No IPv6 for wired device with Flint 2

Hi, I experienced a strange phenomenon after switching from an Asus router to a Flint 2. Everything works as expected, except for the IPv6 connectivity of one Ubuntu server connected to the Flint 2 via Ethernet. This server still receives an IPv6 address from the subnet provided by the ISP, and is accessible via this address, but it cannot reach any external IPv6 address. The setup looks like this:

$ ip -6 route show
2a02:908:532:bca0::/64 dev eno1 proto ra metric 100 expires 86398sec hoplimit 64 pref medium
fe80::/64 dev eno1 proto kernel metric 256 pref medium
default via fe80::9683:c4ff:feaa:be4e dev eno1 proto ra metric 100 expires 178sec hoplimit 64 pref medium

$ ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:908:532:bca0:1e69:7aff:feaf:7455/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 86399sec preferred_lft 86399sec
    inet6 fe80::1e69:7aff:feaf:7455/64 scope link 
       valid_lft forever preferred_lft forever

I can ping6 the local-link address and other addresses on the internal subnet, but no external IPs (e.g. 2001:4860:4860::8888) and not 2a02:908:532:bca0:10:18ff:fe3f:3194 (the gateway). All other devices (connected via WiFi) do not have this issue.

To illustrate, this is the respective output of traceroute:

# working device
traceroute6 to 2001:4860:4860::8888 (2001:4860:4860::8888) from 2a02:908:532:bca0:f9be:6fbe:dc81:3c2d, 64 hops max, 28 byte packets
 1  fd7d:9594:ca69::1  1049.690 ms  1.897 ms  1.752 ms
 2  2a02:908:532:bca0:10:18ff:fe3f:3194  10.221 ms  4.115 ms  3.975 ms
 3  2a02:908:500:3::1  11.705 ms  14.077 ms  12.003 ms
 4  2a02:908:0:182::1  11.603 ms  12.695 ms  12.387 ms
 5  * * *
 6  * * *
 7  2a00:1450:8154::1  23.142 ms
    2a00:1450:8163::1  18.704 ms
    2a00:1450:8152::1  15.087 ms

# Ubuntu server
traceroute to 2001:4860:4860::8888 (2001:4860:4860::8888), 30 hops max, 80 byte packets
 1  fd7d:9594:ca69::1 (fd7d:9594:ca69::1)  0.576 ms  0.498 ms  0.508 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 #...

fd7d:9594:ca69::/64 is listed as lan interface in LuCI, 2a02:908:532:bca0:10:18ff:fe3f:3194 as wan6. So all WiFi devices route successfully from lan to wan6, but the wired server does not. What am I missing here?

Hi

Please check the configuration of the Ubuntu server; it appears that the IPv6 prefix has not been updated.

Ubuntu server: 2a01:908:532:bca0
working device: 2a02:908:532:bca0
Gateway: 2a02:908:532:bca0

Sorry, that was a copy&paste error – the IPv6 prefixes match on all machines (corrected now in my post).

That does sound a bit unusual.

If no settings have been changed, both the LAN and Wi-Fi AP should normally belong to the same bridge (br-lan), so their behavior should be the same.

Could you please also check the firewall settings on your Ubuntu, just to make sure that IPv6-related traffic is fully allowed?

The firewall (ufw) is inactive on the Ubuntu server, and I do not see where and why the IPv6 routing should deviate from all other devices connected to the Flint 2 (via WiFi). I checked the netplan config and added dhcp6 –

network:
  ethernets:
    eno1:
      dhcp4: true
      dhcp4-overrides:
        use-dns: false
      dhcp6: true
      dhcp6-overrides:
        use-dns: false
      nameservers:
        addresses: [127.0.0.1, "2a02:908:532:bca0:1e69:7aff:feaf:7455"]
  version: 2

– but that did not change anything. bind9 is running on the server (for resolving my local domain), and it uses Cloudflare as forwarder.

Is there anything else I could test? I cannot ping the gateway IP (2a02:908:532:bca0:10:18ff:fe3f:3194), but I can ping other IPs in my IPv6 subnet.

Please SSH into Flint 2 and then run these commands to capture packets so we can check further what is happening.

Ubuntu

ping -6 dns.google

Flint 2

# Install tcpdump for packet capture
opkg update && opkg install tcpdump
# Check whether the ICMPv6 request is sent to br-lan
tcpdump -i br-lan icmp6
# Check whether the ICMPv6 request is forwarded to WAN
tcpdump -i eth1 icmp6

You should be able to see something like this.

Thank you, this is the output of tcpdump on the Flint 2:

tcpdump -i br-lan icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
10:58:50.958390 IP6 2a02:908:532:bca0:1e69:7aff:feaf:7455 > dns.google: ICMP6, echo request, seq 2, length 64
10:58:51.091701 IP6 GL-MT6000.lan > 2a02:908:532:bca0:dc3b:ad14:b993:b752: ICMP6, echo request, seq 0, length 8
10:58:51.982514 IP6 2a02:908:532:bca0:1e69:7aff:feaf:7455 > dns.google: ICMP6, echo request, seq 3, length 64
10:58:52.160428 IP6 fe80::9683:c4ff:feaa:be4e > ip6-allnodes: ICMP6, router advertisement, length 104
10:58:52.916708 IP6 fe80::642:1aff:fe33:a5c0 > fe80::9683:c4ff:feaa:be4e: ICMP6, neighbor solicitation, who has fe80::9683:c4ff:feaa:be4e, length 32
10:58:52.916842 IP6 fe80::9683:c4ff:feaa:be4e > fe80::642:1aff:fe33:a5c0: ICMP6, neighbor advertisement, tgt is fe80::9683:c4ff:feaa:be4e, length 24

and

tcpdump -i eth1 icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
10:59:17.583092 IP6 2a02:908:532:bca0:1e69:7aff:feaf:7455 > dns.google: ICMP6, echo request, seq 28, length 64
10:59:18.607086 IP6 2a02:908:532:bca0:1e69:7aff:feaf:7455 > dns.google: ICMP6, echo request, seq 29, length 64
10:59:19.185493 IP6 fe80::10:18ff:fe3f:3194 > ip6-allnodes: ICMP6, router advertisement, length 104
10:59:19.631094 IP6 2a02:908:532:bca0:1e69:7aff:feaf:7455 > dns.google: ICMP6, echo request, seq 30, length 64
10:59:20.655064 IP6 2a02:908:532:bca0:1e69:7aff:feaf:7455 > dns.google: ICMP6, echo request, seq 31, length 64
10:59:20.749724 IP6 fe80::9683:c4ff:feaa:be4c > fe80::10:18ff:fe3f:3194: ICMP6, neighbor solicitation, who has fe80::10:18ff:fe3f:3194, length 32
10:59:20.751727 IP6 fe80::10:18ff:fe3f:3194 > fe80::9683:c4ff:feaa:be4c: ICMP6, neighbor advertisement, tgt is fe80::10:18ff:fe3f:3194, length 24

No reply packets, as far as I can see.

When I ping dns.google from a different client (WiFi), tcpdump shows this:

tcpdump -i br-lan icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
11:04:08.714900 IP6 2a02:908:532:bca0:2c8a:ae13:4136:881a > dns.google: ICMP6, echo request, seq 5, length 16
11:04:08.726944 IP6 dns.google > 2a02:908:532:bca0:2c8a:ae13:4136:881a: ICMP6, echo reply, seq 5, length 16
11:04:09.044433 IP6 GL-MT6000.lan > 2a02:908:532:bca0:2c8a:ae13:4136:881a: ICMP6, echo request, seq 0, length 8
11:04:09.096063 IP6 2a02:908:532:bca0:2c8a:ae13:4136:881a > GL-MT6000.lan: ICMP6, echo reply, seq 0, length 8
11:04:09.644195 IP6 2a02:908:532:bca0:2c8a:ae13:4136:881a > 2a02:908:532:bca0:10:18ff:fe3f:3194: ICMP6, neighbor solicitation, who has 2a02:908:532:bca0:10:18ff:fe3f:3194, length 32
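The captures above are compared by eye to see which echo requests get a reply. As an added example (not part of the original thread), the same pairing can be done with a small awk filter over tcpdump's text output; the function name `echo_reply_summary` and the sample lines, which use documentation addresses, are constructed for illustration.

```shell
#!/bin/sh
# Summarise ICMPv6 echo traffic from tcpdump text output read on stdin.
# Prints one line per pinging flow: requests seen, replies matched by
# reversed addresses and sequence number, and a verdict.
# Router usage (assumption): tcpdump -n -c 40 -i eth1 icmp6 | echo_reply_summary
echo_reply_summary() {
    awk '
    # Return the value following the "seq" token, without the trailing comma.
    function seqno(   i, s) {
        for (i = 1; i < NF; i++)
            if ($i == "seq") { s = $(i + 1); sub(/,$/, "", s); return s }
        return ""
    }
    $2 == "IP6" && /ICMP6, echo (request|reply),/ {
        src = $3; dst = $5; sub(/:$/, "", dst); s = seqno()
        if ($0 ~ /echo request,/) {
            flow = src " > " dst
            if (!(flow in sent)) order[++n] = flow   # keep first-seen order
            sent[flow]++
            pending[flow SUBSEP s] = 1
        } else {
            flow = dst " > " src    # a reply travels in the reverse direction
            if ((flow SUBSEP s) in pending) {
                delete pending[flow SUBSEP s]
                answered[flow]++
            }
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            f = order[i]
            printf "%s sent=%d answered=%d %s\n", f, sent[f], answered[f] + 0,
                   (answered[f] + 0 == 0 ? "NO-REPLY" : "OK")
        }
    }'
}

# Constructed sample capture: one host gets replies, one does not.
SAMPLE='11:00:00.100000 IP6 2001:db8:1::10 > dns.google: ICMP6, echo request, seq 1, length 64
11:00:00.112000 IP6 dns.google > 2001:db8:1::10: ICMP6, echo reply, seq 1, length 64
11:00:00.500000 IP6 2001:db8:1::20 > dns.google: ICMP6, echo request, seq 7, length 64
11:00:01.000000 IP6 fe80::1 > ip6-allnodes: ICMP6, router advertisement, length 104
11:00:01.500000 IP6 2001:db8:1::20 > dns.google: ICMP6, echo request, seq 8, length 64'

printf '%s\n' "$SAMPLE" | echo_reply_summary
```

Running it once against the LAN bridge and once against the WAN interface shows on which side the replies stop appearing.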

It looks like the firewall on your Flint 2 may be blocking the traffic.

Have you added any custom rules in LuCI that could be related?

If possible, could you please SSH into the router and run:

iptables-save

After that, try searching for icmp6 or the IP/MAC address of your Ubuntu server in the output.

The output of iptables-save does not contain the IP or MAC address of the Ubuntu server, or the string icmp6.

I did not add any firewall rules in LuCI, and I assume there is some difference between the wired and wireless interfaces on the Flint 2 (although I cannot prove that). Thanks for your help so far, any suggestion is much appreciated.

Could you please keep the Ubuntu server pinging dns.google, then connect Flint 2 to GoodCloud and share it with us?

That way we can check remotely to figure out what happened.

I appreciate your offer, but I would rather not provide full access to my router. I am aware that this hinders the solution of my problem, and I am willing to follow any instructions on what to test and/or configure on the device.

I've discovered some errors in the previous commands.

If possible, please run ip6tables-save and search for `ipv6-icmp` or `IP/MAC address of your Ubuntu server`.

Alternatively, try running the following on Flint 2 to see if this resolves the issue.

ip6tables -I FORWARD -p ipv6-icmp -j ACCEPT

Here’s the output of ip6tables-save | grep ipv6-icmp:

-A zone_guest_input -p ipv6-icmp -m comment --comment "!fw3: Allow-ICMP-IPV6" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT

The server’s IP does not appear anywhere (according to ip6tables-save | grep "2a02:908:532:bca0:1e69:7aff:feaf:7455").

BTW, I connected another device temporarily to the Ubuntu server’s LAN port with the same Ethernet cable – and everything works. So there is something about the IPv6 routing for this server, but it did work flawlessly with an Asus router before, and IPv4 still works:

15:08:42.615739 IP charonserver.lan > one.one.one.one: ICMP echo request, id 6674, seq 1, length 64
15:08:42.629288 IP one.one.one.one > charonserver.lan: ICMP echo reply, id 6674, seq 1, length 64

From what we can see so far, this doesn’t seem to be related to the firewall or routing.
May I ask if you have enabled any additional features, such as a VPN?

No, I applied very few changes relative to the default configuration, and I have not (yet) configured a VPN.

Double check all posts.

From your traceroute results, it looks like traffic from the Ubuntu server is being stopped at the LAN → WAN boundary.

This suggests that something in Flint 2’s configuration may be blocking input / forwarding traffic from the server.

# working device
traceroute6 to 2001:4860:4860::8888 (2001:4860:4860::8888) from 2a02:908:532:bca0:f9be:6fbe:dc81:3c2d, 64 hops max, 28 byte packets
 1  fd7d:9594:ca69::1  1049.690 ms  1.897 ms  1.752 ms
 2  2a02:908:532:bca0:10:18ff:fe3f:3194  10.221 ms  4.115 ms  3.975 ms

# Ubuntu server
traceroute to 2001:4860:4860::8888 (2001:4860:4860::8888), 30 hops max, 80 byte packets
 1  fd7d:9594:ca69::1 (fd7d:9594:ca69::1)  0.576 ms  0.498 ms  0.508 ms
 2  * * *

Since we can’t directly review all configuration details on your device, could you please try resetting Flint 2 to factory settings and setting it up with only the minimum configuration needed for internet access?

This will help confirm whether the issue is caused by a custom setting.

Also, may we know whether you have tried running the following command?

ip6tables -I FORWARD -p ipv6-icmp -j ACCEPT

Yes, I did try the FORWARD rule for ip6tables (it did not help). Can I back up and restore my settings before/after a factory reset? I configured certificates and SSH keys on the router.

Standby... I have something you'll quite want for that.

Add anything you need to keep to /etc/sysupgrade.conf. Be mindful it'll also grab the /etc/config/firewall so you may not want to restore that one. They're just UTF-8/LF text files in the resulting tarball.

opkg update && opkg install openssh-sftp-server is recommended.

I might have found something. The server in question only has one IPv6 address with a /64 subnet and the tag noprefixroute:

inet6 <ip-address>/64 scope global dynamic mngtmpaddr noprefixroute

Could it be that this affects connections to external machines using IPv6? I compared this with another Ubuntu server, which has the static address with noprefixroute, but also a temporary address without that tag.