03-15-2021 01:57 AM
Hi,
I have set up a filter for the inbound direction on the WAN interface.
I permit www and 443 traffic from any to a specific host (2A01:XXXX:XXXX:C884:8000::1).
I get the following error on the browser:
<html><head><title>Service Unavailable</title></head> <body><h4>Service temporairement indisponible ou en maintenance.</h4></body></html>
(In English: "Service temporarily unavailable or under maintenance.")
Here is the config I have:
interface GigabitEthernet9
 description Primary link Free
 ip address 192.168.10.100 255.255.255.0
 ip access-group 199 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address 2A01:XXXX:XXXX:C880::2/64
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 traffic-filter ipv6in in
interface Vlan4
description front-web
ip address 192.168.104.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ipv6 address 2A01:XXXX:XXXX:C884:FFFF:FFFF:FFFF:0/65
ipv6 enable
ipv6 nd prefix 2A01:XXXX:XXXX:C884::/65 infinite infinite
ipv6 nd advertisement-interval
ipv6 nd ra interval 100
ACL:
ipv6 access-list ipv6in
 deny ipv6 any host 2A01:XXXX:XXXX:C881:FFFF:FFFF:FFFF:0
 deny ipv6 any host 2A01:XXXX:XXXX:C882:FFFF:FFFF:FFFF:0
 deny ipv6 any host 2A01:XXXX:XXXX:C883:FFFF:FFFF:FFFF:0
 deny ipv6 any host 2A01:XXXX:XXXX:C884:FFFF:FFFF:FFFF:0
 deny ipv6 any host 2A01:XXXX:XXXX:C884:7FFF:FFFF:FFFF:0
 deny ipv6 any host 2A01:XXXX:XXXX:C885:FFFF:FFFF:FFFF:0
 deny ipv6 any host 2A01:XXXX:XXXX:C886:FFFF:FFFF:FFFF:0
 deny ipv6 any host 2A01:XXXX:XXXX:C887:FFFF:FFFF:FFFF:0
 deny ipv6 any host 2A01:XXXX:XXXX:C881:FFFF:FFFF:FFFE:0
 deny ipv6 any host 2A01:XXXX:XXXX:C881:FFFF:FFFF:FFFD:0
 deny ipv6 any host 2A01:XXXX:XXXX:C882:FFFF:FFFF:FFFC:0
 permit tcp any any established
 permit icmp any any echo-reply
 permit udp any eq domain any
 permit tcp any host 2A01:XXXX:XXXX:C884:8000::1 eq www
 permit tcp any host 2A01:XXXX:XXXX5:C884:8000::1 eq 443
 permit tcp any host 2A01:XXXX:XXXX:C884:8000::1 eq 22 log
 permit tcp any 2A01:XXXX:XXXX5:C884:8000::/65 range 1024 65535
 permit udp any 2A01:XXXX:XXXX:C884:8000::/65 range 1024 65535
 permit icmp any 2A01:XXXX:XXXX:C884:8000::/65 echo-reply sequence 1000
 remark Permit good ICMPv6 message types
 remark Deny loopback address
 deny ipv6 host ::1 any
 remark Deny IPv4-compatible addresses
 deny ipv6 ::/96 any
 remark Deny IPv4-mapped addresses (obsolete)
 deny ipv6 ::FFFF:0.0.0.0/96 any
 remark Deny auto tunneled packets w/compatible addresses (RFC 4291)
 remark Deny other compatible addresses
 deny ipv6 ::224.0.0.0/100 any log
 deny ipv6 ::127.0.0.0/104 any log
 deny ipv6 ::/104 any log
 deny ipv6 ::255.0.0.0/104 any log
 remark Deny false 6to4 packets
 deny ipv6 2002:E000::/20 any log
 deny ipv6 2002:7F00::/24 any log
 deny ipv6 2002::/24 any log
 deny ipv6 2002:FF00::/24 any log
 deny ipv6 2002:A00::/24 any log
 deny ipv6 2002:AC10::/28 any log
 deny ipv6 2002:C0A8::/32 any log
 remark Permit good NDP messages since we deny and log at the end
 permit icmp FE80::/10 any nd-na
 permit icmp FE80::/10 any nd-ns
 remark Deny Link-Local communications
 deny ipv6 FE80::/10 any
 remark Deny Site-Local (deprecated)
 deny ipv6 FEC0::/10 any
 remark Deny Unique-Local packets
 deny ipv6 FC00::/7 any
 remark Deny multicast packets
 deny ipv6 FF00::/8 any
 remark Deny Documentation Address
 deny ipv6 2001:DB8::/32 any
 remark Deny 6Bone addresses (deprecated)
 deny ipv6 3FFE::/16 any
 remark Deny RH0 packets
 deny ipv6 any any routing-type 0 log
 remark Deny our own addresses coming inbound
Here is the router/firewall (C892FSP-K9) log:
Mar 15 08:35:53.712: %IPV6_ACL-6-ACCESSLOGP: list ipv6in/150 permitted tcp 2A01:CB09:8017:5F97:99B9:2DBF:AA47:3E8B(45698) -> 2A01:E34:EC45:C884:8000::1(80), 1 packet
Mar 15 08:39:52.236: %IPV6_ACL-6-ACCESSLOGP: list ipv6in/160 permitted tcp 2A01:CB09:8017:5F97:99B9:2DBF:AA47:3E8B(33474) -> 2A01:E34:EC45:C884:8000::1(443), 3 packets
The traffic does not go through?
Any Idea?
Thanks
vandman
08-07-2021 11:32 AM
Hi, sorry for the late reply.
I found the solution: the problem came from the fact that I did not have a default route ::/0.
The ACL I had blocked the automatic routing negotiation between the router and the box.
Here are the ACL entries I had to apply to allow automatic configuration:
 permit icmp FE80::/10 any nd-na
 permit icmp FE80::/10 any nd-ns
 permit icmp FF02::/16 any router-advertisement
 permit icmp FE80::/10 FF02::/16 router-advertisement
Thanks
vandman
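The mechanism behind both the question and the accepted answer is first-match ACL evaluation: the WAN interface learns its default route from Router Advertisements ("ipv6 address autoconfig default"), and the inbound traffic-filter reaches "deny ipv6 FE80::/10 any" before anything permits an RA, so the ::/0 route never appears. The following is an added example, not code from the original post or from Cisco: a small Python simulator for the subset of IOS IPv6 ACL syntax this thread uses (any / host / prefix addresses, protocol keyword, ICMPv6 type name). It appends the implicit entries a real IOS IPv6 ACL ends with (implicit permit for nd-na and nd-ns, then deny everything; RAs get no implicit permit) and evaluates constructed NDP packets against an excerpt of the original filter and against the same excerpt with the poster's fix inserted. The ACL excerpts, the packets, the link-local addresses fe80::1 (upstream box) and fe80::2 (router) and the placement of the fix ahead of the link-local deny are all assumptions made for the example; ports, "established", "sequence" and "routing-type" are deliberately not modelled.

```python
"""Constructed first-match simulator for a subset of Cisco IOS IPv6 ACL syntax.

Added example, not from the original post. Models: any / host X / prefix
addresses, protocol keyword (ipv6, icmp, tcp, udp) and an ICMPv6 type name.
Not modelled: ports, 'established', 'sequence', 'routing-type'.
"""
import ipaddress

# Real IOS behaviour: every IPv6 ACL ends with these implicit entries. NS/NA are
# allowed, router advertisements are not, everything else is denied.
IMPLICIT_TAIL = [
    "permit icmp any any nd-na",
    "permit icmp any any nd-ns",
    "deny ipv6 any any",
]

# Constructed excerpt of the poster's original 'ipv6in' tail.
ORIGINAL_ACL = [
    "permit icmp FE80::/10 any nd-na",
    "permit icmp FE80::/10 any nd-ns",
    "deny ipv6 FE80::/10 any",
    "deny ipv6 FF00::/8 any",
]

# Same excerpt with the poster's fix inserted ahead of the link-local deny
# (assumption: the permits must precede that deny for first-match to reach them).
FIXED_ACL = [
    "permit icmp FE80::/10 any nd-na",
    "permit icmp FE80::/10 any nd-ns",
    "permit icmp FF02::/16 any router-advertisement",
    "permit icmp FE80::/10 FF02::/16 router-advertisement",
    "deny ipv6 FE80::/10 any",
    "deny ipv6 FF00::/8 any",
]


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("::/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/128"), i + 2
    return ipaddress.ip_network(tok, strict=False), i + 1


def parse_entry(line):
    """Turn one ACE into a dict, or None for 'remark' lines."""
    tokens = line.split()
    if tokens[0] == "remark":
        return None
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    quals = [t for t in tokens[i:] if t != "log"]
    icmp_type = quals[0] if proto == "icmp" and quals else None
    return {"line": line, "action": action, "proto": proto,
            "src": src, "dst": dst, "icmp_type": icmp_type}


def evaluate(acl, pkt):
    """First-match lookup over acl + implicit tail; returns (action, matching ACE)."""
    for entry in filter(None, map(parse_entry, acl + IMPLICIT_TAIL)):
        if entry["proto"] != "ipv6" and entry["proto"] != pkt["proto"]:
            continue
        if ipaddress.ip_address(pkt["src"]) not in entry["src"]:
            continue
        if ipaddress.ip_address(pkt["dst"]) not in entry["dst"]:
            continue
        if entry["icmp_type"] and entry["icmp_type"] != pkt.get("icmp_type"):
            continue
        return entry["action"], entry["line"]
    raise AssertionError("unreachable: the implicit deny always matches")


# Constructed NDP traffic arriving inbound on the WAN interface.
# fe80::1 stands in for the upstream box, fe80::2 for the router itself.
PACKETS = {
    "RA to all-nodes": {"src": "fe80::1", "dst": "ff02::1", "proto": "icmp",
                        "icmp_type": "router-advertisement"},
    "solicited RA unicast": {"src": "fe80::1", "dst": "fe80::2", "proto": "icmp",
                             "icmp_type": "router-advertisement"},
    "NS to solicited-node": {"src": "fe80::1", "dst": "ff02::1:ff00:2", "proto": "icmp",
                             "icmp_type": "nd-ns"},
}


def compare(name):
    """Return (original verdict, fixed verdict) for one named packet."""
    pkt = PACKETS[name]
    return evaluate(ORIGINAL_ACL, pkt)[0], evaluate(FIXED_ACL, pkt)[0]


if __name__ == "__main__":
    for name in PACKETS:
        for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
            action, ace = evaluate(acl, PACKETS[name])
            print(f"{name:22} {label:8} -> {action:6} via '{ace}'")
```

Running it shows the multicast RA hitting "deny ipv6 FE80::/10 any" in the original filter and "permit icmp FE80::/10 FF02::/16 router-advertisement" in the fixed one; the entry with FF02::/16 as the source never matches, because RFC 4861 requires an RA to be sourced from a link-local address. The simulator also surfaces an edge the fix leaves open: a solicited RA sent unicast to the router's own link-local address is still caught by the link-local deny, so whether that matters depends on how the upstream box answers Router Solicitations.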
03-15-2021 02:28 AM
Hi there,
The HTML response you include has the text of an HTTP 503 error, "Service unavailable", which implies an issue with the server you are connecting to.
This is confirmed by the router logs which show packets being permitted to that host.
I would check on the www service on your server, is it hosting websites on IPv6, does it have an ACL on the http service which blocks requests to IPv6 hosts?
cheers,
Seb.
03-15-2021 01:42 PM
Hi,
From the local network it works perfectly well. In debug mode Traefik gives me logs and the website shows up in the browser.
From the Internet I have no logs in Traefik.
For me, no traffic goes to the service.
This is weird.
Regards
vandman
03-16-2021 02:37 AM
This sounds very much like an issue localised to the server. You could run a packet capture on the machine to confirm the externally sourced packets are indeed reaching the machine.
What OS are you running? What HTTP service are you running?
The HTTP response page suggests that it is not an OS firewall, but a configuration item with the HTTP service.
cheers,
Seb.