I am experimenting with Yggdrasil and have run into a problem: IPv6 connectivity does not work between the router and the other devices on the network. Between the devices themselves (connected through the router) everything is fine: ping works, multicast discovery works, and so on.

The Keenetic has a USB flash drive plugged in with Debian installed according to the instructions, the IPv6 module has been added, and Yggdrasil itself, compiled manually for MIPS, starts and runs normally; only local discovery does not work. I have pretty much hit a dead end, so I am asking for help; this is some kind of mysticism.

I start a ping to the storage device:

# ping fe80::76d4:35ff:fe07:12e9%eth2.1
PING fe80::76d4:35ff:fe07:12e9%eth2.1(fe80::76d4:35ff:fe07:12e9%eth2.1) 56 data bytes
From fe80::5ef4:abff:fecf:f88%eth2.1 icmp_seq=1 Destination unreachable: Address unreachable
From fe80::5ef4:abff:fecf:f88%eth2.1 icmp_seq=2 Destination unreachable: Address unreachable
From fe80::5ef4:abff:fecf:f88%eth2.1 icmp_seq=3 Destination unreachable: Address unreachable
From fe80::5ef4:abff:fecf:f88%eth2.1 icmp_seq=4 Destination unreachable: Address unreachable

In parallel, I watch the traffic in tcpdump:

# tcpdump -ns 0 -i eth2.1 icmp6
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth2.1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:47:08.133306 IP6 fe80::5ef4:abff:fecf:f88 > ff02::1:ff07:12e9: ICMP6, neighbor solicitation, who has fe80::76d4:35ff:fe07:12e9, length 32
18:47:08.133487 IP6 fe80::76d4:35ff:fe07:12e9 > fe80::5ef4:abff:fecf:f88: ICMP6, neighbor advertisement, tgt is fe80::76d4:35ff:fe07:12e9, length 32
18:47:09.133236 IP6 fe80::5ef4:abff:fecf:f88 > ff02::1:ff07:12e9: ICMP6, neighbor solicitation, who has fe80::76d4:35ff:fe07:12e9, length 32
18:47:09.133510 IP6 fe80::76d4:35ff:fe07:12e9 > fe80::5ef4:abff:fecf:f88: ICMP6, neighbor advertisement, tgt is fe80::76d4:35ff:fe07:12e9, length 32
18:47:11.157229 IP6 fe80::5ef4:abff:fecf:f88 > ff02::1:ff07:12e9: ICMP6, neighbor solicitation, who has fe80::76d4:35ff:fe07:12e9, length 32
18:47:11.157364 IP6 fe80::76d4:35ff:fe07:12e9 > fe80::5ef4:abff:fecf:f88: ICMP6, neighbor advertisement, tgt is fe80::76d4:35ff:fe07:12e9, length 32
18:47:12.157406 IP6 fe80::5ef4:abff:fecf:f88 > ff02::1:ff07:12e9: ICMP6, neighbor solicitation, who has fe80::76d4:35ff:fe07:12e9, length 32
18:47:12.157546 IP6 fe80::76d4:35ff:fe07:12e9 > fe80::5ef4:abff:fecf:f88: ICMP6, neighbor advertisement, tgt is fe80::76d4:35ff:fe07:12e9, length 32
18:47:12.202065 IP6 fe80::76d4:35ff:fe07:12e9 > fe80::5ef4:abff:fecf:f88: ICMP6, neighbor solicitation, who has fe80::5ef4:abff:fecf:f88, length 32
18:47:13.157340 IP6 fe80::5ef4:abff:fecf:f88 > ff02::1:ff07:12e9: ICMP6, neighbor solicitation, who has fe80::76d4:35ff:fe07:12e9, length 32
18:47:13.157487 IP6 fe80::76d4:35ff:fe07:12e9 > fe80::5ef4:abff:fecf:f88: ICMP6, neighbor advertisement, tgt is fe80::76d4:35ff:fe07:12e9, length 32
18:47:13.226045 IP6 fe80::76d4:35ff:fe07:12e9 > fe80::5ef4:abff:fecf:f88: ICMP6, neighbor solicitation, who has fe80::5ef4:abff:fecf:f88, length 32
18:47:14.250330 IP6 fe80::76d4:35ff:fe07:12e9 > fe80::5ef4:abff:fecf:f88: ICMP6, neighbor solicitation, who has fe80::5ef4:abff:fecf:f88, length 32

That is, the device responds, but for some reason the Keenetic ignores the neighbor advertisement. It gets even more interesting when the ping goes (or rather, does not go) in the opposite direction, from the device to the router:

# ping fe80::5ef4:abff:fecf:f88%eth0
PING fe80::5ef4:abff:fecf:f88%eth0(fe80::5ef4:abff:fecf:f88%eth0) 56 data bytes
From fe80::76d4:35ff:fe07:12e9%eth0 icmp_seq=1 Destination unreachable: Address unreachable
From fe80::76d4:35ff:fe07:12e9%eth0 icmp_seq=2 Destination unreachable: Address unreachable
From fe80::76d4:35ff:fe07:12e9%eth0 icmp_seq=3 Destination unreachable: Address unreachable
From fe80::76d4:35ff:fe07:12e9%eth0 icmp_seq=4 Destination unreachable: Address unreachable
From fe80::76d4:35ff:fe07:12e9%eth0 icmp_seq=5 Destination unreachable: Address unreachable
From fe80::76d4:35ff:fe07:12e9%eth0 icmp_seq=6 Destination unreachable: Address unreachable

On the Keenetic the traffic looks like this:

# tcpdump -ns 0 -i eth2.1 icmp6
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth2.1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:50:06.009992 IP6 fe80::76d4:35ff:fe07:12e9 > ff02::1:ffcf:f88: ICMP6, neighbor solicitation, who has fe80::5ef4:abff:fecf:f88, length 32
18:50:07.016951 IP6 fe80::76d4:35ff:fe07:12e9 > ff02::1:ffcf:f88: ICMP6, neighbor solicitation, who has fe80::5ef4:abff:fecf:f88, length 32
18:50:08.040972 IP6 fe80::76d4:35ff:fe07:12e9 > ff02::1:ffcf:f88: ICMP6, neighbor solicitation, who has fe80::5ef4:abff:fecf:f88, length 32
18:50:09.065076 IP6 fe80::76d4:35ff:fe07:12e9 > ff02::1:ffcf:f88: ICMP6, neighbor solicitation, who has fe80::5ef4:abff:fecf:f88, length 32
18:50:10.088973 IP6 fe80::76d4:35ff:fe07:12e9 > ff02::1:ffcf:f88: ICMP6, neighbor solicitation, who has fe80::5ef4:abff:fecf:f88, length 32
18:50:11.112972 IP6 fe80::76d4:35ff:fe07:12e9 > ff02::1:ffcf:f88: ICMP6, neighbor solicitation, who has fe80::5ef4:abff:fecf:f88, length 32
18:50:12.136971 IP6 fe80::76d4:35ff:fe07:12e9 > ff02::1:ffcf:f88: ICMP6, neighbor solicitation, who has fe80::5ef4:abff:fecf:f88, length 32
18:50:13.160913 IP6 fe80::76d4:35ff:fe07:12e9 > ff02::1:ffcf:f88: ICMP6, neighbor solicitation, who has fe80::5ef4:abff:fecf:f88, length 32
18:50:14.184931 IP6 fe80::76d4:35ff:fe07:12e9 > ff02::1:ffcf:f88: ICMP6, neighbor solicitation, who has fe80::5ef4:abff:fecf:f88, length 32

That is, it does not even try to answer the requests, although they arrive. I suspect the bridge: eth2.1 is a member of br0 (they also have the same MAC and the same IPv6 link-local address). When pinging from the Keenetic via br0, the traffic looks like this:

# tcpdump -ns 0 -i br0 icmp6
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:57:16.417233 IP6 fe80::5ef4:abff:fecf:f88 > ff02::1:ff07:12e9: ICMP6, neighbor solicitation, who has fe80::76d4:35ff:fe07:12e9, length 32
18:57:17.417346 IP6 fe80::5ef4:abff:fecf:f88 > ff02::1:ff07:12e9: ICMP6, neighbor solicitation, who has fe80::76d4:35ff:fe07:12e9, length 32
18:57:19.425234 IP6 fe80::5ef4:abff:fecf:f88 > ff02::1:ff07:12e9: ICMP6, neighbor solicitation, who has fe80::76d4:35ff:fe07:12e9, length 32
18:57:20.425229 IP6 fe80::5ef4:abff:fecf:f88 > ff02::1:ff07:12e9: ICMP6, neighbor solicitation, who has fe80::76d4:35ff:fe07:12e9, length 32

That is, the requests go out, but there are no replies. Yet the device does send these replies (tcpdump on the device):

18:57:16.999506 IP6 fe80::5ef4:abff:fecf:f88 > ff02::1:ff07:12e9: ICMP6, neighbor solicitation, who has fe80::76d4:35ff:fe07:12e9, length 32
18:57:16.999522 IP6 fe80::76d4:35ff:fe07:12e9 > fe80::5ef4:abff:fecf:f88: ICMP6, neighbor advertisement, tgt is fe80::76d4:35ff:fe07:12e9, length 32
18:57:17.999496 IP6 fe80::5ef4:abff:fecf:f88 > ff02::1:ff07:12e9: ICMP6, neighbor solicitation, who has fe80::76d4:35ff:fe07:12e9, length 32
18:57:17.999529 IP6 fe80::76d4:35ff:fe07:12e9 > fe80::5ef4:abff:fecf:f88: ICMP6, neighbor advertisement, tgt is fe80::76d4:35ff:fe07:12e9, length 32
18:57:18.999637 IP6 fe80::5ef4:abff:fecf:f88 > ff02::1:ff07:12e9: ICMP6, neighbor solicitation, who has fe80::76d4:35ff:fe07:12e9, length 32
18:57:18.999660 IP6 fe80::76d4:35ff:fe07:12e9 > fe80::5ef4:abff:fecf:f88: ICMP6, neighbor advertisement, tgt is fe80::76d4:35ff:fe07:12e9, length 32
18:57:21.007498 IP6 fe80::5ef4:abff:fecf:f88 > ff02::1:ff07:12e9: ICMP6, neighbor solicitation, who has fe80::76d4:35ff:fe07:12e9, length 32

Although iptables should not affect captured traffic, I still added a rule to INPUT:

# ip6tables-legacy -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   38  5776 ACCEPT     all      *      *       ::/0                 ::/0                
...

And what is completely baffling is that when IPv6 is enabled for the ISP, it partly works: the router gets an address but does not delegate a prefix to the LAN (I do not know whether TTK has it misconfigured or the Keenetic is doing something wrong); ping to ipv6.google.com from the router works, for example. And the provider's gateway is pingable via link-local too!

What else I have tried:

echo 0 > /sys/class/net/br0/bridge/multicast_snooping
brctl stp br0 on

No effect. ebtables and arptables are empty. I could not find anything about this behavior by googling. Also, regarding the interface parameters:

# sysctl net/ipv6/conf/all
net.ipv6.conf.all.accept_dad = 1
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.accept_ra_defrtr = 1
net.ipv6.conf.all.accept_ra_pinfo = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.dad_transmits = 1
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.all.force_mld_version = 0
net.ipv6.conf.all.force_tllao = 0
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.hop_limit = 64
net.ipv6.conf.all.max_addresses = 16
net.ipv6.conf.all.max_desync_factor = 600
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.all.mtu = 1280
net.ipv6.conf.all.proxy_ndp = 0
net.ipv6.conf.all.regen_max_retry = 3
net.ipv6.conf.all.router_solicitation_delay = 1
net.ipv6.conf.all.router_solicitation_interval = 4
net.ipv6.conf.all.router_solicitations = 3
net.ipv6.conf.all.temp_prefered_lft = 86400
net.ipv6.conf.all.temp_valid_lft = 604800
net.ipv6.conf.all.use_tempaddr = 0

For br0 and eth2.1 everything is identical, only mtu is 1500.
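
The by-eye comparison of solicitations and advertisements in the captures above can be tallied mechanically. The following is an added example, not code from the original post; `summarize`, `solicited_node` and the 0.5 s pairing window are assumptions made here, and the sample is an excerpt of the post's first router-side capture.

```python
import ipaddress
import re

# Sample input: five lines taken from the first eth2.1 capture quoted in the post.
SAMPLE = """\
18:47:12.157406 IP6 fe80::5ef4:abff:fecf:f88 > ff02::1:ff07:12e9: ICMP6, neighbor solicitation, who has fe80::76d4:35ff:fe07:12e9, length 32
18:47:12.157546 IP6 fe80::76d4:35ff:fe07:12e9 > fe80::5ef4:abff:fecf:f88: ICMP6, neighbor advertisement, tgt is fe80::76d4:35ff:fe07:12e9, length 32
18:47:12.202065 IP6 fe80::76d4:35ff:fe07:12e9 > fe80::5ef4:abff:fecf:f88: ICMP6, neighbor solicitation, who has fe80::5ef4:abff:fecf:f88, length 32
18:47:13.226045 IP6 fe80::76d4:35ff:fe07:12e9 > fe80::5ef4:abff:fecf:f88: ICMP6, neighbor solicitation, who has fe80::5ef4:abff:fecf:f88, length 32
18:47:14.250330 IP6 fe80::76d4:35ff:fe07:12e9 > fe80::5ef4:abff:fecf:f88: ICMP6, neighbor solicitation, who has fe80::5ef4:abff:fecf:f88, length 32
"""

# Shape of a `tcpdump -n ... icmp6` neighbor solicitation / advertisement line.
LINE = re.compile(
    r"(\d\d):(\d\d):(\d\d\.\d+) IP6 (\S+) > ([0-9a-f:]+): ICMP6, "
    r"neighbor (solicitation|advertisement), (?:who has|tgt is) ([0-9a-f:]+),")

def solicited_node(target):
    """RFC 4291 solicited-node group: ff02::1:ff00:0/104 plus the target's low 24 bits."""
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | (int(ipaddress.IPv6Address(target)) & 0xFFFFFF))

def summarize(capture, window=0.5):
    """Per (requester, target): NS seen, NS answered by an NA within `window` s, wrong multicast dst."""
    stats, pending = {}, []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        when = int(m[1]) * 3600 + int(m[2]) * 60 + float(m[3])
        src, dst, tgt = (ipaddress.IPv6Address(m[i]) for i in (4, 5, 7))
        if m[6] == "solicitation":
            row = stats.setdefault((str(src), str(tgt)), {"ns": 0, "answered": 0, "bad_dst": 0})
            row["ns"] += 1
            # A multicast NS must be addressed to the target's solicited-node group.
            if dst.is_multicast and dst != solicited_node(tgt):
                row["bad_dst"] += 1
            pending.append((when, src, tgt))
        else:
            # An NA answers the oldest pending NS sent by its destination for the same target.
            for p in pending:
                if p[1] == dst and p[2] == tgt and 0 <= when - p[0] <= window:
                    stats[(str(p[1]), str(p[2]))]["answered"] += 1
                    pending.remove(p)
                    break
    return stats

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The tally only describes what the sniffed interface saw; comparing the result for the same time span on eth2.1, on br0 and on the remote device shows at which hop the advertisements stop appearing.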
