[Wien] ipv6 with olsrd2?

Erich N. Pekarek (spam-protected)
Di Aug 15 16:02:28 CEST 2017 

Am 2017-08-15 um 14:12 schrieb Markus Kittenberger:
> my 2 cents are that bridges without WDS already cause ipv4 problems 
> and not only issues with ipv6, so they should never have been used.
>
> Unfortunately i fear there are still quite a few of them in our network.

Definitely all firmware builds of Backfire-Vienna use isolated wlan 
interfaces with olsr routing only, but there may be some devices out 
there that use bridge mode nevertheless, while still maintaining the 
described setup. IPv4 will work well on those, while IPv6 will not (as 
described previously).

But these firmwares carry a much more relevant design flaw: active 
external-to-external NAT for IPv4 because of the missing exclusion of 
RCF1918 and APIPA ranges. So if 'Masquerading' is active for the zone 
0xFF and that zone contains several interfaces with public IP addresses, 
that problem will occur - incoming traffic with a destination behind the 
other IP will not be forwarded correctly.

Screenshots - Problem:



Screenshots - Should-be:


>
> lg Markus
>
> On Tue, Aug 15, 2017 at 12:07 PM, Erich N. Pekarek <(spam-protected) 
> <mailto:(spam-protected)>> wrote:
>
>     Hi!
>     Am 2017-08-15 um 11:43 schrieb Matthias Šubik:
>
>         let me have a guess ...
>
>     Let me guess a bit further...
>
>             On 11 Aug 2017, at 15:37, Gui Iribarren
>             <(spam-protected) <mailto:(spam-protected)>> wrote:
>
>             On 11/08/17 13:43, Christian Pock wrote:
>
>         ...
>
>
>                 For some reason, not all routers running olsr2 are
>                 reachable via IPv6. As far as we found out, this is
>                 related to the  setting "WDS bridge" on
>                 Ubiquiti-Antennas running AirOS 6 or earlier (with
>                 must be enabled). So in case there's a node listed in
>                 the "olsr2 cloud", a missing WDS-bridge-enabled
>                 setting could cause that the node is not available
>                 (highlighted blue in the listing and map).
>
>             yeah, "WDS" must always be enabled on all bridges (in some
>             AirOs
>             versions is called "Transparent bridge mode") or funny
>             things happen in
>             IPv6 world
>
>         I don’t know AirOS, but I guess if disabled, it filters
>         ethernet multicast, this kills neighbour discovery, which is
>         essential for normal IPv6 operation.
>         If you debug IPv6, please take into account the subtile
>         differences between IPv4 and IPv6 on layer two.
>
>     Multicast is not the only problem. Since AirOS is used in bridged
>     mode, you'd then have 'foreign' MAC addresses leaving the Wireless
>     Interface.
>     This is, what WDS is usually for: it resembles 4-address mode,
>     that rewrites packets.
>
>     The effect of using a non-WDS-bridge would be, that ip neigh show
>     would list the neighbours correctly, but all of them will be STALE
>     in the first place.
>     If you try to ping them, you will fail, which will be represented
>     by a FAILED link in die neighbour table.
>     The funny thing is, that you could still ping6 the link local
>     address from a direct 1 hop neighbour.
>
>     So you may be lead to believe it's a mere multicast problem. But
>     debugging that, you will see, that proxying the multicast won't help.
>     The problem resides in NDP failing to resolve devices behind the
>     bridge, since it will only discover the wrong originator MAC -
>     that is the one of the AP on non-WDS-enabled devices.
>
>
>         TL;DR: ARP reachability is not v6 reachability.
>
>     Full Ack.
>
>
>         just a little reminder,
>         Matthias
>
>
>         --
>         Wien mailing list
>         (spam-protected) <mailto:(spam-protected)>
>         https://lists.funkfeuer.at/mailman/listinfo/wien
>         <https://lists.funkfeuer.at/mailman/listinfo/wien>
>         Best regards
>
>     Erich
>
>
>     --
>     Wien mailing list
>     (spam-protected) <mailto:(spam-protected)>
>     https://lists.funkfeuer.at/mailman/listinfo/wien
>     <https://lists.funkfeuer.at/mailman/listinfo/wien>
>
>
br
erich
-------------- nächster Teil --------------
Ein Dateianhang mit HTML-Daten wurde abgetrennt...
URL: <http://lists.funkfeuer.at/pipermail/wien/attachments/20170815/0347e092/attachment.htm>
-------------- nächster Teil --------------
Ein Dateianhang mit Binärdaten wurde abgetrennt...
Dateiname   : ceppnoeidccnnmog.png
Dateityp    : image/png
Dateigröße  : 20616 bytes
Beschreibung: nicht verfügbar
URL         : <http://lists.funkfeuer.at/pipermail/wien/attachments/20170815/0347e092/attachment.png>
-------------- nächster Teil --------------
Ein Dateianhang mit Binärdaten wurde abgetrennt...
Dateiname   : pimgegjkbjpnjhgb.png
Dateityp    : image/png
Dateigröße  : 22344 bytes
Beschreibung: nicht verfügbar
URL         : <http://lists.funkfeuer.at/pipermail/wien/attachments/20170815/0347e092/attachment-0001.png>

Mehr Informationen über die Mailingliste Wien