[ previous ] [ next ] [ threads ]
 From:  Justin The Cynical <cynical at penguinness dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Ipv6 tunnel, lsubnet being blocked by default rule?
 Date:  Sun, 13 Oct 2013 16:09:49 -0700
The setup:

M0n0 1.34, three 'physical' interfaces, em0, 1, and 2, and a tagged vlan.
IPv6 tunnel from Hurricane Electric
Multiple VM's on a pair of ESXi hosts (different switch ports),
statically assigned addresses and gateway

I will refer to them as:
em0 - LAN
em1 - tun
em2 - DMZ
Tagged - WAN (parent interface is DMZ)

The problem:  Traffic from the tagged VLAN can not make it outside.


Using ping6 -I $VLAN $TARGET from one of the machines, I can:
- Ping another VM's WAN address, both on the same host and the secondary
host, so tagging is being passed across the switch
- Ping the WAN gateway address assigned to the m0n0wall install
- Ping the IPv6 tunnel address on my side

However, I can not ping the tunnel address on the HE side.

I turned on logging for a rule on the WAN to verify that traffic was
coming from/to the right interface, and it did show that traffic was
arriving on the WAN interface and passing as expected.

I've tried adding a * rule to the interfaces, one at a time (traffic
from anywhere to anywhere = pass), for testing and it still won't go

Turning on 'Log packets blocked by the default rule', I see the packets
being blocked at the DMZ interface, not the WAN interface?

I'm at a loss with this one.  The rule set between the DMZ and the WAN
are the same, but traffic will not go out from the WAN when it does from
the DMZ.  Any ideas on where to look?