Manjaro IPv6 no ping, maybe my ISP not support it?

Hello,
On 5.13.19-2-MANJARO x86_64 I am trying to find out whether my IPv6 configuration is wrong or missing something, or whether my router or my ISP does not support IPv6.

$ ping -6 google.com -c 3 -w 3

PING google.com(prg03s05-in-x0e.1e100.net (2a00:1450:4014:80c::200e)) 56 data bytes

--- google.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

$ sudo ip6tables -S

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

$ ip a show maininterfacename

2: maininterfacename: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether aa:bb:cc:dd:ee:ff brd ff:ff:ff:ff:ff:ff permaddr aa:bb:cc:dd:ee:ff
    altname enp3s0f1
    inet 192.168.0.2/24 brd 192.168.0.255 scope global noprefixroute eno1
       valid_lft forever preferred_lft forever
    inet6 fe80::aaaa:bbb:ccc:ddd/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

(so it detects some IPv6, NetworkManager is set to IPv6 Automatic method.)

$ ip -6 r

::1 dev lo proto kernel metric 256 pref medium
myvpnserveripv6subnet::2 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev maininterfacename proto kernel metric 100 pref medium
fe80::/64 dev ifb0 proto kernel metric 256 pref medium

The wg0 VPN server through which I am sending the traffic is, I believe, well configured for IPv6 (AllowedIPs=sfe80::/64, myvpnserveripv6subnet::2/128) and pings Google. It is able to ping itself (myvpnserveripv6subnet::1), but not the VPN client myvpnserveripv6subnet::2

$ cat /proc/sys/net/ipv6/conf/all/forwarding

1

(on the client, where IPv6 may be the issue, it is 0)

So, assuming that the server is well configured, I would like to discover what the IPv6 obstacles are on the client - 5.13.19-2-MANJARO x86_64. The NetworkManager GUI wired configuration shows IPv6 is set to Automatic and “$ ip a show” detects some IPv6 as shown above. Please, do you have an idea of a command, or what to look for?

UPDATE: this issue was fixed by xabbu; thanks to his help I have summarized the steps to do in this comment.

IPv6 has application in large networks - very, very large networks.

IPv6 has little application within a local private network - so I suggest you don’t waste your time on it.

If you want to learn about it you should look towards documentation targeting network topology, layers, switches and routing. The Arch wiki is most likely the best place to begin.

There is no usable IPv6 address attached to your maininterfacename device. The fe80:: address is called link local, and can only be used to reach other devices in the same local network. Link local addresses are not routable and you need to specify the device to be used.

For example, your router has a link local address like fe80::z:y:x:w . You can ping it with

ping fe80::z:y:x:w%maininterfacename

If you want to know if your ISP supports IPv6, ask your ISP. You can also log in to your router’s web interface and look there.

If you set up a WireGuard network, always use IPv4 and IPv6. This makes it a lot easier. Using private IPv6 addresses also makes it a little bit easier, but if you want you can use real globally routable IPv6 addresses from a prefix you got from your ISP. The downside of private IPv6 addresses is the NAT.

Maybe it is because of your disguise, but you really need to specify the network mask. Do this in the “Interface” section at the Address line.

NetworkManager sets the IPv6 Automatic method; in the physical router web UI I have not found IPv6 anywhere (it is an older device), maybe I am getting no usable IPv6 (only link local) because the ISP does not support it…

Just did, and they do NOT support IPv6.

But is it necessary that my ISP supports it? While I am using a proxy server for my internet activity and this server supports IPv6… I have found this article and he adds fd00:11:12:14::2/64 to the WireGuard (proxy software) client wg0.conf file Address line. I just did that and in the server’s wg0.conf added the same to the [Peers] section, AllowedIPs line. Restarted WG and I can now ping -6 from the client to my remote internet VPN server :: (ping -6 ServersPublicIPv6) :: though not beyond it (to Google for example).

The server’s ip6tables has FORWARD policy ACCEPT and the following rules are used:

ip6tables -A FORWARD -i wg0 -j ACCEPT
ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Besides eth0 I have also tried the eth1 interface, but no luck.
Server sysctl -a|grep -i forward|grep 6:

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.tun0.forwarding = 1
net.ipv6.conf.tun0.mc_forwarding = 0
net.ipv6.conf.wg0.forwarding = 1
net.ipv6.conf.wg0.mc_forwarding = 0

The server’s networking looks like this. Thank You for your time if you try to examine it.

If you want to have a public IPv6 address assigned to your maininterfacename, yes. Also if you mean by proxy a real http/https proxy, yes. But it looks more like you mean a VPN by proxy.

If you just want IPv6 connectivity through your WireGuard VPN, then no. Let’s focus on this.

This is good, so it is a problem with the NAT rules. The fd00::/8 address space is private, which means you need to use a NAT. I usually explicitly set the source IP address space (-s fd00:11:12:14::/64).

What does your NAT table look like?

ip6tables -t nat -L

ip6tables -t nat -L on client is empty, policy ACCEPT.

On server it is like this:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all      anywhere             anywhere

v4 on the other hand:

SNAT       all  --  10.66.66.0/24        anywhere             to:serverIPhere
MASQUERADE  all  --  anywhere             anywhere

server sysctl -a:
net.ipv6.conf.all.forwarding = 1

server’s /etc/wireguard/wg0.conf uses following v6 rules:

PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Someone instead uses the following FORWARD rules:

PostUp = ip6tables -A FORWARD -i %i -j ACCEPT
PostUp = ip6tables -A FORWARD -o %i -j ACCEPT

Please, do you have an idea of an ip6tables command for this server so it adds the proper NAT rule/s that will process the client IPv6 fd00:11:12:14::2/64 traffic out to the internet and back? I was trying some, but no luck so far.

That is correct. It is just about the server.

I always specify the source network range in the nat table rules.

For example

ip6tables -A POSTROUTING -s fd00:11:12:14::/64 -o eth0 -j MASQUERADE

An IPv6 range usually ends in ::. So fd00:11:12:14::/64 means all possible IPv6 addresses in this subnet.

Sometimes it is quite hard to get rid of all iptables rules, so you might want to reboot if you want to test something new.

Also there are multiple ways to achieve this, pick the one you like and works for you.


I think that it should be:

ip6tables -t nat -A POSTROUTING

I have tried it, and also other interfaces like eth1 (as you can see in my quotation below), but the client cannot ping Google through this server. Traceroute to Google from the client shows no routing point (nor my server); does it mean it does not even reach the server? But ping -6 serverpublicip works, and the high latency indicates that it goes to the remote server.

When I ping -6 google.com, it shows the line that contains: 2a00:1450:4014:80c::200e
even though the result is 100% packet loss.

In the WireGuard server wg0.conf I set as server Address itspublicipv6::1/56 (hopefully this subnet size is correct - my server provider mentions it under ETH1_IP6_PREFIX_LENGTH - it seems like they mention IPv6 on eth1), maybe the ip6tables NAT rules should be like that. But @xabbu, your previous command, only modified for eth1, does not make it work either.

# ip6tables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o wg0 -j MASQUERADE
-A POSTROUTING -s fd00:11:12:14::/64 -o eth1 -j MASQUERADE
-A POSTROUTING -s fd00:11:12:14::/64 -o eth0 -j MASQUERADE
-A POSTROUTING -s fd00:11:12:14::/64 -o wg0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE

# ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT

I’m sorry I forgot the -t nat, you are of course correct.

I don’t think this will work. You have to pick one.


I created a little test network. The server has a device eth0 with multiple globally routable IPv6 addresses attached to it.

$ cat /etc/sysctl.d/61-wireguard.conf
net.ipv4.ip_forward = 1 
net.ipv6.conf.all.forwarding = 1
$ cat /etc/wireguard/wg0.conf
[Interface]
Address = fd44:44:44::1/64
ListenPort = 66666
PrivateKey = abcde=

[Peer]
PublicKey =  zyxwv=
AllowedIPs = fd44:44:44::2/128

The client config:


[Interface]
PrivateKey = vwxyz=
Address = fd44:44:44::2/64
DNS = fd44:44:44::1

[Peer]
PublicKey = edcba=
Endpoint = wireguard.domain:66666
AllowedIPs = ::/0

After that I can ping from the client the IP fd44:44:44::1 and also the IPv6 from the eth0 device on the server. But no other public IPv6 address.

The only ip6tables command I needed to run on the server as root was

 ip6tables -t nat -A POSTROUTING -s fd44:44:44::/64 -o eth0 -j MASQUERADE

After that I was immediately able to ping other public IPv6 addresses like 2001:4860:4860::8888

# ip6tables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s fd44:44:44::/64 -o eth0 -j MASQUERADE
# ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
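An added example, not written by either poster: a Python check that classifies the POSTROUTING MASQUERADE rules in `ip6tables -t nat -S` output, run here on the server listing quoted earlier in the thread. The function names and verdict labels are made up for this illustration.

```python
import ipaddress

# Sample input: the server's `ip6tables -t nat -S` listing quoted in the thread.
SAMPLE = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o wg0 -j MASQUERADE
-A POSTROUTING -s fd00:11:12:14::/64 -o eth1 -j MASQUERADE
-A POSTROUTING -s fd00:11:12:14::/64 -o eth0 -j MASQUERADE
-A POSTROUTING -s fd00:11:12:14::/64 -o wg0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
"""

def _opt(tokens, flag):
    """Value following `flag`, or None when the rule does not use it."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def audit_masquerade(rules_text, tunnel_net, tunnel_if):
    """Return (verdict, out_interface, source) for each POSTROUTING MASQUERADE rule."""
    tunnel = ipaddress.ip_network(tunnel_net)
    findings = []
    for line in rules_text.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", "POSTROUTING"] or _opt(tok, "-j") != "MASQUERADE":
            continue
        src, out = _opt(tok, "-s"), _opt(tok, "-o")
        if out == tunnel_if:
            verdict = "egress-is-tunnel"  # rewrites traffic entering the tunnel, not leaving the server
        elif src is None:
            verdict = "unscoped"          # every source leaving `out` is translated
        elif not tunnel.subnet_of(ipaddress.ip_network(src, strict=False)):
            verdict = "wrong-source"      # -s does not cover the tunnel subnet
        else:
            verdict = "ok"
        findings.append((verdict, out, src))
    return findings

def scoped_uplinks(findings):
    """Interfaces with a correctly scoped rule; more than one means the uplink is still a guess."""
    return sorted({out for verdict, out, _ in findings if verdict == "ok"})

if __name__ == "__main__":
    results = audit_masquerade(SAMPLE, "fd00:11:12:14::/64", "wg0")
    for verdict, out, src in results:
        print(f"{verdict:17} -o {out} -s {src}")
    print("scoped uplinks:", scoped_uplinks(results))
```
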

Thank you for your examples, this recent post of yours gave a good picture of the working setup and IPv6 started working.

It took me 2 hours to figure out one single digit typo in the configuration on the server:
I had two [Peer] sections and the IPv6 had the same ::2 at the address end, and this caused IPv6 traffic to fail.

Without your help I would not have IPv6, so thank you very much!

Btw. apparently my IPv4 interface was eth0 and IPv6 was eth1, so the iptables rule had to be adjusted, and I have also simplified it from:
ip6tables -t nat -A POSTROUTING -s fd44:44:44::/64 -o eth0 -j MASQUERADE
to:
ip6tables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
I have seen in numerous IPv4 online tutorials that they have not defined a source, so maybe it is not a security issue.

If anyone is still unable to set up IPv6, then thanks to xabbu here are some steps that may help to set up IPv6 WG:

CLIENT /etc/wireguard/wg0.conf setup as described in the previous post, except the following:

  • Do not modify PublicKey, PrivateKey, PresharedKey (those are things one possibly already has from the default setup. I have WireGuard installed by angristan/wireguard-install, the WireGuard VPN installer for Linux servers on GitHub)
  • Do not modify ListenPort in case you already have a working IPv4 setup.
  • If “cat /etc/sysctl.d/61-wireguard.conf” is not found, try “cat /etc/sysctl.d/*wg*”
  • wireguard.domain you may replace by your server’s public IPv4 (or a hostname, if you have one that resolves to its IP)
  • The AllowedIPs variable, for an IPv4 setup too, may rather be: 0.0.0.0/0, ::/0

SERVER /etc/wireguard/wg0.conf setup:

  • In the [Interface] section I have:
    PostUp = ip6tables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    PostDown = ip6tables -t nat -D POSTROUTING -o eth1 -j MASQUERADE
    (replace eth1 by the server network interface on which IPv6 is listed as global; command: ip -6 a)
    Possibly you can clean up your iptables if you have messed it up: ip6tables -t nat -S; ip6tables -t nat -D linenumber.
  • Address: I also have IPv4: 10.66.66.1/24, fd44:44:44::1/64
  • AllowedIPs in the [Peer] section: I also have IPv4: 10.66.66.2/32, fd44:44:44::2/128

To open/forward the port range 1234-1244 (both UDP and TCP) for IPv6, put in the server’s wg0.conf:

PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 1234:1244 -j DNAT --to-destination fd44:44:44::2
PostUp = ip6tables -t nat -A PREROUTING -i eth1 -p udp -m udp --dport 1234:1244 -j DNAT --to-destination fd44:44:44::2
PostUp = ip6tables -t nat -A POSTROUTING -s fd44:44:44::/64 -j SNAT --to-source SERVERSPUBLICIPV6HERE::1
PostUp = ip6tables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D PREROUTING -i eth1 -p tcp -m tcp --dport 1234:1244 -j DNAT --to-destination fd44:44:44::2
PostDown = ip6tables -t nat -D PREROUTING -i eth1 -p udp -m udp --dport 1234:1244 -j DNAT --to-destination fd44:44:44::2
PostDown = ip6tables -t nat -D POSTROUTING -s fd44:44:44::/64 -j SNAT --to-source SERVERSPUBLICIPV6HERE::1
PostDown = ip6tables -t nat -D POSTROUTING -o eth1 -j MASQUERADE

(replace SERVERSPUBLICIPV6HERE and also eth1 by the interface for which IPv6 is displayed with the global flag in the command “ip -6 a”)
Restart WireGuard on server & client (after you have tested the rules, or have a way to access the server if the WG tunnel is not established due to a failure in configuration)

ping from client:
ping -6 -c 2 -W 2 fd44:44:44::1;ping -c 2 -W 2 -6 2a00:1450:4014:80c::200e;ping -6 -c 2 -W 2 google.com

https://ipv6-test.com