Hello! So, after spending several days between here, the wiki, various blogs, etc. I've run out of ideas to try, and so here I am.
Firstly, background.
I started with the Arch Router (systemd-networkd + systemd-resolved based), combined it with the IPv6 (systemd-networkd IPv6-PD) info, and then slapped on the wpa_supplicant bit I need to play nice with AT&T (I'm doing the complete RG replacement with certs, not any kind of crazy proxying/routing/etc.). Added in Firewalld on top of that, and now we've got a working setup.
So! After doing all this, I get IPv4 and IPv6 addresses on the router. I give out IPv4 to clients behind the router via DHCP, I pass along IPv6 addresses to the clients, etc. Clients can ping anything via IPv4 or IPv6. The router itself can ping anything via IPv4, but cannot via IPv6.
Now, before people ask for all the various bits, let me show you!
systemd-networkd Files
==> 10-enp1s0.network <==
[Match]
Name=enp1s0
[Network]
VLAN=enp1s0.0
==> 15-enp1s0.0.netdev <==
[NetDev]
Name=enp1s0.0
Kind=vlan
[VLAN]
Id=0
==> 20-enp1s0.0.network <==
[Match]
Name=enp1s0.0
[Network]
DHCP=yes
# IPv6 Things
IPForward=ipv6
IPv6AcceptRA=yes
IPv6DuplicateAddressDetection=1
IPv6PrivacyExtensions=no
[DHCPv4]
UseDNS=false
[DHCPv6]
UseDNS=false
WithoutRA=solicit
[IPv6AcceptRA]
UseDNS=false
==> 25-br0.netdev <==
[NetDev]
Name=br0
Kind=bridge
==> 30-br0.network <==
[Match]
Name=br0
[Network]
Address=192.168.7.1/24
Domains=asgard.home
# Route Traffic
IPMasquerade=true
DHCPServer=true
# Do IPv6
IPv6PrefixDelegation=dhcpv6
IPv6DuplicateAddressDetection=1
IPv6PrivacyExtensions=no
[IPv6PrefixDelegation]
RouterLifetimeSec=3600
[DHCPServer]
PoolOffset=11
PoolSize=200
EmitDNS=yes
DNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
==> 35-uplinks.network <==
[Match]
Name=enp[2-6]*
[Link]
RequiredForOnline=no
[Network]
Bridge=br0
LinkLocalAddressing=no
systemd-networkd Conf
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See networkd.conf(5) for details
[Network]
#SpeedMeter=no
#SpeedMeterIntervalSec=10sec
#ManageForeignRoutes=yes
[DHCP]
#DUIDType=vendor
#DUIDRawData=
systemd-resolved Conf
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See resolved.conf(5) for details
[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
# Google: 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
# Quad9: 9.9.9.9 2620:fe::fe
DNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
Domains=asgard.home
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
MulticastDNS=yes
LLMNR=yes
Cache=yes
DNSStubListener=yes
#DNSStubListenerExtra=
ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
wpa_supplicant Conf
# Generated by 802.1x Credential Extraction Tool
# Copyright (c) 2018-2019 devicelocksmith.com
# Version: 1.04 windows 386
#
# Change file names to absolute paths
eapol_version=1
ap_scan=0
fast_reauth=1
network={
ca_cert="/etc/wpa_supplicant/ca.pem"
client_cert="/etc/wpa_supplicant/client.pem"
eap=TLS
eapol_flags=0
identity="XX:XX:XX:XX:XX:XX" # I am excluding my actual RG MAC that goes here.
key_mgmt=IEEE8021X
phase1="allow_canned_success=1"
private_key="/etc/wpa_supplicant/key.pem"
}
firewalld WAN Zone
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Router External</short>
<description>For use on external router networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<masquerade/>
<service name="dhcpv6-client"/>
<interface name="enp1s0"/>
<interface name="enp1s0.0"/>
</zone>
firewalld LAN Zone
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
<short>Trusted</short>
<description>All network connections are accepted.</description>
<interface name="br0"/>
</zone>
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
link/ether 00:e0:67:1f:fd:f0 brd ff:ff:ff:ff:ff:ff
inet6 fe80::2e0:67ff:fe1f:fdf0/64 scope link
valid_lft forever preferred_lft forever
3: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake master br0 state UP group default qlen 1000
link/ether 00:e0:67:1f:fd:f1 brd ff:ff:ff:ff:ff:ff
4: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc cake master br0 state DOWN group default qlen 1000
link/ether 00:e0:67:1f:fd:f2 brd ff:ff:ff:ff:ff:ff
5: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake master br0 state UP group default qlen 1000
link/ether 00:e0:67:1f:fd:f3 brd ff:ff:ff:ff:ff:ff
6: enp5s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc cake master br0 state DOWN group default qlen 1000
link/ether 00:e0:67:1f:fd:f4 brd ff:ff:ff:ff:ff:ff
7: enp6s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc cake master br0 state DOWN group default qlen 1000
link/ether 00:e0:67:1f:fd:f5 brd ff:ff:ff:ff:ff:ff
8: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 1c:4b:d6:7d:94:09 brd ff:ff:ff:ff:ff:ff
9: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 1a:25:b6:31:c3:58 brd ff:ff:ff:ff:ff:ff
inet 192.168.7.1/24 brd 192.168.7.255 scope global br0
valid_lft forever preferred_lft forever
inet6 2600:1700:8a14:81a0:1825:b6ff:fe31:c358/64 scope global dynamic
valid_lft 2263sec preferred_lft 2263sec
inet6 fe80::1825:b6ff:fe31:c358/64 scope link
valid_lft forever preferred_lft forever
10: enp1s0.0@enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:e0:67:1f:fd:f0 brd ff:ff:ff:ff:ff:ff
inet 104.1.92.108/23 brd 104.1.93.255 scope global dynamic enp1s0.0
valid_lft 2386sec preferred_lft 2386sec
inet6 2001:506:78a1:4064::1/128 scope global dynamic noprefixroute
valid_lft 2263sec preferred_lft 2263sec
inet6 fe80::2e0:67ff:fe1f:fdf0/64 scope link
valid_lft forever preferred_lft forever
ip -4 route
default via 104.1.92.1 dev enp1s0.0 proto dhcp src 104.1.92.108 metric 1024
104.1.92.0/23 dev enp1s0.0 proto kernel scope link src 104.1.92.108
104.1.92.1 dev enp1s0.0 proto dhcp scope link src 104.1.92.108 metric 1024
192.168.7.0/24 dev br0 proto kernel scope link src 192.168.7.1
ip -6 route
::1 dev lo proto kernel metric 256 pref medium
2600:1700:8a14:81a0::/64 dev br0 proto kernel metric 256 expires 2274sec pref medium
2600:1700:8a14:81a0::/64 dev br0 metric 1024 pref medium
unreachable 2600:1700:8a14:81a0::/60 dev lo metric 1024 pref medium
fe80::/64 dev enp1s0 proto kernel metric 256 pref medium
fe80::/64 dev enp1s0.0 proto kernel metric 256 pref medium
fe80::/64 dev br0 proto kernel metric 256 pref medium
default via fe80::2d0:f6ff:fec9:d980 dev enp1s0.0 proto ra metric 1024 expires 3802sec pref medium
Ok! I think that's everything people will ask for, but happy to provide other info if it's not. In case you're wondering about the hardware, it's one of these with enp1s0 serving as the WAN and the rest of the ports bridged as a "switch" for the LAN.
Anywho. Not sure if anyone has any hints/tips/troubleshooting steps, but I've run out of ideas. It's not doom if I can't fix it, since the client PCs/phones/etc. are happy and the server doesn't need IPv6 to work, but it'd be nice to finish it off and have everything buttoned up.
EDIT
So, after trying to figure out some of the tcpdump bits, it rattled loose a memory in my brain about which source address to choose. I went and found this bbs post which led me to trying out...
ip -6 addr change 2001:506:78a1:4064::1/128 dev enp1s0.0 preferred_lft 0
Many thanks to /u/swayuser and /u/Dagger0 over in the subreddit for jogging my memory and putting forth some good ideas in the cross-post over there.
Last edited by epyon_avenger (2020-12-18 07:30:09)
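Why deprecating the DHCPv6 IA_NA address fixes router-originated IPv6 while leaving forwarding untouched comes down to RFC 6724 source address selection, which the post does not spell out. The script below is an added example (not part of the original post or of systemd) that models the subset of the RFC 6724 rules relevant here: rule 2 (appropriate scope), rule 3 (avoid deprecated addresses), rule 5 (prefer the outgoing interface) and rule 8 (longest matching prefix). The addresses are copied from the post's `ip addr` output; the interface assignment and the destination `2606:4700:4700::1111` leaving via `enp1s0.0` are constructed from the post's routing table. Rules 4, 5.5, 6 and 7 and Linux-specific behaviour are not modelled, so treat it as an illustration of the ordering, not a kernel emulator.

```python
"""Model of RFC 6724 source address selection for the post's router.

Added example: the Candidate list is constructed from the post's `ip addr`
output, and `deprecate()` models `ip -6 addr change ... preferred_lft 0`.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    """One address the kernel could pick as the source of a locally originated packet."""
    addr: ipaddress.IPv6Address
    iface: str
    deprecated: bool = False  # True once preferred_lft has reached 0


def scope(a: ipaddress.IPv6Address) -> int:
    """RFC 4007 scope value: link-local is 0x2, everything else on this router is global 0xe."""
    return 0x2 if a.is_link_local else 0xE


def common_prefix_len(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address) -> int:
    """Number of leading bits shared by two addresses (RFC 6724 rule 8 metric)."""
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(dst: str, candidates, out_iface: str) -> str:
    """Return the source the modelled rules would choose for packets to `dst`.

    Lower rank tuple wins; tuple order is the RFC's rule order, so an earlier
    rule always beats a later one (rule 3 beats rule 5, which is the whole
    point of the post's fix).
    """
    d = ipaddress.IPv6Address(dst)

    def rank(c: Candidate):
        return (
            scope(c.addr) < scope(d),        # rule 2: insufficient scope ranks last
            c.deprecated,                    # rule 3: avoid deprecated addresses
            c.iface != out_iface,            # rule 5: prefer the outgoing interface
            -common_prefix_len(c.addr, d),   # rule 8: longest matching prefix
        )

    return str(min(candidates, key=rank).addr)


def router_addresses():
    """Constructed from the post's `ip addr` output: WAN VLAN and LAN bridge addresses."""
    return [
        Candidate(ipaddress.IPv6Address("fe80::2e0:67ff:fe1f:fdf0"), "enp1s0.0"),
        Candidate(ipaddress.IPv6Address("2001:506:78a1:4064::1"), "enp1s0.0"),  # DHCPv6 IA_NA /128
        Candidate(ipaddress.IPv6Address("fe80::1825:b6ff:fe31:c358"), "br0"),
        Candidate(ipaddress.IPv6Address("2600:1700:8a14:81a0:1825:b6ff:fe31:c358"), "br0"),  # from the delegated prefix
    ]


def deprecate(candidates, addr: str):
    """Model `ip -6 addr change <addr> dev <iface> preferred_lft 0`: the address stays
    assigned (existing flows keep working) but rule 3 now ranks it last."""
    target = ipaddress.IPv6Address(addr)
    return [Candidate(c.addr, c.iface, True) if c.addr == target else c for c in candidates]


DST = "2606:4700:4700::1111"  # one of the post's DNS servers, routed out the WAN VLAN
WAN = "enp1s0.0"

if __name__ == "__main__":
    before = select_source(DST, router_addresses(), WAN)
    after = select_source(DST, deprecate(router_addresses(), "2001:506:78a1:4064::1"), WAN)
    print(f"source before fix: {before}")
    print(f"source after fix:  {after}")
```

Before the fix, rule 5 makes the kernel source router-originated packets from the IA_NA `/128` on `enp1s0.0`, which is the address the post's pings were going out with. After `preferred_lft 0`, rule 3 outranks rule 5 and the delegated-prefix address on `br0` is chosen instead, the same address family the (working) LAN clients use. On the real router the equivalent check is `ip -6 route get 2606:4700:4700::1111` and reading the `src` field before and after the change. Note that the `ip addr change` is not persistent: it is gone after a reboot and may be reset when networkd refreshes the lease, so verify the `src` again after the next renewal.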