D-Link Forums

The Graveyard - Products No Longer Supported => Routers / COVR => DIR-857 => Topic started by: Eagle77 on November 17, 2012, 06:14:45 AM

Title: IPv6 problems
Post by: Eagle77 on November 17, 2012, 06:14:45 AM
Hi,

I'm experiencing problems with IPv6 on the LAN side. Everything seems to work when I try to ping from the WAN side from the router. But from the LAN side I get

Pinging 2a02:270:201f::1 with 32 bytes of data:
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.

Ping statistics for 2a02:270:201f::1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

And from the System Check on the router:

Response from 2a02:270:201f::1 received in 2 milliseconds. TTL = 64
Response from 2a02:270:201f::1 received in 2 milliseconds. TTL = 64
Response from 2a02:270:201f::1 received in 2 milliseconds. TTL = 64
Response from 2a02:270:201f::1 received in 2 milliseconds. TTL = 64
Response from 2a02:270:201f::1 received in 2 milliseconds. TTL = 64
Response from 2a02:270:201f::1 received in 3 milliseconds. TTL = 64
User stopped
Pings sent: 6
Pings received: 6
Pings lost: 0 (0% loss)
Shortest ping time (in milliseconds): 2
Longest ping time (in milliseconds): 3
Average ping time (in milliseconds): 2

Any idea why I can't ping the IPv6 addresses from the LAN side nor use IPv6.


Title: Re: IPv6 problems
Post by: PacketTracer on November 17, 2012, 02:10:48 PM
Hi Eagle77,

Quote
when I try to ping from the WAN side from the router

What do you mean by this? You are pinging a host on your LAN from a host outside your LAN (a host in another location that has access to the IPv6 Internet)? Or do you mean, you do a "IPv6 Ping Test" from the web interface of your DIR-857 (SYSTEM CHECK)?

Quote
2a02:270:201f::1

As I can see via whois, you are from Norway and your provider is "Hafslund Telekom Nettjenester". This provider owns the ipv6 address block 2a02:270::/32 and I guess you got the fraction 2a02:270:201f::/48 out of this block delegated to you for use inside your LAN? Or it might be the smaller fraction 2a02:270:201f::/56. But no matter what, for use inside your LAN you have to form a /64 out of the block delegated to you, and the most simple case is just 2a02:270:201f::/64, where the LAN interface of your router is configured to have the IPv6 address 2a02:270:201f::1. Am I right that this is your configuration? If not, tell us what you have configured within the IPv6 configuration of your DIR-857 box (e.g. a screenshot).

If I guessed right and 2a02:270:201f::1 is the address of the LAN interface of your router, then your results tell us, that the DIR-857 can ping itself (SYSTEM CHECK), which is trivial, but that you cannot ping the DIR-857 from any of your hosts inside your LAN.

What kind of hosts do you use? Did you check if they have IPv6 addresses out of your address block 2a02:270:201f::/64? For example, if you use Windows, what does the command "ipconfig /all" (command prompt window) tell you? Show us the output of this command.

In case, your LAN hosts don't have appropriate IPv6 addresses, maybe you didn't enable automatic IPv6 address assignment within the IPv6 configuration of your DIR-857?

PacketTracer
Title: Re: IPv6 problems
Post by: FurryNutz on November 17, 2012, 03:40:25 PM
Also be sure you are not effected by any of this:
http://forums.dlink.com/index.php?topic=50751.0 (http://forums.dlink.com/index.php?topic=50751.0)
Title: Re: IPv6 problems
Post by: Eagle77 on November 17, 2012, 04:53:30 PM
Hi Eagle77,

What do you mean by this? You are pinging a host on your LAN from a host outside your LAN (a host in another location that has access to the IPv6 Internet)? Or do you mean, you do a "IPv6 Ping Test" from the web interface of your DIR-857 (SYSTEM CHECK)?

That's correct. Everything works there. I can ping several hosts from the System check on the WEB gui on the DIR-857.


As I can see via whois, you are from Norway and your provider is "Hafslund Telekom Nettjenester". This provider owns the ipv6 address block 2a02:270::/32 and I guess you got the fraction 2a02:270:201f::/48 out of this block delegated to you for use inside your LAN? Or it might be the smaller fraction 2a02:270:201f::/56. But no matter what, for use inside your LAN you have to form a /64 out of the block delegated to you, and the most simple case is just 2a02:270:201f::/64, where the LAN interface of your router is configured to have the IPv6 address 2a02:270:201f::1. Am I right that this is your configuration? If not, tell us what you have configured within the IPv6 configuration of your DIR-857 box (e.g. a screenshot).

And you are correct that the ISP is Hafslund Telekom Nettjenester ( I work for that company.)
I have a /48 and a /64 net (picked them out myself.) I tried with a linknet as well too see if that worked.

