→ danny8376: Which OpenWrt version? It may be that IPv6 forwarding isn't set up correctly 10/24 23:41
→ dowbatw: Barrier Breaker 14.07 / LuCI Trunk (0.12+svn-r10530) 10/24 23:55
This is the radvd configuration that my gw6c generated automatically:
##### rtadvd.conf made by Gateway6 Client ####
interface br-lan
{
AdvSendAdvert on;
prefix 2001:b000:000a:000e::/64
{
AdvOnLink on;
AdvAutonomous on;
};
};
gw6c execution log
2014/10/24 23:38:21 I gw6c: /sbin/sysctl -w net.ipv6.conf.all.forwarding=1
2014/10/24 23:38:21 I gw6c: net.ipv6.conf.all.forwarding = 1
2014/10/24 23:38:21 I gw6c: /usr/sbin/radvd -p /var/run/radvd.pid -C /tmp/gw6c-radvd.conf
And this is the packet capture I took on the router (tcpdump -i br-lan -vv ip6)
During the capture the computer was pinging ipv6.google.com
tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 65535
bytes
00:24:20.307314 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40)
2001:b000:a:e:9cbd:5445:da23:707e > sa-in-x65.1e100.net: [icmp6 sum ok]
ICMP6, echo request, seq 50
00:24:20.307675 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 88)
2001:b000:a:e::1 > 2001:b000:a:e:9cbd:5445:da23:707e: [icmp6 sum ok] ICMP6,
destination unreachable, unreachable port[|icmp6]
00:24:21.309425 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40)
2001:b000:a:e:9cbd:5445:da23:707e > sa-in-x65.1e100.net: [icmp6 sum ok]
ICMP6, echo request, seq 51
00:24:21.309721 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 88)
2001:b000:a:e::1 > 2001:b000:a:e:9cbd:5445:da23:707e: [icmp6 sum ok] ICMP6,
destination unreachable, unreachable port[|icmp6]
00:24:22.312397 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40)
2001:b000:a:e:9cbd:5445:da23:707e > sa-in-x65.1e100.net: [icmp6 sum ok]
ICMP6, echo request, seq 52
00:24:22.312691 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 88)
2001:b000:a:e::1 > 2001:b000:a:e:9cbd:5445:da23:707e: [icmp6 sum ok] ICMP6,
destination unreachable, unreachable port[|icmp6]
00:24:22.433005 IP6 (hlim 1, next-header UDP (17) payload length: 154)
fe80::7850:fcd6:b5ce:1bac.55817 > ff02::c.1900: [udp sum ok] UDP, length 146
00:24:23.315871 IP6 (hlim 128, next-header ICMPv6 (58) payload length: 40)
2001:b000:a:e:9cbd:5445:da23:707e > sa-in-x65.1e100.net: [icmp6 sum ok]
ICMP6, echo request, seq 53
00:24:23.316160 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 88)
2001:b000:a:e::1 > 2001:b000:a:e:9cbd:5445:da23:707e: [icmp6 sum ok] ICMP6,
destination unreachable, unreachable port[|icmp6]
00:24:23.454334 IP6 (hlim 1, next-header Options (0) payload length: 32)
fe80::7850:fcd6:b5ce:1bac > ff02::c: HBH (rtalert: 0x0000) (padn) [icmp6 sum
ok] ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::c
00:24:23.454430 IP6 (hlim 1, next-header Options (0) payload length: 32)
fe80::7850:fcd6:b5ce:1bac > ff02::1:3: HBH (rtalert: 0x0000) (padn) [icmp6
sum ok] ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::1:3
00:24:23.454589 IP6 (hlim 1, next-header Options (0) payload length: 32)
fe80::7850:fcd6:b5ce:1bac > ff02::1:ffce:1bac: HBH (rtalert: 0x0000) (padn)
[icmp6 sum ok] ICMP6, multicast listener reportmax resp delay: 0 addr:
ff02::1:ffce:1bac
00:24:25.432870 IP6 (hlim 1, next-header UDP (17) payload length: 154)
fe80::7850:fcd6:b5ce:1bac.55817 > ff02::c.1900: [udp sum ok] UDP, length 146
00:24:25.454043 IP6 (hlim 1, next-header Options (0) payload length: 32)
fe80::7850:fcd6:b5ce:1bac > ff02::1:ff00:735: HBH (rtalert: 0x0000) (padn)
[icmp6 sum ok] ICMP6, multicast listener reportmax resp delay: 0 addr:
ff02::1:ff00:735
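※ Edited: dowbatw (140.112.230.135), 10/25/2014 00:25:16
※ Edited: dowbatw (140.112.230.135), 10/25/2014 00:35:34
→ danny8376: It looks like the router side can't get out to google 10/25 01:52
→ danny8376: Have you tried pinging google from the router? 10/25 01:53
→ dowbatw: I mentioned earlier that pinging from the router works fine 10/25 01:55
※ Edited: dowbatw (140.112.230.135), 10/25/2014 02:38:53
→ dowbatw: It seems there is some problem with the wan delivering to the computer; how should I adjust it? 10/25 02:39
Push danny8376: Then maybe take a look at ip6tables first 10/25 03:42
→ danny8376: to see whether the forward part isn't being allowed 10/25 03:43
→ danny8376: By the way, did you not add the interface gogo6 uses to the wan in your firewall? 10/25 03:46
→ danny8376: (if you haven't changed it, it should be sit1) 10/25 03:47
→ dowbatw: Mine is tun, not sit; in the network config I bridged tun and wan 10/25 09:16
→ dowbatw: together into br-wan 10/25 09:17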
/etc/config/network
config interface 'lan'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option _orig_ifname 'eth0.1 wlan0'
option _orig_bridge 'true'
option ifname 'eth0.1 tun'
config interface 'wan'
option proto 'dhcp'
option _orig_ifname 'eth0.2'
option _orig_bridge 'true'
option type 'bridge'
option ifname 'eth0.2 tun'
config interface 'wan6'
option proto 'dhcp'
option _orig_ifname 'eth0.2'
option _orig_bridge 'false'
option type 'bridge'
option ifname 'eth0.2 tun'
/etc/config/firewall
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
※ Edited: dowbatw (140.112.230.135), 10/25/2014 09:23:41
→ danny8376: How you configured it doesn't matter... 10/25 10:19
→ danny8376: what ifconfig and ip6tables output is the actual configuration 10/25 10:19
→ danny8376: Besides, bridging with wan is a really odd setup... 10/25 10:20
ifconfig
br-lan Link encap:Ethernet HWaddr 10:6F:3F:02:3D:D6
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: 2001:b000:a:d::1/64 Scope:Global
inet6 addr: fe80::126f:3fff:fe02:3dd6/64 Scope:Link
inet6 addr: fdb1:5979:7760::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:70199 errors:0 dropped:0 overruns:0 frame:0
TX packets:79433 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:37825616 (36.0 MiB) TX bytes:51010066 (48.6 MiB)
eth0 Link encap:Ethernet HWaddr 10:6F:3F:02:3D:D6
inet6 addr: fe80::126f:3fff:fe02:3dd6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:447605 errors:0 dropped:10 overruns:0 frame:0
TX packets:91849 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:119217969 (113.6 MiB) TX bytes:56233397 (53.6 MiB)
Interrupt:4
eth0.1 Link encap:Ethernet HWaddr 10:6F:3F:02:3D:D6
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23436 errors:0 dropped:2 overruns:0 frame:0
TX packets:27686 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11344259 (10.8 MiB) TX bytes:17254222 (16.4 MiB)
eth0.2 Link encap:Ethernet HWaddr 10:6F:3F:02:3D:D6
inet addr:140.112.230.135 Bcast:140.112.230.255 Mask:255.255.255.0
inet6 addr: fe80::126f:3fff:fe02:3dd6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:424109 errors:0 dropped:0 overruns:0 frame:0
TX packets:64152 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:99812759 (95.1 MiB) TX bytes:38610658 (36.8 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:476 errors:0 dropped:0 overruns:0 frame:0
TX packets:476 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:51192 (49.9 KiB) TX bytes:51192 (49.9 KiB)
tun Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet6 addr: 2001:b020:0:71::47f/128 Scope:Global
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1280 Metric:1
RX packets:3 errors:0 dropped:0 overruns:0 frame:0
TX packets:2399 errors:0 dropped:83 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:200 (200.0 B) TX bytes:730504 (713.3 KiB)
wlan0 Link encap:Ethernet HWaddr 10:6F:3F:02:3D:D6
inet6 addr: fe80::126f:3fff:fe02:3dd6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:48436 errors:0 dropped:0 overruns:0 frame:0
TX packets:57669 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:27536078 (26.2 MiB) TX bytes:35613035 (33.9 MiB)
ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
delegate_input all anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
delegate_forward all anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
delegate_output all anywhere anywhere
Chain delegate_forward (1 references)
target prot opt source destination
forwarding_rule all anywhere anywhere
/* user chain for forwarding */
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
zone_lan_forward all anywhere anywhere
zone_wan_forward all anywhere anywhere
zone_wan_forward all anywhere anywhere
reject all anywhere anywhere
Chain delegate_input (1 references)
target prot opt source destination
ACCEPT all anywhere anywhere
input_rule all anywhere anywhere
/* user chain for input */
ACCEPT all anywhere anywhere ctstate
RELATED,ESTABLISHED
syn_flood tcp anywhere anywhere tcp
flags:FIN,SYN,RST,ACK/SYN
zone_lan_input all anywhere anywhere
zone_wan_input all anywhere anywhere
zone_wan_input all anywhere anywhere
Chain delegate_output (1 references)
target prot opt source destination
ACCEPT all anywhere anywhere
output_rule all anywhere anywhere
/* user chain for output */
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
zone_lan_output all anywhere anywhere
zone_wan_output all anywhere anywhere
zone_wan_output all anywhere anywhere
Chain forwarding_wan_rule (1 references)
target prot opt source destination
Chain input_lan_rule (1 references)
target prot opt source destination
Chain input_rule (1 references)
target prot opt source destination
Chain input_wan_rule (1 references)
target prot opt source destination
Chain output_lan_rule (1 references)
target prot opt source destination
Chain output_rule (1 references)
target prot opt source destination
Chain output_wan_rule (1 references)
target prot opt source destination
Chain reject (5 references)
target prot opt source destination
REJECT tcp anywhere anywhere reject-with tcp-reset
REJECT all anywhere anywhere reject-with icmp6-port-unreachable
Chain syn_flood (1 references)
target prot opt source destination
RETURN tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP all anywhere anywhere
Chain zone_lan_dest_ACCEPT (2 references)
target prot opt source destination
ACCEPT all anywhere anywhere
Chain zone_lan_forward (1 references)
target prot opt source destination
forwarding_lan_rule all anywhere anywhere
/* user chain for forwarding */
zone_wan_dest_ACCEPT all anywhere anywhere
/* forwarding lan -> wan */
zone_lan_dest_ACCEPT all anywhere anywhere
Chain zone_lan_input (1 references)
target prot opt source destination
input_lan_rule all anywhere anywhere
/* user chain for input */
zone_lan_src_ACCEPT all anywhere anywhere
Chain zone_lan_output (1 references)
target prot opt source destination
output_lan_rule all anywhere anywhere
/* user chain for output */
zone_lan_dest_ACCEPT all anywhere anywhere
Chain zone_lan_src_ACCEPT (1 references)
target prot opt source destination
ACCEPT all anywhere anywhere
Chain zone_wan_dest_ACCEPT (2 references)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
Chain zone_wan_dest_REJECT (1 references)
target prot opt source destination
reject all anywhere anywhere
reject all anywhere anywhere
Chain zone_wan_forward (2 references)
target prot opt source destination
forwarding_wan_rule all anywhere anywhere
/* user chain for forwarding */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request
/* Allow-ICMPv6-Forward */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-reply
/* Allow-ICMPv6-Forward */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable
/* Allow-ICMPv6-Forward */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big
/* Allow-ICMPv6-Forward */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded
/* Allow-ICMPv6-Forward */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp bad-header
/* Allow-ICMPv6-Forward */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp unknown-header-type
/* Allow-ICMPv6-Forward */
zone_wan_dest_REJECT all anywhere anywhere
Chain zone_wan_input (2 references)
target prot opt source destination
input_wan_rule all anywhere anywhere
/* user chain for input */
ACCEPT udp fe80::/10 fe80::/10 udp
spt:dhcpv6-server dpt:dhcpv6-client
/* Allow-DHCPv6 */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-reply
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp bad-header
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp unknown-header-type
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-solicitation
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-advertisement
/* Allow-ICMPv6-Input */
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-advertisement
/* Allow-ICMPv6-Input */
zone_wan_src_REJECT all anywhere anywhere
Chain zone_wan_output (2 references)
target prot opt source destination
output_wan_rule all anywhere anywhere
/* user chain for output */
zone_wan_dest_ACCEPT all anywhere anywhere
Chain zone_wan_src_REJECT (1 references)
target prot opt source destination
reject all anywhere anywhere
reject all anywhere anywhere
ip6tables-save
# Generated by ip6tables-save v1.4.21 on Sat Oct 25 16:11:11 2014
*nat
:PREROUTING ACCEPT [8489:2118004]
:INPUT ACCEPT [220:18732]
:OUTPUT ACCEPT [72:5117]
:POSTROUTING ACCEPT [377:23457]
COMMIT
# Completed on Sat Oct 25 16:11:11 2014
# Generated by ip6tables-save v1.4.21 on Sat Oct 25 16:11:11 2014
*raw
:PREROUTING ACCEPT [6740:1197649]
:OUTPUT ACCEPT [457:40178]
:delegate_notrack - [0:0]
-A PREROUTING -j delegate_notrack
COMMIT
# Completed on Sat Oct 25 16:11:11 2014
# Generated by ip6tables-save v1.4.21 on Sat Oct 25 16:11:11 2014
*mangle
:PREROUTING ACCEPT [6740:1197649]
:INPUT ACCEPT [275:20918]
:FORWARD ACCEPT [189:15796]
:OUTPUT ACCEPT [457:40178]
:POSTROUTING ACCEPT [495:42962]
:fwmark - [0:0]
:mssfix - [0:0]
-A PREROUTING -j fwmark
-A FORWARD -j mssfix
-A mssfix -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment
--comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Oct 25 16:11:11 2014
# Generated by ip6tables-save v1.4.21 on Sat Oct 25 16:11:11 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9:936]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -j delegate_input
-A FORWARD -j delegate_forward
-A OUTPUT -j delegate_output
-A delegate_forward -m comment --comment "user chain for forwarding" -j
forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0.2 -j zone_wan_forward
-A delegate_forward -j reject
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i eth0.2 -j zone_wan_input
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0.2 -j zone_wan_output
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit
25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j
forwarding_lan_rule
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j
zone_wan_dest_ACCEPT
-A zone_lan_forward -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "user chain for input" -j
input_lan_rule
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j
output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -j reject
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j
forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Forward -j ACCEPT
-A zone_wan_forward -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "user chain for input" -j
input_wan_rule
-A zone_wan_input -s fe80::/10 -d fe80::/10 -p udp -m udp --sport 547 --dport
546 -m comment --comment Allow-DHCPv6 -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit
1000/sec -m comment --comment Allow-ICMPv6-Input -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "user chain for output" -j
output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -j reject
COMMIT
# Completed on Sat Oct 25 16:11:11 2014
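※ Edited: dowbatw (140.112.230.135), 10/25/2014 15:56:11
→ danny8376: There is no br-wan in ifconfig, which means your wan isn't bridged 10/25 16:54
→ danny8376: (the gogoc interface can't be bridged because it only appears after gw6c starts) 10/25 16:59
→ dowbatw: Actually I changed it afterwards, after reading your suggestion 10/25 18:28
→ dowbatw: Having br-wan is possible too, I just didn't paste it. Still, that isn't really 10/25 18:29
→ dowbatw: the point; I'm still looking at iptable 10/25 18:30
→ dowbatw: I tried setting the top-level forward in iptable to accept, and the result 10/25 18:31
→ danny8376: Do you know that iptables and ip6tables are different things... 10/25 18:56
→ danny8376: ipv4 and ipv6 are two separate sets of iptables; their settings are unrelated 10/25 18:57
→ dowbatw: was the same; what I described above is the setting in ip6table 10/25 19:57
→ dowbatw: I just tried it: if I open the table's top-level forward to accept 10/25 19:59
→ dowbatw: it works, but that is very dangerous 10/25 19:59
※ Edited: dowbatw (140.112.230.135), 10/25/2014 20:30:41
※ Edited: dowbatw (140.112.230.135), 10/25/2014 20:33:01
→ danny8376: So as I said, the problem is that your firewall (forward) isn't set correctly... 10/25 20:49
→ danny8376: ip6tables -L -v shows the interfaces too, which makes the situation clearer 10/25 20:49
→ danny8376: But mainly it should be that the lan>wan segment is being rejected 10/25 20:49
→ danny8376: so it replied dest unreachable 10/25 20:50
→ danny8376: And paste it somewhere like a pastebin, otherwise the whole thread gets way too long OTZ 10/25 20:51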
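
Added example (not part of the original thread): a small Python walker that replays a packet through the forward-path rules excerpted from the ip6tables-save dump above, showing why a new LAN packet routed out of `tun` ends in `reject` with icmp6-port-unreachable while the same packet routed out of `eth0.2` is accepted. The `FIX` rule is a hypothetical line of the kind a `-o tun` entry for the wan zone would add, and the parser assumes every option in this excerpt takes exactly one argument.

```python
import shlex

# Forward-path rules excerpted from the ip6tables-save dump in the thread
# (wrapped lines re-joined; empty user chains and ICMPv6 rules left out).
RULES = '''\
:FORWARD DROP [0:0]
-A FORWARD -j delegate_forward
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0.2 -j zone_wan_forward
-A delegate_forward -j reject
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp6-port-unreachable
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -j zone_lan_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -j reject
-A zone_wan_forward -j zone_wan_dest_REJECT
'''
# Hypothetical rule (an assumption, not taken from the thread): the kind of
# line that would exist if the wan zone also covered the tun interface.
FIX = "-A zone_wan_dest_ACCEPT -o tun -j ACCEPT\n"
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse(text):
    """Return ({chain: [option dict, ...]}, {builtin chain: policy})."""
    chains, policy = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0].startswith(":"):
            policy[tok[0][1:]] = tok[1]
        elif tok[0] == "-A":
            # Every option in this excerpt takes exactly one argument.
            chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return chains, policy


def matches(opts, pkt):
    """Check only the matches used in the excerpt: -i, -o, -p, --ctstate."""
    return (opts.get("-i", pkt["in"]) == pkt["in"]
            and opts.get("-o", pkt["out"]) == pkt["out"]
            and opts.get("-p", pkt["proto"]) == pkt["proto"]
            and ("--ctstate" not in opts
                 or pkt["state"] in opts["--ctstate"].split(",")))


def walk(chains, chain, pkt, path):
    """Traverse one chain; return a terminal verdict or None (fall through)."""
    for opts in chains.get(chain, []):
        if not matches(opts, pkt):
            continue
        target = opts["-j"]
        path.append(f"{chain} -> {target}")
        if target in TERMINAL:
            return " ".join(filter(None, [target, opts.get("--reject-with")]))
        result = walk(chains, target, pkt, path)
        if result:
            return result
    return None


def verdict(text, pkt):
    """Return (verdict, list of jumps taken) for a forwarded packet."""
    chains, policy = parse(text)
    path = []
    result = walk(chains, "FORWARD", pkt, path)
    return result or policy.get("FORWARD", "ACCEPT") + " (policy)", path


if __name__ == "__main__":
    ping = {"in": "br-lan", "out": "tun", "proto": "ipv6-icmp", "state": "NEW"}
    for label, rules in (("as dumped", RULES), ("with -o tun rule", RULES + FIX)):
        result, path = verdict(rules, ping)
        print(f"{label}: {result}\n  " + "\n  ".join(path))
```
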