Client gets an fe80 address as its router (gateway?) address

Started by jdishongh, January 24, 2014, 09:32:59 AM

jdishongh

In short: My MacOSX hosts are getting an fe80... v6 "router" address. I'm not able to browse v6 sites and the router address (essentially my gateway, right?) is fe80::5257:a8ff:fe54:d461. Assuming my fe80 router address is incorrect, how can hosts get a valid router address so they can get out to v6 sites?

What works: I've configured my HE tunnel using the example code. From my Cisco 1921 router I can ping the far end of the tunnel and ipv6.google.com and ipv6.he.net, so I'm *assuming* that I can get out to the v6 world. I can ping various external v6 addresses. I can also ping the v6 address of my router from an external client.

Unfortunately my Mac laptop doesn't seem to get a valid address -- but then maybe it does? In my network settings I receive two v6 addresses, both of which start with 2001:470:83ad:2:deviceID.... which coincide with the vlan/ssid I'm associated to (and the /48 I got from HE) -- so I *assume* that my laptop has a routable address. (And test-ipv6.com says "Your IPv6 address on the public Internet appears to be 2001:470:83ad:2:6d21:9275:74a9:7271.")

However.. when I check my network settings, the *router* address I receive is fe80::5257:a8ff:fe54:d461. Again, I assume that the router address is the equivalent of a v6 gateway address, and since that address is fe80, I'm not going anywhere even though I have a valid, routable host address.



Is there a config line I'm missing on the router? (A Cisco 1921)
Are my v6 addresses correct and applied to the interfaces correctly? I'm given this from HE: 2001:470:83ad::/48 and I am trying to subnet it into 8 subnets.

Also from test-ipv6.com: "Your IPv6 connections work, but connections using DNS names do not use IPv6. For some reason, your browser or your OS is not doing IPv6 DNS 'AAAA' lookups."

Thanks in advance. I'm new at this, could use a second set of eyes on this, and I'm not sure what "success" looks like.

My router code..truncated of course:
!
ipv6 unicast-routing
ipv6 cef
no ip source-route
ip cef
!
!
ip name-server 8.8.8.8
ip name-server 2620:0:CCC::2
!
!
interface Tunnel1
description HE Tunnelbroker PSP to Fremont
no ip address
ipv6 address 2001:470:1F04:CE4::2/64
ipv6 enable
tunnel source 76.79.100.15
tunnel mode ipv6ip
tunnel destination 72.52.104.74
!
!
interface GigabitEthernet0/0
description WAN INTERFACE
ip address 76.79.100.15 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
ipv6 enable
!
interface GigabitEthernet0/1
description LAN INTERFACE
no ip address
duplex auto
speed auto
ipv6 enable
!
interface GigabitEthernet0/1.1
description MANAGE
encapsulation dot1Q 1 native
ip address 10.100.0.1 255.255.252.0
ip nat inside
ip virtual-reassembly in
ipv6 address 2001:470:83AD:2::1/64
ipv6 enable
!
interface GigabitEthernet0/1.4
description OPEN
encapsulation dot1Q 4
ip address 10.100.4.1 255.255.252.0
ip nat inside
ip virtual-reassembly in
ipv6 address 2001:470:83AD:3::1/64
ipv6 enable
!
interface GigabitEthernet0/1.8
description SECURE
encapsulation dot1Q 8
ip address 10.100.8.1 255.255.252.0
ip nat inside
ip virtual-reassembly in
ipv6 address 2001:470:83AD:4::1/64
ipv6 enable
!
ip default-gateway 76.79.100.1
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 76.79.100.1
!
access-list 1 permit 10.0.0.0 0.255.255.255
ipv6 route ::/0 Tunnel1
!

cholzhauer

The fe80 address is correct...that is the private IP address of your router.   You're seeing two 2001... addresses because one is your "real" one and the other is a random one because you have privacy extensions still turned on.

Can you ping something like ipv6.google.com from your mac?


jdishongh

Yes, but with mixed/odd results. Pinging from my mac client:

Pinging a v6 address works...
james$ ping6 2620:0:CCC::2  {this is an OpenDNS server}
PING6(56=40+8+8 bytes) 2001:470:83ad:2:6d21:9275:74a9:7271 --> 2620:0:ccc::2
16 bytes from 2620:0:ccc::2, icmp_seq=0 hlim=58 time=30.485 ms
16 bytes from 2620:0:ccc::2, icmp_seq=1 hlim=58 time=30.578 ms

but not regular ping to a name...
james$ ping ipv6.google.com
ping: cannot resolve ipv6.google.com: Unknown host

nor does ping6 to a name...
james$ ping6 ipv6.google.com
ping6: getaddrinfo -- nodename nor servname provided, or not known

but wait... regular ping to a name DOES work...
james$ ping ipv6.he.net
PING ipv6.he.net (66.220.2.75): 56 data bytes
64 bytes from 66.220.2.75: icmp_seq=0 ttl=54 time=19.340 ms
64 bytes from 66.220.2.75: icmp_seq=1 ttl=54 time=23.918 ms

but not with a ping6...
james$ ping6 ipv6.he.net
ping6: getaddrinfo -- nodename nor servname provided, or not known
james$




cholzhauer

On a mac, ping will only do ipv4 addresses, ping6 gets you the IPv6 address.

What if you use a different DNS server? 8.8.8.8 should get you IPv6 addresses of what you want

jdishongh

I was running dual stack on my mac, and using 8.8.8.8 as my DNS.

So... I turned v4 off, added the OpenDNS resolver at 2620:0:ccc::2 to my laptop's DNS, and then wah-lah! I could ping6 multiple v6 domains (google.com, yahoo.com, facebook.com) and I saw the dancing turtle on kame.net. I would consider that success.

Thank you!

Another question though: I was told that my clients running a dual stack would be able to browse to v6 sites even if they were provided with DNS on v4 only (in my case 8.8.8.8). Is this correct? And if so, then why was I not able to browse to v6 sites until I manually added the v6 resolver to my network settings?

Thanks again.

cholzhauer

I can't speak for Macs, but on Windows, that is the case.  I can use 8.8.8.8 or any other DNS server that's IPv6 aware and as long as I have IPv6 connectivity, it "just works"

You know what, I have access to a Mac, let me try.

EDIT:

I can confirm it works the same as Windows (at least on 10.6)

I joined my wireless network, got DNS and IPv4/6 via DHCP (v4) and was able to ping IPv6 sites

jdishongh

Ok.. good to know.

Still curious as to 'why' my 8.8.8.8 DNS isn't resolving. But happy things are working. I assume I can assign the v6 DNS address to v4 clients via DHCP, so I'll give that a try.

Again, thanks for your help.

cholzhauer

Sorta.  You need DHCPv6 to do that, although some RA daemons will do it also.
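What the DHCPv6 route mentioned above could look like on the Cisco 1921 from the first post, as an added example that is not part of any poster's reply. It uses stateless DHCPv6: clients keep the addresses they form from the router advertisement and ask DHCPv6 only for the resolver. The pool name LAN-DNS is hypothetical; the resolver address and interface names are the ones already in the posted config.

```cisco
! Added example, not from the thread. Pool name LAN-DNS is an assumption.
! Stateless DHCPv6 pool: no address range, only the DNS resolver option.
ipv6 dhcp pool LAN-DNS
 dns-server 2620:0:CCC::2
!
! Per LAN subinterface: set the "other config" flag in router advertisements
! so hosts query DHCPv6 for DNS, and bind the pool to the interface.
interface GigabitEthernet0/1.1
 ipv6 nd other-config-flag
 ipv6 dhcp server LAN-DNS
!
interface GigabitEthernet0/1.4
 ipv6 nd other-config-flag
 ipv6 dhcp server LAN-DNS
!
interface GigabitEthernet0/1.8
 ipv6 nd other-config-flag
 ipv6 dhcp server LAN-DNS
!
```

On the router, `show ipv6 dhcp pool` and `show ipv6 dhcp interface` confirm the pool and its bindings to the subinterfaces.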

kasperd

Quote from: jdishongh on January 24, 2014, 12:20:38 PM
Still curious as to 'why' my 8.8.8.8 DNS isn't resolving.

I have three guesses for possible explanations.
  • Your ISP is hijacking DNS queries to 8.8.8.8 and redirecting them to a broken DNS server.
  • Your query reaches Google, but Google has experienced some problem with your ISP and is trying to work around that problem by filtering the replies.
  • One of Google's DNS servers is having a problem, and your query happens to end up there.
A few things you can try, which may tell us which of the above is happening.
  • dig -t aaaa mydnsv6.kasperd.net @8.8.8.8
  • traceroute 8.8.8.8
  • traceroute -Up 53 8.8.8.8
  • dig -t any $RANDOM.he.i11.test-ipv6.easyv6.net @8.8.4.4