Comments
flushed:
sudo ip addr flush dev vx84
Changed the 172.16.41.x to 172.16.40.x on all except the --to parameter in the dual-stack's last command and still the same result on traceroute. Changed the 172.16.40.x to 172.15.40.x and still the same result on traceroute. Below is the last attempt. The first command on both servers said "RTNETLINK answers: File exists".
vs-free:
sudo ip link add vx84 type vxlan id 0 remote <dual's ipv6 here> local <vs4-free ipv6 here> dstport 4789
sudo ip link set vx84 mtu 1420
sudo ip link set vx84 up
sudo ip addr add 172.15.40.232/24 dev vx84
sudo ip route add 0.0.0.0/0 via 172.15.40.231
dual-stack:
sudo ip link add vx84 type vxlan id 0 remote <vs4-free ipv6 address> local <dual-stack's ipv6 address> dstport 4789
sudo ip link set vx84 mtu 1420
sudo ip link set vx84 up
sudo ip addr add 172.15.40.231/24 dev vx84
sudo iptables-legacy -t nat -A POSTROUTING -s 172.15.40.230/24 ! -d 172.15.40.230/24 -j SNAT --to 172.16.41.212
$ traceroute -n -q1 lgger.nexusbytes.com
traceroute to lgger.nexusbytes.com (46.4.199.225), 30 hops max, 60 byte packets
 1  172.15.40.232  3077.948 ms !H
Delete the virtual interface before trying to readd it.
If you didn't setup systemd service, you can also reboot both servers to clear out virtual interfaces.
172.15.40.0/24 is a publicly routable subnet, not for private use!
You may use 172.16.40.0/24 subnet.
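As an added example (editor's, not part of yoursunny's tutorial or of any post in this thread), here is a small POSIX shell script that prints the setup commands for both ends of the tunnel and refuses an inner prefix outside RFC 1918, which is exactly the mistake above with 172.15.40.0/24. The IPv6 and IPv4 addresses in it are documentation placeholders; the ip6tables rule restricting UDP/4789 to the peer and the ip_forward sysctl are additions the thread does not show; the MTU arithmetic assumes an outer IPv6 path MTU of 1500.

```shell
#!/bin/sh
# Added example (not from the thread or yoursunny's tutorial): print the
# commands for both ends of a point-to-point VXLAN-over-IPv6 tunnel with an
# IPv4 SNAT gateway, after checking that the inner prefix is private. It only
# prints; run the output as root on the matching host. Addresses are
# placeholders; the ip6tables rule and the ip_forward sysctl are additions
# the thread does not show.
set -eu

# 0 if $1 (dotted quad) is in 10/8, 172.16/12 or 192.168/16, else 1.
# 172.15.40.0/24, used by mistake in the thread, is NOT private: the
# 172.16/12 block starts at 172.16.0.0.
is_rfc1918() {
  a=${1%%.*}; r=${1#*.}; b=${r%%.*}
  case "$a.$b" in
    10.*)    return 0 ;;
    192.168) return 0 ;;
    172.*)   [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0 ;;
  esac
  return 1
}

ip2int() { set -- $(printf '%s' "$1" | tr . ' '); echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }
int2ip() { echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"; }

# Network in CIDR form that contains address $1 with prefix length $2.
network_of() {
  n=$(ip2int "$1")
  mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
  echo "$(int2ip $(( n & mask )))/$2"
}

# Inner-interface MTU for an outer IPv6 path MTU of $1: inner Ethernet
# header (14) + VXLAN (8) + UDP (8) + IPv6 (40) = 70 bytes of overhead.
# 1500 gives 1430; the thread's 1420 leaves a little extra room.
vxlan_inner_mtu() { echo $(( $1 - 70 )); }

# Print the commands for one endpoint.
#   $1 ifname  $2 VNI  $3 local outer IPv6  $4 peer outer IPv6
#   $5 own inner IPv4/prefixlen
#   $6 inner gateway IPv4 (client side) or "-" on the gateway
#   $7 public IPv4 to SNAT to (gateway side) or "-" on the client
emit_endpoint() {
  ifname=$1 vni=$2 loc=$3 peer=$4 inner=$5 gw=$6 snat=$7
  addr=${inner%/*}; plen=${inner#*/}
  if ! is_rfc1918 "$addr"; then
    echo "refusing $inner: not an RFC 1918 prefix, it is someone's public address space" >&2
    return 1
  fi
  # Remove a stale device first: re-adding gives "RTNETLINK answers: File exists".
  echo "ip link del $ifname 2>/dev/null || true"
  echo "ip link add $ifname type vxlan id $vni remote $peer local $loc dstport 4789"
  echo "ip link set $ifname mtu $(vxlan_inner_mtu 1500)"
  echo "ip link set $ifname up"
  echo "ip addr add $inner dev $ifname"
  # VXLAN has no authentication: anything that can reach UDP/4789 can inject
  # frames into the tunnel, so accept that port only from the peer.
  echo "ip6tables -A INPUT -p udp --dport 4789 ! -s $peer -j DROP"
  if [ "$gw" != - ]; then
    echo "ip route add 0.0.0.0/0 via $gw"
  fi
  if [ "$snat" != - ]; then
    net=$(network_of "$addr" "$plen")
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A POSTROUTING -s $net ! -d $net -j SNAT --to-source $snat"
  fi
}

# VXLAN_DEMO=1 sh thisfile.sh   prints both sides with placeholder addresses.
if [ "${VXLAN_DEMO:-0}" = 1 ]; then
  echo "# --- IPv6-only host ---"
  emit_endpoint vx84 0 2001:db8::2 2001:db8::1 172.16.40.2/24 172.16.40.1 -
  echo "# --- dual-stack gateway ---"
  emit_endpoint vx84 0 2001:db8::1 2001:db8::2 172.16.40.1/24 - 192.0.2.10
fi
```

The printed SNAT rule uses --to-source, the long form of the --to abbreviation used in the thread. The ip link del line is what fixes the "File exists" error seen above when an earlier attempt left the device behind.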
Still not working
vs-free&dualstack:
sudo ip link del vx84
vs-free:
sudo ip link add vx84 type vxlan id 0 remote <dual's ipv6 here> local <vs4-free ipv6 here> dstport 4789
sudo ip link set vx84 mtu 1420
sudo ip link set vx84 up
sudo ip addr add 172.16.40.2/24 dev vx84
sudo ip route add 0.0.0.0/0 via 172.16.40.1
dualstack:
sudo ip link add vx84 type vxlan id 0 remote <vs4-free ipv6 address> local <dual-stack's ipv6 address> dstport 4789
sudo ip link set vx84 mtu 1420
sudo ip link set vx84 up
sudo ip addr add 172.16.40.1/24 dev vx84
sudo iptables-legacy -t nat -A POSTROUTING -s 172.16.40.0/24 ! -d 172.16.40.0/24 -j SNAT --to 172.16.41.212
vs-free:
~$ traceroute -n -q1 lgger.nexusbytes.com
traceroute to lgger.nexusbytes.com (46.4.199.225), 30 hops max, 60 byte packets
 1  172.16.40.2  3097.326 ms !H
vs-free:
ip addr
shows the vx84 like this:
3: vx84: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether de:bd:a3:8c:43:cf brd ff:ff:ff:ff:ff:ff
inet 172.16.40.2/24 scope global vx84
valid_lft forever preferred_lft forever
inet6 fe80::dcbd:a3ff:fe8c:43cf/64 scope link
valid_lft forever preferred_lft forever
dualstack:
4: vx84: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether 6e:3e:3f:65:5f:a4 brd ff:ff:ff:ff:ff:ff
inet 172.16.40.1/24 scope global vx84
valid_lft forever preferred_lft forever
inet6 fe80::6c3e:3fff:fe65:5fa4/64 scope link
valid_lft forever preferred_lft forever
I can access the dual-stack IPv6 web server, for example on port 80. Through IPv4 only ports 21200-21220 allow incoming traffic, but in this setup it's not relevant to specify the port anywhere? I tried also with dstport 21204 on both servers in case it was because the dual-stack server has a port open there, but it didn't help. Wonder if I have some firewall/setting enabled on the euserv control panel that I have to disable?
IPv4 ports are irrelevant here.
I'm unaware of any firewall.
Try to get 172.16.40.2 and 172.16.40.1 to talk to each other first, before attempting to reach Internet hosts.
This would isolate any problem related to NAT and routing, and confirm VXLAN tunneling is working.
You can keep a ping running from 172.16.40.2 to 172.16.40.1, and use tcpdump to find out where the traffic disappears.
You should look at both the main interface and the VXLAN interface, on both servers.
If you don't see ICMP packets, check whether ARP is working.
I have done some basic setup on euserv vsfree, checked some DigitalOcean tutorial on what to do first on a VPS that I usually do. I have done that in other places too, like that dual-stack VPS. However on this euserv, for example, tools like "ping" want sudo rights; I wonder if a problem like that is related. Anyway, I can't even ping the dual-stack server:
$ ping 172.16.40.1
ping: socket: Operation not permitted
xxx@localhost:~$ sudo ping 172.16.40.1
[sudo] password for xxx:
PING 172.16.40.1 (172.16.40.1) 56(84) bytes of data.
From 172.16.40.2 icmp_seq=1 Destination Host Unreachable
From 172.16.40.2 icmp_seq=2 Destination Host Unreachable
From 172.16.40.2 icmp_seq=3 Destination Host Unreachable
^C
--- 172.16.40.1 ping statistics ---
6 packets transmitted, 0 received, +3 errors, 100% packet loss, time 149ms
pipe 4
Can you throw in some commands I could try to speed up the "debugging" process. Should I rather send you a private message, or should I go ask help on these subtasks elsewhere? I might have to first read about these tools how to use them otherwise
Most of my tutorials are prepared/tested on a clean/default Debian 10 environment with minimal custom setup.
It's possible that the so called tutorials are interfering with the VXLAN setup.
ping and UDP traceroute should not need sudo privileges.
You can consider reinstalling the box and starting from scratch.
Otherwise, as I said, keep the ping running, and use tcpdump on each interface to find out where the traffic disappears.
I used this: https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-10
I created a user, installed sudo and then
usermod -aG sudo <user>
then I installed ufw, although I then disabled it after first enabling it and setting some rules, and that's it for the setup. Then I installed weechat, bitlbee-common and bitlbee-libpurple. However I am unable to get a bitlbee server running on 127.0.0.1 or localhost, so I figured it might be because of the lack of IPv4. Also if I got it to work, I would need to connect to Discord, which doesn't support IPv6, so this VXLAN thing would be needed.
Then today or yesterday I installed traceroute. I might have installed some other tools like that if they were needed in this setup. I don't know if I have installed anything else on the server. I will try first something with the ping and tcpdump before I try reinstall the box.
In a tmux terminal 1 I ran tcpdump and it spams a lot of messages very quickly, then on another terminal I ran sudo ping 172.16.40.1, getting From 172.16.40.2 icmp_seq=1026 Destination Host Unreachable, but I can't see anything that makes sense in the tcpdump output. I guess I will need to add some flags to the tcpdump command. I will see if I can read about tcpdump a bit later today. Thanks for all the help so far!
Running sudo ping 172.16.40.1 from 172.16.40.2 returns
From 172.16.40.2 icmp_seq=1718 Destination Host Unreachable
but I keep it running and then check tcpdump. Short snippets of lines from the command sudo tcpdump, first on euserv:
18:45:24.439711 IP6 (flowlabel 0x159e7, hlim 61, next-header UDP (17) payload length: 98) fdns4.kundencontroller.de.domain > .35769: [udp sum ok] 46719 ServFail q: PTR? 1.0.0.0.0.0.0.0.0.0.0.0.e.5.3.a.7.7.0.4.a.1.8.1.0.e.4.9.3.0.a.2.ip6.arpa. 0/0/0 (90)
18:45:24.447174 IP6 (flowlabel 0x81c1a, hlim 64, next-header UDP (17) payload length: 50) .40712 > fdns1.kundencontroller.de.domain: [bad udp cksum 0x94cb -> 0xc579!] 21245+ PTR? 1.40.16.172.in-addr.arpa. (42)
18:45:24.455162 IP6 (flowlabel 0x65e54, hlim 61, next-header UDP (17) payload length: 50) fdns1.kundencontroller.de.domain > .40712: [udp sum ok] 21245 NXDomain q: PTR? 1.40.16.172.in-addr.arpa. 0/0/0 (42)
18:45:24.458098 IP6 (flowlabel 0x58dc2, hlim 64, next-header UDP (17) payload length: 50) .49001 > fdns4.kundencontroller.de.domain: [bad udp cksum 0x94e5 -> 0x517a!] 42624+ PTR? 2.40.16.172.in-addr.arpa. (42)
18:45:24.458582 IP6 (flowlabel 0xab351, hlim 61, next-header UDP (17) payload length: 50) fdns4.kundencontroller.de.domain > .49001: [udp sum ok] 42624 NXDomain q: PTR? 2.40.16.172.in-addr.arpa. 0/0/0 (42)
18:45:24.459674 IP6 (flowlabel 0x258be, hlim 64, next-header UDP (17) payload length: 98) .38976 > fdns3.kundencontroller.de.domain: [bad udp cksum 0x9514 -> 0x2bf1!] 13142+ PTR? 4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.0.0.6.0.0.0.0.8.1.0.2.0.a.2.ip6.arpa. (90)
18:45:24.601704 IP6 (flowlabel 0xeb78b, hlim 61, next-header UDP (17) payload length: 137) fdns3.kundencontroller.de.domain > .38976: [udp sum ok] 13142 q: PTR? 4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.0.0.6.0.0.0.0.8.1.0.2.0.a.2.ip6.arpa. 1/0/0 4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.0.0.6.0.0.0.0.8.1.0.2.0.a.2.ip6.arpa. PTR fdns1.kundencontroller.de. (129)
18:45:24.602208 IP6 (flowlabel 0xe5d5d, hlim 64, next-header UDP (17) payload length: 98) .49864 > fdns1.kundencontroller.de.domain: [bad udp cksum 0x94fb -> 0x1d36!] 6000+ PTR? e.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.0.0.6.0.0.0.0.8.1.0.2.0.a.2.ip6.arpa. (90)
18:45:24.719608 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::fc69:a8ff:fe4d:7979 > ff02::1:ff00:34d0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has srvxxxxx.blue.kundencontroller.de
source link-address option (1), length 8 (1): fe:00:7d:22:a3:3f
0x0000: fe00 7d22 a33f
Same on dual-stack below. On dual-stack the hostname is set as the domain that was hosting the web server here, but now only hosts one subdomain of it. The hostname (URL) appears in the snippet here. I redacted that info and the IPv6 address, and also changed the euserv server address to srvxxxxx:
19:41:02.929382 IP6 (hlim 51, next-header UDP (17) payload length: 58) srvxxxxx.blue.kundencontroller.de.59017 > .4789: [udp sum ok] VXLAN, flags [I] (0x08), vni 0
ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.40.1 tell 172.16.40.2, length 28
19:41:03.953517 IP6 (hlim 51, next-header UDP (17) payload length: 58) srvxxxxx.blue.kundencontroller.de.59017 > .4789: [udp sum ok] VXLAN, flags [I] (0x08), vni 0
ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.40.1 tell 172.16.40.2, length 28
19:41:04.364505 IP (tos 0x0, ttl 64, id 63508, offset 0, flags [DF], proto TCP (6), length 40)
.37652 > 162.159.133.234.https: Flags [.], cksum 0xfe88 (incorrect -> 0x1ce8), seq 2835990610, ack 3452223195, win 434, length 0
19:41:04.367163 IP (tos 0x0, ttl 60, id 2692, offset 0, flags [DF], proto TCP (6), length 40)
162.159.133.234.https > .37652: Flags [.], cksum 0x1e54 (correct), seq 1, ack 1, win 69, length 0
19:41:04.738597 IP (tos 0x0, ttl 64, id 43322, offset 0, flags [DF], proto UDP (17), length 74)
.46352 > one.one.one.one.domain: [bad udp cksum 0xd82d -> 0x5ec6!] 8363+ PTR? 234.133.159.162.in-addr.arpa. (46)
19:41:04.741793 IP (tos 0x0, ttl 60, id 51830, offset 0, flags [DF], proto UDP (17), length 136)
one.one.one.one.domain > .46352: [udp sum ok] 8363 NXDomain q: PTR? 234.133.159.162.in-addr.arpa. 0/1/0 ns: 159.162.in-addr.arpa. SOA cruz.ns.cloudflare.com. dns.cloudflare.com. 2034580120 10000 2400 604800 3600 (108)
19:41:04.978093 IP6 (hlim 51, next-header UDP (17) payload length: 58) srvxxxxx.blue.kundencontroller.de.59017 > 2a03:94e0:181a:4077:a35e::1.4789: [udp sum ok] VXLAN, flags [I] (0x08), vni 0
ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.40.1 tell 172.16.40.2, length 28
Does that indicate that ICMP is not working but ARP is working? The dual-stack has 1.1.1.1 and 8.8.8.8 nameservers in /etc/resolv.conf. I can see Cloudflare-related connections mentioned in these packets a lot.
I didn't add code tags around the snippets, since it won't understand linebreaks and I would have to do each line separately. Wonder how I should use markdown on them.
When you run tcpdump, you should set filters to hide irrelevant traffic.
For example, udp port 4789 when you capture on the main interface, and arp or icmp when you capture on the VXLAN virtual interface. Also, use the -n flag to skip reverse DNS lookup.
Anyway, the EUserv side setup seems to be correct, as seen here:
There's no ARP reply, which means one or more of the following mistakes on dual stack side:
Run tcpdump on the VXLAN virtual interface at dual stack side.
If you see ARP requests, you can rule out the first two items.
If you see ARP replies too, you can rule out all of the above, and instead investigate IPv6 routing.
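As an added example (editor's, not from yoursunny or any poster), here is a shell function that reads a tcpdump capture of the outer interface and counts the ARP requests, ARP replies and ICMP echoes seen inside the VXLAN encapsulation, producing the verdict described above (requests but no replies means the far side never answered; replies but no ICMP means ARP works and the problem is further up). The sample capture lines are constructed in the style of the tcpdump -n -vv output posted above, with placeholder IPv6 addresses, and are not real captures.

```shell
#!/bin/sh
# Added example (not from the thread): classify VXLAN-encapsulated ARP and
# ICMP seen by tcpdump on the outer interface, for example with
#   tcpdump -l -n -vv -i eth0 'udp port 4789' | vxlan_arp_summary
# tcpdump -vv prints the decoded inner frame on the line after the VXLAN header.
set -eu

# Read tcpdump output on stdin; print counts and a verdict on one line.
vxlan_arp_summary() {
  req=0; rep=0; icmp=0
  while IFS= read -r line; do
    case $line in
      *"ARP, Ethernet"*"Request who-has"*)        req=$((req + 1)) ;;
      *"ARP, Ethernet"*"Reply "*"is-at"*)          rep=$((rep + 1)) ;;
      *"ICMP echo request"*|*"ICMP echo reply"*)  icmp=$((icmp + 1)) ;;
    esac
  done
  if [ "$req" -gt 0 ] && [ "$rep" -eq 0 ]; then
    # The peer never answered ARP: wrong VNI, port or address on the far
    # side, datagrams not arriving there, or its kernel not handling VXLAN.
    verdict=no-arp-reply
  elif [ "$rep" -gt 0 ] && [ "$icmp" -eq 0 ]; then
    verdict=arp-ok-no-icmp
  elif [ "$icmp" -gt 0 ]; then
    verdict=traffic-flowing
  else
    verdict=no-tunnel-traffic
  fi
  echo "requests=$req replies=$rep icmp=$icmp verdict=$verdict"
}

# Constructed sample resembling the thread's capture: requests, no answers.
SAMPLE_NO_REPLY='19:41:02.929382 IP6 (hlim 51, next-header UDP (17) payload length: 58) 2001:db8::2.59017 > 2001:db8::1.4789: [udp sum ok] VXLAN, flags [I] (0x08), vni 0
ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.40.1 tell 172.16.40.2, length 28
19:41:03.953517 IP6 (hlim 51, next-header UDP (17) payload length: 58) 2001:db8::2.59017 > 2001:db8::1.4789: [udp sum ok] VXLAN, flags [I] (0x08), vni 0
ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.40.1 tell 172.16.40.2, length 28'

# Constructed sample of a working tunnel: ARP answered, then ICMP echo both ways.
SAMPLE_WORKING='19:41:02.929382 IP6 (hlim 51, next-header UDP (17) payload length: 58) 2001:db8::2.59017 > 2001:db8::1.4789: [udp sum ok] VXLAN, flags [I] (0x08), vni 0
ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.40.1 tell 172.16.40.2, length 28
19:41:02.931004 IP6 (hlim 51, next-header UDP (17) payload length: 58) 2001:db8::1.4789 > 2001:db8::2.59017: [udp sum ok] VXLAN, flags [I] (0x08), vni 0
ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.16.40.1 is-at 6e:3e:3f:65:5f:a4, length 28
19:41:02.932110 IP6 (hlim 51, next-header UDP (17) payload length: 114) 2001:db8::2.59017 > 2001:db8::1.4789: [udp sum ok] VXLAN, flags [I] (0x08), vni 0
IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto ICMP (1), length 84) 172.16.40.2 > 172.16.40.1: ICMP echo request, id 1, seq 1, length 64
19:41:02.934220 IP6 (hlim 51, next-header UDP (17) payload length: 114) 2001:db8::1.4789 > 2001:db8::2.59017: [udp sum ok] VXLAN, flags [I] (0x08), vni 0
IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto ICMP (1), length 84) 172.16.40.1 > 172.16.40.2: ICMP echo reply, id 1, seq 1, length 64'

# Feed a sample string through the summariser.
summarize_sample() { printf '%s\n' "$1" | vxlan_arp_summary; }

if [ "${VXLAN_DEMO:-0}" = 1 ]; then
  summarize_sample "$SAMPLE_NO_REPLY"
  summarize_sample "$SAMPLE_WORKING"
fi
```

Run the capture on each side in turn: a no-arp-reply verdict on the IPv6-only host combined with no-tunnel-traffic on the gateway's outer interface points at IPv6 reachability of UDP/4789 (or a filter in front of it), while no-arp-reply on the host but requests visible on the gateway's vx84 points at the gateway's own VXLAN configuration.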
If I filter traffic to just to vx84 interface on dualstack, I get no output after waiting a minute or two at least hmm. The ping is running on the euserv.
$ sudo tcpdump -i vx84 -n -vv
tcpdump: listening on vx84, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
I have double checked local/remote ip addresses. The port is as in your examples, id was set to "0" in both servers in the setup command and interface name is "vx84", it's same in both servers.
The ip addr says it's "UP" at least:
vx84: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
The vx84 has the inet 172.16.40.1/24 scope global vx84 IP address, not 172.16.40.2 though. But shouldn't it have .1 in this setting?
This would leave the option that VXLAN is disabled in the kernel.
Yes, it should be 172.16.40.1 (typo in my last comment has been corrected).
Yes it's possible, but I don't know how to confirm or deny this hypothesis.
Normally, if kernel doesn't support a certain feature (e.g. VXLAN), you wouldn't be able to create the item (i.e. VXLAN interface).
However, OpenVZ does weird things all the time, so I'm not surprised.
For reference: my setup, when this tutorial was written, was on Gullo Germany, an OpenVZ7 container.
New method: add warp to euserv and get ipv4
Can you elaborate a bit more? I tried searching warp and I did find something, but not sure which I should go for on euserv.
Here would be a tutorial to set up a wireguard on debian buster. I guess I could follow that first https://wireguard.how/server/debian/ ?
Then here user bohanyang just explains on a cloudflare CLI warp tool github issues that after installing wireguard, you would need to create couple files and restart systemd-networkd. After this I guess I should have ipv4? https://github.com/ViRb3/wgcf/issues/77
I tried to add wireguard - warp. I installed wireguard with the method in the URL in the previous message, and created 4 files (two from each of the URLs in the previous post), and then when starting, the status says
Apr 20 12:01:48 localhost systemd-networkd[18631]: wg0: netdev could not be created: Operation not supported
http://sprunge.us/46QZLv
My ISP does not provide IPv6. I have an EUserv-free server but I can't connect to set these settings. I Googled it but couldn't find a solution. Is there a way to connect to my IPv6 server via IPv4?
Grab a tunnel and give yourself an IPv6 address TunnelBroker
@yoursunny
I have two servers, one from justhost.ru only has IPv6, and the other from Oracle Cloud has both IPv4 and IPv6.
Following the steps in this article, the configuration has been successful, and the server of justhost can access IPv4 network resources.
Everything looks great, until I use iperf3 to test the network bandwidth.
This is my test result:
justhost -> clouvider (IPv6):
iperf3 -c lon.speedtest.clouvider.net -6 -P 8 -R
190 Mbits/sec
oracle cloud -> clouvider (IPv4):
iperf3 -c lon.speedtest.clouvider.net -4 -P 8 -R
375 Mbits/sec
justhost -> oracle cloud (IPv4, VXLAN):
iperf3 -c my_oracle_iperf3_server -4 -P 8 -R
181 Mbits/sec
justhost -> oracle cloud -> clouvider (IPv4, VXLAN, NAT):
iperf3 -c lon.speedtest.clouvider.net -4 -P 8 -R
70 Mbits/sec
After NAT, the network bandwidth is only 70 Mbits/sec.
Is this the normal performance loss of iptables NAT?
Is there any performance tuning method?
Thanks for sharing.
Excellent guide @yoursunny. I had no experience with vxlan and for such tasks I would do a VPN, which is indeed overkill. Thanks.
However, I would like to ask, are there any security considerations having vxlan traffic over internet?
Obviously the traffic is not encrypted, but apart from that, if I'm not mistaken, vxlan is intended to be used in datacenters and isolated networks. Are there any security issues to consider in such a setup?
Free of charge but 2.38 Euros setup fee.
It used to be free
Just use Cloudflare WARP bro
Alright, this is a whole other level of crazy than what you demonstrated before... So you are suggesting that IBM and Microsoft should have the same amount of public IP address space as the local high school?
You are wanting to explode the routing table? Right now the smallest IPv4 route is for a /24.. How much bigger do you want the table to become? Verizon broke the IPv4 internet years ago by accidentally publishing a (may have been more than one, I don't remember right now) /16 as many /24s..
Nano technology, where each nano-bot in your body will need an address, /64 for a LAN size seems reasonable..
So as a programmer, why do you care so much?
Huh? How does 3-4.5GHz "just so happens to match 32 bits"? Your crazy is showing again..
NAT requires significantly more router resources than just routing does.
That is what a firewall is for. NAT is exactly a crutch. NAT isn't a firewall, even if some people try to make it one.
Even then, with IPv6, unless you publish the IP, nothing is going to reasonably find it. In the 10+ years that I have been using IPv6 (2008 I started), exactly one of my IPv6 addresses has gotten scanned and/or bots connecting to it, and I believe they got the IP from my ISP (because ISP side address, not my network side)
IPv6 was made by multiple committees, unlike IPv4 which was more like a science experiment that worked, then everybody saying, "It works, don't touch it". It took the committees close to two years to come up with the IPv6 framework, which was then tweaked two years later in 1998..
This was thoroughly discussed and debated by the IPng group, along with others.. Just because you believe it is "well thought out and well engineered" doesn't make it so.
This has been taken into account and is expected. However routing table size is different from address size because the smallest route entry is a /48.
Typical users will never, ever setup a router more than plugging in what their ISP supplies.
Please explain how you figure that walking a tech-illiterate person through setting up a port-forward is easier than dealing with IPv6 that 'just works'?
At the same time though home users are major group within those not wanting IPv6.
Oh? Source? Home users don't care as long as they can enter facebook into their browser and facebook loads.. Advanced home users, gamers included, want IPv6 because it ends NAT, which interferes with their games.
Can you link to anywhere that has a group of people that feel the same way you do? Overall, if this is really how you feel, that you are not just trolling, you missed the discussions and debates that happened in the mid-90s that made these decisions.
The decision going forward has already been made. Learn it, ask intelligent questions to learn some more, or just shut up.
Damn.. Missed that one then.. lol
Nah it has a cpu that is too slow to run windows 95, linux sometimes takes 30 seconds to print a line in ssh
I don't see any security issues.
If the server has IPv4 natively, you would be transmitting IPv4 traffic unencrypted directly.
When you use VXLAN according to this tutorial, you are still transmitting IPv4 traffic unencrypted, toward your dual stack server that acts like a router.
The higher layer protocols (IPsec or TLS) can encrypt the traffic.
In that case, IPv4 header would appear unencrypted within the VXLAN tunnel, while the application payload is encrypted.
This is the same regardless of using native IPv4 or VXLAN.
In principle, yes. Although I'd be ready to see a full /24 handed out for organizations who can plausibly demonstrate to need more than 64 public IPs.
And you call me crazy? Funny.
Btw those nanobots wouldn't need public IPs ...
As I said in another discussion, every issue you have with IPv6 already has a well thought out and planned solution.
Thank you for your how-to. I nearly forgot about that thing.. they are sooooo slow I really never used it
It’s almost as if RFCs are finalized after “request(ing) for comments.”