
Re: ICMP router advertisement (ipv4)



On Sun, 9 Apr 2023, Michel Verdier wrote:

On 9 April 2023 Tim Woodall wrote:

Apr  9 06:27:48 ... IN=isp OUT= MAC=... SRC=1.0.168.192 DST=224.0.0.1 ... PROTO=ICMP TYPE=9 CODE=0

Is this log generated on your host? Does it come directly from syslog or from
a reporting tool?

I don't get a routable IPv4 address at all. My router is doing DS-lite
to emulate IPv4 connectivity.

Does your host have IPv6 and IPv4 addresses, or only IPv4?

Both. It has a global IPv6 address and an RFC 1918 IPv4 address.

On your host, can you give the output of
ip route
ip -6 route
ip address

This isn't going to be particularly useful on its own as I'm using
policy-based routing and iptables marking.

But on the firewall, the (a) default route points at 192.168.0.1, which is
acquired via DHCP, and the other points at the router's link-local address,
acquired using SLAAC:

default via 192.168.0.1 dev isp
default via fe80::c6eb:39ff:fe4e:c771 dev isp proto ra metric 1024
expires 1713sec hoplimit 64 pref medium

The router itself has a public WAN-side IPv6 address (displayed on the
router info page, but discoverable by doing a traceroute inbound too) but
no IPv4 address at all other than the internal 192.168.0.1.


Obfuscate if you want, but leave the internal addresses; they are not a
security hole.

More annoyingly, there doesn't seem to be any way to tell the router
what the next hop router is for IPv6 and it doesn't forward packets for
any IP it doesn't know about - even with the firewall turned off.

This is correct: it needs to know where you are to send you packets.
ICMP type 9 is for that.

I'm not using them, as I acquire my IPv4 address and next hop via DHCP.

And I'm not trying to get IPv4 working. That is going via CGNAT. It's
IPv6 that I'm trying to make vaguely sane. I have 2**71 addresses that
reach my router, but only one that will cross it.

So, even though it advertises a /57 on its internal interface, I'm being
forced to do NAT in order to have a firewall.

I don't understand: if it doesn't forward, where do you do NAT?

My firewall has a single /128 acquired via SLAAC and the RA from the
router. My entire network is masqueraded through that single IP.

I'm also doing the same for IPv4, but the router is then using DS-Lite
to tunnel to the ISP, where there's CGNAT to a routable address.

I cannot see packets for any address other than those in one /64
although a traceroute shows they're getting to the router.

You mean you have addresses in the /57 but you can't contact the other /64s?
It seems like a subnet restriction set on the router, which is rather common;
only a configuration point.

The router drops everything except the /128s that it knows about. It
does not even try to do neighbour discovery.

