Does anyone have experience in combining these two?

I run a he.net tunnel that arrives in my LAN on a dedicated Raspberry Pi that acts as the end point of the tunnel. On the Pi I then run radvd across my LAN to assign other devices an IPv6 address.

I have a Debian buster box that I have assigned a static IPv6 address in the GUI config and from a terminal can ping -6 google.co.nz from the box just fine.

I can also run BinkD and poll out to an IPv6 address fine also.

The problem is getting incoming IPv6 connections to BinkD etc. to work.

I have UFW as the firewall, I have enabled IPv6 in the UFW config settings and added ports like 24554 which when I check the status I can see the port is enabled for both IPv4 and IPv6

To Action From
-- ------ ----
24554/tcp ALLOW Anywhere
24555/tcp ALLOW Anywhere
24554/tcp (v6) ALLOW Anywhere (v6)
24555/tcp (v6) ALLOW Anywhere (v6)

My router has port forwarding enabled from the WAN to the static IPv4 on the Debian box and certainly for IPv4 traffic all is good.

I'm stuck as to know why I can't seem to get ports open for my IPv6 address when I have UFW seemingly enabled.

Now the Pi that acts as the end point of the tunnel has a static IPv4 and IPv6 address perhaps I need to enable something in UFW for that address(ess)?

I'm also wondering if it's something to do with the tunnel stuff.

But it feels like I'm 90%+ sorted as I know the Debian box can happily poll outbound BinkD traffic without issue.

Any help appreciated.

Best, Paul

--- Mystic BBS v1.12 A47 2021/09/29 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)

Hi Paul.

11 Oct 21 19:53:50, you wrote to All:

Does anyone have experience in combining these two?

Well, yes. I have he.net tunnel terminated to a Ubuntu 18.04.6 LTS box.

To Action From
-- ------ ----
24554/tcp ALLOW Anywhere
24555/tcp ALLOW Anywhere
24554/tcp (v6) ALLOW Anywhere (v6)
24555/tcp (v6) ALLOW Anywhere (v6)

If you think the problem is in UFW, you can turn it off for a while. I think the problem is not there.

tommi@pin:~$ sudo ufw status|grep 24554
24554/tcp ALLOW Anywhere
24554/tcp (v6) ALLOW Anywhere (v6)

Works for me.

I think your problem is somehere in your router PI, you should open ports 24554-24555 there as well. But as I'm no linux expert, I dont think I can help much more.

I'm also wondering if it's something to do with the tunnel stuff.

Your tunnel is working ok as you can poll out by ipv6.

'Tommi

---
* Origin: rbb.fidonet.fi (2:221/360)

Hi Michiel.

11 Oct 21 12:37:52, you wrote to Paul Hayton:

I'm also wondering if it's something to do with the tunnel stuff.

Did you get my netmail about protocol 41?

His tunnel is working, he can make outbound connections. So the protocal 41 is open to the tunnel endpoint computer. (PI).

'Tommi

---
* Origin: rbb.fidonet.fi (2:221/360)

Hi Paul.

11 Oct 21 20:18, I wrote to you:

I'm also wondering if it's something to do with the tunnel stuff.

Your tunnel is working ok as you can poll out by ipv6.

Yes, I can ping... Something... :)

tommi@mxo:~$ ping -6 agency.bbs.nz
PING agency.bbs.nz(2001:470:d:123::200 (2001:470:d:123::200)) 56 data bytes
64 bytes from 2001:470:d:123::200 (2001:470:d:123::200): icmp_seq=1 ttl=43 time=417 ms
64 bytes from 2001:470:d:123::200 (2001:470:d:123::200): icmp_seq=2 ttl=43 time=336 ms
64 bytes from 2001:470:d:123::200 (2001:470:d:123::200): icmp_seq=3 ttl=43 time=336 ms
64 bytes from 2001:470:d:123::200 (2001:470:d:123::200): icmp_seq=4 ttl=43 time=336 ms
64 bytes from 2001:470:d:123::200 (2001:470:d:123::200): icmp_seq=5 ttl=43 time=336 ms
^C

'Tommi

--- GoldED+/LNX 1.1.5-b20210402
* Origin: nntps://news.fidonet.fi (2:221/1)

On 11 Oct 2021 at 09:00p, Tommi Koivula pondered and said...

