[SOLVED] IPv6 routing across Debian interfaces

1ontheriver · 11-28-2016, 09:45 AM

Hello,

I am a newbie when it comes to Linux so I am hoping the answer is simple here. I am testing VOIP traffic across a wireless mesh network using different routing protocols. For some reason one of the protocols will not route between interfaces on the edge devices. I tried static routing without the protocol and it suffers the same problem. I am assuming there is some security feature that the first two protocols disable that the third does not.

Topology

ClientA-----wired------AP01-------wireless-------AP02-----wired------ClientB

ClientA eth0 - 2002::2/64
AP01 eth0 - 2002::1/64
AP01 wlan0 - 2001::1/64
AP02 wlan0 - 2001::5/64
AP02 eth0 - 2003::1/64
ClientB eth0 - 2003::2/64

Client A default gateway is 2002::1/64
Client B default gateway is 2003::1/64
AP01 has a static route to the network 2003::/64 with next hop 2001::5/64
AP02 has a static route to the network 2002::/64 with next hop 2001::1/64
Note: This is when I configure it statically. The routing protocol add the routes when I configure it

ClientA can ping both interfaces of AP01 but no further
ClientB can ping both interfaces of AP02 but no further
AP01 can ping Client A and both interfaces of AP02
AP02 can ping Client B and both interfaces of AP01

ClientA and ClientB are IBM desktops running Debian Jessie
AP01 and AP02 are Raspberry Pi3 devices running Rasbian Wheezy

When the mesh is configured using BMX6 or OLSR I can ping end to end.
When the mesh is configured using Babel or using static routes I hit the problem.

All devices are configured as dual stack with IPv4 addresses on eth0 used for management traffic. The IPv4 network is a flat network 172.20.20.0/24 which I do not believe should be relevant but I have included it here for completeness.

I have confirmed that the correct interfaces are being used to reach each network.

Thank you in advance for reading my post and hopefully somebody can help.

nini09 · 12-02-2016, 03:31 PM

In AP01, what's default gateway?

pingu_penguin · 12-02-2016, 03:34 PM

Im not an ipv6 expert, but perhaps this link may help

http://lists.alioth.debian.org/piper...ry/001868.html

camp0 · 12-05-2016, 07:03 AM

Hi,

Can you paste the output of the command route of each component?

1ontheriver · 12-06-2016, 10:52 AM

Quote:

Originally Posted by nini09

In AP01, what's default gateway?

None set however it has a route to all networks and I can ping at least 1 IP in each

***EDIT*** Formatting is not clear so please see attached screenshots

pi@AP-1:~ $ route -6
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
::1/128 :: U 256 0 0 lo
2001::5/128 fe80::34fb:11b6:29f6:916b UG 1024 1 3052 wlan1
2001::/64 :: U 256 0 0 wlan1
2002::/64 :: U 256 2 6 eth0
2003::1/128 fe80::34fb:11b6:29f6:916b UG 1024 0 0 wlan1
fe80::/64 :: U 256 0 0 eth0
fe80::/64 :: U 256 0 0 wlan1
::/0 fe80::5ef9:6aff:fe1a:1426 UG 202 0 0 eth0
::/0 :: !n -1 1 3059 lo
::1/128 :: Un 0 4 4 lo
2001::/128 :: Un 0 1 0 lo
2001::1/128 :: Un 0 2 3 lo
2002::/128 :: Un 0 1 0 lo
2002::1/128 :: Un 0 2 116 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::86ab:4558:ee67:3b75/128 :: Un 0 2 153 lo
fe80::95a2:f7a5:dfa7:c4eb/128 :: Un 0 2 133 lo
ff00::/8 :: U 256 3 36 eth0
ff00::/8 :: U 256 1 4 wlan0
ff00::/8 :: U 256 3 4210 wlan1
::/0 :: !n -1 1 3059 lo
pi@AP-1:~ $

1ontheriver · 12-06-2016, 10:55 AM

Quote:

Originally Posted by camp0

Hi,

Can you paste the output of the command route of each component?

