Rookie

Spectrum gateway not forwarding IPv6 traffic?

I am trying to get IPv6 working on my CentOS 7 "firewall."  I am able to get an IPv6 address, but the default gateway does not appear to be forwarding any traffic (at least I'm not getting a response from anything beyond the gateway).

The firewall is a Banana Pi, with a single network interface, so the connection to the cable modem is eth0.256:

[root@firewall ~]# ifconfig eth0.256
eth0.256: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 70.119.136.2 netmask 255.255.192.0 broadcast 255.255.255.255
inet6 2605:6000:9fc0:71:7c36:b43a:f25e:5405 prefixlen 64 scopeid 0x0<global>
inet6 fe80::12:6ff:fe02:b070 prefixlen 64 scopeid 0x20<link>
ether 02:12:06:02:b0:70 txqueuelen 1000 (Ethernet)
RX packets 456108 bytes 184420403 (175.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 503146 bytes 416356968 (397.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

[root@firewall ~]# ip -6 r
unreachable ::/96 dev lo  metric 1024  error -113
unreachable ::ffff:0.0.0.0/96 dev lo  metric 1024  error -113
unreachable 2002:a00::/24 dev lo  metric 1024  error -113
unreachable 2002:7f00::/24 dev lo  metric 1024  error -113
unreachable 2002:a9fe::/32 dev lo  metric 1024  error -113
unreachable 2002:ac10::/28 dev lo  metric 1024  error -113
unreachable 2002:c0a8::/32 dev lo  metric 1024  error -113
unreachable 2002:e000::/19 dev lo  metric 1024  error -113
2605:6000:9fc0:71::/64 dev eth0.256  proto kernel  metric 256  expires 602070sec
unreachable 3ffe:ffff::/32 dev lo  metric 1024  error -113
fd00:dcaf:bad:f8::/64 via fd00:dcaf:bad:ff::1 dev eth0.255  metric 1024 
fd00:dcaf:bad:fa::/64 via fd00:dcaf:bad:ff::1 dev eth0.255  metric 1024 
fd00:dcaf:bad:ff::/64 dev eth0.255  proto kernel  metric 256 
fe80::/64 dev eth0  proto kernel  metric 256 
fe80::/64 dev eth0.255  proto kernel  metric 256 
fe80::/64 dev eth0.256  proto kernel  metric 256 
default via fe80::201:5cff:fe77:bc46 dev eth0.256  proto ra  metric 1024  expires 1798sec

My (global) IPv6 address is 2605:6000:9fc0:71:7c36:b43a:f25e:5405 and my default gateway is fe80::201:5cff:fe77:bc46.  I was a bit confused about the use of a link-local address as the default gateway, but this seems to be OK in IPv6.

I am able to ping the gateway (once I figured out how to ping a link-local address).

[root@firewall ~]# ping6 -c1 fe80::201:5cff:fe77:bc46%eth0.256
PING fe80::201:5cff:fe77:bc46%eth0.256(fe80::201:5cff:fe77:bc46%eth0.256) 56 data bytes
64 bytes from fe80::201:5cff:fe77:bc46%eth0.256: icmp_seq=1 ttl=64 time=11.3 ms

--- fe80::201:5cff:fe77:bc46%eth0.256 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 11.319/11.319/11.319/0.000 ms

The gateway's MAC address is 00:01:5c:77:bc:46.

[root@firewall ~]# ip -6 neigh show
fe80::201:5cff:fe77:bc46 dev eth0.256 lladdr 00:01:5c:77:bc:46 router REACHABLE

If I try to ping google.com (2607:f8b0:4000:801::200e), I can see the echo requests being sent to the gateway's MAC address, but I don't receive any responses.

[root@firewall ~]# tcpdump -e -nn -i eth0.256 host 2607:f8b0:4000:801::200e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.256, link-type EN10MB (Ethernet), capture size 65535 bytes
12:20:00.181470 02:12:06:02:b0:70 > 00:01:5c:77:bc:46, ethertype IPv6 (0x86dd), length 118: 2605:6000:9fc0:71:7c36:b43a:f25e:5405 > 2607:f8b0:4000:801::200e: ICMP6, echo request, seq 1, length 64

Anyone see anything wrong with my setup, or should I just give up on IPv6 for now?

3 REPLIES
Established Sharer

Re: Spectrum gateway not forwarding IPv6 traffic?

Many server farms ignore ping requests when they receive increasing volumes of valid network traffic.  It's a normal and common defense measure against DDoS attacks targeting commercial web sites.

Rookie

Re: Spectrum gateway not forwarding IPv6 traffic?

Well ... I found the problem, despite Spectrum support's best efforts to blame the problem on:

  • The fact that I'm using a Banana Pi as a firewall (apparently it isn't a "computer"),
  • My (certified) modem's signal is "out of spec" (no details provided when asked),
  • The alignment of Jupiter and Neptune, and
  • The color of the carpet in my house.

(Just kidding on the last two, but the conversation was definitely trending in that direction.)

The issue was the global address that I was getting from Spectrum's DHCP server (2605:6000:9fc0:71:7c36:b43a:f25e:5405).  I noticed that even though I was able to ping the upstream router's link-local address, I was not able to ping the router when I used the global address as the source address.  For whatever reason, the router simply refused to communicate with that particular address.

I was finally able to force the DHCP server to give me a different address by changing the "identity association identifier" (IAID) sent by my DHCP client.  On CentOS 7, you do this by creating an interface-specific configuration file - /etc/dhcp/dhclient6-${INTERFACE}.conf (so /etc/dhcp/dhclient6-eth0.256.conf in my case) containing:

send dhcp6.ia-na 0b:02:12:06:00:00:00:00:00:00:00:00;

The first four octets are the IAID.  The remaining 8 octets are used for the "preferred valid lifetime," which don't seem to matter.

With this configuration file in place, the DHCP server issues a different global IPv6 address (2605:6000:9fc0:71:19f0:e66d:eba9:bbb2) which works.
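
An added example, not part of the original post: shell functions that build the `send dhcp6.ia-na` line for a chosen or random 4-octet IAID and write it to the per-interface file named above. The function names and the optional output-directory argument are assumptions made for illustration; the eight octets after the IAID are written as zero, as in the post's file.

```shell
#!/bin/sh
# Added example: generate /etc/dhcp/dhclient6-${INTERFACE}.conf with a new IAID.
# Function names are hypothetical; only the file name and option come from the post.

# new_iaid: print 4 random octets as 8 lowercase hex digits.
new_iaid() {
    od -An -N4 -tx1 /dev/urandom | tr -d ' \n'
}

# ia_na_line IAID_HEX: print the dhclient option line for an 8-hex-digit IAID.
# The 8 octets after the IAID are emitted as zero, matching the post's file.
ia_na_line() {
    iaid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$iaid" in
        ''|*[!0-9a-f]*) echo "IAID must be hexadecimal" >&2; return 1 ;;
    esac
    [ "${#iaid}" -eq 8 ] || { echo "IAID must be 8 hex digits" >&2; return 1; }
    octets=$(printf '%s' "$iaid" | sed 's/../&:/g')   # e.g. "0b:02:12:06:"
    printf 'send dhcp6.ia-na %s00:00:00:00:00:00:00:00;\n' "$octets"
}

# write_dhclient6_conf INTERFACE IAID_HEX [CONF_DIR]
# Writes the file and prints its path. CONF_DIR defaults to /etc/dhcp.
write_dhclient6_conf() {
    iface=$1; dir=${3:-/etc/dhcp}
    case "$iface" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    line=$(ia_na_line "$2") || return 1
    conf="$dir/dhclient6-$iface.conf"
    printf '%s\n' "$line" > "$conf" && printf '%s\n' "$conf"
}
```

Calling `write_dhclient6_conf eth0.256 "$(new_iaid)" /tmp` writes the file to a scratch directory so it can be inspected before it is placed in /etc/dhcp.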

Expert

Re: Spectrum gateway not forwarding IPv6 traffic?

Copy and paste the modem's signal level and error log pages. Don't reset it; we need to see real history.