Unable to connect to IPv6

[Remco00]

Followed the exact steps as described in https://help.directadmin.com/item.php?id=353 on two Centos 7 machines (one VM and other dedicated). But tests show that webserver and nameservers are unable to connect. Still, ifconfig -a shows the correct IPv6 adresses. Also disabled CSF for testing purposes but makes no different. I can however see IPv6 ports scans comming in and blocked by CSF when enabled.

What am I missing here?

 

[Remco00]

I'me also unable to ping any outside ipv6 host. Do I need to do some manual IPv6 configuration inside /etc/sysconfig/network-scripts/ or is just following the above described steps sufficient?

 

[zEitEr]

Hello,

Can you ping your own IPv6 from the server?

Did you try with temporary disabled firewall?

 

[Remco00]

Hi Alex, yes I can ping the local IPv6 adress. The Centos7 firewall is disabled.

[root@s09 ~]# systemctl status firewalld
? firewalld.service
   Loaded: masked (/dev/null; bad)
   Active: inactive (dead)

 

[zEitEr]

And you have IPv6 enabled in CSF?

What do you see with

grep ^IPV6 /etc/csf/csf.conf

?

ping -6 google.com -c3

?

ip -6 ro li

?

sysctl -a | grep disable_ipv6

?

 

[Remco00]

Thanks Alex, please see below:

# grep ^IPV6 /etc/csf/csf.conf
IPV6 = "1"
IPV6_ICMP_STRICT = "0"
IPV6_SPI = "1"

# ping -6 google.com -c3
connect: Network is unreachable

# ip -6 ro li
unreachable ::/96 dev lo metric 1024 error -113
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113
2001:1af8:4700:masked::/64 dev eth0 proto kernel metric 256
unreachable 2002:a00::/24 dev lo metric 1024 error -113
unreachable 2002:7f00::/24 dev lo metric 1024 error -113
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
unreachable 2002:ac10::/28 dev lo metric 1024 error -113
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
unreachable 2002:e000::/19 dev lo metric 1024 error -113
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113
fe80::/64 dev eth0 proto kernel metric 256

# sysctl -a | grep disable_ipv6
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.eth0.disable_ipv6 = 0
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
net.ipv6.conf.lo.disable_ipv6 = 0

 

[zEitEr]

You need to install a default route for IPv6 in /etc/sysconfig/network, add lines:

IPV6_DEFAULTGW=2a01:7xxx:xxx::1
IPV6_AUTOCONF=no

where you should replace 2a01:7xxx:xxx::1 with a real ip6 of your GW, and then restart network.

 

[Remco00]

Thank again Alex, do you mean the file network (which now is empty) or the file ifcfg-eth0 under /etc/sysconfig/network-scripts which noiw is:

# Generated by dracut initrd
DEVICE="eth0"
ONBOOT=yes
NETBOOT=yes
IPV6INIT=yes
BOOTPROTO=dhcp
TYPE=Ethernet
NAME="eth0"
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
PEERDNS=yes
PEERROUTES=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes

 

[zEitEr]

On CentOS 7 it might be /etc/sysconfig/network-scripts/ifcfg-eth0 or any other file for your network device.

 

[Remco00]

Thanks, that didn't work. I now changed etc/sysconfig/network-scripts/ifcfg-eth0 into

# Generated by dracut initrd
DEVICE="eth0"
ONBOOT=yes
NETBOOT=yes
IPV6INIT=yes
BOOTPROTO=dhcp
TYPE=Ethernet
NAME="eth0"
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
# IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
PEERDNS=yes
PEERROUTES=yes
IPV6ADDR=2001:1af8:4700:masked
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_DEFAULTGW=2001:1af8:masked
IPV6_AUTOCONF=no

All seems fine now. But does that mean that every IPv6 adress has to be added manually in this file?

 

[zEitEr]

No, it does not mean. I did not write a word of it.

Did you restart network?

You might need to change the config from BOOTPROTO=dhcp to BOOTPROTO=static and specify all the details for IPv4. Read documentation on how to do it.

 

[Remco00]

Solved. I wasn't aware of the DA script startips. The help page was edited by DA on the same date as the tread. Coincidence? Anyway, if you experience the same problem with adding IPv6, look at https://help.directadmin.com/item.php?id=418 for more info about when using startips.

 

[zEitEr]

So you executed the DA script startips and IPv6 routes were successfully created. Correct? That's good.

 

[bcx]

@Remco00 @zEitEr I have the same problem I think.

IPv6 Connectivity
FAIL
Could not connect to mystie.com on port 80 over IPv6.

Port 80 is open in CSF.


My output is the following:

grep ^IPV6 /etc/csf/csf.conf

IPV6 = "1"
IPV6_ICMP_STRICT = "0"
IPV6_SPI = "1"

# ping -6 google.com -c3
connect: Network is unreachable

~# IP -6 ro li
::1 dev lo proto kernel metric 256 pref medium
4a45:6c80:0:3e::/64 dev eno2 proto kernel metric 256 pref medium
fe80::/64 dev eno2 proto kernel metric 256 pref medium

# sysctl -a | grep disable_ipv6
: command not found
~# net.ipv6.conf.all.disable_ipv6 = 0
-bash: net.ipv6.conf.all.disable_ipv6: command not found
:~# net.ipv6.conf.default.disable_ipv6 = 0
-bash: net.ipv6.conf.default.disable_ipv6: command not found
:~# net.ipv6.conf.eno1.disable_ipv6 = 0
-bash: net.ipv6.conf.eno1.disable_ipv6: command not found
:~# net.ipv6.conf.eno2.disable_ipv6 = 0
-bash: net.ipv6.conf.eno2.disable_ipv6: command not found
:~# net.ipv6.conf.lo.disable_ipv6 = 0
-bash: net.ipv6.conf.lo.disable_ipv6: command not found

I'm running on debian 10 with openlitespeed


Do i need to do the same steps? If yes, the first 4 as well or only the Debian part?

https://help.directadmin.com/item.php?id=418