# ipv6 issue: ping works but nothing else works



## safal (Oct 10, 2011)

I have a FreeBSD 7.0 system and I recently enabled ipv6. I configured Apache, Exim and Dovecot to use newly added ipv6 address. I can ping the ipv6 address but when I try to browse or ssh to the system, it doesn't work. I tried tcpdump and I can see SYN packet coming to the server but the server is not sending back ACK. I think the problem is with TCP stack but have no clue what might be wrong.

Any help will be highly appreciated.


----------



## SirDice (Oct 10, 2011)

Make sure your services are also configured to accept IPv6.


----------



## safal (Oct 10, 2011)

Yes, the services are configured to accept ipv6 connection. Here is my output of the sockstat command. 


```
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
apache   httpd      62387 4  tcp46  *:80                  *:*
apache   httpd      62387 6  tcp46  *:443                 *:*
apache   httpd      62386 4  tcp46  *:80                  *:*
apache   httpd      62386 6  tcp46  *:443                 *:*
apache   httpd      62385 4  tcp46  *:80                  *:*
apache   httpd      62385 6  tcp46  *:443                 *:*
apache   httpd      62384 4  tcp46  *:80                  *:*
apache   httpd      62384 6  tcp46  *:443                 *:*
apache   httpd      62383 4  tcp46  *:80                  *:*
apache   httpd      62383 6  tcp46  *:443                 *:*
nobody   directadmi 61205 0  tcp46  *:2222                *:*
nobody   directadmi 59743 0  tcp46  *:2222                *:*
root     sshd       89320 3  tcp46  *:22022               *:*
mail     exim       39378 3  tcp6   *:25                  *:*
mail     exim       39378 5  tcp6   *:587                 *:*
```

I've even stopped the ipfw firewall to make sure nothing is being blocked.

In my test FreeBSD box, I just put 
	
	



```
enable_ipv6="YES"
```
 in /etc/rc.conf then when I restarted, I could immediately ssh to the box using ipv6 address but it's not the case with my server.


----------



## safal (Oct 10, 2011)

I can telnet to IPV6 localhost address, ::1 on all the open ports. That means, the TCP/IP is working fine right?


----------



## SirDice (Oct 10, 2011)

Is there a firewall running on the server? It might be configured to only accept IPv4.


----------



## safal (Oct 10, 2011)

SirDice said:
			
		

> Is there a firewall running on the server? It might be configured to only accept IPv4.


There is no firewall running.


----------



## SirDice (Oct 10, 2011)

Does DNS actually return an IPv6 address? Or does it only return an IPv4 address?


----------



## safal (Oct 10, 2011)

I'm not using hostname to connect. I'm just trying to connect to an IPV6 address.


----------



## torcod (Oct 10, 2011)

Is the system running the services also the main IPv6 router or do you have another box handling that?

When I set up IPv6 on my box a few years ago I had a similiar issue.

Make sure that the physical interfaces have global IPv6 addresses. Otherwise the system will send everything out of the tunneling interface instead of the proper interface. 

If you aren't familiar with IPv6 link local addresses are in the fe80::/64 subnet you want addresses starting with something else (normally 2001:xxx... depending on the tunnel broker you used).

http://www.freebsddiary.org/ipv6.php
This issue is described here at the bottom of the page.


----------



## bbzz (Oct 10, 2011)

^ 
If the above suggestion doesn't work, it would be nice if we could look at how actual packet you get looks like.


----------



## SirDice (Oct 11, 2011)

I think torcot got the right idea. At least that would be my next suggestion, what IPv6 addresses are you using and are you crossing one or more routers?

Keep in mind that link-local addresses do not route.


----------



## safal (Oct 11, 2011)

The IPV6 box is not handling the routing nor I'm doing a tunneling. I have a block of 2001:1af8:****:****/64, IPV6 addresses assigned to me by my hosting provider.
It responds to ping6 and it can access ipv6.google.com, which means TCP/IP and routing is working fine. 

But when I telnet to any port using ipv6 address, it doesn't work. (Note: firewall is turned off).
Here is the output of TCPDUMP command:


```
tcpdump -vvnn host 2001:1af8:**:**:1::196
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
08:38:12.659055 IP6 (hlim 54, next-header TCP (6) payload length: 40)
 2001:470:1f05:**:**:**:fe3f:315c.54361 > 2001:1af8:**:**:1::196.80: S, cksum 0xff80 (correct), 1824547451:1824547451(0) win 4880 <mss 1220,sackOK,timestamp 3277792 0,nop,wscale 6>
08:38:15.656378 IP6 (hlim 54, next-header TCP (6) payload length: 40)
 2001:470:1f05:**:**:**:fe3f:315c.54361 > 2001:1af8:**:**:1::196.80: S, cksum 0xf3c8 (correct), 1824547451:1824547451(0) win 4880 <mss 1220,sackOK,timestamp 3280792 0,nop,wscale 6>
08:38:21.657825 IP6 (hlim 54, next-header TCP (6) payload length: 40)
 2001:470:1f05:**:**:**:fe3f:315c.54361 > 2001:1af8:**:**:1::196.80: S, cksum 0xdc58 (correct), 1824547451:1824547451(0) win 4880 <mss 1220,sackOK,timestamp 3286792 0,nop,wscale 6>
```


----------



## safal (Oct 11, 2011)

Its solved!! 
The problem was in fact with firewall. I had stopped the firewall before trying things out, since I didn't want it to cause any problem. But, what I didn't know was, even when stopped, ipfw would continue to block everything, which it was not configured to allow 

Thank you all for your responses and I'm sorry for bugging you with my silliness.


----------

