1

I'm new to IPv6 but I thought it would work in the same way as IPv4 (in regards to configuring in IIS)

My domain name provider states that I need to set up the AAAA record, not the A record. As such I do, and I point to my server


I bind my website and choose the IPv6 address in IIS

I'm not using HTTPS, so binding on Port 80. All other sites work fine, but this is the only site where I'm attempting to use IPv6 (all others are IPv4)

I have added IPv6 to the firewall. Oddly, it doesn't even return from a ping. I did this by adding a new rule-> custom -> all programs -> ProtocolType:ICMPv6 and then clicked on Customize to ensure All ICMP types are selected -> scope (any IP address) -> Allow the connection and I applied this to Domain, Private and Public

If I ping 2001:4ba0:cafe:c54::1 from my VPS, it replies. However, it's not visible to the outside world!


Yet I've tested my site on http://ipv6-test.com/validate.php

The site in question is www.bmup.co.uk. If I browse it from within IIS, the site loads as expected so the issue is something to do with external requests.

If I perform a nslookup I get:

image

I have the issues (can't access via browser) from 3 machines in 2 different locations (although both in UK). The server is in Germany.

What can I do so I can view my website in a browser?

techraf

3 Answers

7

I can ping6 the IP address noted above from my office.

PING 2001:4ba0:cafe:c54::1(2001:4ba0:cafe:c54::1) 56 data bytes
64 bytes from 2001:4ba0:cafe:c54::1: icmp_seq=1 ttl=115 time=41.2 ms
64 bytes from 2001:4ba0:cafe:c54::1: icmp_seq=2 ttl=115 time=33.4 ms
64 bytes from 2001:4ba0:cafe:c54::1: icmp_seq=3 ttl=115 time=34.8 ms

When I access the website noted above, it says

This is my website! Hurray!

The IPvFoo plugin I use in chrome shows that all resources on the page are delivered using IPv6 from the IP address noted above.

IPvvFoo plugin result

I doubt that I am on your VPS so I guess that I'm part of the outside world and I don't appear to be having an issue.

Perhaps your part of the outside world is blocking or not IPv6 connected ?


> What can I do so I can view my website in a browser.

Deploy Scientific Method from your sysadmin toolkit and start being structured and methodical.

You know that your system is correctly configured to deliver web pages over IPv6, you have verified this locally and I have verified this from the outside world. This answers your headline and original question.

Now you want to know why you can't access it from 2 locations. So start gathering information

  • What is the (extended) error message displayed in your browser when you try to access the website ?

  • Are the locations you are unable to access the system from IPv6 enabled ?

  • Can you connect to any IPv6 resources on the wider internet? Try http://v6.testmyipv6.com/
  • Can you ping -6 / ping6 the server from those locations?
  • Can you telnet to the webserver port 80 on its IPv6 address?
  • Does a path checking tool like mtr reveal anything useful ?
  • etc

Seriously, we can't even begin to answer the extended question you have posed with the information you have provided.


> What an amazing edit. The fact I can't access v6.testmyipv6.com suggest that, as per your original answer, I'm just in an area which can't access IPv6?

IPv6 availability in the UK is not by area, it is by ISP. If you want IPv6 and your ISP doesn't (yet) provide it then you could try using a tunnel service e.g.

user9517
  • I'm... lost :S I've tried from 3 machines in 2 different locations. I can't even ping it, I get a "general transmit failure". I updated my question to show the error message. Both locations are in UK but work and home, so different networks etc... – MyDaftQuestions Jul 04 '16 at 07:45
  • What did you type in to access it via the browser? I guess not http://2001:4ba0:cafe:c54::1 – MyDaftQuestions Jul 04 '16 at 07:48
  • I typed in the URL in your image above. – user9517 Jul 04 '16 at 07:58
  • Can you think of any reason why my computers at work and home can't access the site? I'm based in N London, UK so I don't believe we're blocked for IPv6 – MyDaftQuestions Jul 04 '16 at 08:00
  • Also note that to access a plain IPv6 address over http, you have to enclose it in `[` and `]` e.g. `[2001:4ba0:cafe:c54::1]` which in the case of that address takes you to the default IIS8 page. – user9517 Jul 04 '16 at 08:01
  • What an amazing edit. The fact I can't access http://v6.testmyipv6.com/ suggest that, as per your original answer, I'm just in an area which can't access IPv6? `Seriously, we can't even begin to answer the extended question you have posed with the information you have provided.` But I think you have? – MyDaftQuestions Jul 04 '16 at 09:16
  • There aren't areas that can't access IPV6, there are only networks. Does your ISP offer IPV6 connectivity? It's not a matter of your ISP having to take action to block IPV6 but quite the reverse -- they have to do a lot of work to enable it. – Mike Scott Jul 04 '16 at 11:51
  • SixXS is [no longer accepting new signups](https://www.sixxs.net/news/2015/#callyourispforipv6-1201). – Michael Hampton Jul 04 '16 at 17:38
  • @MichaelHampton does that make it not worth an upvote? What do I have to do to get an upvote out of you? – user9517 Jul 04 '16 at 17:42
  • Ummm, I only have one account! – Michael Hampton Jul 04 '16 at 17:48
  • This is the answer, but I have to wait 11 hours before I can mark it as such... The points you gave have allowed me now to research in a productive manner (instead of me just hoping my google searches would help). Thanks – MyDaftQuestions Jul 04 '16 at 19:49
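
The checks listed in the answer above (is the client on an IPv6-capable network, does TCP port 80 answer on the IPv6 address, is the literal bracketed in the URL) can be run in one pass. This is an added example, not part of the original posts; the names `http_url`, `classify` and `probe` are chosen here for illustration.

```python
import errno
import ipaddress
import socket
import sys

def http_url(host, port=80):
    """Build an http:// URL; a bare IPv6 literal must be wrapped in [ ]."""
    try:
        if ipaddress.ip_address(host).version == 6:
            host = f"[{host}]"
    except ValueError:
        pass  # a DNS name, used as-is
    return f"http://{host}/" if port == 80 else f"http://{host}:{port}/"

def classify(exc):
    """Map the outcome of a TCP connect attempt to the most likely fault location."""
    if exc is None:
        return "ok: server answers on this port over IPv6"
    code = getattr(exc, "errno", None)
    if code in (errno.ENETUNREACH, errno.EHOSTUNREACH, errno.EADDRNOTAVAIL):
        return "no-route: no IPv6 route from this network (typical when the ISP offers no IPv6)"
    if code == errno.ECONNREFUSED:
        return "refused: host reachable, but nothing accepts connections on this port"
    if isinstance(exc, (socket.timeout, TimeoutError)) or code == errno.ETIMEDOUT:
        return "filtered: packets dropped on the path or by a firewall"
    return f"other: {exc}"

def probe(host, port=80, timeout=5.0,
          resolve=socket.getaddrinfo, connect=socket.create_connection):
    """Resolve the IPv6 addresses of host and try a TCP connect to each one."""
    try:
        infos = resolve(host, port, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [(host, f"dns: no IPv6 address found ({exc})")]
    results = []
    for addr in sorted({info[4][0] for info in infos}):
        try:
            connect((addr, port), timeout=timeout).close()
            results.append((addr, classify(None)))
        except OSError as exc:
            results.append((addr, classify(exc)))
    return results

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: v6probe.py HOSTNAME_OR_IPV6_ADDRESS")
    for addr, verdict in probe(sys.argv[1]):
        print(f"{http_url(addr)}  {verdict}")
```

A `no-route` verdict from the client side together with an `ok` verdict from a known IPv6-connected host points at the client network rather than the server or its firewall.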
3

Per your comments and other people's tests it seems that the most likely explanation is that your client systems simply don't have access to the IPv6 internet. Iain's answer does a great job of dealing with that side of things. This answer takes a broader view of the background surrounding your problem and your options for moving forward.

IPv4 and IPv6 are largely separate protocols. There are some transition mechanisms that can offer limited interoperability in some cases but they are all optional.

The idea with IPv6 was that we would all move from IPv4 to dual-stack configurations supporting both IPv4 and IPv6. Once everything was dual-stack then the process of dropping IPv4 could begin. The hope was that this would happen before IPv4 addresses ran out.

Unfortunately that didn't happen. Most organisations saw dual-stack as a lot of pain and little gain. It wasn't helped by the fact that the IPv6 proponents tried to make changes beyond fixing the address size issue, some of which were controversial (for example for a long time you couldn't get provider-independent IPv6 addresses because of routing table size concerns).

There was a transition mechanism called Teredo which was supposed to allow IPv4-only hosts behind NATs to interoperate with IPv6-only hosts. However, due to concerns of bypassing firewalls, Microsoft only enabled it by default on networks where no domain controller was detected (and I've seen false positives in the domain controller detection). It's also not great for performance and reliability. A couple of years ago MS was talking about disabling their public Teredo server, essentially disabling Teredo by default for everyone, but I'm not sure if they actually went through with it.

Now, with IPv4 exhaustion at the RIR level a reality, some ISPs are finally starting to take IPv6 seriously but there is still a large proportion of internet users without IPv6 connectivity and there probably will be for at least another couple of years.

So what are your options?

  1. If you have a closed client group then you may be able to ensure all client machines have IPv6 connectivity, either through native support from their ISP, through a transition mechanism like Teredo or 6to4 or through a point-to-point tunnel from a tunneling provider. This is not practical if your site needs to be accessible from the "internet in general".

  2. You could just get an IPv4 address for the service, unfortunately this option is likely to get more expensive over time as the IPv4 crisis bites deeper.

  3. You could use a reverse proxy that accepts client connections over IPv4 and forwards them to your servers over IPv6. The proxy can share one IPv4 address between multiple IPv6 origin servers. This proxy may be operated by yourself (if you have multiple servers), it may be provided by your hosting provider (Mythic Beasts is the only provider I'm aware of who do this) or it may be an external service (for example Cloudflare).

Peter Green
0

The image below shows a simple echo request and reply to an IPv6-capable website. As you can see, the Ping command includes the -6 flag, which forces Ping to use IPv6. If all goes well, you should see a reply. If you have a native IPv6 connection to the Internet, the response should be quite speedy. In the example shown in Figure 4, the response time is quite high, because I'm running IPv6 in an IPv4 tunnel with a tunnel broker (i.e., a company that provides IPv6 connectivity). If your echo request fails to elicit a reply, there might be a firewall or other networking device blocking ICMPv6 somewhere between your Windows system and the target.

enter image description here

When using firewalls and routers, you need to configure them with rules largely similar to those used for IPv4 networks. Your existing IPv4 rules won't work for the most part. The exception is when the rules are network-layer independent and focus on transport-layer protocols (TCP or UDP) and ports. Whatever you do, no matter how tempted you are, don't configure an IPv6 default rule that allows all traffic to flow between IPv6 interfaces in order to troubleshoot IPv6 connectivity. Cyber criminals, cyber terrorists, and nation states engaged in cyber warfare activities are all proficient in using IPv6.

Mark Twain