Gentoo Forums
[solved] IPv6 forwarding woes
bpoint
Tux's lil' helper

Joined: 07 Oct 2008
Posts: 93
Location: Japan

Posted: Fri Apr 19, 2024 2:12 pm    Post subject: [solved] IPv6 forwarding woes

Hi all,

I've been trying to set up IPv6 forwarding and routing to clients on my LAN over the last few days, but I simply cannot figure out why clients on the LAN are unable to access the internet over IPv6. (IPv4 with NAT is working fine, however!)

I (supposedly) have a /56 prefix assignment from my ISP, so I'd expect I should be able to create separate subnets for the LAN and Wifi like I am doing now, but perhaps I'm missing something obvious here...

Currently, my network map looks like this:
(I'm more than happy to ignore Wifi for right now. I'm just including it for completeness' sake.)

Code:
                                      WAN:1f00 +--------+--- LAN:1f01 (enp4s0)
[Internet] --- [ONU] --- [ISP Router] ---------| Gentoo |
                                      (enp3s0) +--------+--- Wifi:1f02 (wlp16s0)


Gentoo gets both an IPv4 and IPv6 address and gateway information from the router via DHCP on the WAN interface, and has no issues using IPv6 itself:

Code:
gentoo ~ # ping6 ipv6.google.com
PING ipv6.google.com (2404:6800:4004:813::200e) 56 data bytes
64 bytes from nrt20s17-in-x0e.1e100.net (2404:6800:4004:813::200e): icmp_seq=1 ttl=115 time=25.5 ms
64 bytes from nrt20s17-in-x0e.1e100.net (2404:6800:4004:813::200e): icmp_seq=2 ttl=115 time=23.0 ms
64 bytes from nrt20s17-in-x0e.1e100.net (2404:6800:4004:813::200e): icmp_seq=3 ttl=115 time=23.0 ms
^C
--- ipv6.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 23.028/23.848/25.489/1.160 ms


I've set up dnsmasq so clients on the LAN are able to get both IPv4/IPv6 addresses from the Gentoo box, and while they do get a valid IPv6 address, they seem to be unable to get any kind of response over IPv6. For example, a tcpdump on Gentoo shows the echo packets going out the WAN interface, but never receiving an echo reply (public IPv6 addresses partially redacted):
Code:
gentoo ~ # tcpdump -v -i enp3s0 icmp6
dropped privs to pcap
tcpdump: listening on enp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:43:04.444669 IP6 (flowlabel 0x293ac, hlim 64, next-header ICMPv6 (58) payload length: 138) 2001:db8::1f00:fa0b:1fe:16fb:c1a5 > one.one.one.one: [icmp6 sum ok] ICMP6, destination unreachable, unreachable port, 2001:db8::1f00:fa0b:1fe:16fb:c1a5 udp port 58978
22:43:04.445152 IP6 (flowlabel 0x70100, hlim 63, next-header ICMPv6 (58) payload length: 16) 2001:db8::1f01:68f3:e71f:721a:9a4e > nrt13s52-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, id 23029, seq 0
22:43:04.446654 IP6 (flowlabel 0xd48ef, hlim 64, next-header ICMPv6 (58) payload length: 138) 2001:db8::1f00:fa0b:1fe:16fb:c1a5 > one.one.one.one: [icmp6 sum ok] ICMP6, destination unreachable, unreachable port, 2001:db8::1f00:fa0b:1fe:16fb:c1a5 udp port 58978
22:43:05.446394 IP6 (flowlabel 0x70100, hlim 63, next-header ICMPv6 (58) payload length: 16) 2001:db8::1f01:68f3:e71f:721a:9a4e > nrt13s52-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, id 23029, seq 1
22:43:06.451844 IP6 (flowlabel 0x70100, hlim 63, next-header ICMPv6 (58) payload length: 16) 2001:db8::1f01:68f3:e71f:721a:9a4e > nrt13s52-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, id 23029, seq 2
22:43:07.454498 IP6 (flowlabel 0x70100, hlim 63, next-header ICMPv6 (58) payload length: 16) 2001:db8::1f01:68f3:e71f:721a:9a4e > nrt13s52-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, id 23029, seq 3
22:43:08.455352 IP6 (flowlabel 0x70100, hlim 63, next-header ICMPv6 (58) payload length: 16) 2001:db8::1f01:68f3:e71f:721a:9a4e > nrt13s52-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, id 23029, seq 4
22:43:09.460435 IP6 (flowlabel 0x70100, hlim 63, next-header ICMPv6 (58) payload length: 16) 2001:db8::1f01:68f3:e71f:721a:9a4e > nrt13s52-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, id 23029, seq 5
22:43:10.465801 IP6 (flowlabel 0x70100, hlim 63, next-header ICMPv6 (58) payload length: 16) 2001:db8::1f01:68f3:e71f:721a:9a4e > nrt13s52-in-x0e.1e100.net: [icmp6 sum ok] ICMP6, echo request, id 23029, seq 6


However, I have no problem pinging the Gentoo box over IPv6 from inside the LAN (again, public IPv6 addresses partially redacted):
Code:
Michaels-Mac-Studio:Downloads $ ping6 2001:db8::1f01::1
PING6(56=40+8+8 bytes) 2001:db8::1f01:68f3:e71f:721a:9a4e --> 2001:db8::1f01::1
16 bytes from 2001:db8::1f01::1, icmp_seq=0 hlim=64 time=0.770 ms
16 bytes from 2001:db8::1f01::1, icmp_seq=1 hlim=64 time=0.794 ms
16 bytes from 2001:db8::1f01::1, icmp_seq=2 hlim=64 time=1.013 ms
^C
--- 2001:db8::1f01::1 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.770/0.859/1.013/0.109 ms


My kernel sysctl has the following options set:
Code:
gentoo ~ # cat /etc/sysctl.d/local.conf
# enable IPv4/v6 packet forwarding
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

# enable reverse path filtering (used to determine if packets are valid)
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1

# accept IPv6 route advertisements over WAN interface
net.ipv6.conf.enp3s0.accept_ra=2


And /etc/conf.d/net is:
Code:
# 10Gbit WAN (upper port)
config_enp3s0="dhcp"

# 10Gbit LAN (lower port)
config_enp4s0="172.24.58.1/24 2001:db8::1f01::1/64"

# MediaTek MT7922 WiFi6E
modules_wlp16s0="!iwconfig !wpa_supplicant !iw"
config_wlp16s0="172.24.59.1/24 2001:db8::1f02::1/64"


And lastly, the IPv6 routing table:
Code:
gentoo ~ # ip -6 route
anycast 2001:db8::1f00:: dev enp3s0 proto kernel metric 0 pref medium
2001:db8::1f00::/64 dev enp3s0 proto ra metric 1002 pref medium
anycast 2001:db8::1f01:: dev enp4s0 proto kernel metric 0 pref medium
2001:db8::1f01::/64 dev enp4s0 proto kernel metric 256 pref medium
anycast fe80:: dev enp3s0 proto kernel metric 0 pref medium
anycast fe80:: dev enp4s0 proto kernel metric 0 pref medium
anycast fe80:: dev wlp16s0 proto kernel metric 0 pref medium
fe80::/64 dev enp3s0 proto kernel metric 256 pref medium
fe80::/64 dev enp4s0 proto kernel metric 256 pref medium
fe80::/64 dev wlp16s0 proto kernel metric 256 pref medium
multicast ff00::/8 dev enp3s0 proto kernel metric 256 pref medium
multicast ff00::/8 dev enp4s0 proto kernel metric 256 pref medium
multicast ff00::/8 dev wlp16s0 proto kernel metric 256 pref medium
default via fe80::1e7c:98ff:fe15:8f90 dev enp3s0 proto ra metric 1002 pref medium
default dev lo proto ra metric 1024 pref medium


I'm happy to provide any other configuration files or whatever else would help to solve this. I'm currently only using dhcpcd/dnsmasq/ip(6)tables. I've tried radvd but it didn't help. While I haven't tried it yet, I'm happy to switch to nf_tables if it makes things work, but my ip6tables rules are very permissive right now.

This really is my first time getting this deep into IPv6, although I definitely feel like I've learned a lot over these last couple of days. Any pointers or suggestions would be highly appreciated!


Last edited by bpoint on Wed Apr 24, 2024 6:34 am; edited 1 time in total

user
Apprentice

Joined: 08 Feb 2004
Posts: 202

Posted: Fri Apr 19, 2024 2:59 pm

If the client host has trouble reaching the internet via router/gentoo over IPv6, start debugging at the client host.

Verify routing first, then debug traffic between each hop: client<>router and router<>internet.

Default ipv6 route of client host?
Code:
client # ip -6 route get 2000::


IPv6 route selection at router/gentoo based on client host source?
Code:
router # ip -6 route get 2000:: from <client host IPv6>

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54276
Location: 56N 3W

Posted: Fri Apr 19, 2024 9:46 pm

bpoint,

I do IPv6 like this. See the IPv6 bits.

The problem I had was switching from a static to a dynamic setup when nothing really changed.
The twist was unless I requested delegated prefixes from my ISP, my ISP dropped the prefixes at their internet boundary. That was new. Previously, everything on my /48 was routed to me and I dropped it. That was a waste of bandwidth carrying junk.
Once the delegated prefixes were actually delegated, it all just worked.

IPv4 and IPv6 are separate network stacks. How do you obtain your delegated prefixes?

It's all very well doing static assignments from your /56 like
Code:
# 10Gbit LAN (lower port)
config_enp4s0="172.24.58.1/24 2001:db8::1f01::1/64"

# MediaTek MT7922 WiFi6E
modules_wlp16s0="!iwconfig !wpa_supplicant !iw"
config_wlp16s0="172.24.59.1/24 2001:db8::1f02::1/64"
as long as your ISP doesn't drop them because it doesn't know that they are used.

When the dhcpv6-client makes a request, the response comes back on the dhcpv6-server port, so it's neither related nor associated.
It took me a while to work out that I was sending dhcpv6-client requests correctly but dropping all the responses. :)
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
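
The dropped-reply problem described in the post above, modelled as an added example that is not from the thread. All addresses are constructed, `Tracker` is a simplified stand-in for netfilter connection tracking, and the names `Udp`, `Tracker` and `input_verdict` are hypothetical.

```python
"""Simplified model of stateful filtering applied to a DHCPv6 exchange.
All addresses are constructed; Tracker is a stand-in for netfilter conntrack."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

LINK_LOCAL = ip_network("fe80::/10")
DHCPV6_CLIENT_PORT = 546   # replies are addressed to this port
DHCPV6_SERVER_PORT = 547   # requests are addressed to this port


class Udp(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


class Tracker:
    """Remembers the exact reply tuple expected for each outgoing packet."""

    def __init__(self):
        self.expected = set()

    def sent(self, pkt: Udp) -> None:
        self.expected.add(Udp(pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def state(self, pkt: Udp) -> str:
        return "ESTABLISHED" if pkt in self.expected else "NEW"


def input_verdict(tracker: Tracker, pkt: Udp, allow_dhcpv6_reply: bool) -> str:
    """INPUT policy: accept tracked replies, optionally DHCPv6 replies, drop the rest."""
    if tracker.state(pkt) == "ESTABLISHED":
        return "ACCEPT"
    # Equivalent ip6tables match: -p udp -s fe80::/10 --dport 546 -j ACCEPT
    if (allow_dhcpv6_reply and pkt.dport == DHCPV6_CLIENT_PORT
            and ip_address(pkt.src) in LINK_LOCAL):
        return "ACCEPT"
    return "DROP"


# Constructed exchange: the client solicits the DHCPv6 servers-and-relays
# multicast group; the upstream router answers from its own link-local address.
SOLICIT = Udp("fe80::2", DHCPV6_CLIENT_PORT, "ff02::1:2", DHCPV6_SERVER_PORT)
REPLY = Udp("fe80::1", DHCPV6_SERVER_PORT, "fe80::2", DHCPV6_CLIENT_PORT)
# Constructed unicast DNS exchange for comparison.
DNS_QUERY = Udp("2001:db8:0:1f00::2", 40000, "2001:db8:53::1", 53)
DNS_ANSWER = Udp("2001:db8:53::1", 53, "2001:db8:0:1f00::2", 40000)


def run() -> dict:
    t = Tracker()
    t.sent(SOLICIT)
    t.sent(DNS_QUERY)
    return {
        "dns_answer": input_verdict(t, DNS_ANSWER, False),
        "dhcpv6_reply_default": input_verdict(t, REPLY, False),
        "dhcpv6_reply_with_rule": input_verdict(t, REPLY, True),
    }


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name}: {verdict}")
```

The reply never matches the tracked tuple because the request went to a multicast address and the answer comes from a unicast one, so the explicit rule is scoped to link-local sources and the client port only.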

bpoint
Tux's lil' helper

Joined: 07 Oct 2008
Posts: 93
Location: Japan

Posted: Sat Apr 20, 2024 7:56 am

NeddySeagoon,

That was the missing piece of the puzzle, thank you so much!

I've updated my dhcpcd.conf to request an IPv6 delegated prefix from the upstream and assign it to the LAN interface like so:
Code:
interface enp3s0
        ia_pd 2 enp4s0/0/64


The router seems to want to delegate out subnets in /60 blocks even if I specify /64, so I need to use 1f10::/60, 1f20::/60, etc. which isn't a big deal, but I still need to figure out how to pass the assigned IPv6 address ranges to dnsmasq so I don't have to manually configure them every time they change.

Nonetheless, I can finally successfully ping over IPv6 from inside the LAN on the separate subnet:
Code:
Michaels-Mac-Studio:Downloads $ ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:db8::1f20:ed9d:ae:17b:1574 --> 2404:6800:4004:813::200e
16 bytes from 2404:6800:4004:813::200e, icmp_seq=0 hlim=56 time=26.078 ms
16 bytes from 2404:6800:4004:813::200e, icmp_seq=1 hlim=56 time=23.636 ms
16 bytes from 2404:6800:4004:813::200e, icmp_seq=2 hlim=56 time=23.738 ms
^C
--- ipv6.l.google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 23.636/24.484/26.078/1.128 ms


Thanks again for your help!

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54276
Location: 56N 3W

Posted: Sat Apr 20, 2024 9:45 am

bpoint,

radvd does that for free.

dhcpcd gets your delegated prefix(es) and assigns <prefix>::1 to each interface.
radvd advertises whatever prefix is on the interface.

Look at the fine print. Do you got a delegation of a single /60 or several non overlapping /60s ?

It matters as a /60 covers four /64 subnets. If you want to control routing between /64 subnets that may matter.

There are several syntaxes for prefix delegation. They are all supposed to be equal. I've found that not all upstream routers provide the desired results unless you provide their desired syntax.
Code:
ia_pd 2 enp4s0/0/64

It's a bit of trial and error. Well, it's quite a lot of trial and error actually.

When I used PPPoE to talk to my ISP's router directly.
Code:

        IAID 0
        iaid 100

# Request a DHCPv6 Delegated Prefix for iaid.

#ia_pd 3 blue green  <--- Works for ISP
# The /64 to define the requested prefix size is the default and should not be required.
# However some horrible routers get a single bigger prefix and allocate it everywhere.

ia_pd 3 blue/1/64 green/2/64


Due to POTS going away here any day and in the interest of keeping a working VoIP replacement from day 1, I let the ISP's provided Fritz!Box do the PPPoE, so it's now my upstream router.
I had to switch to the second form to get two separate /64 delegated.

IPv6 does something that IPv4 does not. Addresses and prefixes do not change instantly.
Your IPv6 address will have a lifetime.
Halfway through that lifetime it will become depreciated.
At the end of the lifetime it will be expired.

The expired address will not work. The depreciated address can be used for existing connections. It still works. The new (not depreciated address) will be used for all new outgoing connections.
I don't have a depreciated address to show as my IPv6 addresses never change.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

bpoint
Tux's lil' helper

Joined: 07 Oct 2008
Posts: 93
Location: Japan

Posted: Sat Apr 20, 2024 11:28 am

NeddySeagoon wrote:
radvd does that for free.

dhcpcd gets your delegated prefix(es) and assigns <prefix>::1 to each interface.
radvd advertises whatever prefix is on the interface.

I considered that, but unless I'm mistaken, it looks like radvd would just pass the DHCP options it receives (such as DNS server) down to the clients from upstream.

Part of my effort of building this server is to run a local caching DNS server (dnsmasq) and ensure all of the clients on the LAN use it.

Quote:
Look at the fine print. Do you got a delegation of a single /60 or several non overlapping /60s ?

It matters as a /60 covers four /64 subnets. If you want to control routing between /64 subnets that may matter.

The router is definitely assigning a separate /60 for each delegation requested from dhcpcd. Since I can't post images (a screenshot of the router UI), here's what it currently looks like as ASCII art:

Code:
DHCPv6 Server Allocation Status
-------------------------------

Allocation Status:
Current number of allocations: 4/15
Current time: 2024/04/20 19:12:48

IPv6 Prefix         | MAC Address       | Lease time
--------------------+-------------------+-----------------------------
2001:db8::1f10::/60 | d8:43:ae:xx:xx:xx | 2024/04/20 22:03:12
2001:db8::1f20::/60 | d8:43:ae:xx:xx:xx | 2024/04/20 22:30:38
2001:db8::1f30::/60 | d8:43:ae:xx:xx:xx | 2024/04/20 21:34:15
2001:db8::1f40::/60 | d8:43:ae:xx:xx:xx | 2024/04/20 22:02:27


I've been tweaking values in dhcpcd.conf and restarted dhcpcd, and even rebooted a few times, so I imagine that's why there's currently 4 different allocations, but I'm really not understanding how exactly each prefix is being allocated.

Quote:
There are several syntaxes for prefix delegation. They are all supposed to be equal. I've found that not all upstream routers provide the desired results unless you provide their desired syntax.
Code:
ia_pd 2 enp4s0/0/64

It's a bit of trial and error. Well, it's quite a lot of trial and error actually.

I think this trial and error is where I'm at now. :) I've read the manpage for dhcpcd.conf about 10 times and I still don't understand what the differences between the ia_na and ia_pd options are, nor do I know what the iaid is supposed to be.

Given my current configuration of:
Code:
noipv6rs

interface enp3s0
        ipv6rs
        ia_pd 2 enp4s0/0/64

This does repeatedly assign the 1f20::/60 prefix to enp4s0, so I assumed that the "2" would mean the second prefix (1f20), but changing this value to something like 1 or 8 doesn't give me the appropriate prefix (1f10 or 1f80) either.

Quote:

When I used PPPoE to talk to my ISP's router directly.
Code:

        IAID 0
        iaid 100

# Request a DHCPv6 Delegated Prefix for iaid.

#ia_pd 3 blue green  <--- Works for ISP
# The /64 to define the requested prefix size is the default and should not be required.
# However some horrible routers get a single bigger prefix and allocate it everywhere.

ia_pd 3 blue/1/64 green/2/64



In your example there, you have IAID specified twice (granted, one is in uppercase, the other is in lowercase). Is that a mistake, or does specifying "0" then "100" for that actually mean something?

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54276
Location: 56N 3W

Posted: Sat Apr 20, 2024 1:02 pm

bpoint,

The IAID is a unique identifier for the interface. It defaults if unset.
man dhcpcd.conf:
       iaid iaid
               Set the Interface Association Identifier to iaid. ... This defaults to the
               VLANID (prefixed with 0xff) for the interface if set, otherwise
               the last 4 bytes of the hardware address assigned to the interface.


I set it manually to keep things clear in my mind but it should just work unless the last 4 bytes of the hardware address assigned to the interface are not unique in your system.

Code:
       ia_na [iaid [/ address]]
               Request a DHCPv6 Normal Address for iaid.

Get yourself an IPv6 address. Only required on your end of the upstream link.

Code:
ia_pd  [iaid ..... ]
               Request a DHCPv6 Delegated Prefix for iaid. ...

Get prefix delegation(s) for the downstream interfaces. This makes my eyes glaze over. Hence lots of trial and error.
I don't understand why different upstream routers want different syntaxes.
Well it will be like The Magpie's Nest
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

bpoint
Tux's lil' helper

Joined: 07 Oct 2008
Posts: 93
Location: Japan

Posted: Wed Apr 24, 2024 6:33 am

So after the trial and error, I've found the following dhcpcd.conf setup works for me:
Code:
noipv6rs

interface enp3s0
        ipv6rs
        ia_pd 2 enp4s0/0/64
        ia_pd 2 wlp16s0/1/64
        ia_pd 2 enp15s0/2/64


This requests a single /60 subnet (of the assigned /56 prefix from my ISP) from my upstream router:

Code:
IPv6 Prefix         | MAC Address       | Lease time
--------------------+-------------------+-----------------------------
2001:db8::1f20::/60 | d8:43:ae:xx:xx:xx | 2024/04/23 18:22:51


Which dhcpcd then automatically splits further into a /64 subnet for each interface (I've masked the actual IPv6 addresses, but note the 1f20, 1f21, 1f22):

Code:
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.24.56.15  netmask 255.255.255.0  broadcast 172.24.56.255
        inet6 fe80::2b4c:c28c:c44b:3763  prefixlen 64  scopeid 0x20<link>
        inet6 2001:db8::1f00::c1a5  prefixlen 64  scopeid 0x0<global>
        ether 24:5e:be:xx:xx:xx  txqueuelen 1000  (Ethernet)

enp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.24.58.1  netmask 255.255.255.0  broadcast 172.24.58.255
        inet6 fe80::265e:beff:fe84:c09b  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::c06b:2ab9:25a2:ee7d  prefixlen 64  scopeid 0x20<link>
        inet6 2001:db8::1f20::1  prefixlen 64  scopeid 0x0<global>
        ether 24:5e:be:xx:xx:xx  txqueuelen 1000  (Ethernet)

wlp16s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.24.59.1  netmask 255.255.255.0  broadcast 172.24.59.255
        inet6 fe80::16ac:60ff:fe7d:179f  prefixlen 64  scopeid 0x20<link>
        inet6 2001:db8::1f21::1  prefixlen 64  scopeid 0x0<global>
        ether 14:ac:60:xx:xx:xx  txqueuelen 1000  (Ethernet)

enp15s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.24.60.1  netmask 255.255.255.0  broadcast 172.24.60.255
        inet6 fe80::0281:60d5:506a:9c0c  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::76bd:3f8d:93dc:200f  prefixlen 64  scopeid 0x20<link>
        inet6 2001:db8::1f22::1  prefixlen 64  scopeid 0x0<global>
        ether 00:e0:4c:xx:xx:xx  txqueuelen 1000  (Ethernet)


For some reason, an IAID of 1 (or 0) wouldn't work for my router, and IPv6 address assignments have been consistent for the last few days, so I'm happy with 2.

Thanks for all the help!
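
The sla_id arithmetic behind the configuration in the post above, together with a check that flags a statically configured /64 lying outside any delegated prefix (the situation in the opening post), as an added example that is not from the thread. The /60 is a constructed documentation prefix standing in for the redacted one, the function names are hypothetical, and only the `interface/sla_id/prefix_len` form of `ia_pd` is parsed.

```python
"""Work out which /64 lands on each interface from one delegated prefix.
The prefix is constructed; the thread's real addresses are redacted."""
from ipaddress import IPv6Interface, IPv6Network

# ia_pd lines as posted in the thread's final configuration.
DHCPCD_CONF = """\
interface enp3s0
        ipv6rs
        ia_pd 2 enp4s0/0/64
        ia_pd 2 wlp16s0/1/64
        ia_pd 2 enp15s0/2/64
"""
DELEGATED = "2001:db8:0:1f20::/60"   # constructed stand-in for the router's /60


def sla_subnet(delegated: str, sla_id: int, prefix_len: int = 64) -> IPv6Network:
    """Return subnet number sla_id of the given length inside the delegation."""
    parent = IPv6Network(delegated)
    spare_bits = prefix_len - parent.prefixlen
    if spare_bits < 0 or not 0 <= sla_id < (1 << spare_bits):
        raise ValueError(
            f"sla_id {sla_id} does not fit /{parent.prefixlen} -> /{prefix_len}")
    base = int(parent.network_address) | (sla_id << (128 - prefix_len))
    return IPv6Network((base, prefix_len))


def plan(delegated: str, conf: str) -> dict:
    """Map each downstream interface to the <prefix>::1 address it would get."""
    result = {}
    for line in conf.splitlines():
        words = line.split()
        if not words or words[0] != "ia_pd":
            continue
        for spec in words[2:]:          # words[1] is the IAID
            parts = spec.split("/")
            if len(parts) != 3:         # other ia_pd forms are not handled here
                continue
            iface, sla_id, prefix_len = parts[0], int(parts[1]), int(parts[2])
            net = sla_subnet(delegated, sla_id, prefix_len)
            result[iface] = IPv6Interface(
                (int(net.network_address) + 1, net.prefixlen))
    return result


def is_delegated(prefix: str, delegations: list) -> bool:
    """True if prefix sits inside a delegation the upstream router knows about."""
    candidate = IPv6Network(prefix)
    return any(candidate.subnet_of(IPv6Network(d)) for d in delegations)


if __name__ == "__main__":
    for iface, addr in plan(DELEGATED, DHCPCD_CONF).items():
        print(f"{iface:8} {addr}")
    # A hand-picked /64 from the ISP's /56 that was never delegated.
    static = "2001:db8:0:1f01::/64"
    print(static, "delegated:", is_delegated(static, [DELEGATED]))
```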