[SOLVED] How to configure IPv6

guilouv · 2022-02-22 15:03:30

Hello World,

After decades, I eventually decided to move to IPv6 following the always wonderful Arch wiki. I went with the config for stable private addresses.

1. I'm using systemd-networkd and enabled the ipv6-icmp packets in nftables with the following lines in the nftables.conf file:

table ip6 filter {
        chain INPUT {
                type filter hook input priority 0; policy drop;
                iif lo accept
                iif != lo ip6 daddr ::1/128 counter drop
                ct state invalid drop
                ct state established,related accept
                ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
                #ip protocol igmp accept
                tcp dport { smtp, 465, 143, 993 } counter accept
                counter drop
        }
        chain FORWARD {
                type filter hook forward priority 0; policy drop;
                counter comment
        }
        chain OUTPUT {
                type filter hook output priority 0;
        }
}

These are the lines for IPv6 only. Obviously I have working lines for IPv4.

2. /etc/sysctl.d/40-ipv6.conf

net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.enp4s00.use_tempaddr = 2
net.ipv6.conf.wlp2s0f3.use_tempaddr = 2
net.ipv6.conf.vmnet1.use_tempaddr = 2
net.ipv6.conf.vmnet8.use_tempaddr = 2
net.ipv6.conf.tun0.use_tempaddr = 2
net.ipv6.conf.nicN.use_tempaddr = 2
net.ipv6.conf.wlp0s20f3.stable_secret = XYZ_Secret
net.ipv6.conf.wlp0s20f3.addr_gen_mode = 2

Note that XYZ_Secret has been replaced by the output of sysctl net.ipv6.conf.wlan0.stable_secret after running sysctl net.ipv6.conf.wlp0s20f3.addr_gen_mode=3.

3. /etc/systemd/network/25-wireless.network

[Match]
Name=wlp0s20f3

[Network]
DHCP=ipv6
IPv6PrivacyExtensions=Kernel

[DHCP]
RouteMetric=20

4. /etc/dhcpcd.conf

# A sample configuration for dhcpcd.
# See dhcpcd.conf(5) for details.

# Allow users of this group to interact with dhcpcd via the control socket.
#controlgroup wheel

# Inform the DHCP server of our hostname for DDNS.
#hostname

# Use the hardware address of the interface for the Client ID.
#clientid
# or
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361.
# Some non-RFC compliant DHCP servers do not reply with this set.
# In this case, comment out duid and enable clientid above.
duid

# Persist interface configuration when dhcpcd exits.
persistent

# vendorclassid is set to blank to avoid sending the default of
# dhcpcd-<version>:<os>:<machine>:<platform>
vendorclassid

# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search
option classless_static_routes
# Respect the network MTU. This is applied to DHCP routes.
option interface_mtu

# Request a hostname from the network
option host_name

# Most distributions have NTP support.
#option ntp_servers

# Rapid commit support.
# Safe to enable by default because it requires the equivalent option set
# on the server to actually work.
option rapid_commit

# A ServerID is required by RFC2131.
require dhcp_server_identifier

# Generate SLAAC address using the Hardware Address of the interface
slaac hwaddr
# OR generate Stable Private IPv6 Addresses based from the DUID
#slaac private
noipv4ll

5. Following the instructions for the Asus AC1900 router I've selected Passthrough for the IPv6 connection type.

The result is that I can see an IPv6 address for my interface (wlp0s20f3) by running the command ip addr show dev wlp0s20f3 but cannot connect to the internet.

Any help from the great Arch community is welcome. Thanks in advance !

Last edited by guilouv (2022-02-22 18:53:09)

seth · 2022-02-22 15:21:24

move to IPv6

but cannot connect to the internet

You cannot "move to IPv6" because "the internet" might be some domain that "only" has an IPv4.

ip a; ip r; ping -6 2001:4860:4860::8888; ping -4 8.8.8.8; ping -c1 google.com; ping -c1 ipv6.google.com

enabled the ipv6-icmp packets in nftables

Are you concerned about outbound traffic ("connect to the internet") or inbound traffic (server)?

