IPv6 转发已启用但不起作用。如何让它工作?

IPv6 转发已启用但不起作用。如何让它工作?

我的系统运行的是 Debian GNU/Linux 11 (bullseye)。我的网络配置了两个接口,一个连接到我的 ISP,另一个连接到我的局域网。我使用 systemd-networkd 来管理接口。问题是 IPv6 数据包没有被转发。(systemd 版本为 247.3-6。)

从路由器上可以用 ping -6 ping 通上游,但从内部主机不行。内部主机无法连接到外部 IPv6 服务器,但可以通过 NAT 连接到外部 IPv4 服务器。

cat /etc/systemd/network/eth0.network
# systemd-networkd unit for eth0, which carries the DHCP lease and the default
# route on this page (apparently the ISP-facing side).
[Match]
Name=eth0

[Network]
# Starts both the DHCPv4 and the DHCPv6 client on this link.
DHCP=yes
# Router advertisements are accepted here; the "proto ra" default route in the
# routing table on this page comes from one.
IPv6AcceptRA=yes
# IPForward= turns on the system-wide forwarding sysctl; it is not a per-link
# switch, and it says nothing about whether the upstream routes return traffic
# for the LAN prefix back to this host.
IPForward=ipv6
# LLDP reception only; unrelated to forwarding.
LLDP=yes

[DHCPv6]
# Asks the DHCPv6 server for a /56 delegation. The journal excerpt on this page
# records only a /128 address lease on eth0, so whether any prefix was actually
# delegated is not shown -- confirm before assuming 2001:0DB8:c101:b700::/56 is
# routed to this host.
PrefixDelegationHint=::/56

cat /etc/systemd/network/lan0.network 
# systemd-networkd unit for lan0 (apparently the LAN-facing side); every address
# below is assigned statically.
[Match]
Name=lan0

[Network]
Address=192.168.1.2/24
Address=192.168.1.1/24
Address=192.168.1.5/24
Address=192.0.2.5/24
# Static IPv6 addresses inside 2001:0DB8:c101:b700::/64. Nothing in this file
# requests a delegated prefix or sends router advertisements, so LAN hosts must
# get their IPv6 address and default route some other way (not shown), and
# reachability from outside depends on the upstream actually routing this
# prefix to the router -- TODO confirm.
Address=2001:0DB8:c101:b700::1/64
Address=2001:0DB8:c101:b700:beef::5/64

Domains=lan example.com

# Same system-wide forwarding switch as in eth0.network; repeating it per link
# adds nothing.
IPForward=ipv6
LLDP=yes

ip -6 route show table all
::1 dev lo proto kernel metric 256 pref medium
2001:0DB8:c101:b700::/64 dev lan0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev lan0 proto kernel metric 256 pref medium
default via fe80::2a2:ff:feb2:c2 dev eth0 proto ra metric 1024 expires 1724sec mtu 1500 pref high
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f dev eth0 table local proto kernel metric 0 pref medium
anycast 2001:0DB8:c101:b700:: dev lan0 table local proto kernel metric 0 pref medium
local 2001:0DB8:c101:b700::1 dev lan0 table local proto kernel metric 0 pref medium
local 2001:0DB8:c101:b700:beef::5 dev lan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev lan0 table local proto kernel metric 0 pref medium
local fe80::fca5:6fff:fe75:6109 dev eth0 table local proto kernel metric 0 pref medium
local fe80::fca5:6fff:fe75:6129 dev lan0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev lan0 table local proto kernel metric 256 pref medium

ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether fe:a5:6f:75:61:09 brd ff:ff:ff:ff:ff:ff
        inet 192.0.2.199/23 brd 192.0.2.255 scope global dynamic eth0
           valid_lft 1602sec preferred_lft 1602sec
        inet6 2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f/128 scope global dynamic noprefixroute 
           valid_lft 3802sec preferred_lft 2802sec
        inet6 fe80::fca5:6fff:fe75:6109/64 scope link 
           valid_lft forever preferred_lft forever
    3: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether fe:a5:6f:75:61:29 brd ff:ff:ff:ff:ff:ff
        inet 192.0.2.5/24 brd 192.0.2.255 scope global lan0
           valid_lft forever preferred_lft forever
        inet 192.168.1.1/24 brd 192.168.1.255 scope global lan0
           valid_lft forever preferred_lft forever
        inet 192.168.1.5/24 brd 192.168.1.255 scope global secondary lan0
           valid_lft forever preferred_lft forever
        inet6 2001:0DB8:c101:b700:beef::5/64 scope global 
           valid_lft forever preferred_lft forever
        inet6 2001:0DB8:c101:b700::1/64 scope global 
           valid_lft forever preferred_lft forever
        inet6 fe80::fca5:6fff:fe75:6129/64 scope link 
           valid_lft forever preferred_lft forever

