he-ipv6 + nftables

Setting up the local network, connecting to other computers and services.
frankw
Posts: 172
Registered: 24.10.2018 11:34:33

he-ipv6 + nftables

Post by frankw » 04.10.2024 13:43:31

Hello,

I'm currently trying to get my HE IPv6 tunnel working... the IP registered at HE is current, I have (hopefully) enabled everything in the nftables firewall (protocol 41+47 and icmpv6), hopefully all modules are loaded (gre+ip_gre), I can ping the IPv4 gateway but not the IPv6 gateway (the local IPv6 address does respond, though).

I created the network config via systemd, but I also tested defining the sit interface manually. I bound the he-ipv6 interface to lanbr0 so that it is brought up automatically at boot... the local IPv4 address is also the one of lanbr0.

In a tcpdump on he-ipv6 I see the echo requests, but no echo reply. On lanbr0 or on ppp8 I don't see any GRE packets.

Does anyone have an idea? Shouldn't I at least see the GRE packets on the LAN interface? As a test I also disabled nftables completely, with the same result.

Code:

# ip a s he-ipv6
30: he-ipv6@lanbr0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1452 qdisc noqueue state UNKNOWN group default qlen 1000
    link/sit 192.168.0.11 peer 216.66.86.114
    inet6 2001:...::2/64 scope global 
       valid_lft forever preferred_lft forever

Code:

...
        chain input {
                type filter hook input priority filter; policy drop;
                iifname "lo" accept comment "accept loopback"
                limit rate 5/second icmp type { echo-reply, echo-request } accept comment "limit icmp to 5/s"
                tcp dport 22 limit rate 10/second accept comment "limit SSH"
                ct state { established, related } accept comment "allow connections initiated"
                iifname { "wlan0", "wlan1", "lanbr0" } accept comment "allow traffic from internal interfaces"
                tcp sport 20 ct state established,related accept comment "allow active/passive FTP"
                ip protocol { ipv6, gre } accept
                ip6 nexthdr { ipv6, gre } accept
                ip6 nexthdr ipv6-icmp accept
                iifname "lxcbr0" accept comment "allow LXC"
                udp dport 1195 accept comment "allow local vpn"
                iifname "tun0" accept comment "accept from openvpn"
                jump PortKnock
                goto rejectlog
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state invalid counter packets 532 bytes 54876 drop comment "early drop of invalid packets"
                oifname { "wan", "ppp8", "ppp9" } tcp flags syn tcp option maxseg size set rt mtu
                ct state vmap { established : jump forward-known, related : jump forward-known, new : jump forward-new }
                iifname "lxcbr0" accept comment "allow from LXC"
                oifname "lxcbr0" accept comment "allow to LXC"
                iifname "tun0" accept comment "allow from VPN"
                goto rejectlog
        }

        chain forward-new {
                jump blocking
                iifname { "wlan0", "wlan1", "lanbr0" } oifname { "wlan0", "wlan1", "lanbr0" } accept comment "allow int => int"
                iifname { "wlan0", "wlan1", "lanbr0" } oifname { "wan", "ppp8", "ppp9" } accept comment "allow int => ext"
                iifname { "wan", "ppp8", "ppp9" } oifname { "wlan0", "wlan1", "lanbr0" } ct state established,related accept comment "allow ext => int (only established/related)"
                udp dport 9 accept comment "allow WOL"
                ip6 nexthdr ipv6-icmp accept
                ip protocol { ipv6, gre } accept
                ip6 nexthdr { ipv6, gre } accept
        }
...

Regards, Frank

debra
Posts: 25
Registered: 27.09.2024 03:12:18

Re: he-ipv6 + nftables

Post by debra » 07.10.2024 17:51:19

I'd bet 10:1 that, as always, the error is hiding in the truncated output.
ip r would also be interesting. Even if I suspect there's no error there, it helps a lot with understanding.

frankw
Posts: 172
Registered: 24.10.2018 11:34:33

Re: he-ipv6 + nftables

Post by frankw » 08.10.2024 17:15:31

Code:

# ip r
default dev ppp8 scope link 
10.0.3.0/24 via 192.168.0.10 dev lanbr0 proto static onlink 
10.0.4.0/24 dev lxcbr0 proto kernel scope link src 10.0.4.1 
10.0.9.0/24 dev tun0 proto kernel scope link src 10.0.9.1 
157.180.224.1 dev ppp8 proto kernel scope link src a.b.c.d 
172.21.192.1 dev ppp9 proto kernel scope link src w.x.y.z 
192.168.0.0/24 dev lanbr0 proto kernel scope link src 192.168.0.11 
192.168.10.0/24 via 192.168.0.10 dev lanbr0 proto static onlink 
192.168.11.0/24 via 192.168.0.10 dev lanbr0 proto static onlink 
192.168.25.0/24 dev wlan0 proto kernel scope link src 192.168.25.11 
192.168.26.0/24 dev wlan1 proto kernel scope link src 192.168.26.11 
# ip -6 r
2001:aaa:bb:ccc::/64 dev he-ipv6 proto kernel metric 256 pref medium
fe80::/64 dev wan.140 proto kernel metric 256 pref medium
fe80::/64 dev wan.110 proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev lanbr0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev vethbmsQMG proto kernel metric 256 pref medium
fe80::/64 dev lxcbr0 proto kernel metric 256 pref medium
fe80::/64 dev veth621qCe proto kernel metric 256 pref medium
default via 2001:aa:bb:ccc::1 dev he-ipv6 proto static metric 1024 pref medium
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1504 qdisc mq state UP group default qlen 1000
    link/ether da:ce:39:20:07:5a brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 5e:d8:16:a7:14:51 brd ff:ff:ff:ff:ff:ff
4: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
5: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 08:22:33:44:55:78 brd ff:ff:ff:ff:ff:ff permaddr da:ce:39:20:07:5a
    inet6 fe80::a22:33ff:fe44:5578/64 scope link 
       valid_lft forever preferred_lft forever
6: lan0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lanbr0 state UP group default qlen 1000
    link/ether da:ce:39:20:07:5a brd ff:ff:ff:ff:ff:ff
7: lan1@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master lanbr0 state DOWN group default qlen 1000
    link/ether da:ce:39:20:07:5a brd ff:ff:ff:ff:ff:ff
8: lan2@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master lanbr0 state LOWERLAYERDOWN group default qlen 1000
    link/ether da:ce:39:20:07:5a brd ff:ff:ff:ff:ff:ff
9: lan3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lanbr0 state UP group default qlen 1000
    link/ether da:ce:39:20:07:5a brd ff:ff:ff:ff:ff:ff
10: lan4@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether da:ce:39:20:07:5a brd ff:ff:ff:ff:ff:ff
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0c:43:26:60:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.25.11/24 brd 192.168.25.255 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:43ff:fe26:6000/64 scope link 
       valid_lft forever preferred_lft forever
12: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 82:0c:43:26:60:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.26.11/24 brd 192.168.26.255 scope global wlan1
       valid_lft forever preferred_lft forever
    inet6 fe80::800c:43ff:fe26:6000/64 scope link 
       valid_lft forever preferred_lft forever
13: lanbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ba:5a:10:d0:0d:fe brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.11/24 brd 192.168.0.255 scope global lanbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::b85a:10ff:fed0:dfe/64 scope link 
       valid_lft forever preferred_lft forever
14: wan.140@wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 02:12:02:03:04:08 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::12:2ff:fe03:408/64 scope link 
       valid_lft forever preferred_lft forever
15: wan.110@wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 02:12:02:03:04:07 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::12:2ff:fe03:407/64 scope link 
       valid_lft forever preferred_lft forever
16: lxcbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 10.0.4.1/24 brd 10.0.4.255 scope global lxcbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe00:0/64 scope link 
       valid_lft forever preferred_lft forever
17: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1300 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.0.9.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::3ac5:f4a7:a520:d8e9/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
19: ppp9: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp 
    inet a.b.c.d peer 172.21.192.1/32 scope global ppp9
       valid_lft forever preferred_lft forever
20: vethbmsQMG@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxcbr0 state UP group default qlen 1000
    link/ether fe:4b:d9:d3:ce:9d brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::fc4b:d9ff:fed3:ce9d/64 scope link 
       valid_lft forever preferred_lft forever
21: veth621qCe@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxcbr0 state UP group default qlen 1000
    link/ether fe:df:c8:4e:32:bc brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::fcdf:c8ff:fe4e:32bc/64 scope link 
       valid_lft forever preferred_lft forever
25: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
26: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
27: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
30: he-ipv6@lanbr0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1452 qdisc noqueue state UNKNOWN group default qlen 1000
    link/sit 192.168.0.11 peer 216.66.86.114
    inet6 2001:xxx:yy:zzz::2/64 scope global 
       valid_lft forever preferred_lft forever
34: ppp8: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp 
    inet w.x.y.z peer 157.180.224.1/32 scope global ppp8
       valid_lft forever preferred_lft forever
IPv4 internet works, and I can also ping the peer IP... at the moment I'm puzzled by interfaces 25, 26 and 27, which I did not create like that (at least not knowingly; possibly through my tests with the gre and ip_gre modules).

Here is my complete firewall (the portknock ports changed, of course)... my internet interface is ppp8 (default route).

Code:

# nft list ruleset
table inet filter {
	set icmpv6_types {
		type icmpv6_type
		elements = { destination-unreachable,
			     packet-too-big,
			     time-exceeded,
			     parameter-problem,
			     echo-request,
			     echo-reply,
			     nd-router-solicit,
			     nd-router-advert,
			     nd-neighbor-solicit,
			     nd-neighbor-advert }
	}

	set clients_ipv4 {
		type ipv4_addr
		size 65535
		flags dynamic,timeout
	}

	set candidates_ipv4 {
		type ipv4_addr . inet_service
		size 65535
		flags dynamic,timeout
	}

	flowtable f {
		hook ingress priority filter
		devices = { lan0, lan1, lan2, lan3, wan }
		flags offload
	}

	chain blocking {
		oifname { "wan", "ppp8", "ppp9" } ip saddr { 192.168.0.100-192.168.0.254, 192.168.25.100-192.168.25.254, 192.168.26.100-192.168.26.254 } reject with icmp port-unreachable comment "block internal ip ranges to have only internal access"
		oifname "ppp8" ip saddr 192.168.0.9 reject with icmp port-unreachable comment "Block internet-access for cisco switch"
	}

	chain input {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept comment "accept loopback"
		limit rate 5/second icmp type { echo-reply, echo-request } accept comment "limit icmp to 5/s"
		tcp dport 22 limit rate 10/second accept comment "limit SSH"
		ct state { established, related } accept comment "allow connections initiated"
		iifname { "wlan0", "wlan1", "lanbr0" } accept comment "allow traffic from internal interfaces"
		tcp sport 20 ct state established,related accept comment "allow active/passive FTP"
		ip protocol { ipv6, gre } accept
		ip6 nexthdr { ipv6, gre } accept
		ip6 nexthdr ipv6-icmp accept
		iifname "lxcbr0" accept comment "allow LXC"
		udp dport 1194 accept comment "allow local vpn"
		iifname "tun0" accept comment "accept from openvpn"
		jump PortKnock
		goto rejectlog
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state invalid counter packets 38363 bytes 4311142 drop comment "early drop of invalid packets"
		oifname { "wan", "ppp8", "ppp9" } tcp flags syn tcp option maxseg size set rt mtu
		ct state vmap { established : jump forward-known, related : jump forward-known, new : jump forward-new }
		iifname "lxcbr0" accept comment "allow from LXC"
		oifname "lxcbr0" accept comment "allow to LXC"
		iifname "tun0" accept comment "allow from VPN"
		goto rejectlog
	}

	chain forward-new {
		jump blocking
		iifname { "wlan0", "wlan1", "lanbr0" } oifname { "wlan0", "wlan1", "lanbr0" } accept comment "allow int => int"
		iifname { "wlan0", "wlan1", "lanbr0" } oifname { "wan", "ppp8", "ppp9" } accept comment "allow int => ext"
		iifname { "wan", "ppp8", "ppp9" } oifname { "wlan0", "wlan1", "lanbr0" } ct state established,related accept comment "allow ext => int (only established/related)"
		udp dport 9 accept comment "allow WOL"
		ip6 nexthdr ipv6-icmp accept
		ip protocol { ipv6, gre } accept
		ip6 nexthdr { ipv6, gre } accept
	}

	chain forward-known {
		ct state established flow add @f counter packets 486999 bytes 73195915
		accept
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}

	chain PortKnock {
		tcp dport 111 add @candidates_ipv4 { ip saddr . 494 timeout 1s }
		tcp dport 222 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 587 timeout 1s }
		tcp dport 333 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 900 timeout 1s }
		tcp dport 444 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 { ip saddr timeout 10s } log prefix "Successful v4 portknock: "
		tcp dport 22 ip saddr @clients_ipv4 ct count 5 counter packets 0 bytes 0 accept comment "ratelimited guarded ports"
		tcp dport 22 ct state established,related counter packets 0 bytes 0 accept
		iifname { "wan", "ppp8", "ppp9" } tcp dport 22 counter packets 58 bytes 3176 reject with tcp reset
	}

	chain rejectlog {
		reject
	}
}
table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifname { "wan", "ppp8", "ppp9" } masquerade comment "NAT on all external interfaces"
	}
}
table ip filter {
	chain nat-pre {
		type nat hook prerouting priority dstnat; policy accept;
		udp dport 9 dnat to 192.168.0.254:9 comment "forwarding WOL to ARP broadcaster-IP, needs additional ARP-Command"
		iifname != "ppp8" fib daddr type local tcp dport 443 dnat to 10.0.4.10:443 comment "allow https forwarding to lxc except wan"
		iifname != "ppp8" fib daddr type local tcp dport 80 dnat to 10.0.4.10:80 comment "allow http forwarding to LXC except wan"
		fib daddr type local tcp dport 21027 dnat to 10.0.4.10:21027 comment "forward syncthing discovery"
		fib daddr type local tcp dport 22000 dnat to 10.0.4.10:22000 comment "forward syncthing listening"
		iifname "lanbr0" tcp dport 8384 dnat to 10.0.4.10:8384
		udp dport { 5104-5120, 5160-5162 } dnat to 192.168.0.8 comment "forward SIP+RTP to VOIP-Box"
	}

	chain mangle-pre {
		type filter hook prerouting priority mangle; policy accept;
		tcp flags != syn / fin,syn,rst,ack ct state new counter packets 7812 bytes 1433473 drop
		tcp flags fin,syn / fin,syn drop comment "new and sending FIN"
		tcp flags syn,rst / syn,rst drop comment "new and reset"
		tcp flags & (fin | syn | rst | psh | ack | urg) < fin drop comment "0 attack"
		tcp flags fin,psh,urg / fin,syn,rst,psh,ack,urg drop comment "x-mas attack"
		tcp flags syn / fin,syn,rst,ack limit rate over 10/second burst 20 packets counter packets 3049 bytes 179819 drop comment "syn-flooding"
	}

	chain mangle-input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle-forward {
		type filter hook forward priority mangle; policy accept;
	}

	chain mangle-output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle-post {
		type filter hook postrouting priority mangle; policy accept;
		oifname { "wan", "ppp8", "ppp9" } ip protocol udp ip saddr 192.168.0.8 meta mark set 0x00000001 comment "mark voip-traffic for route/rule/QoS"
	}
}

debra
Posts: 25
Registered: 27.09.2024 03:12:18

Re: he-ipv6 + nftables

Post by debra » 10.10.2024 19:39:24

I would probably have lost that bet, then. Or at least I don't see where the error is.

Could you check whether packets arrive here:
ip protocol { ipv6, gre } accept
You can attach a counter to that rule.
Perhaps the same rule again in output. It is accepted anyway, but just to see whether anything happens, to narrow the problem down.
Alternatively, have a look with Wireshark.

frankw
Posts: 172
Registered: 24.10.2018 11:34:33

Re: he-ipv6 + nftables

Post by frankw » 11.10.2024 18:24:26

I have already tried wireshark and tcpdump... on he-ipv6 I see my echo requests, on lanbr0/ppp8 I see no GRE packets.

Code:

# tcpdump -i ppp8 proto gre
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ppp8, link-type LINUX_SLL (Linux cooked v1), snapshot length 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

# tcpdump -i lanbr0 proto gre
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lanbr0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
What I do see with the counters, though, is that packets go out in output, but nothing in input/forward.

Code:

        chain input {
                type filter hook input priority filter; policy drop;
                iifname "lo" accept comment "accept loopback"
                limit rate 5/second icmp type { echo-reply, echo-request } accept comment "limit icmp to 5/s"
                tcp dport 22 limit rate 10/second accept comment "limit SSH"
                ct state { established, related } accept comment "allow connections initiated"
                iifname { "wlan0", "wlan1", "lanbr0" } accept comment "allow traffic from internal interfaces"
                tcp sport 20 ct state established,related accept comment "allow active/passive FTP"
                ip protocol { ipv6, gre } counter packets 0 bytes 0 accept
                ip6 nexthdr { ipv6, gre } counter packets 0 bytes 0 accept
                ip6 nexthdr ipv6-icmp counter packets 0 bytes 0 accept
                iifname "lxcbr0" accept comment "allow LXC"
                udp dport 1195 accept comment "allow local vpn"
                iifname "tun0" accept comment "accept from openvpn"
                jump PortKnock
                goto rejectlog
        }

        chain forward-new {
                jump blocking
                iifname { "wlan0", "wlan1", "lanbr0" } oifname { "wlan0", "wlan1", "lanbr0" } accept comment "allow int => int"
                iifname { "wlan0", "wlan1", "lanbr0" } oifname { "wan", "ppp8", "ppp9" } accept comment "allow int => ext"
                iifname { "wan", "ppp8", "ppp9" } oifname { "wlan0", "wlan1", "lanbr0" } ct state established,related accept comment "allow ext => int (only established/related)"
                udp dport 9 accept comment "allow WOL"
                ip6 nexthdr ipv6-icmp counter packets 0 bytes 0 accept
                ip protocol { ipv6, gre } counter packets 0 bytes 0 accept
                ip6 nexthdr { ipv6, gre } counter packets 0 bytes 0 accept
        }

        chain output {
                type filter hook output priority filter; policy accept;
                ip protocol { ipv6, gre } counter packets 31 bytes 3844 accept
        }

frankw
Posts: 172
Registered: 24.10.2018 11:34:33

Re: he-ipv6 + nftables

Post by frankw » 26.10.2024 19:11:51

No ideas?

As it looks, the packets do go out on the ppp interface as well

Code:

tcpdump -nvvvX -i any proto 41
...
19:02:53.738251 ppp8  Out IP (tos 0x0, ttl 64, id 9170, offset 0, flags [DF], proto IPv6 (41), length 124)
    192.168.0.11 > 216.66.86.114: IP6 (flowlabel 0x1788f, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:470:6c:5cd::2 > 2001:470:6c:5cd::1: [icmp6 sum ok] ICMP6, echo request, id 21924, seq 8
        0x0000:  4500 007c 23d2 4000 4029 271f c0a8 000b  E..|#.@.@)'.....
        0x0010:  d842 5672 6001 788f 0040 3a40 2001 0470  .BVr`.x..@:@...p
        0x0020:  006c 05cd 0000 0000 0000 0002 2001 0470  .l.............p
        0x0030:  006c 05cd 0000 0000 0000 0001 8000 ede3  .l..............
        0x0040:  55a4 0008 bd20 1d67 0000 0000 4243 0b00  U......g....BC..
        0x0050:  0000 0000 1011 1213 1415 1617 1819 1a1b  ................
        0x0060:  1c1d 1e1f 2021 2223 2425 2627 2829 2a2b  .....!"#$%&'()*+
        0x0070:  2c2d 2e2f 3031 3233 3435 3637            ,-./01234567
I also double-checked the IP of the HE server and my own.

In the firewall I see no IPv6 packets in the input chain

Code:

        chain input {
                type filter hook input priority filter; policy drop;
                ...
                ip protocol { ipv6, gre } counter packets 0 bytes 0 accept
                ip6 nexthdr { ipv6, gre } counter packets 0 bytes 0 accept
                ip6 nexthdr ipv6-icmp counter packets 0 bytes 0 accept
while I do see them in the output chain

Code:

        chain output {
                type filter hook output priority filter; policy accept;
                ip protocol { ipv6, gre } counter packets 45 bytes 5580 accept
        }
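The hex dump in the capture above can be checked offline. The following Python script is an added example and not code from the thread: it reassembles the tcpdump -X lines posted above, verifies the outer IPv4 header checksum, confirms that the payload is protocol 41 (IPv6 in IPv4), decodes the inner IPv6 header and the ICMPv6 echo request, and flags that the outer source address is an RFC 1918 address, which the masquerade rule on ppp8 rewrites on the way out.

```python
import ipaddress
import re
import struct

# Hex dump copied from the tcpdump -X capture posted in the thread
# (outer IPv4 header, protocol 41, carrying an ICMPv6 echo request).
TCPDUMP_HEX = """\
        0x0000:  4500 007c 23d2 4000 4029 271f c0a8 000b  E..|#.@.@)'.....
        0x0010:  d842 5672 6001 788f 0040 3a40 2001 0470  .BVr`.x..@:@...p
        0x0020:  006c 05cd 0000 0000 0000 0002 2001 0470  .l.............p
        0x0030:  006c 05cd 0000 0000 0000 0001 8000 ede3  .l..............
        0x0040:  55a4 0008 bd20 1d67 0000 0000 4243 0b00  U......g....BC..
        0x0050:  0000 0000 1011 1213 1415 1617 1819 1a1b  ................
        0x0060:  1c1d 1e1f 2021 2223 2425 2627 2829 2a2b  .....!"#$%&'()*+
        0x0070:  2c2d 2e2f 3031 3233 3435 3637            ,-./01234567
"""

# Hex column of a tcpdump -X line: groups of four hex digits separated by a
# single space; the ASCII column follows after two spaces, so the repeat stops.
_HEX_LINE = re.compile(r"^\s*0x[0-9a-f]+:\s+((?:[0-9a-f]{4}\s?)+)", re.I)


def parse_tcpdump_hex(dump: str) -> bytes:
    """Reassemble raw packet bytes from tcpdump -X output."""
    raw = bytearray()
    for line in dump.splitlines():
        m = _HEX_LINE.match(line)
        if m:
            raw += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(raw)


def ipv4_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the whole header (checksum included) must be 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_sit_packet(pkt: bytes) -> dict:
    """Decode outer IPv4 + inner IPv6 (+ ICMPv6 echo) of a SIT / proto-41 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 41:
        raise ValueError(f"outer protocol is {proto}, expected 41 (IPv6 in IPv4)")
    src_addr = ipaddress.IPv4Address(src)
    outer = {
        "src": str(src_addr), "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto, "ttl": ttl, "id": ident, "total_len": total_len,
        "checksum_ok": ipv4_checksum_ok(pkt[:ihl]),
        # An RFC 1918 outer source is rewritten by masquerade on the way out,
        # so the remote tunnel endpoint never sees this address.
        "src_is_private": src_addr.is_private,
    }
    inner = pkt[ihl:total_len]
    if len(inner) < 40:
        raise ValueError("truncated inner IPv6 header")
    vtf, plen, nh, hlim, isrc, idst = struct.unpack("!IHBB16s16s", inner[:40])
    if vtf >> 28 != 6:
        raise ValueError("inner packet is not IPv6")
    info = {"outer": outer, "inner": {
        "src": str(ipaddress.IPv6Address(isrc)), "dst": str(ipaddress.IPv6Address(idst)),
        "flow_label": vtf & 0xFFFFF, "payload_len": plen, "next_header": nh, "hop_limit": hlim}}
    if nh == 58 and len(inner) >= 48:  # ICMPv6: type, code, checksum, id, seq
        itype, icode, _ics, iid, iseq = struct.unpack("!BBHHH", inner[40:48])
        info["icmpv6"] = {"type": itype, "code": icode, "id": iid, "seq": iseq}
    return info


if __name__ == "__main__":
    import json
    print(json.dumps(decode_sit_packet(parse_tcpdump_hex(TCPDUMP_HEX)), indent=2))
```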

frankw
Posts: 172
Registered: 24.10.2018 11:34:33

Re: he-ipv6 + nftables

Post by frankw » 28.10.2024 13:39:02

I created the tunnel with my public IPv4 address, and with that it works; with the LAN IP it doesn't... but I did have that running at some point before... tunnelbroker.net definitely knows my public IP via the update mechanism.

So apparently it is not an nftables problem.

Something else I noticed: when I create the tunnel manually, "ip a" shows he-ipv6@NONE... shouldn't lanbr0 (which has the local IPv4 assigned) appear there? If so, how do I establish that association?

I restarted systemd-networkd after deleting the interface; now it shows @lanbr0, but I no longer see any traffic of type ipv6 (proto 41)... not even the echo requests on he-ipv6 or packets to the sit gateway any more.