I can see an IPv6 address for my interface

Unless you disable the IPv6 stack you're getting an IPv6 no matter what - doesn't mean there's an IPv6 route or even support from your ISP.
If you want to know whether you can reach IPv6 domains, try https://ipv6test.google.com/

-thc · 2022-02-22 15:28:51

Does your current ISP provide IPv6 to you?

If yes, does your ISP support your chosen mode (Passthrough) for IPv6?

Last edited by -thc (2022-02-22 15:29:34)

guilouv · 2022-02-22 15:40:28

You cannot "move to IPv6" because "the internet" might be some domain that "only" has an IPv4.

That's completely true.

ip a; ip r; ping -6 2001:4860:4860::8888; ping -4 8.8.8.8; ping -c1 google.com; ping -c1 ipv6.google.com

This command works.

Are you concerned about outbound traffic ("connect to the internet") or inbound traffic (server)?

I'm concerned about connecting to the internet. Just followed the wiki's instruction for clients: "If you are using an other firewall frontend (ufw, shorewall, etc) consult their documentation on how to enable the ipv6-icmp packets."

Unless you disable the IPv6 stack you're getting an IPv6 no matter what - doesn't mean there's an IPv6 route or even support from your ISP.

Right. I just wanted to let you know that an IPv6 address is attributed to my interface. That can eliminate some other issues which would prevent that because if not configured correctly at all you can end up with the system not being able to give you an ip address. But the gap between getting an address and navigating the web is huge ^^

Great questions -thc ! Verizon is my ISP and I could not find any clear information. Their IPv6 FAQ page is pretty useless with:
"Q: Where is IPv6 available?
A: Dual stack IPv4/IPv6 will be launched in various areas within Verizon’s Fios network. Check back for more information."
I would be happy to get more info if you have some.

Re: the Passthrough method, it is the one recommended for my router for automatic IP (the other options are for PPPoE and static IP).

The Arch community is so responsive and knowledgeable. I post rarely but after 20 years running Arch I'm still amazed by the community. Thanks guys!

seth · 2022-02-22 15:56:15

This command works.

It's actually a series of commands and I assume some of them to fail - please post the complete output.

However…

I'm concerned about connecting to the internet.

If you undo your efforts, can you reach https://ipv6test.google.com/ ?

The Verizon FAQ wrote:

What will happen if I try to reach an IPv6 website today?
If you attempt to connect to an IPv6-only website with your Verizon service today, you will receive an error message in your browser indicating that a communication error has occurred and you are unable to route to the host. You will receive this message until your area has been changed to dual stack IPv6/IPv4.

https://www.ipv6.com/blog/how-long-will … -its-time/
https://forums.verizon.com/t5/Fios-Inte … d-p/860656
https://arstechnica.com/civis/viewtopic … &t=1478961
https://forum.netgate.com/topic/155534/ … gs-work/16

Sounds as if Verizon is still working on the dual stack - I doubt that you'll have an IPv6 WAN…
Most consumer routers have tools to eg. ping remote hosts - try to ping an IPv6 from there before you focus on the client systems.

guilouv · 2022-02-22 16:08:10

And I'm stupid... I meant ip a; ip r; ping -6 2001:4860:4860::8888; ping -4 8.8.8.8; ping -c1 google.com; ping -c1 ipv6.google.com does not work.
And to be totally dumb I also forgot to add the output (you should never do 5 things at once):

ping: connect: Network is unreachable
ping: connect: Network is unreachable
ping: google.com: Temporary failure in name resolution
ping: ipv6.google.com: Temporary failure in name resolution

If you undo your efforts, can you reach https://ipv6test.google.com/ ?

Do you mean connecting with IPv4? Then yes I can access this website.

