I have an IPv6 router based on Arch Linux. My ISP gives me the 2a00:f480:4:266::/64 network:
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 78:24:af:04:66:72 brd ff:ff:ff:ff:ff:ff
inet 10.20.10.134/16 brd 10.20.255.255 scope global dynamic noprefixroute eth0
valid_lft 42952sec preferred_lft 37552sec
inet6 2a00:f480:4:266:7a24:afff:fe04:6672/64 scope global dynamic mngtmpaddr
valid_lft 2591945sec preferred_lft 604745sec
inet6 fe80::7a24:afff:fe04:6672/64 scope link
valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether b8:27:eb:c5:31:79 brd ff:ff:ff:ff:ff:ff
inet 192.168.88.1/24 brd 192.168.88.255 scope global wlan0
valid_lft forever preferred_lft forever
inet6 2a00:f480:4:266::0388/64 scope global nodad
valid_lft forever preferred_lft forever
inet6 fe80::ba27:ebff:fec5:3179/64 scope link
valid_lft forever preferred_lft forever
My external interface is configured via netctl; for IPv4 I use DHCP and for IPv6 I use SLAAC:
# cat /etc/netctl/external
Description='Wired WAN connection'
Interface=eth0
Connection=ethernet
IP=dhcp
IP6=stateless
DNS=('127.0.0.1' '::1')
SkipNoCarrier=yes
The DNS server is dnsmasq, installed locally. My internal interface is hand-configured:
# cat /etc/netctl/internal
Description='Wireless LAN connection'
Interface=wlan0
Connection=ethernet
IP=static
IP6=static
Address='192.168.88.1/24'
Address6='2a00:f480:4:266::0388/64'
SkipNoCarrier=yes
I share the internet connection with the whole room via hostapd.
Forwarding is enabled:
# cat /etc/sysctl.d/30-ipforward.conf
net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
iptables is configured for both IP protocol versions according to the Arch Wiki articles:
# cat /etc/iptables/iptables.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
# loopback functionality
-A INPUT -i lo -j ACCEPT
# drop all invalid packets regardless of their origin
-A INPUT -m conntrack --ctstate INVALID -j DROP
# allow established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# allow ping from LAN
-A INPUT -i wlan0 -s 192.168.88.0/24 -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# allow TCP and UDP services
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# deny all other incoming connections
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# TCP services
-A TCP -i wlan0 -s 192.168.88.0/24 -p tcp --dport 22 -j ACCEPT
-A TCP -i wlan0 -s 192.168.88.0/24 -p tcp --dport 53 -j ACCEPT
# UDP services
-A UDP -i wlan0 -s 192.168.88.0/24 -p udp --dport 53 -j ACCEPT
-A UDP -i wlan0 -p udp --dport 67 -j ACCEPT
# allow forwarding between eth0 and wlan0
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
# deny all remaining
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# allow masquerading for LAN
-A POSTROUTING -s 192.168.88.0/24 -o eth0 -j MASQUERADE
COMMIT
# cat /etc/iptables/ip6tables.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback functionality
-A INPUT -i lo -j ACCEPT
# drop all invalid packets regardless of their origin
-A INPUT -m conntrack --ctstate INVALID -j DROP
# allow established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# allow ICMPv6
-A INPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
# allow forwarding between eth0 and wlan0
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
# deny all other incoming connections
-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
radvd is also installed and configured:
# cat /etc/radvd.conf
interface wlan0 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
prefix 2a00:f480:4:266::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {
};
};
On my laptop in the LAN I have an IPv6 address from the ISP's subnet (I assume via Router Advertisements):
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether 78:24:af:04:66:72 brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 48:45:20:c0:77:cc brd ff:ff:ff:ff:ff:ff
inet 192.168.88.10/24 brd 192.168.88.255 scope global dynamic noprefixroute wlp2s0
valid_lft 85645sec preferred_lft 85645sec
inet6 2a00:f480:4:266:50d5:7ac7:d3b1:618f/64 scope global dynamic noprefixroute
valid_lft 86396sec preferred_lft 14396sec
inet6 fe80::40e2:4067:e8c6:3c1/64 scope link noprefixroute
valid_lft forever preferred_lft forever
However, test-ipv6, ping and traceroute of ipv6.google.com don't work on the laptop:
[viktor@desolve-nettop ~]$ ping ipv6.google.com
PING ipv6.google.com(li-in-x71.1e100.net (2a00:1450:4010:c05::71)) 56 data bytes
^C
--- ipv6.google.com ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7103ms
[viktor@desolve-nettop ~]$ traceroute -6 ipv6.google.com
traceroute to ipv6.google.com (2a00:1450:4010:c05::71), 30 hops max, 80 byte packets
1 2a00:f480:4:266::0388 (2a00:f480:4:266::0388) 121.853 ms 122.249 ms 122.224 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
At the same time, all is great on the router:
# ping ipv6.google.com
PING ipv6.google.com(li-in-x71.1e100.net (2a00:1450:4010:c05::71)) 56 data bytes
64 bytes from li-in-x71.1e100.net (2a00:1450:4010:c05::71): icmp_seq=1 ttl=45 time=16.4 ms
64 bytes from li-in-x71.1e100.net (2a00:1450:4010:c05::71): icmp_seq=2 ttl=45 time=16.4 ms
64 bytes from li-in-x71.1e100.net (2a00:1450:4010:c05::71): icmp_seq=3 ttl=45 time=16.3 ms
64 bytes from li-in-x71.1e100.net (2a00:1450:4010:c05::71): icmp_seq=4 ttl=45 time=16.3 ms
^C
--- ipv6.google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 16.313/16.359/16.434/0.047 ms
# traceroute -6 ipv6.google.com
traceroute to ipv6.google.com (2a00:1450:4010:c05::71), 30 hops max, 80 byte packets
1 2a00:f480:4:266::1 (2a00:f480:4:266::1) 0.723 ms 0.621 ms 0.608 ms
2 2a00:f480:0:3::4:ff (2a00:f480:0:3::4:ff) 0.667 ms 0.641 ms 0.626 ms
3 2a00:f480:0:3::517:10 (2a00:f480:0:3::517:10) 1.133 ms 1.007 ms 0.882 ms
4 2a00:f480:0:3::514:12 (2a00:f480:0:3::514:12) 0.773 ms 1.014 ms 0.889 ms
5 2a00:f480:0:1:: (2a00:f480:0:1::) 1.203 ms 1.261 ms 1.205 ms
6 m9-3-gw.msk.runnet.ru (2001:b08:b08:b08::f1) 0.690 ms 0.850 ms 0.768 ms
7 2001:4860:1:1:0:cc3:0:1 (2001:4860:1:1:0:cc3:0:1) 0.922 ms 0.797 ms 0.832 ms
8 2001:4860:0:116f::11 (2001:4860:0:116f::11) 1.315 ms 2001:4860:0:1170::2 (2001:4860:0:1170::2) 1.958 ms 2001:4860:0:1170::12 (2001:4860:0:1170::12) 1.155 ms
9 2001:4860::c:4001:8e2d (2001:4860::c:4001:8e2d) 19.363 ms 17.405 ms 2001:4860::8:4000:e519 (2001:4860::8:4000:e519) 18.808 ms
10 2001:4860::2:0:752c (2001:4860::2:0:752c) 16.285 ms 14.465 ms 14.462 ms
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 li-in-x71.1e100.net (2a00:1450:4010:c05::71) 18.411 ms 17.802 ms 16.240 ms
The ip6tables rules don't block requests, forwarding is enabled and I don't know why it doesn't work. The same is true for my Android phone. Can anyone help me find the cause of the problem?
PS: I've found the same issue here but with no solution.
Last edited by dviktor (2019-10-25 15:33:09)
Offline
Enabling forwarding isn't enough.
By design, routers do not forward DHCP requests.
Edit: It seems I've misread your issue.
Last edited by Zod (2019-10-25 03:40:08)
Offline
I've checked all the related topics in the Wiki and decided that all I need is kernel forwarding, an advertisement daemon and a prefix from my ISP. I don't use a DHCPv6 server. dnsmasq is serving only the IPv4 LAN.
Offline
I forgot to add that routers do not forward any broadcast traffic.
Offline
But how is it related to a simple ping? I can see activity in the ip6tables -nvL FORWARD chain (accepted) but I get no response (I assume).
Offline
Ping is not broadcast, it is directed ICMP.
Offline
But it doesn't work on my LAN laptop and phone. And the HTTP IPv6 test doesn't work either.
But from the router itself it works.
Offline
I think dhclient might work for you, I'm trying to find relevant documentation.
Offline
https://www.archlinux.org/packages/extra/x86_64/dhcp/
https://kb.isc.org/docs/isc-dhcp-41-man … s-dhcrelay
This is a relay agent (also a server and a client).
Last edited by Zod (2019-10-25 03:23:47)
Offline
I didn't see your router's routing table, you can see it with...
ip -6 route
Here's a how-to for IPv6 routing..
Offline
Zod, please use the Edit button for your post instead of replying to yourself multiple times: https://wiki.archlinux.org/index.php/Co … mpty_posts
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
Offline
Here is my routing table on the laptop in the LAN:
[viktor@desolve-nettop ~]$ ip -6 route
::1 dev lo proto kernel metric 256 pref medium
2a00:f480:4:266::/64 dev wlp2s0 proto ra metric 600 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev wlp2s0 proto kernel metric 600 pref medium
default via fe80::ba27:ebff:fec5:3179 dev wlp2s0 proto ra metric 20600 pref medium
Last edited by dviktor (2019-10-25 15:33:55)
Offline
Any ideas? I think I'm pretty close because the point of failure seems to be a forwarding issue. If anyone has some experience with building IPv6 routers, it would be great to hear about your cases.
Offline
Laptop traceroute first hop:
1 2a00:f480:4:266::0388 (2a00:f480:4:266::0388) 121.853 ms 122.249 ms 122.224 ms
Router traceroute first hop:
2a00:f480:4:266::1 (2a00:f480:4:266::1) 0.723 ms 0.621 ms 0.608 ms
Address 2a00:f480:4:266::0388 appears to be the wlan0 interface of your router.
Is the (outside-facing) eth0 interface of your router ping/traceable over IPv6 from the laptop?
Offline
Just tested now.
Router eth0 IPv6 address is 2a00:f480:4:266:7a24:afff:fe04:6672/64 (got from SLAAC)
Router wlan0 IPv6 address is 2a00:f480:4:266::388/64 (set manually)
nettop wlp2s0 IPv6 address is 2a00:f480:4:266:50d5:7ac7:d3b1:618f/64 (got from Router Advertisements)
Trying to ping router's eth0 IPv6:
[viktor@desolve-nettop ~]$ ping 2a00:f480:4:266:7a24:afff:fe04:6672
PING 2a00:f480:4:266:7a24:afff:fe04:6672(2a00:f480:4:266:7a24:afff:fe04:6672) 56 data bytes
From 2a00:f480:4:266:50d5:7ac7:d3b1:618f icmp_seq=1 Destination unreachable: Address unreachable
From 2a00:f480:4:266:50d5:7ac7:d3b1:618f icmp_seq=2 Destination unreachable: Address unreachable
From 2a00:f480:4:266:50d5:7ac7:d3b1:618f icmp_seq=3 Destination unreachable: Address unreachable
^C
--- 2a00:f480:4:266:7a24:afff:fe04:6672 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 3043ms
At the same time trying to traceroute it:
[viktor@desolve-nettop ~]$ traceroute -6 2a00:f480:4:266:7a24:afff:fe04:6672
traceroute to 2a00:f480:4:266:7a24:afff:fe04:6672 (2a00:f480:4:266:7a24:afff:fe04:6672), 30 hops max, 80 byte packets
1 desolve-nettop (2a00:f480:4:266:50d5:7ac7:d3b1:618f) 3036.082 ms !H 3036.002 ms !H 3035.975 ms !H
Very strange. ip6tables on router says nothing has been blocked:
# ip6tables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
48 7195 ACCEPT all lo * ::/0 ::/0
0 0 DROP all * * ::/0 ::/0 ctstate INVALID
140 21209 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
159 16632 ACCEPT icmpv6 * * ::/0 ::/0
0 0 REJECT udp * * ::/0 ::/0 reject-with icmp6-adm-prohibited
0 0 REJECT tcp * * ::/0 ::/0 reject-with tcp-reset
0 0 REJECT all * * ::/0 ::/0 reject-with icmp6-adm-prohibited
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 416 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
205 41478 ACCEPT all wlan0 eth0 ::/0 ::/0
Chain OUTPUT (policy ACCEPT 206 packets, 21510 bytes)
pkts bytes target prot opt in out source destination
176 20311 ACCEPT icmpv6 * * ::/0 ::/0
Offline
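The FORWARD counters from the `ip6tables -nvL` output above can be read programmatically. This is an added example, not part of the original posts; the function names are hypothetical, the dump is copied from the post, and the parser assumes the column layout shown on this page (no `opt` value, exact packet counts). It compares packets accepted from wlan0 to eth0 with packets that ever matched the RELATED,ESTABLISHED rule.

```python
# Copied from the `ip6tables -nvL` output posted above (FORWARD chain only).
FORWARD_DUMP = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 416 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
205 41478 ACCEPT all wlan0 eth0 ::/0 ::/0
"""


def parse_chain(dump, chain):
    """Return the rules of one chain as dicts (layout assumed as on this page)."""
    rules, active = [], False
    for line in dump.splitlines():
        if line.startswith("Chain "):
            active = line.split()[1] == chain
            continue
        f = line.split()
        # Skip the header row and anything that does not start with a counter.
        if not active or len(f) < 8 or not f[0].isdigit():
            continue
        rules.append({"pkts": int(f[0]), "target": f[2], "proto": f[3],
                      "in": f[4], "out": f[5], "extra": " ".join(f[8:])})
    return rules


def forward_asymmetry(dump, lan="wlan0", wan="eth0"):
    """Compare LAN->WAN accepted packets with packets of established flows."""
    rules = parse_chain(dump, "FORWARD")
    outbound = sum(r["pkts"] for r in rules
                   if r["in"] == lan and r["out"] == wan)
    # A flow only becomes ESTABLISHED once conntrack has seen a reply,
    # so a zero here means no forwarded flow ever got an answer.
    established = sum(r["pkts"] for r in rules if "ESTABLISHED" in r["extra"])
    return {"outbound": outbound, "established": established,
            "one_way": outbound > 0 and established == 0}


if __name__ == "__main__":
    print(forward_asymmetry(FORWARD_DUMP))
```

A `one_way` result means the firewall is passing LAN traffic out but no replies are arriving to be forwarded back, so the drop is happening outside the ip6tables rules.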
I wonder, your Linux router might have to request the whole prefix from your router/modem using prefix delegation:
https://wiki.archlinux.org/index.php/IP … DHCPv6-PD)
Edit: I believe if configured correctly, systemd-networkd might also replace radvd?
Last edited by progandy (2019-10-29 22:02:48)
Offline
I already tried the wiki section about dhcpcd (because netctl can use it, which is my case) but with no luck. The suggested settings make it impossible to get IPv6 addresses (and delegate them). Maybe I am missing something and the article is a bit unclear.
Maybe it is worth experimenting with systemd-networkd if it's capable of doing so. I will see.
Offline
You might also have to enable prefix delegation in your ISP router.
Your ISP router receives an IPv6 prefix from your provider, probably /48 or /56. In normal operation it now chooses one /64 subprefix and allows clients to choose an address from that pool with SLAAC and/or DHCPv6.
If you want to delegate a prefix to another router, then first the delegation server has to be started on the ISP router. Then the delegation client can ask for a prefix and then distribute addresses with e.g. SLAAC.
Edit: You could also try to configure your ISP-supplied router as a dumb modem and delegate connecting and fetching the IP from the ISP to your Linux box.
Last edited by progandy (2019-10-30 17:18:32)
Offline
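A check for the addressing layout discussed in this thread, as an added example that is not part of the original posts: it flags a global IPv6 prefix that is on-link on more than one interface of the same router, which is the case the prefix-delegation suggestion avoids by giving the LAN side its own prefix. Function names are hypothetical; the sample is constructed in trimmed `ip -o -6 addr show` form from the router addresses quoted above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: `ip -o -6 addr show` lines (lifetimes trimmed),
# built from the router addresses quoted in this thread.
ROUTER_ADDRS = """\
1: lo inet6 ::1/128 scope host
2: eth0 inet6 2a00:f480:4:266:7a24:afff:fe04:6672/64 scope global dynamic mngtmpaddr
2: eth0 inet6 fe80::7a24:afff:fe04:6672/64 scope link
3: wlan0 inet6 2a00:f480:4:266::0388/64 scope global nodad
3: wlan0 inet6 fe80::ba27:ebff:fec5:3179/64 scope link
"""


def global_prefixes(ip_o_output):
    """Map each non-link-local IPv6 network to the interfaces carrying it."""
    nets = defaultdict(set)
    for line in ip_o_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "inet6":
            continue
        addr = ipaddress.ip_interface(fields[3])
        if addr.ip.is_link_local or addr.ip.is_loopback:
            continue
        nets[addr.network].add(fields[1])
    return nets


def shared_prefixes(ip_o_output):
    """Return {prefix: [interfaces]} for prefixes present on >1 interface."""
    return {str(net): sorted(ifaces)
            for net, ifaces in global_prefixes(ip_o_output).items()
            if len(ifaces) > 1}


if __name__ == "__main__":
    for prefix, ifaces in shared_prefixes(ROUTER_ADDRS).items():
        print(f"{prefix} is on-link on {', '.join(ifaces)}")
```

When the same /64 appears on both sides, the upstream router treats LAN hosts as directly attached to its own link and tries neighbour discovery for them on the eth0 segment, where they cannot answer.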
Moved to the systemd-networkd setup. My configs for WAN and LAN now:
# cat /etc/systemd/network/10-wired.network
[Match]
Name=eth0
[Network]
DHCP=yes
IPForward=yes
IPv6Token=::1
IPv6AcceptRA=yes
IPv6DuplicateAddressDetection=1
IPv6PrivacyExtensions=kernel
# cat /etc/systemd/network/10-wlan.network
[Match]
Name=wlan0
[Network]
Address=192.168.88.1/24
IPv6PrefixDelegation=dhcpv6
However, I have no IPv6 address assigned to my wlan0 interface or to any of my LAN clients. Seems like my ISP manages IPv6 in a strange way...
Offline