rigacci.org

User Tools

Site Tools

Trace:
doc:appunti:net:ipv6_on_ppp

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
doc:appunti:net:ipv6_on_ppp [2024/07/05 11:11] – [Configuring hosts in the LAN] niccolodoc:appunti:net:ipv6_on_ppp [2024/07/05 15:37] (current) – [Troubleshooting IPv6 problems] niccolo
Line 546: Line 546:
  
 To give a **persistent addresses** to the client, take note of the DUID received by the server and put it into a **host** section of the server configuration **dhcp6s.conf** (see above). The DUID is composed of a 64 bit random string and the MAC address of the client's network interface; once generated, it is stored into a file named **/var/lib/dhcpv6/dhcp6c_duid**. To give a **persistent addresses** to the client, take note of the DUID received by the server and put it into a **host** section of the server configuration **dhcp6s.conf** (see above). The DUID is composed of a 64 bit random string and the MAC address of the client's network interface; once generated, it is stored into a file named **/var/lib/dhcpv6/dhcp6c_duid**.
- 
-**WARNING**: Enabling only the DHCPv6 address (disabling SLAAC configuration) the IPv6 routing doese not work: we get the //Beyond scope of source address// error message. Sniffing the traffic on the default gateway we can see: 
- 
-<code> 
-IP6 fe80::225:22ff:fedd:4598 > 2a01:4f8:1c17:7636::1: ICMP6, echo request, id 56698, seq 1, length 64 
-IP6 fe80::d003:a6ff:fef2:6fe8 > fe80::225:22ff:fedd:4598: ICMP6, destination unreachable, beyond scope 
-    2a01:4f8:1c17:7636::1, source address fe80::225:22ff:fedd:4598, length 112 
-</code> 
- 
-So the default gateway on the client is OK (check it with **ip -6 route show**), but the source address is set to the **link scope** address instead of the **global** one. 
- 
-FIXME How to solve? 
  
 FIXME: What to do to protect LAN hosts from the internet? FIXME: What to do to protect LAN hosts from the internet?
Line 587: Line 575:
 ^ FF02::           | All-routers multicast address.  | ^ FF02::           | All-routers multicast address.  |
 ^ FF02::1:FFxx:xxxx  | Duplicate Address Detection multicast group.  | ^ FF02::1:FFxx:xxxx  | Duplicate Address Detection multicast group.  |
 +
 +
 +===== Troubleshooting IPv6 problems =====
 +
 +In general, to troubleshoot any networking issue, you use the **ping** command to check if the remote address is responding:
 +
 +<code>
 +# ping -6 2a01:4f8:1c17:7636::1
 +</code>
 +
 +In some cases it is useful also to **ping your own addresses** (you can have more than one). Discover all of them with:
 +
 +<code>
 +# ip -6 address show dev enp0s7
 +</code>
 +
 +<code>
 +2: enp0s7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
 +    inet6 2a02:2420:503:1c03::2/128 scope global dadfailed tentative 
 +       valid_lft forever preferred_lft forever
 +    inet6 2a02:2420:503:1c03:225:22ff:fedd:4598/64 scope global dynamic mngtmpaddr 
 +       valid_lft 86391sec preferred_lft 14391sec
 +    inet6 fe80::225:22ff:fedd:4598/64 scope link 
 +       valid_lft forever preferred_lft forever
 +</code>
 +
 +In the example above the interface have two **global** scope addresses, one assigned via DHCPv6 and the other obtained via SLAAC. The first one has the **dadfailed** flag, which means that the **duplicate address detection** has detected a conflict in the network. This means that the IP address in question will not be used as the source address and it does not even respond to a self-ping.
 +
 +If you have only one global IP address which is **dadfailed**, you cannot reach remote hosts on IPv6. It may be a difficult situation to diagnose, because using the simple **ifconfig** command you see the assigned IPv6 address and the **default route** is OK:
 +
 +<code>
 +# ip -6 route show
 +2a02:2420:503:1c03::2 dev enp0s7 proto kernel metric 256 pref medium
 +2a02:2420:503:1c03::/64 dev enp0s7 proto kernel metric 256 expires 86387sec pref medium
 +fe80::/64 dev enp0s7 proto kernel metric 256 pref medium
 +default via fe80::d003:a6ff:fef2:6fe8 dev enp0s7 proto ra metric 1024 expires 167sec hoplimit 64 pref medium
 +</code>
 +
 +**NOTICE**: The default router can be reached via its **link** scope address (as seen above) or via its **global** scope address: both can be used.
 +
 +If you sniff the ping request on the router, you can see the problem more clearly:
 +
 +<code>
 +# tcpdump -i eth0 -n 'icmp6'
 +...
 +IP6 fe80::225:22ff:fedd:4598 > 2a01:4f8:1c17:7636::1: ICMP6, echo request,
 +    id 56698, seq 1, length 64
 +IP6 fe80::d003:a6ff:fef2:6fe8 > fe80::225:22ff:fedd:4598: ICMP6, destination unreachable,
 +    beyond scope 2a01:4f8:1c17:7636::1, source address fe80::225:22ff:fedd:4598, length 112
 +</code>
 +
 +The client uses its link scope address as source address, which causes the **beyond scope** error. You can confirm this problem on the client using the ''ip route get'' command:
 +
 +
 +<code>
 +# ip -6 route get 2a01:4f8:1c17:7636::1
 +2a01:4f8:1c17:7636::1 from ::
 +    via 2a02:2420:503:1c03::1
 +    dev enp0s7
 +    src fe80::225:22ff:fedd:4598
 +    metric 1024 pref medium
 +</code>
 +
 +You can compare the result when you have at least one working global IP address:
 +
 +<code>
 +# ip -6 route get 2a01:4f8:1c17:7636::1
 +2a01:4f8:1c17:7636::1 from ::
 +    via fe80::d003:a6ff:fef2:6fe8
 +    dev enp0s7 proto ra
 +    src 2a02:2420:503:1c03:225:22ff:fedd:4598
 +    metric 1024 hoplimit 64 pref medium
 +</code>
 +
 +In the first case the **src** address is the **link scope** one, not suitable for routing. In the second case it is the one received via SLAAC, which has a **global scope** and indeed it is working. Notice that the address of the router (shown as the **via** address) is not releveant, even the //link scope// one does work.
 +
  
 ===== Web References ===== ===== Web References =====
doc/appunti/net/ipv6_on_ppp.1720170719.txt.gz · Last modified: 2024/07/05 11:11 by niccolo