Ysurac / openmptcprouter

OpenMPTCProuter is an open source solution to aggregate multiple internet connections using Multipath TCP (MPTCP) on OpenWrt
https://www.openmptcprouter.com/
GNU General Public License v3.0

IPv6 Port Forwarding #1978

Closed iamfreaky closed 2 years ago

iamfreaky commented 3 years ago

Expected Behavior

IPv6 Forwarding for a Webserver should work like IPv4

Current Behavior

IPv6 does not work

Specifications

In /etc/shorewall6/rules you can see a DNAT Rule after changing the Rules on the MPTCP Router.

Config Rule on Router

config rule
    option src 'vpn'
    option target 'ACCEPT'
    option family 'ipv6'
    list proto 'tcp'
    option dest_port '80'
    option name 'HTTP'
    option dest 'lan'
    list dest_ip 'IPv6 Address'

Config on VPS in /etc/shorewall6/rules

DNAT net vpn:$OMR_ADDR tcp 80 # OMR openmptcprouter redirect router 80 port tcp

Config on VPS IPv4 (IPv4 is working)

DNAT net vpn:$OMR_ADDR tcp 80 # OMR openmptcprouter redirect router 80 port tcp

Internet access (IPv4 and IPv6) is completely working.

Adorfer commented 3 years ago

Same here. I want to have a webserver in LAN available via VPS-IPv6.

Ysurac commented 3 years ago

For IPv6 you should have an "ACCEPT" rule on shorewall6, DNAT is not used. I will check how a DNAT can be created.

iamfreaky commented 3 years ago

Well, the DNAT rule gets created automatically, so is this a bug? I will try to change the shorewall6 rule myself.

iamfreaky commented 3 years ago

If I change the exact rule from DNAT to ACCEPT it still won't work.

Adorfer commented 3 years ago

For IPv6 you should have an "ACCEPT" rule on shorewall6, DNAT is not used. I will check how a DNAT can be created.

So it does not work with the UI alone, we have to use ssh to the VPS for that?

Ysurac commented 3 years ago

You can try to add "OMR_ADDR=fe80::a00:2" in /etc/shorewall6/rules and /etc/init.d/shorewall6 restart

iamfreaky commented 3 years ago

@Ysurac

● shorewall6.service - Shorewall IPv6 firewall
     Loaded: loaded (/lib/systemd/system/shorewall6.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sun 2021-07-25 10:59:39 PDT; 33s ago
    Process: 6254 ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS (code=exited, status=25)
   Main PID: 6254 (code=exited, status=25)

Jul 25 10:59:39 shorewall[6254]: Adding rules for DHCP
Jul 25 10:59:39 shorewall[6254]: Compiling TCP Flags filtering...
Jul 25 10:59:39 shorewall[6254]: Compiling /etc/shorewall6/snat...
Jul 25 10:59:39 shorewall[6254]: Compiling MAC Filtration -- Phase 1...
Jul 25 10:59:39 shorewall[6254]: Compiling /etc/shorewall6/rules...
Jul 25 10:59:39 shorewall[6254]: ERROR: Invalid parameter (OMR_ADDR=fe80::a00:2) /etc/shorewall6/rules (line 24)
Jul 25 10:59:39 root[6400]: ERROR:Shorewall6 start failed
Jul 25 10:59:39 systemd[1]: shorewall6.service: Main process exited, code=exited, status=25/n/a
Jul 25 10:59:39 systemd[1]: shorewall6.service: Failed with result 'exit-code'.
Jul 25 10:59:39 systemd[1]: Failed to start Shorewall IPv6 firewall.

That doesn't work; inside /etc/shorewall6/params.vpn there is also the same IPv6 address.

iamfreaky commented 3 years ago

Changing the line from

ACCEPT net vpn:$OMR_ADDR tcp 80 # OMR openmptcprouter redirect router 80 port tcp

to

ACCEPT net vpn:fe80::a00:2 tcp 80 # OMR openmptcprouter redirect router 80 port tcp

will work with shorewall, but traffic still won't be passed down to the OpenMPTCProuter. tcpdump shows no packets on the omr-6in4-user0 interface on the VPS.

Ysurac commented 3 years ago

Sorry, OMR_ADDR=fe80::a00:2 should be in /etc/shorewall6/params.vpn. With this, the rule should use DNAT.

iamfreaky commented 3 years ago

Well, it was in there already from the beginning, at least the same IPv6 address, just with a prefix, like so: OMR_ADDR=fe80::a00:2/126

iamfreaky commented 3 years ago

Okay, so with OMR_ADDR=fe80::a00:2 in /etc/shorewall6/params.vpn and DNAT net vpn:$OMR_ADDR tcp 80 # OMR openmptcprouter redirect router 80 port tcp in /etc/shorewall6/rules I get an error message: ICMP6, destination unreachable, unreachable address.

The port is still open on OpenMPTCProuter. IPv6 access from the client behind the router is still possible (going out).
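As an added example (not code from this issue or from the OpenMPTCProuter project), a small lint for the two shorewall6 files the thread keeps going back and forth on; it flags an assignment placed in the rules file (the "Invalid parameter" error above), a $VAR with no definition in params, and a DNAT/ACCEPT host target whose variable still carries a prefix length. File names and sample contents are constructed.

```shell
#!/bin/sh
# Added example, not code from the issue or from OpenMPTCProuter: a lint for the
# two shorewall6 files discussed above. Sample file contents are constructed.
# It reports the three configuration details the thread turns on:
#   1. a VAR=value assignment placed in /etc/shorewall6/rules (shorewall rejects
#      it with "Invalid parameter", as in the systemd log posted above)
#   2. a $VAR used in a rule but never defined in the params file
#   3. a DNAT/ACCEPT host target whose variable carries a prefix length
#      (fe80::a00:2/126 names a network; the maintainer asked for the bare host)
# Prints one finding per line; the exit status is the number of findings.
lint_shorewall6() (
    set -f                                   # no globbing while splitting rule columns
    params=$1 rules=$2 findings=0
    while IFS= read -r line; do
        first=${line%%[[:space:]]*}          # first column of the line
        case $first in
            '' | '#'*) continue ;;           # blank line or comment
            [A-Za-z_]*=*)                    # finding 1
                echo "rules: assignment '$first' belongs in the params file"
                findings=$((findings + 1)); continue ;;
        esac
        set -- $line                         # ACTION SOURCE DEST PROTO DPORT ...
        action=$1 dest=$3
        case $action in DNAT | ACCEPT) ;; *) continue ;; esac
        case $dest in *:\$*) ;; *) continue ;; esac
        var=${dest#*:}; var=${var#?}         # "vpn:$OMR_ADDR" -> "OMR_ADDR"
        value=$(sed -n "s/^${var}=//p" "$params" | tail -n 1)
        if [ -z "$value" ]; then             # finding 2
            echo "rules: \$$var used by $action rule but not defined in params"
            findings=$((findings + 1))
        else
            case $value in */*)              # finding 3
                echo "params: $var=$value has a prefix length; $action needs a bare host address"
                findings=$((findings + 1)) ;;
            esac
        fi
    done < "$rules"
    exit "$findings"
)

# Demo on constructed files mirroring the thread: params keeps the /126 prefix,
# rules carries a stray assignment and an undefined $REMOTE.
demo_dir=$(mktemp -d)
printf 'OMR_ADDR=fe80::a00:2/126\n' > "$demo_dir/params.vpn"
printf 'DNAT net vpn:$OMR_ADDR tcp 80 # OMR redirect\nOMR_ADDR=fe80::a00:2\nACCEPT net vpn:$REMOTE tcp 443\n' > "$demo_dir/rules"
lint_shorewall6 "$demo_dir/params.vpn" "$demo_dir/rules" || echo "$? finding(s)"
rm -rf "$demo_dir"
```

A clean run (bare host address in params.vpn, no assignments in rules) prints nothing and exits 0, so the lint can sit in front of `/etc/init.d/shorewall6 restart`.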

Ysurac commented 3 years ago

Can you ping the IP from the VPS ?

iamfreaky commented 3 years ago

Yes that is working.

ping fe80::a00:2
PING fe80::a00:2(fe80::a00:2) 56 data bytes
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=1 ttl=64 time=22.9 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=2 ttl=64 time=29.0 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=3 ttl=64 time=20.9 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=4 ttl=64 time=21.1 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=5 ttl=64 time=14.8 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=6 ttl=64 time=17.7 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=7 ttl=64 time=23.7 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=8 ttl=64 time=21.7 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=9 ttl=64 time=31.7 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=10 ttl=64 time=16.0 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=11 ttl=64 time=22.2 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=12 ttl=64 time=19.6 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=13 ttl=64 time=14.5 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=14 ttl=64 time=14.8 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=15 ttl=64 time=15.0 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=16 ttl=64 time=17.4 ms
64 bytes from fe80::a00:2%omr-6in4-user0: icmp_seq=17 ttl=64 time=20.9 ms

iamfreaky commented 3 years ago

And of course the other way around also works.

Ysurac commented 3 years ago

Ping the IP you want to redirect to.

iamfreaky commented 3 years ago

From VPS to Client is also working.

Ysurac commented 3 years ago

Did you check using tcpdump -i eth0 -vv ip6 and port 80 (or something like that) on the router to see if you have something when you connect to the external IP?

iamfreaky commented 3 years ago

So yes, I did, but now I got something different. So again:

Ping on VPS -> OpenMPTCP -> Client: that is working. This basically describes the routing which takes place.

Ping on External Server -> VPS -> OpenMPTCP -> Client: that is NOT working.

The other way round, ping from Client -> OpenMPTCP -> VPS -> External Server, is working.

For both ping tests I'm using the global address.

If I do a tcpdump -i eth0 -n host XXXX::XXXX on the VPS I can see that ICMP6 requests are incoming for that client, but the same is not present on the omr-6in4-user interface on the VPS side.

iamfreaky commented 3 years ago

Any more ideas? @Ysurac

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days