New native IPv6 Fiber in SF: Receiving packets, but cannot send them out

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
22 posts Page 1 of 3
by julianoster » Fri Apr 07, 2023 1:51 pm
I saw the announcement that some SF customers did get IPv6 two nights ago, and indeed I seem to be one of the lucky ones! Sadly, I can't get it fully working.

After opening up my packet filter and setting up a DHCP6 client, I indeed get an IP address, and even a prefix delegation if I request one.

While I can receive packets on that address (tested from another host), I cannot send them out. All I ever get is some Sonic host with an IP ending in :0:63 telling me that the route for anything is unreachable. Here for Google:

Code:

00:01:19.887984 2001:<redacted>:0:63 > 2001:<redacted>: icmp6: 2607:f8b0:4005:80e::2004 unreachable route [icmp6 cksum ok] (len 112, hlim 64)

The default route that was set up is to a link local address starting with fe80 on the interface, which I indeed see as advertising itself:

Code:

00:09:27.237380 fe80::<redacted> > ff02::1: icmp6: router advertisement(chlim=64, M, pref=medium, router_ltime=1800, reachable_time=0, retrans_time=0)(src lladdr: <redacted>) [icmp6 cksum ok] [class 0xc0] (len 24, hlim 255)

I can ping that gateway. I also see packets from an IP which is the same as I got but with ::1 at the end, and I can ping that, but trying to use that as the gateway (even though I saw no advertisements) leads to the exact same result: ::0:63 will say unreachable route.

Is the problem on my side or with Sonic?
by ernestl » Sat Apr 08, 2023 4:56 am
I am in SF. My firewall is able to obtain a DHCPv6 address (GUA in /128) from the WAN interface and an IPv6 PD in /56. The IPv6 default route points to a link-local address (not mine). I can ping that link-local address. But I can't ping6 or traceroute6 to other IPv6 sites as well.
by julianoster » Sat Apr 08, 2023 12:58 pm
Looks like we have the same situation then. I'm also able to ping my /128 address but with ::1 at the end, which seems to be the global address of the gateway of that subnet, and I'm also able to ping another likely Sonic gateway IP that I saw in another thread here.

So it seems like the packets are making it to Sonic just fine, but not beyond.

Funnily, if I send out my packets through the still existing 6rd tunnel, but with a native address, I do get the answers back through the native interface (as said, receiving works), and the 6rd tunnel does not seem to care that I "spoof" my native IP through the 6rd interface. Sort of a quirky "half tunnel" mode...
by dane » Sat Apr 08, 2023 2:17 pm
Which CPE are you using? IPv6 should be turnkey with the Eero gear.
Dane Jasper
Sonic
by julianoster » Sat Apr 08, 2023 2:30 pm
Just my own OpenBSD box with the Sonic ONT.
by ernestl » Sat Apr 08, 2023 4:46 pm
My own built OPNsense box connected to the Sonic ONT.
by kgc » Mon Apr 10, 2023 10:01 am
julianoster wrote: Just my own OpenBSD box with the Sonic ONT.
If you haven't already, try disabling the pf rules just to make sure your ruleset isn't the problem. (pfctl -d/pfctl -e)
Kelsey Cummings
System Architect, Sonic.net, Inc.
by julianoster » Mon Apr 10, 2023 2:06 pm
kgc wrote:
julianoster wrote: Just my own OpenBSD box with the Sonic ONT.
If you haven't already, try disabling the pf rules just to make sure your ruleset isn't the problem. (pfctl -d/pfctl -e)
I did, and as noted above, I do actually get an "unreachable route" packet back, from a host that's definitely not mine. I also seem to be able to ping other hosts inside (part of) Sonic's net.

It's still possible that I do something different from Sonic equipment. But this appears to be the router with the highest preference advertised on the interface (and autoconf picks it up as the default gateway), and I'm able to get the native address and delegated prefix without issues...
by julianoster » Tue Apr 11, 2023 4:53 pm
Any ideas? Maybe I'm doing something wrong, but then what? This is, in essence, my dhcpcd configuration:

Code:

duid
option rapid_commit
ipv6only
noipv6rs
require dhcp_server_identifier
slaac private
option interface_mtu

allowinterfaces em1
interface em1
	  ipv6rs
	  ia_na 1
	  ia_pd 3 em0/2/64/1

I tried lots of different variants (e.g. different iaids), to no avail.

It really looks like some Sonic router in the path is not letting my packets out past a certain boundary. Do I need to do a secret handshake first or anything? :D
by ernestl » Tue Apr 11, 2023 7:56 pm
I connected my laptop directly to the ONT; the laptop got assigned a public IPv4 address and an IPv6 GUA address. I got both an IPv4 and an IPv6 default route. When I tried to https to ping6 to www.google.com, I just don't get any reply. Attached is the CLI output.

Code:

en8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=6467<RXCSUM,TXCSUM,VLAN_MTU,TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
	ether 58:ef:<redux> 
	inet6 fe80::89d:b1c2:5801:2148%en8 prefixlen 64 secured scopeid 0xd 
	inet6 2001:5a8:601:2a::4a1e prefixlen 128 dynamic 
	inet 135.180.111.57 netmask 0xfffff800 broadcast 135.180.111.255
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect (1000baseT <full-duplex>)
	status: active
	
admin@laptop ~ % route -n get default
   route to: default
destination: default
       mask: default
    gateway: 135.180.104.1
  interface: en8
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING,GLOBAL>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500         0 

admin@laptop ~ % route -n get -inet6 default
   route to: ::
destination: ::
       mask: default
    gateway: fe80::5e5e:abff:fed8:57c0%en8
  interface: en8
      flags: <UP,GATEWAY,DONE,PRCLONING,GLOBAL>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500         0 
admin@laptop ~ % 

admin@laptop ~ % traceroute6 www.google.com
traceroute6 to www.google.com (2607:f8b0:4005:806::2004) from 2001:5a8:601:2a::4a1e, 64 hops max, 12 byte packets
 1  * *
    2001:5a8:601:2a:42e3:1acc:0:63  6.009 ms !N
 2  2001:5a8:601:2a:42e3:1acc:0:63  5.096 ms !N  6.181 ms !N  5.930 ms !N
admin@laptop ~ % 
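The posts above reason that an ICMPv6 "unreachable route" answer from a host that is not the customer's means the packets leave the CPE and are rejected upstream. The following added example (not part of the thread or of any Sonic tooling) parses the traceroute6 output from the last post and reports which side generated the rejection. The function names and the /64 WAN subnet size are assumptions made for the example.

```python
import ipaddress
import re

# traceroute6 output copied from the post above (macOS/BSD format).
SAMPLE = """\
traceroute6 to www.google.com (2607:f8b0:4005:806::2004) from 2001:5a8:601:2a::4a1e, 64 hops max, 12 byte packets
 1  * *
    2001:5a8:601:2a:42e3:1acc:0:63  6.009 ms !N
 2  2001:5a8:601:2a:42e3:1acc:0:63  5.096 ms !N  6.181 ms !N  5.930 ms !N
"""

# BSD traceroute6 flags for ICMPv6 destination-unreachable codes.
FLAGS = {"N": "no route to destination", "P": "administratively prohibited",
         "A": "address unreachable"}
HEADER = re.compile(r"\(([0-9a-f:]+)\) from ([0-9a-f:]+),")

def rejections(output):
    """Return (src, [(hop, responder, flag), ...]) for every flagged probe."""
    src = ipaddress.IPv6Address(HEADER.search(output).group(2))
    hop, responder, found = 0, None, []
    for line in output.splitlines()[1:]:
        numbered = re.match(r"\s*(\d+)\s+(.*)", line)
        if numbered:  # continuation lines start with an address, not a hop number
            hop, line = int(numbered.group(1)), numbered.group(2)
        for tok in line.split():
            if ":" in tok:
                responder = ipaddress.IPv6Address(tok)
            elif tok.startswith("!") and responder is not None:
                found.append((hop, responder, tok[1:]))
    return src, found

def diagnose(output, wan_prefixlen=64):
    """Say where the rejection comes from. wan_prefixlen is an assumption:
    the WAN address is a /128, taken here to sit in a /64 shared with the gateway."""
    src, found = rejections(output)
    if not found:
        return "no ICMPv6 rejection seen: silent drop or path is fine"
    hop, responder, flag = found[0]
    reason = FLAGS.get(flag, "flag !" + flag)
    wan = ipaddress.ip_network(f"{src}/{wan_prefixlen}", strict=False)
    if responder == src:
        where = "local host: check its own routing table and filter rules"
    elif responder in wan:
        where = "provider router on the WAN subnet: packets left the CPE"
    else:
        where = "router beyond the WAN subnet"
    return f"hop {hop} {responder}: {reason}; {where}"

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A responder equal to the local source address would instead point at the local routing table or packet filter, which is the case the `pfctl -d` suggestion earlier in the thread was meant to rule out.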
