Gentoo Forums
IPv6 forwarding broken? [solved]
lytenyn
n00b

Joined: 29 Jan 2004
Posts: 44

Posted: Mon Jan 06, 2025 2:22 pm    Post subject: IPv6 forwarding broken? [solved]

Dear all, I would really appreciate your help with the following issue: I have a network topology like this:

ISP router --------- (public interface) Router (private interface) --------- Client

The router and client are Gentoo boxes that I (try to) maintain.

For IPv4, both the ISP router and my own router (on the private interface) run a DHCP server, and IPv4 forwarding is enabled on the router. Everything works fine.

For IPv6, I use systemd-networkd to request a delegated prefix from the ISP router, which seems to work.
The router gets an IPv6 address in the correct subnet on both interfaces, and the client also gets an IPv6 address in the delegated prefix, as expected.

Everything looks ok, but the router does not seem to forward any IPv6 traffic at all. Using tcpdump to print ICMP6 packets shows that pings from the client arrive at the router, but never leave the router on the public interface.
I have a firewall set up using nftables, but it is set to accept any ICMP6 packets, and I can see them being accepted in the forward and prerouting tables.

I have also set up docker on the host which might complicate things, but the problem persists even if I disable all docker containers and remove all relevant network interfaces.

systemd-networkd is properly configured (IPv6Forwarding=yes in /etc/systemd/networkd.conf), which correctly results in:

Code:
% sysctl net.ipv6.conf | grep forwarding
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.docker0.forwarding = 1
net.ipv6.conf.docker0.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.priv.forwarding = 1
net.ipv6.conf.priv.mc_forwarding = 0
net.ipv6.conf.publ.forwarding = 1
net.ipv6.conf.publ.mc_forwarding = 0
net.ipv6.conf.sit0.forwarding = 1
net.ipv6.conf.sit0.mc_forwarding = 0


Routing tables on both router and client look good, e.g. the router one looks like this:

Code:
% ip -6 route
2003:aaaa:bbbb:cc00::/64 dev publ proto ra metric 1024 expires 6892sec pref medium
2003:aaaa:bbbb:ccfd::/64 dev priv proto kernel metric 256 expires 6008sec pref medium
unreachable 2003:aaaa:bbbb:ccfc::/62 dev lo proto dhcp metric 1024 pref medium
2003:aaaa:bbbb:cc00::/56 nhid 1148212772 via fe80::2e3a:fdff:fef7:c952 dev publ proto ra metric 1024 expires 1492sec pref medium
fe80::/64 dev priv proto kernel metric 256 pref medium
fe80::/64 dev publ proto kernel metric 256 pref medium
default nhid 1148212772 via fe80::2e3a:fdff:fef7:c952 dev publ proto ra metric 1024 expires 1492sec pref medium


I have been debugging this on and off for months and I cannot find anything. I would be very grateful for any ideas. Thanks in advance!


Last edited by lytenyn on Mon Jan 06, 2025 11:05 pm; edited 1 time in total

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54673
Location: 56N 3W

Posted: Mon Jan 06, 2025 6:53 pm

lytenyn,

Quote:
The router gets an IPv6 address in the correct subnet on both interfaces,

What does that mean?
Both interfaces get a /64 from your delegated prefix, or you get an IPv6 address (maybe whole /64) for your uplink and a delegated prefix for your LAN?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

lytenyn
n00b

Joined: 29 Jan 2004
Posts: 44

Posted: Mon Jan 06, 2025 7:28 pm

Thanks a lot for looking at my issue!

Not sure I fully understand you. Using ip -6 addr, I get something like:

Code:
publ: 2003:aaaa:bbbb:cc00:xxxx:yyyy:zzzz:4458/64
priv: 2003:aaaa:bbbb:ccfd:xxxx:yyyy:zzzz:4459/64


From systemd-networkd, I get

Code:
Jan 06 20:18:22 jupiter systemd-networkd[30511]: publ: DHCP: received delegated prefix 2003:aaaa:bbbb:ccfc::/62
Jan 06 20:18:22 jupiter systemd-networkd[30511]: priv: DHCP-PD address 2003:aaaa:bbbb:ccfd:xxxx:yyyy:zzzz:4458/64 (valid for 1h 59min 59s, preferred for 59min 59s)


If I understand it correctly, this is how it works. My ISP router gets a /56 prefix and delegates a /62 to my router, which assigns one /64 to my private network.


Last edited by lytenyn on Mon Jan 06, 2025 8:45 pm; edited 1 time in total

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54673
Location: 56N 3W

Posted: Mon Jan 06, 2025 8:34 pm

lytenyn,

Rewording what I think you said.
You have a /56 delegated prefix for your use. That's 256 /64 subnets.
You use prefix delegation to get a /64 for your LAN. Your ISP will drop unused nets in your /56 at its boundary router for two reasons.
1. It saves your ISP network bandwidth.
2. It saves your network bandwidth too, as you don't get junk to throw away.

Code:
DHCP: received delegated prefix 2003:aaaa:bbbb:ccfc::/62

is four /64. Using your example it will be

Code:
2003:aaaa:bbbb:ccfc::/64
2003:aaaa:bbbb:ccfd::/64
2003:aaaa:bbbb:ccfe::/64
2003:aaaa:bbbb:ccff::/64


The address on your ISP uplink must not be from your /56, as your delegated prefix addresses will be routed over the ISP link.
Your /56 is 2003:aaaa:bbbb:cc00/56

If it helps any, I use a Pi4 Router
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

lytenyn
n00b

Joined: 29 Jan 2004
Posts: 44

Posted: Mon Jan 06, 2025 8:44 pm

Again, sorry, I'm not 100% sure that I understand correctly. I have two routers in series, my ISP router and my own, problematic one, like this:

ISP router -------------- (publ) router (priv) ---------- client

The IPv6 addresses of these are:

ISP router:

- has an external IP address 2003:aaaa:bbqq:something/64 which is outside its own prefix which is:
- Prefix: 2003:aaaa:bbbb:cc00::/56
- It also listens to some address in this prefix of the form 2003:aaaa:bbbb:cc00:mac_address

My own router has two interfaces, a public and a private one with addresses:

- publ: 2003:aaaa:bbbb:cc00:xxxx:yyyy:zzzz:4458/64
- priv: 2003:aaaa:bbbb:ccfd:xxxx:yyyy:zzzz:4459/64
According to systemd-networkd, it has received the prefix 2003:aaaa:bbbb:ccfc::/62, and I infer that it has assigned 2003:aaaa:bbbb:ccfd::/64 to the priv interface.

Correspondingly, my client receives an address of the form 2003:aaaa:bbbb:ccfd:mac_address/64.

As far as I can tell, this is all ok. Do you agree?

Also, as far as I can see from tcpdump, an ICMP6 ping from the client towards the internet arrives at the router on the priv interface, but never leaves the router at the publ interface. I do not understand why.

lytenyn
n00b

Joined: 29 Jan 2004
Posts: 44

Posted: Mon Jan 06, 2025 11:05 pm

I just found it. I have set up a firewall manually using nftables which accepts all ICMP6 packets.

However, I also have docker installed, which apparently comes with a second set of ip6tables rules which I knew nothing about.
These rules seem to block ICMP6 packets.

Now I just have to find out where these rules are set and how to remove them.

Thanks for your help!
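
The situation found in the last post, two separately managed rulesets filtering the same forwarded packets, as an added example that is not part of the thread: every base chain on the forward hook is traversed, so an accept in a hand-written nftables chain does not protect a packet from a drop in a chain installed through ip6tables. The table and chain names in the sample are assumptions, and the sample ruleset is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Every base chain hooked at "forward"
# sees the packet; an accept in one chain does not skip the others, so a
# single drop (rule or policy) in any of them is enough to lose it.

# Constructed sample in `nft list ruleset` text format. Names are assumptions:
# "inet fw" stands for a hand-written firewall, "ip6 filter" for rules that
# another tool installed through ip6tables (nft backend).
sample_ruleset() {
cat <<'EOF'
table inet fw {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        meta l4proto ipv6-icmp accept
    }
    chain input {
        type filter hook input priority filter; policy drop;
    }
}
table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }
}
table ip6 filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }
}
EOF
}

# Reads a ruleset on stdin and prints one line per base chain that filters
# forwarded IPv6 traffic (families ip6 and inet), with priority and policy.
forward_chains() {
    awk '
        $1 == "table" { family = $2; table = $3 }
        $1 == "chain" { chain = $2 }
        $1 == "type" && / hook forward / && (family == "ip6" || family == "inet") {
            split($0, part, ";")
            prio = part[1];   sub(/.*priority /, "", prio)
            policy = part[2]; sub(/.*policy /, "", policy)
            printf "%s %s %s priority=%s policy=%s\n", family, table, chain, prio, policy
        }'
}

# On a live router (as root): nft list ruleset | forward_chains
sample_ruleset | forward_chains
```

More than one line of output means forwarded IPv6 traffic has to pass several independent chains. Rules loaded with the legacy iptables backend do not appear in `nft list ruleset`; check `ip6tables-legacy-save` for those.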