Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Linux & BSD & Mac => Topic started by: Walter H. on September 14, 2016, 05:14:46 AM

Title: Linux based router (Mini-PC)
Post by: Walter H. on September 14, 2016, 05:14:46 AM
Hello,

the situation: the Mini-PC (2 RJ45-interfaces and a WLAN antenna) is between the IPv4only NAT-router from my ISP and my own LAN;
eth0 and wlan0 are connected to a bridge (br0), which is the LAN "interface"
eth1 is the WAN interface
sit1 is the IPv6 tunnel end at my side (IPv6 address: 2001:470:1f0a:9c4::2/64)

the br0 has the following two addresses
2001:470:747b::1/48 (one IPv6 address from the routed /48)
2001:470:1f0b:9c8::1/64 (one IPv6 address from the routed /64)

my home LAN is for me and my roommate;
the time before I've been using this Mini-PC I used IPv6 only myself;

on my virtual machines (mostly Linux) I use fixed IPv6 addresses from the routed /64,
so there is as gateway the one IPv6 address from the routed /64 from above;
this works: the virtual machines to each other and also internet;

but: my roommate uses on his windows IPv6 addresses from the routed /48 like this:
IPV6 address: 2001:470:747b:13::10
Subnet prefix length: 48
Default gateway: 2001:470:747b::1

Preferred DNS server: 2001:470:747b::1

one of the virtual machines (mentioned above) has the
inet6 addr 2001:470:1f0b:9c8::17/64 with default gateway 2001:470:1f0b:9c8::1

and now the question that sounds really strange:

why can the mate's computer (has /48 routed IPv6 address) ping the virtual machine (has /64 routed IPv6 address)
but not the other way round?
except the only Linux is the mini-pc itself that can ping computers with /48 routed IPv6 addresses ...
(this is not specific to these two, every computer/virtual machine that has a /48 routed IPv6 address
can ping another one with /64 routed IPv6 address and not the other way round)

is there a routing missing between these two prefixes on my mini pc router?

I did run tcpdump -n icmpv6 on the mini-pc router while I ran ping6 on the virtual machine with a /64 routed IPv6 address

14:04:19.827501 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 7, length 64
14:04:19.827544 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:19.827552 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 7, length 64
14:04:20.827554 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 8, length 64
14:04:20.827664 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:20.827698 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 8, length 64
14:04:21.826572 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 9, length 64
14:04:21.826669 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:21.826701 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 9, length 64
14:04:22.825612 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 10, length 64
14:04:22.825717 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:22.825748 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 10, length 64
14:04:23.823205 IP6 fe80::264c:4eff:fe58:3124 > fe80::2646:57ff:fe30:3124: ICMP6, neighbor solicitation, who has fe80::2646:57ff:fe30:3124, length 32
14:04:23.823309 IP6 fe80::2646:57ff:fe30:3124 > fe80::264c:4eff:fe58:3124: ICMP6, neighbor advertisement, tgt is fe80::2646:57ff:fe30:3124, length 24
14:04:23.823620 IP6 fe80::2646:57ff:fe30:3124 > fe80::264c:4eff:fe58:3124: ICMP6, neighbor solicitation, who has fe80::264c:4eff:fe58:3124, length 32
14:04:23.823840 IP6 fe80::264c:4eff:fe58:3124 > fe80::2646:57ff:fe30:3124: ICMP6, neighbor advertisement, tgt is fe80::264c:4eff:fe58:3124, length 24
14:04:23.825545 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 11, length 64
14:04:23.825638 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:23.825673 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 11, length 64
14:04:24.824686 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 12, length 64
14:04:24.824790 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:24.824823 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 12, length 64
14:04:25.824695 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 13, length 64
14:04:25.824803 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:25.824835 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 13, length 64
14:04:26.824728 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 14, length 64
14:04:26.824831 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:26.824861 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 14, length 64
14:04:26.891918 IP6 fe80::2646:57ff:fe30:3124 > ff02::1: ICMP6, router advertisement, length 24
14:04:27.825023 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 15, length 64
14:04:27.825130 IP6 fe80::2646:57ff:fe30:3124 > 2001:470:1f0b:9c8::17: ICMP6, redirect, 2001:470:747b:13::10 to 2001:470:747b:13::10, length 160
14:04:27.825162 IP6 2001:470:1f0b:9c8::17 > 2001:470:747b:13::10: ICMP6, echo request, seq 15, length 64


please can someone give me a hint where the problem resides ...

Thanks,
Walter
Title: Re: Linux based router (Mini-PC)
Post by: cholzhauer on September 14, 2016, 07:45:40 AM
He shouldn't use the entire /48

Split it into /64's and assign those.
Title: Re: Linux based router (Mini-PC)
Post by: Walter H. on September 14, 2016, 08:10:12 AM
how is this done?

or other question how many IPv6 addresses does the router have then?

the /48 routed prefix is
2001:470:747b::/48

the DHCPv6 server (also runs on the Mini-PC) uses 2001:470:747b:7::/48 for deploy

subnet6 2001:470:747b::/48 {
        range6 2001:470:747b:7:0:0:0:0 2001:470:747b:7:0:0:0:ffff;

        ddns-rev-domainname "7.0.0.0.b.7.4.7.0.7.4.0.1.0.0.2.ip6.arpa";
}

does the router need to have for each
2001:470:747b:xxxx::/64 subnet an IPv6-address
like 2001:470:747b:xxxx::1/64?
means: do I have to add several IPv6 addresses to br0 device?
one for DHCP part, one for roommate part, one for my extended part, ....
Title: Re: Linux based router (Mini-PC)
Post by: cholzhauer on September 14, 2016, 12:32:58 PM
The router has one address per interface, same as an IPv4 router. 

Split your /48 into /64s and assign one per interface via DHCP
Title: Re: Linux based router (Mini-PC)
Post by: Walter H. on September 14, 2016, 08:21:24 PM
Quote from: cholzhauer on September 14, 2016, 12:32:58 PM
The router has one address per interface, same as an IPv4 router. 
in IPv4 I use 172.16.0.0/255.255.0.0

Quote
Split your /48 into /64s and assign one per interface via DHCP
the DHCPv6 assigns e.g. 2001:470:747b:7:0:0:0:1234/64 to a linux VM
and this IPv6 from the routed /48 I can ping from the above mentioned linux VM
but not when it's a Windows with an IPv6 from the routed /48;
Windows bug?

this is my radvd.conf

interface br0
{
        AdvSendAdvert on;
        AdvManagedFlag on;

        AdvOtherConfigFlag on;

        MinRtrAdvInterval 5;
        MaxRtrAdvInterval 15;

#       for range see /etc/dhcp/dhcpd6.conf
};
Title: Re: Linux based router (Mini-PC)
Post by: cholzhauer on September 15, 2016, 04:54:00 AM
Let me try another way.

Forget about your /48...you don't use this other than to subnet from.

If your range is 2001:db8:1234::/48, you take a /64, say 2001:db8:1234:4567::/64 and assign it to a vlan.  Break off another and do the same thing.
Title: Re: Linux based router (Mini-PC)
Post by: Walter H. on September 15, 2016, 05:12:17 AM
What does this change about the original problem
that a host which got its IPv6 address from the /64 routed prefix cannot ping
a Windows host which got its IPv6 address from the /48 routed prefix?
Title: Re: Linux based router (Mini-PC)
Post by: cholzhauer on September 15, 2016, 05:15:00 AM
I did not understand that from your first question.

All of your hosts should get an address from the /48.

If you're trying to do something else, I'm not understanding.

Title: Re: Linux based router (Mini-PC)
Post by: Walter H. on September 15, 2016, 05:25:52 AM
I got two prefixes from HE
one /64 and
one /48
several hosts already have IPv6 addresses from the /64 prefix
and how do I have to use IPv6 addresses from the /48 in Windows?

this is a logical splitting, not a physical splitting;
Title: Re: Linux based router (Mini-PC)
Post by: cholzhauer on September 15, 2016, 05:27:33 AM
Don't use the /64.  You only use the tunnel /64, don't bother with the routed /64

If your hosts already have addresses from the /64, now is a good time to migrate
Title: Re: Linux based router (Mini-PC)
Post by: Walter H. on September 15, 2016, 06:12:55 AM
Quote from: cholzhauer on September 15, 2016, 05:27:33 AM
Don't use the /64.
why?

Quote
You only use the tunnel /64, don't bother with the routed /64
why this, because there is no better logical splitting than the routed /64 for me and the routed /48 for my roommate, isn't it?

Quote
If your hosts already have addresses from the /64, now is a good time to migrate
why this?

let's be a little bit more in detail:

if 2001:db8:1234::/48 is my routed /48 prefix and
2001:db8:cafe:beef::/64 is my routed /64 prefix, how can I use e.g.
2001:db8:1234::dead::/64 (a part of the /48 prefix) in Windows hosts besides the already
existing (mostly linux) hosts with IPv6 addresses from the routed /64 prefix?

and if I would migrate the already existing hosts with the /64 addresses to the /48 addresses as you mentioned, then there would be the same problem because I need more than one /64 subnet from the /48 routed prefix;
e.g. 2001:db8:1234:0::/64 for me,
2001:db8:1234:1::/64 for dynamically deployed IPv6 addresses by DHCPv6
2001:db8:1234:2::/64 for my mate ...
hosts from any subnet must be routed to the other subnets;
which address(es) does the router have on his LAN interface in this situation?
Title: Re: Linux based router (Mini-PC)
Post by: cholzhauer on September 15, 2016, 06:17:27 AM
You have 64k of /64's in a /48, why do you need one more?
Title: Re: Linux based router (Mini-PC)
Post by: Walter H. on September 15, 2016, 09:40:29 AM
Quote from: cholzhauer on September 15, 2016, 06:17:27 AM
You have 64k of /64's in a /48,
this is correct mathematics, but that's not all;

Quote
why do you need one more?
there is no need of more just a little bit logical splitting on a physical LAN;
like this: "packets doing strange and from the /48 are from my roommate; others are from myself;"
that's all;
Title: Re: Linux based router (Mini-PC)
Post by: Walter H. on September 15, 2016, 10:41:52 AM
tried the following:
my routed /48 prefix is  2001:470:747b::/48
a Win7 VM with  IPv6address 2001:470:747b:1::314/64
a Linux VM this IPv6address 2001:470:747b::10/64
and both with fe80:.... as default gateway and this fe80:... is the scope local of the router (Mini-PC) on LAN side;

on the Win7 VM I can do ping 2001:470:747b::10
but on the Linux VM I can't do ping6 2001:470:747b:1::314 ...

why?
Title: Re: Linux based router (Mini-PC)
Post by: cholzhauer on September 15, 2016, 10:43:06 AM
Unless your router has an address on its interfaces for those subnets, you need to add a route

this is the same behavior if you were trying to ping 10.0.0.1 from 192.168.1.1
Title: Re: Linux based router (Mini-PC)
Post by: Walter H. on September 15, 2016, 08:16:43 PM
Quote from: cholzhauer on September 15, 2016, 10:43:06 AM
Unless your router has an address on its interfaces for those subnets,
why talking about interfaceS, when there is only ONE on LAN side ...

Quote
you need to add a route
this can't be the solution, because Linux can be IPv6 pinged, only Windows can't ...

Quote
this is the same behavior if you were trying to ping 10.0.0.1 from 192.168.1.1
no because these are two different things
Title: Re: Linux based router (Mini-PC)
Post by: cholzhauer on September 16, 2016, 05:25:58 AM
This is what you listed

a Win7 VM with  IPv6address 2001:470:747b:1::314/64
a Linux VM this IPv6address 2001:470:747b::10/64

These are two different subnets.

If your router has an IP address in the 2001:470:747b:1 subnet, it knows nothing of the other subnet unless you add a route.
Title: Re: Linux based router (Mini-PC)
Post by: Walter H. on September 23, 2016, 11:01:52 AM
I solved it; first problem was Windows Firewall, that blocked ICMPv6 from other subnets ..., don't ask me why ...

second problem is the very suspicious IPv6 design: in IPv4 you can have a big net like this: 10.0.0.0/8
e.g. the gateway is 10.0.0.1 and two hosts have e.g. 10.27.0.254 and 10.44.1.1, they are in same IP-segment
and you have no problem to only deploy IP addresses by DHCP in only this part 10.0.1.0/28

in IPv6 you can't use  e.g. 2001:db8:314::/48 as one whole net, you MUST split this, and so I configured my router box
with several IPv6 addresses from this big /48 prefix, e.g.
2001:db8:314::1/64 ; 2001:db8:314::1/48 doesn't work even if it's logically correct;
2001:db8:314:17::1/64
2001:db8:314:31::1/64
2001:db8:314:47::1/64
2001:db8:314:101::1/64
2001:db8:314:223::1/64
2001:db8:314:fff::1/64

next strange fact of the IPv6 design: you have to use /64 for SLAAC; e.g. the following in /etc/radvd.conf

interface eth0
{
   ...
   prefix 2001:db8:314:fff:7::/80
   {
   };
};

doesn't work; it must be 2001:db8:314:fff::/64 instead of 2001:db8:314:fff:7::/80

the following is more than suspicious:
as mentioned above my box has several global scope IPv6 addresses on only LAN interface but only one link local IPv6 address e.g. fe80::26de:adff:febe:ef24, and any host regardless from which /64-prefix part of the /48-prefix can have this only link local IPv6 address as gateway address;

this results in the following:

think of a host with this IPv6 address:
2001:db8:314:17::10/64  (1)
and another host with this IPv6 address
2001:db8:314:47::10/64  (2)

and both have e.g. fe80::26de:adff:febe:ef24 as gateway address;

as long as everything works and no host was taken from the net,
you might get on host (1)

64 bytes from 2001:db8:314:47::10: icmp_seq=1 ttl=127 time=0.728 ms

or this on host (2)

64 bytes from 2001:db8:314:17::10: icmp_seq=1 ttl=127 time=0.728 ms


but when you take the host (1) from the net and you do ping6 on host (2)
you might get this:

From 2001:db8:314:47::1 icmp_seq=1 Destination unreachable: Address unreachable

look at this IPv6 address here, this is neither the one from host (1) nor the one you
have configured as gateway(!)

this is more than strange;

Greetings,
Walter H.
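
The /64 requirement for SLAAC described in the post above, as an added example that is not part of the original post: a host ignores an advertised prefix for autoconfiguration unless prefix length plus interface identifier length equals 128 bits (RFC 4862, section 5.5.3), and on Ethernet the identifier is 64 bits. The MAC address below is an assumption, reconstructed from the router's link-local address in the tcpdump output; the modified EUI-64 scheme is the classic one and many current hosts use other 64-bit identifiers.

```python
import ipaddress

# Assumed MAC, inferred from fe80::2646:57ff:fe30:3124 in the capture above.
ROUTER_MAC = "24:46:57:30:31:24"


def eui64_iid(mac):
    """Modified EUI-64 interface identifier (64 bits) from a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe in the middle.
    eui = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix, mac, iid_bits=64):
    """Address a host forms from an advertised prefix, or None if ignored.

    The prefix is ignored when prefix length + identifier length != 128.
    """
    net = ipaddress.ip_network(prefix)
    if net.prefixlen + iid_bits != 128:
        return None
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


if __name__ == "__main__":
    for pfx in ("fe80::/64", "2001:db8:314:fff::/64", "2001:db8:314:fff:7::/80"):
        print(pfx, "->", slaac_address(pfx, ROUTER_MAC))
```
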
Title: Re: Linux based router (Mini-PC)
Post by: cholzhauer on September 23, 2016, 11:03:22 AM
This is what I was telling you above...you should not use /48 unless you're setting up routes.

Glad it's working now
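
The three decisions this thread kept circling, as an added example that is not code from any poster: the sender's on-link test, the router's connected prefixes, and whether a sender lies inside the receiver's own subnet (the scope behind the Windows Firewall finding). The addresses are the ones quoted in the thread; `NARROW_ROUTER` and the helper names are hypothetical, and the router's br0 addresses during the later Win7/Linux test are assumed to be those of the first post.

```python
import ipaddress as ip

# Addresses quoted in the thread; br0 is the router's single LAN bridge.
ROUTER = {"br0": [ip.ip_interface("2001:470:747b::1/48"),
                  ip.ip_interface("2001:470:1f0b:9c8::1/64")]}
# Constructed case: a router addressed in only one /64 of the /48.
NARROW_ROUTER = {"br0": [ip.ip_interface("2001:470:747b:1::1/64")]}
ROOMMATE = ip.ip_interface("2001:470:747b:13::10/48")   # Windows host
VM = ip.ip_interface("2001:470:1f0b:9c8::17/64")        # Linux VM
WIN7 = ip.ip_interface("2001:470:747b:1::314/64")       # later test
LINUX = ip.ip_interface("2001:470:747b::10/64")         # later test


def first_hop(sender, dst):
    """Sender's decision: resolve dst directly, or hand it to the gateway."""
    return "on-link" if dst in sender.network else "gateway"


def connected_iface(router, addr):
    """Name of the router interface whose connected prefix covers addr."""
    for name, ifaces in router.items():
        if any(addr in i.network for i in ifaces):
            return name
    return None


def router_action(router, src, dst):
    """What the router does with a packet from src to dst."""
    out = connected_iface(router, dst)
    if out is None:
        return "no connected route"
    if out == connected_iface(router, src):
        return "forward + redirect"   # in and out on the same link
    return "forward"


def sender_is_local(receiver, src):
    """True if src lies inside the receiver's own configured prefix."""
    return src in receiver.network


def analyse(a, b, router=ROUTER):
    """Both directions between two hosts: (first hop, router, local)."""
    return {f"{s.ip} -> {d.ip}": (first_hop(s, d.ip),
                                  router_action(router, s.ip, d.ip),
                                  sender_is_local(d, s.ip))
            for s, d in ((a, b), (b, a))}
```

The "forward + redirect" result matches the ICMPv6 redirects in the tcpdump output of the first post: the router forwards the echo request back out of br0 and tells the sender the destination is on the same link.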