2a02:270:201f::1/48 is the default gateway on the WAN side. (a Cisco ME3600)
2a02:270:201F::2/48 is the IPv6 Address (we use static IP addresses, no DHCP)


If I guessed right and 2a02:270:201f::1 is the address of the LAN interface of your router, then your results tell us, that the DIR-857 can ping itself (SYSTEM CHECK), which is trivial, but that you cannot ping the DIR-857 from any of your hosts inside your LAN.

I can't reach anything from the outside of my LAN, as you can see from the ping I tried earlier.

What kind of hosts do you use? Did you check if they have IPv6 addresses out of your address block 2a02:270:201f::/64? For example, if you use Windows, what does the command "ipconfig /all" (command prompt window) tell you? Show us the output of this command.

On the LAN side I use 2a02:270:1:27::2/64 both are gw's are terminated on the Cisco ME3600.
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Marvell Yukon 88E8059 PCI-E Gigabit Ether
net Controller #2
   Physical Address. . . . . . . . . : 20-CF-30-3D-05-E9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2a02:270:1:27:2454:a241:a046:ff6c(Preferr
ed)
   Temporary IPv6 Address. . . . . . : 2a02:270:1:27:2868:c17:1ab4:e603(Preferre
d)
   Link-local IPv6 Address . . . . . : fe80::2454:a241:a046:ff6c%21(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.141.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 17. november 2012 02:00:21
   Lease Expires . . . . . . . . . . : 18. november 2012 14:00:21
   Default Gateway . . . . . . . . . : fe80::baa3:86ff:fe65:5a77%21
                                       192.168.141.1
   DHCP Server . . . . . . . . . . . : 192.168.141.1
   DNS Servers . . . . . . . . . . . : 2001:840:0:100::1
                                       2001:4860:4860::8844
                                       192.168.141.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{CE448ED7-72A4-4850-BC11-7A6C8C08791A}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:3091:a3c:bfe3:ffc3(Prefe
rred)
   Link-local IPv6 Address . . . . . : fe80::3091:a3c:bfe3:ffc3%12(Preferred)
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled
In case, your LAN hosts don't have appropriate IPv6 addresses, maybe you didn't enable automatic IPv6 address assignment within the IPv6 configuration of your DIR-857?

I have tried all the settings on the router regarding automatic IPv6 address assignment.
Use Link-Local Address: Unticked
IPv6 Address: 2A02:270:201F::2
Subnet Prefix Length: 48
Default Gateway: 2A02:270:201F::1
DNS: a local ISP in Norway and Google's IPv6 DNS server


LAN IPv6 Address: 2A02:270:1:27:2/64

Enable automatic IPv6 Address assignment: ticked
Autoconfiguration Type: SLAAC + RDNSS, also tried the other options as well without any luck.


Eagle
Title: Re: IPv6 problems
Post by: PacketTracer on November 18, 2012, 05:54:54 AM
Hi Eagle,

Quote
And you are correct that the ISP is Hafslund Telekom Nettjenester ( I work for that company.)
I have a /48 and a /64 net (picked them out myself.)

So, what is it? A testing installation for future native IPv6 rollout to your customers?

Just to assure that I understood your constellation:


So taking this given and looking at routing, I see from what you posted so far:


But what about the opposite direction? Your Cisco device needs an information how to route packets destined for 2a02:270:1:27::/64 back to your LAN via the WAN link. Did you configure an appropriate route within your Cisco ME3600? For example, if you ping 2a02:270:201f::1 (WAN interface Cisco device) from a host within your LAN (2a02:270:1:27:xxxx:xxxx:xxxx:xxxx), without this route the Cisco device doesn't know where to send the reply -- ping will fail as observed. Maybe this is the solution to your problem.

Finally some additional remarks:


PacketTracer
Title: Re: IPv6 problems
Post by: Eagle77 on November 18, 2012, 02:09:56 PM
Hi Eagle,

Hi PacketTracer,

So, what is it? A testing installation for future native IPv6 rollout to your customers?

Yes this is a test installation at my place. (we have a node approx 80 meters away from my place)

Just to assure that I understood your constellation:


  • You have a WAN link between your DIR-857 CPE and your ISP Cisco ME3600 access router and you use a /48 (2a02:270:201f::/48) for addressing this link, where the CPE gets host address ::2 and the Cisco device gets host address ::1
  • You have a /64 (2a02:270:1:27::/64) for addressing your LAN behind your CPE, where the CPE gets host address ::2

Yes, that is also correct and I have routed both networks together like this on ME3600:
ipv6 route 2A02:270:201F::/48 2A02:270:1:27::2 where ::2 is the host on the LAN side of the DIR-857.


