I have a VPN server that acts as my IPv6 connection to the Internet. The setup is like this:

I have been assigned a /48 address pool that I want to subnet to my VPN clients. For argument's sake, let's call the pool 2001:DB8:CAFE::/48.

I have split that network up into the following parts:

- `2001:DB8:CAFE::/64` is assigned to the actual VPN link between the VPN server and each client
- `2001:DB8:CAFE:100::/56` is assigned to the network behind Client 1
- `2001:DB8:CAFE:200::/56` is assigned to the network behind Client 2

This gives us this layout:

+--------------+  2001:470:xxxx:xxx::/64  +---------------+     /-> Client 1 network (2001:DB8:CAFE:100::/56)
|              + <-- Tunnelbroker link -> +               |    /
| The internet |                          | My VPN Server + <-*---> VPN link - network topology (2001:DB8:CAFE::/64)
|              + <- Native IPv6 link ---> +               |    \
+--------------+ 2a01:xxxx:xxxx:xxxx::/48 +---------------+     \-> Client 2 network (2001:DB8:CAFE:200::/56)

What I want is that all traffic coming from 2001:DB8:CAFE::/48 is routed over my Tunnelbroker link, and only that link.

This leads me to the following script:

# Reset IPv6 routing table.
ip -6 rule flush

# Reset Tunnelbroker routing table (table name: "he-ipv6").
ip -6 route flush table he-ipv6

# Add routable VPN subnets to Tunnelbroker routing table
ip -6 rule add from 2001:DB8:CAFE::/48 table he-ipv6

# Any traffic that originates from VPN has to be forwarded via Tunnelbroker routing table 
# using the tunnelbroker link (link name: he-ipv6).
ip -6 route add default via 2001:470:xxxx:xxx::1 dev he-ipv6 table he-ipv6

# Add default IPv6 rules again - since they get deleted by the initial rule flush command.
ip -6 rule add priority 32766 from all table main

However, when I run the `ip -6 route add default ...` command, I get the following error back:

RTNETLINK answers: No route to host

The problem is that I could ping `2001:470:xxxx:xxx::1` before I ran the script, but not after.

What am I missing?


D'oh! Order of commands matters.

The reason the command `ip -6 route add default via 2001:470:xxxx:xxx::1 dev he-ipv6 table he-ipv6` didn't work was that the route was defined in the main table.

But since the initial flush command removes the main table, you have to add it again before you run the `ip route default` command.

The correct script is therefore:

# Reset IPv6 routing table.
ip -6 rule flush

# Add default IPv6 rules again - since they get deleted by the initial rule flush command.
ip -6 rule add priority 32766 from all table main

# Reset Tunnelbroker routing table (table name: "he-ipv6").
ip -6 route flush table he-ipv6

# Add routable VPN subnets to Tunnelbroker routing table
ip -6 rule add from 2001:DB8:CAFE::/48 table he-ipv6

# Remember to add a rule so that if no machine responds to a
# packet addressed to my /48, we return unreachable. Otherwise
# the packet will be forwarded by default out through the
# Hurricane Electric connection.

#(From the Internet)
ip -6 route add unreachable 2001:DB8:CAFE::/48

#(From my /48 subnet)
ip -6 route add unreachable 2001:DB8:CAFE::/48 table he-ipv6

# Any traffic that originates from VPN has to be forwarded via Tunnelbroker routing table 
# using the tunnelbroker link (link name: he-ipv6).
ip -6 route add default via 2001:470:xxxx:xxx::1 dev he-ipv6 table he-ipv6

I will leave the question and answer in here, since I am probably not the only one trying to do IPv6 routing based on source.

The most recent information I have found on the subject was from 2010.
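The order dependence the answer describes, and the job the two `unreachable` routes do, can be checked against a small model of the kernel's rule-then-table lookup. This is an added example, not code from the post; the Tunnelbroker addresses are documentation-range stand-ins for the masked `2001:470:xxxx:xxx::` values, the `he-ipv6` rule priority is a model choice, and the gateway check is a simplification of what the kernel does.

```python
import ipaddress
from collections import namedtuple

# Constructed stand-ins: the post masks its Tunnelbroker link as 2001:470:xxxx:xxx::/64,
# so a documentation prefix stands in for it here.
HE_LINK, HE_GW = "2001:db8:470::/64", "2001:db8:470::1"
VPN_POOL = "2001:DB8:CAFE::/48"
Route = namedtuple("Route", "prefix via unreachable")  # via is None for a connected route


class Rib:
    """Simplified Linux policy routing: rules by priority, longest prefix in the chosen table."""

    def __init__(self):
        self.rules = []   # (priority, source prefix or None, table)
        self.tables = {}  # table -> list[Route]

    def rule_add(self, table, priority, src=None):
        self.rules.append((priority, ipaddress.IPv6Network(src) if src else None, table))
        self.rules.sort(key=lambda r: r[0])

    def route_add(self, table, prefix, via=None, unreachable=False):
        gw = ipaddress.IPv6Address(via) if via else None
        if gw is not None and self.lookup(None, gw) != "connected":  # kernel's gateway check
            raise OSError("RTNETLINK answers: No route to host")
        self.tables.setdefault(table, []).append(Route(ipaddress.IPv6Network(prefix), gw, unreachable))

    def lookup(self, src, dst):
        dst, src = ipaddress.IPv6Address(dst), (ipaddress.IPv6Address(src) if src else None)
        for _, net, table in self.rules:
            if net is not None and (src is None or src not in net):
                continue  # the rule's "from" does not match this packet
            hits = [r for r in self.tables.get(table, []) if dst in r.prefix]
            if hits:  # no match in this table falls through to the next rule
                best = max(hits, key=lambda r: r.prefix.prefixlen)
                return "unreachable" if best.unreachable else (
                    "connected" if best.via is None else f"via {best.via}")
        return "no route"


def build(main_rule_first):
    """Replay the post's script in either order; the broken order raises OSError."""
    rib = Rib()
    rib.route_add("main", HE_LINK)     # pre-flush state: the he-ipv6 link route is in main
    rib.rules.clear()                  # ip -6 rule flush
    if main_rule_first:
        rib.rule_add("main", 32766)    # the answer's fix: restore main before adding routes
    rib.rule_add("he-ipv6", 32765, src=VPN_POOL)  # lower number than main, so tried first
    rib.route_add("main", VPN_POOL, unreachable=True)
    rib.route_add("he-ipv6", VPN_POOL, unreachable=True)
    rib.route_add("he-ipv6", "::/0", via=HE_GW)   # fails if the main rule is still missing
    return rib
```

`build(True)` replays the answer's order; a packet from a client to an unassigned part of the /48 is rejected instead of leaving via the Tunnelbroker default route, while `build(False)` reproduces the question's error.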