****EDIT**** Formatting was lost so please see attached screenshots

Client 1
root@Client1:/home/pi/Documents# route -6
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
2002::/64 :: U 256 0 1 eth0
fe80::/64 :: U 256 0 0 eth0
::/0 2002::1 UG 1 0 0 eth0
::/0 :: !n -1 1 3059 lo
::1/128 :: Un 0 1 6 lo
2002::2/128 :: Un 0 1 6 lo
fe80::216:e6ff:fef6:bd1d/128 :: Un 0 1 239 lo
ff00::/8 :: U 256 0 0 eth0
::/0 :: !n -1 1 3059 lo

AP01
pi@AP-1:~ $ route -6
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
::1/128 :: U 256 0 0 lo
2001::5/128 fe80::34fb:11b6:29f6:916b UG 1024 1 3052 wlan1
2001::/64 :: U 256 0 0 wlan1
2002::/64 :: U 256 2 6 eth0
2003::1/128 fe80::34fb:11b6:29f6:916b UG 1024 0 0 wlan1
fe80::/64 :: U 256 0 0 eth0
fe80::/64 :: U 256 0 0 wlan1
::/0 fe80::5ef9:6aff:fe1a:1426 UG 202 0 0 eth0
::/0 :: !n -1 1 3059 lo
::1/128 :: Un 0 4 4 lo
2001::/128 :: Un 0 1 0 lo
2001::1/128 :: Un 0 2 3 lo
2002::/128 :: Un 0 1 0 lo
2002::1/128 :: Un 0 2 116 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::86ab:4558:ee67:3b75/128 :: Un 0 2 153 lo
fe80::95a2:f7a5:dfa7:c4eb/128 :: Un 0 2 133 lo
ff00::/8 :: U 256 3 36 eth0
ff00::/8 :: U 256 1 4 wlan0
ff00::/8 :: U 256 3 4310 wlan1
::/0 :: !n -1 1 3059 lo

AP02
pi@AP-2:~ $ route -6
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
::1/128 :: U 256 0 0 lo
2001::1/128 fe80::86ab:4558:ee67:3b75 UG 1024 1 3 wlan1
2001::/64 :: U 256 0 0 wlan1
2002::1/128 fe80::86ab:4558:ee67:3b75 UG 1024 1 3 wlan1
2003::/64 :: U 256 1480555 eth0
fe80::/64 :: U 256 0 0 eth0
fe80::/64 :: U 256 2 3 wlan1
::/0 fe80::5ef9:6aff:fe1a:1426 UG 202 4 6249 eth0
::/0 :: !n -1 1965180 lo
::1/128 :: Un 0 4 5 lo
2001::/128 :: Un 0 1 0 lo
2001::5/128 :: Un 0 2 2976 lo
2003::/128 :: Un 0 1 0 lo
2003::1/128 :: Un 0 2 4347 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::34fb:11b6:29f6:916b/128 :: Un 0 2 151 lo
fe80::cdf9:b2a5:629e:f201/128 :: Un 0 2 13513 lo
ff00::/8 :: U 256 4 5396 eth0
ff00::/8 :: U 256 4 4500 wlan1
::/0 :: !n -1 1965180 lo
pi@AP-2:~ $

Client 1
root@Client2:~# route -6
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
2003::/64 :: U 256 0 1 eth0
fe80::/64 :: U 256 0 0 eth0
::/0 2003::1 UG 1 0 0 eth0
::/0 :: !n -1 1 15337 lo
::1/128 :: Un 0 1 40 lo
2003::/128 :: Un 0 1 0 lo
2003::2/128 :: Un 0 1 5335 lo
fe80::/128 :: Un 0 1 0 lo
fe80::216:e6ff:fef6:bdaf/128 :: Un 0 1 29478 lo
ff00::/8 :: U 256 0 0 eth0
::/0 :: !n -1 1 15337 lo
root@Client2:~#

1ontheriver · 12-06-2016, 10:59 AM

Some further information.

A friend pointed me in the direction of IPTABLES. I don't understand how it works but I tried the following commands on AP01 and AP02

sudo sysctl -w net.ipv6.conf.all.forwarding=1
sudo sysctl -w net.ipv6.conf.all.proxy_ndp=1
sudo sysctl -w net.ipv6.conf.all.autoconf=0
sudo sysctl -w net.ipv6.conf.all.accept_ra=0

sudo ip6tables -A INPUT -i eth0 -j ACCEPT
sudo ip6tables -A INPUT -i wlan1 -j ACCEPT

sudo ip6tables -A FORWARD -i eth0 -o wlan1 -j ACCEPT
sudo ip6tables -A FORWARD -i wlan1 -o eth0 -j ACCEPT

Below are the outputs showing the current IP6TABLES configuration

AP01

pi@AP-1:~ $ sudo ip6tables -L -nv
Chain INPUT (policy ACCEPT 364 packets, 42290 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
711 73944 ACCEPT all eth0 wlan1 ::/0 ::/0
0 0 ACCEPT all wlan1 eth0 ::/0 ::/0

Chain OUTPUT (policy ACCEPT 402 packets, 47473 bytes)
pkts bytes target prot opt in out source destination
pi@AP-1:~ $

