IPv6 Router and NAT/connection tracking

IPv6 Router and NAT/connection tracking

[Internet Protocol version Six]

Hello all, I have a box that's configured as a firewall and router for IPv6, which is doing it's job fine, well, fine.., IPv6 connections keep timing out, they work for a second or 30 and then it timesout -> connections, ping6, traceroutes, ... from the Internet to the IPv6 address behind the router don't work anymore. Also if I do a ping6 or make a connection to a remote IPv6 host on the Internet it doesn't work, however if I ping6 the router from the network, everything works again...for about 30 seconds again, and then the problem begins again...

I was told that this is caused by NAT/connection tracking. Is there *any* solution to this? This is really annoying as I *need* NAT, but also want to give IPv6 connectivity to other machines on the LAN.
-----------------------------------------------------
Mail.be, WebMail and Virtual Office
http://www.mail.be

Re: IPv6 Router and NAT/connection tracking

[Joel Newkirk]

On Wed, 2003-06-18 at 17:05, Internet Protocol version Six wrote:
> Hello all, I have a box that's configured as a firewall 
> and router for IPv6, which is doing it's job fine, well, 
> fine.., IPv6 connections keep timing out, they work for 
> a second or 30 and then it timesout -> connections, 
> ping6, traceroutes, ... from the Internet to the IPv6 
> address behind the router don't work anymore. Also if I 
> do a ping6 or make a connection to a remote IPv6 host 
> on the Internet it doesn't work, however if I ping6 the 
> router from the network, everything works again...for 
> about 30 seconds again, and then the problem begins 
> again...
> 
> I was told that this is caused by NAT/connection 
> tracking. Is there *any* solution to this? This is 
> really annoying as I *need* NAT, but also want to give 
> IPv6 connectivity to other machines on the LAN.

Are you directly connected to an IPv6 router, or are you 
connecting via an ipv6_over_ipv4 tunnel of some sort?

If you are direct, then I think all you need to do is work
with ip6tables.  (not sure, not done this)

If you are using a tunnel, then that tunnel will either be
using a specific protocol or port number, which you could
explicitly ACCEPT in all directions to avoid conntrack
interference.  For example, tspc (freenet6.net) uses 
TCP 4343 to talk to the server to create the tunnel, and
the tunnel itself is protocol 41.

j

Re: IPv6 Router and NAT/connection tracking

[Internet Protocol version Six]

I'm connected via IPv6-in-IPv4 and I have a /48 assigned to this
box, and I want the box to act as a router for my machines which
it's doing nicely, only the conntrack thing is annoying the hell
outta me ;) Will that solve it (ACCEPTING in both directions)?

And so what you are saying is that I should do this?:
iptables -I INPUT -p 41 -j ACCEPT
iptables -I OUTPUT -p 41 -j ACCEPT
iptables -I PREROUTING -p 41 -j ACCEPT -> not sure about this one

or am I wrong/forgetting something? :)

Thanks for your help, greatly appreciated

> ----------------------------------------
> From: Joel Newkirk <netfilter@newkirk.us>
> Sent: Thu Jun 19 00:28:57 GMT+02:00 2003
> To: Internet Protocol version Six <inet6@mail.be>
> Subject: Re: IPv6 Router and NAT/connection tracking
> 
> 
> On Wed, 2003-06-18 at 17:05, Internet Protocol version Six wrote:
> > Hello all, I have a box that's configured as a firewall 
> > and router for IPv6, which is doing it's job fine, well, 
> > fine.., IPv6 connections keep timing out, they work for 
> > a second or 30 and then it timesout -> connections, 
> > ping6, traceroutes, ... from the Internet to the IPv6 
> > address behind the router don't work anymore. Also if I 
> > do a ping6 or make a connection to a remote IPv6 host 
> > on the Internet it doesn't work, however if I ping6 the 
> > router from the network, everything works again...for 
> > about 30 seconds again, and then the problem begins 
> > again...
> > 
> > I was told that this is caused by NAT/connection 
> > tracking. Is there *any* solution to this? This is 
> > really annoying as I *need* NAT, but also want to give 
> > IPv6 connectivity to other machines on the LAN.
> 
> Are you directly connected to an IPv6 router, or are you 
> connecting via an ipv6_over_ipv4 tunnel of some sort?
> 
> If you are direct, then I think all you need to do is work
> with ip6tables.  (not sure, not done this)
> 
> If you are using a tunnel, then that tunnel will either be
> using a specific protocol or port number, which you could
> explicitly ACCEPT in all directions to avoid conntrack
> interference.  For example, tspc (freenet6.net) uses 
> TCP 4343 to talk to the server to create the tunnel, and
> the tunnel itself is protocol 41.
> 
> j
> 
> 
> 
> 

-----------------------------------------------------
Mail.be, WebMail and Virtual Office
http://www.mail.be

Re: IPv6 Router and NAT/connection tracking

[Joel Newkirk]

