
Thread: IPv6 network on Ubuntu Server v22

  1. #1
    Join Date
    Nov 2022
    Beans
    5

    Question IPv6 network on Ubuntu Server v22

    Hello.

    Can't seem to get the IPv6 network to work.
    Given: dedicated IPv4 like: 45.80.XX.XX/32 and gateway 10.0.0.1; IPv6 subnet: 2a03:XX:XX::5b8/125 (/125 prefix) and gateway 2a03:XX:XX::5b9
    Bottom line: IPv4 works fine, but IPv6 doesn’t want to do anything...


    Question: Tell me, please, a possible solution to the problem with IPv6. Need help!

    ========================
    My config is in /etc/netplan/00-network-all.yaml

    Code:
    network:
      version: 2
      renderer: networkd
      ethernets:
        ens3:
          dhcp4: no
          dhcp6: no
          addresses:
            - 45.80.XX.XX/32
            - 2a03:XX:XX::5b8/125
            - 2a03:XX:XX::5ba/128
          nameservers:
            addresses:
            - 1.1.1.1
            - 8.8.8.8
            - 2606:4700:4700::1111
            - 2001:4860:4860::8888
          routes:
            - to: 0.0.0.0/0 # default
              via: 10.0.0.1
              metric: 20
              on-link: true
            - to: ::/0 # default
              via: 2a03:XX:XX::5b9
              metric: 10
              on-link: true
    

    ip a
    Code:
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 52:54:00:XX:XX:XX brd ff:ff:ff:ff:ff:ff
        altname enp0s3
        inet 45.80.XX.XX/32 scope global ens3
           valid_lft forever preferred_lft forever
        inet6 2a03:XX:XX::5ba/128 scope global
           valid_lft forever preferred_lft forever
        inet6 2a03:XX:XX::5b8/125 scope global
           valid_lft forever preferred_lft forever
    3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
        link/none
        inet 10.66.66.1/24 scope global wg0
           valid_lft forever preferred_lft forever
        inet6 fd42:42:42::1/64 scope global
           valid_lft forever preferred_lft forever
    

    ip -6 r
    Code:
    ::1 dev lo proto kernel metric 256 pref medium
    2a03:XX:XX::5ba dev ens3 proto kernel metric 256 pref medium
    2a03:XX:XX::5b8/125 dev ens3 proto kernel metric 256 pref medium
    fd42:42:42::/64 dev wg0 proto kernel metric 256 pref medium
    default via 2a03:XX:XX::5b9 dev ens3 proto static metric 10 onlink pref medium
    

    ip neigh
    Code:
    10.0.0.1 dev ens3 lladdr 02:00:00:00:00:01 REACHABLE
    2a03:XX:XX::5b9 dev ens3  FAILED

    mtr google.com -6
    Code:
    Host                                Loss%   Snt   Last   Avg  Best  Wrst StDev
     1. (no route to host)



  2. #2
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,714

    Re: IPv6 network on Ubuntu Server v22

    Have you configured any firewall rules? Please post the output of these commands:
    Code:
    sudo iptables-save
    sudo nft list ruleset
    Also, I gather that a Neighbor Solicitation request must come from the Link Local address of the sender, and you don't seem to have a Link Local address. This might be the source of the problem.
    Last edited by The Cog; November 21st, 2022 at 09:58 AM.

  3. #3
    Join Date
    Nov 2022
    Beans
    5

    Re: IPv6 network on Ubuntu Server v22

    Quote Originally Posted by The Cog
    Have you configured any firewall rules? Please post the output of these commands:
    Code:
    sudo iptables-save
    sudo nft list ruleset
    Also, I gather that a Neighbor Solicitation request must come from the Link Local address of the sender, and you don't seem to have a Link Local address. This might be the source of the problem.
    First, thank you for the reply!

    1) No, I didn't set up any firewall rules.
    2)
    ...and you don't seem to have a Link Local address.
    Could you help me to add correct Link-Local address via terminal, please???

    sudo iptables-save

    Code:
    # Generated by iptables-save v1.8.7 on Mon Nov 21 12:36:40 2022
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A FORWARD -i ens3 -o wg0 -j ACCEPT
    -A FORWARD -i wg0 -j ACCEPT
    COMMIT
    # Completed on Mon Nov 21 12:36:40 2022
    # Generated by iptables-save v1.8.7 on Mon Nov 21 12:36:40 2022
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -o ens3 -j MASQUERADE
    COMMIT
    # Completed on Mon Nov 21 12:36:40 2022

    sudo nft list ruleset

    Code:
     
    table ip filter {
            chain FORWARD {
                    type filter hook forward priority filter; policy accept;
                    iifname "ens3" oifname "wg0" counter packets 0 bytes 0 accept
                    iifname "wg0" counter packets 0 bytes 0 accept
            }
    }
    table ip nat {
            chain POSTROUTING {
                    type nat hook postrouting priority srcnat; policy accept;
                    oifname "ens3" counter packets 50 bytes 3449 masquerade
            }
    }
    table ip6 filter {
            chain FORWARD {
                    type filter hook forward priority filter; policy accept;
                    iifname "wg0" counter packets 0 bytes 0 accept
            }
    }
    table ip6 nat {
            chain POSTROUTING {
                    type nat hook postrouting priority srcnat; policy accept;
                    oifname "ens3" counter packets 43 bytes 4143 masquerade
            }
    }
    Last edited by nick1231; November 21st, 2022 at 01:55 PM.

  4. #4
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,714

    Re: IPv6 network on Ubuntu Server v22

    "Could you help me to add correct Link-Local address via terminal, please???"
    I don't know. I'll try to figure something out this evening but I'm not sure I'll get anywhere.

    I'm surprised to see that you have NAT rules on both iptables and nftables. There are warnings in the nftables docs that you must not do that. In general, I would suggest you use one firewall configuration only, although I gather that it's only NAT where they specifically say don't do that. I don't think that's your IPv6 problem though.

    Afterthought - it may be that the iptables-save is just translating the nft ruleset, for backwards compatibility. I gather that iptables is regarded as legacy in recent Ubuntus. I don't know how to tell if that's why you see both types of rules though. Maybe "lsmod |grep tables".
    Last edited by The Cog; November 21st, 2022 at 05:50 PM.

  5. #5
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,714

    Re: IPv6 network on Ubuntu Server v22

    OK, I give up. My machines all have link-local addresses, e.g.:
    Code:
    2: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
        inet6 fc00:1111::1/64 scope global 
           valid_lft forever preferred_lft forever
        inet6 fe80::1d5c:c681:9ad:bb67/64 scope link noprefixroute 
           valid_lft forever preferred_lft forever
    and if I manually delete it, another (different) one appears instantly. At this stage, I don't understand why I have one and you don't.
    I did confirm with tcpdump that the neighbor solicitation request (== ipv4 ARP request) is sent to the link-local multicast address, even when trying to resolve an IP address that is on the same global network. So you really do need a link-local address.
    One thing you might try is creating one manually. Perhaps:
    Code:
    sudo ip addr add fe80::1234/128 dev ens3
    but I'm guessing. If anyone knows better, I'd be very happy for an explanation, or a link to one.
    Last edited by The Cog; November 21st, 2022 at 11:44 PM.

  6. #6
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,714

    Re: IPv6 network on Ubuntu Server v22


  7. #7
    Join Date
    Nov 2022
    Beans
    5

    Re: IPv6 network on Ubuntu Server v22

    Quote Originally Posted by The Cog
    So you really do need a link-local address.
    One thing you might try is creating one manually. Perhaps:
    Code:
    sudo ip addr add fe80::1234/128 dev ens3
    but I'm guessing. If anyone knows better, I'd be very happy for an explanation, or a link to one.
    I manually created a link-local address, but nothing changed with IPv6...



    Code:
    sudo nmcli --wait 0 device connect ens3
    Error: Failed to add/activate new connection: Connection 'ens3' is not available on device ens3 because device is strictly unmanaged
    Or am I doing something wrong?

  8. #8
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,714

    Re: IPv6 network on Ubuntu Server v22

    Silly me. Your netplan config says you're using networkd (I think that's the systemctl network manager) rather than the gnome network-manager. I really don't know what to do from here, I'm afraid.

  9. #9
    Join Date
    Nov 2022
    Beans
    5

    Re: IPv6 network on Ubuntu Server v22

    Quote Originally Posted by The Cog
    I really don't know what to do from here, I'm afraid.
    Unfortunately, I decided to reinstall the system anyway. And IPv6 doesn't work for me either.
    =============

    Given: Dedicated IPv4 like: 45.80.XX.XX/32 and gateway 10.0.0.1; IPv6 subnet: 2a03:XX:XX::5b8/125 (/125 prefix) and gateway 2a03:XX:XX::5b9

    Here is my netplan config:
    Code:
    network:
      version: 2
      renderer: networkd
      ethernets:
        ens3:
          dhcp4: no
          dhcp6: no
          addresses:
            - 45.80.XX.XX/32
            - 2a03:XX:XX::5b8/125
          nameservers:
            addresses:
            - 1.1.1.1
            - 8.8.8.8
            - 2606:4700:4700::1111
            - 2001:4860:4860::8888
          routes:
            - to: 0.0.0.0/0 # default
              via: 10.0.0.1 # Gateway IPv4
              metric: 100
              on-link: true
            - to: ::/0 # default
              via: 2a03:XX:XX::5b9 # Gateway IPv6
              metric: 200
              on-link: true

    ip neigh
    Code:
    10.0.0.1 dev ens3 lladdr 02:00:00:00:00:01 REACHABLE
    2a03:XX:XX::5b9 dev ens3  FAILED

    route -6
    Code:
    Kernel IPv6 routing table
    Destination                    Next Hop                   Flag Met Ref Use If
    ip6-localhost/128              [::]                       U    256 2     0 lo
    myhost/125                     [::]                       U    256 1     0 ens3
    fe80::/64                      [::]                       U    256 1     0 ens3
    [::]/0                         _gateway                   UGH  200 1     0 ens3
    ip6-localhost/128              [::]                       Un   0   5     0 lo
    myhost/128                     [::]                       Un   0   2     0 ens3
    myhost/128                     [::]                       Un   0   2     0 ens3
    ip6-mcastprefix/8              [::]                       U    256 4     0 ens3
    [::]/0                         [::]                       !n   -1  1     0 lo

    ip -6 r
    Code:
    ::1 dev lo proto kernel metric 256 pref medium
    2a03:XX:XX::5b8/125 dev ens3 proto kernel metric 256 pref medium
    fe80::/64 dev ens3 proto kernel metric 256 pref medium
    default via 2a03:XX:XX::5b9 dev ens3 proto static metric 200 onlink pref medium

    ip a
    Code:
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    
    
    2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 52:54:00:XX:XX:XX brd ff:ff:ff:ff:ff:ff
        altname enp0s3
        inet 45.80.XX.XX/32 scope global ens3
           valid_lft forever preferred_lft forever
        inet6 2a03:XX:XX::5b8/125 scope global
           valid_lft forever preferred_lft forever
        inet6 fe80::XX:XX:XX:1904/64 scope link
           valid_lft forever preferred_lft forever
    In the IPv6 routing table there is a strange "UGH" flag; maybe it should be just "UG"???
    Code:
     [::]/0           _gateway         UGH  200 1     0 ens3

    P.S. I really need help with IPv6!

  10. #10
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,714

    Re: IPv6 network on Ubuntu Server v22

    I still think your problem is the lack of a link-local address, making it unable to send NDP requests. Here are some interesting bits that may help:
    https://stackoverflow.com/questions/...-local-address
    https://medium.com/opsops/how-to-res...x-737666a505f3
    That second one links to https://www.kernel.org/doc/Documenta.../ip-sysctl.txt (search for addr_gen_mode) which says:
    Code:
    addr_gen_mode - INTEGER
    	Defines how link-local and autoconf addresses are generated.
    
    	0: generate address based on EUI64 (default)
    	1: do no generate a link-local address, use EUI64 for addresses generated
    	   from autoconf
    	2: generate stable privacy addresses, using the secret from
    	   stable_secret (RFC7217)
    	3: generate stable privacy addresses, using a random secret if unset
    So you could try setting it with the following (maybe try setting to 3 then back to 0 to make sure it changes to trigger generation)
    Code:
    sudo -i
    echo 0 > /proc/sys/net/ipv6/conf/ens3/addr_gen_mode
    exit
    or alternatively:
    Code:
    sudo sysctl -w net/ipv6/conf/ens3/addr_gen_mode=0
    Last edited by The Cog; November 24th, 2022 at 10:05 AM.
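
The two symptoms this thread keeps returning to (no `fe80::` address in `ip a`, and the gateway shown as `FAILED` in `ip neigh`) can be checked mechanically. The script below is an added example, not part of any post above; the function names are hypothetical and the sample text is constructed with the documentation prefix 2001:db8::, shaped like the output posted in the thread.

```shell
#!/bin/sh
# Added example. Sample text is constructed (documentation prefix 2001:db8::/32),
# shaped like the `ip a` / `ip neigh` output posted in this thread.
SAMPLE_ADDR_NO_LL='2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8::5b8/125 scope global
       valid_lft forever preferred_lft forever'
SAMPLE_ADDR_WITH_LL="$SAMPLE_ADDR_NO_LL
    inet6 fe80::5054:ff:fe00:1904/64 scope link
       valid_lft forever preferred_lft forever"
SAMPLE_NEIGH='10.0.0.1 dev ens3 lladdr 02:00:00:00:00:01 REACHABLE
2001:db8::5b9 dev ens3  FAILED'

# Reads `ip -6 addr show dev IF` text on stdin. Prints "yes" if it contains a
# usable link-local address (fe80::/10, scope link, not tentative/dadfailed).
has_link_local() {
    awk '
      $1 == "inet6" && tolower($2) ~ /^fe[89ab][0-9a-f]:/ && /scope link/ && !/tentative|dadfailed/ { found = 1 }
      END { print (found ? "yes" : "no") }'
}

# Reads unfiltered `ip neigh` text on stdin. Prints the neighbour state (last
# field) for address $1 on device $2, or "absent" if there is no entry.
neigh_state() {
    awk -v ip="$1" -v dev="$2" '
      $1 == ip && $2 == "dev" && $3 == dev { s = $NF }
      END { print (s == "" ? "absent" : s) }'
}

# $1 = address text, $2 = neighbour text, $3 = gateway, $4 = device.
# Prints one verdict: the missing link-local address is reported first,
# because neighbour discovery cannot be judged without it.
triage() {
    ll=$(printf '%s\n' "$1" | has_link_local)
    st=$(printf '%s\n' "$2" | neigh_state "$3" "$4")
    case "$ll/$st" in
        no/*)                      echo "no-link-local" ;;
        yes/FAILED|yes/INCOMPLETE) echo "gateway-unresolved" ;;
        yes/absent)                echo "gateway-never-probed" ;;
        *)                         echo "ok" ;;
    esac
}

# Live use (needs iproute2; GATEWAY is a placeholder for the provider's gateway):
#   triage "$(ip -6 addr show dev ens3)" "$(ip neigh)" GATEWAY ens3
#   cat /proc/sys/net/ipv6/conf/ens3/addr_gen_mode   # 1 = no link-local generated
```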