Yes, I can ping... Something... :)

Thanks, yes I can see IPv6 pings reaching the system running the BinkD server so traffic is getting to the machine concerned... just not it seems to the port via IPv6

--- Mystic BBS v1.12 A47 2021/09/29 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)

Paul Hayton wrote to Tommi Koivula <=-

On 11 Oct 2021 at 08:43p, Tommi Koivula pondered and said...

His tunnel is working, he can make outbound connections. So the protocal 41 is open to the tunnel endpoint computer. (PI).

I can also ping the Debian box via the Pi endpoint tunnel using IPv6...
so I figure things must almost be working as I can reach the system
from the internet via IPv6 and the tunnel using ping

Question:
Is one native IPv6 and the other endpoint a 6-to-4 tunnel? This *may* be an issue. Using IPv4 as a test would help. I know natively on my access node
I can not ssh to it using it's tunneled IPs because the MTU doesn't match. If
I use a direct IP connection there's no issues at all... and again the MTU matches at 1500 not 1480 as a tunneled link would. Could this perhaps be
an issue? Just thinking out loud :)

... MultiMail, the new multi-platform, multi-format offline reader!
--- MultiMail/Linux v0.52
* Origin: SBBS - Carnage! 2001:470:8a1e::3 (1:142/103)

Hi Paul.

12 Oct 21 15:43:00, you wrote to me:

I think your problem is somehere in your router PI, you should open ports
24554-24555 there as well. But as I'm no linux expert, I dont think I
can help much more.

So look at the Raspberry Pi that acts as the end point of the tunnel?

At that PI you should open and/or forward ports. Which OS are you running there?

The main router connected to the internet does have 24554-24555 open already, and IPv4 traffic coming in via my ISP works OK

At the main router it is needed only to open protocol 41 from he.net to your PI so that the tunnel works. Anything else on the IPV4 side is irrelevant.

In my Ubuntu:

tommi@pin:~$ sudo ufw status|grep ipv6
Anywhere ALLOW 216.66.84.46/ipv6

But all this seems to be working at your setup...

'Tommi

---
* Origin: rbb.fidonet.fi (2:221/360)

On 12 Oct 2021 at 01:31p, Brian Rogers pondered and said...

Question:
Is one native IPv6 and the other endpoint a 6-to-4 tunnel? This *may* be an issue. Using IPv4 as a test would help. I know natively on my access

No native IPv6 here :( I'm only able to access IPv6 because I run the he.net tunnel on the Raspberry Pi. It in turn assigns other devices on my LAN their IPv6 addresses.

Before I moved to Linux for my HUB things worked fine on Windows for BinkD. So with the settings in the Edgerouter and the settings in the RPi end point for the IPv6 tunnel unchanged, my hunch is that it's something not right in the Debian 10 box I built that now runs the HUB and BBS

--- Mystic BBS v1.12 A47 2021/09/29 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)

On 12 Oct 2021 at 09:06p, Tommi Koivula pondered and said...

At that PI you should open and/or forward ports. Which OS are you running there?

It's an older Pi, not sure.

At the main router it is needed only to open protocol 41 from he.net to your PI so that the tunnel works. Anything else on the IPV4 side is irrelevant.

If I can ping to the box that's not enough to know things are OK right? OK will see what I can find.

--- Mystic BBS v1.12 A47 2021/09/29 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)

On 13 Oct 2021 at 09:34a, Paul Hayton pondered and said...

If I can ping to the box that's not enough to know things are OK right?
OK will see what I can find.

I think I figured it out (at last).

It turns out the Rpi endpoint of my he.net tunnel was missing some FORWARD rules in the ip6tables setting. When I finally dug into that and saw it was missing such a rule for the new static IPv6 I had set for my new Linux box things finally started working.

If you would like to test

agency.bbs.nz
ipv6.agency.bbs.nz

ports 24554-24556

I'm hoping all is well now.

--- Mystic BBS v1.12 A47 2021/09/29 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)

Hello Paul;

Paul Hayton wrote to Brian Rogers <=-

No native IPv6 here :( I'm only able to access IPv6 because I run the he.net tunnel on the Raspberry Pi. It in turn assigns other devices on
my LAN their IPv6 addresses.

Before I moved to Linux for my HUB things worked fine on Windows for BinkD. So with the settings in the Edgerouter and the settings in the
RPi end point for the IPv6 tunnel unchanged, my hunch is that it's something not right in the Debian 10 box I built that now runs the HUB
and BBS

Ok, so by process of elimination, what happens when you shut off ALL your firewalling? Don't forget you probably have one firewall on your router,
one on your RPi, and one on your Debian box. Insure they're ALL off... test your bink. Turn the one on your router back on, test bink. Eventually if it
is firewall related you'll find which one it is.

I write my own firewall so it's simple for me to maintain it. It almost looks like UFW is almost like manually writing iptables rules. If still no go then look at sysctrl.conf. If that's good then look at your routing. You should
be able to "traceroute6 bbs.n1uro.com". If you can do all that, then I'd look at your bink settings. If everything looks great, then try IPv4 only. This
will be a hair pulling experience but you'll get it.

... What is mind? No matter! What is matter? Never mind! - Homer S.
--- MultiMail/Linux v0.52
* Origin: SBBS - Carnage! 2001:470:8a1e::3 (1:142/103)

Hey Paul;

Paul Hayton wrote to All <=-

It turns out the Rpi endpoint of my he.net tunnel was missing some
FORWARD rules in the ip6tables setting. When I finally dug into that
and saw it was missing such a rule for the new static IPv6 I had set
for my new Linux box things finally started working.

If you would like to test

agency.bbs.nz
ipv6.agency.bbs.nz

ports 24554-24556

n1uro@n1uro:~$ telnet6 ipv6.agency.bbs.nz 24554
Trying 2001:470:d:123::200...
Connected to ipv6.agency.bbs.nz.
Escape character is '^]'.
ƒ–’.OPT CRAM-MD5-63a15ca50d2db19365e6ebdec75a76eeƒ–’SYS Agency + Risa HUBƒ–’ZYZ Paul Haytonƒ–’LOC Dunedin, New Zealandƒ–’)NDL 115200,TCP,CM,MO,IBN,BINKP,PING,IPv6ƒ–’%TIME Wed, 13 Oct 2021 17:14:26 +1300ƒ–’#VER binkd/1.1a-112/Linux binkp/1.1ƒ–’ƒ–’ 3:57/0@fidonet 3:770/1@fidonet 3:770/0@fidonet 3:772/1@fidonet 3:772/0@fidonet 21:1/100@fsxnet 21:1/3@fsxnet 21:1/2@fsxnet 21:1/1@fsxnet 21:1/0@fsxnet 39:970/0@amiganet 46:3/103@agoranet


Sorry doesn't work <G>

--- MultiMail/Linux v0.52
* Origin: SBBS - Carnage! 2001:470:8a1e::3 (1:142/103)

On 13 Oct 2021 at 12:14a, Brian Rogers pondered and said...

n1uro@n1uro:~$ telnet6 ipv6.agency.bbs.nz 24554
Trying 2001:470:d:123::200...
Connected to ipv6.agency.bbs.nz.
Escape character is '^]'.
ƒ–’.OPT CRAM-MD5-63a15ca50d2db19365e6ebdec75a76eeƒ–’SYS Agency + Risa HUBƒ–’ZYZ Paul Haytonƒ–’LOC Dunedin, New Zealandƒ–’)NDL 115200,TCP,CM,MO,IBN,BINKP,PING,IPv6ƒ–’%TIME Wed, 13 Oct 2021 17:14:26 +1300ƒ–’#VER binkd/1.1a-112/Linux binkp/1.1ƒ–’ƒ–’ 3:57/0@fidonet

Phew :)

--- Mystic BBS v1.12 A47 2021/09/29 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)

On 12 Oct 2021 at 10:32p, Brian Rogers pondered and said...

Ok, so by process of elimination, what happens when you shut off ALL your firewalling? Don't forget you probably have one firewall on your router,

Curious I ended up getting this message twice from you

--- Mystic BBS v1.12 A47 2021/09/29 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)

On 13.10.2021 6.43, Paul Hayton wrote:

I think I figured it out (at last).

