Debugging IPv6 routing issues

ipv6 routing

I have been given a native (no tunneling etc) IPv6 /64 block by my ISP. My pfSense router has successfully got an address, and from its WAN interface I can for instance ping ipv6.google.com and get a reply. However, on my internal network, it does not work, and I can't figure out why. I have a DHCPv6 server handing out addresses, and the router is doing router advertisements, and this seems fine to me.

I'll try to illustrate. Let's say I have a prefix 2001:a:b:c::/64. My router gets its WAN address using SLAAC, and that becomes 2001:a:b:c:20c:29ff:fef9:b914. On the internal interface, I have assigned it 2001:a:b:c::1 (old IPv4 habit, I guess…). DNS and DHCP are hosted on a server with 2001:a:b:c::10 (static assignment). My workstation then requests an address using DHCP and has been assigned 2001:a:b:c::11ab.

My routing table contains two default (::/0) routes, one for the router's internal static IP, and one for its link-local IP.

Pinging ipv6.google.com now gives Destination host unreachable. Where do I start to debug this? It seems to me that it is a routing issue, but I don't know where to start looking.

Best Answer

If you only have one /64 prefix and that prefix is on your WAN side then you can't do IPv6 for your LAN. An ISP is supposed to give you multiple /64s so that you can put a separate /64 on each LAN. It is common for an ISP to give everybody (residential and business) a /48 (65536 /64s). For residential customers they might hand out a /56 (256 /64s). That way you have plenty of prefixes to number your network, even if it gets more complicated over time (Internet-of-Things deployment etc).

Some ISPs are still sticking too much to the IPv4 mentality and only giving out a /60 (16 /64s) or so. While that will probably be enough now, it will cause problems as IP-capable devices become more common, and you don't really want your living room lighting and AC to be in the same subnet as the children's toys, do you? ;)

ISPs that only hand out a single /64 prevent you from any subnetting at all. If that /64 is on the WAN interface then you'll never get decent IPv6 on your LAN(s). This is the ISP's fault and they should fix this by giving out a decent amount (/48 or /56) of addresses.
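As an added example (not part of the answer above), the check below flags a router whose interfaces share one on-link prefix and carves a delegated prefix into one /64 per segment. The function names, the /64 length assumed on the LAN address, and the 2001:db8:0:100::/56 delegation are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations


def count_64s(prefix):
    """Number of /64 subnets contained in a delegated prefix."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen > 64:
        raise ValueError(f"{prefix} is not an IPv6 prefix of /64 or shorter")
    return 2 ** (64 - net.prefixlen)


def shared_prefixes(interfaces):
    """Return [(if_a, if_b, network)] for interfaces whose on-link prefixes overlap."""
    nets = {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}
    clashes = []
    for a, b in combinations(sorted(nets), 2):
        if nets[a].overlaps(nets[b]):
            # Report the wider of the two prefixes as the contested range.
            wider = min(nets[a], nets[b], key=lambda n: n.prefixlen)
            clashes.append((a, b, wider))
    return clashes


def plan_subnets(delegated, segments):
    """Give each routed segment its own /64 out of the delegated prefix."""
    if len(segments) > count_64s(delegated):
        raise ValueError(f"{delegated} holds {count_64s(delegated)} /64(s), "
                         f"{len(segments)} segment(s) need one each")
    pool = ipaddress.ip_network(delegated).subnets(new_prefix=64)
    return {seg: next(pool) for seg in segments}


if __name__ == "__main__":
    # Addresses from the question; the /64 length on the LAN side is assumed.
    router = {"wan": "2001:a:b:c:20c:29ff:fef9:b914/64",
              "lan": "2001:a:b:c::1/64"}
    for a, b, net in shared_prefixes(router):
        print(f"{net} is on-link on both {a} and {b}")
    # Constructed delegation from the documentation range (2001:db8::/32).
    plan = plan_subnets("2001:db8:0:100::/56", ["lan", "iot", "guest"])
    for seg, net in plan.items():
        print(f"{seg}: {net}")
```

Calling `plan_subnets("2001:a:b:c::/64", ["wan", "lan"])` raises `ValueError`, which is the situation described in the question: one /64 cannot number both sides of the router.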
