Closed genofire closed 6 years ago
@genofire which traffic do you see blocked exactly before flushing all iptables chains?
=> which traffic do we need to allow exactly?
have to enable logging in 'zone wan':
REJECT(src wan)IN=br-wan OUT= MAC=33:33:00:00:01:5c:52:54:00:38:4b:77:86:dd SRC=fe80:0000:0000:0000:5054:00ff:fe38:4b77 DST=ff02:0000:0000:0000:0000:0000:0000:015c LEN=145 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=UDP SPT=54166 DPT=4789 LEN=106
dst ff02::15c proto udp, also specify the port if needed
Solution:
config rule
    option name 'Allow-VXLAN-Init'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/64'
    option dest_ip 'ff02::15c'
    option dest_port '4789'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-VXLAN-Connected'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/64'
    option dest_ip 'fe80::/64'
    option dest_port '4789'
    option family 'ipv6'
    option target 'ACCEPT'
Blame (sry): https://github.com/freifunk-gluon/gluon/commit/a2711065c8cdca4f285319fb3d62db18aa0f0599#commitcomment-26853242
open issue https://github.com/freifunk-gluon/gluon/issues/1308 on gluon
I always have to run
ip6tables -F
to allow src->wan traffic. There should be a wan rule which allows the vxlan traffic.
Version: https://github.com/freifunk-ffm/gluon/tree/christf_next
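
The REJECT log line and the two Allow-VXLAN rules from this thread, checked against each other. This is an added example, not code from the thread or from Gluon; `parse_log` and `matching_rule` are illustrative names, and only the protocol, address and port options of each rule are modelled (zone and family are taken as given).

```python
import ipaddress
import re

# REJECT line copied from the thread (logged in zone wan before the fix).
LOG = (
    "REJECT(src wan)IN=br-wan OUT= MAC=33:33:00:00:01:5c:52:54:00:38:4b:77:86:dd "
    "SRC=fe80:0000:0000:0000:5054:00ff:fe38:4b77 "
    "DST=ff02:0000:0000:0000:0000:0000:0000:015c "
    "LEN=145 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=UDP SPT=54166 DPT=4789 LEN=106"
)

# The two rules from the thread, reduced to their match options.
RULES = [
    {"name": "Allow-VXLAN-Init", "proto": "udp", "src_ip": "fe80::/64",
     "dest_ip": "ff02::15c", "dest_port": 4789},
    {"name": "Allow-VXLAN-Connected", "proto": "udp", "src_ip": "fe80::/64",
     "dest_ip": "fe80::/64", "dest_port": 4789},
]


def parse_log(line):
    """Extract KEY=value fields from a netfilter log line (first occurrence wins)."""
    fields = {}
    for key, value in re.findall(r"\b([A-Z]+)=(\S*)", line):
        fields.setdefault(key, value)  # LEN appears twice: keep the IPv6 one
    return fields


def matching_rule(pkt):
    """Return the name of the first rule that matches the packet, else None."""
    src = ipaddress.ip_address(pkt["SRC"])
    dst = ipaddress.ip_address(pkt["DST"])
    for rule in RULES:
        if (pkt["PROTO"].lower() == rule["proto"]
                and int(pkt["DPT"]) == rule["dest_port"]
                and src in ipaddress.ip_network(rule["src_ip"])
                and dst in ipaddress.ip_network(rule["dest_ip"])):
            return rule["name"]
    return None  # packet falls through to the zone's default (REJECT in the log)


if __name__ == "__main__":
    pkt = parse_log(LOG)
    print(pkt["SRC"], "->", pkt["DST"], "dport", pkt["DPT"], "=>", matching_rule(pkt))
```

Both rules accept only link-local sources on UDP 4789, so a packet from a global address or to another port still reaches the zone's default policy.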