No access from WAN / IPv6 auto config / IPv6 gateway

stone49th · 11. März 2015

Hi folks,

first of all thanks for all the effort with the forum and omv, great work!

I've been using synology for quite a while and went xpenology with a custom build that I've been updating with new hardware from time to time. I switched to omv for numerous reasons the last days, and its working nicely so far , except:

Local connections are fine, but I can't get access from WAN. I'm on a IPv6 + DS-Lite, but thats usually not the issue. Port forwarding seems ok, I'm currently only testing with port SSH, since i will only use ssh tunnels later on for security reasons and maybe a pydio instance directly available for convenience. When I test the ports with a online port scanner, the result is a access denied on other ports than 22 (I guess my fritzbox sends ICMP replies) and a timeout on port 22.

Am I missing something? The network/firewall/hosts config is stock right now, so could something be blocking?? I'm still no expert on the shell, so could someone help me out on this? Local IPv6/IPv4 access is working, both work with ssh/gui/samba/etc...

Edit (some infos):

Spoiler anzeigen

================================================================================
= Network interfaces
================================================================================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether fc:aa:14:21:81:c7 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether fc:aa:14:21:81:c5 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.3/24 brd 192.168.2.255 scope global eth1
inet6 2001:a60:16fd:7301:feaa:14ff:fe21:81c5/64 scope global
valid_lft forever preferred_lft forever
inet6 2001:a60:16be:f401:feaa:14ff:fe21:81c5/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::feaa:14ff:fe21:81c5/64 scope link
valid_lft forever preferred_lft forever
--------------------------------------------------------------------------------
Interface information eth0:
===========================
Settings for eth0:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: Unknown!
Duplex: Unknown! (255)
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: Unknown
Supports Wake-on: pg
Wake-on: pg
Current message level: 0x00000000 (0)

Link detected: no
--------------------------------------------------------------------------------
Driver information eth0:
========================
driver: alx
version:
firmware-version: alx
bus-info: 0000:02:00.0
supports-statistics: no
supports-test: no
supports-eeprom-access: no
supports-register-dump: yes
supports-priv-flags: no
--------------------------------------------------------------------------------
Interface information eth1:
===========================
Settings for eth1:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 2
Transceiver: internal
Auto-negotiation: on
MDI-X: on
Supports Wake-on: pumbg
Wake-on: g
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes
--------------------------------------------------------------------------------
Driver information eth1:
========================
driver: e1000e
version: 2.3.2-k
firmware-version: 0.13-4
bus-info: 0000:00:19.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no

================================================================================
= IP packet filter
================================================================================
IPv4:
=====
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
--------------------------------------------------------------------------------
IPv6:
=====
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all anywhere anywhere

tcp6 0 0 :::22 :::* LISTEN 2821/sshd

So long,
Stoney

stone49th · 11. März 2015

tracing the problem down (I'm quite a novice in linux...):

looks to me like tcpdump reveals that the port forwarding is working, so it's not a NAT/FW issue from the router since something from the outside world is arriving:

Spoiler anzeigen

What next? Seems like something is blocking...but I can't really figure out what and how to configure this correctly.

What now?

stone49th · 12. März 2015

Once this is done I'm going to make a pydio-install & setup guide based on the websites and mysql plugin from extras (since it was super easy to install, instance is already running but only internal access since this issue is not resolved, however there's no up-to-date guide or how to) for the forum which pretty much obsoletes a plugin for the future. I'm willing to return something for a little help

Please

Enra · 12. März 2015

Hi,

Zitat von stone49th

I'm on a IPv6 + DS-Lite, but thats usually not the issue. Port forwarding seems ok,
Stoney

I don't fully understand your setup:
You have DS-Lite; creating IPv4 connections from outside (WAN) is impossible.
But if you use v6 for the remote access, then there is no port-forwarding.

stone49th · 12. März 2015

Jep, I'm aware of that and only using IPv6 for connecting...with my router (fritzbox) however you have to enable the ports in the firewall for IPv6, which I have done properly (it's been working with the old xpenology setup) and there are at least some packets that seem to make it through to omv as in the tcpdump above, but I guess somethings blocking and I just cant figure out whats going on...

stone49th · 14. März 2015

not quite sure, but shouldn't there be an IPv6 gateway somewhere:

Spoiler anzeigen

Edit: Got it working by manually defining a default route for the IPv6 (seems like this is not properly advertised by dhcp?) with

Code

ip -6 route add default via fe80::a96:d7ff:fe12:3941 dev eth1

.

But this won't survive a reboot...any way to make this the config static in such a way that it also survives updates and OMV config changes through the gui??

Enra · 14. März 2015

Hi,

v6 sometimes is a beast.
What you need first is a proper v6 configuration of your fritzbox.
As I do not own a FB i can't help there.
I don't think its a good idea to start configuring static gateways etc. in v6.
V6 usually has its advantages in dynamic configurations.

