Fighting with IPv6
During the last weeks I finally got my hands dirty with IPv6. A comment on my blog and an email informed me that my server (hosting this blog) is not reachable via IPv6, although it has an IPv6 address. That said, I tried to get that running and fell into several holes, due to firewalls, my home provider not doing IPv6, and not least due to my own ignorance of IPv6.
Fortunately, with the help of some good souls and the technical support I finally got IPv6 connectivity up, both on my server and at home.
So my server is still running wheezy, which is a bit old, but upgrading with lots of hand-installed stuff is a bit of a pain. The network interface was configured via a static IPv4 address, and no traces of IPv6 for now. Simple minded as I am, I assumed that this is the problem and started playing around with all kinds of IPv6 configurations in the interfaces file, from using DHCP to static configuration. The static configuration somehow worked out, but I never got a proper default route set. So I was really puzzled.
In addition, at home I don’t have IPv6, my provider is not distributing IPv6, so I couldn’t test it (but on this a bit later). Fortunately, the good soul from the Netherlands, Filip B., did a lot of testing and also sent permanent suggestions and analysis of the IPv6 situation; I am very much indebted to him.
Anyway, his last advice about the problem with the default route was contacting the technical support of my provider, who within a very short time sent me an answer which made it clear to me: My firewall was blocking some ports that are necessary for IPv6 route autonegotiation.
As firewall I use ferm, kind of a meta iptables language. In my server’s setup the firewall blocks most of the IP traffic outside the expected servers, as well as doing rate limit checks on ssh connections (those script kiddies). And while I have had some of the icmpv6 types allowed, it seemed that was insufficient.
The solution in the end was to open icmpv6-types 1-4, 133-137, 141, 142, 148, 149, as well as 130-132 from link-local addresses (fe80::/10). After having changed my ferm.conf, even removing everything related to IPv6 from the interfaces file and rebooting finally provided the server with an IPv6 address and a proper route. Wow, first step done.
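A way to check a running firewall against the list above, as an added example (not code from the original post): it reads `ip6tables-save` output and reports which of those ICMPv6 types are not accepted on INPUT, and which of 130-132 are accepted from any source instead of only fe80::/10. The sample ruleset and the function name `audit` are constructed for illustration; the check assumes numeric type values and does not model rule order or earlier DROP rules.

```python
import re

# ICMPv6 types the post opened in ferm.conf.
ANY_SOURCE = set(range(1, 5)) | set(range(133, 138)) | {141, 142, 148, 149}
LINK_LOCAL_ONLY = {130, 131, 132}  # the post accepts these only from fe80::/10

# Constructed sample in ip6tables-save format (not taken from the post).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def audit(rules_text):
    """Return (missing, too_broad): types not accepted, and 130-132 open to any source."""
    any_src, link_local = set(), set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not (line.startswith("-A INPUT ") and line.endswith(" -j ACCEPT")):
            continue
        # Only ICMPv6 rules; negated matches ("! -s ...") are skipped, not interpreted.
        if not re.search(r"-p (ipv6-icmp|icmpv6)\b", line) or "! " in line:
            continue
        typ = re.search(r"--icmpv6-type (\d+)", line)
        # A rule without --icmpv6-type accepts every ICMPv6 type.
        types = {int(typ.group(1))} if typ else ANY_SOURCE | LINK_LOCAL_ONLY
        src = re.search(r"(?<!\S)-s (\S+)", line)
        if src is None:
            any_src |= types
        elif src.group(1) == "fe80::/10":
            link_local |= types
    missing = sorted((ANY_SOURCE | LINK_LOCAL_ONLY) - any_src - (link_local & LINK_LOCAL_ONLY))
    too_broad = sorted(LINK_LOCAL_ONLY & any_src)
    return missing, too_broad

if __name__ == "__main__":
    missing, too_broad = audit(SAMPLE_RULES)
    print("not accepted on INPUT:", missing)
    print("accepted from any source, not only fe80::/10:", too_broad)
```

On the constructed sample the missing set includes type 134 (router advertisement), the situation in which a host gets no autoconfigured default route.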
For Apache, fortunately I am doing already wildcard definitions, so no change was necessary and voilà, the server is reachable via IPv6.
As already mentioned, my provider at home does not provide IPv6 addresses. In addition, the DNS server of the provider is also very, well, peculiar about resolving IPv6 (i.e., AAAA records). Trying to get the AAAA record for ipv6.google.com works without a problem:
$ host -t AAAA ipv6.google.com
ipv6.google.com is an alias for ipv6.l.google.com.
ipv6.l.google.com has IPv6 address 2404:6800:4002:803::1003
but trying this with my own server, or for that matter any other server, resulted in no answer (preining.info has no AAAA record). Well, that didn’t help.
Despite these problems, I tried to get an IPv6 address via 6-in-4 tunneling (tunnelbroker), but that didn’t work either, probably due to some reverse lookup and the fact that between the world and me there is a cable modem and a wlan router – that all on top of the slightly funny infrastructure here in Japan, where you have to rent lines from NTT, but use a different company as Internet provider.
I finally found the solution that worked for me, and that is installing miredo, available in Debian. Installation of the package, and starting the miredo service with systemctl start miredo (or /etc/init.d/miredo start) gave me in an instant working IPv6 connectivity. ping6 worked on IPv6 addresses.
Still, I couldn’t fix the DNS lookup problem, so for the time being I have added IPv6 addresses for my own server in /etc/hosts, and by using the SixOrNot Firefox plugin I can actually check that it works.
It is 2016, and we are still far from end-to-end IPv6, and I have to admit that also my IPv6 knowledge is quite meager, and that I only recently have started to grasp some understanding. The good point was that Debian wheezy already works out of the box with IPv6 (if one is not as clumsy as me and blocks the necessary ports), including web servers and mail servers.
I have also contacted my provider (AsahiNet) in the hope that they can update their DNS server, and learned that they are planning to roll out IPv6 addresses in the near future – whatever that might mean in Japan, maybe next century?