Setting up IPv6 routing

Hello all!
I have set up a NAS/router thing (from now on referred to as “router”) to route my network traffic, and it works beautifully with IPv4.
However, I just can’t get my networked computers to see the outside world. But I can ping/curl WAN sources from the router.
I use systemd-networkd, dnsmasq, radvd and shorewall (and shorewall6) for all this.
I followed the ArchWiki article on setting up a router: https://wiki.archlinux.org/index.php/router
It is a two-interface router, local network if: int0, out-facing network if: ext0


The router’s configs gist: ipv6 · GitHub

ip -6 a (global IPs censored, but they are related: xxx:yyy:zzzz:wwww is exactly the same in every instance; the ‘u’ in the ext0 address is on purpose, it’s a different number)

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: int0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:4c4c:12c6:5d00:xxx:yyy:zzzz:wwww/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 86398sec preferred_lft 14398sec
    inet6 2001:4c4c:12c6:5df0:xxx:yyy:zzzz:wwww/64 scope global dynamic 
       valid_lft 1060902sec preferred_lft 1060902sec
    inet6 fe80::21e:6ff:fe45:4afa/64 scope link 
       valid_lft forever preferred_lft forever
3: ext0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:4c4c:12c6:5d00::1001/128 scope global dynamic noprefixroute 
       valid_lft 1060902sec preferred_lft 1060902sec
    inet6 2001:4c4c:12c6:5d00:xxx:yyy:zzzz:wwwu/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 1062571sec preferred_lft 604776sec
    inet6 fe80::21e:6ff:fe45:4afb/64 scope link 
       valid_lft forever preferred_lft forever

ip -6 r

::1 dev lo proto kernel metric 256 pref medium
2001:4c4c:12c6:5d00::/64 dev ext0 proto ra metric 1024 expires 1062571sec pref medium
2001:4c4c:12c6:5d00::/64 dev int0 proto ra metric 1024 expires 86394sec pref medium
2001:4c4c:12c6:5df0::/64 dev int0 proto kernel metric 256 expires 1060512sec pref medium
2001:4c4c:12c6:5df0::/64 dev int0 metric 1024 pref medium
unreachable 2001:4c4c:12c6:5df0::/60 dev lo metric 1024 pref medium
2001:4c4c:12c6:5d00::/56 via fe80::4265:a3ff:feec:1e74 dev ext0 proto ra metric 1024 expires 1062571sec pref medium
fe80::/64 dev ext0 proto kernel metric 256 pref medium
fe80::/64 dev int0 proto kernel metric 256 pref medium
default via fe80::4265:a3ff:feec:1e74 dev ext0 proto ra metric 1024 expires 1776sec mtu 1500 pref medium

ping -6 ipv6.google.com

PING ipv6.google.com(prg03s01-in-x0e.1e100.net (2a00:1450:4014:800::200e)) 56 data bytes
64 bytes from prg03s01-in-x0e.1e100.net (2a00:1450:4014:800::200e): icmp_seq=1 ttl=115 time=27.8 ms
64 bytes from prg03s01-in-x0e.1e100.net (2a00:1450:4014:800::200e): icmp_seq=2 ttl=115 time=27.8 ms
64 bytes from prg03s01-in-x0e.1e100.net (2a00:1450:4014:800::200e): icmp_seq=3 ttl=115 time=27.9 ms

curl -6 ipv6.icanhazip.com

2001:4c4c:12c6:5d00::1001

A host computer on the network:

ip -6 a (global ips censored, they are completely different)

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:4c4c:12c6:5d00:iiii:jjjj:kkkk:llll/64 scope global dynamic noprefixroute 
       valid_lft 86392sec preferred_lft 14392sec
    inet6 2001:4c4c:12c6:5df0:uuuu:vvvv:oooo:pppp/64 scope global dynamic noprefixroute 
       valid_lft 1060281sec preferred_lft 1060281sec
    inet6 fe80::da34:5d23:f44c:3e23/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

ip -6 r

::1 dev lo proto kernel metric 256 pref medium
2001:4c4c:12c6:5d00::/64 dev eno1 proto ra metric 100 pref medium
2001:4c4c:12c6:5df0::/64 dev eno1 proto ra metric 100 pref medium
fe80::/64 dev eno1 proto kernel metric 100 pref medium
default via fe80::21e:6ff:fe45:4afa dev eno1 proto ra metric 20100 pref medium

traceroute -6 ipv6.google.com

traceroute to ipv6.google.com (2a00:1450:4014:80d::200e), 30 hops max, 80 byte packets
 1  * * *
 2  * * *
 3  * * *

ping -6 2001:4c4c:12c6:5d00::1001 (idk where the from address in the output comes from)

PING 2001:4c4c:12c6:5d00::1001(2001:4c4c:12c6:5d00::1001) 56 data bytes
From 2001:4c4c:12c6:5d00:dc53:16a8:a474:44cd icmp_seq=1 Destination unreachable: Address unreachable

Sorry for the long wall of text, but I have been hitting my head against a concrete wall for about 2 days straight now.
Thank you for anyone helping in advance :slight_smile:

Unfortunately it is a little bit chaotic.
Maybe start with the basics. Did you configure IPv6 forwarding? Do you get a prefix from your ISP? Is it a stable prefix or does it change? If it changes, it won’t work nicely. Use NATv6. It is ugly but works.

If you get a stable prefix, split a smaller prefix from it, like a /54 or even smaller. Use only this in your local network. Do not mix. This also means your int0 has only IPv6 for one prefix attached to it.

This does not look good, two different IPv6 prefixes attached to it.

From your radvd.conf :

prefix 2001:4c4c:12c6:5d00::/64

It is too big. Do not use your prefix from the outside.

Yes, sorry if it is chaotic, I must have something poorly configured, I have never configured IPv6 from the ground up before, apart from clicking buttons in an older ASUS router and setting a route. :smiley:

Yes, I have set sysctl net.ipv6.conf.all.forwarding to 1, and also set it explicitly on the interfaces.
Also I think shorewall6 configures that as well with the interfaces config…

Unfortunately, probably not, I can’t find anything related to prefixes in the modem firmware. I got those IPs with SLAAC though…

I think the first 64 bits do not change, I had that 2001:4c4c:12c6:5d00:: prefix since I got that modem 3 years ago.

Should I do 2001:4c4c:12c6:5d00::/54 for the radvd.conf then?
I tried that some time ago, but it was complaining about it.

systemd[1]: Started IPv6 Router Advertisement Daemon.
radvd[1587]: radvd (1587): version 2.18 started
radvd[1587]: radvd (1587): int0 prefix length should be: 64

Have you tried
https://ipv6-test.com/

Okay, I have been working on this through the weekend.

I’ve done away with radvd, because it isn’t needed (I think).
I also added IPv6 prefix delegation related things to the networkd config files.

The updated configs are still at the same gist ipv6 · GitHub.

And yes, now I have confirmed that I do indeed get a prefix from the ISP, as seen by the 2001:4c4c:12c6:5d00::/56 route below.

Now ping doesn’t say Destination unreachable, but still fails to actually ping the target, so I guess that’s somewhat of an improvement.
I am also able to get a route hop with traceroute, but it stops at the router every time. I tried pinging my PC with my phone (while not connected to wlan), and it failed as well.

Router’s ips and routes:

ip -6 a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
    valid_lft forever preferred_lft forever
2: int0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:4c4c:12c6:5df0:xxx:yyy:zzzz:4afa/64 scope global dynamic 
    valid_lft 759966sec preferred_lft 759966sec
    inet6 fe80::21e:6ff:fe45:4afa/64 scope link 
    valid_lft forever preferred_lft forever
3: ext0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:4c4c:12c6:5d00::1000/128 scope global dynamic noprefixroute 
    valid_lft 759966sec preferred_lft 759966sec
    inet6 2001:4c4c:12c6:5d00:xxx:yyy:zzzz:4afb/64 scope global dynamic mngtmpaddr noprefixroute 
    valid_lft 760962sec preferred_lft 303167sec
    inet6 fe80::21e:6ff:fe45:4afb/64 scope link 
    valid_lft forever preferred_lft forever

ip -6 r

::1 dev lo proto kernel metric 256 pref medium
2001:4c4c:12c6:5d00::/64 dev ext0 proto ra metric 1024 expires 760956sec pref medium
2001:4c4c:12c6:5df0::/64 dev int0 proto kernel metric 256 expires 759901sec pref medium
2001:4c4c:12c6:5df0::/64 dev int0 metric 1024 pref medium
unreachable 2001:4c4c:12c6:5df0::/60 dev lo metric 1024 pref medium
2001:4c4c:12c6:5d00::/56 via fe80::4265:a3ff:feec:1e74 dev ext0 proto ra metric 1024 expires 760956sec pref medium
fe80::/64 dev int0 proto kernel metric 256 pref medium
fe80::/64 dev ext0 proto kernel metric 256 pref medium
default via fe80::4265:a3ff:feec:1e74 dev ext0 proto ra metric 1024 expires 1773sec mtu 1500 pref medium

Host PC’s ips and routes:

ip -6 a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
    valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:4c4c:12c6:5df0:uuuu:vvvv:wwww:9b3c/64 scope global dynamic noprefixroute 
    valid_lft 760520sec preferred_lft 760520sec
    inet6 fe80::da34:5d23:f44c:3e23/64 scope link noprefixroute 
    valid_lft forever preferred_lft forever

ip -6 r

::1 dev lo proto kernel metric 256 pref medium
2001:4c4c:12c6:5df0::/64 dev eno1 proto ra metric 100 pref medium
fe80::/64 dev eno1 proto kernel metric 100 pref medium
default via fe80::21e:6ff:fe45:4afa dev eno1 proto ra metric 20100 pref medium

ping -6 ipv6.google.com

PING ipv6.google.com(bud02s25-in-x0e.1e100.net (2a00:1450:400d:808::200e)) 56 data bytes
^C
--- ipv6.google.com ping statistics ---
21 packets transmitted, 0 received, 100% packet loss, time 20498ms

traceroute -6 ipv6.google.com

traceroute to ipv6.google.com (2a00:1450:400d:808::200e), 30 hops max, 80 byte packets
1  20014C4C12C65DF00XXX0YYYZZZZ4AFA.catv.pool.telekom.hu (2001:4c4c:12c6:5df0:xxx:yyy:zzzz:4afa)  0.586 ms  0.555 ms  0.544 ms
2  * * *
3  * * *
4  * * *
[...]

I decided to nerf everything except networkd (and ipv4 dnsmasq, but that’s not relevant here).

NOTHING is running that could prevent packets from going through the router.
And it is still unable to ping anything outside the LAN.

Everything gets assigned a correct ip address… seemingly.
I’m starting to suspect that systemd-networkd is buggy somehow…


Here I go again… Router configs: (no gist, it is literally just two files now)

Internal interface:

#/etc/systemd/network/20-internal.network
[Match]
Name=int0

[Network]
Address=192.168.1.1/24
IPMasquerade=yes
IPv6SendRA=yes
DHCPv6PrefixDelegation=yes
IPv6DuplicateAddressDetection=1
IPv6PrivacyExtensions=no
LinkLocalAddressing=ipv6

[IPv6SendRA]
RouterLifetimeSec=3600

External interface:

#/etc/systemd/network/20-external.network
[Match]
Name=ext0

[Network]
DHCP=yes
IPForward=yes
IPv6AcceptRA=yes
IPv6DuplicateAddressDetection=1
IPv6PrivacyExtensions=kernel

ip -6 a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
        valid_lft forever preferred_lft forever
2: int0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:4c4c:12c6:5dc0:21e:6ff:fe45:4afa/64 scope global dynamic 
        valid_lft 1062131sec preferred_lft 1062131sec
    inet6 fe80::21e:6ff:fe45:4afa/64 scope link 
        valid_lft forever preferred_lft forever
3: ext0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:4c4c:12c6:5d00::1000/128 scope global dynamic noprefixroute 
        valid_lft 1062131sec preferred_lft 1062131sec
    inet6 2001:4c4c:12c6:5d00:21e:6ff:fe45:4afb/64 scope global dynamic mngtmpaddr noprefixroute 
        valid_lft 1062686sec preferred_lft 604793sec
    inet6 fe80::21e:6ff:fe45:4afb/64 scope link 
        valid_lft forever preferred_lft forever

ip -6 r

::1 dev lo proto kernel metric 256 pref medium
2001:4c4c:12c6:5d00::/64 dev ext0 proto ra metric 1024 expires 1062683sec pref medium
2001:4c4c:12c6:5dc0::/64 dev int0 proto kernel metric 256 expires 1061978sec pref medium
2001:4c4c:12c6:5dc0::/64 dev int0 metric 1024 pref medium
unreachable 2001:4c4c:12c6:5dc0::/60 dev lo metric 1024 pref medium
2001:4c4c:12c6:5d00::/56 via fe80::4265:a3ff:feec:1e74 dev ext0 proto ra metric 1024 expires 1062683sec pref medium
fe80::/64 dev ext0 proto kernel metric 256 pref medium
fe80::/64 dev int0 proto kernel metric 256 pref medium
default via fe80::4265:a3ff:feec:1e74 dev ext0 proto ra metric 1024 expires 1790sec mtu 1500 pref medium

When I run radvdump I get this:

#
# radvd configuration generated by radvdump 2.19
# based on Router Advertisement from fe80::4265:a3ff:feec:1e74
# received by interface ext0
#

interface ext0
{
        AdvSendAdvert on;
        # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
        AdvManagedFlag on;
        AdvOtherConfigFlag on;
        AdvReachableTime 0;
        AdvRetransTimer 0;
        AdvCurHopLimit 64;
        AdvDefaultLifetime 1800;
        AdvHomeAgentFlag off;
        AdvDefaultPreference medium;
        AdvLinkMTU 1500;
        AdvSourceLLAddress on;

        prefix 2001:4c4c:12c6:5d00::/64
        {
                AdvValidLifetime 778977;
                AdvPreferredLifetime 321181;
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        }; # End of prefix definition


        route 2001:4c4c:12c6:5d00::/56
        {
                AdvRoutePreference medium;
                AdvRouteLifetime 778977;
        }; # End of route definition


        RDNSS 2001:4c4c:12c6:5d00:4265:a3ff:feec:1e74
        {
                AdvRDNSSLifetime 778977;
        }; # End of RDNSS definition

}; # End of interface definition

and tcpdump -v -ni ext0 icmp6:

IP6 (hlim 255, next-header ICMPv6 (58) payload length: 112) fe80::4265:a3ff:feec:1e74 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 112
        hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
          prefix info option (3), length 32 (4): 2001:4c4c:12c6:5d00::/64, Flags [onlink, auto], valid time 778977s, pref. time 321181s
          route info option (24), length 24 (3):  2001:4c4c:12c6:5d00::/56, pref=medium, lifetime=778977s
          rdnss option (25), length 24 (3):  lifetime 778977s, addr: 2001:4c4c:12c6:5d00:4265:a3ff:feec:1e74
          mtu option (5), length 8 (1):  1500
          source link-address option (1), length 8 (1): 40:65:a3:ec:1e:74

Does this mean I have a /64 or prefix from the ISP?
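As an added example (editor's code, not from any poster in this thread), a small Python script that parses the router's `ip -6 r` output quoted above and sorts the global prefixes into the roles the last question asks about: the /64 from the RA prefix-info option, which is on-link on ext0 and used for the router's own SLAAC address; the /56 from the RA route-info option, which is what the ISP routes towards the modem; and the /60 that arrived by DHCPv6-PD (assumed here to be what the `unreachable ... dev lo` route that networkd installs represents). Run on the first post's table it flags the WAN /64 also showing up on int0; on the last post's table it finds nothing to flag. Interface names ext0/int0 are the thread's.

```python
import ipaddress

# Constructed input: the global-scope lines of the router's "ip -6 r" output as posted
# in the first post (WAN /64 also present on int0) and in the last post (only the /60).
ROUTES_FIRST = """\
2001:4c4c:12c6:5d00::/64 dev ext0 proto ra metric 1024 expires 1062571sec pref medium
2001:4c4c:12c6:5d00::/64 dev int0 proto ra metric 1024 expires 86394sec pref medium
2001:4c4c:12c6:5df0::/64 dev int0 proto kernel metric 256 expires 1060512sec pref medium
unreachable 2001:4c4c:12c6:5df0::/60 dev lo metric 1024 pref medium
2001:4c4c:12c6:5d00::/56 via fe80::4265:a3ff:feec:1e74 dev ext0 proto ra metric 1024 expires 1062571sec pref medium
"""
ROUTES_LAST = """\
2001:4c4c:12c6:5d00::/64 dev ext0 proto ra metric 1024 expires 1062683sec pref medium
2001:4c4c:12c6:5dc0::/64 dev int0 proto kernel metric 256 expires 1061978sec pref medium
unreachable 2001:4c4c:12c6:5dc0::/60 dev lo metric 1024 pref medium
2001:4c4c:12c6:5d00::/56 via fe80::4265:a3ff:feec:1e74 dev ext0 proto ra metric 1024 expires 1062683sec pref medium
"""

def classify(text, wan="ext0", lan="int0"):
    """Group the global prefixes in 'ip -6 r' output by their role on a prefix-delegation router."""
    c = {"wan_onlink": [], "isp_route": [], "delegated": [], "lan": []}
    for line in filter(None, text.splitlines()):
        f = line.split()
        unreachable = f[0] == "unreachable"
        f = f[1:] if unreachable else f
        dst = ipaddress.ip_network(f[0].replace("default", "::/0"), strict=False)
        if dst.prefixlen == 0 or dst.is_link_local or dst.is_loopback:
            continue
        dev = f[f.index("dev") + 1]
        proto = f[f.index("proto") + 1] if "proto" in f else None
        if unreachable:                     # placeholder route networkd installs for a PD prefix (assumed)
            c["delegated"].append(dst)
        elif dev == wan and proto == "ra":  # RA route-info option has a gateway; prefix-info is on-link
            c["isp_route" if "via" in f else "wan_onlink"].append(dst)
        elif dev == lan and proto in ("kernel", "ra"):
            c["lan"].append(dst)
    return c

def check_hierarchy(c):
    """A LAN prefix must sit inside the delegation and must not be the WAN on-link prefix."""
    problems = []
    for lan in c["lan"]:
        if not any(lan.subnet_of(pd) for pd in c["delegated"]):
            problems.append(f"{lan} on LAN is not part of the delegated prefix")
        if any(lan.subnet_of(wl) for wl in c["wan_onlink"]):
            problems.append(f"{lan} on LAN is the WAN on-link prefix")
    for pd in c["delegated"]:
        if not any(pd.subnet_of(agg) for agg in c["isp_route"]):
            problems.append(f"delegation {pd} is not covered by the ISP route")
    return problems
```

Feed it the real `ip -6 r` output of a networkd router and the three prefix lengths in the result tell the WAN on-link /64, the delegated prefix and the ISP aggregate apart at a glance.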