On 4/28/2020 4:22 PM, Chris Adams wrote:
> What's in /etc/sysconfig/network-scripts/ifcfg-<name>? I wonder if you
> have IPv6 disabled.

Pasted below. V6 definitely works. I have a second server and gave it a WAN address and I can connect between them using their WAN addresses. That's what told me that my ip6tables weren't screwed up and that the problem lay elsewhere. That's when I hit on looking at the route table and seeing no default IPv6 route.

> I'm not using a "regular" (CentOS, Fedora, etc.) Linux as a gateway; I
> have OpenWRT on a dedicated box. I couldn't find a way to handle the
> prefix delegation with the typical desktop/server tools (but it has been
> a while since I looked). OpenWRT has their own daemon for that.
>
> However, my local systems are all sending RA solicitations and getting
> DHCPv6-assigned addresses with NetworkManager (which matches the first
> steps of what you need on the WAN, just not the prefix delegation).

I'm using OpenWrt at home and it's working mostly fine there. Except with my Android phone. I'm not getting a DNS setting for V6, but I do have the setting in the router's config file. The Win10 clients work fine, though. Apparently Android has issues with DHCPv6, and I'm betting it's interfering with my SLAAC config.

LAN config, ifcfg-em1:

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6_DEFROUTE=no
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=em1
UUID=fbf59f72-2d60-4dd3-8870-c14a1acb4337
DEVICE=em1
ONBOOT=yes
DHCP_CLIENT_ID=saruman
IPV6_PRIVACY=no
ZONE=internal
IPADDR=10.169.1.128
PREFIX=9
IPV6ADDR=2001:1890:1837:5B11::100/60

WAN config, ifcfg-em2:

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=em2
UUID=fe08c9df-9913-47f5-be8b-47dad168bcc4
DEVICE=em2
ONBOOT=yes
IPADDR=12.3.140.156
PREFIX=29
GATEWAY=12.3.140.153
DNS1=127.0.0.1
DOMAIN="mpa.lan dhcp.mpa.lan microprecisionautomation.com"
ZONE=external
IPV6FORWARDING=yes
IPV6_PEERDNS=no
# AT&T assigns us 2001:1890:1837:5B00::/56
# we use the 2nd /64 for our DMZ
IPV6ADDR_SECONDARIES=2001:1890:1837:5B01::100/64

Once upon a time, Kenneth Porter <shiva at sewingwitch.com> said:
> I'm using OpenWrt at home and it's working mostly fine there. Except
> with my Android phone. I'm not getting a DNS setting for V6, but I
> do have the setting in the router's config file. The Win10 clients
> work fine, though. Apparently Android has issues with DHCPv6, and
> I'm betting it's interfering with my SLAAC config.

Yeah, Android refuses to support DHCPv6, so you either have to have IPv4 DNS or SLAAC. I have IPv4 DNS on my home network, so don't have an issue. I did just look, and OpenWRT is putting the DNS option for SLAAC in the RA, so that should work too (but I think that's something relatively recent for OpenWRT).

I didn't get that you have a static assignment (presumably a business connection) - they may not do RAs on that (I don't at my ISP job). Business connections (or at least, connections with static assignments) tend to operate differently. For that, they should have given you a static v6 address and gateway, just like they did for v4.

So... there's one thing you could try (but probably won't work to a regular router interface) - see if there's a MAC-derived fe80::/64 link-local address on their end. Get the MAC of the gateway from the v4 ARP entry and expand it to a LL v6 address as fe80::xxxx:xxff:fexx:xxxx (split the MAC, put ff:fe in the middle). Try ping6 that address with %em2 appended (have to append the interface when using link-local addresses). I doubt it'll work, since I know Juniper (which IIRC AT&T likes) doesn't assign those (I can't remember for sure about Cisco and don't have a handy test target).

And frankly, giving you a /56 is pretty crappy, since ARIN rules say to give every site a /48. I'd only do a /56 for a home connection prefix delegation. But, that's AT&T! :)

-- 
Chris Adams <linux at cmadams.net>
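
An added example, not part of the original messages: the MAC-to-link-local expansion described in the message above, as a POSIX shell function. It follows the modified EUI-64 rule (RFC 4291, Appendix A), which inverts the universal/local bit of the first octet in addition to inserting ff:fe; the function names are made up for this example, and the gateway address and interface in the usage comment are the ones posted in the thread.

```shell
#!/bin/sh
# Added example: derive the link-local address a MAC would autoconfigure.

# mac_to_ll MAC: print fe80::<modified EUI-64 of MAC>.
mac_to_ll() {
    # Normalise: lowercase, drop ':', '.' and '-' separators.
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':.-')
    case "$mac" in
        ''|*[!0-9a-f]*) echo "invalid MAC: $1" >&2; return 1 ;;
    esac
    [ "${#mac}" -eq 12 ] || { echo "invalid MAC: $1" >&2; return 1; }

    b1=$(printf '%s' "$mac" | cut -c1-2)
    b2=$(printf '%s' "$mac" | cut -c3-4)
    b3=$(printf '%s' "$mac" | cut -c5-6)
    b4=$(printf '%s' "$mac" | cut -c7-8)
    lo=$(printf '%s' "$mac" | cut -c9-12)

    # Invert the universal/local bit (0x02) of octet 1, then insert
    # ff:fe between the vendor half and the device half of the MAC.
    g1=$(( ((0x$b1 ^ 0x02) << 8) | 0x$b2 ))
    g2=$(( (0x$b3 << 8) | 0xff ))
    g3=$(( 0xfe00 | 0x$b4 ))
    g4=$(( 0x$lo ))
    # %x drops leading zeros in each group; a zero group is printed as 0.
    printf 'fe80::%x:%x:%x:%x\n' "$g1" "$g2" "$g3" "$g4"
}

# gateway_mac GW_V4 DEV: MAC of the IPv4 gateway from the neighbour (ARP) table.
gateway_mac() {
    ip -4 neigh show "$1" dev "$2" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "lladdr") { print $(i + 1); exit } }'
}

# probe_gateway_ll GW_V4 DEV: ping the derived address, scoped to DEV.
probe_gateway_ll() {
    gw_mac=$(gateway_mac "$1" "$2")
    [ -n "$gw_mac" ] || { echo "no ARP entry for $1 on $2" >&2; return 1; }
    ll=$(mac_to_ll "$gw_mac") || return 1
    echo "gateway $1 ($gw_mac) -> $ll%$2"
    ping6 -c 3 "$ll%$2"
}

# Usage with the values posted in this thread:
#   probe_gateway_ll 12.3.140.153 em2
```
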

--On Tuesday, April 28, 2020 10:16 PM -0500 Chris Adams <linux at cmadams.net> wrote:

> I didn't get that you have a static assignment (presumably a business
> connection) - they may not do RAs on that (I don't at my ISP job).
> Business connections (or at least, connections with static assignments)
> tend to operate differently. For that, they should have given you a
> static v6 address and gateway, just like they did for v4.

I didn't think to ask when we were turning up the v4 and phones. I'm betting there's a setting in their gateway box but I'm waiting for them to give me the credentials to log into it.

> So... there's one thing you could try (but probably won't work to a
> regular router interface) - see if there's a MAC-derived fe80::/64
> link-local address on their end. Get the MAC of the gateway from the v4
> ARP entry and expand it to a LL v6 address as fe80::xxxx:xxff:fexx:xxxx
> (split the MAC, put ff:fe in the middle). Try ping6 that address with
> %em2 appended (have to append the interface when using link-local
> addresses). I doubt it'll work, since I know Juniper (which IIRC AT&T
> likes) doesn't assign those (I can't remember for sure about Cisco and
> don't have a handy test target).

Good idea but alas it's not routing. I can ping6 their gateway but it won't route after I add it to the route table for the WAN interface. While pinging a remote server, in a second shell I can tcpdump icmp6 packets and I see the packets going out but no replies coming back.

> And frankly, giving you a /56 is pretty crappy, since ARIN rules say to
> give every site a /48. I'd only do a /56 for a home connection prefix
> delegation. But, that's AT&T! :)

I'd just read about that when researching this. Maybe they decided that since we only have about a dozen people at our site, we won't have a lot of subnets. What do small offices DO with 256 public subnets, anyway? I suppose eventually we'll have an IoT subnet on every person.