IPv6 not working from LAN, but does from Turris

The_ERROR · October 10, 2018, 12:24am

I know, that there where similar posts, but none fully covered my case. I do have prefix and I’m getting IPv6 address on local clients, but there is not possible to ping router address (RA) from LAN, however it is work from router directly, so I guess I miss some small thing, but I can’t figure out, what.

ifstatus wan6
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 8510,
	"l3_device": "eth2",
	"proto": "dhcpv6",
	"device": "eth2",
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [

	],
	"ipv6-address": [
		{
			"address": "2a00:ca8:a1f:6076:xxxx:xxxx:xxxx:ad3",
			"mask": 64
		},
		{
			"address": "2a00:ca8:a1f:6076::5",
			"mask": 128
		}
	],
	"ipv6-prefix": [
		{
			"address": "2a00:ca8:a1f:6076::",
			"mask": 64,
			"class": "wan6",
			"assigned": {
				"lan": {
					"address": "2a00:ca8:a1f:6076::",
					"mask": 64
				}
			}
		}
	],
	"ipv6-prefix-assignment": [

	],
	"route": [
		{
			"target": "2a00:ca8:a1f:6076::",
			"mask": 64,
			"nexthop": "::",
			"metric": 256,
			"source": "::\/0"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::4682:e5ff:fe76:9b5a",
			"metric": 512,
			"valid": 1791,
			"source": "2a00:ca8:a1f:6076::\/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::4682:e5ff:fe76:9b5a",
			"metric": 512,
			"valid": 1791,
			"source": "2a00:ca8:a1f:xxxx:xxxx:xxxx:xxxx:ad3\/64"
		},
		{
			"target": "::",
			"mask": 0,
			"nexthop": "fe80::4682:e5ff:fe76:9b5a",
			"metric": 512,
			"valid": 1791,
			"source": "2a00:ca8:xxx:xxxx::5\/128"
		}
	],
	"dns-server": [
		"2a00:ca8::100",
		"2a00:ca8:0:1::20"
	],
	"dns-search": [

	],
	"inactive": {
		"ipv4-address": [

		],
		"ipv6-address": [

		],
		"route": [

		],
		"dns-server": [

		],
		"dns-search": [

		]
	},
	"data": {
		"passthru": "xxxxx....xxxxx"
	}
}

LAN conf:

ifstatus lan
{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 991,
	"l3_device": "br-lan",
	"proto": "static",
	"device": "br-lan",
	"updated": [
		"addresses"
	],
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "192.168.1.1",
			"mask": 24
		}
	],
	"ipv6-address": [

	],
	"ipv6-prefix": [

	],
	"ipv6-prefix-assignment": [
		{
			"address": "2a00:ca8:xxx:xxxx::",
			"mask": 64,
			"local-address": {
				"address": "2a00:ca8:xxxx:xxxx::1",
				"mask": 64
			}
		}
	],
	"route": [

	],
	"dns-server": [

	],
	"dns-search": [

	],
	"inactive": {
		"ipv4-address": [

		],
		"ipv6-address": [

		],
		"route": [

		],
		"dns-server": [

		],
		"dns-search": [

		]
	},
	"data": {

	}
}

Routes, network on client

ping6 google.com
PING6(56=40+8+8 bytes) 2a00:ca8:xxxx:xxxx:xxxxx:xxxxx:f9e4:d90 --> 2a00:1450:4014:80c::200e
^C
--- google.com ping6 statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

IPs

# ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 8c:85:90:35:75:e9
	inet6 fe80::106d:xxxx:xxxxx:d7ad%en0 prefixlen 64 secured scopeid 0x8
	inet 192.168.1.106 netmask 0xffffff00 broadcast 192.168.1.255
	inet6 2a00:ca8:a1f:6076:xxxx:xxxx:xxxx:73e8 prefixlen 64 autoconf secured
	inet6 2a00:ca8:a1f:6076:xxxx:xxxx:xxxx:d90 prefixlen 64 autoconf temporary
	inet6 2a00:ca8:a1f:6076::xxxx prefixlen 64 dynamic
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active

