Ping fails if -I is not set (IPv6 Permission denied)

Ok, I had started configuring my router. And it's already having issues :stuck_out_tongue:

I'm using OpenWrt 21.02-SNAPSHOT r15986-cc51d97200 and had set only wan and wan6 so far, and installed ip-full and iputils-ping. ping -I pppoe-wan -c 4 208.67.222.222 works, but ping -c 2 208.67.222.222 fails:

# ping -I pppoe-wan -c 4 208.67.222.222
PING 208.67.222.222 (208.67.222.222): 56 data bytes
64 bytes from 208.67.222.222: seq=0 ttl=54 time=26.376 ms
64 bytes from 208.67.222.222: seq=1 ttl=54 time=26.633 ms
64 bytes from 208.67.222.222: seq=2 ttl=54 time=26.390 ms
64 bytes from 208.67.222.222: seq=3 ttl=54 time=26.357 ms

--- 208.67.222.222 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 26.357/26.439/26.633 ms

# ping -c 2 208.67.222.222
PING 208.67.222.222 (208.67.222.222): 56 data bytes

--- 208.67.222.222 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

traceroute also isn't working

traceroute 208.67.222.222

traceroute to 208.67.222.222 (208.67.222.222), 30 hops max, 46 byte packets
 1  *  *  *
 2  *  *  *
 3  *  *  *
 4  *  *  *

Oddly, it works for IPv6.

ping -c 4 ipv6.google.com
PING ipv6.google.com(2800:3f0:4001:813::200e (2800:3f0:4001:813::200e)) 56 data bytes
64 bytes from 2800:3f0:4001:813::200e (2800:3f0:4001:813::200e): icmp_seq=1 ttl=116 time=21.5 ms
64 bytes from 2800:3f0:4001:813::200e (2800:3f0:4001:813::200e): icmp_seq=2 ttl=116 time=21.5 ms
64 bytes from 2800:3f0:4001:813::200e (2800:3f0:4001:813::200e): icmp_seq=3 ttl=116 time=21.4 ms
64 bytes from 2800:3f0:4001:813::200e (2800:3f0:4001:813::200e): icmp_seq=4 ttl=116 time=21.7 ms

--- ipv6.google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 21.417/21.525/21.666/0.090 ms

Configs are pretty basic, am I missing anything?

# cat /etc/config/network

# /etc/config/network as posted: loopback, an extra 'self' address on lo,
# the LAN bridge, a PPPoE uplink with a DHCPv6 client stacked on it, and a
# static address on the same port as the PPPoE session.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdfa::/48'

# Extra address on lo (the poster says below that it came from the mwan3 doc).
# The gateway option here is the cause of the IPv4 failure: it shows up in
# the `ip route show` output as `default via 192.168.1.1 dev lo` with no
# metric, ahead of the pppoe-wan default at metric 10, so traffic that is
# not bound to pppoe-wan with -I never leaves the router.
# The thread resolves the IPv4 problem by removing this section.
config interface 'self'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.255'
        option gateway '192.168.1.1'

# LAN bridge; same 192.168.1.1 address as 'self' above, here as a /24.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ip6ifaceid '::1'

# PPPoE uplink on eth3; its default route is the metric 10 entry in
# `ip route show`.
# NOTE(review): the PPPoE username/password are posted in clear here.
# They look like ISP-wide generic values, but redact credentials before
# sharing a config regardless.
# NOTE(review): ipv6 'auto' presumably makes netifd create a dynamic
# DHCPv6 interface (wan_6) on its own, in addition to the explicit wan6
# section below; the poster reports exactly that duplication later on.
config interface 'wan'
        option ifname 'eth3'
        option proto 'pppoe'
        option username 'cliente@cliente'
        option password 'cliente'
        option ipv6 'auto'
        option delegate '0'
        option metric '10'

# Explicit DHCPv6 client bound to the wan interface ('@wan' alias).
config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option peerdns '0'
        option metric '20'
        option reqprefix '56'

# Static IPv4 address on eth3, the same physical port that carries the
# PPPoE session. Presumably used to reach the modem's own management
# address; confirm against the modem's subnet.
config interface 'modem_telefk'
        option proto 'static'
        option ifname 'eth3'
        option ipaddr '192.168.35.22'
        option netmask '255.255.255.0'
# cat /etc/config/firewall
# Global policy, the two zones (lan, wan) and the single lan -> wan forwarding.
# NOTE(review): the input ACCEPT default below is the policy for traffic
# arriving on any interface that is not a member of a zone. Confirm that
# every uplink, including any second ISP port added later, is listed in the
# wan zone; otherwise services on the router are reachable from it.
config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

# Trusted side: everything to, from and through the LAN is accepted.
config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

# Untrusted side: input and forward are REJECT, so only the explicit
# ACCEPT rules further down open anything from these networks.
# masq enables IPv4 masquerading on egress; mtu_fix clamps TCP MSS.
# 'wan_6' is not defined in /etc/config/network; it is presumably the
# dynamically created DHCPv6 interface of 'wan' (TODO confirm).
# 'modem_telefk' is kept in this zone, so the modem-side subnet is treated
# as untrusted like the uplink itself.
config zone
        option name             wan
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq                     1
        option mtu_fix          1
        list   network          'wan'
        list   network          'wan6'
        list   network          'wan_6'
        list   network          'modem_telefk'

# LAN hosts may initiate connections to the wan zone; no reverse
# forwarding section is defined.
config forwarding
        option src              lan
        option dest             wan

# Input exceptions for the wan zone. Each rule below names src wan and no
# dest, so it applies to traffic addressed to the router itself and carves
# a hole in the zone's input REJECT policy.

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
# Only echo-request is accepted, and only over IPv4.
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
# NOTE(review): fc00::/6 is wider than link-local fe80::/10; compare the
# source/destination match with the default rule shipped by the release in
# use before relying on it.
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option src_ip           fc00::/6
        option dest_ip          fc00::/6
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

# Multicast Listener Discovery messages, accepted from link-local sources only.
config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
# Error reporting, path MTU discovery and neighbour/router discovery types,
# rate-limited by the limit option below.
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Forward exceptions for the wan zone (rules that name a dest), the
# disabled traceroute helper, and the custom-rules include.

# Allow essential forwarded IPv6 ICMP traffic
# Same ICMPv6 error and echo types as the input rule, without the
# neighbour/router discovery types; dest * matches any destination zone.
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Inbound ESP from the wan zone to every LAN host; no family restriction
# is set on this rule.
# NOTE(review): if no LAN host terminates IPsec, disabling this rule and
# Allow-ISAKMP below keeps the inbound surface smaller.
config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

# Inbound IKE (udp/500) from the wan zone to every LAN host.
config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

# allow interoperability with traceroute classic
# note that traceroute uses a fixed port range, and depends on getting
# back ICMP Unreachables.  if we're operating in DROP mode, it won't
# work so we explicitly REJECT packets on these ports.
# enabled false below: the rule is present but inactive in this config.
config rule
        option name             Support-UDP-Traceroute
        option src              wan
        option dest_port        33434:33689
        option proto            udp
        option family           ipv4
        option target           REJECT
        option enabled          false

# include a file with users custom iptables rules
# The contents of /etc/firewall.user are not shown in the post; review it
# together with this file, since anything it adds is outside these rules.
config include
        option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

Some more info in case it's needed

ip a show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 192.168.1.1/32 brd 255.255.255.255 scope global lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether a0:36:9f:aa:4b:68 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether a0:36:9f:aa:4b:69 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether a0:36:9f:aa:4b:6a brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:aa:4b:6b brd ff:ff:ff:ff:ff:ff
    inet 192.168.35.22/24 brd 192.168.35.255 scope global eth3
       valid_lft forever preferred_lft forever
    inet6 fe80::a236:------------/64 scope link 
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether a0:36:9f:aa:4b:68 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 2804:-----------::1/64 scope global dynamic noprefixroute 
       valid_lft 42643sec preferred_lft 42643sec
    inet6 fdfa::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::a236:9fff:feaa:4b68/64 scope link 
       valid_lft forever preferred_lft forever
7: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp 
    inet x.x.x.x peer x.x.x.x/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
    inet6 2804:--------------------/64 scope global dynamic noprefixroute 
       valid_lft 259171sec preferred_lft 172771sec
    inet6 fe80::f8bf:-----------------/128 scope link 
       valid_lft forever preferred_lft forever
# ip route show
default via 192.168.1.1 dev lo proto static
default via 179.x.x.21 dev pppoe-wan proto static metric 10
179.x.x.21 dev pppoe-wan proto kernel scope link src 179.y.y.50
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.35.0/24 dev eth3 proto kernel scope link src 192.168.35.22
nslookup google.com
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      google.com
Address 1: 172.217.162.142
Address 2: 2800:3f0:4001:81b::200e
traceroute -i pppoe-wan 208.67.222.222
traceroute to 208.67.222.222 (208.67.222.222), 30 hops max, 46 byte packets
 1  *  *  *
 2  ----------.net.br (----------)  2.463 ms  ---------.net.br (187.115.223.47)  2.252 ms  --------.com.br (152.255.176.107)  2.002 ms
 3  --------------.com.br (--------------)  19.704 ms  19.582 ms  19.703 ms

Check this:

# Probe each target twice: once letting ping pick the address family, once
# forced to IPv4 (-4). -q prints only the summary, -w 3 stops after 3 seconds.
for HOST in example.org 8.8.8.8 208.67.222.222
do
    ping -q -w 3 "${HOST}"
    ping -4 -q -w 3 "${HOST}"
done
# for HOST in openwrt.org 8.8.8.8 208.67.222.222; \
> do ping -q -w 3 ${HOST}; ping -4 -q -w 3 ${HOST}; done
PING openwrt.org(wiki-01.infra.openwrt.org (2a03:b0c0:3:d0::1af1:1)) 56 data bytes

--- openwrt.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 220.857/221.088/221.533/0.314 ms
PING openwrt.org (139.59.209.225) 56(84) bytes of data.

--- openwrt.org ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2036ms

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2043ms

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2050ms

PING 208.67.222.222 (208.67.222.222) 56(84) bytes of data.

--- 208.67.222.222 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2025ms

PING 208.67.222.222 (208.67.222.222) 56(84) bytes of data.

--- 208.67.222.222 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2032ms

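Remove the "self" interface. If you were to set up something like that, definitely don't use a gateway option: it is redundant to reach 192.168.1.1 through a gateway of 192.168.1.1. It is also what breaks plain ping here: it installs the "default via 192.168.1.1 dev lo" route shown in your ip route output, which has no metric and so wins over the pppoe-wan default at metric 10.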

Gateway is a system-wide option which needs to point at the ISP's upstream router. pppoe should install it automatically, under direction from the ISP. (if that process doesn't work with your ISP, configure gateway in the wan section)

You can see the IPv4 routes by running route with no parameters. The default route should go to pppoe-wan. Default routing is used for any IP that the router does not otherwise have in the routing table-- which is usually a place on the Internet.


I created it following mwan3 doc. I didn't install it itself, but was preparing the interfaces. Isn't it needed then?


oh my mistake!

I removed it and now ping and traceroute work :smiley:


Maybe you should mention in that article that it is not only not necessary anymore but even wrong to do that.

Not necessary basically means can be done or not. But this must not be done any longer, if I understand this thread correctly.


Are you using OpenWrt 20 (snapshots) instead of OpenWrt 19 (stable) for some reason?


This is really odd. I removed self before and ping without -I worked. Now I ran more tests, and it's IPv6 under ISP1 that's failing now, with permission denied!

# ping -I pppoe-want -c 4 ipv4.google.com
PING ipv4.l.google.com (142.250.218.174) from 177.x.x.172 pppoe-want: 56(84) bytes of data.
64 bytes from gru06s62-in-f14.1e100.net (142.250.218.174): icmp_seq=1 ttl=118 time=20.1 ms
64 bytes from gru06s62-in-f14.1e100.net (142.250.218.174): icmp_seq=2 ttl=118 time=21.3 ms
64 bytes from gru06s62-in-f14.1e100.net (142.250.218.174): icmp_seq=3 ttl=118 time=20.7 ms
64 bytes from gru06s62-in-f14.1e100.net (142.250.218.174): icmp_seq=4 ttl=118 time=21.4 ms

--- ipv4.l.google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 20.094/20.856/21.369/0.516 ms


 # ping -I pppoe-want -c 4 ipv6.google.com
ping: connect: Permission denied



 # traceroute -m 5 -i pppoe-want ipv4.google.com
traceroute to ipv4.google.com (172.217.173.78), 5 hops max, 46 byte packets
 1  *  *  *
 2  -----------------.net.br (-------------)  1.801 ms  -----------------.net.br (187.115.223.47)  1.859 ms  --------------------.net.br (----------------)  1.992 ms
 3  ------------------.com.br (--------------)  22.873 ms  23.670 ms  23.640 ms
 4  ------------------.com.br (--------------)  19.436 ms  19.382 ms  19.425 ms
 5  *  *  *
 
 
 # traceroute -m 5 -i pppoe-want ipv6.google.com
traceroute: can't connect to remote host: Permission denied



 # ip route show
default via 179.184.x.21 dev pppoe-want proto static metric 10
default via 191.176.y.1 dev eth2 proto static src 191.176.y.236 metric 30
179.184.x.21 dev pppoe-want proto kernel scope link src 177.133.x.172
191.176.y.0/21 dev eth2 proto static scope link metric 30
192.168.20.0/24 dev eth2 proto kernel scope link src 192.168.20.9
192.168.35.0/24 dev eth3 proto kernel scope link src 192.168.35.22
192.168.49.0/24 dev br-lan proto kernel scope link src 192.168.49.1

Regarding updating the wiki, I'm not able to log in. I remember reading that account creation must be requested from someone.

19.07 doesn't have NVMe driver :confused: And 21.02 doesn't support Realtek 2,5Gbps chip...

# ip -6 ro ls tab all
default from 2804:14c:xxxx:1000:9440:6482:aa0c:2897 via fe80::201:5cff:fe66:7646 dev eth2 proto static metric 512 pref medium
default from 2804:14c:xxxx:585b::/64 via fe80::201:5cff:fe66:7646 dev eth2 proto static metric 512 pref medium
default from 2804:yyyy:181:940c::/64 via fe80::6b0:e7ff:fec9:4557 dev pppoe-want proto static metric 512 pref medium
default from 2804:yyyy:207:c7dc::/64 via fe80::6b0:e7ff:fec9:4557 dev pppoe-want proto static metric 512 pref medium
2804:14c:xxxx:585b::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2804:14c:xxxx:585b::/64 dev lo proto static metric 2147483647 pref medium
2804:yyyy:181:940c::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2804:yyyy:181:940c::/64 dev lo proto static metric 2147483647 pref medium
unreachable 2804:yyyy:207:c7dc::/64 dev lo proto static metric 2147483647 pref medium
fdfa::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdfa::/48 dev lo proto static metric 2147483647 pref medium
fe80::6b0:e7ff:fec9:4557 dev pppoe-want metric 1 pref medium
fe80::a521:82e6:7322:dc23 dev pppoe-want proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth2 proto kernel metric 256 pref medium
fe80::/64 dev eth3 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2804:14c:xxxx:1000:9440:6482:aa0c:2897 dev eth2 table local proto kernel metric 0 pref medium
anycast 2804:14c:xxxx:585b:: dev br-lan table local proto kernel metric 0 pref medium
local 2804:14c:xxxx:585b::1 dev br-lan table local proto kernel metric 0 pref medium
anycast 2804:yyyy:181:940c:: dev br-lan table local proto kernel metric 0 pref medium
local 2804:yyyy:181:940c::1 dev br-lan table local proto kernel metric 0 pref medium
anycast 2804:yyyy:207:c7dc:: dev pppoe-want table local proto kernel metric 0 pref medium
local 2804:yyyy:207:c7dc:a521:82e6:7322:dc23 dev pppoe-want table local proto kernel metric 0 pref medium
anycast fdfa:: dev br-lan table local proto kernel metric 0 pref medium
local fdfa::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth2 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth3 table local proto kernel metric 0 pref medium
local fe80::a236:9fff:feaa:4b68 dev br-lan table local proto kernel metric 0 pref medium
local fe80::a236:9fff:feaa:4b6a dev eth2 table local proto kernel metric 0 pref medium
local fe80::a236:9fff:feaa:4b6b dev eth3 table local proto kernel metric 0 pref medium
local fe80::a521:82e6:7322:dc23 dev pppoe-want table local proto kernel metric 0 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth2 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth3 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev pppoe-want table local proto kernel metric 256 pref medium

There are some unreachable records, might that be related?

Some more odd info:

# ip -6 ru
0:      from all lookup local
32766:  from all lookup main
4200000000:     from 2804:14c:xxxx:585b::1/64 iif br-lan unreachable
4200000000:     from 2804:yyyy:181:940c::1/64 iif br-lan unreachable
4200000001:     from all iif lo failed_policy
4200000004:     from all iif eth2 failed_policy
4200000004:     from all iif eth2 failed_policy
4200000004:     from all iif eth2 failed_policy
4200000005:     from all iif eth3 failed_policy
4200000006:     from all iif br-lan failed_policy
4200000007:     from all iif pppoe-want failed_policy
4200000007:     from all iif pppoe-want failed_policy

I kept reading and found out I had option ipv6 '1' on the want interface, and also a want6 interface set. That leads to having both want6 and want_6 interfaces. I thought that was expected, but it seems it's not. Anyway, it's still resulting in the Permission denied error.

Update. ip -6 route add default dev pppoe-want made it work!!

# ping -I pppoe-want -c 4 2800:3f0:4001:819::200e
ping: connect: Permission denied
# ip -6 route add default dev pppoe-want
# ping -I pppoe-want -c 4 2800:3f0:4001:819::200e
PING 2800:3f0:4001:819::200e(2800:3f0:4001:819::200e) from 2804:1b2:202:2115:cd6c:6e50:7b12:de81 pppoe-want: 56 data bytes
64 bytes from 2800:3f0:4001:819::200e: icmp_seq=1 ttl=116 time=25.5 ms
64 bytes from 2800:3f0:4001:819::200e: icmp_seq=2 ttl=116 time=25.5 ms
64 bytes from 2800:3f0:4001:819::200e: icmp_seq=3 ttl=116 time=25.8 ms
64 bytes from 2800:3f0:4001:819::200e: icmp_seq=4 ttl=116 time=26.1 ms

--- 2800:3f0:4001:819::200e ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 25.468/25.735/26.117/0.264 ms

Now, how do I make it permanent? When I reboot, it stops working again.

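The simplest method is to disable source-based IPv6 routing (the sourcefilter option), so that the IPv6 default route is installed without the "from <prefix>" restriction seen in your ip -6 route output: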
https://openwrt.org/docs/guide-user/network/ipv6/start?s=sourcefilter#protocol_dhcpv6


I had seen it, but can't find a way to place that command into a config :-x

I also tried to run the command on startup, but IDK why it didn't work.

I'm considering writing an if-script and using it with mwan3: when mwan3 checks whether ISP1 IPv6 is up, it runs the script, which does the check; if ping fails, it runs the command and returns failure, then mwan3 tries again and it works.

# Turn off source-based IPv6 routing on the 'want' interface, save the
# change, and restart networking so it is applied.
# NOTE(review): the linked wiki section documents sourcefilter under
# protocol dhcpv6; if a separate want6 (dhcpv6) section exists, confirm
# which section the option has to be set on.
# NOTE(review): without the "from <prefix>" restriction, the default route
# no longer ties outgoing traffic to the prefix delegated on this uplink.
# On a router with two ISPs, packets sourced from the other ISP's prefix can
# then leave here, and upstream ingress filtering may drop them. Check this
# before combining the setting with mwan3.
uci set network.want.sourcefilter="0"
# Write the staged change to /etc/config/network.
uci commit network
# Re-apply the network configuration with the new option.
/etc/init.d/network restart

It works, but only after network is restarted, and stops working when it restarts again. :confused:

ip -6 route add default dev pppoe-want doesn't require restart.
