flatmodel n00b
Joined: 01 Mar 2013 Posts: 28 Location: UK
Posted: Sun Mar 02, 2025 5:41 pm Post subject: IPv6 forwarding
I have an IPv4 local area network managed by a bastion server which is also a gateway to the Internet. I have lately added IPv6 on top of this so that the server and LAN clients operate a dual-stack IPv4/6 stack. The server communicates perfectly with the Internet be it on IPv6 or IPv4. I run radvd on the LAN interfaces using the /48 prefix granted by my ISP. All my IPv6 devices on the LAN use this prefix and interfaces end up with a suitable SLAAC address. Everything works just fine on the LAN on IPv6, but I seem to have an intractable problem where something like this constantly fails:-
Code: | ping -6 -c3 google.com |
My Internet connection consists of a PPPoE connection over VDSL, and the server's interface has both an IPv4 address and an IPv6 address. I have to use dhcpcd to keep the IPv6 address on the PPP connection, otherwise it disappears once the valid_lft time expires. This is all working satisfactorily though.
I have used tcpdump and subsequently analysed the resultant file using wireshark and it would appear that the ping echo requests are arriving at the PPP connection, but either they terminate there, or any reply is lost. If I attempt the exact same command at the server console, it works as one might hope.
Incidentally, I use the squid proxy server, and that connects LAN clients to IPv6 sites no problem at all.
I am using iptables (and ip6tables) generated by firehol. I have no reason to think that there's a problem with any of that since there is nothing appearing in the logs.
If I take my server out of the picture and use my ISP's supplied domestic router, my LAN clients can talk both IPv6 and IPv4 to the Internet successfully. Clearly I'm doing something wrong, but I have run out of ideas.
I am very puzzled by this problem, and I wonder if anyone can shed any light on it?
Richard. _________________ Richard |
szatox Advocate
Joined: 27 Aug 2013 Posts: 3536
Posted: Sun Mar 02, 2025 6:47 pm
So....
case1:
internet - server - PC
* connection via a proxy on server works
* ping to the internet does not work / reply can't get back from server to pc
case2:
internet - router - PC
* ping to the internet works
Do I get it right?
Looks like a missing routing rule on the server. Do you happen to call proxy from a link-local address by any chance and the internet from the ISP assigned address by any chance? _________________ Make Computing Fun Again |
flatmodel n00b
Joined: 01 Mar 2013 Posts: 28 Location: UK
Posted: Sun Mar 02, 2025 7:32 pm
szatox wrote: | So....
case1:
internet - server - PC
* connection via a proxy on server works
* ping to the internet does not work / reply can't get back from server to pc
case2:
internet - router - PC
* ping to the internet works
Do I get it right?
Looks like a missing routing rule on the server. Do you happen to call proxy from a link-local address by any chance and the internet from the ISP assigned address by any chance? |
You are correct. Ordinarily the server takes the place of the domestic router (case 1). I haven't examined the proxy situation in detail, but I think the connection and interaction with it is on IPv4, the proxy making IPv6 connections wherever necessary. I don't quite understand the question "Do you happen to call proxy from a link-local address by any chance and the internet from the ISP assigned address by any chance?".
I have considered the possibility of there being a missing routing rule on the server, but I'm uncertain of how to proceed. Many thanks for your assistance.
Code: | # ip -6 addr show dev ppp0
8: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UP group default qlen 3
inet6 2001:8033:a001:16::1/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 2591889sec preferred_lft 604689sec
inet6 fe80::1 peer fe80::200:ff:fe00:0/128 scope link nodad
valid_lft forever preferred_lft forever |
The fe80::200:ff:fe00:0 address is the default IPv6 route. In the interests of security, I have obfuscated the global IP address. _________________ Richard |
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54955 Location: 56N 3W
Posted: Sun Mar 02, 2025 8:09 pm
flatmodel,
I have the same setup as you. My setup is described in detail on the Wiki.
That detail is for arm64 but the setup will be arch independent. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
szatox Advocate
Joined: 27 Aug 2013 Posts: 3536
Posted: Sun Mar 02, 2025 8:24 pm
Quote: | Ordinarily the server takes the place of the domestic router (case 1). I haven't examined the proxy situation in detail, but I think the connection and interaction with it is on IPv4, the proxy making IPv6 connections wherever necessary. I don't quite understand the question |
It is significant precisely because it's the proxy that's making the connection to the internet. Which means you have 2 individual connections rather than a single one spanning 2 networks (from the server's perspective).
Your server and PC share the same ipv6 prefix, don't they?
What is in your ipv6 routing table?
# ip -6 r
Anonymizing it is fine, as long as you keep the structure intact. Same things must stay same, different things stay different.... Or just have a look at it yourself; at this point I expect your server to not have an entry pointing back to your PC with its routable ipv6 IP. _________________ Make Computing Fun Again |
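
The routing-table check asked for in the post above, as an added example that is not part of the original thread: it parses `ip -6 r` output and reports which route the server would pick to send a reply back to a LAN client's global address. The LAN interface name `eth1`, the `2001:db8:` documentation prefix, the client address and both sample tables are constructed assumptions.

```python
import ipaddress

# Route-type keywords that `ip -6 route` may print before the destination.
ROUTE_TYPES = {"unicast", "local", "anycast", "multicast", "unreachable",
               "blackhole", "prohibit", "throw"}

def parse_routes(text):
    """Parse `ip -6 route` output into (network, type, dev) tuples."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        rtype = "unicast"
        if tok[0] in ROUTE_TYPES:
            rtype, tok = tok[0], tok[1:]
        dest = "::/0" if tok[0] == "default" else tok[0]
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        routes.append((ipaddress.ip_network(dest, strict=False), rtype, dev))
    return routes

def check_return_path(route_text, client, lan_dev):
    """Longest-prefix match for a LAN client's global address."""
    addr = ipaddress.ip_address(client)
    hits = [r for r in parse_routes(route_text) if addr in r[0]]
    if not hits:
        return "no route"
    net, rtype, dev = max(hits, key=lambda r: r[0].prefixlen)
    if rtype != "unicast":
        return f"{rtype} route {net}"
    if dev != lan_dev:
        return f"wrong interface: {net} via {dev}"
    return f"ok: {net} dev {dev}"

# Constructed sample tables (documentation prefix, assumed LAN interface eth1).
BROKEN = """\
fe80::/64 dev eth1 proto kernel metric 256 pref medium
default via fe80::200:ff:fe00:0 dev ppp0 metric 1024 pref medium
"""
FIXED = "2001:db8:1:1::/64 dev eth1 proto kernel metric 256 pref medium\n" + BROKEN
CLIENT = "2001:db8:1:1::42"  # constructed SLAAC-style client address

if __name__ == "__main__":
    print(check_return_path(BROKEN, CLIENT, "eth1"))
    print(check_return_path(FIXED, CLIENT, "eth1"))
```

On a live gateway, pass it the text of `ip -6 r` and one client's global address; a "wrong interface" result means replies for that client would be sent back out of the uplink instead of onto the LAN.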