Amazon VPC IPv6 – Missing Default Route in Ubuntu

amazon-vpc, amazon-web-services, dhcpv6, ipv6

Now that Amazon has extended IPv6 support for VPC to most of their global regions including eu-west-1, I'm trying to get my instances connected. Unfortunately I can't get routing to work.

I've followed the steps in the migration guide, i.e. I've associated an IPv6 CIDR to our VPC, assigned a part of that to our 'public' subnet, updated the VPC route table to send ::/0 through the igw (internet gateway), made sure that route table is assigned to the public subnet and assigned IPv6 addresses to some new Ubuntu 16.04 instances from the Console.

I then configured Ubuntu to get the assigned address via DHCPv6 as described here, by adding iface eth0 inet6 dhcp to the networking setup and rebooting.

When I reboot the instance it takes a few minutes longer to start up but eventually I can log in and ip a s shows both an IPv4 and a global IPv6 address configured.

However, the v6 network isn't working:

# ping6 www.google.com
connect: Network is unreachable

The route table is indeed missing a default route:

# ip -6 route
2001:DB8:1234:1234:1234:1234:1234:1234 dev eth0  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256  mtu 9001

Manually adding a default v6 route, via ip -6 route add default dev eth0, leads to a routing table that looks correct:

# ip -6 route
2001:DB8:1234:1234:1234:1234:1234:1234 dev eth0  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256  mtu 9001
default dev eth0  metric 1024

Unfortunately, this results in a different error:

# ping6 www.google.com
PING www.google.com(dh-in-x6a.1e100.net) 56 data bytes
From dh-in-x6a.1e100.net icmp_seq=1 Destination unreachable: Address unreachable
From dh-in-x6a.1e100.net icmp_seq=2 Destination unreachable: Address unreachable
From dh-in-x6a.1e100.net icmp_seq=3 Destination unreachable: Address unreachable

Isn't the DHCPv6-client supposed to take care of adding a default route? And why can I not reach the outside world even then?

Best Answer

Your routing table does not look correct. This line looks very wrong:

default dev eth0  metric 1024

This line says that the entire internet is connected directly to your eth0 interface without needing to go through any intermediate routers. This will cause your system to send neighbor discovery requests onto the LAN for every host it tries to reach. And if that host is not directly connected to your LAN, it will not see the neighbor discovery request.

So you cannot really expect anything to work with that routing table. With some routers it is possible to configure a neighboring router to work around your misconfiguration. But you shouldn't count on it. Instead you should find out what the correct gateway address is and configure that.

Here is an example of what the routing table entry looks like on one particular machine with functional connectivity:

default via fe80::1 dev eth0  metric 1024  advmss 1220

The via fe80::1 part is what is missing from yours. The address you are supposed to use may be different from fe80::1; you would need to ask your provider what gateway address to use if they haven't told you so. The two ways I have mostly seen providers choose to address their gateway are either fe80::1 or the /64 prefix followed by ::1, which in your case would become 2001:DB8:1234:1234::1.

The advmss 1220 part is not absolutely necessary, but I include it because it will work around some MTU issues.

Once you have fixed the routing table entry, the next step is to verify that the router shows up in your neighbor cache. And then use traceroute6 or mtr to see how far you can get packets before they get lost.
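The checks the answer describes (does the default route carry a via gateway, what are the usual gateway candidates for the assigned prefix, and does that gateway appear in the neighbor cache) can be scripted. The following is an added example written for this page, not code from the questioner, the answerer or any AWS documentation. It parses the output of ip -6 route and ip -6 neigh; the sample route tables are constructed from the lines quoted in the thread, and the neighbor-cache line and its link-layer address are made up.

```python
"""Sanity-check `ip -6 route` / `ip -6 neigh` output for a gateway-less default route.

Added example for this thread, not part of the original question or answer.
Sample inputs are constructed; the neighbor entry's lladdr is invented.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample: the questioner's table after `ip -6 route add default dev eth0`
BROKEN_TABLE = """\
2001:DB8:1234:1234:1234:1234:1234:1234 dev eth0  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256  mtu 9001
default dev eth0  metric 1024
"""

# Constructed sample: the same table with a proper gateway, as the answer recommends
FIXED_TABLE = """\
2001:DB8:1234:1234:1234:1234:1234:1234 dev eth0  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256  mtu 9001
default via fe80::1 dev eth0  metric 1024  advmss 1220
"""

# Constructed sample of `ip -6 neigh` output; the link-layer address is made up.
NEIGH_TABLE = "fe80::1 dev eth0 lladdr 0a:00:00:00:00:01 router REACHABLE\n"


def parse_routes(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse `ip -6 route` lines into dicts with 'dst', 'via' and 'dev' keys."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        route: Dict[str, Optional[str]] = {"dst": fields[0], "via": None, "dev": None}
        # Remaining tokens come as "keyword value" pairs; only via/dev matter here.
        for key, value in zip(fields[1:], fields[2:]):
            if key in ("via", "dev"):
                route[key] = value
        routes.append(route)
    return routes


def check_default_route(text: str) -> str:
    """Classify the default route: 'missing', 'onlink' (no via gateway) or 'ok'."""
    defaults = [r for r in parse_routes(text) if r["dst"] in ("default", "::/0")]
    if not defaults:
        return "missing"
    if any(r["via"] is None for r in defaults):
        # An on-link default makes the host send neighbor solicitations for
        # every destination instead of forwarding to a router.
        return "onlink"
    return "ok"


def gateway_candidates(addr_with_prefix: str) -> List[str]:
    """Return the two gateway conventions the answer mentions: fe80::1 and <prefix>::1."""
    iface = ipaddress.IPv6Interface(addr_with_prefix)
    prefix_gw = iface.network.network_address + 1
    return ["fe80::1", str(prefix_gw)]


def fix_command(dev: str, gateway: str) -> str:
    """Build the iproute2 command that installs a default route through a gateway."""
    ipaddress.IPv6Address(gateway)  # raises ValueError on a malformed gateway
    return f"ip -6 route replace default via {gateway} dev {dev}"


def gateway_neighbor_state(neigh_text: str, gateway: str) -> Optional[str]:
    """Return the NUD state (REACHABLE, STALE, FAILED, ...) of the gateway, or None if absent."""
    gw = ipaddress.IPv6Address(gateway)
    for line in neigh_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            if ipaddress.IPv6Address(fields[0]) == gw:
                return fields[-1]
        except ValueError:
            continue  # not an address line (e.g. a blank or header), skip it
    return None


if __name__ == "__main__":
    print("broken table:", check_default_route(BROKEN_TABLE))
    print("fixed table: ", check_default_route(FIXED_TABLE))
    for gw in gateway_candidates("2001:DB8:1234:1234:1234:1234:1234:1234/64"):
        print("candidate gateway:", gw, "->", fix_command("eth0", gw))
    print("neighbor state of fe80::1:", gateway_neighbor_state(NEIGH_TABLE, "fe80::1"))
```

On a live host you would feed it the real output (for example subprocess.run(["ip", "-6", "route"], capture_output=True, text=True).stdout); a result of "onlink" reproduces the exact Address unreachable symptom from the question, and a gateway that is absent from the neighbor cache, or stuck in FAILED, points at the wrong gateway address rather than at routing.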