
IPv6 forwarding enabled but not working. How to get it to work?


My system is running Debian GNU/Linux 11 (bullseye). My network is configured with two interfaces, one to my ISP and one to my LAN. I am using systemd-networkd (systemd version 247.3-6) to manage the interfaces. The problem is that IPv6 is not being forwarded.

I can ping -6 my upstream from the router but not from an internal host. Internal hosts are unable to connect to external IPv6 servers but can connect to external IPv4 servers via a NAT connection.

cat /etc/systemd/network/eth0.network
[Match]
Name=eth0

[Network]
DHCP=yes
IPv6AcceptRA=yes
IPForward=ipv6
LLDP=yes

[DHCPv6]
PrefixDelegationHint=::/56

cat /etc/systemd/network/lan0.network 
[Match]
Name=lan0

[Network]
Address=192.168.1.2/24
Address=192.168.1.1/24
Address=192.168.1.5/24
Address=192.0.2.5/24
Address=2001:0DB8:c101:b700::1/64
Address=2001:0DB8:c101:b700:beef::5/64

Domains=lan example.com

IPForward=ipv6
LLDP=yes

ip -6 route show table all
::1 dev lo proto kernel metric 256 pref medium
2001:0DB8:c101:b700::/64 dev lan0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev lan0 proto kernel metric 256 pref medium
default via fe80::2a2:ff:feb2:c2 dev eth0 proto ra metric 1024 expires 1724sec mtu 1500 pref high
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f dev eth0 table local proto kernel metric 0 pref medium
anycast 2001:0DB8:c101:b700:: dev lan0 table local proto kernel metric 0 pref medium
local 2001:0DB8:c101:b700::1 dev lan0 table local proto kernel metric 0 pref medium
local 2001:0DB8:c101:b700:beef::5 dev lan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev lan0 table local proto kernel metric 0 pref medium
local fe80::fca5:6fff:fe75:6109 dev eth0 table local proto kernel metric 0 pref medium
local fe80::fca5:6fff:fe75:6129 dev lan0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev lan0 table local proto kernel metric 256 pref medium

ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether fe:a5:6f:75:61:09 brd ff:ff:ff:ff:ff:ff
        inet 192.0.2.199/23 brd 192.0.2.255 scope global dynamic eth0
           valid_lft 1602sec preferred_lft 1602sec
        inet6 2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f/128 scope global dynamic noprefixroute 
           valid_lft 3802sec preferred_lft 2802sec
        inet6 fe80::fca5:6fff:fe75:6109/64 scope link 
           valid_lft forever preferred_lft forever
    3: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether fe:a5:6f:75:61:29 brd ff:ff:ff:ff:ff:ff
        inet 192.0.2.5/24 brd 192.0.2.255 scope global lan0
           valid_lft forever preferred_lft forever
        inet 192.168.1.1/24 brd 192.168.1.255 scope global lan0
           valid_lft forever preferred_lft forever
        inet 192.168.1.5/24 brd 192.168.1.255 scope global secondary lan0
           valid_lft forever preferred_lft forever
        inet6 2001:0DB8:c101:b700:beef::5/64 scope global 
           valid_lft forever preferred_lft forever
        inet6 2001:0DB8:c101:b700::1/64 scope global 
           valid_lft forever preferred_lft forever
        inet6 fe80::fca5:6fff:fe75:6129/64 scope link 
           valid_lft forever preferred_lft forever

ip6tables-save
# Generated by ip6tables-save v1.8.7 on Sun Mar 27 06:29:25 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127035:902105282]
:client_in - [0:0]
:client_out - [0:0]
:nameserver_in - [0:0]
:server_in - [0:0]
:server_out - [0:0]
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i lan0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -d 2001:0DB8:c101:b700::1/128 -i eth0 -j nameserver_in
-A INPUT -d 2001:0DB8:c101:b700::5/128 -i eth0 -j nameserver_in
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -s 2001:0DB8:c101:b700::/56 -i lan0 -j ACCEPT
-A FORWARD -d 2001:0DB8:c101:b700:beef::/80 -i eth0 -j server_in
-A FORWARD -d 2001:0DB8:c101:b700::/125 -i eth0 -j nameserver_in
-A FORWARD -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A client_in -m state --state RELATED,ESTABLISHED -j ACCEPT
-A client_out -j ACCEPT
-A nameserver_in -p udp -m udp --dport 53 -j ACCEPT
-A nameserver_in -p tcp -m tcp --dport 53 -j ACCEPT
-A server_in -m state --state RELATED,ESTABLISHED -j ACCEPT
-A server_in -p tcp -m tcp --dport 80 -j ACCEPT
-A server_in -p tcp -m tcp --dport 443 -j ACCEPT
-A server_in -p tcp -m tcp --dport 25 -j ACCEPT
-A server_out -j ACCEPT
COMMIT
# Completed on Sun Mar 27 06:29:25 2022

networkctl status lan0
● 3: lan0                                                                      
                     Link File: /lib/systemd/network/73-usb-net-by-mac.link
                  Network File: /etc/systemd/network/lan0.network
                          Type: ether
                         State: routable (configured)
                          Path: platform-xhci-hcd.0.auto-usb-0:1:1.0
                        Driver: r8152
                        Vendor: Realtek Semiconductor Corp.
                         Model: RTL8153 Gigabit Ethernet Adapter
                    HW Address: fe:a5:6f:75:61:29
                           MTU: 1500 (min: 68, max: 9194)
                         QDisc: pfifo_fast
  IPv6 Address Generation Mode: eui64
          Queue Length (Tx/Rx): 1/1
              Auto negotiation: yes
                         Speed: 1Gbps
                        Duplex: full
                          Port: mii
                       Address: 192.168.1.1
                                192.168.1.5
                                192.0.2.5
                                2001:0DB8:c101:b700::1
                                2001:0DB8:c101:b700:beef::5
                                fe80::fca5:6fff:fe75:6129
                Search Domains: lan
                                example.com

Mar 27 05:35:20 firewall systemd-networkd[6691]: lan0: Gained IPv6LL
Mar 27 05:44:47 firewall systemd-networkd[6750]: lan0: Gained IPv6LL
Mar 27 06:19:05 firewall systemd-networkd[7041]: lan0: Gained IPv6LL

networkctl status eth0
● 2: eth0                                                                      
                     Link File: /lib/systemd/network/99-default.link
                  Network File: /etc/systemd/network/eth0.network
                          Type: ether
                         State: routable (configured)
                          Path: platform-ff540000.ethernet
                    HW Address: fe:a5:6f:75:61:09
                           MTU: 1500 (min: 46, max: 3712)
                         QDisc: mq
  IPv6 Address Generation Mode: eui64
          Queue Length (Tx/Rx): 8/8
              Auto negotiation: yes
                         Speed: 1Gbps
                        Duplex: full
                          Port: tp
                       Address: 192.0.2.199 (DHCP4 via 202.90.244.1)
                                2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f
                                fe80::fca5:6fff:fe75:6109
                       Gateway: 202.90.244.1
                                fe80::2a2:ff:feb2:c2
                           DNS: 202.142.142.142
                                202.142.142.242
                                2001:0DB8:100:1::142
                                2001:0DB8:1:5::242
               DHCP4 Client ID: IAID:0xa3d03369/DUID
             DHCP6 Client IAID: 0xa3d03369
             DHCP6 Client DUID: DUID-EN/Vendor:0000ab111f00fd4412b87eae0000

Mar 27 05:44:47 firewall systemd-networkd[6691]: eth0: DHCPv6 lease lost
Mar 27 05:44:47 firewall systemd-networkd[6750]: eth0: Gained IPv6LL
Mar 27 05:44:50 firewall systemd-networkd[6750]: eth0: DHCPv4 address 192.0.2.199/23 via 202.90.244.1
Mar 27 05:44:51 firewall systemd-networkd[6750]: eth0: DHCPv6 address 2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f/128 timeout preferred 3000 valid 4000
Mar 27 06:00:17 firewall systemd-networkd[6750]: eth0: DHCPv6 address 2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f/128 timeout preferred 3000 valid 4000
Mar 27 06:15:52 firewall systemd-networkd[6750]: eth0: DHCPv6 address 2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f/128 timeout preferred 3000 valid 4000
Mar 27 06:19:04 firewall systemd-networkd[6750]: eth0: DHCPv6 lease lost
Mar 27 06:19:05 firewall systemd-networkd[7041]: eth0: Gained IPv6LL
Mar 27 06:19:07 firewall systemd-networkd[7041]: eth0: DHCPv6 address 2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f/128 timeout preferred 3000 valid 4000
Mar 27 06:19:08 firewall systemd-networkd[7041]: eth0: DHCPv4 address 192.0.2.199/23 via 202.90.244

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 1
A.B
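(I guess the system should allow 546/UDP so that DHCPv6 does not time out.) Is there a setting to apply somewhere so that your upstream router knows about `2001:0DB8:c101:b700::/64`? If the upstream has no route for that prefix pointing back at this router, replies to LAN hosts will not come back, even with forwarding enabled.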
Jeremy Ardley
The `networkctl status eth0` output indicates DHCP is working, as the IPv4 and IPv6 addresses are released at Mar 27 06:19:04 and re-assigned at Mar 27 06:19:07. (NB: addresses have been obfuscated.)