
IPv6 routing / Debian


Tony

Feb 24, 2011, 6:24:36 AM
I've got a Debian-based VPS (recently upgraded to Squeeze), hosted by
Gandi, which has IPv6 enabled.

I use arno-iptables-firewall, which has been fine with IPv4, but the
Debian stable version doesn't provide any IPv6 rules. A new version has
just gone into Unstable which does.

The IPv6 support on the VPS was a surprise; Gandi enabled it across
their estate and I've been playing catch-up since.

It seemed to work okay for a bit. I then backported
arno-iptables-firewall 2.0.0a to Squeeze to get the full IPv6 support
(before the version on Unstable turned up). I ran that for a few days
until someone pointed out that IPv6 was no longer working to the host.

I tested it (from another Gandi VPS) and it seemed fine, but it still
wasn't working outside of Gandi's network. I cleared the ip6tables
chains but that didn't help.

Further investigation suggested it was the routing table. After a
reboot, the routing table looks like this (spaces removed to help with
formatting):

netstat -6 -r
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
::1/128 :: Un 0 1 1 lo
2001:4b98:dc0:43:216:3eff:fe5e:54d0/128 :: Un 0 1 94 lo
2001:4b98:dc0:43::/64 :: UAe 256 0 1 eth0
fe80::216:3eff:fe5e:54d0/128 :: Un 0 1 6 lo
fe80::/64 :: U 256 0 0 eth0
ff00::/8 :: U 256 0 0 eth0
::/0 fe80::643 UGDAe 1024 1 14 eth0
::/0 :: !n -1 1 13 lo

After starting arno-iptables-firewall I was losing the "::/0 fe80::643"
route. Thinking I'd solved it, I switched the IPv6 support back off in
arno-iptables-firewall. However, overnight it looks like the route has
vanished again.

netstat -r -6
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
::1/128 :: Un 0 1 139 lo
2001:4b98:dc0:43:216:3eff:fe5e:54d0/128 :: Un 0 1 265 lo
2001:4b98:dc0:43::/64 :: UAe 256 0 1 eth0
fe80::216:3eff:fe5e:54d0/128 :: Un 0 1 6 lo
fe80::/64 :: U 256 0 0 eth0
ff00::/8 :: U 256 0 0 eth0
::/0 :: !n -1 1 137 lo

and the server is again no longer contactable over IPv6 outside of the
Gandi network.

I don't know enough about IPv6 routing to decide if this is something
happening on the Gandi network, or something on the VPS. Any pointers
appreciated.

Am I right in thinking the IPv6 routing table is dynamic, based on ICMPv6
discovery stuff?

--
Tony Evans
Saving trees and wasting electrons since 1993
blog -> http://perceptionistruth.com/
books -> http://www.bookthing.co.uk
[ anything below this line wasn't written by me ]

Tony

Feb 24, 2011, 11:12:41 AM
On 24/02/2011 11:24, Tony wrote:

> I've got a Debian based VPS (recently upgraded to Squeeze), hosted by
> Gandi, which has IPv6 enabled.

After a very useful conversation with Arno and a contact he included in
the e-mail chain, I've resolved this. It was related to
arno-iptables-firewall, but specifically to my config options.

Although I had left autoconf enabled, I had also left IP forwarding
enabled and that breaks autoconf.

# Only disable this if you're NOT using forwarding (required for NAT
# etc.) for increased security.
# Note: If enabled and IPV6 enabled, local IPv6 autoconf will be
# disabled.
# -----------------------------------------------------------------------------
IP_FORWARDING=0

# (EXPERT SETTING!) Only disable this if IP_FORWARDING is disabled and
# you do not use autoconf to obtain your IPv6 address.
# Note: This is ignored if IP_FORWARDING is enabled. (IPv6 Only)
# -----------------------------------------------------------------------------
IPV6_AUTO_CONFIGURATION=1

The above config works; the default (which is 1 for both fields) results
in the routing table losing the route.
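
The symptom and cause described in this thread can be checked mechanically. The script below is an added example, not part of the original posts and not arno-iptables-firewall code. It assumes the firewall's IP_FORWARDING setting ends up as the kernel's per-interface IPv6 `forwarding` sysctl, and it applies the Linux rule that `accept_ra=1` is only honoured while forwarding is off; the function names are made up for this example.

```shell
#!/bin/sh
# Added example. The route lines below are copied from the post's two
# routing tables; the forwarding/accept_ra values passed in are constructed.
TABLE_BEFORE='2001:4b98:dc0:43::/64 :: UAe 256 0 1 eth0
::/0 fe80::643 UGDAe 1024 1 14 eth0
::/0 :: !n -1 1 13 lo'
TABLE_AFTER='2001:4b98:dc0:43::/64 :: UAe 256 0 1 eth0
::/0 :: !n -1 1 137 lo'

# Succeeds if stdin (netstat -6 -r output) has a ::/0 route with a real
# next hop and the G (gateway) flag; the "!n" reject entry does not count.
has_default_via_gateway() {
    awk '$1 == "::/0" && $2 != "::" && $3 ~ /G/ { found = 1 }
         END { exit !found }'
}

# ra_processed FORWARDING ACCEPT_RA
# Linux rule: accept_ra=1 is honoured only while forwarding=0;
# accept_ra=2 (on kernels that support it) is honoured regardless.
ra_processed() {
    [ "$2" = 2 ] || { [ "$2" = 1 ] && [ "$1" = 0 ]; }
}

# diagnose FORWARDING ACCEPT_RA < routing-table
diagnose() {
    if has_default_via_gateway; then
        echo "ok: default route via gateway present"
    elif ra_processed "$1" "$2"; then
        echo "missing: RAs are processed, cause is elsewhere"
    else
        echo "missing: forwarding=$1 accept_ra=$2, kernel ignores RAs"
    fi
}

# Live use on a host (hypothetical helper): live_diagnose eth0
live_diagnose() {
    d=/proc/sys/net/ipv6/conf/$1
    netstat -6 -r -n | diagnose "$(cat "$d/forwarding")" "$(cat "$d/accept_ra")"
}

# Sample run on the constructed inputs above.
printf '%s\n' "$TABLE_BEFORE" | diagnose 0 1
printf '%s\n' "$TABLE_AFTER"  | diagnose 1 1
```

Because the RA-learned default route carries an expiry (the `e` flag in the first table), it does not disappear the moment forwarding is switched on; it goes once its lifetime runs out and no further RA is accepted, which fits the route being lost overnight.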
