I am trying to get IPv6 working on my CentOS 7 "firewall." I am able to get an IPv6 address, but the default gateway does not appear to be forwarding any traffic (at least I'm not getting a response from anything beyond the gateway).
The firewall is a Banana Pi, with a single network interface, so the connection to the cable modem is eth0.256:
[root@firewall ~]# ifconfig eth0.256
eth0.256: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 70.119.136.2  netmask 255.255.192.0  broadcast 255.255.255.255
        inet6 2605:6000:9fc0:71:7c36:b43a:f25e:5405  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::12:6ff:fe02:b070  prefixlen 64  scopeid 0x20<link>
        ether 02:12:06:02:b0:70  txqueuelen 1000  (Ethernet)
        RX packets 456108  bytes 184420403 (175.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 503146  bytes 416356968 (397.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@firewall ~]# ip -6 r
unreachable ::/96 dev lo metric 1024 error -113
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113
unreachable 2002:a00::/24 dev lo metric 1024 error -113
unreachable 2002:7f00::/24 dev lo metric 1024 error -113
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
unreachable 2002:ac10::/28 dev lo metric 1024 error -113
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
unreachable 2002:e000::/19 dev lo metric 1024 error -113
2605:6000:9fc0:71::/64 dev eth0.256 proto kernel metric 256 expires 602070sec
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113
fd00:dcaf:bad:f8::/64 via fd00:dcaf:bad:ff::1 dev eth0.255 metric 1024
fd00:dcaf:bad:fa::/64 via fd00:dcaf:bad:ff::1 dev eth0.255 metric 1024
fd00:dcaf:bad:ff::/64 dev eth0.255 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0.255 proto kernel metric 256
fe80::/64 dev eth0.256 proto kernel metric 256
default via fe80::201:5cff:fe77:bc46 dev eth0.256 proto ra metric 1024 expires 1798sec
My (global) IPv6 address is 2605:6000:9fc0:71:7c36:b43a:f25e:5405 and my default gateway is fe80::201:5cff:fe77:bc46. I was a bit confused about the use of a link-local address as the default gateway, but this seems to be OK in IPv6.
I am able to ping the gateway (once I figured out how to ping a link-local address).
[root@firewall ~]# ping6 -c1 fe80::201:5cff:fe77:bc46%eth0.256
PING fe80::201:5cff:fe77:bc46%eth0.256(fe80::201:5cff:fe77:bc46%eth0.256) 56 data bytes
64 bytes from fe80::201:5cff:fe77:bc46%eth0.256: icmp_seq=1 ttl=64 time=11.3 ms

--- fe80::201:5cff:fe77:bc46%eth0.256 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 11.319/11.319/11.319/0.000 ms
The gateway's MAC address is 00:01:5c:77:bc:46.
[root@firewall ~]# ip -6 neigh show
fe80::201:5cff:fe77:bc46 dev eth0.256 lladdr 00:01:5c:77:bc:46 router REACHABLE
If I try to ping google.com (2607:f8b0:4000:801::200e), I can see the echo requests being sent to the gateway's MAC address, but I don't receive any responses.
[root@firewall ~]# tcpdump -e -nn -i eth0.256 host 2607:f8b0:4000:801::200e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.256, link-type EN10MB (Ethernet), capture size 65535 bytes
12:20:00.181470 02:12:06:02:b0:70 > 00:01:5c:77:bc:46, ethertype IPv6 (0x86dd), length 118: 2605:6000:9fc0:71:7c36:b43a:f25e:5405 > 2607:f8b0:4000:801::200e: ICMP6, echo request, seq 1, length 64
Anyone see anything wrong with my setup, or should I just give up on IPv6 for now?
Many server farms ignore ping requests when they receive increasing volumes of valid network traffic. It's a normal and common defense measure against DDoS attacks targeting commercial web sites.
Well ... I found the problem, despite Spectrum support's best efforts to blame the problem on:
(Just kidding on the last two, but the conversation was definitely trending in that direction.)
The issue was the global address that I was getting from Spectrum's DHCP server (2605:6000:9fc0:71:7c36:b43a:f25e:5405). I noticed that even though I was able to ping the upstream router's link-local address, I was not able to ping the router when I used the global address as the source address. For whatever reason, the router simply refused to communicate with that particular address.
I was finally able to force the DHCP server to give me a different address by changing the "identity association identifier" (IAID) sent by my DHCP client. On CentOS 7, you do this by creating an interface-specific configuration file - /etc/dhcp/dhclient6-${INTERFACE}.conf (so /etc/dhcp/dhclient6-eth0.256.conf in my case) containing:
send dhcp6.ia-na 0b:02:12:06:00:00:00:00:00:00:00:00;
The first four octets are the IAID. The remaining 8 octets are used for the "preferred valid lifetime," which don't seem to matter.
With this configuration file in place, the DHCP server issues a different global IPv6 address (2605:6000:9fc0:71:19f0:e66d:eba9:bbb2) which works.
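Added example, not code from the post above or from ISC dhclient: a small Python helper that encodes and parses the twelve-octet body of the "send dhcp6.ia-na" statement so a new IAID can be generated and checked before it is written into /etc/dhcp/dhclient6-<interface>.conf. Per RFC 3315 section 22.4 that body is the 4-octet IAID followed by the 4-octet T1 and T2 renew/rebind timers, which a client may leave at zero to let the server choose. The iaid_from_mac convention and the dhclient6_conf helper are assumptions made for illustration; the octet string and MAC address are the ones shown in this thread.

```python
import re
from dataclasses import dataclass

# Layout of the IA_NA option body (RFC 3315 section 22.4), which is what
# dhclient's "send dhcp6.ia-na <octets>;" statement carries verbatim:
#   IAID (4 octets) | T1 (4 octets) | T2 (4 octets)
IA_NA_BODY_LEN = 12
U32_MAX = 0xFFFFFFFF


@dataclass(frozen=True)
class IaNa:
    iaid: int
    t1: int = 0  # 0 = no client preference, the server picks (RFC 3315)
    t2: int = 0


def _u32(value: int, name: str) -> bytes:
    if not 0 <= value <= U32_MAX:
        raise ValueError(f"{name} must fit in 32 bits, got {value:#x}")
    return value.to_bytes(4, "big")


def encode_ia_na(ia: IaNa) -> str:
    """Render an IA_NA body as the colon-separated hex octets dhclient expects."""
    if ia.t1 and ia.t2 and ia.t1 > ia.t2:
        raise ValueError("T1 must not exceed T2 (RFC 3315 section 22.4)")
    body = _u32(ia.iaid, "IAID") + _u32(ia.t1, "T1") + _u32(ia.t2, "T2")
    return ":".join(f"{b:02x}" for b in body)


_OCTET_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*$")


def parse_ia_na(text: str) -> IaNa:
    """Parse the colon-separated octets back into (IAID, T1, T2)."""
    text = text.strip().rstrip(";")
    if not _OCTET_RE.match(text):
        raise ValueError(f"not a colon-separated octet string: {text!r}")
    body = bytes.fromhex(text.replace(":", ""))
    if len(body) != IA_NA_BODY_LEN:
        raise ValueError(f"IA_NA body must be {IA_NA_BODY_LEN} octets, got {len(body)}")
    iaid, t1, t2 = (int.from_bytes(body[i:i + 4], "big") for i in (0, 4, 8))
    return IaNa(iaid, t1, t2)


def iaid_from_mac(mac: str) -> int:
    """Derive a stable IAID from the low four octets of an interface MAC.

    Assumed convention for this example: any 32-bit value that is unique per
    interface and stable across reboots is an acceptable IAID. This is not
    what dhclient does on its own.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC, got {mac!r}")
    return int.from_bytes(octets[2:], "big")


def dhclient6_conf(interface: str, ia: IaNa) -> str:
    """Contents for /etc/dhcp/dhclient6-<interface>.conf (hypothetical helper)."""
    return f"# IAID override for {interface}\nsend dhcp6.ia-na {encode_ia_na(ia)};\n"


if __name__ == "__main__":
    # Constructed input: the octet string from the post above, parsed and re-encoded.
    posted = "0b:02:12:06:00:00:00:00:00:00:00:00"
    ia = parse_ia_na(posted)
    print(f"IAID={ia.iaid:#010x} T1={ia.t1} T2={ia.t2}")
    assert encode_ia_na(ia) == posted
    # A fresh IAID derived from the interface MAC shown in the question.
    new_ia = IaNa(iaid_from_mac("02:12:06:02:b0:70"))
    print(dhclient6_conf("eth0.256", new_ia), end="")
```

Changing the IAID makes the server treat the request as coming from a new identity association, which is why it hands out a different address; pick a value once and keep it, since a client that changes its IAID on every lease renewal looks like a pool-exhaustion attempt to the server.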
Copy and paste the modems signal level and error log pages, don't reset it, need to see real history.