Unable to reach WAN from LAN host on IPv6

In my router, I have 2 interfaces: enp1s0 (assumed as WAN) and enp4s0 (assumed as LAN). I connected a LAN host and a WAN host. I can ping from the LAN host to the WAN port of the router but not to the gateway of the WAN. The setting is as follows:

  • LAN host IP : 8888::5/64
  • LAN gateway IP (router's enp4s0) : 8888::1/64
  • WAN port IP (router's enp1s0) : 2401:fb00:0:1ff::1fd/64
  • WAN gateway IP : 2401:fb00:0:1ff::1fc/64

IPv6 forwarding is enabled in /etc/sysctl.conf, i.e. net.ipv6.conf.all.forwarding=1, and I restarted the network service.

/proc/sys/net/ipv6/conf/enp1s0/forwarding = 1
/proc/sys/net/ipv6/conf/enp4s0/forwarding = 1
/proc/sys/net/ipv6/conf/default/forwarding = 1
/proc/sys/net/ipv6/conf/all/forwarding = 1

Ping works from the LAN host to the LAN gateway and the WAN port of the router. The default route is there in the router to reach the WAN gateway. But I still can't access the WAN gateway from the LAN host. Any help would be appreciated.

tcpdump on the router WAN port (enp1s0) while the ping from 8888::5 to 2401:fb00:0:1ff::1fc runs:

11:40:26.986609 IP6 8888::5 > 2401:fb00:0:1ff::1fc: ICMP6, echo request, seq 632, length 64
11:40:27.597211 IP6 2401:fb00:0:1ff::1fd.35373 > 2401:fb00:0:1ff::1fc.domain: 41163+ A? relay-4a21c05c.net.anydesk.com. (48)
11:40:27.601687 IP6 2401:fb00:0:1ff::1fc > 2401:fb00:0:1ff::1fd: ICMP6, destination unreachable, unreachable port, 2401:fb00:0:1ff::1fc udp port domain, length 104
vidarlo
Why do you use 8888::/64? It's not an allocated address for *any* purpose. Your setup won't work with 8888::/64 addresses anyway.
Ron Maupin
You seem to be using invalid IPv6 addressing. For example, `888::/64` is in the RESERVED IPv6 address space and should not be used. For the Internet, you use Global addressing in the `2000::/3` address space. For traffic that never goes on the Internet, you use ULA addressing (locally assigned in the `fd00::/8` space, but the next 40 bits must be randomly chosen).
Mani Varma Indukuri
I thought 8888::/64 is a global IPv6 address. When I added an SNAT rule to change the source IP of any incoming packet to the IP of the WAN port in NF tables, it worked. I can ping the web on IPv6. If 8888::/64 is invalid addressing, why is it working?
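
The address classes named in the comments above can be checked mechanically. The following is an added example, not part of the original thread: it classifies the four addresses from the question against `2000::/3` and `fd00::/8`, and builds a ULA /48 with a random 40-bit Global ID plus a /64 for the LAN. The function names are hypothetical, and the Global ID comes from the OS CSPRNG rather than the sample algorithm in RFC 4193.

```python
import ipaddress
import secrets
from typing import Optional

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # global unicast space
ULA_LOCAL = ipaddress.ip_network("fd00::/8")       # locally assigned ULA
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
MULTICAST = ipaddress.ip_network("ff00::/8")

# Addresses exactly as listed in the question.
PAGE_ADDRS = {
    "LAN host": "8888::5/64",
    "LAN gateway": "8888::1/64",
    "WAN port": "2401:fb00:0:1ff::1fd/64",
    "WAN gateway": "2401:fb00:0:1ff::1fc/64",
}


def classify(addr: str) -> str:
    """Classify an IPv6 address (with or without /len) by address space."""
    ip = ipaddress.ip_interface(addr).ip
    if ip.version != 6:
        raise ValueError("not an IPv6 address: " + addr)
    for name, net in (("link-local", LINK_LOCAL), ("multicast", MULTICAST),
                      ("ula", ULA_LOCAL), ("global-unicast", GLOBAL_UNICAST)):
        if ip in net:
            return name
    return "reserved"  # outside every space checked above


def new_ula_prefix(global_id: Optional[bytes] = None) -> ipaddress.IPv6Network:
    """Build a ULA /48: the byte 0xfd followed by a 40-bit random Global ID."""
    gid = secrets.token_bytes(5) if global_id is None else global_id
    if len(gid) != 5:
        raise ValueError("Global ID must be exactly 40 bits (5 bytes)")
    return ipaddress.IPv6Network((b"\xfd" + gid + bytes(10), 48))


def lan_subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve the /64 with the given 16-bit Subnet ID out of a ULA /48."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 prefix and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


if __name__ == "__main__":
    for role, addr in PAGE_ADDRS.items():
        print(f"{role:12} {addr:28} {classify(addr)}")
    ula = new_ula_prefix()
    print("replacement LAN prefix:", lan_subnet(ula, 1))
```
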