
Originally asked on Network Engineering but told to ask here instead.

I'm having a problem with routing my own IPv6 prefix for anycast. I got my ASN and IPv6 /48 sponsored with RIPE and I am struggling to get it to work properly. Any pointers on things to check would be greatly appreciated.

My problem at the moment is the destination server (VPS) is receiving the requests and processing them but not sending a response.

I have set up a DNS server on the destination VPS, which is all working fine through the provider-supplied IPv4 and IPv6 addresses as well as working correctly via the LAN, but when I try to use it via an external connection it just hangs.

I have used the ping.pe mtr6 test, which stops responding once it hits my "Edge Router", and issued dig requests from remote machines to test that the DNS server is responding, but no luck.

I ran Wireshark using sshdump on the LAN vNIC that communicates with the "Edge Router" and can see the ICMPv6 and DNS requests coming into the correct server via the IPv6 address I set it to, so inbound works.

Wireshark shows, for the ICMPv6 requests:

126 17.162128   2001:19f0:7401:885e:5400:4ff:fe1e:3ed8  2001:67c:2284::1    ICMPv6  78  Echo (ping) request id=0x3532, seq=33089, hop limit=12 (no response found!)

NIC: enp1s0 (WAN)
NIC: enp6s0 (LAN)
NIC: bgp0 (dummy interface for my IP range; I did try it as an additional IP on enp6s0 with the same results)

Setup is as follows.

Edge Router: Vultr VPS with virtual private network
OS: Fedora 36
Routing: Bird2 announcing my /48 prefix and listening for OSPFv3 data
Firewall: iptables

ip -6 r:

::1 dev lo proto kernel metric 256 pref medium
unreachable ::/96 dev lo metric 1024 pref medium
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 pref medium
2001:67c:2284::/64 via fe80::1eb1:e0d5:55fd:df73 dev enp6s0 proto bird metric 32 pref medium
unreachable 2001:67c:2284::/48 dev lo proto bird metric 32 pref medium
unreachable 2002:a00::/24 dev lo metric 1024 pref medium
unreachable 2002:7f00::/24 dev lo metric 1024 pref medium
unreachable 2002:a9fe::/32 dev lo metric 1024 pref medium
unreachable 2002:ac10::/28 dev lo metric 1024 pref medium
unreachable 2002:c0a8::/32 dev lo metric 1024 pref medium
unreachable 2002:e000::/19 dev lo metric 1024 pref medium
2a05:f480:1000:3ba::/64 dev enp1s0 proto ra metric 100 pref medium
2a05:f480:1000:3ba::/64 dev enp1s0 proto kernel metric 256 expires 2591658sec pref medium
unreachable 3ffe:ffff::/32 dev lo metric 1024 pref medium
fd28:e0d9:543c:c651::/64 dev enp6s0 proto bird metric 32 pref medium
fd28:e0d9:543c:c651::/64 dev enp6s0 proto kernel metric 101 pref medium
fe80::/64 dev enp1s0 proto kernel metric 1024 pref medium
fe80::/64 dev enp6s0 proto kernel metric 1024 pref medium
default via fe80::fc00:4ff:fe1c:740d dev enp1s0 proto ra metric 100 pref medium
default via fe80::fc00:4ff:fe1c:740d dev enp1s0 proto ra metric 1024 expires 1458sec hoplimit 64 pref medium

ip6tables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp1s0 -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -i enp1s0 -o enp6s0 -j ACCEPT
-A FORWARD -i enp6s0 -o enp1so -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

systemd runs the following as an ExecStartPost for bird:

#!/bin/bash
# Enable forwarding so the edge router passes traffic between enp1s0 (WAN) and enp6s0 (LAN)
/usr/sbin/sysctl -w net.ipv4.ip_forward=1
/usr/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
/usr/sbin/sysctl -w net.ipv6.conf.default.forwarding=1
# accept_ra=2 keeps accepting router advertisements on the WAN side even though forwarding is on
/usr/sbin/sysctl -w net.ipv6.conf.enp1s0.accept_ra=2

DNS Server: Vultr VPS with virtual private network
OS: Fedora 36
Routing: Bird2 updating the "edge router's" routing table via OSPFv3
Firewall: iptables
DNS Server: PowerDNS

ip -6 r:

::1 dev lo proto kernel metric 256 pref medium
unreachable ::/96 dev lo metric 1024 pref medium
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 pref medium
2001:67c:2284::/64 dev bgp0 proto kernel metric 550 pref medium
unreachable 2002:a00::/24 dev lo metric 1024 pref medium
unreachable 2002:7f00::/24 dev lo metric 1024 pref medium
unreachable 2002:a9fe::/32 dev lo metric 1024 pref medium
unreachable 2002:ac10::/28 dev lo metric 1024 pref medium
unreachable 2002:c0a8::/32 dev lo metric 1024 pref medium
unreachable 2002:e000::/19 dev lo metric 1024 pref medium
2a05:f480:1000:210::/64 dev enp1s0 proto ra metric 100 pref medium
2a05:f480:1000:210::/64 dev enp1s0 proto kernel metric 256 expires 2591532sec pref medium
unreachable 3ffe:ffff::/32 dev lo metric 1024 pref medium
fd28:e0d9:543c:c651::/64 dev enp6s0 proto kernel metric 101 pref medium
fe80::/64 dev enp1s0 proto kernel metric 1024 pref medium
fe80::/64 dev enp6s0 proto kernel metric 1024 pref medium
fe80::/64 dev bgp0 proto kernel metric 1024 pref medium
default via fe80::fc00:4ff:fe17:2945 dev enp1s0 proto ra metric 100 pref medium
default via fe80::fc00:4ff:fe17:2945 dev enp1s0 proto ra metric 1024 expires 1332sec hoplimit 64 pref medium

ip6tables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
    Please don't add `solved` to your question. Instead, accept the answer that helped you most. Feel free to add your own answer if you want to add more information. – Gerald Schneider Sep 06 '22 at 13:21


I can see one typo that would disrupt egress traffic:

-A FORWARD -i enp6s0 -o enp1so -j ACCEPT

The output interface name is enp1so while it should be enp1s0. The effect would be that incoming traffic works, but any outgoing traffic, including replies, is rejected: the outside world would not see anything, while the inside world's attempts (or replies) would be rejected, probably not even leaving a trace of an ongoing connection in netstat.

To discover this kind of issue, ip6tables-save -c (emphasis on -c) can help by showing where rules don't match (no counter hits) when they should.

  • Strangely enough, I managed to fix it and saw this today; I fixed it by overriding the default gateway on the client. But your spot has also been updated, thank you for pointing that out. – Entrepreneur AJ Sep 06 '22 at 13:12
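As an added illustration of the ip6tables-save -c check suggested in the answer (this is not code from the question or the answer), the script below parses counter-prefixed ip6tables-save output and flags two things: rules that name an interface the host does not have, and ACCEPT rules that never matched while the chain's catch-all REJECT/DROP is counting packets. The sample ruleset and its counters are constructed from the edge router's rules in the question; the interface set is an assumed list that would normally be built from `ip -o link`.

```python
import re

# Constructed sample of `ip6tables-save -c` output, modelled on the edge
# router's ruleset in the question; the packet/byte counters are invented.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[812:65120] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
[154:12320] -A INPUT -p ipv6-icmp -j ACCEPT
[12:960] -A INPUT -i lo -j ACCEPT
[3:240] -A INPUT -i enp1s0 -j REJECT --reject-with icmp6-adm-prohibited
[40:4160] -A FORWARD -p ipv6-icmp -j ACCEPT
[27:2808] -A FORWARD -i enp1s0 -o enp6s0 -j ACCEPT
[0:0] -A FORWARD -i enp6s0 -o enp1so -j ACCEPT
[27:2808] -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
"""
# Interfaces present on the host. In real use build this from `ip -o link`;
# here it is an assumed set matching the NIC names given in the question.
KNOWN_IFACES = {"lo", "enp1s0", "enp6s0", "bgp0"}

RULE_RE = re.compile(r"^\[(\d+):\d+\]\s+-A\s+(\S+)\s+(.*)$")   # [pkts:bytes] -A CHAIN rule
IFACE_RE = re.compile(r"(?:^|\s)-([io])\s+(\S+)")               # -i / -o interface matches
TERMINAL_RE = re.compile(r"-j\s+(REJECT|DROP)\b")

def audit_rules(save_text, known_ifaces):
    """Return a list of (chain, rule, reason) for rules that look wrong."""
    rules = []  # (pkts, chain, rule) in file order
    for line in save_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    findings = []
    # A REJECT/DROP that is counting packets means traffic fell through the
    # ACCEPT rules above it in that chain; zero-hit ACCEPTs there are suspects.
    rejecting_chains = {c for p, c, r in rules if p > 0 and TERMINAL_RE.search(r)}
    for pkts, chain, rule in rules:
        for flag, iface in IFACE_RE.findall(rule):
            if iface not in known_ifaces:
                findings.append((chain, rule, f"-{flag} names unknown interface '{iface}'"))
        if pkts == 0 and "-j ACCEPT" in rule and chain in rejecting_chains:
            findings.append((chain, rule, "ACCEPT never matched while chain's REJECT/DROP is counting"))
    return findings

if __name__ == "__main__":
    for chain, rule, reason in audit_rules(SAMPLE_SAVE, KNOWN_IFACES):
        print(f"{chain}: {reason}\n    {rule}")
```

On the sample both checks point at the same FORWARD rule, the one with the enp1so typo.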