NICMx / Jool

SIIT and NAT64 for Linux
GNU General Public License v2.0

Debian Bullseye icmp not working #399

Closed ghost closed 1 year ago

ghost commented 1 year ago

Hello,

I have jool installed on Debian 11. I have tried both the Jool that came with Debian stable and also installed 4.1.9.0 manually, but I still cannot get ICMP working from a client.

HTTP via 464xlat/nat64 from a client works fine. I have tried both a separate namespace and not; it makes no difference, HTTP/S works but not ICMP.

I start jool with these commands:

#!/bin/bash
ethtool -K enp4s0 gro off
sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv4.ip_local_port_range="32768 50000"
/sbin/modprobe jool
jool instance add --netfilter --pool6 2c06:ff9b::/96
jool pool4 add 172.21.8.4 50001-61000 --tcp
jool pool4 add 172.21.8.4 50001-61000 --udp
jool pool4 add 172.21.8.4 50001-61000 --icmp

ip addr looks like this:

ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether fe:cb:af:e7:a0:18 brd ff:ff:ff:ff:ff:ff
    inet 172.21.8.4/24 brd 172.21.8.255 scope global enp4s0
       valid_lft forever preferred_lft forever
    inet6 2c06:25:f1cd:11:8::4/80 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::fccb:afff:fee7:a018/64 scope link
       valid_lft forever preferred_lft forever

Any ideas why ping/icmp/traceroute isn't working? I have an opnsense firewall between the clients and the jool host, but nothing is stopping ICMP there.

ydahhrk commented 1 year ago

What's the exact ping command you're running, and where are you running it?

ghost commented 1 year ago

Hi! I have tried these commands from my laptop connected to vlan10, the jool host is on vlan8:

dp@MacBook-Air-4 ~ % ping6  2c06:ff9b::1.1.1.1
PING6(56=40+8+8 bytes) 2c06:25:f1cd:12:103f:f128:7d97:ceb1 --> 2c06:ff9b::101:101

^C
--- 2c06:ff9b::1.1.1.1 ping6 statistics ---
11 packets transmitted, 0 packets received, 100.0% packet loss
dp@MacBook-Air-4 ~ % telnet  2c06:ff9b::1.1.1.1 443
Trying 2c06:ff9b::101:101...
Connected to one.one.one.one.
Escape character is '^]'.
^CConnection closed by foreign host.

Also: I see this in tcpdump on the jool host:

19:44:42.061406 IP6 (flowlabel 0x1530e, hlim 64, next-header ICMPv6 (58) payload length: 80) 2c06:25:f1cd:11:8::3 > 2c06:25:f1cd:12:1816:140b:aa97:21d8: [icmp6 sum ok] ICMP6, time exceeded in-transit for 2c06:ff9b::101:101

ydahhrk commented 1 year ago

Can't reproduce; works fine for me.

ethtool -K enp4s0 gro off

Not that I expect it to fix the problem, but this isn't supposed to be necessary anymore. In fact, it might be losing you performance.

Also: I see this in tcpdump on the jool host:

Is this really relevant? Who are 2c06:25:f1cd:11:8::3 and 2c06:25:f1cd:12:1816:140b:aa97:21d8? Neither the ping client nor the translator seem to be involved.

Also, when the hop limit is exceeded, ping doesn't stand idle for me:

$ ping -c1 2c06:ff9b::1.1.1.1 -t 2
PING 2c06:ff9b::1.1.1.1(2c06:ff9b::101:101) 56 data bytes
From 2c06:ff9b::a00:202 icmp_seq=1 Time exceeded: Hop limit

--- 2c06:ff9b::1.1.1.1 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

Any ideas why ping/icmp/traceroute isn't working?

What is the output of traceroute? Maybe ping uses a smaller hop limit than telnet?

Maybe try ping6 2c06:ff9b::1.1.1.1 -t 255

ghost commented 1 year ago

Hi, thanks for your help. I realized that traceroute was actually working. I then found out that I had a global rule forcing all ICMP to go out via my WAN connection and bypassing jool completely, so it's working now!
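Added example (not code from the thread or from Jool) showing the RFC 6052 /96 address mapping behind the addresses seen above, so that addresses in a capture or ping error can be checked against the pool6 prefix, plus a check that the pool4 port range does not overlap the host's own ephemeral port range. The prefix, port ranges and addresses are the ones from this thread; the function names are my own.

```python
import ipaddress

# Values taken from the startup script and ping output in this thread.
POOL6 = ipaddress.IPv6Network("2c06:ff9b::/96")
LOCAL_PORT_RANGE = (32768, 50000)   # net.ipv4.ip_local_port_range
POOL4_PORT_RANGE = (50001, 61000)   # jool pool4 add 172.21.8.4 50001-61000


def nat64_embed(prefix: ipaddress.IPv6Network, v4: str) -> ipaddress.IPv6Address:
    """RFC 6052 with a /96 prefix: the IPv4 address fills the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 layout is handled here")
    v4_int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address(int(prefix.network_address) | v4_int)


def nat64_extract(prefix: ipaddress.IPv6Network, v6: str) -> ipaddress.IPv4Address:
    """Reverse mapping: recover the IPv4 address from a pool6 address.

    Raises if the address is not inside the prefix, i.e. it was not
    synthesized by this translator and should be investigated separately.
    """
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 layout is handled here")
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def port_ranges_overlap(a: tuple, b: tuple) -> bool:
    """True if the two inclusive (low, high) port ranges share any port.

    pool4 ports should not collide with the host's ephemeral range, or the
    host's own sockets and the translator compete for the same ports.
    """
    return a[0] <= b[1] and b[0] <= a[1]


if __name__ == "__main__":
    # "ping6 2c06:ff9b::1.1.1.1" targets the synthesized address of 1.1.1.1
    print(nat64_embed(POOL6, "1.1.1.1"))
    # The "Time exceeded" reply came from an IPv4 hop embedded in pool6
    print(nat64_extract(POOL6, "2c06:ff9b::a00:202"))
    print("pool4/ephemeral overlap:",
          port_ranges_overlap(LOCAL_PORT_RANGE, POOL4_PORT_RANGE))
```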