Solved SSH via IPv6

elgrande · Saturday at 11:27 AM

I am trying to ssh into my server via IPv6 but I receive an error:

Code:

ssh: connect to host XXX port 22: Operation timed out

The network config in my /etc/rc.conf:

Code:

ifconfig_re0="DHCP -rxcsum -txcsum -rxcsum6 -txcsum6"
ifconfig_re0_ipv6="inet6 accept_rtadv"
ipv6_activate_all_interfaces="YES"
ipv6_defaultrouter="fe80::1%re0"
rtsold_enable="YES"
rtsold_flags="-aF"

IPv6 itself somehow seems work:

Code:

elgrande@elfreebsdo1 ~> ping -c 1 google.de
PING(56=40+8+8 bytes) 2003:e9:5f13:e100:82fa:5bff:fe92:eb0e --> 2a00:1450:4016:808::2003
16 bytes from 2a00:1450:4016:808::2003, icmp_seq=0 hlim=120 time=9.914 ms

--- google.de ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.914/9.914/9.914/0.000 ms
elgrande@elfreebsdo1 ~>

Also in the servers security group (AWS) SSH is enabled per default via IPv4 and IPv6.

Network config on the server (untouched default):

Code:

ifconfig_DEFAULT="SYNCDHCP accept_rtadv"
dhclient_arpwait="NO"
ipv6_activate_all_interfaces="YES"
rtsold_enable="YES"
rtsold_flags="-M /usr/local/libexec/rtsold-M -a"

SSH via IPv4 works without problems.

VladiBG · Saturday at 11:32 AM

do you have ping to your machine over ipv6

elgrande · Saturday at 11:38 AM

VladiBG said:
do you have ping to your machine over ipv6

No, timeout, although I enabled ICMP via IPv6 in AWS security group (I did the same for IPv4, there ping works.)

JordanG · Saturday at 2:43 PM

The most basic information that you should provide is the output of ifconfig and netstat -rnf inet6 from the client and the server. Also, tell us if you have any packet filters enabled.

When you make a connection attempt, the various statistics that netstat can display might provide a useful hint.

One small trick for simplifying the debugging is to debug the connectivity between two machines on the same network first before you try debugging connectivity over the Internet. Just start a second AWS EC2 instance in the same virtual network as your first one and debug between them.

Last, you can run tcpdump -i ena0 -n ip6 proto tcp on the server while connected over IPv4 and observe what packets are exchanged.

elgrande · Saturday at 6:57 PM

JordanG said:
One small trick for simplifying the debugging is to debug the connectivity between two machines on the same network first before you try debugging connectivity over the Internet. Just start a second AWS EC2 instance in the same virtual network as your first one and debug between them.

I deployed an EC2 Debian instance to test.
ping6 works in both directions (Debian <-> FreeBSD).
Now I am a bit out of ideas, since the EC2 instance security setup seems correct to me (cf. attachment).

P.S.: the tcpdump command fails for me.

Code:

root@freebsd:~ # tcpdump -i ena0 -n ip6 proto tcp
tcpdump: can't parse filter expression: syntax error
root@freebsd:~ #

JordanG · Saturday at 9:05 PM

elgrande said:
I deployed an EC2 Debian instance to test.
ping6 works in both directions (Debian <-> FreeBSD).

That's a great result and it shows that the problem is either in routing (on the client or on the server), or in some firewall somewhere.

elgrande said:
Now I am a bit out of ideas, since the EC2 instance security setup seems correct to me (cf. attachment).

The configuration looks good to me.

elgrande said:
P.S.: the tcpdump command fails for me.

Code:

root@freebsd:~ # tcpdump -i ena0 -n ip6 proto tcp tcpdump: can't parse filter expression: syntax error root@freebsd:~ #

Try tcpdump -i ena0 -n ip6 proto 6 instead. Apparently specifying the protocol name tcp which is listed in /etc/protocols doesn't work.

Please note that you failed to provide the output of ifconfig and netstat -rnf inet6.

elgrande · Saturday at 9:19 PM

JordanG said:
That's a great result and it shows that the problem is either in routing (on the client or on the server), or in some firewall somewhere.

The configuration looks good to me.

Try tcpdump -i ena0 -n ip6 proto 6 instead. Apparently specifying the protocol name tcp which is listed in /etc/protocols doesn't work.

Please note that you failed to provide the output of ifconfig and netstat -rnf inet6.

Sorry for not providing the output - I though it might be irrelevant since the ping6 from the AWS Debian machine worked (I can even curl the hosted website there via curl -6).
Anyhow here you go:

Code:

root@freebsd:~ # ifconfig
ena0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 9001
    options=422<TXCSUM,JUMBO_MTU,LRO>
    ether 06:f6:7b:fe:af:b9
    inet 172.31.42.87 netmask 0xfffff000 broadcast 172.31.47.255
    inet6 fe80::4f6:7bff:fefe:afb9%ena0 prefixlen 64 scopeid 0x1
    inet6 2a05:d014:181:8ad1:601d:aaea:c628:4db9 prefixlen 128
    media: Ethernet autoselect (Unknown <full-duplex>)
    status: active
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
root@freebsd:~ # netstat -rnf inet6
Routing tables

Internet6:
Destination                       Gateway                       Flags         Netif Expire
::/96                             link#2                        URS             lo0
default                           fe80::441:8cff:feaa:373c%ena0 UG             ena0
::1                               link#2                        UHS             lo0
::ffff:0.0.0.0/96                 link#2                        URS             lo0
2a05:d014:181:8a00::/56           link#1                        U              ena0
2a05:d014:181:8ad1:601d:aaea:c628:4db9 link#2                   UHS             lo0
fe80::%lo0/10                     link#2                        URS             lo0
fe80::%ena0/64                    link#1                        U              ena0
fe80::4f6:7bff:fefe:afb9%lo0      link#2                        UHS             lo0
fe80::%lo0/64                     link#2                        U               lo0
fe80::1%lo0                       link#2                        UHS             lo0
ff02::/16                         link#2                        URS             lo0
root@freebsd:~ #

tcpdump -i ena0 -n ip6 proto 6 works when curl'ing data from the Debian machine, but from outside AWS I seem to not reach the host at all.

Thanks for your help!

VladiBG · Saturday at 9:50 PM

If you are using egress-only internet gateway in aws you will be unable to reach the machine from outside on ipv6.

Example dual-stack VPC configuration - Amazon Virtual Private Cloud

With a dual-stack configuration, you can use both IPv4 and IPv6 addresses for communication between resources in your VPC and resources over the internet.

docs.aws.amazon.com

elgrande · 2025-08-10T11:34:29+0100

I fixed the issue by creating a route for ::/0 to the default internet gateway for the instance VPC route table.

Solved SSH via IPv6

Attachments