Gentoo Forums
IPv6 forwarding
flatmodel
n00b

Joined: 01 Mar 2013
Posts: 30
Location: UK

Posted: Sun Mar 02, 2025 5:41 pm    Post subject: IPv6 forwarding

I have an IPv4 local area network managed by a bastion server which is also a gateway to the Internet. I have lately added IPv6 on top of this so that the server and LAN clients operate a dual-stack IPv4/6 stack. The server communicates perfectly with the Internet be it on IPv6 or IPv4. I run radvd on the LAN interfaces using the /48 prefix granted by my ISP. All my IPv6 devices on the LAN use this prefix and interfaces end up with a suitable SLAAC address. Everything works just fine on the LAN on IPv6, but I seem to have an intractable problem where something like this constantly fails:-

Code:
ping -6 -c3 google.com


My Internet connection consists of a PPPoE connection over VDSL, and the server's interface has both an IPv4 address and an IPv6 address. I have to use dhcpcd to keep the IPv6 address on the PPP connection, otherwise it disappears once the valid_lft time expires. This is all working satisfactorily though.

I have used tcpdump and subsequently analysed the resultant file using wireshark and it would appear that the ping echo requests are arriving at the PPP connection, but either they terminate there, or any reply is lost. If I attempt the exact same command at the server console, it works as one might hope.

Incidentally, I use the squid proxy server, and that connects LAN clients to IPv6 sites no problem at all.

I am using iptables (and ip6tables) generated by firehol. I have no reason to think that there's a problem with any of that since there is nothing appearing in the logs.

If I take my server out of the picture and use my ISP's supplied domestic router, my LAN clients can talk both IPv6 and IPv4 to the Internet successfully. Clearly I'm doing something wrong, but I have run out of ideas.

I am very puzzled by this problem, and I wonder if anyone can shed any light on it?

Richard.
_________________
Richard

szatox
Advocate

Joined: 27 Aug 2013
Posts: 3538

Posted: Sun Mar 02, 2025 6:47 pm

So....
case1:
internet - server - PC
* connection via a proxy on server works
* ping to the internet does not work / reply can't get back from server to pc

case2:
internet - router - PC
* ping to the internet works

Do I get it right?


Looks like a missing routing rule on the server. Do you happen to call proxy from a link-local address by any chance and the internet from the ISP assigned address by any chance?
_________________
Make Computing Fun Again

flatmodel
n00b

Joined: 01 Mar 2013
Posts: 30
Location: UK

Posted: Sun Mar 02, 2025 7:32 pm

szatox wrote:
So....
case1:
internet - server - PC
* connection via a proxy on server works
* ping to the internet does not work / reply can't get back from server to pc

case2:
internet - router - PC
* ping to the internet works

Do I get it right?


Looks like a missing routing rule on the server. Do you happen to call proxy from a link-local address by any chance and the internet from the ISP assigned address by any chance?


You are correct. Ordinarily the server takes the place of the domestic router (case 1). I haven't examined the proxy situation in detail, but I think the connection and interaction with it is on IPv4, the proxy making IPv6 connections wherever necessary. I don't quite understand the question
Quote:
Do you happen to call proxy from a link-local address by any chance and the internet from the ISP assigned address by any chance?
.

I have considered the possibility of there being a missing routing rule on the server, but I'm uncertain of how to proceed. Many thanks for your assistance.

Code:
# ip -6 addr show dev ppp0
8: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UP group default qlen 3
    inet6 2001:8033:a001:16::1/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 2591889sec preferred_lft 604689sec
    inet6 fe80::1 peer fe80::200:ff:fe00:0/128 scope link nodad
       valid_lft forever preferred_lft forever


The fe80::200:ff:fe00:0 address is the default IPv6 route. In the interests of security, I have obfuscated the global IP address.
_________________
Richard

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54961
Location: 56N 3W

Posted: Sun Mar 02, 2025 8:09 pm

flatmodel,

I have the same setup as you. My setup is described in detail on the Wiki.
That detail is for arm64 but the setup will be arch independent.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

szatox
Advocate

Joined: 27 Aug 2013
Posts: 3538

Posted: Sun Mar 02, 2025 8:24 pm

Quote:
Ordinarily the server takes the place of the domestic router (case 1). I haven't examined the proxy situation in detail, but I think the connection and interaction with it is on IPv4, the proxy making IPv6 connections wherever necessary. I don't quite understand the question
It is significant precisely because it's the proxy that's making the connection to the internet. Which means you have 2 individual connections rather than a single one spanning 2 networks (from the server's perspective).

Your server and PC share the same ipv6 prefix, don't they?
What is in your ipv6 routing table?
# ip -6 r

Anonymizing it is fine, as long as you keep the structure intact. Same things must stay same, different things stay different.... Or just have a look at it yourself; at this point I expect your server to not have an entry pointing back to your PC with its routable ipv6 IP.
_________________
Make Computing Fun Again

flatmodel
n00b

Joined: 01 Mar 2013
Posts: 30
Location: UK

Posted: Mon Mar 03, 2025 8:19 pm

Quote:

Your server and PC share the same ipv6 prefix, don't they?
What is in your ipv6 routing table?
# ip -6 r


I apologise for being selective in my reply; but I think that the above quoted text might well be the crux of the matter. The IPv6 address of the PPPoE connection (to the Internet) is completely different from the IP subnet granted to me from my ISP, i.e. the Internet IP address is NOT in the prefix address range.

I'm doing battle with illness right now, so I'll post more when I'm feeling better.
_________________
Richard

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54961
Location: 56N 3W

Posted: Mon Mar 03, 2025 8:59 pm

flatmodel,

Quote:
Internet IP address is NOT in the prefix address range.
That's normal for IPv6
Your delegated prefix is routed over your ISP link, so all your delegated prefix IPv6 addresses are public.

I suspect either a missing route or a missing sysctl to turn on IPv6 forwarding.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

flatmodel
n00b

Joined: 01 Mar 2013
Posts: 30
Location: UK

Posted: Tue Mar 04, 2025 3:44 pm

NeddySeagoon wrote:

I suspect either a missing route or a missing sysctl to turn on IPv6 forwarding.


It's nothing so obvious as forwarding, of that you can be sure!

The routing table is quite long, and I've massaged the addresses so as not to reveal global addresses; but the sense of the table is consistent.

Code:
anycast 2001:8d8:501b:: dev lan0 proto kernel metric 0 pref medium
2001:8d8:501b::/64 dev lan0 proto kernel metric 256 pref medium
anycast 2001:8d8:501b:2:: dev lan0.2 proto kernel metric 0 pref medium
2001:8d8:501b:2::/64 dev lan0.2 proto kernel metric 256 pref medium
anycast 2001:8d8:501b:3:: dev lan0.3 proto kernel metric 0 pref medium
2001:8d8:501b:3::/64 dev lan0.3 proto kernel metric 256 pref medium
anycast 2001:8d8:501b:4:: dev lan0.4 proto kernel metric 0 pref medium
2001:8d8:501b:4::/64 dev lan0.4 proto kernel metric 256 pref medium
anycast 2001:8d8:d001:16:: dev ppp0 proto kernel metric 0 pref medium
2001:8d8:d001:16::/64 dev ppp0 proto ra metric 1008 pref medium
anycast fe80:: dev lan0 proto kernel metric 0 pref medium
anycast fe80:: dev lan0.2 proto kernel metric 0 pref medium
anycast fe80:: dev lan0.3 proto kernel metric 0 pref medium
anycast fe80:: dev lan0.4 proto kernel metric 0 pref medium
anycast fe80:: dev wan proto kernel metric 0 pref medium
fe80::1 dev ppp0 proto kernel metric 256 pref medium
fe80::200:ff:fe00:0 dev ppp0 proto kernel metric 256 pref medium
fe80::/64 dev lan0 proto kernel metric 256 pref medium
fe80::/64 dev lan0.2 proto kernel metric 256 pref medium
fe80::/64 dev lan0.3 proto kernel metric 256 pref medium
fe80::/64 dev lan0.4 proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
multicast ff00::/8 dev lan0 proto kernel metric 256 pref medium
multicast ff00::/8 dev lan0.2 proto kernel metric 256 pref medium
multicast ff00::/8 dev lan0.3 proto kernel metric 256 pref medium
multicast ff00::/8 dev lan0.4 proto kernel metric 256 pref medium
multicast ff00::/8 dev wan proto kernel metric 256 pref medium
multicast ff00::/8 dev ppp0 proto kernel metric 256 pref medium
default via fe80::200:ff:fe00:0 dev ppp0 proto ra metric 1008 pref medium


You will note that the addresses used for the LAN (and the vlans) are from my /48 prefix, but the ppp0 isn't. I probably need to add a route to make a bridge between these two, but I don't know how to do it. I did read Neddy's Pi4 article and didn't notice anything there that I've omitted to do in my config; but I'm happy to be corrected!
_________________
Richard
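
Added example, not part of any post in this thread: a longest-prefix lookup over a subset of the routing table posted above, showing which interface the server would choose for a reply addressed to a LAN client. The client addresses and the 2001:8d8:501b:9:: subnet are constructed for illustration; a client in a subnet of the /48 with no /64 route falls through to the default route and goes back out ppp0.

```python
import ipaddress

# Subset of the table posted above (addresses as anonymised in the post).
ROUTES = """\
anycast 2001:8d8:501b:: dev lan0 proto kernel metric 0 pref medium
2001:8d8:501b::/64 dev lan0 proto kernel metric 256 pref medium
2001:8d8:501b:2::/64 dev lan0.2 proto kernel metric 256 pref medium
2001:8d8:d001:16::/64 dev ppp0 proto ra metric 1008 pref medium
default via fe80::200:ff:fe00:0 dev ppp0 proto ra metric 1008 pref medium
"""
NON_UNICAST = {"anycast", "multicast", "local", "broadcast",
               "unreachable", "blackhole", "prohibit"}

def _opt(tokens, key, default=None):
    """Value following `key` in an `ip route` line, if present."""
    return tokens[tokens.index(key) + 1] if key in tokens else default

def parse_routes(text):
    """Parse `ip -6 route` output into (network, dev, via, metric) tuples."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in NON_UNICAST:
            continue  # anycast/multicast entries are not used for forwarding
        dest = "::/0" if tok[0] == "default" else tok[0]
        routes.append((ipaddress.ip_network(dest), _opt(tok, "dev"),
                       _opt(tok, "via"), int(_opt(tok, "metric", 0))))
    return routes

def lookup(routes, addr):
    """Longest-prefix match, lowest metric on ties; returns (dev, via)."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return None
    _, dev, via, _ = min(hits, key=lambda r: (-r[0].prefixlen, r[3]))
    return dev, via

def reply_leaves_via_wan(routes, client, wan="ppp0"):
    """True if a reply addressed to `client` would be sent back out the WAN."""
    hit = lookup(routes, client)
    return hit is not None and hit[0] == wan

if __name__ == "__main__":
    table = parse_routes(ROUTES)
    # Client addresses below are constructed for illustration.
    for host in ("2001:8d8:501b:2::abcd", "2001:8d8:501b:9::abcd"):
        print(host, lookup(table, host), reply_leaves_via_wan(table, host))
```

On a live router, `ip -6 route get <client address>` gives the kernel's own answer to the same question.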

Ralphred
l33t

Joined: 31 Dec 2013
Posts: 742

Posted: Tue Mar 04, 2025 6:18 pm

flatmodel wrote:
the addresses used for the LAN (and the vlans) are from my /48 prefix, but the ppp0 isn't.
This is normal (if you assign an IPv6 address to the outside interface it will have the noprefixroute flag set), and correct as it matches the ppp0 peer - if it was wrong pinging from the server wouldn't work. The only function the public address on ppp0 serves in this context is to allow addressed access to the server from the outside world.
Quote:
it would appear that the ping echo requests are arriving at the PPP connection, but either they terminate there, or any reply is lost.
They really shouldn't be "arriving" there on the way out. Is this a case of semantic misunderstanding, or could the clients' routing tables be wrong?

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54961
Location: 56N 3W

Posted: Tue Mar 04, 2025 7:17 pm

flatmodel,

What does traceroute -6 -U google.com tell?

I get
Code:
$  traceroute -6 -U google.com
traceroute to google.com (2a00:1450:4009:821::200e), 30 hops max, 80 byte packets
 1 2001:0DB8:c002:fe::1 (2a02:8010:c002:fe::1)  0.189 ms  0.324 ms  0.366 ms
 2 2001:0DB8:c002:0:9a9b:cbff:fe25:3582 (2001:0DB8:c002:0:9a9b:cbff:fe25:3582)  1.199 ms  1.227 ms  1.277 ms
 3  lo0-0.bng5.thn-lon.zen.net.uk (2a02:8010::15c)  22.339 ms  22.370 ms  22.418 ms
 4  lag-15.p2.thn-lon.zen.net.uk (2a02:8010:0:700::52)  18.625 ms lag-15.p1.thn-lon.zen.net.uk (2a02:8010:0:700::50)  18.831 ms  18.822 ms
 5  2001:4860:1:1::e8 (2001:4860:1:1::e8)  18.814 ms !X 2001:4860:1:1:0:32ed:0:1 (2001:4860:1:1:0:32ed:0:1)  20.691 ms *


The 2001:0DB8/32 prefix is reserved for documentation. You won't find me there. :)

It will be interesting to see where it breaks.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.