And on the VLAN:
 ipv6 address 2A02:270:1:27::1/64
 ipv6 address 2A02:270:201F::1/48

address-family ipv6:
 network 2A02:270:1:27::/64
 network 2A02:270:201F::/48

So taking this given and looking at routing, I see from what you posted so far:

  • Hosts within your LAN are configured automatically via SLAAC, hence they use the link local address fe80::baa3:86ff:fe65:5a77 of the LAN interface of your CPE as default gateway. Nothing wrong with this.
  • The WAN interface of your CPE is statically configured as described above, using the address of the Cisco access router at the opposite end as default gateway. Nothing wrong with this, too.

But what about the opposite direction? Your Cisco device needs an information how to route packets destined for 2a02:270:1:27::/64 back to your LAN via the WAN link. Did you configure an appropriate route within your Cisco ME3600? For example, if you ping 2a02:270:201f::1 (WAN interface Cisco device) from a host within your LAN (2a02:270:1:27:xxxx:xxxx:xxxx:xxxx), without this route the Cisco device doesn't know where to send the reply -- ping will fail as observed. Maybe this is the solution to your problem.

I think have covered this question in my reply here earlier. :)

Finally some additional remarks:

  • Why do you use a /48 for numbering a WAN link that in practice is a PPP link with no more than 2 devices, namely the routers on both ends? Standard for this case is to use a /64 or even a /127 only (see http://datatracker.ietf.org/doc/rfc6164/ (http://datatracker.ietf.org/doc/rfc6164/))
  • In general it is at least unusual to use a prefix with prefix length smaller than /64 (e. g. a /48) for direct addressing of any link. According to http://datatracker.ietf.org/doc/rfc4291/ (http://datatracker.ietf.org/doc/rfc4291/) with a few exceptions like the one mentioned above you always have to use a /64 to address any link. If you have a prefix with a smaller prefix length like a /48 then this is just ment to regard this as a pool you can form 216 networks of size /64 from. Hence in practise you would take a /64 or /127 for the WAN link and delegate a bigger block (/56 or /48) to the customer who picks 1 or more /64 out of this delegated pool for addressing his LAN link(s).
  • Your Windows hosts have Teredo active and working. While this is not a mistake, it is better you switch this off: Open a command shell with administrative rights and type netsh int ipv6 set ter dis. You may also disable ISATAP by typing netsh int ipv6 isa set st dis and 6to4 by typing netsh int ipv6 6to4 set st dis to set all tunneling techniques coming with Windows out of function.
  • RDNSS isn't supported by Windows, hence you better use SLAAC + stateless DHCPv6 to distribute DNS server addresses to the LAN hosts. But resolution of IPv6 addresses also works by asking DNS servers via IPv4, hence this point is not so important.
PacketTracer

I just picked up some net's we allready had ready, didn't wanna narrow it down to a smaller just for testing purpose.

I will try and turn off Teredo and 6to4 too see if this helps as well. Appreciate the help here PacketTracer. :)

Eagle

Title: Re: IPv6 problems
Post by: PacketTracer on November 18, 2012, 02:42:36 PM
Hi again,

Quote
ipv6 route 2A02:270:201F::/48 2A02:270:1:27::2

Shouldn't this be the other way around?

ipv6 route 2A02:270:1:27::/64 2A02:270:201F::2

Network to route to: 2A02:270:1:27::/64 (LAN)
Next Hop: 2A02:270:201F::2 (IPv6 address of DIR-825 WAN interface)

PacketTracer
Title: Re: IPv6 problems
Post by: Eagle77 on November 18, 2012, 02:55:23 PM
Hi again,

Hi,
Shouldn't this be the other way around?

ipv6 route 2A02:270:1:27::/64 2A02:270:201F::2

Network to route to: 2A02:270:1:27::/64 (LAN)
Next Hop: 2A02:270:201F::2 (IPv6 address of DIR-825 WAN interface)

PacketTracer

I have tried several different ways, but none of the ways work as intended. IPv6 Connectivity says: No Internet access on my IPv6 network either, but I can ping the WAN side on the router without any problems, but I can't ping anything from the LAN side, and btw I changed the route again now, so now it's
ipv6 route 2A02:270:1:27::/64 2A02:270:201F::2 but still no go. :(

Eagle
Title: Re: IPv6 problems
Post by: PacketTracer on November 18, 2012, 03:11:44 PM
Hi Eagle

within Windows the builtin firewall only allows to receive pings that were sent from the same local network the Windows host sits in.

So for testing purposes disable the Windows firewall competely to see if ping works afterwords.

If so widen the firewall filter for incoming icmpv6 echoes to allow any address instead of local subnet only.

