Closed iamfreaky closed 2 years ago
Same here. I want to have a webserver in the LAN available via VPS-IPV6.
For IPv6 you should have an "ACCEPT" rule on shorewall6, DNAT is not used. I will check how a DNAT can be created.
Well, the DNAT rule gets created automatically, so this is a bug or? I will try to change the shorewall6 rule myself.
If I change the exact rule from DNAT to ACCEPT it still won't work.
For IPv6 you should have an "ACCEPT" rule on shorewall6, DNAT is not used. I will check how a DNAT can be created.
So it does not work with the UI alone, we have to use ssh to the vps for that?
You can try to add "OMR_ADDR=fe80::a00:2" in /etc/shorewall6/rules
and /etc/init.d/shorewall6 restart
@Ysurac
● shorewall6.service - Shorewall IPv6 firewall
   Loaded: loaded (/lib/systemd/system/shorewall6.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2021-07-25 10:59:39 PDT; 33s ago
  Process: 6254 ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS (code=exited, status=25)
 Main PID: 6254 (code=exited, status=25)

Jul 25 10:59:39 shorewall[6254]: Adding rules for DHCP
Jul 25 10:59:39 shorewall[6254]: Compiling TCP Flags filtering...
Jul 25 10:59:39 shorewall[6254]: Compiling /etc/shorewall6/snat...
Jul 25 10:59:39 shorewall[6254]: Compiling MAC Filtration -- Phase 1...
Jul 25 10:59:39 shorewall[6254]: Compiling /etc/shorewall6/rules...
Jul 25 10:59:39 shorewall[6254]: ERROR: Invalid parameter (OMR_ADDR=fe80::a00:2) /etc/shorewall6/rules (line 24)
Jul 25 10:59:39 root[6400]: ERROR:Shorewall6 start failed
Jul 25 10:59:39 systemd[1]: shorewall6.service: Main process exited, code=exited, status=25/n/a
Jul 25 10:59:39 systemd[1]: shorewall6.service: Failed with result 'exit-code'.
Jul 25 10:59:39 systemd[1]: Failed to start Shorewall IPv6 firewall.
That doesn't work; inside /etc/shorewall6/params.vpn there is also the same IPv6 address.
Changing the line from
ACCEPT net vpn:$OMR_ADDR tcp 80 # OMR openmptcprouter redirect router 80 port tcp
to
ACCEPT net vpn:fe80::a00:2 tcp 80 # OMR openmptcprouter redirect router 80 port tcp
will work with shorewall, but traffic still won't be passed down to the openmptcp router. tcpdump will show no packets on the omr-6in4-user0 interface on the VPS.
Sorry OMR_ADDR=fe80::a00:2
should be in /etc/shorewall6/params.vpn
With this, rule should use DNAT.
Well, it was in there already from the beginning. At least the same IPv6 address, just with a prefix, like so: OMR_ADDR=fe80::a00:2/126
Okay so with OMR_ADDR=fe80::a00:2
in /etc/shorewall6/params.vpn
and DNAT net vpn:$OMR_ADDR tcp 80 # OMR openmptcprouter redirect router 80 port tcp
in /etc/shorewall6/rules
I get an error message: ICMP6, destination unreachable, unreachable address
The port is still open on OpenMPTCPRouter. IPv6 access from the client behind the router is still possible (going out).
Can you ping the IP from the VPS?
Yes that is working.
ping fe80::a00:2
PING fe80::a00:2(fe80::a00:2) 56 data bytes
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=1 ttl=64 time=22.9 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=2 ttl=64 time=29.0 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=3 ttl=64 time=20.9 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=4 ttl=64 time=21.1 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=5 ttl=64 time=14.8 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=6 ttl=64 time=17.7 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=7 ttl=64 time=23.7 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=8 ttl=64 time=21.7 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=9 ttl=64 time=31.7 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=10 ttl=64 time=16.0 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=11 ttl=64 time=22.2 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=12 ttl=64 time=19.6 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=13 ttl=64 time=14.5 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=14 ttl=64 time=14.8 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=15 ttl=64 time=15.0 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=16 ttl=64 time=17.4 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=17 ttl=64 time=20.9 ms
And of course the other way around also works.
Ping the IP you want to redirect to.
From VPS to Client is also working.
Did you check using tcpdump -i eth0 -vv ip6 and port 80
(or something like that) on the router to see if you have something when you connect to the external IP?
So yes, I did, but now I got something different. So again:
Ping on VPS -> OpenMPTCP -> Client
that is working. This basically describes the routing which takes place.
Ping on External Server -> VPS -> OpenMPTCP -> Client
that is NOT working.
The other way round, ping from Client -> OpenMPTCP -> VPS -> External Server
is working.
For both ping tests I'm using the global address.
If I do a tcpdump -i eth0 -n host XXXX::XXXX
on the VPS, I can see that ICMP6 requests are incoming for that client, but the same is not present on the omr-6in4-user
interface on the VPS side.
Any more ideas? @Ysurac
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days
Expected Behavior
IPv6 Forwarding for a Webserver should work like IPv4
Current Behavior
IPv6 Does not work
Specifications
In /etc/shorewall6/rules you can see a DNAT Rule after changing the Rules on the MPTCP Router.
Config Rule on Router
config rule
	option src 'vpn'
	option target 'ACCEPT'
	option family 'ipv6'
	list proto 'tcp'
	option dest_port '80'
	option name 'HTTP'
	option dest 'lan'
	list dest_ip 'IPv6 Address'
Config on VPS in /etc/shorewall6/rules
DNAT net vpn:$OMR_ADDR tcp 80 # OMR openmptcprouter redirect router 80 port tcp
Config on VPS IPv4 (IPv4 is working)
DNAT net vpn:$OMR_ADDR tcp 80 # OMR openmptcprouter redirect router 80 port tcp
Internet Access (IPv4 and IPv6) is completely working.
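The thread splits the configuration across two files (variables in /etc/shorewall6/params.vpn, rules in /etc/shorewall6/rules), and the "Invalid parameter" failure came from putting an assignment in the rules file. The Python check below is an added example, not code from OpenMPTCProuter or Shorewall: it lints that layout before a restart. The `lint` helper and its finding codes are hypothetical names, the sample input is constructed from the values quoted above, and the findings are observations about the files, not Shorewall's own validation.

```python
import ipaddress
import re

ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
VAR_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")

def strip_comment(raw):
    return raw.split("#", 1)[0].strip()

def parse_params(text):
    """Collect NAME=value assignments from a params file."""
    params = {}
    for raw in text.splitlines():
        m = ASSIGN.match(strip_comment(raw))
        if m:
            params[m.group(1)] = m.group(2).strip("\"'")
    return params

def lint(params_text, rules_text):
    """Return (line_no, code) findings for the rules file."""
    params, findings = parse_params(params_text), []
    for n, raw in enumerate(rules_text.splitlines(), 1):
        line = strip_comment(raw)
        if ASSIGN.match(line):
            # The compiler in the thread rejected this as "Invalid parameter".
            findings.append((n, "assignment-in-rules"))
            continue
        for name in VAR_REF.findall(line):
            if name not in params:
                findings.append((n, "undefined-variable"))
                continue
            value = params[name]
            try:
                addr = ipaddress.ip_interface(value).ip  # accepts addr or addr/len
            except ValueError:
                continue  # not an address, nothing to classify
            if "/" in value:
                findings.append((n, "prefix-on-address"))
            if addr.is_link_local:  # fe80::/10, scoped to a single interface
                findings.append((n, "link-local-target"))
    return findings

# Constructed sample mirroring the values quoted in the thread.
PARAMS = "OMR_ADDR=fe80::a00:2/126\n"
RULES = (
    "DNAT net vpn:$OMR_ADDR tcp 80 # OMR openmptcprouter redirect router 80 port tcp\n"
    "OMR_ADDR=fe80::a00:2\n"
)

if __name__ == "__main__":
    for finding in lint(PARAMS, RULES):
        print(finding)
```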