Topic: filtering ipv6 for ayiya tunnel to sixxs
« on: July 06, 2012, 00:39:39 »
xblades *
Posts: 1

Hello,
I have enabled IPv6 in my m0n0wall and have the tunnel to SixXS with AYIYA running. So this part works fine, and my rule allows anything on the LAN to go through the tunnel.
Now I wanted to add a rule for allowing access from the WAN to the LAN, e.g. ICMPv6 and ports on a single machine, but it doesn't seem to work for me.
I could see the firewall blocking ICMPv6 coming from tun0.
In another log I found that m0n0wall expects gif0 for filtering IPv6.

Can anyone confirm whether filtering WAN access for AYIYA works or not?

Stefan
« Reply #1 on: July 06, 2012, 18:59:04 »
iridris ***
Posts: 145

I'm not exactly sure what you're trying to achieve. Anyways, regardless of whether you get your IPv6 connectivity from Sixxs or from your ISP, the firewall rules for IPv4 and IPv6 are on two separate pages. Any rules you specify on the IPv4 page will apply to IPv4 traffic, any rules on the IPv6 page will apply to IPv6 traffic.

Since you're using Sixxs, the "WAN" on the IPv6 page could also be thought of as your Sixxs AYIYA tunnel.
« Reply #2 on: November 18, 2012, 01:50:04 »
tdussa *
Posts: 3

Hi there,

I'm having slight problems with ICMPv6 in connection with a SixXS tunnel as well.

Here's my setup:
 + I'm running a m0n0wall 1.32 on a PCwrap board.
 + I have acquired a SixXS tunnel in 6in4-heartbeat mode and a /64 subnet.
 + The tunnel itself works perfectly, as does the routing and RAD on my subnet.

However, SixXS is not able to ping my end of the tunnel.  This results in their
thinking that the tunnel is offline, which is wrong (but means that I am unable
to collect credits, which sucks).

In the m0n0 logs, I can see that the ICMPv6 pings from SixXS are blocked:
---
[blocked]    01:37:35.539340    WAN    2a01:1e8:e100:X::1    2a01:1e8:e100:X::2    ICMPV6
---
(My end of the tunnel is 2a01:1e8:e100:X::2, the SixXS PoP end is 2a01:1e8:e100:X::1.)

I have added a rule to the IPv6 firewall which I would have hoped to help, but obviously doesn't
(essentially, pass everything from any to any on WLAN interface that is ICMPv6).

So far, I don't quite understand what is wrong.

So I've looked at the status.php page, and interestingly, in the "unparsed IPv6 ipfilter rules"
section, there are a lot of rules defined for interface tun0 which look suspiciously like they should,
in fact, be defined for interface gif0 (there is no tun0 interface, but the gif0 interface is the
tunnel interface).

This I don't really understand either.

Finally, running, say, "ping6 -c 1 2a01:1e8:e100:X::1" on the exec.php page results in the
error message "ping6: sendmsg: Network is unreachable".  However, "netstat -rn" yields
---
[...]
2a01:1e8:e100:X::1              link#8                        UHL        gif0
[...]
---

So I don't see why the network should be unreachable (gif0 is up, of course).

Any suggestions?  I'd be grateful for any tip whatsoever.

THX & Cheers,
Toby.
« Reply #3 on: November 22, 2012, 22:32:03 »
tdussa *
Posts: 3

> [...]
> However, SixXS is not able to ping my end of the tunnel.  This results in their
> thinking that the tunnel is offline, which is wrong (but means that I am unable
> to collect credits, which sucks).
>
> In the m0n0 logs, I can see that the ICMPv6 pings from SixXS are blocked:
> ---
> [blocked]    01:37:35.539340    WAN    2a01:1e8:e100:X::1    2a01:1e8:e100:X::2    ICMPV6
> ---
> (My end of the tunnel is 2a01:1e8:e100:X::2, the SixXS PoP end is 2a01:1e8:e100:X::1.)
>
> I have added a rule to the IPv6 firewall which I would have hoped to help, but obviously doesn't
> (essentially, pass everything from any to any on WLAN interface that is ICMPv6).
>
> So far, I don't quite understand what is wrong.
>
> So I've looked at the status.php page, and interestingly, in the "unparsed IPv6 ipfilter rules"
> section, there are a lot of rules defined for interface tun0 which look suspiciously like they should,
> in fact, be defined for interface gif0 (there is no tun0 interface, but the gif0 interface is the
> tunnel interface).
>
> This I don't really understand either.
>
> Finally, running, say, "ping6 -c 1 2a01:1e8:e100:X::1" on the exec.php page results in the
> error message "ping6: sendmsg: Network is unreachable".  However, "netstat -rn" yields
> ---
> [...]
> 2a01:1e8:e100:X::1              link#8                        UHL        gif0
> [...]
> ---
>
> So I don't see why the network should be unreachable (gif0 is up, of course).

Turns out that I had to configure the SixXS tunnel as AICCU, not as heartbeat (on the
SixXS side).  I had misguidedly set it to heartbeat after finding a statement on the
interwebs basically saying that m0n0 supports heartbeat-mode tunnels only.

After setting the tunnel to AICCU, the tunnel interface on the m0n0wall changed
from gif0 to tun0, and all of the above problems were *poof* gone. :-) \o/ Yay!
So now everything works as expected.

Cheers,
Toby.
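Added diagnostic sketch (not from the thread or from m0n0wall) covering the symptom in Toby's two posts and in Stefan's first post: a pass rule for ICMPv6 is bound to an interface name (tun0) that the box does not actually have, while the real tunnel interface is gif0. It parses the firewall-log line shape quoted above and ipfilter-style rule lines; the rule text, the interface list and the "X" in the addresses are constructed or redacted sample values, not taken from a real system.

```python
import re

# Constructed sample in the m0n0wall log-line shape quoted in the thread:
# [action]  time  interface  src  dst  proto
BLOCK_LOG = """\
[blocked]    01:37:35.539340    WAN    2a01:1e8:e100:X::1    2a01:1e8:e100:X::2    ICMPV6
"""

# Constructed rules in ipfilter syntax, mimicking the "unparsed IPv6 ipfilter rules"
# view: the ICMPv6 pass rules sit on tun0, the tunnel actually lives on gif0.
IPF_RULES = """\
pass in quick on tun0 proto ipv6-icmp from any to any
pass out quick on tun0 from any to any keep state
block in log quick on gif0 all
"""

# Constructed interface inventory (what "netstat -rn" / ifconfig would show).
INTERFACES = {"sis0", "sis1", "gif0"}

LOG_RE = re.compile(r"^\[(\w+)\]\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
RULE_RE = re.compile(r"^(pass|block)\s+(in|out)\b.*?\bon\s+(\S+)")


def parse_log(text):
    """Parse firewall-log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            action, ts, iface, src, dst, proto = m.groups()
            entries.append({"action": action, "time": ts, "iface": iface,
                            "src": src, "dst": dst, "proto": proto.lower()})
    return entries


def rules_on_missing_interfaces(rules_text, interfaces):
    """Return (iface, rule) for every rule whose 'on <iface>' names an unknown interface."""
    orphaned = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(3) not in interfaces:
            orphaned.append((m.group(3), line.strip()))
    return orphaned


def blocked_icmpv6(log_text):
    """Blocked ICMPv6 entries: with orphaned pass rules these are the expected symptom."""
    return [e for e in parse_log(log_text)
            if e["action"] == "blocked" and e["proto"] == "icmpv6"]
```

Running `rules_on_missing_interfaces(IPF_RULES, INTERFACES)` on real rule and interface dumps is a quick check for exactly the tun0/gif0 mismatch before touching the rule set or the tunnel mode.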