<br><br><div class="gmail_quote">On Sun, Mar 25, 2012 at 1:40 PM, Francis Dupont <span dir="ltr"><<a href="mailto:fdupont@isc.org">fdupont@isc.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">> wake me up at the quality inn hotel, <a href="tel:%28831%29%20427-1616" value="+18314271616">(831) 427-1616</a> room 103<br>
<br>
</div>=> we got it to work, some comments about the WNDR3800 sd-b4<br></blockquote><div><br>yea! I can go back to sleep.<br> <br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
(we jumped the WNDR3700v2 but it should have the same problems):<br>
- I tried to debug the dhclient6 init script:<br>
* dhclient -6 requires '-D LL' to build a repeatable and<br>
easy to predict DUID in the LL format (vs LLT format, which<br>
is the MAC address + time stamp)<br>
<br></blockquote><div>As if you know the time before you have a ntp lock, which you can't get before you get on the internet.<br> <br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
* for an unknown reason the MAC address is one less than written<br>
on the box and returned by 'ip addr' ? Can't say why...<br>
(the answer is in the code in dhclient which computes the DUID LL)<br>
<br></blockquote><div><br>Sorry about that.<br><br>There are only 3 mac addresses on the box that are real. The rest are generated via various algorithms. You probably hit the flip the 'local' bit one?<br><br></div>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
* uci fails to get the wan interface (BTW with B4 there are two<br>
wan interfaces, one (tun0) for IPv4, one (ge00) for IPv6<br>
<br></blockquote><div><br>not clear to me this issue, something like uci get network.ge00.addr (syntax maybe off) would work.<br> <br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
- the iptables is a mess, I had to flush it (-F -X) and to<br>
put the default policy for FORWARD<br>
<br></blockquote><div><br>I tried to clear out as many rules as possible, but in general, iptables rules are messy to deal with. And for every rule, there's a requirement of some sort. <br><br>My own gripe is that by default all protocols are blocked, and individually opening up each one costs performance. (the overhead of the default firewall rules on forwarding performance is over 20% - and I actually ship LESS rules by default than openwrt does, and most firewall boxes have hundreds)<br>
<br>I've been meaning to write an iptables module for protocol matches, so that the ipv6tables rule would look like, for example:<br><br>ip6tables -A FORWARD -m protocols --protocols 1,2,4,6,7,17,33,41,47,50,51,58,89,94,97,98,103,112,115,124,144,132,136,138,139,140,141 -j ACCEPT<br>
<br>As you might imagine, writing a rule for each of these would seriously cost, whereas this is a single bitfield lookup. Sadly, I've had no time to do this since realizing it was a good idea, nor have I managed to tom sawyer someone else into doing it. By default there's about 6? 7? protocols open on ipv4...<br>
<br>did you also have to nuke the ip6tables ?<br><br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
- default dnsmasq arguments didn't work, I relaunched without any<br>
argument to fix it<br></blockquote><div><br>hmm. What I had was working for me.<br> <br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
but it finished by working before the end of demo...<br>
<br>
I fixed the DHCPv6 server entries (required the LL prefix (03:01?)<br>
and -1 on the last byte. (PS: on the SD-AFTR).<br>
<br></blockquote><div>I had figured you'd just ifconfig ge00 and go from there.<br> <br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I ran the PCP + incoming connection from the Internet on the laptop<br>
SD-B4 but it should work on the WNDR SD-B4 too.<br>
<br>
I didn't try the ICMP stuff, in fact with DHCPv4 over IPv6 it was the<br>
only part we skipped. In particular the SD-AFTR failover works great.<br>
<br></blockquote><div><br>cool.<br><br>Have a fun conference!<br><br>If you can slam a copy of the entire working /etc directory somewhere I will diff it against what is in the current images and fix it for the next demos april 4.<br>
<br> <br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Regards<br>
<span class="HOEnZb"><font color="#888888"><br>
Francis Dupont <<a href="mailto:fdupont@isc.org">fdupont@isc.org</a>><br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br>Dave Täht<br>SKYPE: davetaht<br>US Tel: 1-239-829-5608<br><a href="http://www.bufferbloat.net" target="_blank">http://www.bufferbloat.net</a><br>
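The DUID-LL versus DUID-LLT point discussed in the thread, as an added example that is not code from either poster or from dhclient: it builds both DUID forms as laid out in RFC 3315 (2-byte type, 2-byte hardware type, then an optional 4-byte time and the link-layer address) to show why only the LL form can be predicted for a DHCPv6 server entry. The function names and the sample MAC are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DUID_LLT   1             /* link-layer address plus time */
#define DUID_LL    3             /* link-layer address only */
#define HW_ETHER   1             /* hardware type for Ethernet */
#define DUID_EPOCH 946684800ULL  /* 2000-01-01T00:00:00Z as Unix time */

static size_t put16(uint8_t *o, uint16_t v)
{
    o[0] = (uint8_t)(v >> 8); o[1] = (uint8_t)v;
    return 2;
}

/* DUID-LL: type | hwtype | lladdr. Depends only on the MAC, so it is repeatable. */
size_t duid_ll(uint8_t *out, const uint8_t mac[6])
{
    size_t n = put16(out, DUID_LL);
    n += put16(out + n, HW_ETHER);
    memcpy(out + n, mac, 6);
    return n + 6;                /* 10 bytes for Ethernet */
}

/* DUID-LLT: type | hwtype | time | lladdr, time = seconds since 2000 mod 2^32.
 * The result changes with whatever the clock says when the DUID is generated. */
size_t duid_llt(uint8_t *out, const uint8_t mac[6], uint64_t unix_now)
{
    uint32_t t = (uint32_t)(unix_now - DUID_EPOCH);
    size_t n = put16(out, DUID_LLT);
    n += put16(out + n, HW_ETHER);
    out[n++] = (uint8_t)(t >> 24); out[n++] = (uint8_t)(t >> 16);
    out[n++] = (uint8_t)(t >> 8);  out[n++] = (uint8_t)t;
    memcpy(out + n, mac, 6);
    return n + 6;                /* 14 bytes for Ethernet */
}

/* Colon-separated hex; dst must hold 3 * len bytes. */
char *duid_hex(char *dst, const uint8_t *d, size_t len)
{
    for (size_t i = 0; i < len; i++)
        sprintf(dst + 3 * i, "%02x%s", d[i], i + 1 < len ? ":" : "");
    return dst;
}

int main(void)
{
    const uint8_t mac[6] = {0x02, 0, 0, 0, 0, 0x01};  /* constructed sample MAC */
    uint8_t d[14]; char hex[14 * 3];
    puts(duid_hex(hex, d, duid_ll(d, mac)));
    puts(duid_hex(hex, d, duid_llt(d, mac, 0)));            /* clock still at 1970 */
    puts(duid_hex(hex, d, duid_llt(d, mac, 1332700000)));   /* constructed later time */
    return 0;
}
```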
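The single bitfield lookup proposed in the reply above, as an added userspace sketch that is not code from the thread or from any netfilter module (the `-m protocols` match is described there as not yet written): a 256-bit set indexed by the 8-bit protocol number, so the per-packet cost stays constant however long the allow list is. The names `proto_set`, `proto_set_parse` and `proto_set_match` are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One bit per possible value of the 8-bit IPv4 protocol / IPv6 next-header field. */
struct proto_set { uint32_t bits[8]; };

/* Parse a list such as "6,17,58". Returns 0 on success, -1 on an empty item,
 * a non-digit, or a value above 255. On failure the set is left empty, so a
 * malformed rule allows nothing (default deny is preserved). */
int proto_set_parse(struct proto_set *s, const char *list)
{
    struct proto_set tmp;
    memset(&tmp, 0, sizeof(tmp));
    memset(s, 0, sizeof(*s));
    for (const char *p = list;;) {
        char *end;
        if (*p < '0' || *p > '9')
            return -1;                 /* rejects "", ",6", "6,,17", "-1", " 6" */
        errno = 0;
        unsigned long v = strtoul(p, &end, 10);
        if (errno || v > 255)
            return -1;
        tmp.bits[v >> 5] |= UINT32_C(1) << (v & 31);
        if (*end == '\0') {
            *s = tmp;                  /* commit only when the whole list parsed */
            return 0;
        }
        if (*end != ',')
            return -1;
        p = end + 1;
    }
}

/* Per-packet check: one load, one shift, one mask. */
int proto_set_match(const struct proto_set *s, uint8_t proto)
{
    return (int)((s->bits[proto >> 5] >> (proto & 31)) & 1u);
}

int main(void)
{
    struct proto_set s;
    if (proto_set_parse(&s, "6,17,58") != 0)   /* constructed short list */
        return 1;
    printf("tcp=%d udp=%d icmpv6=%d gre=%d\n", proto_set_match(&s, 6),
           proto_set_match(&s, 17), proto_set_match(&s, 58), proto_set_match(&s, 47));
    return 0;
}
```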