It turns out the Rpi endpoint of my he.net tunnel was missing some FORWARD rules in the ip6tables setting. When I finally dug into that and saw it was missing such a rule for the new static IPv6 I had set for my new Linux box things finally started working.

If you would like to test

agency.bbs.nz
ipv6.agency.bbs.nz

ports 24554-24556

Starting Nmap 7.70 ( https://nmap.org ) at 2021-10-13 13:28 EEST
Nmap scan report for ipv6.agency.bbs.nz (2001:470:d:123::200)
Host is up (0.35s latency).

PORT STATE SERVICE
24554/tcp open binkp
24555/tcp open unknown
24556/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 5.95 seconds

+1 :)

'Tommi

--- Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.2.0
* Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/1.0)

Hello Paul;

Paul Hayton wrote to Brian Rogers <=-

Curious I ended up getting this message twice from you

I wonder if it's because I had a desktop crash while drafting responses and
a stale copy was in multimail?

Was it just this one?

--- MultiMail/Linux v0.52
* Origin: SBBS - Carnage! 2001:470:8a1e::3 (1:142/103)

On 13 Oct 2021 at 10:19a, Michiel van der Vlist pondered and said...

It is! Now remove the "ipv4." in "ipv4.agency.bbs.nz" in the nodelist
and you are back as a full member of the Fidonet IPv6 club. ;-)

Doing this now. Cheers. :)

--- Mystic BBS v1.12 A47 2021/09/29 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)

On 13 Oct 2021 at 12:59p, Brian Rogers pondered and said...

I wonder if it's because I had a desktop crash while drafting responses and a stale copy was in multimail?

Was it just this one?

Yep just one reply sent twice, but erm only seen this once ;-)

--- Mystic BBS v1.12 A47 2021/09/29 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)

Hello Paul;

Paul Hayton wrote to Brian Rogers <=-

Yep just one reply sent twice, but erm only seen this once ;-)

It had to have been the desktop crash then. I lost all my good taglines
too *sigh*

--- MultiMail/Linux v0.52
* Origin: SBBS - Carnage! 2001:470:8a1e::3 (1:142/103)

On 14 Oct 2021 at 07:28a, Brian Rogers pondered and said...

It had to have been the desktop crash then. I lost all my good taglines too *sigh*

Poop.. sorry to hear :(

--- Mystic BBS v1.12 A47 2021/09/29 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)

Hello Paul!

11 Oct 2021 19:53, Paul Hayton wrote to All:

I'm stuck as to know why I can't seem to get ports open for my IPv6 address when I have UFW seemingly enabled.

ip6tables -nvL
ip -6 route show
ip addr show
ifconfig

would be very helpfull info

if ufw fails, change to shorewall

But it feels like I'm 90%+ sorted as I know the Debian box can happily poll outbound BinkD traffic without issue.

ipv4 and ipv6 is 2 firewall rule set imho also in ufw

one use iptables, and another ip6tables

Any help appreciated.

gentoo ? :=)


Regards Benny

... too late to die young :)

--- Msged/LNX 6.1.2 (Linux/5.14.12-gentoo-dist (x86_64))
* Origin: gopher://fido.junc.eu/ (2:230/0)

Good ${greeting_time}, Benny!

15 Oct 2021 07:50:18, you wrote to Paul Hayton:

ifconfig

Don't use this command for any purpose. Never.


--
Alexey V. Vissarionov aka Gremlin from Kremlin
gremlin.ru!gremlin; +vii-cmiii-ccxxix-lxxix-xlii

... that's why I really dislike fools.
--- /bin/vi
* Origin: ::1 (2:5020/545)

On 15 Oct 2021 at 09:45a, Michiel van der Vlist pondered and said...

Doing this now. Cheers. :)

The change propagated to this friday's Z2 nodelist. :)

good stuff
--- Mystic BBS v1.12 A47 2021/09/29 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)

On 15 Oct 2021 at 07:50a, Benny Pedersen pondered and said...

Hello Paul!

Hi Benny.

Thanks for the ideas and tips. I have managed to solve my problem now.
A good nights sleep awaits.

--- Mystic BBS v1.12 A47 2021/09/29 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)

Hello Alexey!

