IPv6 Newbie Setup Not Working

Hello. My ISP just told me they added IPv6 support. I don’t know much about it, but I thought I’d learn. I’m breaking this down piece by piece, first being to just get an address assigned to WAN. I’ll figure out my internal clients after that.

I asked my ISP for details and they said:

DHCPv6, and the prefix as /64

So, after investigating, I added this config:

# show interfaces ethernet eth0
 address dhcp
 address dhcpv6
 description WAN
 hw-id 00:e0:67:1b:71:a0
 ipv6 {
     address {
         autoconf
     }
 }

I read that even though I am using DHCPv6, I should add the autoconf bit to “provide default-gateway information”.
With this setup, I do not get an address on eth0. Am I missing something?

Hello @jbhardman,

Try configuring an IPv6 Prefix:

set interfaces ethernet eth0 dhcpv6-options pd 0 interface eth1 address '1'
set interfaces ethernet eth0 dhcpv6-options pd 0 interface eth1 sla-id '0'
set interfaces ethernet eth0 dhcpv6-options pd 0 length '64'

Also use the router-advert configuration for IPv6:

set service router-advert interface eth1 managed-flag
set service router-advert interface eth1 other-config-flag
set service router-advert interface eth1 prefix ::/64

For this example, the interface eth1 is the internal network.

Thank you. Unfortunately, no luck:

# show interfaces ethernet eth0
 address dhcp
 address dhcpv6
 description WAN
 dhcpv6-options {
     pd 0 {
         interface bond0 {
             address 1
             sla-id 0
         }
         length 64
     }
 }
 hw-id 00:e0:67:1b:71:a0
 ipv6 {
     address {
         autoconf
     }
 }
# show service router-advert
 interface bond0 {
     managed-flag
     other-config-flag
     prefix ::/64 {
     }
 }

Here are my connections (bond0 is LAN):

$ sh int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
bond0            10.0.0.1/24                       u/u  Primary LAN Bond
bond0.2          10.0.2.1/24                       u/u  IOT
bond0.3          10.0.3.1/24                       u/u  VMS
bond0.4          10.0.4.1/24                       u/u  GUESTS
eth0             <public ipv4>/24                  u/u  WAN
eth1             -                                 u/u
eth2             -                                 u/u
eth3             -                                 u/D
lo               127.0.0.1/8                       u/u
                 ::1/128
wg0              10.0.6.2/24                       u/u  DO VPN SFO2
wg1              10.0.7.1/24                       u/u  Home Access VPN

Try to dump IPv6 traffic on eth0

I’m no master at reading this, but this pattern is continually repeated:

# tcpdump -i eth0 -vv ip6
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:21:08.399482 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::eaa2:45ff:feb5:837c > ff02::1:ff7b:5f2: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::3e28:6dff:fe7b:5f2
	  source link-address option (1), length 8 (1): e8:a2:45:b5:83:7c
	    0x0000:  e8a2 45b5 837c
13:21:10.399349 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::eaa2:45ff:feb5:837c > ff02::1:fff9:7b2a: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::b22a:43ff:fef9:7b2a
	  source link-address option (1), length 8 (1): e8:a2:45:b5:83:7c
	    0x0000:  e8a2 45b5 837c
13:21:11.399745 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::eaa2:45ff:feb5:837c > ff02::1:ffdf:8827: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::b22a:43ff:fedf:8827
	  source link-address option (1), length 8 (1): e8:a2:45:b5:83:7c
	    0x0000:  e8a2 45b5 837c
13:21:13.350950 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 96) fe80::eaa2:45ff:feb5:837c > ip6-allnodes: [icmp6 sum ok] ICMP6, router advertisement, length 96
	hop limit 255, Flags [managed, other stateful], pref high, router lifetime 1800s, reachable time 36000ms, retrans timer 5000ms
	  source link-address option (1), length 8 (1): e8:a2:45:b5:83:7c
	    0x0000:  e8a2 45b5 837c
	  rdnss option (25), length 40 (5):  lifetime 6000s, addr: cns1.xmission.com addr: cns2.xmission.com
	    0x0000:  0000 0000 1770 2607 fa18 0000 0000 0000
	    0x0010:  0000 0000 0001 2607 fa18 0000 0000 0000
	    0x0020:  0000 0000 0002
	  prefix info option (3), length 32 (4): 2607:fa18:4800::/37, Flags [onlink, auto], valid time 6499s, pref. time 6499s
	    0x0000:  25c0 0000 1963 0000 1963 0000 0000 2607
	    0x0010:  fa18 4800 0000 0000 0000 0000 0000

If you have a firewall set up, make sure your firewall rules allow for getting DHCPv6 response from ISP.
You will need to accept UDP packets with destination port 546, and source port 547.
For example:

set firewall ipv6-name OUTSIDE-LOCAL-ipv6  rule 100 action 'accept'
set firewall ipv6-name OUTSIDE-LOCAL-ipv6  rule 100 destination port '546'
set firewall ipv6-name OUTSIDE-LOCAL-ipv6  rule 100 protocol 'udp'
set firewall ipv6-name OUTSIDE-LOCAL-ipv6  rule 100 source port '547'

Thanks @_dk , that got me going. I had to do a little more to get my firewall setup, zones, etc. But now step 1 is working. Local ipv6.

Now I don’t get addresses on clients on my LAN. Here’s my current config:

# show interfaces ethernet
 ethernet eth0 {
     address dhcp
     address dhcpv6
     description WAN
     dhcpv6-options {
         pd 0 {
             interface bond0 {
                 address 1
                 sla-id 0
             }
             length 64
         }
     }
     hw-id 00:e0:67:1b:71:a0
     ipv6 {
         address {
             autoconf
         }
     }
 }
# show service router-advert
 interface bond0 {
     managed-flag
     other-config-flag
     prefix ::/64 {
     }
 }
# show interfaces bonding
 bonding bond0 {
     address 10.0.0.1/24
     address dhcpv6
     description "Primary LAN Bond"
     ipv6 {
         address {
             autoconf
         }
     }
     member {
         interface eth2
         interface eth1
     }
     mode 802.3ad

I also set all of the same firewall rules that I did for WAN-LOCAL in WAN-LAN.
Here are my connections:

$ sh int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
bond0            10.0.0.1/24                       u/u  Primary LAN Bond
                 2607:fa18:4a8a:xxxx::1/64
bond0.2          10.0.2.1/24                       u/u  IOT
bond0.3          10.0.3.1/24                       u/u  VMS
bond0.4          10.0.4.1/24                       u/u  GUESTS
eth0             xx.xx.xx.xx/24                  u/u  WAN
                 2607:fa18:4800:14d0:3a45:xxxx:xxxx:xxxx/128

eth1             -                                 u/u
eth2             -                                 u/u
eth3             -                                 u/D
lo               127.0.0.1/8                       u/u
                 ::1/128
wg0              10.0.6.2/24                       u/u  DO VPN SFO2
wg1              10.0.7.1/24                       u/u  Home Access VPN

(I don’t know if the /64 address on bond0 needs to be privatized?)
From the VyOS terminal I can ping outside IPv6 addresses.
No machines on LAN (aka bond0) get an IPv6 address. Using Arch Linux NetworkManager with default IPv6 set to auto. Same machine worked on previous ISP/Router setup.
How do I make that /64 pushed out so that all my clients can get an address?
Also, does bond0 need a /128 address itself?

I followed this guide http://soucy.org/vyos/DHCPv6-PD_on_VyOS.pdf

Only difference is, my firewall is much more basic than this. I believe mine is letting the right traffic through. Probably letting through more than necessary after reading that PDF. But once I get it working I can go back and trim it down.

Hello @jbhardman,
Also try setting the MTU for interface bond0:
set service router-advert interface bond0 link-mtu '1500'

It was more firewall stuff! I did a zone based firewall and there are sooooo many changes to make when adding stuff like this.

Thanks everyone!

I think I’m losing my mind. I had IPv6 working from the router. I could ping Google’s IPv6 address and got a response every time. I went to bed, and now it’s not working. I contacted my ISP, they say everything is working on their end.

Here are my configs:
WAN

# show interfaces ethernet
 ethernet eth0 {
     address dhcp
     address dhcpv6
     description WAN
     dhcpv6-options {
         pd 0 {
             interface bond0 {
                 address 1
                 sla-id 0
             }
             length 64
         }
     }
     hw-id 00:e0:67:1b:71:a0
     ipv6 {
         address {
             autoconf
         }
     }
 }

LAN

bonding bond0 {
     address 10.0.0.1/24
     address dhcpv6
     description "Primary LAN Bond"
     ipv6 {
         address {
             autoconf
         }
     }
     member {
         interface eth2
         interface eth1
     }
     mode 802.3ad
# show service router-advert
 interface bond0 {
     managed-flag
     name-server 2607:fa18:4a8a:xxxx::1/64
     other-config-flag
     prefix ::/64 {
     }
 }

I don’t have any static routes set up for this.
Here are my connections:

$ sh int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
bond0            10.0.0.1/24                       u/u  Primary LAN Bond
                 2607:fa18:4a8a:xxxx::1/64
                 2607:fa18:4a8a:xxxx:xxx:xxxx:xxxx:xxxx/64

bond0.2          10.0.2.1/24                       u/u  IOT
bond0.3          10.0.3.1/24                       u/u  VMS
bond0.4          10.0.4.1/24                       u/u  GUESTS
eth0             xx.xx.xx.xx/24                  u/u  WAN
                 2607:fa18:4800:xxxx:xxxx:xxxx:xxxx:xxxx/128

eth1             -                                 u/u
eth2             -                                 u/u
eth3             -                                 u/D
lo               127.0.0.1/8                       u/u
                 ::1/128
wg0              10.0.6.2/24                       u/u  DO VPN SFO2
wg1              10.0.7.1/24                       u/u  Home Access VPN

Addresses are even being handed out to clients on LAN (linux servers and my MacBook).
Nothing, not the router itself or any client on LAN can ping an IPv6 address.

$ ping 2607:f8b0:4025:802::200e
/bin/ping6: connect: Network is unreachable
$ show ip route 2607:f8b0:4025:802::200e

^empty response, nothing on screen
But, v4:

$ show ip route 0.0.0.0
Routing entry for 0.0.0.0/0
  Known via "static", distance 210, metric 0, tag 210, best
  Last update 2d02h48m ago
  * xx.xx.xx.xx, via eth0, weight 1

I’ve got to be missing something. What could I look into? Why would it just stop?

Hello @jbhardman ,
Try using the command:
show ipv6 route

$ show ipv6 route
Codes: K - kernel route, C - connected, S - static, R - RIPng,
       O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
       v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

C>* 2607:fa18:4800:14d0:3a45:xxxx:xxxx:xxxx/128 is directly connected, eth0, 00:01:34
C * fe80::/64 is directly connected, wg0, 2d17h18m
C * fe80::/64 is directly connected, wg1, 2d17h18m
C * fe80::/64 is directly connected, bond0, 2d17h19m
C * fe80::/64 is directly connected, bond0.2, 2d17h19m
C * fe80::/64 is directly connected, bond0.3, 2d17h19m
C * fe80::/64 is directly connected, bond0.4, 2d17h19m
C * fe80::/64 is directly connected, eth0, 2d17h19m
C>* fe80::/64 is directly connected, lo, 2d17h19m
$ ping 2607:f8b0:4025:802::200e
/bin/ping6: connect: Network is unreachable

I’m becoming convinced it’s a routing issue. But I don’t know what changed or what to do about it.

Hello @jbhardman ,

You have no default ipv6 route and dhcpv6-pd. Can you provide your firewall rules?

Thank you for continuing on this with me.
I disabled PD to just try to get back to basics and get IPv6 working from the local firewall OS, and then I’ll extend it back out to the LAN. Here are the firewall bits that apply to WAN or LOCAL for IPv6.

# show firewall ipv6-name
ipv6-name LOCAL-WAN-ipv6 {
    default-action accept
}
ipv6-name WAN-LOCAL-ipv6 {
    default-action drop
    rule 10 {
        action accept
        description "Passing external DHCPv6 server (ISP)  to LOCAL (eth0) interface"
        destination {
            port 546
        }
        protocol udp
        source {
            port 547
        }
        state {
            new enable
        }
    }
}

# show firewall state-policy
established {
    action accept
}
invalid {
    action drop
}
related {
    action accept
}

# show firewall zone 
zone LOCAL {
    default-action drop
    from GUESTS {
        firewall {
            name GUESTS-LOCAL
        }
    }
    from IOT {
        firewall {
            name IOT-LOCAL
        }
    }
    from LAN {
        firewall {
            name LAN-LOCAL
        }
    }
    from WAN {
        firewall {
            ipv6-name WAN-LOCAL-ipv6
            name WAN-LOCAL
        }
    }
    local-zone
}
zone WAN {
    default-action drop
    from GUESTS {
        firewall {
            name GUESTS-WAN
        }
    }
    from IOT {
        firewall {
            name IOT-WAN
        }
    }
    from LAN {
        firewall {
            name LAN-WAN
        }
    }
    from LOCAL {
        firewall {
            ipv6-name LOCAL-WAN-ipv6
            name LOCAL-WAN
        }
    }
    interface eth0
}

The IPv6 address is assigned to WAN via DHCP6 just fine. There’s just no default route auto created.

I would have just assumed that a default route would be assigned when I obtained an IPv6 address via DHCPv6. Guess not?

Well, got it working. Ended up completely tearing down my firewall and reconfiguring from scratch. I think I had some missing inbound ICMPv6 types that I needed to allow from WAN to LOCAL.

Thanks for all the tips along the way!
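
Added example (not part of any post in this thread, and not VyOS code): a simplified first-match model of the WAN-LOCAL-ipv6 ruleset posted above, checked against the inbound packets a DHCPv6 WAN interface depends on. DHCPv6 carries no default-router option, so the default route comes from router advertisements like the one in the tcpdump capture. The `FIXED` ruleset, its rule number 20 and the packet list are constructed for illustration.

```python
# Simplified model of a default-drop zone ruleset (WAN -> LOCAL, IPv6).
# Assumption: none of these packets match an established/related flow,
# so the global state-policy from the thread is not modelled.

# The ruleset as posted: only the DHCPv6 reply rule, default-action drop.
POSTED = {"default": "drop", "rules": [
    {"id": 10, "action": "accept", "proto": "udp", "sport": 547, "dport": 546},
]}

# Hypothetical addition: accept the neighbor-discovery types the WAN side
# must receive (134 = RA, 135 = neighbor solicitation, 136 = neighbor advert).
FIXED = {"default": "drop", "rules": POSTED["rules"] + [
    {"id": 20, "action": "accept", "proto": "icmpv6", "icmp_types": {134, 135, 136}},
]}

# Constructed inbound packets, reduced to the fields the rules look at.
REQUIRED = [
    {"name": "DHCPv6 reply", "proto": "udp", "sport": 547, "dport": 546},
    {"name": "router advertisement", "proto": "icmpv6", "icmp_type": 134},
    {"name": "neighbor solicitation", "proto": "icmpv6", "icmp_type": 135},
    {"name": "neighbor advertisement", "proto": "icmpv6", "icmp_type": 136},
]

def matches(rule, pkt):
    """True when every criterion present in the rule matches the packet."""
    if rule["proto"] != pkt["proto"]:
        return False
    if rule["proto"] == "udp":
        return all(rule.get(k) in (None, pkt[k]) for k in ("sport", "dport"))
    types = rule.get("icmp_types")
    return types is None or pkt["icmp_type"] in types

def verdict(ruleset, pkt):
    """First matching rule decides; otherwise the default action applies."""
    for rule in ruleset["rules"]:
        if matches(rule, pkt):
            return rule["action"]
    return ruleset["default"]

def dropped(ruleset):
    """Names of required packets the ruleset would not accept."""
    return [p["name"] for p in REQUIRED if verdict(ruleset, p) != "accept"]

if __name__ == "__main__":
    print("posted ruleset drops:", dropped(POSTED))
    print("with ICMPv6 rule drops:", dropped(FIXED))
```

With router advertisements dropped, the address can still arrive over DHCPv6 while no IPv6 default route is ever installed, which matches the `show ipv6 route` output in the thread.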
