Ubuntu – DHCPv6 not working when UFW is enabled (Ubuntu 16.04 LTS)

dhcpv6isc-dhcpUbuntuufw

So, as the title says, I setup a isc-dhcp-server for DHCPv6, which is working as long as UFW is disabled.

Once enabled, though I have all the necessary rules in place, and UFW is enabled for v6, it stops working.

My rules are:

xxx@deadpool:/etc/ufw# grep '546\|547' *
after6.rules:-A ufw6-after-input -p udp --dport 546 -j ufw6-skip-to-policy-input
after6.rules:-A ufw6-after-input -p udp --dport 547 -j ufw6-skip-to-policy-input    
before6.rules:-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT

I found two related but fixed bugs on launchpad:
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/947416
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1007326

Any ideas?

Best Answer

I see an existing rule for a DHCP client:

# allow dhcp client to work
-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT

I think you need to reverse the source/destination ports for your *server:

# dhcp server
-A ufw6-before-input -p udp -s fe00::/7 --sport 546 -d fe00::/7 --dport 547 -j ACCEPT

Related Solutions

Ubuntu – OpenVPN client without redirect-gateway doing triangular routing and IP spoofing not working on Ubuntu

I have to admit that I do not (yet) fully understand what you are trying to achieve. But I think you want your Ubuntu (and Debian) server to be reachable by an IP you got through OpenVPN (incoming traffic) but send your own (= Ubuntu servers) traffic through the eth0 interface local to your (Ubuntu) server ("spoofing") the VPN-IP. Or along these lines. I am not sure if this is a very good idea (probably depends on why you do it) but I assume there is a reason for it and as you say it does work with Debian. So let's not elaborate on this (although it might still be important later on).

Further I wonder why the line

route-gateway a.b.28.129

included in your VPN configuration does not (seem to) lead to an entry in your routing table.

Also I am not sure what the goal/insight of the two traceroutes you show is... You seem to be trying to traceroute to 8.8.8.8 through the VPN tunnel. As this is outgoing traffic I do not really understand its relevance to your problem. And I would say (looking at your routing table) that the traffic you generate this way is not (should not be?) going through the tunnel. I see that it looks like this is the case on Debian though... But I don't see why this is the case. Looking at the routing table I would rather assume the traceroute packages you try to send out on tap0 are (should be?) "re-routed" to eth0 (default route).

Now this brings me to the guess I would take for your problem: IP forwarding. Could it be that your Debian box has it enabled while it is disabled on Ubuntu? You can find more information (how to find out if IP forwarding is enabled for example) by visiting the link above (or use your favorite search engine or the Ubuntu manual).

Your being able to reach the SSH daemon on Ubuntu suggests that you are very close :). So it might be crucial to know what you mean by

"The debian server VPN client IP is publically accessible, but on the Ubuntu server it's not!"

What are you trying to do (i.e. what service are you trying to connect to) when the Ubuntu machine "is not reachable"? Access its web server? What IP is this service listening on?

Ubuntu – SSH freeze when UFW is enabled

It seems that ufw has a problem with VPSs. Might be related to this: http://blog.bodhizazen.net/linux/how-to-use-ufw-in-openvz-templates/ I'll stick to using iptables.

Best Answer

Related Solutions

Ubuntu – OpenVPN client without redirect-gateway doing triangular routing and IP spoofing not working on Ubuntu

Ubuntu – SSH freeze when UFW is enabled

Related Topic