Solved Weird problem with ipv6 | Can't access server from the internet

Hey guys :)

I recently noticed that I couldn't access my website on my server.

Some information:

OS: FreeBSD 11.2-RELEASE-p4
pf: disabled
ipv6 only?: YES
ISP supports ipv6 and SLAAC?: YES
Router: AVM Fritz!Box 7490


ping6 is enabled in my router settings (for the server), but it fails. When I use an IPv6 online ping website, I always get similar output:

Code:
ipv6 online ping website #1

PING 2003:ed:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx(2003:ed:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx) 56 data bytes

--- 2003:ed:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4050ms <<<< ?????? why?



ipv6 online ping website #2

PING 2003:ed:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx(2003:ed:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx) 56 data bytes

--- 2003:ed:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2055ms <<<< ?????? why?

Things I already tried:
  • Server reboot
  • I used several devices to access the server (not locally)
  • I did multiple DNS propagation checks (everything fine)
  • I disconnected the router from the internet multiple times with different settings and default settings
  • ....
I hope someone can help me... :/

Thanks in advance :D
 
Run tcpdump(1) on the host and see if your packets are actually arriving. I suspect it's your Fritz!Box that's blocking it.
 
This is my output of tcpdump(1) (using a website availability checker):

Code:
root@server:~ # tcpdump port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bce0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:46:14.036820 IP6 2a01:4f8:c0c:4192::2.44058 > server.fritz.box.https: Flags [S], seq 3825619556, win 28800, options [mss 1440,sackOK,TS val 154518782 ecr 0,nop,wscale 7], length 0
11:46:15.070352 IP6 2a01:4f8:c0c:4192::2.44058 > server.fritz.box.https: Flags [S], seq 3825619556, win 28800, options [mss 1440,sackOK,TS val 154519041 ecr 0,nop,wscale 7], length 0
11:46:17.082372 IP6 2a01:4f8:c0c:4192::2.44058 > server.fritz.box.https: Flags [S], seq 3825619556, win 28800, options [mss 1440,sackOK,TS val 154519544 ecr 0,nop,wscale 7], length 0
11:46:19.039824 IP6 2a01:4f8:c0c:4192::2.44202 > server.fritz.box.https: Flags [S], seq 3117992140, win 28800, options [mss 1440,sackOK,TS val 154520033 ecr 0,nop,wscale 7], length 0
11:46:20.058340 IP6 2a01:4f8:c0c:4192::2.44202 > server.fritz.box.https: Flags [S], seq 3117992140, win 28800, options [mss 1440,sackOK,TS val 154520288 ecr 0,nop,wscale 7], length 0
11:46:22.074467 IP6 2a01:4f8:c0c:4192::2.44202 > server.fritz.box.https: Flags [S], seq 3117992140, win 28800, options [mss 1440,sackOK,TS val 154520792 ecr 0,nop,wscale 7], length 0
^C
6 packets captured
69 packets received by filter
0 packets dropped by kernel
root@server:~ #
 
Use something like tcpdump -ni bce0 icmp6 to filter on ICMP6 only. Then use one of those external sites to ping yourself. See if you can see the ICMP6 come in.

The -n will stop resolving IP addresses.
 
The ping6 website gets no response and times out :(

Code:
root@server:~ # tcpdump -ni bce0 icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bce0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:00:49.227667 IP6 2607:f0d0:1001:118::2 > 2003:ed:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx: ICMP6, echo request, seq 6983, length 40
12:00:50.140461 IP6 2607:f0d0:1001:118::2 > 2003:ed:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx: ICMP6, echo request, seq 6984, length 40
12:00:51.140289 IP6 2607:f0d0:1001:118::2 > 2003:ed:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx: ICMP6, echo request, seq 6985, length 40
12:00:52.140393 IP6 2607:f0d0:1001:118::2 > 2003:ed:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx: ICMP6, echo request, seq 6986, length 40
12:00:53.140490 IP6 2607:f0d0:1001:118::2 > 2003:ed:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx: ICMP6, echo request, seq 6987, length 40
^C
5 packets captured
21 packets received by filter
0 packets dropped by kernel
root@server:~ #
 
I'm assuming the blanked address is yours? If that's the case there's definitely something coming in. Does the IPv6 address match with the address on the bce0 interface?
 
Yes, my address is the blanked one and it does match with the address on the bce0 interface.
 
Does netstat -rn6 show the correct default gateway for IPv6? Can you ping6(8) the gateway? And can you show the output of ifconfig bce0 (you can obfuscate your address, not the prefixlen).
 
I ran netstat -rn6 and it looks like there is no gateway.

I also ran traceroute(8) and traceroute6(8):

Code:
WITH IPV4

root@server:~ # traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 40 byte packets
1  fritz.box (192.168.178.1)  0.400 ms  0.366 ms  0.352 ms
2  62.155.245.122 (62.155.245.122)  4.464 ms  4.440 ms  4.307 ms
3  217.239.42.234 (217.239.42.234)  11.378 ms  11.485 ms  11.364 ms
4  72.14.195.222 (72.14.195.222)  11.386 ms  11.370 ms  11.235 ms
^C
root@server:~ #

--------------------------------------------------------------------------

WITH IPV6

root@server:~ # traceroute6 2001:4860:4860::8888
connect: No route to host
root@server:~ #

Output of ifconfig bce0:

Code:
root@server:~ # ifconfig bce0
bce0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=c00b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
    ether e8:39:xx:xx:xx:xx
    hwaddr e8:39:xx:xx:xx:xx
    inet6 fe80::ea39:xxxx:xxxx:xxxx%bce0 prefixlen 64 scopeid 0x1
    inet6 2003:ed:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx prefixlen 64 autoconf
    inet 192.168.178.100 netmask 0xffffff00 broadcast 192.168.178.255
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
root@server:~ #
 
I ran netstat -rn6 and it looks like there is no gateway
That's probably why it doesn't work. It simply doesn't know where to route the outgoing traffic to. Find out what your gateway should be.
 
Now I have set the IPv6 gateway in the /etc/rc.conf file:
Code:
ipv6_defaultrouter="fe80::3631:c4ff:fe16:4369%bce0"

It works now!!

Thank you very much SirDice
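
The pattern this thread ran into (requests visible in tcpdump, nothing going back out, and no default entry in netstat -rn6) can be checked offline with the added script below; it is not from any poster in the thread. The addresses use the 2001:db8::/32 documentation prefix, and the capture lines and routing table are constructed samples laid out like the outputs shown above.

```shell
#!/bin/sh
# Added example; every address and sample line below is constructed.
LOCAL="2001:db8:1:2::100"   # placeholder for the server's global address

# Constructed `tcpdump -ni bce0 icmp6`-style lines: requests arrive, no replies leave.
CAPTURE='12:00:49.227667 IP6 2001:db8:ffff::2 > 2001:db8:1:2::100: ICMP6, echo request, seq 1, length 40
12:00:50.140461 IP6 2001:db8:ffff::2 > 2001:db8:1:2::100: ICMP6, echo request, seq 2, length 40
12:00:51.140289 IP6 2001:db8:ffff::2 > 2001:db8:1:2::100: ICMP6, echo request, seq 3, length 40'

# Constructed `netstat -rn6`-style table with no default entry.
ROUTES_BROKEN='Destination        Gateway        Flags  Netif
::1                link#2         UH     lo0
2001:db8:1:2::/64  link#1         U      bce0
fe80::%bce0/64     link#1         U      bce0'
# Same table after a default router has been configured.
ROUTES_FIXED="$ROUTES_BROKEN
default            fe80::1%bce0   UG     bce0"

# Print "<echo requests in> <echo replies out>" for address $1 (stdin: tcpdump -n text).
echo_balance() {
    awk -v me="$1" '
        / echo request/ && $5 == (me ":") { req++ }
        / echo reply/   && $3 == me       { rep++ }
        END { printf "%d %d\n", req, rep }'
}

# Print the default gateway and succeed; fail if the table has none (stdin: route table).
default_gw6() {
    awk '$1 == "default" { print $2; found = 1 } END { exit !found }'
}

# Verdict from both observations: $1 = local address, $2 = capture, $3 = route table.
diagnose() {
    balance=$(printf '%s\n' "$2" | echo_balance "$1")
    req=${balance% *}; rep=${balance#* }
    if gw=$(printf '%s\n' "$3" | default_gw6); then
        echo "default route via $gw"
    elif [ "$req" -gt 0 ] && [ "$rep" -eq 0 ]; then
        echo "inbound-only: $req requests, 0 replies, no default route"
    else
        echo "no default route (capture inconclusive)"
    fi
}

diagnose "$LOCAL" "$CAPTURE" "$ROUTES_BROKEN"
```

On a live host the two text inputs would come from saved tcpdump -n and netstat -rn6 output instead of the embedded samples.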
 