My system is running Debian GNU/Linux 11 (bullseye). My network is configured with two interfaces, one to my ISP and one to my LAN. I am using systemd-networkd to manage the interfaces. The problem is IPv6 is not being forwarded. (systemd version 247.3-6)

I can ping -6 my upstream from the router but not from an internal host. Internal hosts are unable to connect to external IPv6 servers but can connect to external IPv4 servers via a NAT connection.

```
cat /etc/systemd/network/eth0.network
[Match]
Name=eth0

[Network]
DHCP=yes
IPv6AcceptRA=yes
IPForward=ipv6
LLDP=yes

[DHCPv6]
PrefixDelegationHint=::/56
```

```
cat /etc/systemd/network/lan0.network
[Match]
Name=lan0

[Network]
Address=192.168.1.2/24
Address=192.168.1.1/24
Address=192.168.1.5/24
Address=192.0.2.5/24
Address=2001:0DB8:c101:b700::1/64
Address=2001:0DB8:c101:b700:beef::5/64
Domains=lan example.com
IPForward=ipv6
LLDP=yes
```

```
ip -6 route show table all
::1 dev lo proto kernel metric 256 pref medium
2001:0DB8:c101:b700::/64 dev lan0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev lan0 proto kernel metric 256 pref medium
default via fe80::2a2:ff:feb2:c2 dev eth0 proto ra metric 1024 expires 1724sec mtu 1500 pref high
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f dev eth0 table local proto kernel metric 0 pref medium
anycast 2001:0DB8:c101:b700:: dev lan0 table local proto kernel metric 0 pref medium
local 2001:0DB8:c101:b700::1 dev lan0 table local proto kernel metric 0 pref medium
local 2001:0DB8:c101:b700:beef::5 dev lan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev lan0 table local proto kernel metric 0 pref medium
local fe80::fca5:6fff:fe75:6109 dev eth0 table local proto kernel metric 0 pref medium
local fe80::fca5:6fff:fe75:6129 dev lan0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev lan0 table local proto kernel metric 256 pref medium
```

```
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether fe:a5:6f:75:61:09 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.199/23 brd 192.0.2.255 scope global dynamic eth0
       valid_lft 1602sec preferred_lft 1602sec
    inet6 2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f/128 scope global dynamic noprefixroute
       valid_lft 3802sec preferred_lft 2802sec
    inet6 fe80::fca5:6fff:fe75:6109/64 scope link
       valid_lft forever preferred_lft forever
3: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fe:a5:6f:75:61:29 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.5/24 brd 192.0.2.255 scope global lan0
       valid_lft forever preferred_lft forever
    inet 192.168.1.1/24 brd 192.168.1.255 scope global lan0
       valid_lft forever preferred_lft forever
    inet 192.168.1.5/24 brd 192.168.1.255 scope global secondary lan0
       valid_lft forever preferred_lft forever
    inet6 2001:0DB8:c101:b700:beef::5/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:0DB8:c101:b700::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::fca5:6fff:fe75:6129/64 scope link
       valid_lft forever preferred_lft forever
```

```
ip6tables-save
# Generated by ip6tables-save v1.8.7 on Sun Mar 27 06:29:25 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127035:902105282]
:client_in - [0:0]
:client_out - [0:0]
:nameserver_in - [0:0]
:server_in - [0:0]
:server_out - [0:0]
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i lan0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -d 2001:0DB8:c101:b700::1/128 -i eth0 -j nameserver_in
-A INPUT -d 2001:0DB8:c101:b700::5/128 -i eth0 -j nameserver_in
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -s 2001:0DB8:c101:b700::/56 -i lan0 -j ACCEPT
-A FORWARD -d 2001:0DB8:c101:b700:beef::/80 -i eth0 -j server_in
-A FORWARD -d 2001:0DB8:c101:b700::/125 -i eth0 -j nameserver_in
-A FORWARD -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A client_in -m state --state RELATED,ESTABLISHED -j ACCEPT
-A client_out -j ACCEPT
-A nameserver_in -p udp -m udp --dport 53 -j ACCEPT
-A nameserver_in -p tcp -m tcp --dport 53 -j ACCEPT
-A server_in -m state --state RELATED,ESTABLISHED -j ACCEPT
-A server_in -p tcp -m tcp --dport 80 -j ACCEPT
-A server_in -p tcp -m tcp --dport 443 -j ACCEPT
-A server_in -p tcp -m tcp --dport 25 -j ACCEPT
-A server_out -j ACCEPT
COMMIT
# Completed on Sun Mar 27 06:29:25 2022
```

```
networkctl status lan0
● 3: lan0
                     Link File: /lib/systemd/network/73-usb-net-by-mac.link
                  Network File: /etc/systemd/network/lan0.network
                          Type: ether
                         State: routable (configured)
                          Path: platform-xhci-hcd.0.auto-usb-0:1:1.0
                        Driver: r8152
                        Vendor: Realtek Semiconductor Corp.
                         Model: RTL8153 Gigabit Ethernet Adapter
                    HW Address: fe:a5:6f:75:61:29
                           MTU: 1500 (min: 68, max: 9194)
                         QDisc: pfifo_fast
  IPv6 Address Generation Mode: eui64
          Queue Length (Tx/Rx): 1/1
              Auto negotiation: yes
                         Speed: 1Gbps
                        Duplex: full
                          Port: mii
                       Address: 192.168.1.1
                                192.168.1.5
                                192.0.2.5
                                2001:0DB8:c101:b700::1
                                2001:0DB8:c101:b700:beef::5
                                fe80::fca5:6fff:fe75:6129
                Search Domains: lan
                                example.com

Mar 27 05:35:20 firewall systemd-networkd[6691]: lan0: Gained IPv6LL
Mar 27 05:44:47 firewall systemd-networkd[6750]: lan0: Gained IPv6LL
Mar 27 06:19:05 firewall systemd-networkd[7041]: lan0: Gained IPv6LL
```

```
networkctl status eth0
● 2: eth0
                     Link File: /lib/systemd/network/99-default.link
                  Network File: /etc/systemd/network/eth0.network
                          Type: ether
                         State: routable (configured)
                          Path: platform-ff540000.ethernet
                    HW Address: fe:a5:6f:75:61:09
                           MTU: 1500 (min: 46, max: 3712)
                         QDisc: mq
  IPv6 Address Generation Mode: eui64
          Queue Length (Tx/Rx): 8/8
              Auto negotiation: yes
                         Speed: 1Gbps
                        Duplex: full
                          Port: tp
                       Address: 192.0.2.199 (DHCP4 via 202.90.244.1)
                                2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f
                                fe80::fca5:6fff:fe75:6109
                       Gateway: 202.90.244.1
                                fe80::2a2:ff:feb2:c2
                           DNS: 202.142.142.142
                                202.142.142.242
                                2001:0DB8:100:1::142
                                2001:0DB8:1:5::242
               DHCP4 Client ID: IAID:0xa3d03369/DUID
             DHCP6 Client IAID: 0xa3d03369
             DHCP6 Client DUID: DUID-EN/Vendor:0000ab111f00fd4412b87eae0000

Mar 27 05:44:47 firewall systemd-networkd[6691]: eth0: DHCPv6 lease lost
Mar 27 05:44:47 firewall systemd-networkd[6750]: eth0: Gained IPv6LL
Mar 27 05:44:50 firewall systemd-networkd[6750]: eth0: DHCPv4 address 192.0.2.199/23 via 202.90.244.1
Mar 27 05:44:51 firewall systemd-networkd[6750]: eth0: DHCPv6 address 2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f/128 timeout preferred 3000 valid 4000
Mar 27 06:00:17 firewall systemd-networkd[6750]: eth0: DHCPv6 address 2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f/128 timeout preferred 3000 valid 4000
Mar 27 06:15:52 firewall systemd-networkd[6750]: eth0: DHCPv6 address 2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f/128 timeout preferred 3000 valid 4000
Mar 27 06:19:04 firewall systemd-networkd[6750]: eth0: DHCPv6 lease lost
Mar 27 06:19:05 firewall systemd-networkd[7041]: eth0: Gained IPv6LL
Mar 27 06:19:07 firewall systemd-networkd[7041]: eth0: DHCPv6 address 2001:0DB8:c000:1b7:f3d4:d970:ca28:bf4f/128 timeout preferred 3000 valid 4000
Mar 27 06:19:08 firewall systemd-networkd[7041]: eth0: DHCPv4 address 192.0.2.199/23 via 202.90.244
```

```
sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 1
```

  • (The system should allow 546/UDP for DHCPv6 to not time out, I guess.) Is there a setting to apply somewhere for your upstream router to know about 2001:0DB8:c101:b700::/64? Commented Mar 27, 2022 at 8:21
  • The networkctl status eth0 statement indicates DHCP is working, as IPv4 and IPv6 addresses are released at Mar 27 06:19:04 and re-assigned at Mar 27 06:19:07. (NB addresses have been obfuscated.) Commented Mar 28, 2022 at 10:14
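
An added example, not part of the original question or its comments: a simplified evaluator that walks packets through the FORWARD path of the posted ip6tables ruleset, modelling only the match options that appear in it. Host addresses such as 2001:db8:c101:b700::10 and 2001:db8:ffff::1 are constructed, and the conntrack state is supplied by hand rather than tracked.

```python
import ipaddress
# FORWARD path copied from the ip6tables-save output in the question.
RULES = """
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -s 2001:0DB8:c101:b700::/56 -i lan0 -j ACCEPT
-A FORWARD -d 2001:0DB8:c101:b700:beef::/80 -i eth0 -j server_in
-A FORWARD -d 2001:0DB8:c101:b700::/125 -i eth0 -j nameserver_in
-A FORWARD -j DROP
-A nameserver_in -p udp -m udp --dport 53 -j ACCEPT
-A nameserver_in -p tcp -m tcp --dport 53 -j ACCEPT
-A server_in -m state --state RELATED,ESTABLISHED -j ACCEPT
-A server_in -p tcp -m tcp --dport 80 -j ACCEPT
-A server_in -p tcp -m tcp --dport 443 -j ACCEPT
-A server_in -p tcp -m tcp --dport 25 -j ACCEPT
"""

def load(text):
    chains = {}  # chain name -> list of {option: value}; each option takes one value
    for line in text.strip().splitlines():
        tok = line.split()
        chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return chains

def matches(opts, pkt):
    """True if every match option of the rule applies to the packet."""
    checks = {
        "-s": lambda v: pkt["src"] in ipaddress.ip_network(v),
        "-d": lambda v: pkt["dst"] in ipaddress.ip_network(v),
        "-i": lambda v: pkt["iif"] == v,
        "-p": lambda v: pkt["proto"] == v,
        "--dport": lambda v: pkt["dport"] == int(v),
        "--state": lambda v: pkt["state"] in v.split(","),
        "--rt-type": lambda v: pkt.get("rt_type") == int(v),
    }
    return all(checks[k](v) for k, v in opts.items() if k not in ("-j", "-m"))

def verdict(chains, pkt, chain="FORWARD"):
    """ACCEPT or DROP; None means a user chain fell through to its caller."""
    for opts in chains[chain]:
        if matches(opts, pkt):
            t = opts["-j"]
            if res := t if t in ("ACCEPT", "DROP") else verdict(chains, pkt, t):
                return res
    return "ACCEPT" if chain == "FORWARD" else None  # page shows :FORWARD ACCEPT

def packet(src, dst, iif, proto, state="NEW", dport=None):
    ip = ipaddress.ip_address  # all packet fields are constructed test values
    return dict(src=ip(src), dst=ip(dst), iif=iif, proto=proto, state=state, dport=dport)
```

Under these rules, new connections and ICMPv6 arriving on lan0 from the LAN prefix are accepted, while unsolicited traffic arriving on eth0 is dropped unless it targets the `server_in` or `nameserver_in` ranges on their listed ports.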
