closer and closer to proof of concept but still not there
Francis Dupont
fdupont at isc.org
Thu Mar 22 09:21:43 UTC 2012
> I failed to route through to anywhere via sd-cpe2.
=> you mean it doesn't work from a client?
> I have a feeling the default ipv6 /etc/firewall.user rules need
> revision. Or that I messed up the rules fiddling with sdctl. Or I do
> indeed need to apply the encapsulation patch...
=> checks:
- ip addr => correct
- ip route => correct modulo the missing multicast, adding it
- ip -6 route => missing default route, adding one to the prefix:
'ip -6 route add 2001:db8::/32 via 2001:db8:0:1::1'
- iptables => bad, the SDCTLD filter for FORWARD is after a reject chain;
  for the demo I suggest dropping the initial setup.
Another example: you still have the MASQUERADE in the nat rules...
- ip6tables => bad
- sdctld => don't know but its function is to punch holes for incoming
  from the Internet connection
- encapsulation patch => not needed
Cleaned up netfilter tables (-F -X), copied the fixed setup4 from ida,
ran it: it works again.
BTW the resolv.conf has:
search home.lan
nameserver 127.0.0.1
when it needs:
nameserver 2001:db8:0:1::1
trying to go on cruithne at 172.28.1.17: no active fdupont account?
For instance:
root@cruithne:~# passwd fdupont
passwd: Authentication information cannot be recovered
connected as root:
- changed the default route
- fixed the netfilter FORWARD policy and IPv4 forwarding on sd-cpe2
- relaunched dnsmasq on sd-cpe2
- changed the /etc/resolv.conf
now it works:
root@cruithne:~# ssh -4 givry.fdupont.fr
root@givry.fdupont.fr's password:
Regards
Francis Dupont <fdupont at isc.org>
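
The FORWARD ordering problem from the iptables check above (the SDCTLD jump sitting after a chain that rejects everything), as an added example that is not part of the original message: a shell function that reads `iptables -S` output and reports whether a jump is still reachable. The chain names `reject` and `SDCTLD` and both sample rule sets are constructed assumptions.

```shell
#!/bin/sh
# Added example. Chain names "reject" and "SDCTLD" are assumptions taken from
# the wording of the message; both rule sets below are constructed samples.

# shadowed_jump CHAIN TARGET  (reads `iptables -S` style rules on stdin)
# Prints reachable | shadowed | missing; exit status 0 only for reachable.
# Only one level of nesting is followed when deciding a chain is terminal.
shadowed_jump() {
    awk -v chain="$1" -v target="$2" '
    $1 == "-A" {
        n++; ch[n] = $2; tgt[n] = ""
        uncond[n] = ($3 == "-j")          # no match options before -j
        for (i = 3; i < NF; i++) if ($i == "-j") tgt[n] = $(i + 1)
        # a chain holding an unconditional REJECT or DROP ends traversal
        if (uncond[n] && (tgt[n] == "REJECT" || tgt[n] == "DROP")) term[ch[n]] = 1
    }
    END {
        state = "missing"; cut = 0
        for (k = 1; k <= n; k++) {
            if (ch[k] != chain) continue
            if (tgt[k] == target) { state = cut ? "shadowed" : "reachable"; break }
            if (uncond[k] && (tgt[k] == "REJECT" || tgt[k] == "DROP" || (tgt[k] in term)))
                cut = 1
        }
        print state
        exit (state == "reachable" ? 0 : 1)
    }'
}

# Constructed: the jump to SDCTLD was appended after the catch-all reject chain.
BAD_RULES='-P FORWARD DROP
-N reject
-N SDCTLD
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j reject
-A FORWARD -j SDCTLD
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable'

# Constructed: same rules with the SDCTLD jump ahead of the reject chain.
GOOD_RULES='-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j SDCTLD
-A FORWARD -j reject
-A reject -j REJECT --reject-with icmp-port-unreachable'

printf '%s\n' "$BAD_RULES"  | shadowed_jump FORWARD SDCTLD || :   # shadowed
printf '%s\n' "$GOOD_RULES" | shadowed_jump FORWARD SDCTLD        # reachable
```

On a live router the same check is `iptables -S | shadowed_jump FORWARD SDCTLD`, and `ip6tables -S` for the IPv6 side.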