ip6tables-save
# Generated by ip6tables-save v1.8.7 on Sun Mar 27 06:29:25 2022
# NOTE(review): this dump carries no per-rule packet counters (no -c), so it
# cannot show which rule the LAN traffic hits; `ip6tables -L FORWARD -v -n`
# would.
*filter
# The built-in policies are ACCEPT, but INPUT and FORWARD each end in an
# explicit "-j DROP", so both behave as default-deny. The [0:0] policy counters
# fit that: nothing falls through to the policy.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127035:902105282]
# Of the user chains, only nameserver_in and server_in are jumped to in this
# dump; client_in, client_out and server_out are never referenced.
:client_in - [0:0]
:client_out - [0:0]
:nameserver_in - [0:0]
:server_in - [0:0]
:server_out - [0:0]
# --- INPUT: traffic addressed to the router itself ---
# Routing header type 0 is dropped first in all three built-in chains.
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -i lo -j ACCEPT
# Everything arriving on lan0 is accepted: the LAN is fully trusted towards the
# router.
-A INPUT -i lan0 -j ACCEPT
# Duplicate of the lo rule two lines up.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Link-local sources, multicast destinations and every ICMPv6 type are accepted
# on any interface, eth0 included.
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
# These two jumps only accept port 53, which the unconditional port-53 rules
# below accept anyway, so they do no filtering as written. The second
# destination (…b700::5) is not an address shown on lan0; the configured one is
# …b700:beef::5 -- possibly a typo or an anonymisation artefact.
-A INPUT -d 2001:0DB8:c101:b700::1/128 -i eth0 -j nameserver_in
-A INPUT -d 2001:0DB8:c101:b700::5/128 -i eth0 -j nameserver_in
# Services on the router itself, open from every interface and source.
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -j DROP
# --- FORWARD: traffic routed between eth0 and lan0 ---
-A FORWARD -m rt --rt-type 0 -j DROP
# Replies to connections opened from the LAN are admitted here.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# All forwarded ICMPv6 is accepted in both directions, including unsolicited
# echo requests from eth0 to LAN hosts; consider narrowing to the types needed.
-A FORWARD -p ipv6-icmp -j ACCEPT
# LAN-originated traffic is forwarded only when its source is inside the /56;
# any other source arriving on lan0 falls through to the final DROP.
-A FORWARD -s 2001:0DB8:c101:b700::/56 -i lan0 -j ACCEPT
# New inbound connections from eth0 reach only these two destination ranges,
# limited to the ports accepted in server_in and nameserver_in.
-A FORWARD -d 2001:0DB8:c101:b700:beef::/80 -i eth0 -j server_in
-A FORWARD -d 2001:0DB8:c101:b700::/125 -i eth0 -j nameserver_in
# NOTE(review): outbound LAN traffic and its replies are permitted above, so
# these rules alone do not obviously explain the forwarding failure -- confirm
# with rule counters.
-A FORWARD -j DROP
# --- OUTPUT: policy is ACCEPT, so the ACCEPT rules below change nothing ---
-A OUTPUT -m rt --rt-type 0 -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
# --- user chains ---
-A client_in -m state --state RELATED,ESTABLISHED -j ACCEPT
-A client_out -j ACCEPT
# DNS only (udp and tcp port 53); anything else returns to the calling chain.
-A nameserver_in -p udp -m udp --dport 53 -j ACCEPT
-A nameserver_in -p tcp -m tcp --dport 53 -j ACCEPT
# The RELATED,ESTABLISHED rule here is already covered by the same rule earlier
# in FORWARD, the only chain that jumps to server_in.
-A server_in -m state --state RELATED,ESTABLISHED -j ACCEPT
-A server_in -p tcp -m tcp --dport 80 -j ACCEPT
-A server_in -p tcp -m tcp --dport 443 -j ACCEPT
-A server_in -p tcp -m tcp --dport 25 -j ACCEPT
-A server_out -j ACCEPT
COMMIT
# Completed on Sun Mar 27 06:29:25 2022

