Some IPv6 addresses from the tunnel can't be used?

[ptirc]

Hello everyone!

First of all, let me congratulate you for this amazing service!

I'm new to this tunnel things and kinda new on Linux well and I just recently received my tunnel.

After going through the procedure to become a Sage and unlock IRC and SMTP access I decided to test a few things with the tunnel.

I've figured out that I couldn't use some addresses, although the tunnel is properly set with netplan.

I have a bash script that generates a random IP from the /64 subnet, to be assigned to each ZNC (IRC Bouncer) user.

The script is the following:

Code Select Expand


#!/bin/bash
randomize=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
printf "2001:470:1f12:136$(echo -n $randomize | sha1sum | head -c 16 | sed 's/..../:&/g')\n"


And it ouputs something like:

2001:470:1f12:136:4fec:c00a:acd0:3fdd
2001:470:1f12:136:af49:1934:ae1b:2289
2001:470:1f12:136:3b17:a031:d793:bd67

Those IPs are correct, as far as I know.

I can successfully make ZNC, eggdrops and such connect to IRC with IPs like:

2001:470:1f12:136::1
2001:470:1f12:136::2
2001:470:1f12:136::3

But when comes to those long IPs, some are usable and some others aren't.

Worth to mention that I can ping the server via those long IPs and even telnet to some bots and other programs via those same IPs, but outgoing/outbound connections doesn't always work.

Any ideas/thoughts?

TIA

[ptirc]

Any ideas from anyone?

This is kinda annoying because, as far as I know the generated IPS are valid except that not every one of them are usable.

Cheers!

[broquea]

You should really be using your statically routed /64, not the link point-to-point range. Try with that. Also, 2001:470:1f12:136::1/64 is the IP on our side of the tunnel interface. Try not using that, ever.

[ptirc]

My current netplan config is the following:

Code Select Expand


network:
  version: 2
  tunnels:
    he-ipv6:
      mode: sit
      remote: 216.66.84.42
      local: 37.187.124.211
      addresses:
        - "2001:470:1f12:136::2/64"
        - "2001:470:1f12:136::3/64"
      gateway6: "2001:470:1f12:136::1"

This seems to be valid, unless I'm doing something wrong here.

Some of the long IPS that I've generated were for testing purposes and removed afterwards.

[mikma]

This seems to be valid, unless I'm doing something wrong here.

Some of the long IPS that I've generated were for testing purposes and removed afterwards.

As already mentioned if you want to use more addresses than the "Client IPv6 Address" then you should use addresses from the "Routed /64" (or from "Routed /48" if you already use the /64 on a LAN). Reserve a /64 that you aren't going to use on a LAN, and configure the addresses you want with a /128 prefix.

[ptirc]

Alright.
So, my "Routed /64" is:

Code Select Expand

2001:470:1f13:136::/64

So, generating a random IP, for user "convos" which is a znc user gave me the following ip:

Code Select Expand

2001:470:1f13:136:1b8d:a290:6be6:3f6d

I've added it  to my netplan config;

Code Select Expand

network:
  version: 2
  tunnels:
    he-ipv6:
      mode: sit
      remote: 216.66.84.42
      local: 37.187.124.211
      gateway6: "2001:470:1f12:136::1"
      nameservers:
        addresses:
        - "2001:470:20::2"
        - "2001:4860:4860::8888"
        - "2001:4860:4860::8844"
      addresses:
        # Client IPv6 Address
        - "2001:470:1f12:136::2/64"
        # Routed /64: 2001:470:1f13:136::/64
        - "2001:470:1f13:136::1/64"
        # convos
        - "2001:470:1f13:136:1b8d:a290:6be6:3f6d/64"


But whenever I try to connect to IRC via the 2001:470:1f13:136:1b8d:a290:6be6:3f6d IP, the connection just times out (outgoing).

But I stil can connect to my machine via 2001:470:1f13:136:1b8d:a290:6be6:3f6d.

Example of a SSH connection via 2001:470:1f13:136:1b8d:a290:6be6:3f6d to my machine:

Code Select Expand

$ ssh eggdrop@2001:470:1f13:136:1b8d:a290:6be6:3f6d
The authenticity of host '2001:470:1f13:136:1b8d:a290:6be6:3f6d (2001:470:1f13:136:1b8d:a290:6be6:3f6d)' can't be established.
ECDSA key fingerprint is SHA256:jTQXO+w4f75dOYYoHbAp4M05asip/D7H2RR3t6ewrZw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '2001:470:1f13:136:1b8d:a290:6be6:3f6d' (ECDSA) to the list of known hosts.
eggdrop@2001:470:1f13:136:1b8d:a290:6be6:3f6d's password:
Last login: Fri Feb 26 16:45:59 2021 from 127.0.0.1


Thoughts?

[tjeske]

I've added it  to my netplan config;

You probably should add the routed /64 to your network interface, not to your tunnel interface:

Code Select Expand

network:
  version: 2
  tunnels:
    he-ipv6:
      mode: sit
      remote: 216.66.84.42
      local: 37.187.124.211
      gateway6: "2001:470:1f12:136::1"
      nameservers:
        addresses:
        - "2001:470:20::2"
        - "2001:4860:4860::8888"
        - "2001:4860:4860::8844"
      addresses:
        # Client IPv6 Address
        - "2001:470:1f12:136::2/64"
  ethernets:
    eth0:
      addresses:
        - x.x.x.x/24
        # Routed /64: 2001:470:1f13:136::/64
        - "2001:470:1f13:136::1/64"
        # convos
        - "2001:470:1f13:136:1b8d:a290:6be6:3f6d/64"
      gateway4: x.x.x.y