My ERL v1.9.0 is not responding on the link-local interface.
The router is sending neighbor discovery messages (as seen in the tcpdump below) but never receives an answer. So I suspect that, for some reason, these packets are being filtered at the interface, which is why they don't show up in my logs. Can someone please tell me how to fix this?
From the ERL CLI: sudo tcpdump -nn -i eth0 icmp6
From my Laptop [Windows 10]: ping -6 2001:8b0::2020

halo@stargate:~$ sudo tcpdump -nn -i eth0 icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:03:31.122681 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:32.122368 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:33.122368 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:35.125569 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:36.122363 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:37.122369 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:39.125909 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:40.122371 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:41.122400 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:43.126338 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:44.122359 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:45.122359 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:47.926251 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:48.922372 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:49.922355 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:51.925779 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:52.922368 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:53.922384 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:55.925634 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:56.922394 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:57.922387 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:59.926119 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:04:00.922368 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:04:01.922395 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
^C
24 packets captured
24 packets received by filter
0 packets dropped by kernel
halo@stargate:~$ exit
logout
Of interest: my WAN interface can be reached from the outside, but none of my internal interfaces can be reached.
Config follows:
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group BOGONS {
            address 10.0.0.0/8
            address 100.64.0.0/10
            address 127.0.0.0/8
            address 169.254.0.0/16
            address 172.16.0.0/12
            address 192.0.0.0/24
            address 192.0.2.0/24
            address 192.168.0.0/16
            address 198.18.0.0/15
            address 198.51.100.0/24
            address 203.0.113.0/24
            address 224.0.0.0/4
            address 240.0.0.0/4
            description "Bogons Networks"
        }
        address-group MODEM_IP {
            address 192.168.100.1
            description "Access to Cable Modem"
        }
        address-group PRINTER_IP {
            address 192.168.10.36
            address 192.168.10.44
            description "Printers for authorized subnets/vlans"
        }
    }
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name VLAN_IN {
        default-action accept
        description "segregate VLANS"
        rule 10 {
            action accept
            description "Accept established / related"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "drop invalid"
            protocol all
            state {
                invalid enable
            }
        }
        rule 50 {
            action accept
            description "Cable Modem GUI access"
            destination {
                group {
                    address-group MODEM_IP
                }
            }
            log disable
            protocol all
            state {
                new enable
            }
        }
        rule 60 {
            action accept
            description "Printer access for authorized subnets/vlans"
            destination {
                group {
                    address-group PRINTER_IP
                }
            }
            log disable
            protocol all
            state {
                new enable
            }
        }
        rule 70 {
            action drop
            description "drop all LANs"
            destination {
                address 192.168.0.0/16
            }
            protocol all
            state {
                new enable
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action drop
            description "Drop Bogon source"
            log disable
            protocol all
            source {
                group {
                    address-group BOGONS
                }
            }
        }
        rule 40 {
            action accept
            description "Allow IKE for Remote VPN Server"
            destination {
                port 500
            }
            log disable
            protocol udp
        }
        rule 50 {
            action accept
            description "Allow L2TP for Remote VPN Server"
            destination {
                port 1701
            }
            log disable
            protocol udp
        }
        rule 60 {
            action accept
            description "Allow ESP for Remote VPN server"
            log disable
            protocol 50
        }
        rule 70 {
            action accept
            description "Allow NAT-T for Remote VPN Server"
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description "IPv4 and IPv6-Internet"
        dhcpv6-pd {
            no-dns
            pd 0 {
                interface eth1.10 {
                    host-address ::1
                    no-dns
                    service slaac
                }
                prefix-length 64
            }
            pd 1 {
                interface eth1.20 {
                    host-address ::1
                    no-dns
                    service slaac
                }
                prefix-length 64
            }
            pd 2 {
                interface eth2 {
                    host-address ::1
                    no-dns
                    service slaac
                }
                prefix-length 64
            }
            rapid-commit enable
        }
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description Local
        duplex auto
        speed auto
        vif 10 {
            address 192.168.10.1/24
            description vlan10
            firewall {
                in {
                    name VLAN_IN
                }
                local {
                }
            }
            mtu 1500
        }
        vif 20 {
            address 192.168.20.1/24
            description vlan20
            firewall {
                in {
                    name VLAN_IN
                }
                local {
                }
            }
            mtu 1500
        }
        vif 30 {
            address 192.168.30.1/24
            description vlan30
            firewall {
                in {
                    name VLAN_IN
                }
                local {
                }
            }
            mtu 1500
        }
    }
    ethernet eth2 {
        address 192.168.5.1/24
        description "Local 2"
        duplex auto
        firewall {
            in {
                name VLAN_IN
            }
            local {
            }
        }
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.1.101 {
                    stop 192.168.1.110
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.5.0/24 {
                default-router 192.168.5.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.5.101 {
                    stop 192.168.5.110
                }
            }
        }
        shared-network-name vlan10 {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.10.100 {
                    stop 192.168.10.114
                }
            }
        }
        shared-network-name vlan20 {
            authoritative disable
            subnet 192.168.20.0/24 {
                default-router 192.168.20.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.20.100 {
                    stop 192.168.20.115
                }
            }
        }
        shared-network-name vlan30 {
            authoritative disable
            subnet 192.168.30.0/24 {
                default-router 192.168.30.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.30.100 {
                    stop 192.168.30.105
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            listen-on eth1.10
            listen-on eth1.20
            listen-on eth1.30
            name-server 2001:4860:4860::8888
            name-server 2001:4860:4860::8844
        }
    }
    gui {
        http-port 80
        https-port 8443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    upnp2 {
        acl {
            rule 10 {
                action deny
                description "Block Port 3074 to Force a Different Port For Xbox"
                external-port 3074
                local-port 0-65535
                subnet 192.168.20.0/24
            }
            rule 15 {
                action deny
                description "Block Port 4500 to Force a Different Port For ATC"
                external-port 4500
                local-port 0-65535
                subnet 192.168.20.0/24
            }
            rule 20 {
                action allow
                description "Allow DiskStation"
                external-port 1024-65535
                local-port 0-65535
                subnet 192.168.10.15/32
            }
            rule 30 {
                action allow
                description "Allow Apple Airport Time Capsule"
                external-port 1024-65535
                local-port 0-65535
                subnet 192.168.20.254/32
            }
            rule 40 {
                action allow
                description "Allow XBOX360_LAB"
                external-port 1024-65535
                local-port 0-65535
                subnet 192.168.20.50/32
            }
            rule 50 {
                action allow
                description "Allow XBOX360_AMY"
                external-port 1024-65535
                local-port 0-65535
                subnet 192.168.20.55/32
            }
            rule 9001 {
                action deny
                description "Deny everything else"
                external-port 0-65535
                local-port 0-65535
                subnet 0.0.0.0/0
            }
        }
        listen-on eth1.10
        listen-on eth1.20
        nat-pmp enable
        port 49xxx
        secure-mode enable
        wan eth0
    }
}
system {
    host-name stargate
    login {
        user halo {
            authentication {
                encrypted-password ""
            }
            full-name "xxxxxxxxxx"
            level admin
        }
        user xcxcxcxc {
            authentication {
                encrypted-password ""
                plaintext-password ""
            }
            full-name "XcXcXcXcXc"
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipv4 {
            forwarding enable
            vlan enable
        }
        ipv6 {
            forwarding enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
        host 192.168.10.15 {
            facility all {
                level notice
            }
        }
    }
    time-zone America/Toronto
}
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username xcxcxcxc {
                        password ""
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.177.101
                stop 192.168.177.110
            }
            dhcp-interface eth0
            dns-servers {
                server-1 8.8.8.8
                server-2 8.8.4.4
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ""
                }
                ike-lifetime 3600
            }
            mtu 1492
        }
    }
}
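The capture in the post shows one side of neighbor discovery only: the router solicits fe80::217:10ff:fe91:5429 on eth0 every second or so and no neighbor advertisement ever comes back. To check a `tcpdump -nn icmp6` capture for exactly that pattern, here is an added Python helper (example code, not part of the post or of EdgeOS); it assumes tcpdump's default line format for NS/NA, and its sample input is two NS lines copied from the post plus a constructed NS/NA pair so the answered case is also exercised.

```python
"""Pair ICMPv6 neighbor solicitations (NS) with advertisements (NA) in tcpdump text.
Hypothetical helper, not from the post or from EdgeOS: reports targets solicited but
never advertised, and checks each NS went to the target's solicited-node group."""
import ipaddress
import re
from collections import defaultdict

NS_RE = re.compile(r"^(\S+) IP6 (\S+) > (\S+): ICMP6, neighbor solicitation, who has (\S+), length")
NA_RE = re.compile(r"^(\S+) IP6 (\S+) > (\S+): ICMP6, neighbor advertisement, tgt is (\S+), length")

# Constructed sample: two NS lines copied from the post's capture, plus a constructed
# NS/NA pair for a different target (fe80::1) so the answered case is exercised.
SAMPLE = """\
12:03:31.122681 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:32.122368 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff91:5429: ICMP6, neighbor solicitation, who has fe80::217:10ff:fe91:5429, length 32
12:03:33.000000 IP6 fe80::de9f:dbff:fe28:5a5 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has fe80::1, length 32
12:03:33.001000 IP6 fe80::1 > fe80::de9f:dbff:fe28:5a5: ICMP6, neighbor advertisement, tgt is fe80::1, length 32
"""

def solicited_node(addr):
    """Solicited-node multicast group for addr (RFC 4291): ff02::1:ff00:0/104 + low 24 bits."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24))

def summarize_nd(capture):
    """Return (unanswered, answered, wrong_group): per-target NS counts split by whether
    an NA for that target was seen, plus NS lines sent to the wrong multicast group."""
    count, first, last, advertised, wrong_group = defaultdict(int), {}, {}, set(), []
    for line in capture.splitlines():
        if m := NS_RE.match(line):
            ts, _src, dst, target = m.groups()
            count[target] += 1
            first.setdefault(target, ts)
            last[target] = ts
            if dst != solicited_node(target):  # NS must go to the target's solicited-node group
                wrong_group.append(line)
        elif m := NA_RE.match(line):
            advertised.add(m.group(4))
    unanswered = {t: (count[t], first[t], last[t]) for t in count if t not in advertised}
    answered = {t: count[t] for t in count if t in advertised}
    return unanswered, answered, wrong_group

if __name__ == "__main__":
    unanswered, answered, wrong = summarize_nd(SAMPLE)
    for target, (n, t0, t1) in unanswered.items():
        print(f"no NA for {target}: {n} solicitations between {t0} and {t1}")
    print("answered:", answered, "sent to wrong group:", len(wrong))
```

Run it over the full capture from the post and the only entry in `unanswered` is the upstream link-local target, which pins the fault to the NA never arriving (or never being sent) rather than to the router's own solicitations.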