Currently I am using systemd with systemd-networkd on my router to control the access to my private lan and handle the network interfaces. With kernel 6.9.3.arch1-1 and systemd 255.7-1 all is working as expected. IPv4 and IPv6 is routed and clients can access internet via IPv4 and IPv6.
Current configuration:
/etc/systemd/networkd.conf:
[Network]
#SpeedMeter=no
#SpeedMeterIntervalSec=10sec
#ManageForeignRoutingPolicyRules=yes
#ManageForeignRoutes=yes
#RouteTable=
#IPv6PrivacyExtensions=no
[DHCPv4]
#DUIDType=vendor
#DUIDRawData=
[DHCPv6]
#DUIDType=vendor
#DUIDRawData=
/etc/systemd/network/10-wan.network:
[Match]
Name=wan
[Link]
RequiredForOnline=no
[Network]
DHCP=yes
DNSSEC=no
LinkLocalAddressing=ipv6
IPv6AcceptRA=yes
IPForward=yes
[DHCPv4]
Hostname=hostname
UseDNS=no
UseNTP=no
UseSIP=no
UseHostname=no
UseRoutes=yes
UseGateway=yes
[DHCPv6]
PrefixDelegationHint=::/59
Hostname=hostname
UseDNS=no
UseNTP=no
UseHostname=no
[IPv6AcceptRA]
UseDNS=no
/etc/systemd/network/30-lan.network:
[Match]
Name=lan
[Link]
RequiredForOnline=yes
[Network]
IPMasquerade=ipv4
LinkLocalAddressing=ipv6
IPv6AcceptRA=no
IPv6SendRA=yes
DHCPv6PrefixDelegation=yes
IPForward=yes
[Address]
Address=192.168.10.1/24
[IPv6SendRA]
EmitDNS=yes
EmitDomains=no
[DHCPPrefixDelegation]
UplinkInterface=wan
SubnetId=1
Announce=yes
/etc/sysctl.d/10-ipforward.conf:
#IPv4 forward
net.ipv4.ip_forward=1
#IPv6 forward
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
/etc/sysctl.d/20-ra.conf:
# Accept router advertisements.
net.ipv6.conf.all.accept_ra=2
net.ipv6.conf.default.accept_ra=2
After my update to the latest packages kernel 6.11.1.arch1-1 and systemd 256.6-1 and all the others my router is not working. IPv4 can be used for internet access. IPv6 is not routed and no IPv6 addresses are assigned internally.
I have changed the configuration to the new preferred settings :
/etc/systemd/networkd.conf:
[Network]
#SpeedMeter=no
#SpeedMeterIntervalSec=10sec
#ManageForeignRoutingPolicyRules=yes
#ManageForeignRoutes=yes
#RouteTable=
#IPv6PrivacyExtensions=no
IPv4Forwarding=yes # Added for global routing
IPv6Forwarding=yes # Added for global routing
[DHCPv4]
#DUIDType=vendor
#DUIDRawData=
[DHCPv6]
#DUIDType=vendor
#DUIDRawData=
/etc/systemd/network/10-wan.network:
[Match]
Name=wan
[Link]
RequiredForOnline=no
[Network]
DHCP=yes
DNSSEC=no
LinkLocalAddressing=ipv6
IPv6AcceptRA=yes
#IPForward=yes # Removed old setting
IPv4Forwarding=yes # Added for interface routing
IPv6Forwarding=yes # Added for interface routing
[DHCPv4]
Hostname=hostname
UseDNS=no
UseNTP=no
UseSIP=no
UseHostname=no
UseRoutes=yes
UseGateway=yes
[DHCPv6]
PrefixDelegationHint=::/59
Hostname=hostname
UseDNS=no
UseNTP=no
UseHostname=no
[IPv6AcceptRA]
UseDNS=no
/etc/systemd/network/30-lan.network:
[Match]
Name=lan
[Link]
RequiredForOnline=yes
[Network]
IPMasquerade=ipv4
LinkLocalAddressing=ipv6
IPv6AcceptRA=no
IPv6SendRA=yes
DHCPv6PrefixDelegation=yes
#IPForward=yes # Removed old setting
IPv4Forwarding=yes # Added for interface routing
IPv6Forwarding=yes # Added for interface routing
[Address]
Address=192.168.10.1/24
[IPv6SendRA]
EmitDNS=yes
EmitDomains=no
[DHCPPrefixDelegation]
UplinkInterface=wan
SubnetId=1
Announce=yes
/etc/sysctl.d/10-ipforward.conf:
#IPv4 forward
net.ipv4.ip_forward=1
#IPv6 forward
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
/etc/sysctl.d/20-ra.conf:
# Accept router advertisements.
net.ipv6.conf.all.accept_ra=2
net.ipv6.conf.default.accept_ra=2
After applying new settings behavior did not change. Only IPv4 is working and IPv6 is still broken. I have searched systemd for issues and could not find one. At the moment I am not sure where the issue is located. Perhaps someone can help me to get it running again. :lol
Thank you very much.
Last edited by cooldiver2 (2024-11-05 09:18:23)
Offline
systemd 256.1-1 entered repos around 19 September, linux 6.11.1 around October 1.
Have you tested with 6.10.x or linux-lts to verify if this is kernel related?
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
A router should not accept RA itself
IPv6AcceptRA=no
but you instruct the kernel to accept it anyway
net.ipv6.conf.all.accept_ra=2
net.ipv6.conf.default.accept_ra=2
Anyhow - what exactly do the clients get? The RA (gateway and DNS)? The global IPv6 address?
Offline
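The point above about accept_ra on a forwarding router can be checked mechanically. This is an added example, not code from any poster or from systemd: it parses the `grep -H . /proc/sys/...` output format used in this thread and applies the kernel's rule (0 = never, 1 = only while not forwarding, 2 = even while forwarding). The finding codes and the choice of `lan` as the downstream interface are assumptions.

```python
import re
from collections import defaultdict

# Constructed dump in the `grep -H . /proc/sys/...` format used in this thread.
# It models accept_ra=2 (the value written by the first post's 20-ra.conf)
# reaching the LAN side of a forwarding router; the values are assumptions.
CONSTRUCTED_DUMP = """\
/proc/sys/net/ipv6/conf/all/forwarding:1
/proc/sys/net/ipv6/conf/default/forwarding:1
/proc/sys/net/ipv6/conf/wan/forwarding:1
/proc/sys/net/ipv6/conf/lan/forwarding:1
/proc/sys/net/ipv6/conf/all/accept_ra:2
/proc/sys/net/ipv6/conf/default/accept_ra:2
/proc/sys/net/ipv6/conf/wan/accept_ra:0
/proc/sys/net/ipv6/conf/lan/accept_ra:2
"""

# Values as posted later in the thread, after 20-ra.conf was removed.
THREAD_DUMP = """\
/proc/sys/net/ipv6/conf/all/forwarding:1
/proc/sys/net/ipv6/conf/default/forwarding:1
/proc/sys/net/ipv6/conf/wan/forwarding:1
/proc/sys/net/ipv6/conf/lan/forwarding:1
/proc/sys/net/ipv6/conf/all/accept_ra:1
/proc/sys/net/ipv6/conf/default/accept_ra:1
/proc/sys/net/ipv6/conf/wan/accept_ra:0
/proc/sys/net/ipv6/conf/lan/accept_ra:0
"""

LINE = re.compile(
    r"^/proc/sys/net/ipv6/conf/([^/]+)/(forwarding|accept_ra):(\d+)$"
)

# Hypothetical finding codes used by this example only.
EXPLAIN = {
    "RA_ON_DOWNSTREAM": "kernel accepts RAs on an interface the router serves",
    "RA_TEMPLATE": "new interfaces will accept RAs even while forwarding",
    "RA_INERT": "accept_ra=1 has no effect while forwarding=1",
    "INCOMPLETE": "forwarding or accept_ra missing from the dump",
}


def parse_sysctl_dump(text):
    """Return {interface: {"forwarding": int, "accept_ra": int}}."""
    conf = defaultdict(dict)
    for raw in text.splitlines():
        match = LINE.match(raw.strip())
        if match:  # anything else (prompts, IPv4 lines, blanks) is skipped
            iface, key, value = match.groups()
            conf[iface][key] = int(value)
    return dict(conf)


def kernel_accepts_ra(forwarding, accept_ra):
    """Kernel rule: with forwarding on, only accept_ra=2 still accepts RAs."""
    return accept_ra == 2 if forwarding else accept_ra != 0


def audit(text, downstream=("lan",)):
    """Return sorted (interface, code) findings for a router's sysctl dump."""
    findings = []
    for iface, values in sorted(parse_sysctl_dump(text).items()):
        if iface == "all":
            continue  # RA acceptance is decided from per-interface values
        if "forwarding" not in values or "accept_ra" not in values:
            findings.append((iface, "INCOMPLETE"))
            continue
        fwd, ra = values["forwarding"], values["accept_ra"]
        accepts = kernel_accepts_ra(fwd, ra)
        if accepts and iface in downstream:
            findings.append((iface, "RA_ON_DOWNSTREAM"))
        elif iface == "default" and accepts and fwd:
            findings.append((iface, "RA_TEMPLATE"))
        elif ra == 1 and fwd:
            findings.append((iface, "RA_INERT"))
    return findings


if __name__ == "__main__":
    for name, dump in (("constructed", CONSTRUCTED_DUMP), ("thread", THREAD_DUMP)):
        for iface, code in audit(dump):
            print(f"{name}: {iface}: {code}: {EXPLAIN[code]}")
```

This covers only the kernel's own RA handling: later in the thread `wan` shows accept_ra:0 while IPv6AcceptRA=yes still yields a `proto ra` default route.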
systemd 256.1-1 entered repos around 19 September, linux 6.11.1 around October 1.
I have not updated for a long time.
Have you tested with 6.10.x or linux-lts to verify if this is kernel related?
I have installed linux-lts. Both kernels behave the same way.
IPv6AcceptRA=no and sysctl
I have set IPv6AcceptRA=no in 10-wan.network. Additionally I removed file /etc/sysctl.d/20-ra.conf.
With those changes no IPv6 was assigned to local clients. So I have added WithoutRA=solicit in DHCPv6 section in 10-wan.network.
After that my local clients receive IPv6 again. But this address can not be used for connections to external IPv6 websites for example.
New configuration
/etc/systemd/networkd.conf:
[Network]
#SpeedMeter=no
#SpeedMeterIntervalSec=10sec
#ManageForeignRoutingPolicyRules=yes
#ManageForeignRoutes=yes
#ManageForeignNextHops=yes
#RouteTable=
#IPv6PrivacyExtensions=no
#UseDomains=no
IPv4Forwarding=yes # Added for global routing
IPv6Forwarding=yes # Added for global routing
[IPv6AcceptRA]
#UseDomains=
[DHCPv4]
#DUIDType=vendor
#DUIDRawData=
#UseDomains=
[DHCPv6]
#DUIDType=vendor
#DUIDRawData=
#UseDomains=
[DHCPServer]
#PersistLeases=yes
/etc/systemd/network/10-wan.network:
[Match]
Name=wan
[Link]
RequiredForOnline=no
[Network]
DHCP=yes
DNSSEC=no
LinkLocalAddressing=ipv6
IPv6AcceptRA=no # Changed to no
#IPForward=yes # Removed old setting
IPv4Forwarding=yes # Added for interface routing
IPv6Forwarding=yes # Added for interface routing
[DHCPv4]
Hostname=hostname
UseDNS=no
UseNTP=no
UseSIP=no
UseHostname=no
UseRoutes=yes
UseGateway=yes
[DHCPv6]
WithoutRA=solicit # Added to assign IPv6 prefix to clients
PrefixDelegationHint=::/59
Hostname=hostname
UseDNS=no
UseNTP=no
UseHostname=no
[IPv6AcceptRA]
UseDNS=no
/etc/systemd/network/30-lan.network:
[Match]
Name=lan
[Link]
RequiredForOnline=yes
[Network]
IPMasquerade=ipv4
LinkLocalAddressing=ipv6
IPv6AcceptRA=no
IPv6SendRA=yes
DHCPv6PrefixDelegation=yes
#IPForward=yes # Removed old setting
IPv4Forwarding=yes # Added for interface routing
IPv6Forwarding=yes # Added for interface routing
[Address]
Address=192.168.10.1/24
[IPv6SendRA]
EmitDNS=yes
EmitDomains=no
[DHCPPrefixDelegation]
UplinkInterface=wan
SubnetId=1
Announce=yes
/etc/sysctl.d/10-ipforward.conf:
#IPv4 forward
net.ipv4.ip_forward=1
#IPv6 forward
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
grep -H . /proc/sys/net/ipv4/ip_forward
/proc/sys/net/ipv4/ip_forward:1
grep -H . /proc/sys/net/ipv6/conf/{all,default,wan,lan}/forwarding
/proc/sys/net/ipv6/conf/all/forwarding:1
/proc/sys/net/ipv6/conf/default/forwarding:1
/proc/sys/net/ipv6/conf/wan/forwarding:1
/proc/sys/net/ipv6/conf/lan/forwarding:1
grep -H . /proc/sys/net/ipv6/conf/{all,default,wan,lan}/accept_ra
/proc/sys/net/ipv6/conf/all/accept_ra:1
/proc/sys/net/ipv6/conf/default/accept_ra:1
/proc/sys/net/ipv6/conf/wan/accept_ra:0
/proc/sys/net/ipv6/conf/lan/accept_ra:0
My local clients get IPv6 addresses assigned from IPv6 prefix. That is working. But route is missing. I can not ping IPv6 addresses.
Last edited by cooldiver2 (2024-10-05 00:32:45)
Offline
Did you try to downgrade systemd to confirm that its update is the cause?
According to https://wiki.archlinux.org/title/Router#DNS_and_DHCP systemd-networkd doesn't provide DHCPv6 at all, https://github.com/systemd/systemd/issues/16039 (I haven't read most of the thread but it seems that's the sought but broken function?)
Online
Did you try to downgrade systemd to confirm that its update is the cause?
Yes, I have done a downgrade before to the last working systemd. I have adapted configuration to old version. Then, it was working again.
According to https://wiki.archlinux.org/title/Router#DNS_and_DHCP systemd-networkd doesn't provide DHCPv6 at all, https://github.com/systemd/systemd/issues/16039 (I haven't read most of the thread but it seems that's the sought but broken function?)
That is interesting. So I could not explain, why the old configuration was working all the years.
I did one step back and configured my router for external IPv4 only. Following configuration is applied:
sysctl settings
************************
*** IPv4
************************
- ip_forward
/proc/sys/net/ipv4/ip_forward:1
- forwarding
/proc/sys/net/ipv4/conf/all/forwarding:1
/proc/sys/net/ipv4/conf/default/forwarding:1
/proc/sys/net/ipv4/conf/wan/forwarding:1
/proc/sys/net/ipv4/conf/lan/forwarding:1
************************
*** IPv6
************************
- ip_forward
/proc/sys/net/ipv6/conf/all/forwarding:1
/proc/sys/net/ipv6/conf/default/forwarding:1
/proc/sys/net/ipv6/conf/wan/forwarding:1
/proc/sys/net/ipv6/conf/lan/forwarding:1
- accept_ra
/proc/sys/net/ipv6/conf/all/accept_ra:1
/proc/sys/net/ipv6/conf/default/accept_ra:1
/proc/sys/net/ipv6/conf/wan/accept_ra:0
/proc/sys/net/ipv6/conf/lan/accept_ra:0
/etc/dnsmasq.conf
$ grep -Ev '^\s*(#.*)?$' dnsmasq.conf
domain-needed
bogus-priv
no-resolv
no-poll
server=1.1.1.1
server=1.0.0.1
server=2606:4700:4700::1111
server=2606:4700:4700::1001
local=/lan/
interface=lan
interface=vpn
no-dhcp-interface=vpn
expand-hosts
domain=lan
dhcp-fqdn
dhcp-range=interface=lan,192.168.10.10,192.168.10.50,12h
dhcp-range=interface=lan,fdde:4834:7c86:0::10,fdde:4834:7c86:0::50, 64, 10m
enable-ra
dhcp-option=option6:dns-server,[fdde:4834:7c86:0::1],[fe80::]
dhcp-authoritative
cache-size=1000
/etc/systemd/networkd.conf
$ grep -Ev '^\s*(#.*)?$' networkd.conf
[Network]
[IPv6AcceptRA]
[DHCPv4]
[DHCPv6]
[DHCPServer]
/etc/systemd/network/10-wan.network
$ grep -Ev '^\s*(#.*)?$' 10-wan.network
[Match]
Name=wan
[Link]
RequiredForOnline=no
[Network]
DHCP=yes
DNSSEC=no
LinkLocalAddressing=ipv6
IPv6AcceptRA=no
/etc/systemd/network/30-lan.network
$ grep -Ev '^\s*(#.*)?$' 30-lan.network
[Match]
Name=lan
[Link]
RequiredForOnline=yes
[Network]
IPMasquerade=ipv4
LinkLocalAddressing=ipv6
[Address]
Address=192.168.10.1/24
[Address]
Address=fdde:4834:7c86:0::1/64
Now with that configuration all clients can access internet with IPv4. Internal it is possible to use IPv4 or IPv6 for communication between router and clients.
The question is now, how can I enable prefix delegation and correct routing for my received prefix from my provider Vodafone. For example I receive the following information:
# Abstract from journalctl
systemd-networkd[471]: wan: DHCPv4 address 91.89.84.91/22, gateway 91.89.84.1 acquired from 81.210.254.28
systemd-networkd[471]: wan: DHCPv6 address 2a02:8070:9900::1a7f/128 (valid for 23h 59min 59s, preferred for 23h 59min 59s)
systemd-networkd[471]: wan: DHCP: received delegated prefix 2a02:8070:9989:bb00::/59
What changes are needed to get IPv6 2a02:8070:9900::1a7f/128 assigned to my wan interface and get default route applied for external routing?
What changes are needed to get prefix 2a02:8070:9989:bb00::/59 delegated to my clients via lan interface that they can directly use IPv6 address to access internet?
If possible it should be done with systemd-networkd, dnsmasq or a combination of both. I am open for any suggestions.
Offline
# Abstract from journalctl
systemd-networkd[471]: wan: DHCPv4 address 91.89.84.91/22, gateway 91.89.84.1 acquired from 81.210.254.28
systemd-networkd[471]: wan: DHCPv6 address 2a02:8070:9900::1a7f/128 (valid for 23h 59min 59s, preferred for 23h 59min 59s)
systemd-networkd[471]: wan: DHCP: received delegated prefix 2a02:8070:9989:bb00::/59
What changes are needed to get IPv6 2a02:8070:9900::1a7f/128 assigned to my wan interface and get default route applied for external routing?
This address is for the WAN interface of your router only. The default gateway for the WAN interface of your router should arrive via router advertisement from the upstream router of your provider. After they are applied your router should be able to reach the public IPv6 space.
What changes are needed to get prefix 2a02:8070:9989:bb00::/59 delegated to my clients via lan interface that they can directly use IPv6 address to access internet?
You need to decide which network ID (you can use the next 5 bit after the /59 network ID for that) you wish to provide to your clients (from 2a02:8070:9989:bb00::/64 to 2a02:8070:9989:bb1f::/64) and set up a RA daemon providing this prefix to your clients. dnsmasq can do this (via "dhcp-range=2a02:8070:9989:bbXX::N,2a02:8070:9989:bbXX::M, ra-only").
EDIT: If your delegated prefix is permanent you may also choose stateful DHCPv6 - dnsmasq can do this too.
Last edited by -thc (2024-10-07 06:39:58)
Offline
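The subnet arithmetic described in the post above, as an added example that is not part of the original post or of systemd-networkd's code: it derives the LAN /64 from the delegated /59 and a subnet ID, and builds an EUI-64 address from a MAC. The prefix, subnet ID and MAC are the values posted in this thread; the function names are assumptions.

```python
import ipaddress


def lan_subnet(delegated, subnet_id, plen=64):
    """Pick subnet number `subnet_id` of length `plen` out of a delegation.

    A /59 leaves 64 - 59 = 5 bits, so valid IDs are 0x00..0x1f.
    """
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > plen:
        raise ValueError(f"{net} is longer than /{plen}")
    spare_bits = plen - net.prefixlen
    if not 0 <= subnet_id < (1 << spare_bits):
        raise ValueError(
            f"subnet id {subnet_id:#x} does not fit in {spare_bits} bits"
        )
    base = int(net.network_address) | (subnet_id << (128 - plen))
    return ipaddress.IPv6Network((base, plen))


def eui64_interface_id(mac):
    """Modified EUI-64: flip the universal/local bit, insert ff:fe."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def router_address(delegated, subnet_id, mac):
    """Address a router interface gets in its LAN subnet with an EUI-64 ID."""
    subnet = lan_subnet(delegated, subnet_id)
    return ipaddress.IPv6Address(
        int(subnet.network_address) | eui64_interface_id(mac)
    )


def all_lan_subnets(delegated, plen=64):
    """Every /64 the delegation can be split into, in order."""
    return list(ipaddress.IPv6Network(delegated).subnets(new_prefix=plen))


if __name__ == "__main__":
    delegated = "2a02:8070:9989:bb00::/59"   # from the journal excerpt
    lan_mac = "00:0d:b9:46:45:7d"            # lan link/ether from `ip a`

    print("LAN subnet (SubnetId=1):", lan_subnet(delegated, 1))
    print("router LAN address     :", router_address(delegated, 1, lan_mac))
    subnets = all_lan_subnets(delegated)
    print("usable /64s            :", len(subnets), subnets[0], "..", subnets[-1])

    # When the provider hands out a different delegation, the same subnet ID
    # lands in the new prefix. This second prefix is constructed.
    print("after a prefix change  :", lan_subnet("2001:db8:aa00:c0e0::/59", 1))
```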
cooldiver2 wrote:
# Abstract from journalctl
systemd-networkd[471]: wan: DHCPv4 address 91.89.84.91/22, gateway 91.89.84.1 acquired from 81.210.254.28
systemd-networkd[471]: wan: DHCPv6 address 2a02:8070:9900::1a7f/128 (valid for 23h 59min 59s, preferred for 23h 59min 59s)
systemd-networkd[471]: wan: DHCP: received delegated prefix 2a02:8070:9989:bb00::/59
What changes are needed to get IPv6 2a02:8070:9900::1a7f/128 assigned to my wan interface and get default route applied for external routing?
This address is for the WAN interface of your router only. The default gateway for the WAN interface of your router should arrive via router advertisement from the upstream router of your provider. After they are applied your router should be able to reach the public IPv6 space.
Okay. I have simplified my systemd-networkd configuration. IPv4Forwarding and IPv6Forwarding is only used in networkd.conf. Accept router advertisement on interface wan and delegate a prefix on lan interface to clients. Router can access internet via IPv4 and IPv6.
Clients get an IPv6 assigned, but they can not use it.
cooldiver2 wrote:What changes are needed to get prefix 2a02:8070:9989:bb00::/59 delegated to my clients via lan interface that they can directly use IPv6 address to access internet?
You need to decide which network ID (you can use the next 5 bit after the /59 network ID for that) you wish to provide to your clients (from 2a02:8070:9989:bb00::/64 to 2a02:8070:9989:bb1f::/64) and set up a RA daemon providing this prefix to your clients. dnsmasq can do this (via "dhcp-range=2a02:8070:9989:bbXX::N,2a02:8070:9989:bbXX::M, ra-only").
Thank you for this explanation. With this configuration, the delegated prefix is fix. My provider is updating or changing it from time to time. So it should be dynamically assigned. Is this also possible with dnsmasq?
Current configuration of router:
/etc/sysctl.d/10-ipforward.conf
$ rm /etc/sysctl.d/10-ipforward.conf
/etc/sysctl.d/20-ra.conf
$ rm /etc/sysctl.d/20-ra.conf
/etc/systemd/networkd.conf
$ grep -Ev '#|^ *$' /etc/systemd/networkd.conf
[Network]
IPv4Forwarding=yes
IPv6Forwarding=yes
[IPv6AcceptRA]
[DHCPv4]
[DHCPv6]
[DHCPServer]
/etc/systemd/network/10-wan.network
$ grep -Ev '#|^ *$' /etc/systemd/network/10-wan.network
[Match]
Name=wan
[Link]
RequiredForOnline=no
[Network]
DHCP=yes
DNSSEC=no
LinkLocalAddressing=ipv6
IPv6AcceptRA=yes
/etc/systemd/network/30-lan.network
$ grep -Ev '#|^ *$' /etc/systemd/network/30-lan.network
[Match]
Name=lan
[Link]
RequiredForOnline=yes
[Network]
IPMasquerade=ipv4
LinkLocalAddressing=ipv6
IPv6AcceptRA=no
IPv6SendRA=yes
DHCPv6PrefixDelegation=yes
[Address]
Address=192.168.10.1/24
[Address]
Address=fdde:4834:7c86:0::1/64
[DHCPPrefixDelegation]
UplinkInterface=wan
SubnetId=1
Announce=yes
sysctl settings
************************
*** IPv4
************************
- ip_forward
/proc/sys/net/ipv4/ip_forward:1
- forwarding
/proc/sys/net/ipv4/conf/all/forwarding:1
/proc/sys/net/ipv4/conf/default/forwarding:1
/proc/sys/net/ipv4/conf/wan/forwarding:1
/proc/sys/net/ipv4/conf/lan/forwarding:1
************************
*** IPv6
************************
- ip_forward
/proc/sys/net/ipv6/conf/all/forwarding:1
/proc/sys/net/ipv6/conf/default/forwarding:1
/proc/sys/net/ipv6/conf/wan/forwarding:1
/proc/sys/net/ipv6/conf/lan/forwarding:1
- accept_ra
/proc/sys/net/ipv6/conf/all/accept_ra:1
/proc/sys/net/ipv6/conf/default/accept_ra:1
/proc/sys/net/ipv6/conf/wan/accept_ra:0
/proc/sys/net/ipv6/conf/lan/accept_ra:0
/etc/dnsmasq.conf
$ grep -Ev '#|^ *$' /etc/dnsmasq.conf
domain-needed
bogus-priv
no-resolv
no-poll
server=1.1.1.1
server=1.0.0.1
server=2606:4700:4700::1111
server=2606:4700:4700::1001
local=/lan/
interface=lan
interface=vpn
no-dhcp-interface=vpn
expand-hosts
domain=lan
dhcp-fqdn
dhcp-range=interface=lan,192.168.10.10,192.168.10.50,12h
dhcp-range=interface=lan,fdde:4834:7c86:0::10,fdde:4834:7c86:0::50,64,12h
enable-ra
dhcp-option=option6:dns-server,[fd00::],[fe80::]
dhcp-authoritative
cache-size=1000
Router network settings
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0d:b9:46:45:7c brd ff:ff:ff:ff:ff:ff
inet 91.89.84.91/22 metric 1024 brd 91.89.87.255 scope global dynamic wan
valid_lft 84915sec preferred_lft 84915sec
inet6 2a02:8070:9900::1a7f/128 scope global dynamic noprefixroute
valid_lft 84915sec preferred_lft 84915sec
inet6 fe80::20d:b9ff:fe46:457c/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
3: lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0d:b9:46:45:7d brd ff:ff:ff:ff:ff:ff
inet 192.168.10.1/24 brd 192.168.10.255 scope global lan
valid_lft forever preferred_lft forever
inet6 2a02:8070:9989:bb01:20d:b9ff:fe46:457d/64 metric 256 scope global dynamic mngtmpaddr
valid_lft 84915sec preferred_lft 84915sec
inet6 fdde:4834:7c86::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::20d:b9ff:fe46:457d/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
$ ip -6 route
2a02:8070:9989:bb01::/64 dev lan proto kernel metric 256 expires 84485sec pref medium
unreachable 2a02:8070:9989:bb00::/59 dev lo proto dhcp metric 1024 pref medium
fdde:4834:7c86::/64 dev lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev lan proto kernel metric 256 pref medium
default via fe80::201:5cff:fe75:6246 dev wan proto ra metric 1024 expires 1798sec pref medium
Clients
First client (Linux Mint 22)
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 3c:07:54:0f:bc:b1 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.33/24 brd 192.168.10.255 scope global dynamic noprefixroute lan
valid_lft 27704sec preferred_lft 27704sec
inet6 fdde:4834:7c86::30/128 scope global dynamic noprefixroute
valid_lft 31641sec preferred_lft 31641sec
inet6 2a02:8070:9989:bb01:402e:2c97:f7ef:a02d/64 scope global temporary dynamic
valid_lft 3303sec preferred_lft 1503sec
inet6 2a02:8070:9989:bb01:7553:a905:edb0:a7b5/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 3303sec preferred_lft 1503sec
inet6 fe80::70f1:c577:68ab:595e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: wlan: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether e4:ce:8f:64:51:f1 brd ff:ff:ff:ff:ff:ff
$ ip -6 route
2a02:8070:9989:bb01::/64 dev lan proto ra metric 100 pref medium
fdde:4834:7c86::30 dev lan proto kernel metric 100 pref medium
fdde:4834:7c86::/64 dev lan proto ra metric 100 pref medium
fe80::/64 dev lan proto kernel metric 1024 pref medium
default via fe80::20d:b9ff:fe46:457d dev lan proto ra metric 20100 pref medium
Second client (Archlinux)
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:c2:07:35 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.36/24 metric 1024 brd 192.168.10.255 scope global dynamic lan
valid_lft 36734sec preferred_lft 36734sec
inet6 2a02:8070:9989:bb01:5054:ff:fec2:735/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 3142sec preferred_lft 1342sec
inet6 fdde:4834:7c86::44/128 scope global dynamic noprefixroute
valid_lft 34341sec preferred_lft 34341sec
inet6 fe80::5054:ff:fec2:735/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
$ ip -6 route
2a02:8070:9989:bb01::/64 dev lan proto ra metric 1024 expires 3120sec pref medium
fdde:4834:7c86::/64 dev lan proto ra metric 1024 expires 42731sec pref medium
fe80::/64 dev lan proto kernel metric 256 pref medium
default via fe80::20d:b9ff:fe46:457d dev lan proto ra metric 1024 expires 1331sec pref medium
On router I can contact https://showipv6.de to get information about IP addresses. On clients I can
get access via IPv4 to https://showipv6.de. IPv6 connection to https://showipv6.de is not possible. Why?
Firewall?
Issue in systemd?
Misconfiguration in systemd?
Misconfiguration in dnsmasq?
Kernel?
Thank you for further assistance and tips how to solve this situation.
Last edited by cooldiver2 (2024-10-07 07:19:40)
Offline
Thank you for this explanation. With this configuration, the delegated prefix is fix. My provider is updating or changing it from time to time. So it should be dynamically assigned. Is this also possible with dnsmasq?
IMHO no - only radvd does that. But since your clients get a correct prefix systemd-networkd seems to do the job properly and you need no additional software or configuration.
On router I can contact https://showipv6.de to get information about IP addresses. On clients I can
get access via IPv4 to https://showipv6.de. IPv6 connection to https://showipv6.de is not possible. Why?
On your clients try
ping -6 2a02:8070:9989:bb01:20d:b9ff:fe46:457d (Router LAN)
ping -6 2a02:8070:9900::1a7f (Router WAN)
ping -6 2a01:4f8:c012:3db4::1 (showipv6.de)
Offline
ping -6 2a02:8070:9989:bb01:20d:b9ff:fe46:457d (Router LAN)
ping -6 2a02:8070:9900::1a7f (Router WAN)
ping -6 2a01:4f8:c012:3db4::1 (showipv6.de)
On both clients I get the same result:
$ ping -6 2a02:8070:9989:bb01:20d:b9ff:fe46:457d (Router LAN)
# Working
$ ping -6 2a02:8070:9900::1a7f (Router WAN)
# Working
$ ping -6 2a01:4f8:c012:3db4::1 (showipv6.de)
# Not working
I do not understand, why those internal IPv6 packages are not routed.
Offline
Please post the output of
$ tracepath -b showipv6.de
Offline
In both situations I am using the same configuration from above. Only the kernel is switched.
Router is using linux (6.11.2)
Linux Mint
$ tracepath -b showipv6.de
1?: [LOCALHOST] 0.008ms pmtu 1500
1: vsr01.lan (fdde:4834:7c86::1) 0.823ms !N
1: vsr01.lan (fdde:4834:7c86::1) 0.557ms !N
Resume: pmtu 1500
Archlinux
$ tracepath -b showipv6.de
1?: [LOCALHOST] 0.019ms pmtu 1500
1: fdde:4834:7c86::1 (fdde:4834:7c86::1) 1.082ms !N
1: fdde:4834:7c86::1 (fdde:4834:7c86::1) 1.220ms !N
Resume: pmtu 1500
Router is using linux-lts (6.6.54)
Linux Mint
$ tracepath -b showipv6.de
1?: [LOCALHOST] 0.009ms pmtu 1500
1: 2a02:8070:9989:bb01:20d:b9ff:fe46:457d (2a02:8070:9989:bb01:20d:b9ff:fe46:457d) 0.897ms
1: 2a02:8070:9989:bb01:20d:b9ff:fe46:457d (2a02:8070:9989:bb01:20d:b9ff:fe46:457d) 0.815ms
2: no reply
3: no reply
4: no reply
5: no reply
6: no reply
7: no reply
8: no reply
9: no reply
10: no reply
11: no reply
12: no reply
13: no reply
14: no reply
15: no reply
16: no reply
17: no reply
18: no reply
19: no reply
20: no reply
21: no reply
22: no reply
23: no reply
24: no reply
25: no reply
26: no reply
27: no reply
28: no reply
29: no reply
30: no reply
Too many hops: pmtu 1500
Resume: pmtu 1500
Archlinux
$ tracepath -b showipv6.de
1?: [LOCALHOST] 0.006ms pmtu 1500
1: 2a02:8070:9989:bb01:20d:b9ff:fe46:457d (2a02:8070:9989:bb01:20d:b9ff:fe46:457d) 1.086ms
1: 2a02:8070:9989:bb01:20d:b9ff:fe46:457d (2a02:8070:9989:bb01:20d:b9ff:fe46:457d) 0.996ms
2: no reply
3: no reply
4: no reply
5: no reply
6: no reply
7: no reply
8: no reply
9: no reply
10: no reply
11: no reply
12: no reply
13: no reply
14: no reply
15: no reply
16: no reply
17: no reply
18: no reply
19: no reply
20: no reply
21: no reply
22: no reply
23: no reply
24: no reply
25: no reply
26: no reply
27: no reply
28: no reply
29: no reply
30: no reply
Too many hops: pmtu 1500
Resume: pmtu 1500
Last edited by cooldiver2 (2024-10-07 10:07:07)
Offline
That looks very weird, below is the tracepath I get from my DSL connection from the Netherlands for reference.
Running whois on 2a02:8070:9989:bb01:20d:b9ff:fe46:457d indicates it belongs to your provider, Vodafone Germany?
$ tracepath -b showipv6.de
1?: [LOCALHOST] 0.007ms pmtu 1500
1: fritz.box (2a10:3781:9ad:1:2e91:abff:fe46:fcdc) 1.758ms
1: fritz.box (2a10:3781:9ad:1:2e91:abff:fe46:fcdc) 1.325ms
2: fritz.box (2a10:3781:9ad:1:2e91:abff:fe46:fcdc) 1.159ms pmtu 1492
2: lo0-3.bras0.fi001.nl.freedomnet.nl (2a10:3780::232) 11.210ms
3: ae0-1000.core0.fi001.nl.freedomnet.nl (2a10:3780:1::1e) 13.834ms
4: amsix-gw.hetzner.com (2001:7f8:1::a502:4940:1) 9.913ms asymm 6
5: no reply
6: core0.fra.hetzner.com (2a01:4f8:0:3::ce) 15.381ms
7: core22.fsn1.hetzner.com (2a01:4f8:0:3::4e5) 19.492ms
8: no reply
9: spine10.cloud2.fsn1.hetzner.com (2a01:4f8:0:e172::a1e2) 35.739ms
10: no reply
11: 24935.your-cloud.host (2a01:4f8:0:e172::4405) 19.610ms
12: 2a01:4f8:c012:3db4::1 (2a01:4f8:c012:3db4::1) 22.343ms reached
Resume: pmtu 1492 hops 12 back 13
$
Offline
$ tracepath -b showipv6.de
1?: [LOCALHOST] 0.008ms pmtu 1500
1: vsr01.lan (fdde:4834:7c86::1) 0.823ms !N
1: vsr01.lan (fdde:4834:7c86::1) 0.557ms !N
Resume: pmtu 1500
This looks like the local IPv6 stack makes the wrong routing decision and picks the ULA address (fc00::/15). By design ULA addresses will never traverse routers - they work like private IPv4 networks.
By comparing your IPv6 routing table to mine I realized some routes are missing:
2a02:8070:9989:bb01::/59 via fe80::20d:b9ff:fe46:457d dev lan proto ra metric 100 pref medium
fdde:4834:7c86::/64 via fe80::20d:b9ff:fe46:457d dev lan proto ra metric 100 pref medium
This may be a quirk of my router's OS.
If not, the RAs sent by systemd-networkd are possibly incomplete.
Additionally the router sends the delegation prefix to "lo":
unreachable 2a02:8070:9989:bb00::/59 dev lo proto dhcp metric 1024 pref medium
I can't say if this is normal for a delegating IPv6 router.
Offline
That looks very weird, below is the tracepath I get from my DSL connection from the Netherlands for reference.
Yes, because my packages never traverse my router and reach the world wide web.
Running whois on 2a02:8070:9989:bb01:20d:b9ff:fe46:457d indicates it belongs to your provider, Vodafone Germany?
Yes, this is correct. My provider is Vodafone. My old configuration from my first post was working for the last two years. With the new update I only get IPv4 running.
This looks like the local IPv6 stack makes the wrong routing decision and picks the ULA address (fc00::/15). By design ULA addresses will never traverse routers - they work like private IPv4 networks.
Is it possible, that I can change which address is used for routing? Systemd is creating those information in router advertisement? Perhaps I should ask the developer, which information is generated?
Otherwise I have to check my RAs from Vodafone, which information is included.
Perhaps dnsmasq is overwriting this information?
By comparing your IPv6 routing table to mine I realized some routes are missing:
2a02:8070:9989:bb01::/59 via fe80::20d:b9ff:fe46:457d dev lan proto ra metric 100 pref medium
fdde:4834:7c86::/64 via fe80::20d:b9ff:fe46:457d dev lan proto ra metric 100 pref medium
This may be a quirk of my router's OS.
If not, the RAs sent by systemd-networkd are possibly incomplete.
I have added both routes on one client. I have similar rules existing for /64 subnet. Nothing changed.
Additionally the router sends the delegation prefix to "lo":
cooldiver2 wrote:unreachable 2a02:8070:9989:bb00::/59 dev lo proto dhcp metric 1024 pref medium
I can't say if this is normal for a delegating IPv6 router.
I have deleted this rule. Nothing changed in behavior. Same as before.
Offline
I suspect systemd-networkd somehow not forwarding packets from the delegated prefix. But I have no idea why.
Offline
I created an issue at systemd for checking, if this is expected behavior or not. You can have a look here https://github.com/systemd/systemd/issues/34668. Further information is updated until I have it
Offline
After long hours of debugging with tcpdump I have found the issue.
I had to remove IPMasquerade=ipv4 from /etc/systemd/network/30-lan.network. Also I need to stop docker.service. Then my router is working as expected with IPv4 and IPv6. My single Docker container is moved to another host.
Offline
For IPv6 you should probably set up DHCPPrefixDelegation if possible to have an IPv6 subnet managed by your router. https://wiki.archlinux.org/title/IPv6#s … networkd_3
Edit: I did a search on the thread and must have a wrong character in there, as I did not find anything.
If you have solved it, then please prefix your title with [SOLVED] or is that a workaround and you are still interested in a better solution?
Last edited by progandy (2024-11-04 20:54:32)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
No, that is solved now. My problem is only, that I can not change the title. I looked yesterday around but could not find a way to change the topic.
I will post my new configuration, that everyone can use it or this configuration is used as example for wiki.
Offline
Final router configuration:
/etc/systemd/networkd.conf
$ grep -Ev '#|^ *$' /etc/systemd/networkd.conf
[Network]
IPv4Forwarding=yes
IPv6Forwarding=yes
[IPv6AcceptRA]
[DHCPv4]
[DHCPv6]
[DHCPServer]
/etc/systemd/network/10-wan.network
$ grep -Ev '#|^ *$' /etc/systemd/network/10-wan.network
[Match]
Name=wan
[Link]
RequiredForOnline=no
[Network]
DHCP=yes
DNSSEC=no
LinkLocalAddressing=ipv6
IPv6AcceptRA=yes
/etc/systemd/network/30-lan.network
$ grep -Ev '#|^ *$' /etc/systemd/network/30-lan.network
[Match]
Name=lan
[Link]
RequiredForOnline=yes
[Network]
LinkLocalAddressing=ipv6
IPv6AcceptRA=no
IPv6SendRA=yes
DHCPv6PrefixDelegation=yes
[Address]
Address=192.168.10.1/24
[Address]
Address=fdde:4834:7c86:0::1/64
[DHCPPrefixDelegation]
UplinkInterface=wan
SubnetId=1
Announce=yes
/etc/dnsmasq.conf
$ grep -Ev '#|^ *$' /etc/dnsmasq.conf
domain-needed
bogus-priv
no-resolv
no-poll
server=1.1.1.1
server=1.0.0.1
server=2606:4700:4700::1111
server=2606:4700:4700::1001
local=/lan/
interface=lan
interface=vpn
no-dhcp-interface=vpn
expand-hosts
domain=lan
dhcp-fqdn
dhcp-range=interface=lan,192.168.10.10,192.168.10.50,12h
dhcp-range=interface=lan,fdde:4834:7c86:0::10,fdde:4834:7c86:0::50,64,12h
enable-ra
dhcp-option=option6:dns-server,[fd00::],[fe80::]
dhcp-authoritative
cache-size=1000
Router is doing prefix delegation for internal clients and dnsmasq can be used to resolve hostnames to IPs.
Offline