networkctl status lan0
● 3: lan0                                                                      
                     Link File: /lib/systemd/network/73-usb-net-by-mac.link
                  Network File: /etc/systemd/network/lan0.network
                          Type: ether
                         State: routable (configured)
                          Path: platform-xhci-hcd.0.auto-usb-0:1:1.0
                        Driver: r8152
                        Vendor: Realtek Semiconductor Corp.
                         Model: RTL8153 Gigabit Ethernet Adapter
                    HW Address: fe:a5:6f:75:61:29
                           MTU: 1500 (min: 68, max: 9194)
                         QDisc: pfifo_fast
  IPv6 Address Generation Mode: eui64
          Queue Length (Tx/Rx): 1/1
              Auto negotiation: yes
                         Speed: 1Gbps
                        Duplex: full
                          Port: mii
                       Address: 192.168.1.1
                                192.168.1.5
                                192.0.2.5
                                2001:0DB8:c101:b700::1
                                2001:0DB8:c101:b700:beef::5
                                fe80::fca5:6fff:fe75:6129
                Search Domains: lan
                                example.com

Mar 27 05:35:20 firewall systemd-networkd[6691]: lan0: Gained IPv6LL
Mar 27 05:44:47 firewall systemd-networkd[6750]: lan0: Gained IPv6LL
Mar 27 06:19:05 firewall systemd-networkd[7041]: lan0: Gained IPv6LL

networkctl status eth0
● 2: eth0                                                                      
                     Link File: /lib/systemd/network/99-default.link
                  Network File: /etc/systemd/network/eth0.network
                          Type: ether
                         State: routable (configured)
                          Path: platform-ff540000.ethernet
                    HW Address: fe:a5:6f:75:61:09
                           MTU: 1500 (min: 46, max: 3712)
                         QDisc: mq
  IPv6 Address Generation Mode: eui64
          Queue Length (Tx/Rx): 8/8
              Auto negotiation: yes
                         Speed: 1Gbps
                        Duplex: full
                          Port: tp
                       Address: 192.0.2.199 (DHCP4 via 202.90.244.1)
                                2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f
                                fe80::fca5:6fff:fe75:6109
                       Gateway: 202.90.244.1
                                fe80::2a2:ff:feb2:c2
                           DNS: 202.142.142.142
                                202.142.142.242
                                2001:0DB8:100:1::142
                                2001:0DB8:1:5::242
               DHCP4 Client ID: IAID:0xa3d03369/DUID
             DHCP6 Client IAID: 0xa3d03369
             DHCP6 Client DUID: DUID-EN/Vendor:0000ab111f00fd4412b87eae0000

Mar 27 05:44:47 firewall systemd-networkd[6691]: eth0: DHCPv6 lease lost
Mar 27 05:44:47 firewall systemd-networkd[6750]: eth0: Gained IPv6LL
Mar 27 05:44:50 firewall systemd-networkd[6750]: eth0: DHCPv4 address 192.0.2.199/23 via 202.90.244.1
Mar 27 05:44:51 firewall systemd-networkd[6750]: eth0: DHCPv6 address 2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f/128 timeout preferred 3000 valid 4000
Mar 27 06:00:17 firewall systemd-networkd[6750]: eth0: DHCPv6 address 2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f/128 timeout preferred 3000 valid 4000
Mar 27 06:15:52 firewall systemd-networkd[6750]: eth0: DHCPv6 address 2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f/128 timeout preferred 3000 valid 4000
Mar 27 06:19:04 firewall systemd-networkd[6750]: eth0: DHCPv6 lease lost
Mar 27 06:19:05 firewall systemd-networkd[7041]: eth0: Gained IPv6LL
Mar 27 06:19:07 firewall systemd-networkd[7041]: eth0: DHCPv6 address 2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f/128 timeout preferred 3000 valid 4000
Mar 27 06:19:08 firewall systemd-networkd[7041]: eth0: DHCPv4 address 192.0.2.199/23 via 202.90.244

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 1