15 Oct 2021 11:10, Alexey Vissarionov wrote to Benny Pedersen:

ifconfig

Don't use this command for any purpose. Never.

i like to know why ?


Regards Benny

... too late to die young :)

--- Msged/LNX 6.1.2 (Linux/5.14.12-gentoo-dist (x86_64))
* Origin: gopher://fido.junc.eu/ (2:230/0)

Hello Paul!

15 Oct 2021 21:44, Paul Hayton wrote to Benny Pedersen:

Thanks for the ideas and tips. I have managed to solve my problem now.
A good nights sleep awaits.

you did use eth0 for tunnel ? :=)

while it should be tun0 ?, as i remember my first he.net setup

no need for me to help others with shorewall then


Regards Benny

... too late to die young :)

--- Msged/LNX 6.1.2 (Linux/5.14.12-gentoo-dist (x86_64))
* Origin: gopher://fido.junc.eu/ (2:230/0)

Good ${greeting_time}, Benny!

15 Oct 2021 09:43:24, you wrote to me:

ifconfig

Don't use this command for any purpose. Never.

i like to know why ?

It uses deprecated API and may leave the kernel network stack in a really unpredictable state.

I guess you are using iptables instead of ipchains and ipfwadm. Or... ?


--
Alexey V. Vissarionov aka Gremlin from Kremlin
gremlin.ru!gremlin; +vii-cmiii-ccxxix-lxxix-xlii

... that's why I really dislike fools.
--- /bin/vi
* Origin: ::1 (2:5020/545)

Dear Alexey,

16 Oct 21 00:55, you wrote to Benny Pedersen:

ifconfig

Don't use this command for any purpose. Never.

i like to know why ?

It uses deprecated API and may leave the kernel network stack in a
really unpredictable state.

Using it for viewing (as Benny suggested) is probably safe?

I've seen some Linux distros however where `ifconfig` is even not available unless you install some legacy package. Thank God, BSD is still a Unix-like system.

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20170303-b20170303
* Origin: Ulthar (2:5005/49)

Hello Alexey!

16 Oct 2021 00:55, Alexey Vissarionov wrote to Benny Pedersen:

ifconfig

Don't use this command for any purpose. Never.

i like to know why ?

It uses deprecated API and may leave the kernel network stack in a
really unpredictable state.

what kernerl version do you refer to here ?

and what ifconfig ?

that is usefull info imho

I guess you are using iptables instead of ipchains and ipfwadm. Or...
?

or maybe vim ?

shorewall is my friend


Regards Benny

... too late to die young :)

--- Msged/LNX 6.1.2 (Linux/5.14.12-gentoo-dist (x86_64))
* Origin: gopher://fido.junc.eu/ (2:230/0)

Good ${greeting_time}, Benny!

16 Oct 2021 15:02:52, you wrote to me:

ifconfig

Don't use this command for any purpose. Never.

i like to know why ?

It uses deprecated API and may leave the kernel network stack
in a really unpredictable state.

what kernerl version do you refer to here ?

2.6+

and what ifconfig ?

Any.

that is usefull info imho

Not really, for over 10 years.

I guess you are using iptables instead of ipchains and ipfwadm.
Or... ?

or maybe vim ? shorewall is my friend

Very stupid.


--
Alexey V. Vissarionov aka Gremlin from Kremlin
gremlin.ru!gremlin; +vii-cmiii-ccxxix-lxxix-xlii

... that's why I really dislike fools.
--- /bin/vi
* Origin: ::1 (2:5020/545)

Hello Alexey!

17 Oct 2021 05:05, Alexey Vissarionov wrote to Benny Pedersen:

2.6+

time to upgrade ?

and what ifconfig ?

Any.

cve then ?

that is usefull info imho

Not really, for over 10 years.

nothing happended in 10 yaers of cve ?

I guess you are using iptables instead of ipchains and ipfwadm.
Or... ?

or maybe vim ? shorewall is my friend

Very stupid.

its my choice, learn to live with it


Regards Benny

... too late to die young :)

--- Msged/LNX 6.1.2 (Linux/5.14.12-gentoo-dist (x86_64))
* Origin: gopher://fido.junc.eu/ (2:230/0)