PacketTracer

Edit:

By the way: AFAIK, the default of the IPv6 firewall within DIR-857 is to block everything in any direction! So for testing also disable the DIR-857 firewall.
Title: Re: IPv6 problems
Post by: Eagle77 on November 18, 2012, 03:21:09 PM
Hi Eagle

within Windows the builtin firewall only allows to receive pings that were sent from the same local network the Windows host sits in.

So for testing purposes disable the Windows firewall competely to see if ping works afterwords.

If so widen the firewall filter for incoming icmpv6 echoes to allow any address instead of local subnet only.

PacketTracer

Edit:

By the way: AFAIK, the default of the IPv6 firewall within DIR-857 is to block everything in any direction! So for testing also disable the DIR-857 firewall.

Hi PacketTracer,

I use PIS2013 (Panda Internet Security 2013) and the firewall is disabled. I can now ping 2A02:270:201F::2 but not 2A02:270:201F::1 (You should be able to ping 2A02:270:201F::2 as well since I have opened it up for ping atm.)

I have disabled the firewall and IPv6 Simple Security on the DIR-857

/Eagle
Title: Re: IPv6 problems
Post by: PacketTracer on November 18, 2012, 03:32:12 PM
Hi again,

here the results for pinging you from my site:

Code: [Select]
C:\>ping 2A02:270:201F::2

Ping wird ausgeführt für 2a02:270:201f::2 von 2001:4dd0:XXXX:0:6cf0:d15c:5f6d:1a30 mit 32 Bytes Date
n:
Antwort von 2a02:270:201f::2: Zeit=98ms
Antwort von 2a02:270:201f::2: Zeit=97ms
Antwort von 2a02:270:201f::2: Zeit=97ms
Antwort von 2a02:270:201f::2: Zeit=97ms

Ping-Statistik für 2a02:270:201f::2:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 97ms, Maximum = 98ms, Mittelwert = 97ms

C:\>ping 2A02:270:201F::1

Ping wird ausgeführt für 2a02:270:201f::1 von 2001:4dd0:XXXX:0:6cf0:d15c:5f6d:1a30 mit 32 Bytes Date
n:
Antwort von 2a02:270:201f::1: Zeit=96ms
Antwort von 2a02:270:201f::1: Zeit=99ms
Antwort von 2a02:270:201f::1: Zeit=96ms
Antwort von 2a02:270:201f::1: Zeit=97ms

Ping-Statistik für 2a02:270:201f::1:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 96ms, Maximum = 99ms, Mittelwert = 97ms

C:\>ping 2a02:270:1:27:2454:a241:a046:ff6c

Ping wird ausgeführt für 2a02:270:1:27:2454:a241:a046:ff6c von 2001:4dd0:XXXX:0:6cf0:d15c:5f6d:1a30
mit 32 Bytes Daten:
Zielhost nicht erreichbar.
Zielhost nicht erreichbar.
Zielhost nicht erreichbar.
Zielhost nicht erreichbar.

Ping-Statistik für 2a02:270:1:27:2454:a241:a046:ff6c:
    Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4 (100% Verlust),

I'm using a SixXS tunnel (so far no native IPv6 available via German Telekom)

PacketTracer
Title: Re: IPv6 problems
Post by: Eagle77 on November 18, 2012, 03:35:38 PM
Hmm weird, that I can't get internet access on IPv6, oh well gonna do some more research on the issue. Thanks a lot for the help m8. :)

/Eagle
Title: Re: IPv6 problems
Post by: PacketTracer on November 18, 2012, 03:49:41 PM
Last message:

What about the routing infrastructure within your ISP network: Does it forward packets for 2A02:270:1:27::/64 to your Cisco ME3600?

Good night
PT
Title: Re: IPv6 problems
Post by: Eagle77 on November 19, 2012, 10:36:33 AM
Last message:

What about the routing infrastructure within your ISP network: Does it forward packets for 2A02:270:1:27::/64 to your Cisco ME3600?

Good night
PT

Hi PT,

I fixed it. I removed 2a02:270:1:27::1/64 on the VLAN and now everything works. And this is my bad since I forgot to remove that when I added the other network address.

/Eagle
Title: Re: IPv6 problems
Post by: PacketTracer on November 19, 2012, 01:04:39 PM
Quote
I fixed it. I removed 2a02:270:1:27::1/64 on the VLAN and now everything works. And this is my bad since I forgot to remove that when I added the other network address.

Yes, when I saw this ...

Quote
And on the VLAN:
 ipv6 address 2A02:270:1:27::1/64
 ipv6 address 2A02:270:201F::1/48

... I was taken aback but didn't react to it.

Have fun!

PT
Title: Re: IPv6 problems (RESOLVED)
Post by: FurryNutz on November 19, 2012, 01:09:57 PM
Thank you PT for your help.  ;D

Glad it's working well for you Eagle77.

Enjoy.