Then you an own dyndns entry for every devices you want to reach cause v6 doesn't use port-forwarding.

stone49th · 14. März 2015

Hey,

jep, sometimes it is...

Well, on all the windows and other linux hosts, its working nicely with the current configuration. As I run out of options I did a check with a Ubuntu VM today with a simple ssh server and it worked out of the box. So I guess the FB config should be fine, since router-advertisement is also enabled and my other linux machines are completely self-configuring without any manual intervention. The static gateway I configured preliminary to get my other stuff working is a fe80:: right now, and the FB keeps a static postfix unless you explicitly change it manually.

Now, all options are correctly taken vom DHCPv6 in OMV, therefor I still suspect some sort of configuration error, since the default route in v6 is normally provided via router-advertisement. Seems like you have to enable this explicitly and I'm not sure if the current OMV ifconfig does so properly. I found this: https://bugs.launchpad.net/ubu…rce/ifupdown/+bug/1013597
Could it be that the fritzbox is not advertising in regular intervals, and the advertisements to the kernels initial solicitations are ignored?

Maybe some Mod/Dev can comment on the issue? Could the launchpad "bug" apply here?

Enra · 16. März 2015

Hi,

just activated v6 on my OMV box via the GUI for testing purposes.
v6 Method = auto
I've got full v6 connectivity instantaneously.
I'm running an OpenWRT Router with v6 support.

stone49th · 17. März 2015

hm, strange...how many IPv6 adresses are assigned at your ethX? One or two?

I'll investigate this this evening/tomorrow if auto configuration makes a difference...

Enra · 17. März 2015

I've got masses of adresses:
root@OMV:~# ifconfig
eth0 Link encap:Ethernet Hardware Adresse xx:xx:xx:xx:xx:xx
inet Adresse:x.x.x.x Bcast:x.x.x.x Maske:255.255.255.0
inet6-Adresse: fdb6:7570:x:x:x:x:x:x/64 Gültigkeitsbereich:Global
inet6-Adresse: 2a02:8108:x:x:x:x:x:x/64 Gültigkeitsbereich:Global
inet6-Adresse: fdb6:7570:x:x:x:x:x:x/64 Gültigkeitsbereich:Global
inet6-Adresse: 2a02:8108:x:x:x:x:x:x/64 Gültigkeitsbereich:Global
inet6-Adresse: fe80::3aea:x:x:x:x/64 Gültigkeitsbereich:Verbindung

Think, you should try v6 Method = auto, which I think correspondends to "SLAAC"

stone49th · 18. März 2015

hey,

jup, this also worked at my machine with the fritzbox network. Thanks for the help

bierkistenschlepper · 25. März 2015

Why does the WebGUI IPv6 configuration not work? When will this be fixed? It seems the bug is there for a very long time. What exactly is the problem? DHCPv6 of IPv6 itself?

I need IPv6 because I use DynDNS (myFritz.net) wih Owncloud. With IPv4, all internal traffic is directed over WAN. With IPv6 its recognized that this is an internal IP and routing is made directly.

I ccould also do this via terminal but I'd appreciate a good tutorial because It took a long time to restore it last time. I'm pretty new with IPv6. For example I don't know what address i could give manually?

Enra · 26. März 2015

Zitat von bierkistenschlepper

Why does the WebGUI IPv6 configuration not work? When will this be fixed? It seems the bug is there for a very long time. What exactly is the problem? DHCPv6 of IPv6 itself?

As I mentioned above the v6 WebGUI configuration works in my setup. So what exactly is your problem?

Zitat von bierkistenschlepper

I need IPv6 because I use DynDNS (myFritz.net) wih Owncloud. With IPv4, all internal traffic is directed over WAN. With IPv6 its recognized that this is an internal IP and routing is made directly.

I think it is a DNS issue. You can try to insert en entry on your local DNS-server (router) with the name of your myfritz.net name pointing to your local servers IP-adress.
e.g.:
my-owncloud.myfritz.net = 192.168.178.1

bierkistenschlepper · 27. März 2015

Hi, on my setup it does not work. When I change the setting, it says 'an error occurred'. Then after reboot, it stops after DHCP, even if i have no cables connected. To fix this I had to boot a live CD and comment out the IPv6 config in /etcetwork/interfaces. This happened at least twice, so it is obviously an OMV bug. I guess OMV writes some invalid values into the interface config. When doing it manually it should work, except there is a debian bug... Could anyone post his or her working DHCPv6 config?

I don't know any way to change the DNS rules inside my FritzBox. I can onle set it in my local /etc/hosts. But this change has to be made on every host and is very error-prone on mobile hosts.

Jetzt mitmachen!