IPv6 ping to local server only works for one of two IPv6 addresses?

Hello IPv6 + routing experts -

I encountered this issue recently, on both 21.02 and master.

Specifically, when trying to ping a local server on my network by hostname, my ping command will work 50% of the time, depending on which IPv6 address was resolved at the time.

Here's an example:

╰─ ping server.lan
PING server.lan(server.lan (fdd7:68a2:2da1::2a2)) 56 data bytes
64 bytes from server.lan (fdd7:68a2:2da1::2a2): icmp_seq=1 ttl=64 time=1.89 ms
64 bytes from server.lan (fdd7:68a2:2da1::2a2): icmp_seq=2 ttl=64 time=5.24 ms
64 bytes from server.lan (fdd7:68a2:2da1::2a2): icmp_seq=3 ttl=64 time=3.64 ms
^C
--- server.lan ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 1.891/3.588/5.236/1.366 ms

╭─ ~  ✔  08:28:06 AM
╰─ ping server.lan
PING server.lan(server.lan (2600:8802:5306:4105::2a2)) 56 data bytes
^C
--- server.lan ping statistics ---
68 packets transmitted, 0 received, 100% packet loss, time 67904ms

The commands were literally run in quick succession. The chosen IPv6 address seems to toggle.

As you can see, it works for the fdd7... local prefix, but not the 2600... prefix.

I guess I have two questions:

  1. How do I only return a local prefix from my DNS so I don't have two IPv6 IPs that resolve to my server?
  2. If the above isn't possible, how do I fix routing so that the 2600 IP is properly reachable?

Interestingly, pinging openwrt.lan always uses the fdd7 local prefix:

╭─ ~  1 ✘  08:39:10 AM
╰─ ping openwrt.lan
PING openwrt.lan(OpenWrt.lan (fdd7:68a2:2da1::1)) 56 data bytes
64 bytes from OpenWrt.lan (fdd7:68a2:2da1::1): icmp_seq=1 ttl=64 time=1.52 ms
^C
--- openwrt.lan ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.518/1.518/1.518/0.000 ms

╭─ ~  ✔  08:39:16 AM
╰─ ping openwrt.lan
PING openwrt.lan(OpenWrt.lan (fdd7:68a2:2da1::1)) 56 data bytes
64 bytes from OpenWrt.lan (fdd7:68a2:2da1::1): icmp_seq=1 ttl=64 time=1.72 ms
^C
--- openwrt.lan ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.720/1.720/1.720/0.000 ms

Thank you for your help!

Just to make it clear, if both the initiator of the ping and the responder are in the same LAN, then OpenWrt doesn't play any role in this. Under normal circumstances, a host should respond to both ULA and GUA addresses.

dietpi@RockPi:[~]$ ping raspi.mrv
PING raspi.mrv(raspi.mrv (fd00:bbbb::3)) 56 data bytes
64 bytes from raspi.mrv (fd00:bbbb::3): icmp_seq=1 ttl=63 time=0.948 ms
64 bytes from raspi.mrv (fd00:bbbb::3): icmp_seq=2 ttl=63 time=1.03 ms
^C
--- raspi.mrv ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 0.948/0.988/1.029/0.051 ms
dietpi@RockPi:[~]$ ping raspi.mrv
PING raspi.mrv(raspi.mrv (2aaa:aaaa:aaaa:7500::3)) 56 data bytes
64 bytes from raspi.mrv (2aaa:aaaa:aaaa:7500::3): icmp_seq=1 ttl=64 time=1.55 ms
64 bytes from raspi.mrv (2aaa:aaaa:aaaa:7500::3): icmp_seq=2 ttl=64 time=0.755 ms
^C
--- raspi.mrv ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 0.755/1.153/1.551/0.398 ms

So for your case I'd suggest checking the firewall settings of the server. Keep in mind that dhcp6 addresses are handed out with a /128 mask, therefore any other address is considered external, and Windows by default blocks external requests.

Hmmm, okay I'll take a look at my server's firewall settings and see what I can find.

You can quickly narrow down the suspect by disabling the firewall.

Yup I'll give that a shot. I just had a reboot so waiting for dnsmasq to pick up my server's hostname again, then I'll try disabling my firewall.

TBH, I'm thinking of disabling my server's firewall completely. I'm not sure what real benefit it's providing, considering that I use my OpenWrt's router firewall to handle everything at the edge.

I'll report back once I've been able to confirm that shutting down the firewall is the fix.

Okay I figured it out - it was directly tied to my VPN setup on my server. My VPN client has a setting for allowing local LAN access. With that enabled, I could only access my server using local addresses (192.168.x.x or fxxx:: ).

So it was a firewall issue, just not the firewall I was expecting. I'm going to try and come up with a way to force my DNS server to always respond with local addresses for the server to work around it, but the main issue has been diagnosed.
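
A way to test each resolved address on its own, instead of relying on whichever one ping happens to pick for the hostname, and to see at a glance whether the failures line up with the ULA/GUA split seen in this thread. This is an added example, not part of the thread; it assumes a glibc getent and an iputils ping that accepts -6, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: probe every IPv6 address a name resolves to, one by one.

# classify_v6 ADDR -> ula | gua | link-local | other
classify_v6() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        f[cd][0-9a-f][0-9a-f]:*)        echo ula ;;         # fc00::/7
        fe[89ab][0-9a-f]:*)             echo link-local ;;  # fe80::/10
        [23][0-9a-f][0-9a-f][0-9a-f]:*) echo gua ;;         # 2000::/3
        *)                              echo other ;;
    esac
}

# resolve_v6 NAME -> unique IPv6 addresses for NAME (assumes glibc getent)
resolve_v6() {
    getent ahostsv6 "$1" | awk '{print $1}' | sort -u
}

# ping_once ADDR -> exit 0 if one echo reply arrives within 2 s (iputils ping)
ping_once() {
    ping -6 -c 1 -W 2 "$1" >/dev/null 2>&1
}

# report PROBE ADDR... -> one "scope address ok|FAIL" line per address.
# PROBE is the name of a command or function that takes an address.
report() {
    probe=$1; shift
    for addr in "$@"; do
        if "$probe" "$addr"; then status=ok; else status=FAIL; fi
        printf '%s %s %s\n' "$(classify_v6 "$addr")" "$addr" "$status"
    done
}

# Usage: sh v6probe.sh server.lan
if [ "$#" -gt 0 ]; then
    # Word splitting of the address list is intended here.
    report ping_once $(resolve_v6 "$1")
fi
```

If only the gua lines fail while the ula lines succeed, the name resolution is fine and the filtering is happening on the target host, which is where the firewall or VPN client rules should be checked.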
