How do I set up an IPv6 network from Hurricane Electric with fixed-address delegation?

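Please help me set up an IPv6 network on a Linux gate. I want to give clients static IPv6 addresses from the HE routed pool 2001:471:70c8::/48. I took the first /64 subnet from it (2001:471:70c8:1::/64), and I want to hand out addresses to clients from there.

IPv6 forwarding is on, and ip6tables accepts FORWARD. From the gate I can ping6 the clients and the internet; from a client I can ping6 the gate, but not the internet. Please tell me, what am I doing wrong?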

radvd:

gate ~ # cat /etc/dhcp/radvd.conf          

interface internal_0
{
    AdvSendAdvert on;
    AdvManagedFlag on;
    AdvOtherConfigFlag on;

    prefix 2001:471:70c8:1::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    };

    RDNSS 2001:471:70c8:1::1
    {
    };

    DNSSL domain-home.local
    {
    };
};

DHCPv6

ddns-update-style none;
authoritative;
option dhcp6.name-servers 2001:471:70c8:1::1;
option dhcp6.domain-search "domain-home.local";
default-lease-time 3600;
max-lease-time 14400;
option client-class-information code  97 = string;
deny duplicates;
ping-check true;
update-optimization false;

shared-network "domain-home"
{
  interface internal_0;
  subnet6 2001:471:70c8:1::/64
  {
    pool6
    {
      # Range for clients
      range6 2001:471:70c8:1::1 2001:471:70c8:1::fe;

      # Range for clients requesting a temporary address
      range6 2001:471:70c8:1::/64 temporary;

      # Prefix range for delegation to sub-routers
      prefix6 2001:471:70c8:1:: 2001:471:70c8:1:: /64;
    }
  }
}

host spc_94_de_80_7c_8b_ee
  {
    hardware ethernet 94:de:80:7c:8b:ee;
    host-identifier option dhcp6.client-id 00:02:00:00:ab:11:7a:1c:61:eb:ac:c3:f0:f3;
    fixed-address6 2001:471:70c8:1::a;
  } # Interface name: internal_0 (Internal)

Gate:

gate ~ # ip -6 a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: external_kis_0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::523e:aaff:fe04:8fb0/64 scope link 
       valid_lft forever preferred_lft forever
3: internal_0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:471:70c8:1:96de:80ff:fe6c:66b0/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 86225sec preferred_lft 14225sec
    inet6 2001:471:70c8:1::1/0 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::96de:80ff:fe6c:66b0/64 scope link 
       valid_lft forever preferred_lft forever
7: external_he_0@external_kis_0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 state UNKNOWN qlen 1000
    inet6 2001:471:1f0a:1880::2/0 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::5bd2:623e/64 scope link 
       valid_lft forever preferred_lft forever
gate ~ # ip -6 r l
anycast 2001:471:70c8:1:: dev internal_0 proto kernel metric 0 pref medium
2001:471:70c8:1::/64 dev internal_0 proto ra metric 1024 pref medium
2001:471:70c8::/48 dev internal_0 proto ra metric 1024 pref medium
anycast fe80:: dev external_he_0 proto kernel metric 0 pref medium
anycast fe80:: dev external_kis_0 proto kernel metric 0 pref medium
anycast fe80:: dev internal_0 proto kernel metric 0 pref medium
fe80::/64 dev external_he_0 proto kernel metric 256 pref medium
fe80::/64 dev external_kis_0 proto kernel metric 256 pref medium
fe80::/64 dev internal_0 proto kernel metric 256 pref medium
ff00::/8 dev external_he_0 metric 256 pref medium
ff00::/8 dev internal_0 metric 256 pref medium
default dev external_he_0 proto kernel metric 256 pref medium
default dev internal_0 proto kernel metric 256 pref medium
default via 2001:471:1f0a:1880::1 dev external_he_0 proto static metric 1024 pref medium

Client:

spc ~ # ip -6 a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 1000
    inet6 fe80::24df:7f80:e175:c322/64 scope link 
       valid_lft forever preferred_lft forever
3: internal_0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:471:70c8:1::a/128 scope global dynamic noprefixroute 
       valid_lft 3592sec preferred_lft 2242sec
    inet6 2001:471:70c8:1:96de:80ff:fe7c:8bee/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 86391sec preferred_lft 14391sec
    inet6 2001:471:70c8:1:7aed:e36d:f089:ad33/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 86391sec preferred_lft 14391sec
    inet6 fe80::b492:58c4:b12d:b2e0/64 scope link 
       valid_lft forever preferred_lft forever
spc ~ # ip -6 r l
2001:471:70c8:1::/64 dev internal_0 proto ra metric 203 pref medium
2001:471:70c8:1::/64 dev internal_0 proto ra metric 1024 pref medium
fe80::/64 dev dummy0 proto kernel metric 256 pref medium
fe80::/64 dev internal_0 proto kernel metric 256 pref medium
ff00::/8 dev dummy0 metric 256 pref medium
ff00::/8 dev internal_0 metric 256 pref medium
default via fe80::96de:80ff:fe6c:66b0 dev internal_0 proto ra metric 203 pref medium
default via fe80::96de:80ff:fe6c:66b0 dev internal_0 proto ra metric 1024 pref medium

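There is something else interesting here. I only gave the client one address (2001:471:70c8:1::a). Where did the other two (2001:471:70c8:1:96de:80ff:fe7c:8bee, 2001:471:70c8:1:7aed:e36d:f089:ad33) come from?

Update: tunnel and gate interface configuration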

gate ~ # cat /etc/systemd/network/external_he_0.network 
[Match]
Name=external_he_0

[Network]
Address=2001:471:1f0a:1880::2
Gateway=2001:471:1f0a:1880::1

gate ~ # cat /etc/systemd/network/external_he_0.netdev 
[Match]

[NetDev]
Name=external_he_0
Kind=sit
MTUBytes=1480

[Tunnel]
Local=91.200.98.62
Remote=216.66.80.30
TTL=255

gate ~ # cat /etc/systemd/network/internal_0.network  
[Match]
Name=internal_0
MACAddress=94:de:80:6c:66:b0

[Network]
Description=Internal
DHCP=no
Address=10.100.100.1
Address=2001:471:70c8:1::1
Domains=domain-home.local

gate ~ # cat /etc/systemd/network/external_kis_0.network 
[Match]
Name=external_kis_0
MACAddress=50:3e:aa:04:8f:b0

[Network]
Description=External KIS
DHCP=no
Address=91.200.98.62
Gateway=91.200.98.61
Tunnel=external_he_0

Answer 1

3: internal_0:
    inet6 2001:471:70c8:1::1/0 scope global

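Even though your tunnel and subnet addresses belong to /64 prefixes, for some reason you have configured them as /0. Using the wrong subnet mask already causes all sorts of weird problems, but /0 is even more harmful, because it is interpreted as "the entire world is my subnet". Note that you ended up with two extra default routes, such as the nonsensical ::/0 dev internal_0.

Because you have two routes for the same destination (::/0, a.k.a. "default") with the same metric, you effectively end up with a load-balanced route. Whether each packet picks the "dev internal_0" next hop or the "dev external_he_0" next hop is purely down to luck. (Entirely by accident, the latter is actually valid and workable, because it points to the tunnel device. I guess that is why some of your packets get through while others do not.)

Fix your configuration so that it specifies the correct prefix length (/64) for the addresses on both interfaces.

File a bug report against your network configuration tool: a missing /prefixlen should either abort or default to the maximum length (/128 for v6), not to zero.

I only gave the client one address (2001:471:70c8:1::a). Where did the other two (2001:471:70c8:1:96de:80ff:fe7c:8bee, 2001:471:70c8:1:7aed:e36d:f089:ad33) come from?

DHCPv6 is not the only address autoconfiguration mechanism (in fact, some systems do not even support it). Besides it, you also have Router Advertisements with the AdvAutonomous prefix flag set - this enables SLAAC and indicates to clients receiving these advertisements that they may self-assign addresses from the prefix.

(The first address is based on EUI64 or the MAC address; the second appears to be RFC7217 hash-based. It looks like this client actually has programs processing Router Advertisements - possibly kernel + dhcpcd, or kernel + systemd-networkd. That is why it also has two default routes.)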
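
A check for the misconfiguration this answer describes, as an added example that is not part of the original answer: it scans `ip -6 addr` and `ip -6 route` output for /0 addresses and for the gateway-less kernel default routes they produce. The sample text is trimmed from the gate output posted in the question; the function names are this example's own.

```python
import re

# Trimmed from the gate's `ip -6 a l` / `ip -6 r l` output in the question.
ADDR_SAMPLE = """\
3: internal_0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:471:70c8:1:96de:80ff:fe6c:66b0/64 scope global dynamic mngtmpaddr noprefixroute
    inet6 2001:471:70c8:1::1/0 scope global
    inet6 fe80::96de:80ff:fe6c:66b0/64 scope link
7: external_he_0@external_kis_0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 state UNKNOWN qlen 1000
    inet6 2001:471:1f0a:1880::2/0 scope global
"""
ROUTE_SAMPLE = """\
2001:471:70c8:1::/64 dev internal_0 proto ra metric 1024 pref medium
default dev external_he_0 proto kernel metric 256 pref medium
default dev internal_0 proto kernel metric 256 pref medium
default via 2001:471:1f0a:1880::1 dev external_he_0 proto static metric 1024 pref medium
"""

def zero_prefix_addresses(addr_output):
    """Return (interface, address) pairs configured with prefix length /0."""
    found, iface = [], None
    for line in addr_output.splitlines():
        header = re.match(r"\d+:\s+([^:@\s]+)", line)  # e.g. "3: internal_0: <...>"
        if header:
            iface = header.group(1)
            continue
        addr = re.match(r"\s+inet6\s+(\S+)/(\d+)(?:\s|$)", line)
        if addr and int(addr.group(2)) == 0:
            found.append((iface, addr.group(1)))
    return found

def kernel_default_routes(route_output):
    """Return devices holding a default route added by the kernel with no
    'via' next hop, which is the on-link ::/0 route a /0 address creates."""
    devs = []
    for line in route_output.splitlines():
        fields = line.split()
        if (fields[:1] == ["default"] and "via" not in fields
                and "dev" in fields and " proto kernel " in line):
            devs.append(fields[fields.index("dev") + 1])
    return devs

if __name__ == "__main__":
    for iface, addr in zero_prefix_addresses(ADDR_SAMPLE):
        print(f"{iface}: {addr} has prefix length /0")
    for dev in kernel_default_routes(ROUTE_SAMPLE):
        print(f"{dev}: kernel-generated default route without a gateway")
```

To audit a live host, pass the captured output of `ip -6 addr` and `ip -6 route` to the two functions in place of the sample strings.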
