When doing some tests on Suricata, I needed to setup a small IPv6 network. The setup is simple with one laptop which is Ethernet connected to a desktop. And the desktop host a Virtualbox system.
This way, the desktop can act as a router with laptop on eth0 and Vbox on vboxnet0.
To setup the desktop/router, I’ve used:
ip a a 4::1/64 dev eth0 ip a a 2::1/64 dev vboxnet0 echo "1">/proc/sys/net/ipv6/conf/all/forwarding
To setup the laptop who already has a IPv6 public address on eth0, I’ve done:
ip a a 4::4/64 dev wlan0 ip -6 r a 2::2/128 via 4::1 src 4::2 metric 128
Almost same thing on the Vbox:
ip a a 2::2/64 dev eth0 ip -6 r a default via 2::1
This setup should be enough but when I tried to do from the laptop:
ping6 2::2
I got a failure.
I then checked the routing on the laptop:
# ip r g 2::2 2::2 via 4::1 dev wlan0 src 2a01:e35:1394:5bd0:f8b3:5a98:2715:6c8d metric 128
A public IPv6 address is used as source address and this is confirmed by a tcpdump on the desktop:
# tcpdump -i eth0 icmp6 -nv 10:54:48.841761 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2a01:e35:1394:5bd0:f8b3:5a98:2715:6c8d > 4::1: [icmp6 sum ok] ICMP6, echo request, seq 11
And the desktop does not know how to reach this IP address because it does not have a public IPv6 address.
On the laptop, I’ve dumped wlan0 config to check the address:
# ip a l dev wlan0 3: wlan0:mtu 1500 qdisc mq state UP group default qlen 1000 link/ether c4:85:08:33:c4:c8 brd ff:ff:ff:ff:ff:ff inet 192.168.1.137/24 brd 192.168.1.255 scope global wlan0 valid_lft forever preferred_lft forever inet6 4::4/64 scope global valid_lft forever preferred_lft forever inet6 2a01:e35:1434:5bd0:f8b3:5a98:2715:6c8d/64 scope global temporary dynamic valid_lft 86251sec preferred_lft 84589sec inet6 2a01:e35:1434:5bd0:c685:8ff:fe33:c4c8/64 scope global dynamic valid_lft 86251sec preferred_lft 86251sec inet6 fe80::c685:8ff:fe33:c4c8/64 scope link valid_lft forever preferred_lft forever
And, yes, 2a01:e35:1394:5bd0:f8b3:5a98:2715:6c8d is a dynamic IPv6 address which is used by default to get out (and bring a little privacy).
Deleting the address did fix the ping issue:
# ip a d 2a01:e35:1394:5bd0:f8b3:5a98:2715:6c8d/64 dev wlan0 # ping6 2::2 PING 2::2(2::2) 56 data bytes 64 bytes from 2::2: icmp_seq=1 ttl=63 time=5.47 ms
And getting the route did confirm the fix was working:
# ip r g 2::2 2::2 via 4::1 dev wlan0 src 4::4 metric 128
All that to say, that it can be useful to desactivate temporary IPv6 address before setting up a test network:
echo "0" > /proc/sys/net/ipv6/conf/wlan0/use_tempaddr
To keep thinks a little bit cleaner, you should use ULA addresses from the fc00::/7 network.
Thanks for pointing me to this be4stie. I will do that next time.