Binding to random IP from IPv6 subnet (/64) doesn't work

I got a scaleway.com server (DEV1-S) which offers me a /64 IPv6 subnet. I want to use an IP from this subnet to make an HTTP request (will use wget in the examples) but I can't get it to work. The request (with wget but also with other programs & programming languages) will hang.

The IPv6 address is 2001:bc8:1830:1b18::1, the gateway is 2001:bc8:1830:1b18:: and the netmask is 64.

Running ip -6 addr, on the clean / just created server, will output the following:

root@test:~# ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:bc8:1830:1b18::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::dc2e:4cff:fe57:a019/64 scope link 
       valid_lft forever preferred_lft forever

I read on forums and other questions/answers that in order for you to be able to bind to an address from a subnet, you need to run the following commands:

ip add add local 2001:bc8:1830:1b18::/64 dev lo
ip route add local 2001:bc8:1830:1b18::/64 dev ens2
sysctl -w net.ipv6.ip_nonlocal_bind=1

After these commands, the output of ip -6 addr is the following:

root@test:~# ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 2001:bc8:1830:1b18::/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:bc8:1830:1b18::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::dc2e:4cff:fe57:a019/64 scope link 
       valid_lft forever preferred_lft forever

I can now ping6 e.g. 2001:bc8:1830:1b18::9 instead of only 2001:bc8:1830:1b18::1, but only from my own server. Not from other servers/networks.

Without the sysctl -w net.ipv6.ip_nonlocal_bind=1, wget would return this:

root@test:~# wget --bind-address=2001:bc8:1830:1b18::2 -v google.com
--2021-08-13 00:29:45--  http://google.com/
Resolving google.com (google.com)... 2a00:1450:400e:802::200e, 142.250.179.174
Connecting to google.com (google.com)|2a00:1450:400e:802::200e|:80... failed: Cannot assign requested address.
Connecting to google.com (google.com)|142.250.179.174|:80... failed: Address family not supported by protocol.

Now after the 3 commands, when I run wget with the --bind-address flag set to an address in the subnet other than 2001:bc8:1830:1b18::1, the request will hang forever:

root@test:~# wget --bind-address=2001:bc8:1830:1b18::1 google.com
--2021-08-12 23:55:48--  http://google.com/
Resolving google.com (google.com)... 2a00:1450:400e:802::200e, 142.250.179.174
Connecting to google.com (google.com)|2a00:1450:400e:802::200e|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.com/ [following]
--2021-08-12 23:55:48--  http://www.google.com/
Resolving www.google.com (www.google.com)... 2a00:1450:400e:80f::2004, 142.251.36.4
Connecting to www.google.com (www.google.com)|2a00:1450:400e:80f::2004|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html                                                                       [ <=>                                                                                                                                                                                         ]  13.03K  --.-KB/s    in 0.009s  

2021-08-12 23:55:48 (1.44 MB/s) - ‘index.html’ saved [13342]

root@test:~# wget --bind-address=2001:bc8:1830:1b18::2 google.com
--2021-08-12 23:55:52--  http://google.com/
Resolving google.com (google.com)... 2a00:1450:400e:802::200e, 142.250.179.174
Connecting to google.com (google.com)|2a00:1450:400e:802::200e|:80... 

lsof for the wget process says the following:

wget 3413 root 3u IPv6 58660 0t0 TCP [2001:bc8:1830:1b18::2]:56623->ams15s41-in-x0e.1e100.net:http (SYN_SENT)

What am I doing wrong? Thanks a lot in advance!

Michael Hampton:
This process only allows for accepting incoming connections on the specified network. It does not support outgoing connections. Add such IPv6 addresses directly to the network interface.
003random:
@MichaelHampton thanks for your reply. I can confirm that it works when I add the IPs I want to use directly to the interface, but this wouldn't scale, right? There are a lot of addresses in the subnet and I bet adding all of them to the interface wouldn't go well. I read something about freebind and anyIP. Do those also only apply to incoming connections?
Michael Hampton:
Yes, FreeBind and AnyIP apply to incoming connections, and yes, it doesn't scale very well to add individual addresses to the interface. Adding large numbers of addresses for outgoing connections is not something one would normally do or even think about. Do you _really_ need to do that? I would guess that you do not.
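
An added diagnostic, not part of the thread: it parses `ip -6 addr` output (the question's post-change output, abridged and embedded as sample data) and reports whether a candidate source address is actually assigned to an interface or only falls inside a listed prefix, the case the comments describe as working for incoming but not outgoing connections. The function names are hypothetical; `probe` is an optional live check that turns the SYN_SENT hang into a timeout.

```python
import errno
import ipaddress
import re
import socket

# Sample input: `ip -6 addr` output from the question after the three commands (abridged).
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 2001:bc8:1830:1b18::/64 scope global
    inet6 ::1/128 scope host
2: ens2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:bc8:1830:1b18::1/64 scope global
    inet6 fe80::dc2e:4cff:fe57:a019/64 scope link
"""

def parse_ip6_addr(text):
    """Return [(ifname, IPv6Interface)] parsed from `ip -6 addr` output."""
    entries, ifname = [], None
    for line in text.splitlines():
        head = re.match(r"\d+:\s+([^:@\s]+)", line)
        inet6 = re.match(r"\s+inet6\s+(\S+)", line)
        if head:
            ifname = head.group(1)
        elif inet6 and ifname:
            entries.append((ifname, ipaddress.IPv6Interface(inet6.group(1))))
    return entries

def classify_source(candidate, entries):
    """'assigned' = exact address on an interface; 'prefix-only' = merely inside a listed prefix."""
    addr = ipaddress.IPv6Address(candidate)
    exact = [name for name, iface in entries if iface.ip == addr]
    if exact:
        return ("assigned", exact[0])
    covered = [name for name, iface in entries if addr in iface.network]
    return ("prefix-only", covered[0]) if covered else ("not-local", None)

def probe(source, host, port=80, timeout=5.0):
    """Live check: bind to `source`, connect with a timeout, name the failure mode."""
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.bind((source, 0))
            s.connect((host, port))
        except socket.timeout:
            return "timeout"
        except OSError as e:
            return "address not available" if e.errno == errno.EADDRNOTAVAIL else f"error: {e}"
        return "connected"
```

On the sample, `2001:bc8:1830:1b18::1` classifies as assigned on ens2, while `2001:bc8:1830:1b18::2` is prefix-only, matching the wget run that hung.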