8

We now have 2013 and I thought it is long overdue to activate IPv6 on my server. But unfortunately, I ran into some problems. To be honest, I only have little experience with IPv6, so I hope you can help me with my "small" problem.

A small remark: The following addresses are obfuscated, it is not what I've used in my configs ;)

I am running a Debian squeeze (Debian 2.6.32-46) and I got a /64 IPv6 block from my provider: 2a01:4f8:a0:aaaa::/64

So I changed the /etc/network/interfaces file as follows (which is also the way my provider recommends it):

# Loopback device:
auto lo
iface lo inet loopback

# device: eth0
auto  eth0
iface eth0 inet static
  address   85.10.xxx.zz
  broadcast 85.10.xxx.yy
  netmask   255.255.255.224
  gateway   85.10.xxx.1


iface eth0 inet6 static
  # Main IPv6 Address of the server
  address 2a01:4f8:a0:aaaa::2
  netmask 64
  gateway fe80::1


auto eth0:1
iface eth0:1 inet static
        address 85.10.xxxx.uu
        netmask 255.255.255.224

# default route to access subnet
up route add -net 85.10.xxx.0 netmask 255.255.255.224 gw 85.10.xxx.1 eth0

After a reboot (I am lazy and didn't want to add everything using route or ip) my eth0 interface looks like this:

eth0      < first line removed >  
          inet addr:85.10.xxx.zz  Bcast:85.10.xxx.yy  Mask:255.255.255.224
          inet6 addr: 2a01:4f8:a0:aaaa::2/64 Scope:Global
          inet6 addr: fe80::bbbb:cccc:dddd:eeee/64 Scope:Link <--- from MAC address
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24133 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21712 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3464246 (3.3 MiB)  TX bytes:5776451 (5.5 MiB)
          Interrupt:25 Base address:0x2000 

and the routes ip -6 route look like this:

2a01:4f8:a0:aaaa::/64 dev eth0  metric 1024  mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev vboxnet0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
default via fe80::1 dev eth0  metric 1024  mtu 1500 advmss 1440 hoplimit 4294967295

Now, my problem is that my IPv6 isn't working properly. If I try to ping an IPv6 address e.g. ping6 ipv6.google.com. I get: "Destination unreachable: Address unreachable"

Which looks like this in tcpdump -i eth0 ip6:

00:29:05.386500 IP6 2a01:4f8:a0:aaaa::2 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has fe80::1, length 32
00:29:05.390869 IP6 2a01:4f8:a0:bbbb::1 > 2a01:4f8:a0:aaaa::2: ICMP6, neighbor advertisement, tgt is fe80::1, length 32

2a01:4f8:a0:bbbb::1 is btw. listed as my gateway (at my provider's online admin console).

I think, the reason for all this is the missing NDP entry / the missing MAC address of fe80::1. Because ip -6 neigh gives me:

fe80::1 dev eth0  router FAILED 

I think so because if I do: ping6 -I eth0 fe80::1 I get a proper echo reply and the desired mac address for my fe80::1 address as well as a perfectly working IPv6 stack:

$ ip -6 neigh
fe80::1 dev eth0 lladdr ll:mm:nn:oo:pp:qq router REACHABLE

Here is also again the dump from tcpdump -i eth0 ip6:

00:30:37.555702 IP6 fe80::bbbb:cccc:dddd:eeee > fe80::1: ICMP6, echo request, seq 1, length 64
00:30:37.560219 IP6 fe80::1 > fe80::bbbb:cccc:dddd:eeee: ICMP6, echo reply, seq 1, length 64

(again: fe80::bbbb:cccc:dddd:eeee is my link-local address, derived from the MAC address)

From this point on, I can use IPv6: I can ping6 websites, I can connect to services using IPv6 or even connect to my server via ssh using IPv6.

So, what am I doing wrong here? I've spent a lot of time trying to find out how to "fix" this. I bet it can be solved using two commands. This is by the way the first time I am dealing with IPv6 on a server. So please forgive me for my inexperience. Btw. I also tried to alter some sysctl net.ipv6.* flags, but without success. If it is necessary for the solution, I can also post my configuration here.

Every hint is more than welcome!

Thank you very much in advance!

5 Answers

10

I gave the whole problem another try today, a couple of weeks later. And what can I say, I fixed it. Can someone please explain to me why adding an IPv6 loopback fixed my problem? Here is what I've added to my /etc/network/interfaces file:

iface lo inet6 loopback

I have no idea why I forgot to add it in the first place!^^ Thank you all for your responses!

1

I am looking at the bit of your question where you say:

Now, my problem is that my IPv6 isn't working properly. If I try to ping an IPv6 address e.g. ping6 ipv6.google.com. I get: "Destination unreachable: Address unreachable"

Which looks like this in tcpdump -i eth0 ip6:

00:29:05.386500 IP6 2a01:4f8:a0:aaaa::2 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has fe80::1, length 32
00:29:05.390869 IP6 2a01:4f8:a0:bbbb::1 > 2a01:4f8:a0:aaaa::2: ICMP6, neighbor advertisement, tgt is fe80::1, length 32

This is strange. Your system sends a correct (as far as I can see from your tcpdump) neighbor solicitation and the router sends back a correct (again AFAICT) neighbor advertisement. That would indicate a problem on your local machine.

Do you do any firewalling on that machine? ICMPv6 filtering is very different from ICMP filtering. Many more parts of IPv6 communication need properly working ICMPv6. If you filter too much or in the wrong way you get problems exactly like you are seeing now.

If you want to know more details please take a look at RFC 4890.

Sander Steffann
  • Thank you for your response. At the beginning I had no firewall running at all. Later on I activated ip6tables and inserted: -A INPUT -p ipv6-icmp -j ACCEPT. But neither of these approaches worked. There is no other firewall configured. Only shorewall which is for IPv4 only since shorewall6 deals with IPv6. And it does not really make sense at all, because it works like a charm after pinging fe80::1. If I send a packet to fe80::1 with **ping6 -I eth0 fe80::1** I see other packages in tcpdump i.e. a neighbor solicitation from my link local address and not the global one, as I mentioned before. –  Feb 11 '13 at 11:18
  • Using link-local for neighbor solicitation messages is perfectly fine and nothing to worry about. *Something* makes your machine ignore certain incoming ICMPv6 messages though... Might be a kernel bug, might be something else... – Sander Steffann Feb 12 '13 at 14:20
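
The reasoning in the answer above (a correct solicitation and a correct advertisement on the wire, yet a FAILED neighbor entry, points at the local host) written out as an added example; it is not code from anyone in this thread. The helper names `addr`, `solicited_node` and `diagnose` are hypothetical, and the sample input is constructed from the captures quoted in the question.

```python
import ipaddress
import re
# Constructed sample input, shaped like the captures quoted in the question.
TCPDUMP = """\
00:29:05.386500 IP6 2a01:4f8:a0:aaaa::2 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has fe80::1, length 32
00:29:05.390869 IP6 2a01:4f8:a0:bbbb::1 > 2a01:4f8:a0:aaaa::2: ICMP6, neighbor advertisement, tgt is fe80::1, length 32
"""
NEIGH = "fe80::1 dev eth0  router FAILED\n"
ND_LINE = re.compile(
    r"IP6 \S+ > (?P<dst>[0-9a-fA-F:]+): ICMP6, neighbor "
    r"(?P<kind>solicitation, who has|advertisement, tgt is) (?P<tgt>[0-9a-fA-F:]+),"
)

def addr(text):
    """Parse an IPv6 address, or return None for anything else."""
    try:
        return ipaddress.IPv6Address(text)
    except ValueError:
        return None

def solicited_node(unicast):
    """ff02::1:ff00:0/104 plus the low 24 bits of the unicast address (RFC 4291)."""
    return ipaddress.IPv6Address(int(addr("ff02::1:ff00:0")) | int(addr(unicast)) & 0xFFFFFF)

def diagnose(tcpdump_text, neigh_text, gateway):
    """Hypothetical helper: correlate ND traffic on the wire with the neighbor cache."""
    gw = addr(gateway)
    ns_ok = na_seen = False
    for m in ND_LINE.finditer(tcpdump_text):
        if addr(m["tgt"]) != gw:
            continue  # neighbor discovery for some other target
        if m["kind"].startswith("solicitation"):
            ns_ok = addr(m["dst"]) == solicited_node(gateway)
        else:
            na_seen = True
    state = None
    for line in neigh_text.splitlines():
        fields = line.split()
        if fields and addr(fields[0]) == gw:
            state = fields[-1]  # last column of `ip -6 neigh` is the NUD state
    if state in ("REACHABLE", "STALE", "DELAY", "PROBE"):
        verdict = "gateway resolved"
    elif ns_ok and na_seen:
        verdict = "advertisement on the wire but not accepted: inspect the local host"
    elif ns_ok:
        verdict = "solicitation unanswered: inspect the router or the link"
    else:
        verdict = "inconclusive"
    return {"ns_ok": ns_ok, "na_seen": na_seen, "state": state, "verdict": verdict}
```

Calling `diagnose(TCPDUMP, NEIGH, "fe80::1")` on the question's data gives the "inspect the local host" verdict; feeding it the `REACHABLE` line seen after the manual ping gives "gateway resolved".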
0

Try using one of the actual addresses of the router as the default gateway, instead of fe80::1.

Michael Hampton
  • Which would be the gateway's IP address: 2a01:4f8:a0:bbbb::1. I already tried that. Unfortunately, that does not work either. –  Feb 11 '13 at 00:40
  • You sure about that? That's on a different subnet than your IP address. – Michael Hampton Feb 11 '13 at 00:44
  • You mean if I am sure about the address? I know what you mean, but that's what I've got from my provider. Just for fun I try the same network with ::1. Don't know why I haven't tried that yet. –  Feb 11 '13 at 00:49
  • UPDATE: 2a01:4f8:a0:aaaa::1 (same subnet) does not work either. –  Feb 11 '13 at 00:56
  • This isn't the Hetzner network is it? They have some weird configuration for IPv6 (such as default gateway outside your assigned subnet) – fukawi2 Feb 11 '13 at 02:04
  • 2
    Oh yes, if it's Hetzner all bets are off; they do so much strange stuff that your best bet is to have them sort it. – Michael Hampton Feb 11 '13 at 02:11
  • Yes, my provider is Hetzner. Hm so you are suggesting to contact them? :D –  Feb 11 '13 at 11:12
  • Yes: contact Hetzner. They made a mess of their IPv6 setup so only they know how to solve it (probably) – Sander Steffann Feb 12 '13 at 14:21
  • @wds And then how do you reach the gateway? – Michael Hampton Jul 09 '14 at 14:20
  • @MichaelHampton I got it slightly turned around, the on-link assumption does hold for your prefix (only in absence of routers it doesn't work). But anyway, you don't need any of that. The prefix can be advertised as on-link (after RS to the solicited-node mc address), there's static configuration (obviously), or as this provider does, you use a link-local address on the internal link of your router. You seem to suggest there's something wrong with that last one, but the link-local address _is_ an actual address, and works fine for routing. – wds Jul 10 '14 at 08:21
  • @wds `fe80::1` _should_ work, but we don't live in a perfect world. I've seen quite a few routers which utterly fail to respond to it. – Michael Hampton Jul 10 '14 at 11:39
  • @MichaelHampton presumably, an ISP that tells you to use a certain address will make sure that address is working and the router is routing traffic incoming on that interface. – wds Jul 14 '14 at 11:22
  • @wds With most service providers, that may be true. This is Hetzner. A brief Internet search - or even search of this site - will reveal just how bizarre and messed up their network is. – Michael Hampton Jul 14 '14 at 11:24
-1

Your gateway for IPv6 should be in the same subnet:

iface eth0 inet6 static
  # Main IPv6 Address of the server
  address 2a01:4f8:a0:aaaa::2
  netmask 64
  gateway fe80::1

Something like 2a01:4f8:a0:aaaa::1. This is set in the router or VLAN configuration; please check what you have in your router. A sample:

interface GigabitEthernet0/0/1.201
 encapsulation dot1Q 201
 ipv6 address 2A00:7XXX:100::1/48
!
Cem Karaca
  • 4
    This is not correct. While the gateway address is *generally* in the same subnet, this is not a requirement for IPv6. – devicenull May 23 '14 at 21:25
-1

The point is that IPv6 uses ICMPv6 to check link state as opposed to IPv4 where ARP serves this purpose. That's why after pinging everything starts working. Adjust your firewall rules:

ip6tables -A INPUT -p icmpv6 -j ACCEPT
  • 1
    I'm not sure this adds anything to Sander Steffann's existing answer, and from the comments on that, we know that it didn't fix the OP's problem. – MadHatter Feb 11 '17 at 09:53