Your links confirmed the vagueness of the Verizon situation. I thought I was late in the IPv6 game but I may still have time ^^

Most consumer routers have tools to eg. ping remote hosts - try to ping an IPv6 from there before you focus on the client systems.

And here you go. Looks like I was fighting for nothing. Thanks for saving me so much time !

PING ipv6.google.com (2607:f8b0:4004:800::200e): 56 data bytes
ping: sendto: Network is unreachable

Last edited by guilouv (2022-02-22 16:17:03)

merlock · 2022-02-22 16:23:40

I think that by using the passthru mode of your router, you won't get an IPv6 routing (at least that was my findings from my ASUS ACRH-13 router).

For Cox, my IPv6 router settings are:

Connection type:  Native
DHCP-PD: Enable
Router Advertisement: Enable

What do you get from

ip -6 route show

?

Mine:

ip -6 route show
::1 dev lo proto kernel metric 256 pref medium
<redacted>:a780:6d::/64 dev eth0 proto ra metric 1002 mtu 1500 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::127b:44ff:fe56:a00c dev eth0 proto ra metric 1002 mtu 1500 pref medium

Last edited by merlock (2022-02-22 16:24:12)

-thc · 2022-02-22 16:25:47

guilouv wrote:

Verizon is my ISP and I could not find any clear information. Their IPv6 FAQ page is pretty useless with:
"Q: Where is IPv6 available?
A: Dual stack IPv4/IPv6 will be launched in various areas within Verizon’s Fios network. Check back for more information."
I would be happy to get more info if you have some.
Re: the Passthrough method, it is the one recommended for my router for automatic IP (the other options are for PPPoE and static IP).

I just want you to understand that you can not decide to switch to (native, not tunneled) IPv6 if your ISP doesn't provide it.
And you can not decide which IPv6 WAN configuration method to use because your ISP decides/defines this for your port.

guilouv · 2022-02-22 16:57:27

Right -thc but we have to pick the right option in the router anyway, no? Otherwise, it may messed up things anyway. Otherwise there's no need for such options.

merlock, with the same router config as yours, ip -6 route show returns:

::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev wlp0s20f3 proto kernel metric 256 pref medium

If I understand -thc correctly (though I may be wrong here as well), the fact that a ping from my router does not work seems to indicate that my ISP does not provide me with IPv6 support.

seth · 2022-02-22 17:21:35

At least the router isn't configured in a way that allows it to access IPv6 hosts.
Given the other findings on verizons status quo on the matter, you currently don't have direct access to IPv6 addresses.
If you need access to an IPv6-only host, you'll have to rely on a broker service.

guilouv · 2022-02-22 18:52:27

The good news is that my system should be ready to use IPv6 whenever it is available to me.

I will go ahead and mark this thread as solved even if technically it is all in ISP's hands now ^^

Another victory for the Arch community who rocks !

Arch Linux

#1 2022-02-22 15:03:30

[SOLVED] How to configure IPv6

#2 2022-02-22 15:21:24

Re: [SOLVED] How to configure IPv6

#3 2022-02-22 15:28:51

Re: [SOLVED] How to configure IPv6

#4 2022-02-22 15:40:28

Re: [SOLVED] How to configure IPv6

#5 2022-02-22 15:56:15

Re: [SOLVED] How to configure IPv6

#6 2022-02-22 16:08:10

Re: [SOLVED] How to configure IPv6

#7 2022-02-22 16:23:40

Re: [SOLVED] How to configure IPv6

#8 2022-02-22 16:25:47

Re: [SOLVED] How to configure IPv6

#9 2022-02-22 16:57:27

Re: [SOLVED] How to configure IPv6

#10 2022-02-22 17:21:35

Re: [SOLVED] How to configure IPv6

#11 2022-02-22 18:52:27

Re: [SOLVED] How to configure IPv6

Board footer