Root.cz Forum
Main topics => Networks => Topic started by: Jigdo 18. 01. 2021, 13:58:47
-
Hello,
technical support at UVT is lagging behind and for a few months now I have been trying to set up
IPv6 on a MikroTik hEX S | RB760iGS router that I have connected to the Terminator from UVT.
I wrote to them and called, but nobody there is able to advise how to set it up.
They refer me to the MikroTik pages .....
https://wiki.mikrotik.com/wiki/Manual:IPv6/DHCP_Client
Here is the procedure I configured.
#1
!interface=pppoe-out
!pool-prefix-length=64
/ipv6 dhcp-client add add-default-route=yes request=prefix pool-name="ipv6" pool-prefix-length=64 interface=pppoe-out
I received 2a03:c20:803:xxxx::/56, the site prefix/subnet ID /56 that UVT assigned me.
#2
!interface=bridge
!from-pool="ipv6"
/ipv6 address add address=::1 from-pool="ipv6" interface=bridge eui-64=no advertise=yes
Now all the PCs connected to the hEX S | RB760iGS router came up with IPv6 addresses 2a03:c20:803:xxxx::/64
#3
I generated a ULA from this page
https://www.ultratools.com/tools/rangeGenerator
Global ID: 2a03c20803
Subnet ID: xxxx
/ipv6 address add address=fdxx:xxxx:xxx:xxx::/64 interface=bridge eui-64=no advertise=yes
All PCs connected to the hEX S | RB760iGS router got a local IPv6 fdxx ....
#4
/ipv6 route add dst-address=::/0 gateway=pppoe-out
ping6 to an IPv6 address works on the devices connected to the router (RaspberryPi/Windows 10),
but websites that are on IPv6 do not (Windows 10). test-ipv6.cz does not show the IPv6 address (0/10 score).
SSH from the RaspberryPi outwards works everywhere over IPv6, but I cannot get in to the same address :(
I can connect to the router over IPv6 via SSH and WinBox without problems.
#5 - I am also attaching the firewall configuration, in case the error happens to be there:
/ipv6 firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related log=no log-prefix=""
1 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
2 ;;; defconf: accept ICMPv6
chain=input action=accept protocol=icmpv6
3 ;;; defconf: accept UDP traceroute
chain=input action=accept protocol=udp port=33434-33534
4 ;;; defconf: accept DHCPv6-Client prefix delegation.
chain=input action=accept protocol=udp src-address=fe80::/10 dst-port=546
5 ;;; defconf: accept IKE
chain=input action=accept protocol=udp dst-port=500,4500
6 ;;; defconf: accept ipsec AH
chain=input action=accept protocol=ipsec-ah
7 ;;; defconf: accept ipsec ESP
chain=input action=accept protocol=ipsec-esp
8 ;;; allow SSH
chain=input action=accept protocol=tcp src-address-list=allow-to-router dst-port=22 log=yes log-prefix=""
9 ;;; allow WinBOX
chain=input action=accept protocol=tcp src-address-list=allow-to-router dst-port=8291 log=yes log-prefix=""
10 ;;; defconf: accept all that matches ipsec policy
chain=input action=accept ipsec-policy=in,ipsec
11 ;;; defconf: drop everything else not coming from LAN
chain=input action=drop in-interface-list=!LAN
12 ;;; defconf: accept established,related,untracked
chain=forward action=accept connection-state=established,related log=no log-prefix=""
13 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
14 ;;; defconf: drop packets with bad src ipv6
chain=forward action=drop src-address-list=bad_ipv6
15 ;;; defconf: drop packets with bad dst ipv6
chain=forward action=drop dst-address-list=bad_ipv6
16 ;;; defconf: rfc4890 drop hop-limit=1
chain=forward action=drop protocol=icmpv6 hop-limit=equal:1
17 ;;; defconf: accept ICMPv6
chain=forward action=accept protocol=icmpv6
18 ;;; defconf: accept HIP
chain=forward action=accept protocol=139
19 ;;; defconf: accept IKE
chain=forward action=accept protocol=udp dst-port=500,4500
20 ;;; defconf: accept ipsec AH
chain=forward action=accept protocol=ipsec-ah
21 ;;; defconf: accept ipsec ESP
chain=forward action=accept protocol=ipsec-esp
22 ;;; defconf: accept all that matches ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
23 ;;; allow SSH
chain=forward action=accept protocol=tcp dst-address=2a03:c20:803:xxxx:xxxx:xxxx:xxxx:afc/128 src-address-list=allow-to-router dst-port=22 log=yes log-prefix=""
24 ;;; allow SSH
chain=forward action=accept protocol=tcp dst-address=2a03:c20:803:xxxx:xxxx:xxxx:xxxx:c3f8/128 src-address-list=allow-to-router dst-port=22 log=yes log-prefix=""
25 ;;; defconf: drop everything else not coming from LAN
chain=forward action=drop in-interface-list=!LAN
Does anyone here see an error anywhere?
-
What generated those firewall rules? It may be too complicated.
Moreover, the rule at the very end, i.e.:
25 ;;; defconf: drop everything else not coming from LAN
chain=forward action=drop in-interface-list=!LAN
drops everything that does not come from the LAN. But what does the LAN interface list look like?
What does an ICMPv6 traceroute (traceroute6 -I) to 2001:4860:4860::8888 look like?
What does an ICMPv6 traceroute (traceroute6 -I) from outside to that Raspberry look like? (HE has an ICMPv6 traceroute at http://lg.he.net/)
What happens when you disable all the DROP rules in the firewall (for both input and forward) and reinitialize the PPPoE connection?
-
Does anyone here see an error anywhere?
Nope. Enable logging for all the drop rules there and watch the log for what gets dropped and whether it even reached you.
-
What generated those firewall rules? It may be too complicated.
Moreover, the rule at the very end, i.e.:
25 ;;; defconf: drop everything else not coming from LAN
chain=forward action=drop in-interface-list=!LAN
drops everything that does not come from the LAN. But what does the LAN interface list look like?
What does an ICMPv6 traceroute (traceroute6 -I) to 2001:4860:4860::8888 look like?
What does an ICMPv6 traceroute (traceroute6 -I) from outside to that Raspberry look like? (HE has an ICMPv6 traceroute at http://lg.he.net/)
What happens when you disable all the DROP rules in the firewall (for both input and forward) and reinitialize the PPPoE connection?
LAN=bridge
WAN=ether1 (pppoe-out)
Bridge = ether2,3,4,5,sfp1
I disabled all the DROP rules in IPv6 [input/forward] and restarted the router (reinitializing the PPPoE connection is out of the question,
I do not have access to that device at the moment).
The firewall says the connection to the RaspberryPi's SSH port is "established" but after a while the console shows:
"Connection closed by 2a03:c20:803:xxxx:xxxx:xxxx:xxxx:xxxx port xx"
The Windows 10 PC still sees no IPv6 connectivity .........
From the MikroTik I can reach the RPi via
/system ssh 2a03:c20:803:xxxx:xxxx:xxxx:xxxx:xxxx user=pi
but the fd and fe addresses do not work ..... at least the fd one should ........ but it does not work .......
$ sudo traceroute6 -I 2001:4860:4860::8888
traceroute to 2001:4860:4860::8888 (2001:4860:4860::8888), 30 hops max, 80 byte packets
1 2a03:c20:803:xxxx::xxxx (2a03:c20:803:xxxx::xxxx) 0.394 ms 0.368 ms 0.396 ms
2 * * *
3 * * *
4 2a03:c20:ce::1 (2a03:c20:ce::1) 14.878 ms 14.913 ms 14.874 ms
5 2a00:1238:0:160::2 (2a00:1238:0:160::2) 15.166 ms 15.174 ms 15.138 ms
6 2001:4860:0:101a::1 (2001:4860:0:101a::1) 15.154 ms 14.580 ms 14.696 ms
7 2001:4860:0:1::1dff (2001:4860:0:1::1dff) 14.599 ms 14.299 ms 14.416 ms
8 dns.google (2001:4860:4860::8888) 13.977 ms 14.042 ms 14.050 ms
core1.prg1.he.net> traceroute ipv6 2a03:c20:803:xxxx:xxxx:xxxx:xxxx:xxxx source 2001:470:0:212::1 numeric Target 2a03:c20:803:xxxx:xxxx:xxxx:xxxx:xxxx
Hop Start 1
Hop End 30
Hop Packet 1 Packet 2 Packet 3 Hostname
1 71 ms <1 ms <1 ms nix-ipv6.2connect.cz (2001:7f8:14::24:1)
2 <1 ms <1 ms <1 ms 2a03:c20:ce::2
3 * * * ?
4 14 ms 14 ms 14 ms 2a03:c20:803:xxxx::xxxx
5 25 ms 14 ms 15 ms 2a03:c20:803:xxxx:xxxx:xxxx:xxxx:xxxx
-
The MikroTik is on version 6.48 stable ......
-
So I managed to solve the SSH problem.
It occurred to me that ssh can be debugged with the -vvvvvvvvv parameter
and it got stuck at:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
The first search result on StackExchange mentions something about MTU, so I tried it with this command....
ssh -o MACs=hmac-sha2-256 pi@2a03:c20:803:xxxx:xxxx:xxxx:xxxx:xxxx
and it works ...........
Here is the interface configuration:
hEX S] > interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R ;;; Terminator - ZYXEL VMG4005-B60A
name="ether1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 max-l2mtu=2026 mac-address=AA:BB:CC:DD:EE:EE last-link-up-time=jan/18/2021 21:14:26 link-downs=0
....
5 RS ;;; CSS106-1G-4P-1S <--> PoE Switch
name="sfp1" default-name="sfp1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 max-l2mtu=2026 mac-address=AA:BB:CC:DD:EE:EE last-link-up-time=jan/18/2021 21:14:25 link-downs=0
6 R ;;; vLAN.TV
name="VLAN.835.TV" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=1592 mac-address=AA:BB:CC:DD:EE:EE last-link-up-time=jan/18/2021 21:14:26 link-downs=0
7 R ;;; vLAN.NET
name="VLAN.848.NET" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=1592 mac-address=AA:BB:CC:DD:EE:EE last-link-up-time=jan/18/2021 21:14:26 link-downs=0
8 R ;;; defconf
name="bridge" type="bridge" mtu=auto actual-mtu=1500 l2mtu=1596 mac-address=AA:BB:CC:DD:EE:EE last-link-up-time=jan/18/2021 21:14:16 link-downs=0
9 R name="pppoe-out" type="pppoe-out" mtu=1480 actual-mtu=1480 last-link-up-time=jan/18/2021 21:14:30 link-downs=0
And here the VLANs:
hEX S] > interface vlan print detail
Flags: X - disabled, R - running
0 R ;;; vLAN.TV
name="VLAN.835.TV" mtu=1500 l2mtu=1592 mac-address=AA:BB:CC:DD:EE:EE arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m vlan-id=835 interface=ether1 use-service-tag=no
1 R ;;; vLAN.NET
name="VLAN.848.NET" mtu=1500 l2mtu=1592 mac-address=AA:BB:CC:DD:EE:EE arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m vlan-id=848 interface=ether1 use-service-tag=no
Doesn't that MTU have something to do with why IPv6 does not work?
And if I look at it, the pppoe is 1480 and shouldn't it be 1500 / or 1496??
I just looked in the logs and at home with my favourite ISP I have pppoe 1500:
2021-01-11T11:11:11.111111+00:00 clueless radius-auth: BBEU12345678 BT Accept 90.155.11.111 213.1.111.11#12345 ab123@a.1 i.gormless Via=21CN LCP-restart linerate=75916000/19999000 adjust=74524459(98.167%) MTU=1500
They have an interesting article on it here:
https://support.aa.net.uk/MTU
-
Update/Upgrade on the RPi over IPv6 also does not work
pi@RaspberryPi-4-2GB-1dot2-b03112:~ $ sudo apt update; sudo apt list --upgradable -a; sudo apt upgrade
Hit:1 http://deb.debian.org/debian buster-backports InRelease
Hit:2 http://raspbian.raspberrypi.org/raspbian buster InRelease
Err:3 http://archive.raspberrypi.org/debian buster InRelease
Connection failed [IP: 2a00:1098:80:56::2:1 80]
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
W: Failed to fetch http://archive.raspberrypi.org/debian/dists/buster/InRelease Connection failed [IP: 2a00:1098:80:56::2:1 80]
W: Some index files failed to download. They have been ignored, or old ones used instead.
Listing... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
linux-image-5.8.0-0.bpo.2-armmp-lpae
Use 'sudo apt autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
-
How do you have the MTU set in ND?
In the RA/ND settings set the same MTU as the PPPoE interface will have, i.e. it should also be 1480 (or rather identical to the MTU on the PPPoE). This RA/ND setting is usually forgotten on MikroTiks and then it misbehaves.
Example: https://twitter.com/zajdee/status/1316472498935005184?s=21
-
How do you have the MTU set in ND?
In the RA/ND settings set the same MTU as the PPPoE interface will have, i.e. it should also be 1480 (or rather identical to the MTU on the PPPoE). This RA/ND setting is usually forgotten on MikroTiks and then it misbehaves.
Example: https://twitter.com/zajdee/status/1316472498935005184?s=21
Solved.
/ipv6 nd set mtu=1480
Mr. Zajic, can I repay you somehow for your help?
Please send me a message.
Thanks.
-
And for completeness I am adding point 7
#7 - TCP MSS Clamping
/ipv6 firewall mangle print detail
/ipv6 firewall mangle add chain=postrouting action=change-mss new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn out-interface=pppoe-out
/ipv6 firewall mangle add chain=output action=change-mss new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn out-interface=pppoe-out
/ipv6 firewall mangle print detail
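An added check, not from this thread or from MikroTik, that applies the advice above to the `interface print detail` output posted earlier: it parses the actual-mtu of each interface, models what LAN hosts assume when the RA carries no MTU option (their 1500-byte link MTU, which is exactly the full-size packet that stalls the SSH key exchange and the HTTP fetches over the 1480-byte PPPoE link), and derives the `/ipv6 nd set mtu=` value and the IPv6 TCP MSS that the MSS clamp in point 7 effectively enforces. The sample output is a trimmed, constructed copy of the lines from the thread; the `nd_mtu=None` default is an assumption standing in for the RouterOS default of not advertising an MTU.

```python
import re

# Constructed sample, trimmed from the `interface print detail` output in the thread.
INTERFACE_PRINT = """\
0 R ;;; Terminator - ZYXEL VMG4005-B60A
name="ether1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596
8 R ;;; defconf
name="bridge" type="bridge" mtu=auto actual-mtu=1500 l2mtu=1596
9 R name="pppoe-out" type="pppoe-out" mtu=1480 actual-mtu=1480
"""

IPV6_HEADER = 40   # fixed IPv6 header, no extension headers
TCP_HEADER = 20    # TCP header without options


def parse_interfaces(text):
    """Map interface name -> actual-mtu from RouterOS `interface print detail` output."""
    mtus = {}
    for line in text.splitlines():
        name = re.search(r'name="([^"]+)"', line)       # first name= wins, before default-name=
        mtu = re.search(r'\bactual-mtu=(\d+)', line)
        if name and mtu:
            mtus[name.group(1)] = int(mtu.group(1))
    return mtus


def ipv6_tcp_mss(mtu):
    """Largest TCP segment that fits in one IPv6 packet of the given MTU."""
    return mtu - IPV6_HEADER - TCP_HEADER


def check_nd_mtu(mtus, wan="pppoe-out", lan="bridge", nd_mtu=None):
    """Compare the MTU LAN hosts will use with the WAN MTU.

    nd_mtu=None models an RA without an MTU option (assumed RouterOS default):
    hosts then fall back to their link MTU, i.e. the bridge's 1500, and emit
    packets the 1480-byte PPPoE link cannot carry unfragmented.
    Returns (ok, advertised_mtu, fix) where fix holds the values to configure.
    """
    wan_mtu = mtus[wan]
    advertised = nd_mtu if nd_mtu is not None else mtus[lan]
    if advertised <= wan_mtu:
        return True, advertised, {}
    # nd_mtu is what `/ipv6 nd set mtu=` should carry; tcp_mss is the value
    # `new-mss=clamp-to-pmtu` resolves to once the path MTU is the PPPoE MTU.
    return False, advertised, {"nd_mtu": wan_mtu, "tcp_mss": ipv6_tcp_mss(wan_mtu)}
```

Run it against a real `interface print detail` dump to see whether the router still advertises a larger MTU to the LAN than the PPPoE link can pass.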