Sep 262013
When doing some tests on Suricata, I needed to setup a small IPv6 network. The setup is simple with one laptop which is Ethernet connected to a desktop. And the desktop host a Virtualbox system. This way, the desktop can act as a router with laptop on eth0 and Vbox on vboxnet0. To setup the desktop/router, I’ve used:
ip a a 4::1/64 dev eth0
ip a a 2::1/64 dev vboxnet0
echo "1">/proc/sys/net/ipv6/conf/all/forwarding
To setup the laptop who already has a IPv6 public address on eth0, I’ve done:
ip a a 4::4/64 dev wlan0
ip -6 r a 2::2/128 via 4::1 src 4::2 metric 128
Almost same thing on the Vbox:
ip a a 2::2/64 dev eth0
ip -6 r a default via 2::1
This setup should be enough but when I tried to do from the laptop:
ping6 2::2
I got a failure. I then checked the routing on the laptop:
# ip r g 2::2
2::2 via 4::1 dev wlan0  src 2a01:e35:1394:5bd0:f8b3:5a98:2715:6c8d  metric 128
A public IPv6 address is used as source address and this is confirmed by a tcpdump on the desktop:
# tcpdump -i eth0 icmp6 -nv
10:54:48.841761 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2a01:e35:1394:5bd0:f8b3:5a98:2715:6c8d > 4::1: [icmp6 sum ok] ICMP6, echo request, seq 11
And the desktop does not know how to reach this IP address because it does not have a public IPv6 address. On the laptop, I’ve dumped wlan0 config to check the address:
# ip a l dev wlan0
3: wlan0:  mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether c4:85:08:33:c4:c8 brd ff:ff:ff:ff:ff:ff
    inet brd scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 4::4/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2a01:e35:1434:5bd0:f8b3:5a98:2715:6c8d/64 scope global temporary dynamic
       valid_lft 86251sec preferred_lft 84589sec
    inet6 2a01:e35:1434:5bd0:c685:8ff:fe33:c4c8/64 scope global dynamic
       valid_lft 86251sec preferred_lft 86251sec
    inet6 fe80::c685:8ff:fe33:c4c8/64 scope link
       valid_lft forever preferred_lft forever
And, yes, 2a01:e35:1394:5bd0:f8b3:5a98:2715:6c8d is a dynamic IPv6 address which is used by default to get out (and bring a little privacy). Deleting the address did fix the ping issue:
# ip a d 2a01:e35:1394:5bd0:f8b3:5a98:2715:6c8d/64 dev wlan0
# ping6 2::2
PING 2::2(2::2) 56 data bytes
64 bytes from 2::2: icmp_seq=1 ttl=63 time=5.47 ms
And getting the route did confirm the fix was working:
# ip r g 2::2
2::2 via 4::1 dev wlan0  src 4::4  metric 128 
All that to say, that it can be useful to desactivate temporary IPv6 address before setting up a test network:
echo "0" > /proc/sys/net/ipv6/conf/wlan0/use_tempaddr

  2 Responses to “A bit of fun with IPv6 setup”

  1. To keep thinks a little bit cleaner, you should use ULA addresses from the fc00::/7 network.

  2. Thanks for pointing me to this be4stie. I will do that next time.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>