IPv6 Issue cascade (Fritzbox --> TurrisOmnia)

Hey,
I have a modem (router) FritzBox 7490 which establishes the Internet connection to my provider (German Telekom); behind that I put my TurrisOmnia.
The TurrisOmnia can use IPv6, but all clients connected to the TurrisOmnia can only use IPv4, not IPv6 …
How can I fix this?

Thx

Does your TO get a single IPv6 address or an IPv6 block? Is IPv6 prefix delegation enabled on your Fritzbox? (You can google it; it may give you some explanation of how to configure a “chain of routers” with IPv6.)

Edit: Tutorial for Fritzbox (German): https://avm.de/service/fritzbox/fritzbox-3270/wissensdatenbank/publication/show/1239_IPv6-Subnetz-in-FRITZ-Box-einrichten/

TO should work with prefix delegation in standard configuration for lan-interface (at least in my setup behind another provider-router with ipv6 prefix delegation enabled)

2 Likes

Thanks, you made my day, it works!

One question: if I do the IPv6 test on http://ipv6-test.com/ it says that ICMP is filtered. How to fix that?

You’re welcome! I’m not sure about ICMP. Sometimes ipv6-test.com prints this error for me, too, sometimes it doesn’t. I didn’t look into this yet…

1 Like

@ib54003 has reported the ICMP issue in ipv6-test.com. Well, it is real. The solution is not in Turris. The solution is in the Internet router. In FritzBox you have to enable IPv6 Ping (!) to disable filtering of ICMP messages. It is hidden under “Freigaben Gerät” (German). By default it does not work. Then you actually see ICMP working.

I checked back: Comparing 2 similar Turris Omnia devices made clear, how to achieve IPv6 ICMP working (German edition, I’m sorry):

How to enable ICMP in IPv6 with Fritz Box and Turris Omnia

In FritzBox do this:

  1. Go to Internet / Freigaben.

  2. Select a device for Port-Freigaben from the drop-down. That device is your Turris Omnia. Your Turris has to be in the drop-down. Avoid entering anything manually!

  3. In IPv6-Einstellungen check 2 boxes:
    a) PING6 freigeben.
    b) Firewall für delegierte IPv6-Präfixe dieses Gerätes öffnen.

Do not define opened ports as the naming suggests, unless you know what you are doing.

Make sure under
Heimnetz / Netzwerk / Netzwerkeinstellungen / IP-Adressen / IP-Adressen (wow!)
you check

  • Unique Local Addresses (ULA) zuweisen, solange keine IPv6-Internetverbindung besteht (empfohlen)
  • Auch IPv6-Präfixe zulassen, die andere IPv6-Router im Heimnetz bekanntgeben
  • Diese FRITZ!Box stellt den Standard-Internetzugang zur Verfügung
    • Hoch
  • DHCPv6-Server in der FRITZ!Box für das Heimnetz aktivieren:
    • DNS-Server und IPv6-Präfix (IA_PD) zuweisen

Turris Omnia has to be rebooted second (!!) after rebooting FritzBox. And then you experience: By default Turris Omnia does work with PD and with ICMP.

I do need help with this no-PD-without-restarting-second …

Proven to work fine.
This does actually work fine and has a high score in https://ipv6-test.com/ :slight_smile:

Thanks to @protree for the valuable hints!
I experience the same problem: v4 always working, v6 sometimes perfect, mostly defunct.

2 remarks:

  1. The above quoted Fritz wiki entry is VERY good in explaining what to do,
    except for one point (I doubt it is right):
    Do choose IP-PD but NOT the IA-NA because static v6 addresses may kill your SLAAC. And you need to define the addresses stated in IA-NA. Want that?!?

(other opinion? please explain! I do need to learn more about v6! )

Tip for all German speakers: the brilliant podcast with Clemens Schrimpe is the best explanation of IPv6 in recent times (even if the format is unfamiliar and strange):

  2. If you re-boot the fritz box Turris will fail to get the Prefix Delegation. I consider that a problem, however. If you first reboot the Fritz and then later the Turris it will work.
    It took me 1 month and 2 physical Turris Omnia devices to find that. Now it is 100% reproducible: Wrong boot order and you’re doomed.
    It is a BIG problem if your routers are restarted after power outage in arbitrary order: No more IPv6!

Question:
Can someone (more skilled than me) describe a configuration to frequently check for PD availability and subsequent request by Turris for new PD from IN-router if the PD based global addresses failed? In other words: HOW TO IMMEDIATELY REFRESH IP-PD in a successful way?

I actually did two things meanwhile:

  • Write a script that has proven to work updating the PD prefix when necessary; deunglish language
  • create a presentation (in German) using this stuff to connect machines. If interested look at www.schweinekraftland.de and find the IPv6 stuff.

The script is run on Turris Omnia (I put it in ~/bin). Triggered by crontab.
Not perfect but reliable and without identified adverse side effects. Used in production for a longer time without issues :slight_smile:

#!/bin/bash
  ## possibly useful:  #!/bin/bash -x

#  25jan2021
# script to detect change in PD address or assignment in Turris Omnia
# ATTENTION: Needs to be started from cron min 10 min (preferred_lft is 600) up to 15 min
# Example crontab entry: 
# */10 * * * * bin/nett4turris004.sh
# detect and restart network to forward the PD info to Bridge
# the upstream link to FritzBox is  link00="eth2" or whatever
# the downstream link to nodes is link01="br-lan"

# the ( ) construct opens a subshell (https://tldp.org/LDP/abs/html/subshells.html) 
# a) after a total failure eth2 has a PD but br-lan only has a deprecated one >> restart network
# b) after a soft reconnect eth2 has non-deprecated AND deprecated 
##   but br-lan has NO(!) deprecated! until the PD address on br-lan reaches preferred_lft =0 (EOL) / NOT addressed, resolves itself. 
# c) also happens: eth2 has a valid PD and br-lan has no PD >> also needs a network restart

link00="eth2"
link01="br-lan"

## maxattempts=8	## max restart attempts per calendar day 	## 8 is normally fine, too few when Telekom has a prolonged foul-up 
maxattempts=120	## max restart attempts per calendar day

## statement like "ip -6 -o  address show scope global dynamic  "$link00" " returns all addresses and attributes available
## grep "inet6 2" 

restartstatus=0


##################################################################################################
## log

## log directory and file
logdir01="/srv/log4me"

logrecordfile="networkPDrefresher.log"

# does the log file exist? Otherwise create one 

if [ -f $logdir01/$logrecordfile ] 
	then  
	### echo -e "\n ` date  +"%d%b%Y %H-%M-%S %Z-%s"` : eine log-Datei gefunden $logdir01/$logrecordfile "
		if [ ! -w $logdir01/$logrecordfile ]
		then
		echo -e  "Status: "$? "   " $0 " error: can not write to "  $logdir01/$logrecordfile
		## "break" is only valid inside a loop; leave the script instead
		exit 1
		fi
	else 
		## -p: do not fail if the directory already exists
		mkdir -p $logdir01
		touch $logdir01/$logrecordfile

		##   small header in the log ########
		echo -e "new file " $logdir01/$logrecordfile "created. "
		echo -e "` date  +"%d%b%Y %H-%M-%S %Z-%s"` : Protokolldatei angelegt  durch $0 "   >>$logdir01/$logrecordfile
		echo -e "script started  \n   $(date  +"%d%b%Y %H-%M-%S %Z-%s")   Der ausfuehrende user $USER \n"   >>$logdir01/$logrecordfile
	
fi

## by now a log file really should be available! 
## where is it written to?:  into protocoltargetrecord
protocoltargetrecord=$logdir01/$logrecordfile
echo "geschrieben wird in  $protocoltargetrecord" 

##################################################################################################

## NOT implemented yet:  verify there is an internet connection - otherwise do nothing

## t.b.d. 
## not urgent because activity only if upstream PD is given 
## by condition (verify ip -6 -o  address show scope global dynamic -deprecated  "$link00")


##################################################################################################

# daycount		implemented .
# aim: limit number of restarts per calendar day
# based on date entries in log file
# Idea:   grep "` date  +"%d%b%Y"`" logfile.txt  | wc -l 

todaydate="` date  +"%d%b%Y"`"
## counts everything: ## daycount="`grep "$todaydate" $logdir01/$logrecordfile    | wc -l `" 
daycount="`grep "$todaydate" $logdir01/$logrecordfile | grep "planned"    | wc -l `" 
### 
echo -e "` date  +"%d%b%Y %H-%M-%S %Z-%s"`  daycount on $todaydate is $daycount  "


##################################################################################################

# function to do a network restart (might be adapted)

netrest0()
	{
	/etc/init.d/network restart
	}

restart_network()
	{
	let "restartstatus++"
	if [ $restartstatus -le 1 ] && [ "$daycount" -le "$maxattempts" ] 
	then 
		sleep 1m  && touch ~/networkrestartattempt.txt &&  netrest0
		echo -e "` date  +"%d%b%Y %H-%M-%S %Z-%s"` do network restart using netrest0  \n"   >>$logdir01/$logrecordfile
		sleep 1m 	## make sure the restart is reflected in both interfaces. 
	else
		echo -e "` date  +"%d%b%Y %H-%M-%S %Z-%s"` other restart seems to be issued or  daycount exceeds $maxattempts (maxattempts) - not restarted.  \n"   >>$logdir01/$logrecordfile
	fi
	}




##################################################################################################


## check if incoming device eth2 has a valid PD prefix assigned
## then check if the outbound bridge br-lan shows a deprecated PD - address
## if both exist we need a network restart to provide the PD prefix from eth2 to br-lan

echo -e "` date  +"%d%b%Y %H-%M-%S %Z-%s"` status $link00:  "`ip -6 -o  address show scope global dynamic -deprecated  "$link00" ` 
echo -e "` date  +"%d%b%Y %H-%M-%S %Z-%s"` status $link01:  "`ip -6 -o  address show scope global dynamic  "$link01" ` 

if ip -6 -o  address show scope global dynamic -deprecated  "$link00" | grep -q "inet6 2"
then
	### echo -e "` date  +"%d%b%Y %H-%M-%S %Z-%s"` yes $link00 address present; go and check " $link01

	## check for deprecated PD on br-lan
	if ip -6 -o  address show scope global dynamic	deprecated  "$link01" | grep -q "inet6 2" 

	then
	echo -e "` date  +"%d%b%Y %H-%M-%S %Z-%s"` gueltige PD-IP auf $link00 plus deprecated auf $link01  sind beide da. Erforderlich: RESTARTEN Netzwerk  "
	##  DO NOT change the word "planned" !! It is the key word for counting restart attempts !!   ####
	echo -e "` date  +"%d%b%Y %H-%M-%S %Z-%s"` 	network restart planned! "   >>$logdir01/$logrecordfile
	ip -6 -o  address show scope global dynamic -deprecated  "$link00" >>$logdir01/$logrecordfile
	ip -6 -o  address show scope global dynamic  deprecated  "$link01"  >>$logdir01/$logrecordfile

			## network restart in a subshell
			(
			restart_network
			)

	else
		## check for missing  PD-IP on br-lan  $link01 (some should always exist - otherwise remediate)
		## after at most 600 sec preferred_lft  causes status deprecated for existing PD-IP
		if !  ip -6 -o  address show scope global dynamic "$link01" | grep -q "inet6 2"

		then
		echo -e "` date  +"%d%b%Y %H-%M-%S %Z-%s"` gueltige PD-IP auf $link00; PD-IP fehlt ganz auf $link01; RESTARTEN Netzwerk erforderlich \n"
		##  DO NOT change the word "planned" !! It is the key word for counting restart attempts !!   ####
		echo -e "` date  +"%d%b%Y %H-%M-%S %Z-%s"` missing PD-IP on $link01; 	network restart planned! "   >>$logdir01/$logrecordfile

				## network restart in a subshell
				(
				restart_network
				)

		else	## means: there is some PD-IP on $link00 and some PD-IP on $link01 (ok). 
		echo -e "` date  +"%d%b%Y %H-%M-%S %Z-%s"` no \"missing\" PD-IP on $link01 identified.  "

		fi	

	echo -e "` date  +"%d%b%Y %H-%M-%S %Z-%s"` daycount is $daycount;  no deprecated PD address on $link01  identified. do nothing.  \n"  
	echo -e "` date  +"%d%b%Y %H-%M-%S %Z-%s"` daycount is $daycount;  no deprecated PD address on $link01  identified. no activity.  \n"   >>$logdir01/$logrecordfile 

	fi
###
	## tackle problem b) with non-deprecated + deprecated PD-IP both coexisting on $link00 (eth2)  and  br-lan does NOT have a deprecated (!)

	## non-deprecated PD-IP exists; now check for additional deprecated PD-IP on eth2 PLUS no existing deprecated on br-lan 
	if ip -6 -o  address show scope global dynamic deprecated  "$link00" | grep -q "inet6 2" && ! ip -6 -o  address show scope global dynamic deprecated  "$link01" | grep -q "inet6 2"

	then	
	echo -e "` date  +"%d%b%Y %H-%M-%S %Z-%s"` on $link00 detected improper non-deprecated + deprecated PD-IP:    network restart planned! "   >>$logdir01/$logrecordfile

		## do the network restart
			## network restart in a subshell
			(
			restart_network
			)


	fi
	
else
echo -e ` date  +"%d%b%Y %H-%M-%S %Z-%s"` " "  $link00 " PD-IP IPv6 not found as expected; do nothing." 
echo -e ` date  +"%d%b%Y %H-%M-%S %Z-%s"` " "  $link00 " PD-IP IPv6 not found as expected; no activity.  \n"   >>$logdir01/$logrecordfile 
fi

 

 ## end

1 Like
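
The restart decision from the script above, pulled out as an added example (not part of the original post) so that cases a), b) and c) can be exercised offline against captured `ip -6 -o` output before anything restarts the network. The function names and the sample captures, which use the 2001:db8::/32 documentation prefix, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the poster's script): the restart decision as a pure
# function over text captured from
#   ip -6 -o address show scope global dynamic <link>

# Constructed sample captures (documentation prefix, not real addresses).
UP_OK='4: eth2    inet6 2001:db8:aa:100::1/64 scope global dynamic \       valid_lft 6900sec preferred_lft 3300sec'
UP_OLD='4: eth2    inet6 2001:db8:bb:200::1/64 scope global deprecated dynamic \       valid_lft 900sec preferred_lft 0sec'
LAN_OK='7: br-lan    inet6 2001:db8:aa:110::1/60 scope global dynamic \       valid_lft 6900sec preferred_lft 600sec'
LAN_OLD='7: br-lan    inet6 2001:db8:bb:210::1/60 scope global deprecated dynamic \       valid_lft 900sec preferred_lft 0sec'

# Same address filter as the script: global unicast addresses starting with "2".
has_preferred()  { printf '%s\n' "$1" | grep 'inet6 2' | grep -qv ' deprecated '; }
has_deprecated() { printf '%s\n' "$1" | grep 'inet6 2' | grep -q  ' deprecated '; }
has_any()        { printf '%s\n' "$1" | grep -q 'inet6 2'; }

# pd_state UPSTREAM_TEXT DOWNSTREAM_TEXT
# Prints one verdict; returns 0 when no restart is needed, 1 otherwise.
pd_state() {
    if ! has_preferred "$1"; then
        echo idle; return 0        # no valid upstream PD: nothing to forward
    elif has_deprecated "$2"; then
        echo restart-a; return 1   # case a): downstream holds a deprecated PD address
    elif ! has_any "$2"; then
        echo restart-c; return 1   # case c): downstream holds no PD address at all
    elif has_deprecated "$1"; then
        echo restart-b; return 1   # case b): old + new on upstream, no deprecated downstream
    fi
    echo ok; return 0
}

# Demo on the constructed captures. On the router the arguments would be
# "$(ip -6 -o address show scope global dynamic eth2)" and the same for br-lan.
pd_state "$UP_OK" "$LAN_OK"
pd_state "$UP_OK" "$LAN_OLD" || true
pd_state "$UP_OLD" "$LAN_OLD"
```

Because the verdict is also the exit status, a cron wrapper can call the restart only when `pd_state` returns non-zero.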

Use https://test-ipv6.com instead.

PD!

I’m pleased to see the script is still working in Turris OS version 6.4.4
Three years IPv6 Prefix Delegation supported in Turris Omnia :slight_smile:
Sad: Unfortunately it is still necessary in Turris OS version 6.4.4 to have this script if you want to use IPv6 including Prefix Delegation.
If I did not miss something … please prove me wrong.
For half a year now I have experienced problems with failing ping commands while ssh is working fine to these established server machines. Did a total re-setup of my Turris Omnia now. Looks like now it works sometimes! Wow. Issues may have a connection to the wonder whizz named “dynamic firewall”. I am very suspicious about it.

or
https://www.ipv6.bieringer.de/