Good day, everyone.
Recently I connected to Onlime/Rostelecom (Moscow); they have native IPv6 in test mode, and IPv4 on the cheaper plans is behind NAT.
In the web interface (RT-N16 @ 1.9.2.7-rtn-r5450) I set everything under IPv6 to Auto (screenshot attached); it only started working after rebooting the router (perhaps it loaded the modules).
On the Win7 client everything configured itself automatically (RA); the http://test-ipv6.com/ tests give 10/10.
Then I allowed incoming connections for the torrent client (on a static port).
It came out like this, and it even works:
Code:
post-firewall
ip6tables -I FORWARD 9 -o br0 -p tcp -m tcp --syn --dport 12345 -j ACCEPT
ip6tables -I FORWARD 10 -o br0 -p udp -m udp --dport 12345 -j ACCEPT

1. A question for the iptables gurus: did I do everything right?
Code:
ip6tables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 logdrop    all      *      *       ::/0                 ::/0                 rt type:0
    0     0 logdrop    all      *      *       ::/0                 ::/0                 ctstate INVALID
   28  2688 ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0                 ctstate NEW
 1295  108K ACCEPT     all      br0    *       ::/0                 ::/0                 ctstate NEW
    0     0 ACCEPT     all      *      *       ff00::/8             ::/0
   79 12728 SECURITY   all      vlan2  *       ::/0                 ::/0                 ctstate NEW
   79 12728 ACCEPT     udp      *      *       ::/0                 ::/0                 udp dpt:546
 6601  736K ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmp !type 128
    0     0 logdrop    all      *      *       ::/0                 ::/0

Chain FORWARD (policy ACCEPT 2187 packets, 155K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 logdrop    all      *      *       ::/0                 ::/0                 rt type:0
    0     0 ACCEPT     all      br0    br0     ::/0                 ::/0
    1    60 logdrop    all      *      *       ::/0                 ::/0                 ctstate INVALID
    0     0 ACCEPT     all      *      *       ff00::/8             ::/0
 803K  661M ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 logdrop    all      !br0   vlan2   ::/0                 ::/0
 5102  271K SECURITY   all      !br0   *       ::/0                 ::/0                 ctstate NEW
    0     0 ACCEPT     icmpv6   *      br0     ::/0                 ::/0                 ipv6-icmp !type 128
  124  8828 ACCEPT     tcp      *      br0     ::/0                 ::/0                 tcp dpt:12345 flags:0x17/0x02
  187 12796 ACCEPT     udp      *      br0     ::/0                 ::/0                 udp dpt:12345
 4791  249K logdrop    all      *      br0     ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 8693 packets, 976K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 logdrop    all      *      *       ::/0                 ::/0                 rt type:0

Chain BRUTE (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain MACS (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain SECURITY (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all      *      *       ::/0                 ::/0                 ctstate NEW LOG flags 39 level 4 prefix `ACCEPT '
    0     0 ACCEPT     all      *      *       ::/0                 ::/0

Chain logdrop (8 references)
 pkts bytes target     prot opt in     out     source               destination
 4791  249K LOG        all      *      *       ::/0                 ::/0                 ctstate NEW LOG flags 39 level 4 prefix `DROP '
 4792  249K DROP       all      *      *       ::/0                 ::/0

2. Same topic: why is the SECURITY chain empty? Is there no DDoS protection? Can I put the rules from the IPv4 SECURITY chain in there?
3. After setting up IPv6, dnsmasq started flooding the log every 15 minutes:
Code:
Sep 11 16:02:47 dnsmasq[228]: read /etc/hosts - 3 addresses
Sep 11 16:02:47 dnsmasq[228]: using nameserver 77.37.251.33#53
Sep 11 16:02:47 dnsmasq[228]: using nameserver 77.37.255.30#53
Sep 11 16:02:47 dnsmasq[228]: using nameserver 2a02:2168:208:1::1#53
Sep 11 16:02:47 dnsmasq[228]: using nameserver 2a02:2168:208:2::1#53
Sep 11 16:02:53 dnsmasq[228]: read /etc/hosts - 3 addresses
Sep 11 16:02:53 dnsmasq[228]: using nameserver 77.37.251.33#53
Sep 11 16:02:53 dnsmasq[228]: using nameserver 77.37.255.30#53
Sep 11 16:02:53 dnsmasq[228]: using nameserver 2a02:2168:208:1::1#53
Sep 11 16:02:53 dnsmasq[228]: using nameserver 2a02:2168:208:2::1#53
Sep 11 16:17:47 dnsmasq[228]: read /etc/hosts - 3 addresses
Sep 11 16:17:47 dnsmasq[228]: using nameserver 77.37.251.33#53
Sep 11 16:17:47 dnsmasq[228]: using nameserver 77.37.255.30#53
Sep 11 16:17:47 dnsmasq[228]: using nameserver 2a02:2168:208:1::1#53
Sep 11 16:17:47 dnsmasq[228]: using nameserver 2a02:2168:208:2::1#53
Sep 11 16:17:53 dnsmasq[228]: read /etc/hosts - 3 addresses
Sep 11 16:17:53 dnsmasq[228]: using nameserver 77.37.251.33#53
Sep 11 16:17:53 dnsmasq[228]: using nameserver 77.37.255.30#53
Sep 11 16:17:53 dnsmasq[228]: using nameserver 2a02:2168:208:1::1#53
Sep 11 16:17:53 dnsmasq[228]: using nameserver 2a02:2168:208:2::1#53

Is that normal? And what could be causing it?
Code:
dnsmasq.conf
user=nobody
resolv-file=/tmp/resolv.conf
no-poll
interface=br0
no-negcache
cache-size=512
dhcp-leasefile=/tmp/dnsmasq.log
dhcp-range=lan,192.168.1.101,192.168.1.254,86400
dhcp-option=lan,252,"\n"
dhcp-authoritative
quiet-ra
ra-param=br0,10,1800
dhcp-range=lan,::,constructor:br0,ra-stateless,ra-names,64,600
dhcp-option=lan,option6:23,[::]

Last edited by ff0255; 11-09-2016 at 18:28. Reason: added colour
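The question "did I do everything right?" is really two checks on the FORWARD chain: that the rules inserted with `-I FORWARD 9` and `-I FORWARD 10` landed after the `ctstate INVALID` drop and before the terminal `logdrop`, and that no ACCEPT toward br0 slipped in without a port or state match. The following is an added example, not code from the post or from the firmware: it parses the `ip6tables -nvL` FORWARD chain as pasted above (copied into the script as sample input) and reports those two problems. It assumes br0 is the LAN bridge, as in the listing; the heuristics for what counts as "too wide" are my own.

```python
"""Added example, not code from ff0255's post or from the firmware: audit the
FORWARD chain of a pasted `ip6tables -nvL` listing. The interface names (br0 =
LAN bridge, vlan2 = WAN) come from the listing; the heuristics are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# The FORWARD chain as pasted in the post (constructed copy). ip6tables prints the
# 'opt' column empty, which is why each row has one field fewer than the header.
SAMPLE_LISTING = """\
Chain FORWARD (policy ACCEPT 2187 packets, 155K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 logdrop    all      *      *       ::/0                 ::/0                 rt type:0
    0     0 ACCEPT     all      br0    br0     ::/0                 ::/0
    1    60 logdrop    all      *      *       ::/0                 ::/0                 ctstate INVALID
    0     0 ACCEPT     all      *      *       ff00::/8             ::/0
 803K  661M ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 logdrop    all      !br0   vlan2   ::/0                 ::/0
 5102  271K SECURITY   all      !br0   *       ::/0                 ::/0                 ctstate NEW
    0     0 ACCEPT     icmpv6   *      br0     ::/0                 ::/0                 ipv6-icmp !type 128
  124  8828 ACCEPT     tcp      *      br0     ::/0                 ::/0                 tcp dpt:12345 flags:0x17/0x02
  187 12796 ACCEPT     udp      *      br0     ::/0                 ::/0                 udp dpt:12345
 4791  249K logdrop    all      *      br0     ::/0                 ::/0
"""

DROP_TARGETS = {"DROP", "REJECT", "logdrop"}
_COUNTER = re.compile(r"\d+[KMG]?")  # pkts/bytes columns, e.g. 803K, 661M


@dataclass
class Rule:
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str = ""  # match text after the destination column

    @property
    def dport(self) -> int | None:
        m = re.search(r"dpt:(\d+)", self.extra)
        return int(m.group(1)) if m else None


def parse_chain(listing: str, chain: str) -> list[Rule]:
    """Return the rules of one chain from `ip6tables -nvL` output, in order.
    A row is: pkts bytes target prot in out source destination [match text]."""
    rules: list[Rule] = []
    in_chain = False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        if not in_chain or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        parts = line.split(None, 8)
        if len(parts) < 8 or not _COUNTER.fullmatch(parts[0]):
            continue
        rules.append(Rule(*parts[2:8], parts[8] if len(parts) > 8 else ""))
    return rules


def audit_forward(rules: list[Rule], lan: str = "br0") -> list[str]:
    """Findings for a FORWARD chain; an empty list means the hand-inserted port
    openings sit where they should and nothing wider than them slipped in."""
    findings: list[str] = []
    if not rules or rules[-1].target not in DROP_TARGETS or rules[-1].extra:
        findings.append("chain does not end in an unconditional drop")
    invalid_at = next((i for i, r in enumerate(rules)
                       if r.target in DROP_TARGETS and "ctstate INVALID" in r.extra), None)
    if invalid_at is None:
        findings.append("no rule drops ctstate INVALID packets")
    for pos, r in enumerate(rules, start=1):
        # Only ACCEPTs that can carry traffic from outside into the LAN matter.
        if r.target != "ACCEPT" or r.out_if != lan or r.in_if == lan:
            continue
        if r.dport is not None:
            # A port opening placed with `-I FORWARD <n>`: if it precedes the
            # INVALID drop it lets state-less garbage through to the LAN host.
            if invalid_at is not None and pos <= invalid_at:
                findings.append(f"rule {pos}: port {r.dport} opening precedes the ctstate INVALID drop")
            continue
        if "ctstate" in r.extra or r.proto == "icmpv6":
            continue  # stateful return traffic and ICMPv6 belong here
        findings.append(f"rule {pos}: ACCEPT {r.proto} from {r.in_if} into {lan} "
                        "has neither a port nor a state match")
    return findings


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_LISTING, "FORWARD")
    print(audit_forward(chain) or ["FORWARD chain looks sane"])
```

Run it on a live box with `ip6tables -nvL | python3 audit.py` after swapping the sample string for `sys.stdin.read()`; the positional `-I FORWARD 9` form is exactly what this catches, because a firmware update that changes the base chain length silently moves the opening.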
Settings are applied here only after Apply, Finish, Save & Restart.
Not implemented for IPv6.
Well, relatively. The provider issues the IPv6 lease for 30 minutes; after half that time a renewal happens, including of the DNS server addresses that dnsmasq uses.
ASUS WL5xx: FW 1.9.2.7-d-rXXXX / firmware discussion [RU] / firmware discussion [EN] | bip irc proxy
ASUS RT-N1x: FW 1.9.2.7-rtn-rXXXX / firmware discussion [RU] / firmware discussion [EN] | fake ident daemon
Thanks for the explanations (and for the firmware while we're at it :))
I couldn't find where to look at the IPv6 lease time (or the v4 one, for that matter).
There is /tmp/udhcpc0.expires, which contains 1473940098; that doesn't look like seconds.
There is /tmp/var/state/dhcp6c_duid, which is empty.
UPD
Caught it with tcpdump.
And the timing matches the dnsmasq log exactly.
Code:
$ tcpdump -i vlan2 -vv -n port 546 or 547
tcpdump: listening on vlan2, link-type EN10MB (Ethernet), capture size 65535 bytes
14:48:36.558449 IP6 (hlim 64, next-header UDP (17) payload length: 96) fe80::12bf:48ff:fee6:193f.546 > ff02::1:2.547: [udp sum ok] dhcp6 renew (xid=c5dcd (client-ID hwaddr type 1 10bf48e6193f) (server-ID hwaddr type 1 001af0481351) (elapsed-time 0) (option-request DNS-server) (IA_NA IAID:399679 T1:900 T2:1500 (IA_ADDR 2a02:2168:xxxx:xxxx::2 pltime:1800 vltime:1800) (opt_0) (opt_0) (opt_0)))
14:48:36.575449 IP6 (class 0xc0, hlim 255, next-header UDP (17) payload length: 120) fe80::21a:f0ff:fe48:1351.547 > fe80::12bf:48ff:fee6:193f.546: [udp sum ok] dhcp6 reply (xid=c5dcd (server-ID hwaddr type 1 001af0481351) (client-ID hwaddr type 1 10bf48e6193f) (IA_NA IAID:399679 T1:900 T2:1500 (IA_ADDR 2a02:2168:xxxx:xxxx::2 pltime:1800 vltime:1800)[|dhcp6ext]) (DNS-server 2a02:2168:208:1::1 2a02:2168:208:2::1))
14:48:45.147384 IP6 (hlim 64, next-header UDP (17) payload length: 97) fe80::12bf:48ff:fee6:193f.546 > ff02::1:2.547: [udp sum ok] dhcp6 renew (xid=f3127b (client-ID hwaddr type 1 10bf48e6193f) (server-ID hwaddr type 1 001af0481351) (IA_PD IAID:399679 T1:900 T2:1500 (IA_PD-prefix 2a02:2168:xxxx:xxxx::/56 pltime:1800 vltime:1800) (elapsed-time 0) (option-request DNS-server)) (elapsed-time 0) (option-request DNS-server))
14:48:45.154471 IP6 (class 0xc0, hlim 255, next-header UDP (17) payload length: 121) fe80::21a:f0ff:fe48:1351.547 > fe80::12bf:48ff:fee6:193f.546: [udp sum ok] dhcp6 reply (xid=f3127b (server-ID hwaddr type 1 001af0481351) (client-ID hwaddr type 1 10bf48e6193f) (IA_PD IAID:399679 T1:900 T2:1500 (IA_PD-prefix 2a02:2168:xxxx:xxxx::/56 pltime:1800 vltime:1800)[|dhcp6ext]) (DNS-server 2a02:2168:208:1::1 2a02:2168:208:2::1))

1800 s = 30 min
As I understand it, the 30 minutes is the provider's setting and cannot be changed?
Last edited by ff0255; 15-09-2016 at 14:28. Reason: UPD
The IPv4 lease can be viewed with nvram get wan0_lease.
The IPv6 lease is not tracked anywhere.
Yes, all correct.
See http://asus.vectormm.net/rtn/7528/, it should help with the syslog flood.
Thanks for the fix; I tried r7528, but it got even worse.
Right after boot:
Code:
Jan 1 03:00:07 dhcp6c[299]: started
Jan 1 03:00:08 dhcp client: deconfig: lease is lost
Jan 1 03:00:08 dnsmasq[222]: read /etc/hosts - 3 addresses
Jan 1 03:00:08 dhcp6c[299]: sendto: Cannot assign requested address
Jan 1 03:00:08 dnsmasq[222]: read /etc/hosts - 3 addresses
Jan 1 03:00:08 dnsmasq[222]: using nameserver 77.37.251.33#53
Jan 1 03:00:08 dnsmasq[222]: using nameserver 77.37.255.30#53
Jan 1 03:00:08 kernel: vlan2: dev_set_allmulti(master, 1)
Jan 1 03:00:08 miniupnpd[223]: shutting down MiniUPnPd
Jan 1 03:00:09 dhcp6c[299]: add address 2a02:2168:3fc6:c400:12bf:48ff:fee6:193f/56 on br0
Jan 1 03:00:09 dhcp6c[299]: status code for identity association-1: no addresses
Jan 1 03:00:09 dnsmasq[222]: read /etc/hosts - 3 addresses
Jan 1 03:00:09 dnsmasq[222]: using nameserver 77.37.251.33#53
Jan 1 03:00:09 dnsmasq[222]: using nameserver 77.37.255.30#53
Jan 1 03:00:09 dnsmasq[222]: using nameserver 2a02:2168:208:1::1#53
Jan 1 03:00:09 dnsmasq[222]: using nameserver 2a02:2168:208:2::1#53
Jan 1 03:00:09 miniupnpd[332]: HTTP listening on port 32961
Jan 1 03:00:09 dhcp client: bound IP : 10.236.36.79 from 10.236.32.1
Jan 1 03:00:10 dhcp6c[299]: status code for identity association-1: no addresses
Jan 1 03:00:10 dnsmasq-dhcp[222]: DHCPv6 stateless on 2a02:2168:3fc6:c400::, constructed for br0
Jan 1 03:00:10 dnsmasq-dhcp[222]: DHCPv4-derived IPv6 names on 2a02:2168:3fc6:c400::, constructed for br0
Jan 1 03:00:10 dnsmasq-dhcp[222]: router advertisement on 2a02:2168:3fc6:c400::, constructed for br0
Sep 28 01:02:21 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:22 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:23 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:24 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:25 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:26 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:27 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:28 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:29 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:30 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:30 ntp client: Synchronizing time with pool.ntp.org...
Sep 28 01:02:30 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:31 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:32 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:33 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:34 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:35 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:36 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:37 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:38 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:39 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:40 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:41 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:42 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:43 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:44 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:45 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:46 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:47 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:48 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:49 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:50 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:51 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:52 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:53 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:54 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:55 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:56 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:57 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:58 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:02:59 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:03:00 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:03:01 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:03:02 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:03:03 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:03:04 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:03:05 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:03:06 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:03:07 dhcp6c[299]: status code for identity association-1: no addresses
Sep 28 01:03:08 dhcp6c[299]: status code for identity association-1: no addresses

I had no time to investigate; I flashed back to r5450 and the dhcp6c flood disappeared.
For some reason the provider does not issue an address to the WAN interface for an IAID equal to 1 (previously it was equal to the prefix's IAID), and the dhcp6c client with rapid-commit enabled cannot handle this correctly and goes into an endless loop of re-requests without increasing the timeout.
In short, we are migrating to the new odhcp6c client, which handles such situations correctly.
http://asus.vectormm.net/rtn/7533/
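Two things in this thread are easier to see with the bytes in front of you: the T1/T2 and pltime/vltime values in the tcpdump capture above (T1 = 900 is half of the 1800-second lease, which is why dnsmasq re-reads its nameservers every 15 minutes), and the Status Code option behind dhcp6c's "status code for identity association-1: no addresses" that the firmware author explains (the IA_NA with IAID 1 is answered with NoAddrsAvail). The following is an added example, not code from the thread, from dhcp6c or from odhcp6c: a minimal DHCPv6 Reply decoder (RFC 8415 option layout) run over two constructed messages that mirror the capture and the r7528 log. The addresses, IAIDs and timers are taken from the post where visible; the provider's masked prefix is replaced by the 2001:db8::/32 documentation prefix.

```python
"""Added example, not code from the thread or from dhcp6c/odhcp6c: decode the
DHCPv6 Reply fields behind the tcpdump lines (T1/T2, pltime/vltime, DNS servers)
and the Status Code option behind "status code for identity association-1: no
addresses". The messages below are constructed to mirror the capture and the log."""
import ipaddress
import struct

REPLY = 7  # DHCPv6 message type (RFC 8415 section 7.3)
OPT_IA_NA, OPT_IA_ADDR, OPT_STATUS, OPT_DNS, OPT_IA_PD, OPT_IAPREFIX = 3, 5, 13, 23, 25, 26
STATUS_NAMES = {0: "Success", 1: "UnspecFail", 2: "NoAddrsAvail", 3: "NoBinding",
                4: "NotOnLink", 5: "UseMulticast", 6: "NoPrefixAvail"}


def _options(buf: bytes):
    """Yield (code, data) for a run of DHCPv6 TLV options (2-byte code, 2-byte length)."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("truncated DHCPv6 option")
        yield code, buf[off:off + length]
        off += length


def _parse_ia(data: bytes, prefix_delegation: bool) -> dict:
    """IA_NA / IA_PD body: IAID, T1, T2, then sub-options (IA_ADDR or IAPREFIX, Status Code)."""
    iaid, t1, t2 = struct.unpack_from("!III", data, 0)
    ia = {"iaid": iaid, "t1": t1, "t2": t2, "leases": [], "status": 0}
    for code, sub in _options(data[12:]):
        if code == OPT_IA_ADDR and not prefix_delegation:
            pltime, vltime = struct.unpack_from("!II", sub, 16)  # after the 16-byte address
            ia["leases"].append({"addr": str(ipaddress.IPv6Address(sub[:16])),
                                 "pltime": pltime, "vltime": vltime})
        elif code == OPT_IAPREFIX and prefix_delegation:
            pltime, vltime, plen = struct.unpack_from("!IIB", sub, 0)  # prefix follows at byte 9
            ia["leases"].append({"addr": f"{ipaddress.IPv6Address(sub[9:25])}/{plen}",
                                 "pltime": pltime, "vltime": vltime})
        elif code == OPT_STATUS:
            ia["status"] = struct.unpack_from("!H", sub, 0)[0]  # message text follows, ignored
    return ia


def parse_reply(msg: bytes) -> dict:
    """msg-type (1 byte), transaction-id (3 bytes), then top-level options."""
    out = {"type": msg[0], "xid": int.from_bytes(msg[1:4], "big"),
           "ia_na": [], "ia_pd": [], "dns": []}
    for code, data in _options(msg[4:]):
        if code == OPT_IA_NA:
            out["ia_na"].append(_parse_ia(data, False))
        elif code == OPT_IA_PD:
            out["ia_pd"].append(_parse_ia(data, True))
        elif code == OPT_DNS:
            out["dns"] = [str(ipaddress.IPv6Address(data[i:i + 16]))
                          for i in range(0, len(data), 16)]
    return out


def renew_schedule(ia: dict) -> dict:
    """Seconds after the Reply: Renew at T1, Rebind at T2 if the server stays silent,
    lease gone at the shortest valid lifetime. T1 = 900 with vltime = 1800 is the
    15-minute cadence seen in the dnsmasq log."""
    expire = min((lease["vltime"] for lease in ia["leases"]), default=0)
    return {"renew": ia["t1"], "rebind": ia["t2"], "expire": expire}


def ia_status(ia: dict) -> str:
    return STATUS_NAMES.get(ia["status"], f"code {ia['status']}")


def _opt(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data


def _ia(code: int, iaid: int, t1: int, t2: int, *subs: bytes) -> bytes:
    return _opt(code, struct.pack("!III", iaid, t1, t2) + b"".join(subs))


ADDR = ipaddress.IPv6Address("2001:db8:1:2::2").packed    # stands in for 2a02:2168:xxxx:xxxx::2
PREFIX = ipaddress.IPv6Address("2001:db8:1:2::").packed   # stands in for the delegated /56
DNS = (ipaddress.IPv6Address("2a02:2168:208:1::1").packed
       + ipaddress.IPv6Address("2a02:2168:208:2::1").packed)

# Constructed Reply mirroring the capture above (both IAs folded into one message here).
REPLY_OK = bytes([REPLY]) + (0xC5DCD).to_bytes(3, "big") \
    + _ia(OPT_IA_NA, 399679, 900, 1500, _opt(OPT_IA_ADDR, ADDR + struct.pack("!II", 1800, 1800))) \
    + _ia(OPT_IA_PD, 399679, 900, 1500, _opt(OPT_IAPREFIX, struct.pack("!IIB", 1800, 1800, 56) + PREFIX)) \
    + _opt(OPT_DNS, DNS)

# Constructed Reply matching the r7528 log: the IA_NA with IAID 1 comes back with
# NoAddrsAvail and no IA_ADDR, while the prefix delegation still succeeds.
REPLY_NOADDR = bytes([REPLY]) + b"\x00\x00\x01" \
    + _ia(OPT_IA_NA, 1, 0, 0, _opt(OPT_STATUS, struct.pack("!H", 2) + b"no addresses")) \
    + _ia(OPT_IA_PD, 399679, 900, 1500, _opt(OPT_IAPREFIX, struct.pack("!IIB", 1800, 1800, 56) + PREFIX)) \
    + _opt(OPT_DNS, DNS)

if __name__ == "__main__":
    for name, msg in (("renewed", REPLY_OK), ("no addresses", REPLY_NOADDR)):
        reply = parse_reply(msg)
        for ia in reply["ia_na"]:
            print(name, "IA_NA", ia["iaid"], ia_status(ia), ia["leases"], renew_schedule(ia))
        print(name, "DNS", reply["dns"])
```

A client that gets NoAddrsAvail for its IA_NA has nothing to renew for that IA, so `renew_schedule` returns zeros for it; the one-second cadence in the log is the client re-soliciting instead of applying the exponential retransmission backoff RFC 8415 section 15 requires, which is the behaviour the firmware author describes.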
Good day once again.
Flashed r7533:
Code:
cat /.version
1.9.2.7-rtn-r7533M-gf162782

In the log, again:
Code:
Jan 1 03:00:09 dhcp client: bound IP : 10.236.36.79 from 10.236.32.1
Jan 1 03:00:09 dhcp6c[299]: status code for identity association-1: no addresses
Jan 1 03:00:10 dhcp6c[299]: status code for identity association-1: no addresses
Jan 1 03:00:10 dnsmasq-dhcp[222]: DHCPv6 stateless on 2a02:2168:3fc6:da00::, constructed for br0
Jan 1 03:00:10 dnsmasq-dhcp[222]: DHCPv4-derived IPv6 names on 2a02:2168:3fc6:da00::, constructed for br0
Jan 1 03:00:10 dnsmasq-dhcp[222]: router advertisement on 2a02:2168:3fc6:da00::, constructed for br0
Oct 9 00:00:14 dhcp6c[299]: status code for identity association-1: no addresses
Oct 9 00:00:15 dhcp6c[299]: status code for identity association-1: no addresses
Oct 9 00:00:16 dhcp6c[299]: status code for identity association-1: no addresses
Oct 9 00:00:17 kernel: DROP IN=vlan2 OUT= MACSRC=00:1a:f0:48:14:94 MACDST=10:bf:48:e6:19:3f MACPROTO=0800 SRC=77.37.251.33 DST=10.236.36.79 LEN=69 TOS=0x00 PREC=0x00 TTL=56 ID=62444 PROTO=UDP SPT=53 DPT=31436 LEN=49
Oct 9 00:00:17 dhcp6c[299]: status code for identity association-1: no addresses
Oct 9 00:00:18 dhcp6c[299]: status code for identity association-1: no addresses
Oct 9 00:00:19 dhcp6c[299]: status code for identity association-1: no addresses
Oct 9 00:00:20 dhcp6c[299]: status code for identity association-1: no addresses
Oct 9 00:00:21 dhcp6c[299]: status code for identity association-1: no addresses
Oct 9 00:00:22 dhcp6c[299]: status code for identity association-1: no addresses
Oct 9 00:00:22 ntp client: Synchronizing time with pool.ntp.org...
Oct 9 00:00:23 dhcp6c[299]: status code for identity association-1: no addresses
Oct 9 00:00:24 dhcp6c[299]: status code for identity association-1: no addresses
Oct 9 00:00:25 dhcp6c[299]: status code for identity association-1: no addresses
Oct 9 00:00:26 dhcp6c[299]: status code for identity association-1: no addresses
Oct 9 00:00:27 dhcp6c[299]: status code for identity association-1: no addresses

And dhcp6c is in the process list:
Code:
ps
  PID USER       VSZ STAT COMMAND
    1 admean    1412 S    /sbin/init
    2 admean       0 SW<  [kthreadd]
    3 admean       0 SW<  [ksoftirqd/0]
    4 admean       0 SW<  [events/0]
    5 admean       0 SW<  [khelper]
   27 admean       0 SW<  [kblockd/0]
   60 admean       0 SW   [pdflush]
   61 admean       0 SW   [pdflush]
   62 admean       0 SW<  [kswapd0]
  113 admean       0 SW<  [mtdblockd]
  202 admean    1392 S    syslogd -m 0 -O /tmp/syslog.log -S -D -l 7 -b 1
  204 admean    1392 S    klogd
  206 admean     832 S    eapd
  208 admean    1024 S    nas
  213 admean    1392 S    telnetd
  215 admean    1068 S    dropbear
  217 admean     980 S    httpd vlan2
  222 nobody     968 S    dnsmasq
  227 admean     892 S    lld2d br0 eth1
  237 admean       0 SW<  [khubd]
  299 admean    1408 R    /sbin/dhcp6c -D LL -v vlan2
  323 admean     676 S    /usr/sbin/igmpproxy /etc/igmpproxy.conf
  332 admean     844 S    miniupnpd
  333 admean    1396 S    /sbin/udhcpc -i vlan2 -p /var/run/udhcpc0.pid -b -O33 -O121 -O249
  335 admean    1408 S    watchdog
  338 admean     776 S    infosrv br0
  736 admean    1096 R    dropbear
  763 admean    1400 R    -sh
  767 admean    1396 R    ps

I don't get it at all: where is odhcp6c?
EDIT 2016.10.09
Reset to defaults, loaded the old settings, reconfigured IPv6, uploaded flashfs; it seems to work.
The syslog is quiet and the IPv6 tests pass; I'll keep watching.
And I still don't understand why dhcp6c is in the process list.
Last edited by ff0255; 09-10-2016 at 10:13.
Looks like it was built incorrectly there, without accounting for the new config; I built it myself:
http://www.entware.net/binaries/wl500g/
1.9.2.7-rtn-r7593-g0c22b0e
I was trying to figure out why my Android phone sleeps badly with Wi-Fi connected (lots of wakelocks).
I don't understand why the default in dnsmasq.conf is
Code:
ra-param=br0,10,1800

That is, a Router Advertisement interval of 10 seconds (!), which tcpdump confirmed.
Increased it to 1800:
Code:
/usr/local/etc/dnsmasq.conf
ra-param=br0,1800,1800

IPv6 works, and the phone sleeps much better (fewer wakelocks).
Question: why did the devs set such a small value?
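The two `ra-param` lines above are the loud default and the quiet replacement, but there is a third value to watch when raising the interval: the router lifetime. RFC 4861 section 6.2.1 requires AdvDefaultLifetime to be 0 or between MaxRtrAdvInterval and 9000 s, with 3x the interval as the default; with `1800,1800` the lifetime equals the interval, so a single lost RA leaves hosts without a default route until the next one arrives. The following is an added example, not code from the post or from dnsmasq: it parses a dnsmasq `ra-param` line (the `<iface>,<interval>[,<lifetime>]` forms used above plus the documented optional `mtu:` field) and checks it against those limits. The 1800 s dnsmasq default lifetime and the per-hour wake-up count are stated assumptions.

```python
"""Added example, not code from the post or from dnsmasq: sanity-check a dnsmasq
ra-param line against the RFC 4861 section 6.2.1 router configuration limits."""
from dataclasses import dataclass

MIN_MAX_RTR_ADV = 4             # MaxRtrAdvInterval lower bound, seconds (RFC 4861 6.2.1)
MAX_MAX_RTR_ADV = 1800          # MaxRtrAdvInterval upper bound
MAX_DEFAULT_LIFETIME = 9000     # AdvDefaultLifetime upper bound
DNSMASQ_DEFAULT_LIFETIME = 1800  # assumption: dnsmasq's documented default when the field is absent
CHATTY_THRESHOLD = 60           # assumption: below this, RAs are a noticeable wake-up source


@dataclass
class RaParam:
    iface: str
    interval: int   # treated as MaxRtrAdvInterval
    lifetime: int   # AdvDefaultLifetime; 0 means "not a default router"


def parse_ra_param(line: str) -> RaParam:
    """Parse 'ra-param=<iface>,[mtu:<n>|off,]<interval>[,<lifetime>]'.
    Only the forms used in the thread plus the documented mtu field are handled."""
    key, _, value = line.strip().partition("=")
    if key != "ra-param":
        raise ValueError("not a ra-param line")
    fields = value.split(",")
    iface = fields.pop(0)
    if fields and (fields[0].startswith("mtu:") or fields[0] == "off"):
        fields.pop(0)  # optional MTU field, not relevant to the timing checks
    if not fields:
        raise ValueError("ra-interval missing")
    interval = int(fields[0])
    lifetime = int(fields[1]) if len(fields) > 1 else DNSMASQ_DEFAULT_LIFETIME
    return RaParam(iface, interval, lifetime)


def suggested_lifetime(interval: int) -> int:
    """RFC 4861 default AdvDefaultLifetime: 3 x MaxRtrAdvInterval, capped at 9000 s."""
    return min(3 * interval, MAX_DEFAULT_LIFETIME)


def ras_per_hour(p: RaParam) -> int:
    """Multicast RAs (to ff02::1) every LAN host receives per hour at this interval."""
    return 3600 // p.interval


def check_ra_param(p: RaParam) -> list[str]:
    """Return human-readable findings; an empty list means the values are sane."""
    findings: list[str] = []
    if not MIN_MAX_RTR_ADV <= p.interval <= MAX_MAX_RTR_ADV:
        findings.append(f"interval {p.interval}s outside the RFC 4861 range 4..1800")
    if p.lifetime != 0:
        if p.lifetime < p.interval or p.lifetime > MAX_DEFAULT_LIFETIME:
            findings.append(f"lifetime {p.lifetime}s must be 0 or between the interval and 9000")
        elif p.lifetime < 2 * p.interval:
            # Lifetime counts from the last RA a host received; with less than two
            # intervals of lifetime, one lost RA expires the default route.
            findings.append(f"lifetime {p.lifetime}s leaves no slack: one lost RA and the default "
                            f"route expires before the next one; RFC default would be "
                            f"{suggested_lifetime(p.interval)}s")
    if p.interval < CHATTY_THRESHOLD:
        findings.append(f"{ras_per_hour(p)} multicast RAs per hour wake every LAN host's radio")
    return findings


if __name__ == "__main__":
    for line in ("ra-param=br0,10,1800", "ra-param=br0,1800,1800", "ra-param=br0,600"):
        p = parse_ra_param(line)
        print(line, "->", check_ra_param(p) or ["ok"])
```

For the `1800,1800` line the check suggests `ra-param=br0,1800,5400`; the interval stays at the RFC maximum, so the phone wakes no more often, while the default route survives two missed advertisements.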