Ubuntu router returns ICMP administratively prohibited for all IPv6


I am using an Ubuntu 14.04 machine named ubu1404-150805-3 as a dual-stack (IPv4 and IPv6) router. I have a client machine named ubu1404-150805-2, also Ubuntu 14.04, whose only network access is through that Ubuntu router. This all works fine for IPv4. But whenever the client tries to send an IPv6 packet to anything other than the router, the router returns an ICMP packet of type 3, code 9 (administratively prohibited). The client can ping6 the router. What is wrong? How do I fix it?

There are no ip6tables rules on the Ubuntu router, and the only iptables rule does SNAT:

root@ubu1404-150805-3:~# iptables-save
# Generated by iptables-save v1.4.21 on Sun Sep 27 03:35:36 2015
*nat
:PREROUTING ACCEPT [33:3275]
:INPUT ACCEPT [4:744]
:OUTPUT ACCEPT [17:1207]
:POSTROUTING ACCEPT [1:60]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Sep 27 03:35:36 2015
root@ubu1404-150805-3:~# ip6tables-save
root@ubu1404-150805-3:~# 

The router has two NICs, one for the uplink and one for the downlink. It has no native IPv6 service from the uplink, so I installed miredo there as well. The router itself handles IPv6 without any problem:

root@ubu1404-150805-3:~# ping6 -c 1 2001:4860:4860::8844
PING 2001:4860:4860::8844(2001:4860:4860::8844) 56 data bytes
64 bytes from 2001:4860:4860::8844: icmp_seq=1 ttl=57 time=289 ms

--- 2001:4860:4860::8844 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 289.616/289.616/289.616/0.000 ms

For comparison, here is the client failing:

mspreitz@ubu1404-150805-2:~$ ping6 -c 1 2001:4860:4860::8844
PING 2001:4860:4860::8844(2001:4860:4860::8844) 56 data bytes
From fddf:2::1 icmp_seq=1 Destination unreachable: Administratively prohibited

--- 2001:4860:4860::8844 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

tcpdump -i eth1 on the router shows the ping request coming in and shows the "administratively prohibited" going back to the client.

tcpdump -i teredo on the router shows it forwarding the client's ping request! But no ping reply is seen.

root@ubu1404-150805-3:~# tcpdump -nne -i teredo
tcpdump: WARNING: teredo: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on teredo, link-type RAW (Raw IP), capture size 65535 bytes
03:57:39.349401 ip: fddf:2::b9ca:b0dc:8ae:4002 > 2001:4860:4860::8844: ICMP6, echo request, seq 1, length 64

Here is the ip addr information from the router:

root@ubu1404-150805-3:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:e0:d0:b2 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fee0:d0b2/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:f7:66:4a brd ff:ff:ff:ff:ff:ff
    inet 10.0.100.1/24 brd 10.0.100.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fddf:2::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fef7:664a/64 scope link 
       valid_lft forever preferred_lft forever
5: teredo: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet6 2001:0:53aa:64c:28fd:345a:d0ed:e570/32 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::ffff:ffff:ffff/64 scope link 
       valid_lft forever preferred_lft forever

The configuration on the client looks like this:

mspreitz@ubu1404-150805-2:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:72:df:14 brd ff:ff:ff:ff:ff:ff
    inet 10.0.100.2/24 brd 10.0.100.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fddf:2::b9ca:b0dc:8ae:4002/64 scope global temporary dynamic 
       valid_lft 85988sec preferred_lft 13988sec
    inet6 fddf:2::a00:27ff:fe72:df14/64 scope global dynamic 
       valid_lft 85988sec preferred_lft 13988sec
    inet6 fe80::a00:27ff:fe72:df14/64 scope link 
       valid_lft forever preferred_lft forever

The router is configured to forward unicast IPv4 and IPv6 packets:

root@ubu1404-150805-3:~# sysctl -a | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.teredo.forwarding = 1
net.ipv4.conf.teredo.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.teredo.forwarding = 1
net.ipv6.conf.teredo.mc_forwarding = 0

And the router has IPv6 privacy extensions turned off:

root@ubu1404-150805-3:~# sysctl -a | grep tempaddr
net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.use_tempaddr = 0
net.ipv6.conf.eth0.use_tempaddr = 0
net.ipv6.conf.eth1.use_tempaddr = 0
net.ipv6.conf.lo.use_tempaddr = 0
net.ipv6.conf.teredo.use_tempaddr = -1

I doubt it matters, but I am running radvd and rdnssd on the router. The client is configured with the static method in /etc/network/interfaces for both IPv4 and IPv6, with autoconf 1 in the v6 case (i.e. SLAAC enabled).

Here is the version information from the server:

root@ubu1404-150805-3:~# uname -a
Linux ubu1404-150805-3 3.13.0-61-generic #100-Ubuntu SMP Wed Jul 29 11:21:34 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

and the same on the client:

mspreitz@ubu1404-150805-2:~$ uname -a
Linux ubu1404-150805-2 3.13.0-61-generic #100-Ubuntu SMP Wed Jul 29 11:21:34 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

By the way, both machines are VirtualBox (version 4.3.30) VMs. I am using a VirtualBox internal network on the server's eth1 and the client's eth0. The server's eth0 is NATed to the host (a Mac running MacOS 10.10.5).

Answer 1

Teredo only provides IPv6 for the host itself, so you cannot use it to provide IPv6 on a LAN. If you want a routable subnet, you should use a tunnel service such as tunnelbroker.net or SixXS.

Also, Teredo is a very unreliable protocol.
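The answer's point, that the router's Teredo address is a single host address rather than a delegated prefix while the LAN runs on a ULA prefix, can be checked mechanically from ip addr output. The script below is an added example, not part of the original question or answer and not code from the miredo project: it parses ip addr output, classifies each IPv6 address, unpacks the server IPv4, client IPv4 and UDP port that RFC 4380 embeds in a Teredo address, and reports why a client behind such a router has no global IPv6 path. The sample ip addr text is constructed (modelled on the router output above, but with a constructed Teredo address 2001:0:c000:201:0:63bf:39cc:9bf8 built from documentation IPv4 ranges), and the function names are my own.

```python
import ipaddress
import re

TEREDO = ipaddress.IPv6Network("2001::/32")  # RFC 4380 Teredo service prefix
ULA = ipaddress.IPv6Network("fc00::/7")      # RFC 4193 unique local addresses

# Constructed sample, modelled on the router's `ip addr` output in the question.
# The Teredo address is constructed from RFC 5737 documentation IPv4 ranges.
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
    inet6 fe80::a00:27ff:fee0:d0b2/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 10.0.100.1/24 brd 10.0.100.255 scope global eth1
    inet6 fddf:2::1/64 scope global
    inet6 fe80::a00:27ff:fef7:664a/64 scope link
5: teredo: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet6 2001:0:c000:201:0:63bf:39cc:9bf8/32 scope global
    inet6 fe80::ffff:ffff:ffff/64 scope link
"""

IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")
INET6_RE = re.compile(r"^\s+inet6\s+(\S+)\s+scope\s+(\w+)")


def parse_ip_addr(text):
    """Return {iface: [(IPv6Interface, scope), ...]} parsed from `ip addr` output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = INET6_RE.match(line)
        if m and current is not None:
            result[current].append((ipaddress.IPv6Interface(m.group(1)), m.group(2)))
    return result


def classify(addr):
    """Coarse classification of an IPv6Address; Teredo is tested before 'global'."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr in TEREDO:
        return "teredo"
    if addr in ULA:
        return "ula"
    if addr.is_global:
        return "global"
    return "other"


def decode_teredo(addr):
    """Unpack the fields RFC 4380 section 4 embeds in a Teredo address.

    Bytes 4-7: Teredo server IPv4; bytes 8-9: flags (bit 15 = cone NAT);
    bytes 10-11: obfuscated (bit-inverted) client UDP port; bytes 12-15:
    obfuscated client public IPv4. The address identifies one host behind
    one NAT mapping, which is why it cannot be split into a LAN prefix.
    """
    if addr not in TEREDO:
        raise ValueError(f"{addr} is not a Teredo address")
    b = addr.packed
    return {
        "server": ipaddress.IPv4Address(b[4:8]),
        "cone": bool(int.from_bytes(b[8:10], "big") & 0x8000),
        "port": int.from_bytes(b[10:12], "big") ^ 0xFFFF,
        "client": ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16])),
    }


def diagnose(ip_addr_text, lan_iface, uplink_iface):
    """Explain whether LAN hosts behind this router can reach global IPv6."""
    ifaces = parse_ip_addr(ip_addr_text)
    report = {"lan_ula": False, "uplink_teredo": False, "routable_prefix": None, "findings": []}
    for a, _scope in ifaces.get(lan_iface, []):
        if classify(a.ip) == "ula":
            report["lan_ula"] = True
            report["findings"].append(
                f"{lan_iface}: {a} is a ULA prefix; it is not routable on the Internet")
    for a, _scope in ifaces.get(uplink_iface, []):
        kind = classify(a.ip)
        if kind == "teredo":
            t = decode_teredo(a.ip)
            report["uplink_teredo"] = True
            report["findings"].append(
                f"{uplink_iface}: {a.ip} is a Teredo host address (server {t['server']}, "
                f"client {t['client']}:{t['port']}); Teredo gives one address, not a delegated prefix")
        elif kind == "global" and a.network.prefixlen <= 64:
            report["routable_prefix"] = str(a.network)
            report["findings"].append(f"{uplink_iface}: {a.network} could be advertised to the LAN")
    return report


if __name__ == "__main__":
    for line in diagnose(SAMPLE_IP_ADDR, lan_iface="eth1", uplink_iface="teredo")["findings"]:
        print(line)
```

Run it against real output with `ip addr > out.txt` and `diagnose(open("out.txt").read(), "eth1", "teredo")`; a router that has a tunnel-broker /64 or /48 on its uplink will report a routable prefix instead of the Teredo finding, which is the condition the answer says is needed before radvd can usefully advertise anything to the LAN.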
