# ping -6 google.fr
PING google.fr (2a00:1450:4007:808::2003): 56 data bytes
64 bytes from 2a00:1450:4007:808::2003: seq=0 ttl=116 time=12.530 ms
# traceroute -6 google.fr
traceroute to google.fr (2a00:1450:4007:808::2003), 30 hops max, 64 byte packets
1 2a01:e0a:22a:xxxx::1 (2a01:e0a:22a:xxxx::1) 0.448 ms 0.412 ms 0.405 ms
2 2a01:e01:4:f836:8c82::ffff (2a01:e01:4:f836:8c82::ffff) 4.156 ms 3.340 ms 2.684 ms
Envoi d’une requête 'Ping' fe80::b27f:b9ff:yyyy:1fd6 avec 32 octets de données :
Réponse de fe80::b27f:b9ff:yyyy:1fd6 : temps<1ms
$ ping -6 google.fr
Envoi d’une requête 'ping' sur google.fr [2a00:1450:4007:808::2003] avec 32 octets de données :
Délai d’attente de la demande dépassé.
You can see that I cannot ping outside:
I think I forgot a "bridge" between both router interfaces eth0 and br0
I also tried DHCP with prefix delegation with a radvd prefix config but I have exactly the same issue.
Does someone have an idea about this issue?
Thanks,
========== [Solved] ==========
So, my ISP box is plugged into the DD-WRT WAN port.
1/ First I configured my ISP Box.
- I didn't enable DHCPv6
- I didn't enable the IPv6 firewall
- I set the link-local address of the DD-WRT WAN interface (eth0) as Next Hop of 2 /64 prefixes of my ISP
> 2a01:e0a:22a:xxx0::/64 => fe80::b27f:b9ff:yyyy:1fd7 => Optional - For router itself
> 2a01:e0a:22a:xxx1::/64 => fe80::b27f:b9ff:yyyy:1fd7 => For LAN behind the router
# Add a route to indicate how to access the LAN network
ip -6 route add 2a01:e0a:22a:xxx1::/64 dev br0
# Optional but avoids waiting on connection. It seems that the box takes a lot of time (~ 5-10 minutes) to emit Router Advertisement
# Add default route to the ISP box
ip -6 route add default via fe80::8e97:eaff:wwww:a52a dev eth0
# Add public address in the WAN interface
ip -6 address add 2a01:e0a:22a:xxx0:b27f:b9ff:yyyy:1fd7/64 dev eth0
- Admin / shell / firewall: DD-WRT and LAN security firewall rules:
ip6tables -I INPUT -m state --state NEW -i eth0 -m multiport -p tcp --dport 22,443 -j ACCEPT
ip6tables -I FORWARD -m state --state NEW -i eth0 -o br0 -m multiport -p tcp -j ACCEPT \
-d 2a01:e0a:22a:xxx1:211:32ff:vvvv:5b --dport 443,8181
Last edited by xes_ on Sun Nov 01, 2020 13:32; edited 5 times in total
Envoi d’une requête 'Ping' fe80::b27f:b9ff:yyyy:1fd7 avec 32 octets de données :
Impossible de joindre l’hôte de destination.
$ ping 2a01:e0a:22a:xxxx:b27f:b9ff:yyyy:1fd7
Envoi d’une requête 'Ping' 2a01:e0a:22a:xxxx:b27f:b9ff:yyyy:1fd7 avec 32 octets de données :
Impossible de joindre l’hôte de destination.
My ISP does both SLAAC and DHCPv6. I can enable DHCPv6 or not, but I tried both and it doesn't work.
On the DDWRT:
Code:
# route -A inet6
Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
2a01:e0a:22a:xxxx::/64 :: UA 256 2 504 eth0
fe80::/64 :: U 256 2 760 br0
fe80::/64 :: U 256 0 0 eth1
fe80::/64 :: U 256 0 0 ath0
fe80::/64 :: U 256 0 0 ath1
fe80::/64 :: U 256 0 0 ath1.1
fe80::/64 :: U 256 0 0 eth0
fe80::/64 :: U 256 0 0 tun2
::/0 fe80::8e97:eaff:wwww:a52a UGDA 1024 2 2533 eth0
::/0 :: U 2048 2 1039 eth0
::/0 :: !n -1 1 4943 lo
::1/128 :: Un 0 3 25 lo
2a01:e0a:22a:xxxx::/128 :: Un 0 1 0 lo
2a01:e0a:22a:xxxx:b27f:b9ff:yyyy:1fd7/128 :: Un 0 3 172 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::76cc:628c:vvvv:2d5/128 :: Un 0 1 0 lo
fe80::b07f:b9ff:yyyy:1fd9/128 :: Un 0 1 0 lo
fe80::b27f:b9ff:yyyy:1fd6/128 :: Un 0 3 1277 lo
fe80::b27f:b9ff:yyyy:1fd6/128 :: Un 0 1 0 lo
fe80::b27f:b9ff:yyyy:1fd7/128 :: Un 0 3 339 lo
fe80::b27f:b9ff:yyyy:1fd8/128 :: Un 0 1 0 lo
fe80::b27f:b9ff:yyyy:1fd9/128 :: Un 0 1 0 lo
ff00::/8 :: U 256 2 2841 br0
ff00::/8 :: U 256 0 0 eth1
ff00::/8 :: U 256 0 0 ath0
ff00::/8 :: U 256 0 0 ath1
ff00::/8 :: U 256 0 0 ath1.1
ff00::/8 :: U 256 2 3126 eth0
ff00::/8 :: U 256 0 0 tun2
ff00::/8 :: U 256 0 0 oet1
::/0 :: !n -1 1 4943 lo
On the Windows:
Code:
$ netsh interface ipv6 show route
Publier Type Mét Préfixe Idx Nom passerelle/interface
------- -------- --- ------------------------ --- ------------------------
Non Manuel 256 ::/0 9 fe80::b27f:b9ff:yyyy:1fd6
Non Système 256 ::1/128 1 Loopback Pseudo-Interface 1
Non Manuel 256 2a01:e0a:22a:xxxx::/64 9 Ethernet 6
Non Système 256 2a01:e0a:22a:xxxx:6dbc:aa69:23f4:df31/128 9 Ethernet 6
Non Système 256 2a01:e0a:22a:xxxx:c8c7:41f1:b383:4885/128 9 Ethernet 6
Non Système 256 fe80::/64 8 Ethernet 3
Non Système 256 fe80::/64 10 Connexion réseau Bluetooth 3
Non Système 256 fe80::/64 4 Wi-Fi
Non Système 256 fe80::/64 9 Ethernet 6
Non Système 256 fe80::/64 68 vEthernet (WSL)
Non Système 256 fe80::/64 20 Connexion au réseau local* 3
Non Système 256 fe80::/64 13 VMware Network Adapter VMnet8
Non Système 256 fe80::/64 30 VMware Network Adapter VMnet1
Non Système 256 fe80::/64 23 Ethernet 9
Non Système 256 fe80::/64 31 vEthernet (Default Switch)
Non Système 256 fe80::/64 22 Connexion au réseau local* 12
Non Système 256 fe80::545:ea92:tttt:590f/128 23 Ethernet 9
Non Système 256 fe80::280d:bb62:tttt:46c9/128 31 vEthernet (Default Switch)
Non Système 256 fe80::554a:6e3c:tttt:e4dc/128 68 vEthernet (WSL)
Non Système 256 fe80::600d:2bb3:tttt:ca25/128 4 Wi-Fi
Non Système 256 fe80::6054:87b8:tttt:1fce/128 10 Connexion réseau Bluetooth 3
Non Système 256 fe80::6dbc:aa69:tttt:df31/128 9 Ethernet 6
Non Système 256 fe80::8838:61e4:tttt:d8d2/128 22 Connexion au réseau local* 12
Non Système 256 fe80::ac0d:5986:tttt:c3be/128 30 VMware Network Adapter VMnet1
Non Système 256 fe80::c5f3:4516:tttt:57d6/128 8 Ethernet 3
Non Système 256 fe80::c880:2a70:tttt:716c/128 20 Connexion au réseau local* 3
Non Système 256 fe80::d154:9421:tttt:8641/128 13 VMware Network Adapter VMnet8
Non Système 256 ff00::/8 1 Loopback Pseudo-Interface 1
Non Système 256 ff00::/8 8 Ethernet 3
Non Système 256 ff00::/8 10 Connexion réseau Bluetooth 3
Non Système 256 ff00::/8 4 Wi-Fi
Non Système 256 ff00::/8 9 Ethernet 6
Non Système 256 ff00::/8 68 vEthernet (WSL)
Non Système 256 ff00::/8 20 Connexion au réseau local* 3
Non Système 256 ff00::/8 13 VMware Network Adapter VMnet8
Non Système 256 ff00::/8 30 VMware Network Adapter VMnet1
Non Système 256 ff00::/8 23 Ethernet 9
Non Système 256 ff00::/8 31 vEthernet (Default Switch)
Non Système 256 ff00::/8 22 Connexion au réseau local* 12
I see that you already did the local-link IPv6 ping and that it worked; that was here:
xes_ wrote:
$ ping -6 fe80::b27f:b9ff:yyyy:1fd6
Envoi d’une requête 'Ping' fe80::b27f:b9ff:yyyy:1fd6 avec 32 octets de données :
Réponse de fe80::b27f:b9ff:yyyy:1fd6 : temps<1ms
This means that you are able to ping the link-local address of the router (i.e. the Windows machine connects to the router), which was what I was wanting to do in the first place.
I see that you have VMware adapters up and running. I have had it happen before that with a virtual machine adapter up and running the system will send the packets there. So a sanity thing would be to bring down all of the VMware interfaces.
I do not see it right now, but on the router can you run:
ip6tables -vnL
and
ip6tables -t raw -vnL
and
ip6tables -t mangle -vnL
I need to check something myself/my notes. Will come back later.
I think I am just not seeing it currently. I know I have done this before but I am seeing too many IPv6 letters and such that it is all blurring together.
Envoi d’une requête 'ping' sur google.fr [2a00:1450:4007:808::2003] avec 32 octets de données :
Défaillance générale.
I am really surprised about this issue.
It seems really simple. I have 2 interfaces on my router. One for WAN and one for LAN.
IPv6 works on my router and my PC on the LAN has a correct IPv6 but it seems there is no link between both interfaces.
Tell me if I'm wrong, but I see everywhere that IPv6 has been ready for a long time, yet when I take a look at a home "router" like the Netgear R7800, it seems not true.
When I take a look at firmwares:
- netgear official
- dd-wrt
- potato
and even other that I can see on Internet,
Ipv6 settings are very poor.
I know that there is no need for NAT anymore, but on DD-WRT for instance (but it's true for others), we should have something to easily filter input ports/IPs from the Internet for security (firewall).
Instead of that, we need to write iptables rules, else all machines on the LAN are exposed directly from the Internet.
Joined: 13 Aug 2013 Posts: 6858 Location: Romerike, Norway
Posted: Sat Oct 31, 2020 21:05 Post subject:
Do you connect the router directly to the ISP, or do you have another router upstream?
Most ISP routers do not have a wide dhcp6 server. You will not get a delegated prefix, but only a single end node address on the WAN with no addresses for the clients behind the router.
@xes_
Yes, I have found the same thing. PFsense does a good job though.
I am not a fan of IPv6 because of the underlying assumption that everything has to be on a "flat" space. Yes I get why everything should be routeable, but not every device needs a fully public IPv6 address, in my opinion.
@Per Yngve Berg
I have set up the exact example with virtual box and 3 VMs.
1. A PFsense router fully deploying IPv6
2. DD-WRT (with WAN) to LAN of PFsense, and (LAN)
3. Linux machine with network connected to LAN of DD-WRT
PFsense properly responds to its IPv6 address and hands out the prefix delegation.
DD-WRT only picks up a WAN IPv6 address through SLAAC (so I had to enable that on PFsense), but it easily picks up the delegated prefix from PFsense and assigns that to LAN, and the Linux machine gets its proper IPv6 address.
What ends up happening (through a packet capture) is that when the ping6 is routed to the PFsense router, PFsense does a neighbor discover and then DD-WRT never responds to the IPv6 neighbor solicitations on the WAN interface for the LAN addresses. So the reply goes nowhere.
That is what I cannot figure out is why DD-WRT does not respond...
I can ping6 from PFsense to DD-WRT (and back), I can ping6 from DD-WRT to Linux (and back), and DD-WRT even responds to its WAN ipv6 from the Linux (or LAN side), but DD-WRT does not respond to its LAN address from the WAN side because of this no response
Since I am on an x86 VM it does have the full IPv6 NAT tables and I can masquerade, but on a Broadcom/Atheros router that is not present, and if I am masquerading that is essentially doing NAT, which defeats the purpose.
Posted: Sat Oct 31, 2020 21:36 Post subject:
Wildlion wrote:
What ends up happening (through a packet capture) is that when the ping6 is routed to the PFsense router, PFsense does a neighbor discover and then DD-WRT never responds to the IPv6 neighbor solicitations on the WAN interface for the LAN addresses. So the reply goes nowhere.
The LAN addresses are not neighbours of Pfsense. They are on a different sub-net. I presume you have allocated a PD larger than 64 from your ISP. Then you break it up to 64 sub-nets, one for the PFsense network and another behind dd-wrt.
On the Live setup I have my ISP gave me a /56 so yes, those are handed out as /64s.
In this scenario this is just a VM, the PFsense router is virtualized. It does not have a WAN IPv6 address, only a LAN IPv6 address.
So on the PFsense LAN address I have a static IPv6 address assigned as:
2001:db8:0:2011::1/64
Then in the dhcpv6 prefix delegation
2001:db8:0:115:: - 2001:db8:0:117:: by /64
The DD-WRT VM picks up:
Code:
1: lo: <LOOPBACK,MULTICAST,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2001:db8:0:2011:a00:27ff:fec3:e687/64 scope global dynamic
valid_lft 86393sec preferred_lft 14393sec
inet6 fe80::a00:27ff:fec3:e687/64 scope link
valid_lft forever preferred_lft forever
6: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::a00:27ff:fe8f:1dd7/64 scope link
valid_lft forever preferred_lft forever
9: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2001:db8:0:2017:200:ff:fe00:0/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe8f:1dd7/64 scope link
valid_lft forever preferred_lft forever
and the linux VM picks up:
Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2001:db8:0:2017::1000/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe5b:4d54/64 scope link
valid_lft forever preferred_lft forever
PFsense VM can ping6 DD-WRT VM
DD-WRT VM can ping6 both PFsense VM and Linux VM
Linux VM can ping6 DD-WRT VM
Linux VM and PFsense VM cannot ping6 each other.
PFsense VM does record the ipv6-icmp packet, but when it does the solicitation to see where to route, the DD-WRT VM never responds to this. (Sorry for the different IPv6 address at the end but I have been playing around.)
And yes I switched to the ipv6 documentation prefix, but the actual addresses are fully routable, so that is why picture has black marks.
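Added example, not part of any post in this thread: a small model of the upstream router's forwarding decision, showing the difference between an address it treats as an on-link neighbour (it sends a Neighbor Solicitation for it) and a /64 it routes to the DD-WRT WAN link-local, as in the [Solved] post. The prefixes and link-local address are the documentation values posted above; the interface name `lan`, the route tables and the address `2001:db8:0:2011::1000` are constructed assumptions.

```python
import ipaddress

def next_step(routes, dst):
    """Longest-prefix match over (prefix, next_hop, iface) entries.

    next_hop=None marks an on-link prefix: the router resolves dst itself
    with a Neighbor Solicitation on iface instead of handing it to a router.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        return ("unreachable", None, None)
    _, next_hop, iface = best
    if next_hop is None:
        return ("solicit", str(addr), iface)
    return ("forward", next_hop, iface)

# Constructed tables for the upstream router. The prefixes and the DD-WRT
# WAN link-local are the documentation values posted in the thread; the
# interface name "lan" and the table contents are assumptions.
DDWRT_WAN_LL = "fe80::a00:27ff:fec3:e687"
LAN_HOST = "2001:db8:0:2017::1000"           # host behind DD-WRT (br0 prefix)
SAME_PREFIX_HOST = "2001:db8:0:2011::1000"   # constructed: LAN host reusing the WAN /64

CONNECTED_ONLY = [("2001:db8:0:2011::/64", None, "lan")]
WITH_STATIC_ROUTE = CONNECTED_ONLY + [
    ("2001:db8:0:2017::/64", DDWRT_WAN_LL, "lan"),
]

if __name__ == "__main__":
    cases = [
        ("same /64 on both sides", CONNECTED_ONLY, SAME_PREFIX_HOST),
        ("second /64, no route", CONNECTED_ONLY, LAN_HOST),
        ("second /64, routed via DD-WRT", WITH_STATIC_ROUTE, LAN_HOST),
    ]
    for label, table, dst in cases:
        print(f"{label:32} {dst:24} -> {next_step(table, dst)}")
```

A `solicit` result for an address that actually sits behind the DD-WRT only gets an answer if the DD-WRT proxies neighbor discovery on its WAN side; a `forward` result needs a neighbor reply only for the DD-WRT's own link-local address.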