Guys, the router already has a PD prefix, but devices still can't get online over IPv6

2021-11-29 18:20:21 +08:00
 sorasyl
Devices have been assigned a public IPv6 address, but they still can't reach IPv6-only websites.
If I add the following ip6tables rule:
ip6tables -t nat -A POSTROUTING -o pppoe-wan -j MASQUERADE
they can get online through the router's IPv6 address.

Could you guys advise how to reach the public internet from the device's own IPv6 address?
3489 views
Node: 宽带症候群
25 replies
datou
2021-11-29 18:45:04 +08:00
Try PPPoE dial-up directly from a PC and see whether v6 works.
sorasyl
2021-11-29 18:50:22 +08:00
@datou PPPoE from the PC works fine. In fact, the router can also get online with that iptables rule I mentioned, but that amounts to setting up IPv6 NAT.
acbot
2021-11-29 18:52:42 +08:00
You haven't given any information, so how is anyone supposed to help? Check the v6 default route / v6 gateway / v6 firewall, and also run tracert/traceroute to look at the path. Usually the v6 address the WAN port gets from DHCP and the PD are not in the same block; in extreme cases the ISP may have no route for the PD block at all.
jousca
2021-11-29 21:16:45 +08:00
Set the router's IPv6 mode to passthrough, so the router doesn't take part in any IPv6 management. Clients should get their addresses directly from the ONT (optical modem).
sorasyl
2021-11-30 00:46:50 +08:00
@acbot Traceroute from the router to the USTC forum is as follows:
traceroute to bbs6.ustc.edu.cn (2001:da8:d800::3), 30 hops max, 64 byte packets
1 240e:398:332:: 5.750 ms
2 240e:16:1002:c00::2 8.172 ms

The device can't ping the gateway assigned by the router:
ping6 fe80::1e40:e8ff:fe12:327d
PING6(56=40+8+8 bytes) fe80::463:37b7:e560:f9c4%en0 --> fe80::1e40:e8ff:fe12:327d
ping6: sendmsg: No route to host
ping6: wrote fe80::1e40:e8ff:fe12:327d 16 chars, ret=-1

The v6 routing table is as follows:
Destination Next Hop Flags Metric Ref Use Iface
::/0 fe80::ce1a:faff:feea:e1a0 UG 512 2 0 pppoe-wan
::/0 fe80::ce1a:faff:feea:e1a0 UG 512 6 0 pppoe-wan
240e:398:332:5f::/64 :: U 256 2 0 pppoe-wan
240e:398:332:5f::/64 :: !n 2147483647 2 0 lo
240e:39b:3a1:b70::/64 :: U 1024 1 0 br-lan
240e:39b:3a1:b70::/60 :: !n 2147483647 1 0 lo
fe80::1e40:e848:7512:327c/128 :: U 256 1 0 pppoe-wan
fe80::ce1a:faff:feea:e1a0/128 :: U 1 1 0 pppoe-wan
fe80::/64 :: U 256 1 0 eth0.2
fe80::/64 :: U 256 1 0 eth0
fe80::/64 :: U 256 2 0 br-lan
fe80::/64 :: U 256 1 0 wlan0
fe80::/64 :: U 256 1 0 wlan1
::/0 :: !n -1 2 0 lo
::1/128 :: Un 0 7 0 lo
240e:398:332:5f::/128 :: Un 0 3 0 pppoe-wan
240e:398:332:5f:1e40:e848:7512:327c/128 :: Un 0 4 0 pppoe-wan
240e:39b:3a1:b70::/128 :: Un 0 3 0 br-lan
240e:39b:3a1:b70::1/128 :: Un 0 5 0 br-lan
fe80::/128 :: Un 0 3 0 eth0.2
fe80::/128 :: Un 0 3 0 eth0
fe80::/128 :: Un 0 3 0 br-lan
fe80::/128 :: Un 0 3 0 wlan0
fe80::/128 :: Un 0 3 0 wlan1
fe80::1e40:e848:7512:327c/128 :: Un 0 5 0 pppoe-wan
fe80::1e40:e8ff:fe12:327c/128 :: Un 0 4 0 eth0.2
fe80::1e40:e8ff:fe12:327c/128 :: Un 0 2 0 eth0
fe80::1e40:e8ff:fe12:327d/128 :: Un 0 3 0 br-lan
fe80::1e40:e8ff:fe12:327e/128 :: Un 0 3 0 wlan0
fe80::1e40:e8ff:fe12:327f/128 :: Un 0 2 0 wlan1
ff00::/8 :: U 256 4 0 eth0.2
ff00::/8 :: U 256 2 0 pppoe-wan
ff00::/8 :: U 256 1 0 eth0
ff00::/8 :: U 256 4 0 br-lan
ff00::/8 :: U 256 1 0 wlan0
ff00::/8 :: U 256 1 0 wlan1
::/0 :: !n -1 2 0 lo
acbot
2021-11-30 09:35:50 +08:00
@sorasyl From the information above, the address your WAN port got via DHCP is in the block 240e:398:332:5f::/64, and the delegated PD block is 240e:39b:3a1:b70::/60. I suspect the ISP may not have announced a route for that PD block externally. On the router, you can use ping with a specified source address or interface to test the outbound route for each of the two blocks separately, for example: traceroute bbs6.ustc.edu.cn -s 240e:398:332:5f:1e40:e848:7512:327c (pppoe-wan public v6) or traceroute bbs6.ustc.edu.cn -s 240e:39b:3a1:b70::1 (br-lan PD public). Note: the addresses may change at any time. Also, if you can get access by NATing behind the WAN port's v6 address, you could instead switch the router's v6 address assignment to proxy / bridge / passthrough mode (different routers call it different things) and let the ISP's DHCP assign v6 addresses to your LAN directly.
sorasyl
2021-11-30 22:58:36 +08:00
@acbot Thanks. I tested each source address with traceroute:
traceroute6 -s 240e:39b:3a1:b70::1 bbs6.ustc.edu.cn
traceroute to bbs6.ustc.edu.cn (2001:da8:d800::3) from 240e:39b:3a1:b70::1, 30 hops max, 64 byte packets
1 240e:398:332:: (240e:398:332::) 6.888 ms 6.529 ms 4.333 ms
2 240e:16:1002:a706::2 (240e:16:1002:a706::2) 7.710 ms 4.169 ms 240e:16:1002:c0b::2 (240e:16:1002:c0b::2) 5.613 ms
3 *

traceroute6 -s 240e:398:332:5f:1e40:e848:7512:327c bbs6.ustc.edu.cn
traceroute to bbs6.ustc.edu.cn (2001:da8:d800::3) from 240e:398:332:5f:1e40:e848:7512:327c, 30 hops max, 64 byte packets
1 240e:398:332:: (240e:398:332::) 5.821 ms 5.471 ms 4.521 ms
2 240e:16:1000:6bf::2 (240e:16:1000:6bf::2) 16.984 ms 4.733 ms 240e:16:1002:a711::2 (240e:16:1002:a711::2) 6.638 ms
3 240e:16:1001:10f::2 (240e:16:1001:10f::2) 4.998 ms 240e:16:1001:12b::2 (240e:16:1001:12b::2) 3.459 ms 240e:16:1001:114::2 (240e:16:1001:114::2) 4.751 ms
4 240e::1:31:81:5402 (240e::1:31:81:5402) 38.134 ms 39.012 ms 240e::1:31:81:5302 (240e::1:31:81:5302) 39.610 ms
5 *

The above was tested with ip6tables disabled.
sorasyl
2021-11-30 23:50:43 +08:00
@acbot traceroute6 bbs6.ustc.edu.cn -s 240e:398:332:5f:1e40:e89f:3312:327c
traceroute to bbs6.ustc.edu.cn (2001:da8:d800::3) from 240e:398:332:5f:1e40:e89f:3312:327c, 30 hops max, 64 byte packets
1 240e:398:332:: (240e:398:332::) 7.669 ms 5.845 ms 4.481 ms
2 240e:16:1000:702::2 (240e:16:1000:702::2) 4.386 ms 8.288 ms 240e:16:1000:703::2 (240e:16:1000:703::2) 11.790 ms
3 240e:16:1001:26::2 (240e:16:1001:26::2) 4.119 ms 240e:16:1001:2d::2 (240e:16:1001:2d::2) 4.968 ms 240e:16:1001:e::2 (240e:16:1001:e::2) 10.552 ms
4 240e::1:31:81:6022 (240e::1:31:81:6022) 34.381 ms * 240e::1:31:81:6402 (240e::1:31:81:6402) 30.460 ms
5 * * *
6 240e::e:3:2008:403 (240e::e:3:2008:403) 38.569 ms 37.962 ms 39.352 ms
7 2001:da8:2:704::1 (2001:da8:2:704::1) 37.627 ms 35.178 ms 43.262 ms
8 2001:da8:2:16::2 (2001:da8:2:16::2) 47.890 ms 46.925 ms 46.816 ms
9 2001:da8:2:f::1 (2001:da8:2:f::1) 47.488 ms 46.611 ms 48.111 ms
10 2001:da8:2:e::2 (2001:da8:2:e::2) 55.295 ms 55.932 ms 60.028 ms
11 * * 2001:da8:2:111::2 (2001:da8:2:111::2) 59.003 ms
12 2001:da8:b3:14::2 (2001:da8:b3:14::2) 60.921 ms 61.645 ms 61.812 ms
13 2001:da8:b3:101::10 (2001:da8:b3:101::10) 58.573 ms 53.646 ms 56.812 ms
14 bbs6.ustc.edu.cn (2001:da8:d800::3) 54.360 ms 55.533 ms 56.945 ms

Judging by the tests, the ISP simply hasn't announced a route for it.
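The diagnosis in the two traceroute6 runs above (the PD-sourced probe dies at hop 3 while the WAN-sourced probe reaches the target) can be made mechanical. The following added example is not from the thread: it parses traceroute6 output and reports, per source address, whether the destination was reached. The two inputs are constructed from the thread's own output, with the second run abbreviated to a few hops.

```python
import re

# Constructed sample inputs, taken from the thread (the WAN-sourced run is abbreviated).
PD_TRACE = """traceroute to bbs6.ustc.edu.cn (2001:da8:d800::3) from 240e:39b:3a1:b70::1, 30 hops max, 64 byte packets
 1  240e:398:332:: (240e:398:332::)  6.888 ms  6.529 ms  4.333 ms
 2  240e:16:1002:a706::2 (240e:16:1002:a706::2)  7.710 ms  4.169 ms 240e:16:1002:c0b::2 (240e:16:1002:c0b::2)  5.613 ms
 3  *
"""
WAN_TRACE = """traceroute to bbs6.ustc.edu.cn (2001:da8:d800::3) from 240e:398:332:5f:1e40:e89f:3312:327c, 30 hops max, 64 byte packets
 1  240e:398:332:: (240e:398:332::)  7.669 ms  5.845 ms  4.481 ms
 2  240e:16:1000:702::2 (240e:16:1000:702::2)  4.386 ms  8.288 ms 240e:16:1000:703::2 (240e:16:1000:703::2)  11.790 ms
 5  * * *
14  bbs6.ustc.edu.cn (2001:da8:d800::3)  54.360 ms  55.533 ms  56.945 ms
"""

HEADER = re.compile(r"traceroute to (\S+) \(([0-9a-f:]+)\) from ([0-9a-f:]+)")
HOP = re.compile(r"^\s*(\d+)\s+(.*)$")


def parse_traceroute(text):
    """Parse one traceroute6 run into source, target, whether it was reached and the last replying hop."""
    lines = text.strip().splitlines()
    header = HEADER.match(lines[0])
    if header is None:
        raise ValueError("not a traceroute6 header with a 'from' source address")
    target_ip, source = header.group(2), header.group(3)
    hops = {}
    for line in lines[1:]:
        hop = HOP.match(line)
        if hop is None:
            continue
        # Every "(addr)" on the line is a responding router for that TTL; "*" yields none.
        hops[int(hop.group(1))] = set(re.findall(r"\(([0-9a-f:]+)\)", hop.group(2)))
    responding = [ttl for ttl, addrs in hops.items() if addrs]
    return {
        "source": source,
        "target": target_ip,
        "reached": any(target_ip in addrs for addrs in hops.values()),
        "last_responding_hop": max(responding) if responding else 0,
    }


def reachability_report(traces):
    """Map each probed source address to a one-line verdict."""
    report = {}
    for run in map(parse_traceroute, traces):
        verdict = "reachable" if run["reached"] else f"unreachable, last reply at hop {run['last_responding_hop']}"
        report[run["source"]] = verdict
    return report
```

A source prefix whose probes stop inside the ISP's own network while the WAN-address probes complete points at a prefix that is not routed upstream, which is exactly the conclusion reached in the thread.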
flynaj
2021-12-01 01:28:45 +08:00
Try it with OpenWrt 21.02. Older versions may have bugs.
acbot
2021-12-01 09:05:50 +08:00
@sorasyl This is probably caused by a misconfigured PD pool. Normally the PD in your area should be a block starting with 240e:399:: / 240e:39A::. You can report the fault via 10000; this is usually something only the data or network department can handle, the front-line installation and maintenance staff can't.
qbqbqbqb
2021-12-01 12:43:33 +08:00
@sorasyl Looks like it's the ISP's fault; nothing you can fix yourself.
sorasyl
2021-12-02 21:28:53 +08:00
@acbot ip6tables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp anywhere anywhere tcp dpt:8087 to:[fd61:3912:b533::16e]:8087

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all anywhere anywhere

Router pinging the device:
ping6 fd61:3912:b533::16e
PING fd61:3912:b533::16e(fd61:3912:b533::16e) 56 data bytes
64 bytes from fd61:3912:b533::16e: icmp_seq=1 ttl=64 time=5.41 ms
64 bytes from fd61:3912:b533::16e: icmp_seq=2 ttl=64 time=1.71 ms
--- fd61:3912:b533::16e ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.706/3.556/5.407/1.850 ms

Internal devices now get online via v6 NAT, but port forwarding with the following rules doesn't work. How should I troubleshoot this?
ip6tables -I INPUT -p tcp --dport 8087 -j ACCEPT
ip6tables -t nat -I PREROUTING -p tcp --dport 8087 -j DNAT --to [fd61:3912:b533::16e]:8087
acbot
2021-12-03 09:00:12 +08:00
Try each of these: ip6tables -I INPUT -m conntrack --ctstate DNAT -j ACCEPT or ip6tables -t filter -I FORWARD -m conntrack --ctstate DNAT -j ACCEPT. Be careful not to place the rule after the default drop; simply put, allow packets in the DNAT state through. What puzzles me is: since the PD doesn't work, why don't you just pass through or relay the WAN port's v6 block?
sorasyl
2021-12-03 11:04:14 +08:00
@acbot After adding it, the table is as follows:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all anywhere anywhere ctstate DNAT
forwarding_rule all anywhere anywhere /* !fw3: Custom forwarding rule chain */
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward all anywhere anywhere /* !fw3 */
zone_wan_forward all anywhere anywhere /* !fw3 */
reject all anywhere anywhere /* !fw3 */

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp anywhere anywhere tcp dpt:32400
ACCEPT all anywhere anywhere ctstate DNAT
ACCEPT tcp anywhere anywhere tcp dpt:ssh
ACCEPT tcp anywhere anywhere tcp dpt:7788
ACCEPT all anywhere anywhere /* !fw3 */
input_rule all anywhere anywhere /* !fw3: Custom input rule chain */
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood tcp anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input all anywhere anywhere /* !fw3 */
zone_wan_input all anywhere anywhere /* !fw3 */

telnet to that port times out:
telnet -6 240e:398:332:9:1e40:e8cd:7b12:327c 32400
Trying 240e:398:332:9:1e40:e8cd:7b12:327c...
telnet: connect to address 240e:398:332:9:1e40:e8cd:7b12:327c: Operation timed out
telnet: Unable to connect to remote host
sorasyl
2021-12-03 11:06:57 +08:00
@sorasyl ip6tables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp anywhere anywhere tcp dpt:32400 to:[fdb1:98b4:438b::7f8]:32400

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all anywhere anywhere
acbot
2021-12-03 14:32:25 +08:00
ip6tables -t nat -A prerouting_wan_rule -p tcp -m tcp --dport 8087 -j DNAT --to-destination [fd61:3912:b533::16e]:8087
ip6tables -t filter -A forwarding_wan_rule -m conntrack --ctstate DNAT -j ACCEPT

In theory, adding these two rules should be enough. Your problem may now lie with the IPv6 masquerading; since I've never debugged NAT-style port forwarding, you'll have to turn on firewall debugging, troubleshoot it yourself, and see from the logs where it gets stuck.
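The rule pair above pairs a nat PREROUTING DNAT with a filter FORWARD accept; the earlier attempt in this thread only opened INPUT, which never sees forwarded traffic. The following added example (not from the thread) parses `ip6tables -L` chain listings and flags every DNAT'd port that the FORWARD chain does not accept before a terminating reject/DROP. The chain snapshots are constructed from the listings quoted in the thread.

```python
import re

# Constructed samples from the thread's `ip6tables -L` output: the first FORWARD chain has
# no rule for DNAT'd traffic, the second has the `ctstate DNAT` accept inserted at the top.
NAT_PREROUTING = """Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp anywhere anywhere tcp dpt:32400 to:[fdb1:98b4:438b::7f8]:32400
"""
FORWARD_BEFORE = """Chain FORWARD (policy ACCEPT)
target prot opt source destination
forwarding_rule all anywhere anywhere /* !fw3: Custom forwarding rule chain */
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
reject all anywhere anywhere /* !fw3 */
"""
FORWARD_AFTER = """Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all anywhere anywhere ctstate DNAT
forwarding_rule all anywhere anywhere /* !fw3: Custom forwarding rule chain */
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
reject all anywhere anywhere /* !fw3 */
"""


def parse_chain(text):
    """Split one `ip6tables -L` chain listing into (target, rest-of-line) tuples."""
    rules = []
    for line in text.strip().splitlines()[2:]:  # skip "Chain ..." and the column header
        target, _, rest = line.partition(" ")
        rules.append((target, rest))
    return rules


def dnat_ports(nat_prerouting):
    """Destination ports rewritten by DNAT rules in nat PREROUTING."""
    return [int(p) for target, rest in parse_chain(nat_prerouting) if target == "DNAT"
            for p in re.findall(r"dpt:(\d+)", rest)]


def forward_accepts_dnat(forward_chain, port):
    """True if FORWARD accepts DNAT'd traffic (by ctstate DNAT or by port) before a terminating rule."""
    for target, rest in parse_chain(forward_chain):
        if target == "ACCEPT" and ("ctstate DNAT" in rest or f"dpt:{port}" in rest):
            return True
        if target in ("DROP", "REJECT", "reject"):  # fw3's "reject" user chain ends evaluation
            return False
    return False


def missing_forward_rules(nat_prerouting, forward_chain):
    """DNAT'd ports that the FORWARD chain would not let through."""
    return [p for p in dnat_ports(nat_prerouting) if not forward_accepts_dnat(forward_chain, p)]
```

The check only walks the top-level FORWARD chain, so an accept that lives inside a user chain such as forwarding_rule or zone_wan_forward must be verified there separately.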
acbot
2021-12-03 14:44:51 +08:00
@sorasyl My environment is different: the machines on my LAN have public v6 addresses, and the port forwarding is done on top of that.
sorasyl
2021-12-03 17:33:13 +08:00
@acbot Bro, I tried switching to relay mode and simply disabled DHCPv6 on the LAN, but the devices always get an internal address starting with fe, not the public address handed out by the ISP.
acbot
2021-12-03 19:45:03 +08:00
@sorasyl

Open OpenWrt Settings -> Interfaces -> LAN -> DHCP Server -> IPv6 Settings and set Router Advertisement Service, DHCPv6 Service and NDP Proxy all to relay mode. Note: do not tick the "Always announce default router" option.

Check the LAN interface settings.
acbot
2021-12-03 19:47:31 +08:00
In the config file it should look something like this:

config dhcp 'lan'
option interface 'lan'

....

option ndp 'relay'
option dhcpv6 'relay'
option ra 'relay'

https://www.v2ex.com/t/818830