Routing table

# netstat -f inet6 -rn
Routing tables

Internet6:
Destination                             Gateway                         Flags         Netif Expire
default                                 fe80::da58:d7ff:fe00:ad1%en0    UGc             en0
default                                 fe80::%utun0                    UGcI          utun0
::1                                     ::1                             UHL             lo0
2a00:ca8:a1f:6076::/64                  link#8                          UC              en0
2a00:ca8:a1f:6076::1                    d8:58:d7:0:a:d1                 UHLWIi          en0
2a00:ca8:a1f:6076::1a8                  0:11:32:74:1a:1b                UHLWI           en0
2a00:ca8:a1f:6076::ea0                  8c:85:90:35:75:e9               UHL             lo0
2a00:ca8:a1f:6076:xxxx:xxxx:xxxx:1a1b    0:11:32:74:1a:1b                UHLWI           en0
2a00:ca8:a1f:6076:xxxx:xxxx:xxxx:73e8   8c:85:90:35:75:e9               UHL             lo0
2a00:ca8:a1f:6076:xxxx:xxxx:xxxx:d90    8c:85:90:35:75:e9               UHL             lo0
fe80::%lo0/64                           fe80::1%lo0                     UcI             lo0
fe80::1%lo0                             link#1                          UHLI            lo0
fe80::%en0/64                           link#8                          UCI             en0
fe80::106d:1ade:d5e5:d7ad%en0           8c:85:90:35:75:e9               UHLI            lo0
fe80::da58:d7ff:fe00:ad1%en0            d8:58:d7:0:a:d1                 UHLWIir         en0
fe80::%awdl0/64                         link#10                         UCI           awdl0
fe80::4839:cbff:fe79:7e5d%awdl0         4a:39:cb:79:7e:5d               UHLI            lo0
fe80::%bridge0/64                       link#11                         UCI         bridge0
fe80::8400:64ff:fe4a:ac00%bridge0       86.0.64.4a.ac.0                 UHLI            lo0
fe80::%utun0/64                         fe80::5d25:c3dd:a895:d7af%utun0 UcI           utun0
fe80::5d25:c3dd:a895:d7af%utun0         link#12                         UHLI            lo0
ff01::%lo0/32                           ::1                             UmCI            lo0
ff01::%en0/32                           link#8                          UmCI            en0
ff01::%awdl0/32                         link#10                         UmCI          awdl0
ff01::%bridge0/32                       link#11                         UmCI        bridge0
ff01::%utun0/32                         fe80::5d25:c3dd:a895:d7af%utun0 UmCI          utun0
ff02::%lo0/32                           ::1                             UmCI            lo0
ff02::%en0/32                           link#8                          UmCI            en0
ff02::%awdl0/32                         link#10                         UmCI          awdl0
ff02::%bridge0/32                       link#11                         UmCI        bridge0
ff02::%utun0/32                         fe80::5d25:c3dd:a895:d7af%utun0 UmCI          utun0

zajdee · June 20, 2020, 6:09am

I have somehow landed on this topic. It seems weird to have the same /64 prefix on LAN and WAN. So this was probably the case why it was failing.

anon82920800 · June 20, 2020, 8:07am

Depends on the ISP, whether providing a /48 or /56 or /64 GUA prefix, latter would seem to be case here, although that would not be good practice by the ISP. Some greedy ISP ask for a premium to provide a /56 prefix.

That should not be the cause since each interface still produces its GUA with the /128 prefix and which should respond to pings.

Suppose that IPv4 pings work ok it sounds a bit like firewall issue along the line. Turning on packet (firewall) logging on the involved interfaces (router and client) the logs may then provide a hint whether/where the firewall might be rejecting/dropping packets.

The_ERROR · June 20, 2020, 12:52pm

Actually I found some good hint on different (unfortunately czech) topic and it’s related indeed to IPv6 distribution where was wrong default route discovery.

Based on hint from Ondrej I adjusted accordingly and it start working just find.

Using just relay (because of /64) made the trick.

anon82920800 · June 20, 2020, 1:04pm

This seems something peculiar with (some) CZ ISP, wondering what they are doing to cause the trouble for their customers.

ostravak · June 20, 2020, 8:03pm

poda.cz strikes again!

@Mracek

vyse zminovany problem se tyka jen mene nez 0.1% klientu v siti PODA