# IPv6 gateway ping network unreachable



## davorin (Dec 2, 2016)

Hello

I just placed my server running FreeBSD 11 in a data center which provides IPv4 and IPv6 connectivity....IPv4 is no problem of course...

For the IPv6 setup I've been giving this information:

Prefix: 2a02:xxx:xxxx::/48
Gateway: fe80::1

So I changed rc.conf to read:

```
ifconfig_bce0_ipv6="inet6 2a02:xxx:xxxx::5 prefixlen 48"
ipv6_defaultrouter="fe80::1"
```

But I can't reach any IPv6 destination at all....also tried with ACCEPT_RTADV to the ifconfig bce0 statement.

Interestingly though is the fact that local bind daemon can resolve IPv6 names...


----------



## SirDice (Dec 2, 2016)

Can you ping the gateway address? If that's not possible you should contact the hoster. 



> Interestingly though is the fact that local bind daemon can resolve IPv6 names...


The DNS server doesn't need to be running on IPv6 to be able to resolve IPv6 addresses or hosts.


----------



## davorin (Dec 2, 2016)

This is what I thought...but doesn't help me further (o;

```
root@davorin:/usr/home/me # ping6 fe80::1
ping6: UDP connect: Network is unreachable
```


----------



## SirDice (Dec 2, 2016)

Try pinging the 2a02:xxx:xxxx::1 address. My hoster has its gateways on the X:X:X::1 addresses. 

Oh, and I just realized something. When using the fe80::1 address you need to specify the interface: `ping6 fe80::1%bce0`

If pinging that works change the line in rc.conf:

```
ipv6_defaultrouter="fe80::1%bce0"
```


----------



## davorin (Dec 2, 2016)

Ah right....this works:

```
root@davorin:/usr/home/me # ping6 fe80::1%bce0

PING6(56=40+8+8 bytes) fe80::3e4a:92ff:fef5:72a4%bce0 --> fe80::1%bce0
16 bytes from fe80::1%bce0, icmp_seq=0 hlim=64 time=15.591 ms
16 bytes from fe80::1%bce0, icmp_seq=1 hlim=64 time=0.342 ms
16 bytes from fe80::1%bce0, icmp_seq=2 hlim=64 time=0.341 ms
16 bytes from fe80::1%bce0, icmp_seq=3 hlim=64 time=0.375 ms
```
The  2a02:xxx:xxxx::1 - 2a02:xxx:xxxx::3 are reserved by the hoster....but all of them are not pingable...


----------



## SirDice (Dec 2, 2016)

davorin said:


> The 2a02:xxx:xxxx::1 - 2a02:xxx:xxxx::3 are reserved by the hoster....but all of them are not pingable...


Odd, I would expect those to work. Typically the 1 address is the VRRP (virtual) address with 2 and 3 being the actual routers.


----------



## davorin (Dec 3, 2016)

Not even traceroute6(1) works....sends back that it is not allowed...

```
root@davorin:/usr/home/me # traceroute6 google.com
traceroute6 to google.com (2a00:1450:4001:81d::200e) from 2a02:xxx:xxxx::5, 64 hops max, 12 byte packets
 1  2a02:xxx:xxxx::5  3172.599 ms !A  3169.249 ms !A  3173.994 ms !A
```
So my own interface send back that it is prohibited....and this without any firewall running.


When doing a trace with an online tool I see lots of UDP packets being blocked on my server...whatever those UDP packets have to do with traceroute?

```
Dec  3 12:17:51 davorin kernel: ipfw: 55555 Deny UDP [2a02:348:82:cb69::6]:56000 [2a02:xxx:xxxx::5]:33455 in via bce0
Dec  3 12:17:51 davorin kernel: ipfw: 55555 Deny UDP [2a02:348:82:cb69::6]:42923 [2a02:xxx:xxxx::5]:33456 in via bce0
Dec  3 12:17:51 davorin kernel: ipfw: 55555 Deny UDP [2a02:348:82:cb69::6]:36071 [2a02:xxx:xxxx::5]:33457 in via bce0
Dec  3 12:17:51 davorin kernel: ipfw: 55555 Deny UDP [2a02:348:82:cb69::6]:45787 [2a02:xxx:xxxx::5]:33458 in via bce0
Dec  3 12:17:51 davorin kernel: ipfw: 55555 Deny UDP [2a02:348:82:cb69::6]:56452 [2a02:xxx:xxxx::5]:33460 in via bce0
Dec  3 12:17:51 davorin kernel: ipfw: 55555 Deny UDP [2a02:348:82:cb69::6]:47304 [2a02:xxx:xxxx::5]:33464 in via bce0
Dec  3 12:17:51 davorin kernel: ipfw: 55555 Deny UDP [2a02:348:82:cb69::6]:44380 [2a02:xxx:xxxx::5]:33465 in via bce0
```


----------



## davorin (Dec 3, 2016)

Hmm...read somewhere else that someone need to add in /etc/rc.conf the "ipv6_cpe_wanif" option...

Now I see in the ipfw logs when I try to ssh from my tunnelbroker network to my server:

Dec  3 14:31:03 davorin kernel: ipfw: 55555 Deny TCP [2001:470:xx:xxx::2]:6910 [2a02:xxx:xxxx::5]:22 in via bce0

But when switching off ipfw I can't ssh into the box....also still no pings and traceroutes possible...

So something is wrong with the ipv6 routing from the box as there are no packets sent back...


----------



## Nat_RH (Dec 3, 2016)

What does netstat -r look like?


----------



## davorin (Dec 3, 2016)

Just the output of netstat -rn -f inet6 shown:


```
root@davorin:/usr/home/me # netstat -rn -f inet6
Routing tables

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
default                           fe80::1                       UGS         lo0
::1                               link#5                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
2a02:xxx:xxxx::/48                link#1                        U          bce0
2a02:xxx:xxxx::5                  link#1                        UHS         lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%bce0/64                    link#1                        U          bce0
fe80::3e4a:92ff:fef5:72a4%bce0    link#1                        UHS         lo0
fe80::%lo0/64                     link#5                        U           lo0
fe80::1%lo0                       link#5                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0
```

Well as mentioned....ipv6 packets are coming in as I can see them blocked in ipfw...
but they never go back out again...

For completeness...this is the ipv6 rc.conf part I use currently:


```
ifconfig_bce0_ipv6="inet6 2a02:xxx:xxxx::5 prefixlen 48"
ipv6_cpe_wanif="bce0"
ipv6_defaultrouter="fe80::1"
```


----------



## davorin (Dec 3, 2016)

Okay...works now 

It should read:


```
ipv6_defaultrouter="fe80::1%bce0"
```

And not:


```
ipv6_defaultrouter="fe80::1"
```


----------