AP02

pi@AP-2:~ $ sudo ip6tables -L -nv
Chain INPUT (policy ACCEPT 1782 packets, 189K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 3 packets, 288 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all eth0 wlan1 ::/0 ::/0
0 0 ACCEPT all wlan1 eth0 ::/0 ::/0

Chain OUTPUT (policy ACCEPT 1827 packets, 196K bytes)
pkts bytes target prot opt in out source destination
pi@AP-2:~ $

1ontheriver · 12-06-2016, 11:10 AM

Quote:

Originally Posted by pingu_penguin

Im not an ipv6 expert, but perhaps this link may help

http://lists.alioth.debian.org/piper...ry/001868.html

Hello

Thank you for your input. The redistribution was done using the following command

sudo babeld -D wlan1 -C 'redistribute proto 11 ip 2003::/64 metric 256'

I am confident that this is not a routing issue since all devices appear to have a path to each network. The clients have a default gateway pointing at their closest AP. Each AP is either directly connected or learning the networks from the routing protocol.

Further evidence is that AP01 can ping 2003::1 which is through 2001::5 but it cannot ping 2003::2 which is one hop further.

***EDIT*** and of course, like I said, I get the same problem when I use static routing so it is not the routing protocol either

pingu_penguin · 12-06-2016, 12:41 PM

Okay I have some points to say.

1. you dont need this

Quote:

sudo ip6tables -A INPUT -i eth0 -j ACCEPT
sudo ip6tables -A INPUT -i wlan1 -j ACCEPT

sudo ip6tables -A FORWARD -i eth0 -o wlan1 -j ACCEPT
sudo ip6tables -A FORWARD -i wlan1 -o eth0 -j ACCEPT

if you have enabled this :

Quote:

sudo sysctl -w net.ipv6.conf.all.forwarding=1

if your default policy is to set to DROP for INPUT then the first two lines make sense.

2. you have to do # sysctl -p
to load the settings , just -w is not enough

3. If you sure routing is correct and protocols are correct too, then you should check the firewall settings.

If you still think its a routing issue , set your default INPUT policy to ACCEPT try this :

# ip6tables -F
# iptables -F (for ipv4)
# echo 1 > /proc/sys/net/ipv4/ip_forward (for ipv4)
# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

those first 2 lines clear the firewall rules , so save your firewall rules if any before you try.
the last 2 lines enable kernel level forwarding, so if your networks are properly configured , the routing should happen automatically.

pingu_penguin · 12-06-2016, 12:51 PM

I have a feeling routing works in your case, since other protocols are working.

If routing did not work, I think all protocols would have failed.

You could have recieved a destination unreachable or something similar.

Maybe you can check if there is some incorrect configuration with babel, or overlooking something simple ?

I am afraid I can help you little in this , as I have very little experience in ipv6.

nini09 · 12-06-2016, 02:41 PM

The default gateway in AP01 should point to wlan0, not eth0. The eth0 will point back to clientA itself.

camp0 · 12-07-2016, 03:08 AM

I suggest also use tcpdump on the different interfaces that you have in order to verify that ping6 command(for example) are recevied on each interface.

But with all the information that is on the thread you should be able to communicate both clients.

1ontheriver · 12-07-2016, 12:35 PM

OK, we are making progress.

What I did was I changed the network back to one of the protocols that worked and recorded a number of outputs. Then I set up Babel and recorded the same outputs for comparison. I spotted a mistake in the routing table. The route learned through redistribution contains just one IP address, not the whole range. There was a problem with the redistribution command. When I corrected it the correct route is learned however, a new problem has reared its ugly head.

Note how in the original post I said that all devices have management connections to the same switch. I am separating test traffic from management traffic by using different IP stacks. The problem is that the edge devices are now seeing each other over BOTH wired and wireless. TWO routes are learned and the devices are preferring the wired connection. I have attached screenshots showing that the correct routes are there but a few seconds later the wired routes take over.

Does anyone know how I can force it to prefer the wireless routes? I need to the traffic to go over the mesh as it is the mesh I am testing. I cannot disconnect the management cables during testing as this is how the clients reach the edge devices in the first place

nini09 · 12-07-2016, 02:48 PM

If all device connect to same switch, you need use VLAN on switch to separate different network range.

1ontheriver · 12-08-2016, 12:50 AM

Quote:

Originally Posted by nini09

If all device connect to same switch, you need use VLAN on switch to separate different network range.

This would require a layer 3 switch and to configure inter-vlan routing. I only have a layer 2 switch in this lab. I wonder if there is a way I can use IP6TABLES to prevent AP01 & AP02 from talking to anything else on their eth0 interface other than their client?