On Wed, 2003-06-18 at 20:09, Internet Protocol version Six wrote:
> I'm connected via IPv6-in-IPv4 and I have a /48 assigned to this
> box, and I want the box to act as a router for my machines which
> it's doing nicely, only the conntrack thing is annoying the hell
> outta me ;) Will that solve it (ACCEPTING in both directions)?
> 
> And so what you are saying is that I should do this?:
> iptables -I INPUT -p 41 -j ACCEPT
> iptables -I OUTPUT -p 41 -j ACCEPT
> iptables -I PREROUTING -p 41 -j ACCEPT -> not sure about this one
> 
> or am I wrong/forgetting something? :)
> 
> Thanks for your help, greatly appreciated

AFAIK that is correct.  (however the PREROUTING one wouldn't work, would
need to be NAT table, and would be unnecessary anyway since that chain
is supposed to have an ACCEPT policy - NAT in NAT table, filter in
FILTER table)  The two rules, INPUT and OUTPUT, should overcome any
failure of the state machine to recognize intermittent tunnel traffic as
ESTABLISHED.

Regarding 'internal' ipv6 traffic within your network, I suspect you
should be using ip6tables there if needed.  (ip6tables won't see 6in4
tunnel traffic though, since the tunnel itself is IPv4)

I haven't configured my gateway as an ipv6 router yet, however.  I have
a single address ATM from freenet6.  When I get the chance to tinker (a
few weeks from now at least) I want to configure ipv6 on my desktop as
well as my server and see what there is to see.

j

Re: IPv6 Router and NAT/connection tracking

[Internet Protocol version Six]

Well, I just tried it, still the same, connections from the
routerbox itself to the Internet (like an IRC server) don't timeout,
but connections to the Internet from a machine on the network do
timeout after a 4 minutes or something and traceroutes to the address
of the machine on the network ends at the router, timing out.
And then I cannot establish a connection anymore unless I tracert6
from the networkmachine to a hostname on the Internet, doesn't even
matter which address I traceroute6 too, aslong as it's an Internet
address and then the whole thing works again..., repeating the same
problem again :(

> ----------------------------------------
> From: Joel Newkirk <netfilter@newkirk.us>
> Sent: Fri Jun 20 08:24:48 GMT+02:00 2003
> To: Internet Protocol version Six <inet6@mail.be>
> Subject: Re: IPv6 Router and NAT/connection tracking
> 
> 
> On Wed, 2003-06-18 at 20:09, Internet Protocol version Six wrote:
> > I'm connected via IPv6-in-IPv4 and I have a /48 assigned to this
> > box, and I want the box to act as a router for my machines which
> > it's doing nicely, only the conntrack thing is annoying the hell
> > outta me ;) Will that solve it (ACCEPTING in both directions)?
> > 
> > And so what you are saying is that I should do this?:
> > iptables -I INPUT -p 41 -j ACCEPT
> > iptables -I OUTPUT -p 41 -j ACCEPT
> > iptables -I PREROUTING -p 41 -j ACCEPT -> not sure about this one
> > 
> > or am I wrong/forgetting something? :)
> > 
> > Thanks for your help, greatly appreciated
> 
> AFAIK that is correct.  (however the PREROUTING one wouldn't work, would
> need to be NAT table, and would be unnecessary anyway since that chain
> is supposed to have an ACCEPT policy - NAT in NAT table, filter in
> FILTER table)  The two rules, INPUT and OUTPUT, should overcome any
> failure of the state machine to recognize intermittent tunnel traffic as
> ESTABLISHED.
> 
> Regarding 'internal' ipv6 traffic within your network, I suspect you
> should be using ip6tables there if needed.  (ip6tables won't see 6in4
> tunnel traffic though, since the tunnel itself is IPv4)
> 
> I haven't configured my gateway as an ipv6 router yet, however.  I have
> a single address ATM from freenet6.  When I get the chance to tinker (a
> few weeks from now at least) I want to configure ipv6 on my desktop as
> well as my server and see what there is to see.
> 
> j
> 
> 
> 
> 

-----------------------------------------------------
Mail.be, WebMail and Virtual Office
http://www.mail.be

IPv6 Router and NAT/connection tracking

[Internet Protocol version Six]

Hello all,

I have a box that's configured as a firewall/NAT (IPv4) and router
for IPv6, which is doing it's job fine, well, fine.., IPv6
connections keep timing out, they work for a second or 30 and then
it timesout -> connections, ping6, traceroutes, ... from the
Internet to the IPv6 address behind the router don't work anymore.
Also if I do a ping6 or make a connection to a remote IPv6 host on
the Internet it doesn't work, however if I ping6 the router from the
other machine, everything works again...for about 30 seconds to 5
minutes, and then the problem begins again...

I was told that this is caused by NAT/connection tracking. Is there
*any* solution to this? This is really annoying as I *need* NAT, but
also want to give IPv6 connectivity to other machines on the LAN.

Your help is greatly appreciated.

-Robby
-----------------------------------------------------
Mail.be, WebMail and Virtual Office
http://www.mail.be