SixXS::Sunset 2017-06-06

Unable to ping6 internet from ipv6 "LAN"
[ca] Carmen Sandiego on Monday, 21 May 2012 06:56:45
Hi all,

This is my radvd.conf file:

    #internal "LAN" interface
    interface p3p1
    {
        AdvSendAdvert on;
        MinRtrAdvInterval 30;
        MaxRtrAdvInterval 100;
        prefix 2001:db8:1:0::/64
        {
            AdvOnLink on;
            AdvAutonomous on;
            AdvRouterAddr off;
        };
    };

This is my router interface config:

    [root@mydomain /]# ifconfig
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1 Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING MTU:16436 Metric:1
              RX packets:622 errors:0 dropped:0 overruns:0 frame:0
              TX packets:622 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:80177 (78.2 KiB) TX bytes:80177 (78.2 KiB)

    p34p1     Link encap:Ethernet HWaddr 00:1F:C6:5E:58:B1
              inet addr:PUBLICIP Bcast:BCAST Mask:MASK
              inet6 addr: fe80::21f:c6ff:fe5e:58b1/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
              RX packets:193614 errors:0 dropped:0 overruns:0 frame:0
              TX packets:233355 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:16102849 (15.3 MiB) TX bytes:331270091 (315.9 MiB)
              Interrupt:45 Base address:0xe000

    p3p1      Link encap:Ethernet HWaddr 00:19:5B:2F:0E:30
              inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
              inet6 addr: 2001:db8:1:0:219:5bff:fe2f:e30/64 Scope:Global
              inet6 addr: fe80::219:5bff:fe2f:e30/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
              RX packets:5896 errors:0 dropped:0 overruns:0 frame:0
              TX packets:5494 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:716243 (699.4 KiB) TX bytes:3505732 (3.3 MiB)
              Interrupt:17

    sixxs     Link encap:IPv6-in-IPv4
              inet6 addr: fe80::b847:c15a/128 Scope:Link
              inet6 addr: 2610:100:4fff:31::2/64 Scope:Global
              UP POINTOPOINT RUNNING NOARP MTU:1280 Metric:1
              RX packets:378 errors:0 dropped:0 overruns:0 frame:0
              TX packets:432 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:219783 (214.6 KiB) TX bytes:60893 (59.4 KiB)

I get the 2001:db8:1:0::/64 IP behind the router and I can ping the router lan interface (aka gateway):

    [bogdan@LinuxGUI ~]$ ping6 2001:db8:1:0:219:5bff:fe2f:e30
    PING 2001:db8:1:0:219:5bff:fe2f:e30(2001:db8:1:0:219:5bff:fe2f:e30) 56 data bytes
    64 bytes from 2001:db8:1:0:219:5bff:fe2f:e30: icmp_seq=1 ttl=64 time=0.271 ms

From the router I can ping sixxs.net:

    [root@mydomain /]# ping6 sixxs.net
    PING sixxs.net(uschi03.sixxs.net) 56 data bytes
    64 bytes from uschi03.sixxs.net: icmp_seq=1 ttl=51 time=175 ms

This is my "LAN" workstation routing table:

    [bogdan@LinuxGUI ~]$ route -A inet6
    Kernel IPv6 routing table
    Destination  Next Hop  Flags  Metric  Ref  Use  Iface
    localhost/128  *  U  256  0  0  lo
    www.arin.net/128  fe80::219:5bff:fe2f:e30  UG  1024  0  0  eth0
    www.arin.net/128  fe80::219:5bff:fe2f:e30  UG  1024  0  0  eth0
    www.ipv6.ripe.net/128  fe80::219:5bff:fe2f:e30  UG  1024  0  0  eth0
    gatey.sixxs.net/128  fe80::219:5bff:fe2f:e30  UG  1024  31  0  eth0
    tunnelserver.concepts-ict.net/128  fe80::219:5bff:fe2f:e30  UG  1024  32  0  eth0
    broker04.ams.nl.sixxs.net/128  fe80::219:5bff:fe2f:e30  UG  1024  345  0  eth0
    2001:db8:1::/64  *  UA  256  0  0  eth0
    2001:dc0:2001:11::211/128  fe80::219:5bff:fe2f:e30  UG  1024  0  0  eth0
    www.lacnic.net/128  fe80::219:5bff:fe2f:e30  UG  1024  0  0  eth0
    www.nanog.org/128  fe80::219:5bff:fe2f:e30  UG  1024  0  0  eth0
    2001:1af8:4050::2/128  fe80::219:5bff:fe2f:e30  UG  1024  31  0  eth0
    meeting.afrinic.net/128  fe80::219:5bff:fe2f:e30  UG  1024  0  0  eth0
    uschi03.sixxs.net/128  fe80::219:5bff:fe2f:e30  UG  1024  31  0  eth0
    2a02:920:212e::213/128  fe80::219:5bff:fe2f:e30  UG  1024  0  0  eth0
    fe80::/64  *  U  256  0  0  eth0
    */0  fe80::219:5bff:fe2f:e30  UG  1  0  0  eth0
    */0  fe80::219:5bff:fe2f:e30  UGDA  1024  0  0  eth0
    localhost/128  *  U  0  151  1  lo
    LinuxGUI.mydomain/128  *  U  0  28  1  lo
    LinuxGUI.mydomain/128  *  U  0  25  1  lo
    ff02::1/128  ff02::1  UC  0  1  0  eth0
    ff00::/8  *  U  256  0  0  eth0

When I ping from the router, ipv6 ping works so the tunnel is open. The PC can ping the router over ipv6, but when I ping from the lan PC something on the internet, I get NOTHING:

    [bogdan@LinuxGUI ~]$ ping6 sixxs.net
    PING sixxs.net(broker04.ams.nl.sixxs.net) 56 data bytes

And the ping stays there forever...

What am I doing wrong? I have IPv6 forwarding enabled... From what I can see, the ping cannot get to the internet, or it cannot get back... This cannot be sixxs since my router traffic works to ping6 from the router. What am I missing???

Thanks!
[ch] Jeroen Massar SixXS Staff on Monday, 21 May 2012 10:03:35
> prefix 2001:db8:1:0::/64

I assume that you realize that 2001:db8::/32 is the IPv6 Documentation Prefix. It cannot be used in real life. You need to use the subnet shown in your user home. That would be 2610:100:4fff:8031::/64 in your case.
[ca] Carmen Sandiego on Monday, 21 May 2012 14:54:42
I tried assigning that in radvd and it fully works.

So from what I understand then, SixXS assigned a full subnet to me. That must be a lot of hosts if I can use all /64. Is this true?

My only concern (and this is something I was trying to avoid) is not to open my LAN to public Internet. How is this issue resolved in reality? I noticed there are FC00::/7 blocks that are supposed to be private, but I previously tried with that and it doesn't seem to work. What do you recommend?

For example, you cannot put a samba4 server out there on IPv6. It has to stay within a LAN not accessible from outside.

Let me know! Thanks!
[ch] Jeroen Massar SixXS Staff on Monday, 21 May 2012 17:37:14
> SixXS assigned a full subnet to me. That must be a lot of hosts if I can use all /64. Is this true?

The default subnet that comes with every tunnel is indeed a single /64, thus 2^64 hosts could theoretically use it. If you request a subnet though you will get a /48 which is thus 65536 /64's and thus that times bigger than the default one.
> What do you recommend?

First configure proper firewalls on your hosts. If deemed necessary configure a stateful firewall on your network edge. If you want to make sure that hosts cannot be reached then do not connect them in the first place (and verify that they stay disconnected ;)
> For example, you cannot put a samba4 server out there on IPv6. It has to stay within a LAN not accessible from outside. Let me know! Thanks!
Firewall port 445 on the host (and 138/139 if you still use those, which one should not), presto, problem resolved.
[ch] Shadow Hawkins on Tuesday, 22 May 2012 11:44:26
Hi Bogdan

I have posted earlier here in the forum my iptables/ip6tables script I use to keep outsiders outside: All incoming IPv6 TCP/UDP packets are dropped except when they
a) access certain selected ports
b) are reply packets to sessions that have been initiated from the inside

Please be aware that your setup might be different, do not just blindly copy the code.

Nicolas
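
The edge policy described in the post above (drop forwarded inbound traffic unless it targets a selected port or answers a session opened from inside), as an added example that is not Nicolas's script or any code from the thread. It prints an ip6tables-restore ruleset for the router's FORWARD chain; the interface names p3p1 and sixxs come from the first post, while the function name and the "address/proto/port" entry format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): print an ip6tables-restore ruleset for
# the router's FORWARD chain. Nothing is applied; the function only prints.
#   $1  LAN interface     (p3p1 in the first post)
#   $2  tunnel interface  (sixxs in the first post)
#   $3  space-separated "address/proto/port" entries reachable from outside
#       (hypothetical format; the sample below uses a documentation address)
emit_forward_rules() {
    lan_if=$1; tun_if=$2; allowed=$3; port_rules=""
    # Validate every entry before printing anything, so a typo never yields
    # a half-written ruleset.
    for entry in $allowed; do
        host=${entry%%/*}; rest=${entry#*/}
        proto=${rest%%/*}; port=${rest#*/}
        case $proto in
            tcp|udp) ;;
            *) echo "bad protocol in '$entry'" >&2; return 1 ;;
        esac
        case $port in
            ''|*[!0-9]*) echo "bad port in '$entry'" >&2; return 1 ;;
        esac
        # a) selected ports on selected hosts
        port_rules="${port_rules}-A FORWARD -i $tun_if -o $lan_if -d $host -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT
"
    done
    echo "*filter"
    # Default policy: anything not matched below is dropped (SMB on 445 too).
    echo ":FORWARD DROP [0:0]"
    # b) replies to sessions opened from the inside; RELATED also admits the
    #    ICMPv6 errors (e.g. packet-too-big) that belong to those sessions.
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -m conntrack --ctstate INVALID -j DROP"
    # LAN hosts may open new sessions through the tunnel.
    echo "-A FORWARD -i $lan_if -o $tun_if -j ACCEPT"
    printf '%s' "$port_rules"
    echo "COMMIT"
}

# Constructed sample: allow SSH to one LAN host.
# emit_forward_rules p3p1 sixxs "2001:db8:1::10/tcp/22"
```

Check the output with `ip6tables-restore --test` before loading it. Loading replaces the rules of the whole filter table, so the router's own INPUT and OUTPUT rules belong in the same file.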


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker