Fighting with IPv6

During the last weeks I finally got my hands dirty with IPv6. A comment on my blog and an email informed me that my server (hosting this blog) is not reachable via IPv6, although it has an IPv6 address. So I tried to get that running and fell into several holes, due to firewalls, my home provider not doing IPv6, and not least due to my own ignorance of IPv6.


Fortunately, with the help of some good souls and the technical support, I finally got IPv6 connectivity up both on my server and at home.

Server

So my server is still running wheezy, which is a bit old, but upgrading with lots of hand-installed stuff is a bit of a pain. The network interface was configured with a static IPv4 address, and there were no traces of IPv6 for now. Simple-minded as I am, I assumed that this was the problem and started playing around with all kinds of IPv6 configurations in the interfaces file, from dhcp to static configuration. The static configuration somehow worked out, but I never got a proper default route set. So I was really puzzled.

In addition, at home I don’t have IPv6, as my provider is not distributing IPv6, so I couldn’t test it (but more on this a bit later). Fortunately, the good soul from the Netherlands, Filip B., did a lot of testing and also sent permanent suggestions and analysis of the IPv6 situation; I am very much indebted to him.

Anyway, his last advice about the problem with the default route was contacting the technical support of my provider, who within a very short time sent me an answer which made it clear to me: My firewall was blocking some ports that are necessary for IPv6 route autonegotiation.

As firewall I use ferm, kind of a meta iptables language. In my server’s setup the firewall blocks most of the IP traffic outside the expected servers, and also does rate-limit checks on ssh connections (those script kiddies). And while I had some of the icmpv6 types allowed, it seemed that was insufficient.

The solution in the end was to open icmpv6-types 1-4, 133-137, 141, 142, 148, 149, as well as 130-132 from link-local addresses (fe80::/10). After having changed my ferm.conf, even removing everything related to IPv6 from the interfaces file and rebooting finally provided the server with an IPv6 address and a proper route. Wow, first step done.
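A way to check a ruleset against the list above, as an added example that is not from the original post: it parses `ip6tables-save` style output (ferm is a front end that produces such rules) and reports which of the listed ICMPv6 types are still not accepted. The sample ruleset is constructed, and rule order, interfaces and user-defined chains are ignored.

```python
import ipaddress

# ICMPv6 types from the post, any source: errors (1-4), neighbor discovery
# incl. router advertisements (133-137), inverse ND (141, 142), SEND (148, 149).
REQUIRED_ANY = {1, 2, 3, 4, 133, 134, 135, 136, 137, 141, 142, 148, 149}
# Multicast listener discovery, which the post opens for link-local senders only.
REQUIRED_LINK_LOCAL = {130, 131, 132}
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

# Constructed ip6tables-save excerpt for illustration (not the author's ruleset).
SAMPLE = """\
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
"""

def accepted_types(ruleset, chain="INPUT"):
    """Return (any_source, link_local) sets of accepted numeric ICMPv6 types."""
    any_src, link_local = set(), set()
    for line in ruleset.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", chain] or tok[-2:] != ["-j", "ACCEPT"]:
            continue
        if "--icmpv6-type" not in tok or "!" in tok:
            continue  # negated matches are skipped rather than interpreted
        icmp_type = tok[tok.index("--icmpv6-type") + 1].split("/")[0]
        if not icmp_type.isdigit():
            continue  # symbolic type names are not resolved here
        if "-s" not in tok:
            any_src.add(int(icmp_type))
        else:
            src = ipaddress.ip_network(tok[tok.index("-s") + 1], strict=False)
            if LINK_LOCAL.subnet_of(src):  # rule covers all of fe80::/10
                link_local.add(int(icmp_type))
    return any_src, link_local

def missing_types(ruleset):
    """Return (missing_any_source, missing_link_local) as sorted lists."""
    any_src, link_local = accepted_types(ruleset)
    return (sorted(REQUIRED_ANY - any_src),
            sorted(REQUIRED_LINK_LOCAL - any_src - link_local))

if __name__ == "__main__":
    print(missing_types(SAMPLE))
```

On the constructed sample this flags router solicitation and advertisement (133, 134) among the missing types, the kind of gap that leaves a host without an autoconfigured default route.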

For Apache, fortunately I am already using wildcard definitions, so no change was necessary and voilà, the server is reachable via IPv6.

Home

As already mentioned, my provider at home does not provide IPv6 addresses. In addition, the DNS server of the provider is also very, well, peculiar about resolving IPv6 (i.e., AAAA records). Trying to get the AAAA record for ipv6.google.com works without a problem:

$ host -t AAAA ipv6.google.com
ipv6.google.com is an alias for ipv6.l.google.com.
ipv6.l.google.com has IPv6 address 2404:6800:4002:803::1003

but trying this with my own server, or for that matter any other server, resulted in no answer (preining.info has no AAAA record). Well, that didn’t help.

Despite these problems, I tried to get an IPv6 address via 6-in-4 tunneling (tunnelbroker), but that didn’t work either, probably due to some reverse lookup and the fact that between the world and me there is a cable modem and a wlan router – that all on top of the slightly funny infrastructure here in Japan, where you have to rent lines from NTT, but use a different company as Internet provider.

I finally found the solution that worked for me, and that is installing miredo, available in Debian. Installing the package and starting the miredo service with systemctl start miredo (or /etc/init.d/miredo start) gave me working IPv6 connectivity in an instant. ping6 worked on IPv6 addresses.

Still, I couldn’t fix the DNS lookup problem, so for the time being I have added IPv6 addresses for my own server in /etc/hosts, and by using the SixOrNot Firefox plugin I can actually check that it works.

Conclusion

It is 2016, and we are still far from end-to-end IPv6, and I have to admit that my own IPv6 knowledge is also quite meager, and that I have only recently started to gain some understanding. The good point was that Debian wheezy already works out of the box with IPv6 (if one is not as clumsy as me and blocks the necessary ports), including web servers and mail servers.

I have also contacted my provider (AsahiNet) in the hope that they can update their DNS server, and learned that they are planning to roll out IPv6 addresses in the near future – whatever that might mean in Japan, maybe next century?

4 Responses

  1. Anonymous says:

    I see you’re using AsahiNet. Do you live in Tokyo?
    I shared some IPv6 usage tips during Tokyo Debian meeting last Oct. [0]
    Maybe you can check my slides (PDF) on that page.
    You can join next Tokyo Debian meeting if possible. [1]

    [0]: http://tokyodebian.alioth.debian.org/2015-10.html
    [1]: http://eventdots.jp/event/573464

    • Hi,
      thanks for your comment and slides, yes it is AsahiNet, and no, I am not living in Tokyo but Ishikawa. Your slides look interesting, and I know about the NTT IPv6 option, but they want extra money for it 🙁 And yesterday I phoned AsahiNet service and they told me that (a) AsahiNet does not support IPv6 and thus the DNS lookups are also not working, and (b) in the future … maybe I need to change provider?

      • 1. Yes, AsahiNet doesn’t support IPv6 currently, but a few other providers support it without extra fee.
        2. You may continue your NTT Flets contract, and only change the provider. Another option is to keep AsahiNet’s contract but buy another plan from an IPv6-enabled provider, such as Plala/OCN/so-net, as described in my slides.
        3. For tunnelbroker, I guess you tested on the host behind your PPPoE gateway. You can try setting it up on your PPPoE gateway if possible => this is the simplest way.
        Otherwise, you need to set up packet forwarding on your gateway to forward all protocol 41 traffic to the host, such as: iptables -t nat -A PREROUTING -p 41 -i ppp0 -j DNAT --to $HOST_IP
        For such a case, you can refer to my tested config via: https://github.com/rogers0/config/tree/network/stateful_v6gateway
