_src_ACCEPT -A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule -A zone_lan_output -j zone_lan_dest_ACCEPT -A zone_lan_src_ACCEPT -i br-lan -j ACCEPT -A zone_wan_dest_ACCEPT -o eth0.2 -j ACCEPT -A zone_wan_dest_REJECT -o eth0.2 -j reject -A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT -A zone_wan_forward -j zone_wan_dest_REJECT -A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule -A zone_wan_input -s fe80::/10 -d fe80::/10 -p udp -m udp --sport 547 --dport 546 -m comment --comment Allow-DHCPv6 -j ACCEPT -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT -A zone_wan_input -j zone_wan_src_REJECT -A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule -A zone_wan_output -j zone_wan_dest_ACCEPT -A zone_wan_src_REJECT -i eth0.2 -j reject COMMIT # Completed on Sat Oct 25 16:11:11 2014 ※ 編輯: dowbatw (140.112.230.135), 10/25/2014 15:56:11
10/25 16:54, , 16F
ifconfig裏沒有br-wan存在 這說明你的wan沒有bridge
10/25 16:54, 16F
10/25 16:59, , 17F
(gogoc的介面無法bridge 因為他要gw6c啟動後才會出現)
10/25 16:59, 17F
10/25 18:28, , 18F
其實是我後來看了大大你的建議之後改掉的
10/25 18:28, 18F
10/25 18:29, , 19F
要有br-wan也是可以,只是我沒貼上來。不過,這終究還不
10/25 18:29, 19F
10/25 18:30, , 20F
是重點,我還在看iptable
10/25 18:30, 20F
10/25 18:31, , 21F
我有試過把iptable中最上層的forward設定為accept,結果
10/25 18:31, 21F
10/25 18:32, , 22F
電腦可以ping,只是測試http://test-ipv6.com/仍然會失敗
10/25 18:32, 22F
10/25 18:56, , 23F
你知道iptables跟ip6tables是不同東西嗎...
10/25 18:56, 23F
10/25 18:57, , 24F
ipv4跟ipv6是分開兩組iptables 兩者設定無關的
10/25 18:57, 24F
10/25 19:57, , 25F
一樣,我上面講的就是ip6table中的設定
10/25 19:57, 25F
10/25 19:59, , 26F
我剛剛試了一下,要把table最上層的forward打開成accept
10/25 19:59, 26F
10/25 19:59, , 27F
就可以成功,只是這樣就很危險
10/25 19:59, 27F
※ 編輯: dowbatw (140.112.230.135), 10/25/2014 20:30:41 ※ 編輯: dowbatw (140.112.230.135), 10/25/2014 20:33:01
10/25 20:49, , 28F
所以就說問題在於你防火牆(forward)沒設對啊...
10/25 20:49, 28F
10/25 20:49, , 29F
ip6tables -L -v連介面一起出來就比較清楚狀況了
10/25 20:49, 29F
10/25 20:49, , 30F
不過主要應該是lan>wan這段被reject掉了
10/25 20:49, 30F
10/25 20:50, , 31F
所以回了dest unreachable
10/25 20:50, 31F
10/25 20:51, , 32F
然後找個pastebin之類的地方貼 不然整串有夠長OTZ
10/25 20:51, 32F
更多 dowbatw 的文章
文章代碼(AID): #1KIY9JKa (IPv6)
IPv6 近期熱門文章
更多 近期熱門文章 >>
PTT數位生活區 即時熱門文章
更多 即時熱門文章 >>
更多 dowbatw 的文章
文章代碼(AID): #1KIY9JKa (IPv6)