Can't reach public ipv6 address

Hello Networking Wizards

I get a delegated public IPv6 prefix from my ISP.

I would like to have one machine (server) on the network to be accessible through such a public ipv6 address.

So far everything works and is reachable on my private network for ipv4 and ipv6.

I did give the server a static ipv6 address. And I opened the router to the needed port:

config rule
        option name 'port 22 svr0'
        option src 'wan'
        option proto 'tcp'
        option dest 'lan'
        option dest_ip '2a0d:aa:bb:cc::2'
        option dest_port '22'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'port 80 svr0'
        option src 'wan'
        option proto 'tcp'
        option dest 'lan'
        option dest_ip '2a0d:aa:bb:cc::2'
        option dest_port '80'
        option family 'ipv6'
        option target 'ACCEPT'

When scanning those ports with http://www.ipv6scanner.com it says they are open.

On the server firewall those ports are also open.

Still I can't connect over those ports from outside my private network! It says host not reachable ...

What could be the issue?

Help is very much appreciated!

  • What says Host Not Reachable (do you get an IP of the router that says that thru ping, traceroute or some other means like the browser or SSH)?
  • Also, I assume you've already verified that IPv6 is working on LAN with a regular desktop/laptop (e.g. via test-ipv6.com)
2 Likes

Hello Ileachii, thank you for your answer! Glad to have you with an entire Solution Institution helping 🙂

Blockquote
What says Host Not Reachable (do you get an IP of the router that says that thru ping, traceroute or some other means like the browser or SSH)?

SSH says:
Could not resolve hostname [2a00:aa:bb:cc::2]: Name or service not known

http says:
Unable to connect
An error occurred during a connection to [2a00:aa:bb:cc::2].

ping6: unknown host [2a00:aa:bb:cc::2]

Blockquote
Also, I assume you've already verified that IPv6 is working on LAN with a regular desktop/laptop (e.g. via test-ipv6.com )

Test results:

Test with IPv4 DNS record ok (0.213s) using ipv4
Test with IPv6 DNS record ok (0.208s) using ipv6
Test with Dual Stack DNS record ok (0.274s) using ipv6
Test for Dual Stack DNS and large packet ok (0.213s) using ipv6
Test IPv6 large packet ok (0.207s) using ipv6
Test if your ISP's DNS server uses IPv6 ok (0.306s) using ipv6
Find IPv4 Service Provider ok (0.570s) using ipv4 ASN 14593
Find IPv6 Service Provider ok (0.124s) using ipv6 ASN 14593

when I ping6 my ipv6 address on the same network from another machine I get:

sudo ping6 2a00:aa:bb:cc::2
64 bytes from customer.frntdeu1.pop.starlinkisp.net: icmp_seq=0 ttl=64 time=2.952 ms
64 bytes from customer.frntdeu1.pop.starlinkisp.net: icmp_seq=1 ttl=64 time=2.849 ms
64 bytes from customer.frntdeu1.pop.starlinkisp.net: icmp_seq=2 ttl=64 time=3.422 ms

when I do an ordinary ping:
64 bytes from 2a00:aa:bb:cc::2: icmp_seq=1 ttl=64 time=1.66 ms

Check SSH and ping again without square brackets.
Even if it fails, the error messages should be different.

2 Likes

Thank you vgaetera, that was my mistake.

but without the bracket it's the same when I'm trying to reach my server from outside the network.

As said before, inside my network ipv6 connections are working ...

Do you maybe know of something I could test out on my side?

  • May I ask - what process did you use to assign a static prefix and IP if you have a PD?
  • I actually wanted you to verify the IPv6 address displayed
  • Assuming you ran it from the server, does it match the IP you issued?

Since you shouldn't get:

We need to know what's "the same"?

We need to know the error message - because as @vgaetera noted, there should be a different error message unrelated to host resolution errors.

1 Like

Ileachii, thank you for not giving up on me! I will try to answer your questions as best I can.

I did set the static address on the server manually:

Run from the server it didn't match the IP I issued.

w/o brackets:

$ ssh -i ~/.ssh/svr svr@2a00:aa:bb:cc::2
ssh: Could not resolve hostname 2a00:aa:bb:cc::2: Address family for hostname not supported

with brackets:

$ ssh -i ~/.ssh/svr svr@2a00:aa:bb:cc::2
ssh: Could not resolve hostname 2a00:aa:bb:cc::2: Name or service not known

Are you appending a colon on the end?

If so, why?

???

Brackets are invalid for SSH.

1 Like

This depends on your ISP, but typically the delegated prefix is not really static.
In the general case, you should configure dynamic prefix forwarding:
Port forwarding to a dynamic IPv6 address - #2 by vgaetera

Also check your IPv6 connectivity from the same host:

ip route get 1::
ping -6 -c 3 example.org
wget -6 -O /dev/null https://example.org/
2 Likes

This is a good question: is your test machine properly connected to the v6 Internet, and is it outside your LAN?

On the Ubuntu server turn off v6 privacy (because you want it to be findable) and configure only the interface id (last 64 of the IP) statically. Obtain the first 64 automatically from the router. Use a ddns, running the ddns client on the server machine so you know the IP registered in public DNS will be that of the server, even if the prefix from the ISP changes. If the ISP changes the prefix, static IP on the server machine will become obsolete and not work.

3 Likes
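
An added illustration, not part of any post in this thread, of the two replies above about non-static prefixes: it compares a firewall rule pinned to a full address with one that matches only the interface identifier, across a prefix change. It assumes OpenWrt's negative prefix length in `dest_ip` (for example `::2/-64`) matches the trailing 64 bits; the prefixes are constructed documentation values and all function names are hypothetical.

```python
import ipaddress

FULL = (1 << 128) - 1

def parse_dest_ip(spec):
    """Return (address_int, mask_int) for a rule's dest_ip value.

    Accepts a bare address, addr/N (prefix match) and addr/-N, the
    negative-length form assumed here to mean "match the last N bits".
    """
    addr, _, length = spec.partition("/")
    value = int(ipaddress.IPv6Address(addr))
    if not length:
        return value, FULL
    n = int(length)
    if not -128 <= n <= 128:
        raise ValueError(f"bad prefix length in {spec!r}")
    if n >= 0:
        mask = FULL ^ ((1 << (128 - n)) - 1)   # leading n bits
    else:
        mask = (1 << -n) - 1                    # trailing |n| bits
    return value, mask

def rule_matches(spec, address):
    """True if the rule's dest_ip covers the given destination address."""
    value, mask = parse_dest_ip(spec)
    return int(ipaddress.IPv6Address(address)) & mask == value & mask

def host_address(lan_prefix, interface_id):
    """Combine the router-advertised /64 with a fixed interface identifier."""
    net = ipaddress.IPv6Network(lan_prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 LAN prefix")
    iid = int(ipaddress.IPv6Address(interface_id))
    if iid >> 64:
        raise ValueError("interface identifier must fit in the low 64 bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def reachable_after_renumbering(spec, prefixes, interface_id="::2"):
    """Map each LAN prefix to whether the rule still covers the server."""
    return {p: rule_matches(spec, host_address(p, interface_id)) for p in prefixes}

# Constructed documentation prefixes standing in for two successive delegations.
PREFIXES = ["2001:db8:aa:bb::/64", "2001:db8:cc:dd::/64"]

if __name__ == "__main__":
    for spec in ("2001:db8:aa:bb::2", "::2/-64"):
        print(spec, reachable_after_renumbering(spec, PREFIXES))
```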

no, colon at the end. It's just how the error message is summed up

ok, comprende, thank you for the clarification

$ ip route get 1::
1:: from :: via 2a00:aa:bb:cc::1 dev enp3s0f0 proto static src 2a00:aa:bb:cc::xxx metric 1024 pref medium

2a00:aa:bb:cc::1 -> my lan's ipv6 (Network -> Interfaces)
2a00:aa:bb:cc::xxx -> not the ipv6 I did set manually

$ ping -6 -c 3 example.org
PING example.org(2606:2800:220:1:248:1893:25c8:1946 (2606:2800:220:1:248:1893:25c8:1946)) 56 data bytes
64 bytes from 2606:2800:220:1:248:1893:25c8:1946 (2606:2800:220:1:248:1893:25c8:1946): icmp_seq=1 ttl=55 time=141 ms
64 bytes from 2606:2800:220:1:248:1893:25c8:1946 (2606:2800:220:1:248:1893:25c8:1946): icmp_seq=2 ttl=55 time=146 ms
64 bytes from 2606:2800:220:1:248:1893:25c8:1946 (2606:2800:220:1:248:1893:25c8:1946): icmp_seq=3 ttl=55 time=144 ms
$ wget -6 -O /dev/null https://example.org/
--2023-11-03 19:58:03--  https://example.org/
Resolving example.org (example.org)... 2606:2800:220:1:248:1893:25c8:1946
Connecting to example.org (example.org)|2606:2800:220:1:248:1893:25c8:1946|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1256 (1.2K) [text/html]
Saving to: ‘/dev/null’
1 Like

test machine (server) is in the same lan and in the lan I have connectivity to my webserver etc ...

This sounds like a good solution but no idea how to set this up. Will have to look into it.