Calling anyone who knows routing or iptables

aus-city
Forum Regular
Posts: 685
Joined: Thu Oct 26, 2006 11:56 pm

Calling anyone who knows routing or iptables

Unread post by aus-city »

I have almost got ipv4 and ipv6 all running together.

My last issue is how do you forward from eth2 to eth1 on the same server.

Now with iptables you can use nat and masquerade.

How do you do this with ip6tables? There is no nat or masquerade.

Right now all my clients can ping6 and traceroute6 themselves on their given IPv6 addresses, as well as ping6 the server's eth2 (LAN). However, they can't ping6 eth1.

The server can ping6 anything on the net, LAN, clients and both eth1 and eth2 adapters.

The clients, when they try to ping6 ipv6.google.com, get the IP address (so my named is answering IPv6), but the ping times out.

It's obvious the clients are getting the IPv6 gateway, but eth2 is not forwarding to eth1.

What we are trying to do, surely others must do the same; it's a typical router situation.

# ping6 -c1 ipv6.google.com
PING ipv6.google.com(2404:6800:8004::68) 56 data bytes
From primary.engineering.idb icmp_seq=1 Destination unreachable: Administratively prohibited

--- ipv6.google.com ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

Anyone?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Calling anyone who knows routing or iptables

Unread post by mikeshinn »

Ah yes, NAT in IPv6. Well, the IPv6 designers decided that NAT is evil, so there is no NAT in IPv6 the protocol, which is why there is no NAT in ip6tables. Here's a post on the netfilter mailing list explaining even more the opinions of some:

http://lists.netfilter.org/pipermail/ne ... 59463.html
From Harald Welte laforge at netfilter.org

> When is support NAT table for Ip6tables?

Only over my dead body. We will never implement ipv6-to-ipv6 network
address translation as long as I have any say in netfilter/iptables
development. NAT is evil and causes horrible breakage of end-to-end on
the internet. IPv6 has enough addresses and therefore no justification
for NAT.
So, because some decided that NAT is clearly evil and clearly causes horrible breakage - I mean, every day aren't we all just plagued with NAT issues? It's so bad you clearly can't read this forum post from your NATed computer - as we all know the only way to access the Internet is via a direct connection. Oh, when will the gurus save us from NAT!

So, because of that clear and present danger, when you use IPv6 you must have a real IP for each device with a real route. To forward, you just setup forwarding rules like you would for any normal routable traffic (which must be routable).

BTW, this whole "NAT is evil" argument is just pure hyperventilating grumbling that's been going on for decades - I remember some of the original VOIP experimenters throwing up their hands and shutting down their projects because of the evils of NAT; they said it was impossible and gave up. Flat end-to-end routing is easier, but so are a lot of things in life that we don't do because there are good reasons why we do things the harder way (like wearing seat belts, for example: sure it's easier to not put it on, but that little bit of extra work and uncomfortableness makes us all safer). So, rather than work with what people want (there are good reasons for NAT, like non-Internet-routable networks for instance), and the fact that in reality the world has been working just fine with NAT, and that all the shortcomings people drum up about NAT haven't stopped the world from working around it - instead, the answer was to get rid of NAT.

Go ahead and ask me what I really think. You should see the report we wrote for the White House. Bottom line, it should be up to the network owner to decide how they want to route, if they want to use NAT, PAT, etc. There's no technological reason it shouldn't be possible with IPv6 - except that the IPv6 crowd doesn't want NAT for IPv6 - everything must be routable - everything.

And they wonder why people aren't adopting IPv6.
BruceLee
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Re: Calling anyone who knows routing or iptables

Unread post by BruceLee »

ha, maybe they change their mind in the future when all of the 3.4·10^38 addresses are in use by fridges, toasters, garbage cans and pencils. Right now they all start with one simple mistake, in my opinion. Years ago no one thought that the IPv4 range would expire. They thought there were plenty of IP addresses. We all learned and know now that they were wrong.
Now they (the new team of designers) do it again. It's so stupid and typically human.

Who knows what the future brings? Maybe in 30 years we will use nano robots with a single dedicated IP and they repair dead cells in our bodies. And suddenly the range is not enough since one billion of them run through one body. Who knows.
I know that this can hardly happen since the range is so big.

But it shows how short-sighted some people approach the task. It's a simple assumption that environments that are complex and that get more complex every day are hard to maintain, change or replace. It should be flexible from the beginning. They already start with tons of exclusions.

sorry for swerving from the topic :)
aus-city
Forum Regular
Posts: 685
Joined: Thu Oct 26, 2006 11:56 pm

Re: Calling anyone who knows routing or iptables

Unread post by aus-city »

Yes, it all seems stupid stopping NAT. If every single device needs an IP the address space will run out, not to mention these IPs won't be free :(

So how can I forward my eth2 to eth1 (bidirectionally) with ip6tables?

I had a few attempts, but my LAN is still stopping dead at eth2 for the clients.

Every adapter has an IPv6 address. The main server has an ip6to4 tunnel that works. Once LAN traffic on IPv6 is forwarded through the server it should pick up the tunnel (in theory), as even now my clients can resolve IPv6 addresses, like trying to ping ipv6.google.com.

I can grab the IPv6 addresses I am using; they are all in the FC address space and can ping each other.

I also can give a network diagram. Just a few clients want to surf some IPv6 sites and it's working off the main server.

Thanks!
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: Calling anyone who knows routing or iptables

Unread post by breun »

aus-city wrote:If every single device needs an IP the address space will run out (...)
http://itknowledgeexchange.techtarget.c ... n-numbers/ says:
So we could assign an IPV6 address to EVERY ATOM ON THE SURFACE OF THE EARTH, and still have enough addresses left to do another 100+ earths.
Highland
Forum Regular
Posts: 674
Joined: Mon Apr 10, 2006 12:55 pm

Re: Calling anyone who knows routing or iptables

Unread post by Highland »

255 ^ 4 = 4228250625 (or around 4 billion IPs)
255 ^ 6 = 274941996890625 (or around 275,000 billion IPs)

Exponential growth for the win ;)
BruceLee
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Re: Calling anyone who knows routing or iptables

Unread post by BruceLee »

maybe you can give ip_forward a try:
http://www.ducea.com/2006/08/01/how-to- ... -in-linux/
aus-city
Forum Regular
Posts: 685
Joined: Thu Oct 26, 2006 11:56 pm

Re: Calling anyone who knows routing or iptables

Unread post by aus-city »

It's already turned on :(

/proc/sys/net/ipv6/conf/eth1/forwarding is set to 1
/proc/sys/net/ipv6/conf/eth2/forwarding is set to 1

But it's not forwarding, as any traffic coming in on eth1 can't ping6 eth2 or vice versa. The host server, of course, can ping6 eth1 or eth2 as well as any client hanging off eth1.
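An added example (my code, not any poster's configuration) that pulls together the checks a practitioner would run on the setup described in this thread: eth2 is the LAN side and eth1 the upstream side, and the helper names and rule set are assumptions. Two details matter. First, the Linux IPv6 forwarding path keys off the global sysctl net.ipv6.conf.all.forwarding; the per-interface files /proc/sys/net/ipv6/conf/ethX/forwarding shown above set host/router behaviour for that interface but do not by themselves turn on forwarding between interfaces, so the all/ knob is the one to verify. Second, "Destination unreachable: Administratively prohibited" in the ping6 output is ICMPv6 destination-unreachable code 1, which is exactly what the ip6tables REJECT target emits when a rule uses --reject-with icmp6-adm-prohibited. Because the error comes from the server's own hostname, the packet reached the box and was rejected there, which points at a REJECT rule in the FORWARD chain (the stock RHEL/CentOS /etc/sysconfig/ip6tables rejects forwarded traffic with that code), so the ACCEPT rules have to be inserted ahead of it. Since ip6tables has no nat table, the fix is plain forwarding with no MASQUERADE.

```shell
#!/bin/sh
# Added example (not from the forum posts): stateless IPv6 forwarding between
# a LAN interface and an upstream interface, plus the two checks that explain
# a ping6 answered with "Administratively prohibited".
# Interface names follow the thread (eth2 = LAN, eth1 = upstream); the rule
# set and the helper names are assumptions, not the poster's configuration.

LAN_IF=${LAN_IF:-eth2}
WAN_IF=${WAN_IF:-eth1}

# Print the ip6tables commands that let eth2 <-> eth1 traffic through.
# ip6tables has no nat table, so this is plain routing. The rules are
# inserted at the top of FORWARD (-I) so they win over a distribution
# default such as "-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited".
forward_rules() {
  printf '%s\n' \
    "ip6tables -I FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT" \
    "ip6tables -I FORWARD -i $WAN_IF -o $LAN_IF -j ACCEPT"
}

# The IPv6 forwarding decision uses the GLOBAL knob
# net.ipv6.conf.all.forwarding; conf/ethX/forwarding alone is not enough.
# Takes the sysctl root as an argument so it can be pointed at a copy.
forwarding_enabled() {
  root=${1:-/proc/sys}
  f="$root/net/ipv6/conf/all/forwarding"
  [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Read ping6 output on stdin and classify the failure mode:
#   "reject <host>"  a node answered with ICMPv6 "Administratively prohibited",
#                    i.e. an ip6tables REJECT with --reject-with
#                    icmp6-adm-prohibited on <host>
#   "ok"             echo replies came back
#   "silent"         nothing came back: a DROP rule, or no route for the reply
classify_ping6() {
  awk '
    /Destination unreachable: Administratively prohibited/ { print "reject " $2; found = 1; exit }
    / bytes from / { print "ok"; found = 1; exit }
    END { if (!found) print "silent" }
  '
}

# Apply only when explicitly asked (needs root); otherwise just define helpers.
if [ "${1:-}" = apply ]; then
  sysctl -w net.ipv6.conf.all.forwarding=1
  forward_rules | sh -x
fi
```

Run it as root with `sh forward6.sh apply` to apply the sysctl and the two rules; without an argument it only defines the helpers, and `ip6tables -L FORWARD -nv` afterwards shows whether the counters on the distribution's REJECT rule have stopped growing. The rules are stateless, which is what was asked for (both directions open); a stateful variant that only lets replies back in from eth1 needs the IPv6 connection-tracking module (nf_conntrack_ipv6), which older kernels do not have.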
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Calling anyone who knows routing or iptables

Unread post by mikeshinn »

Did you follow the troubleshooting methodology we have in our book?
aus-city
Forum Regular
Posts: 685
Joined: Thu Oct 26, 2006 11:56 pm

Re: Calling anyone who knows routing or iptables

Unread post by aus-city »

Hi Mike,

Can you point me to that info and I will play?

I made up IPv6 addresses on all the ethernet cards (using a reserved prefix so it's not 'global'). Maybe the addresses have to be closer together?

I could post some eth configs.

I do have ip6to4 running on my main server, but I will worry about tunnelling all the clients through this later, not until at least everyone can ping6 everyone.
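An added example (mine, not from the thread) for the addressing side of the same setup. The "FC address space" used on the LAN above is ULA (fc00::/7, RFC 4193): it is fine for ping6 between the LAN hosts and the router, but it is not routed on the global Internet, so even with forwarding working a client whose source address is in fc00::/7 gets no reply from ipv6.google.com through the 6to4 tunnel, and IPv6 has no MASQUERADE to hide it behind the router's address. The 6to4 tunnel already gives the router an entire 2002:V4:V4::/48 derived from its public IPv4 address (RFC 3056), and one /64 out of that can number the LAN instead. The IPv4 address 192.0.2.1, the subnet id 1 and the interface name eth2 below are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): derive the 6to4 prefix a router owns
# from its public IPv4 address, carve a /64 out of it for the LAN, and flag
# ULA (fc00::/7) addresses, which are not routed on the global Internet.
# The IPv4 address, the subnet id and the interface name are placeholders.

# 2002:VVVV:VVVV::/48 where VVVV:VVVV is the IPv4 address in hex (RFC 3056).
# Fails on a malformed address and on RFC 1918 space, since 6to4 needs a
# globally unique IPv4 address to be reachable from the relays.
sixtofour_prefix() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  case "$1.$2" in 10.*|192.168|172.1[6-9]|172.2[0-9]|172.3[01]) return 1;; esac
  printf '2002:%x:%x::/48\n' $(( $1 * 256 + $2 )) $(( $3 * 256 + $4 ))
}

# One /64 of the /48 for the LAN; the second argument is a 16-bit hex subnet id.
lan_prefix() {
  p=$(sixtofour_prefix "$1") || return 1
  printf '%s:%x::/64\n' "${p%::/48}" $(( 0x$2 ))
}

# True when the address is ULA: the first 16-bit group, masked to its top
# seven bits, is 0xfc00.
is_ula() {
  g=${1%%:*}
  [ -n "$g" ] || return 1
  case $g in *[!0-9a-fA-F]*) return 1;; esac
  [ $(( 0x$g & 0xfe00 )) -eq $(( 0xfc00 )) ]
}

# Commands to number the LAN side of the router from the 6to4 /48 so that
# clients can be given globally routable addresses. Printed, not executed.
lan_setup() {
  p=$(lan_prefix "$1" "$2") || return 1
  net=${p%/64}
  printf '%s\n' \
    "ip -6 addr add ${net}1/64 dev ${3:-eth2}" \
    "sysctl -w net.ipv6.conf.all.forwarding=1"
}
```

With the router's public IPv4 address, `lan_setup 192.0.2.1 1 eth2` prints the address to put on eth2 (2002:c000:201:1::1/64); clients then take addresses out of 2002:c000:201:1::/64 with the router as their gateway, and `is_ula` on a client's current address tells you whether it is one that will never get a reply from the Internet.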
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Calling anyone who knows routing or iptables

Unread post by mikeshinn »

You mean the link in my sig? :-)

http://www.amazon.com/Troubleshooting-L ... 0321227239

Just out of curiosity, what site(s) are you trying to get to via IPv6 that you can't get to via IPv4? Or are you enabling it just to try it out?

As an aside, a word of advice on IPv6: all the IPv6 code out there is less well tested/feature complete than IPv4 code; it's just so new and not widely used (so it doesn't get the attention on bugs and features), plus it's not a drop-in or even 1-to-1 feature-wise, so expect bugs and grief with IPv6. I know you love new technology and will probably stick it out; we know tons of government agencies and commercial organizations that dropped support for IPv6 because it was just such a pain with little to no return on the work (for now at least; maybe someday enough of the net will be IPv6-only that it will be worth the pain) - so I want to wish you the best of luck with it! :-)
aus-city
Forum Regular
Posts: 685
Joined: Thu Oct 26, 2006 11:56 pm

Re: Calling anyone who knows routing or iptables

Unread post by aus-city »

Hi Mike,

No, just messing around and testing. There are already a few IPv6 sites that have different pages if you connect over IPv6.