I’m trying and failing to get IPv6 routing working on my AWS EC2 FreeBSD 12.2 instance.
My current status:
- The host has an IPv6 address
- rtsol is running
- ping6 google.ca gives ping6: UDP connect: No route to host
- no issues with IP4 traffic
In this post, I will work through Migrating to IPv6 with the goal of simultaneously solving the problem and documenting the current configuration for all who can help.
Some of these steps have already been completed but I will go through each one and show what I have.
All screenshots show the actual IP addresses used.
Step 1: Associate an IPv6 CIDR block with your VPC and subnets
Here is the screen shot of my IPv6 CIDR for the VPC. It is using 2600:1f18:461f:1a00::/56 in us-east-1.
In this screenshot, we have “To associate an IPv6 CIDR block with a VPC“. Note the routing table is rtb-033e8134b548d2107 as it will be referenced in a future section.
This is the “To associate an IPv6 CIDR block with a subnet” section where we have 2600:1f18:461f:1a17::/64 and 10.0.17.0/24 assigned.
Step 2: Update your route tables
We will follow “To update your route table for a public subnet” – public because we are dealing with the webserver.
From the previous screen shot, we have routing table rtb-033e8134b548d2107.
We do nothing with “To update your route table for a private subnet“.
Step 3: Update your security group rules
In this section, I am deviating from the instructions. Let’s start with the EC2 instance and list the security groups involved.
This is the instance:
Scrolling down, we see the four security groups involved:
And then the inbound and outbound rules.
Mentioned in this section is Update your network ACL rules. Here we have them. First inbound:
And then outbound:
Step 4: Change your instance type
In this step, the instance type is t2.micro – this is type was chosen for testing and will be changed when (or if) we move to production.
No action was taken in this step.
Step 5: Assign IPv6 addresses to your instances
We have IPv6 addresses. There were no actions taken in this step.
Here are some /etc/rc.conf settings I thought were relevant to the topic.
rtsold_enable="YES" rtsold_flags="-aF" ipv6_activate_all_interfaces="YES" dhclient_program="/usr/local/sbin/dual-dhclient" cloned_interfaces="lo1" gateway_enable="YES" ipv6_gateway_enable="YES" pf_enable="YES"
The ifconfig output:
[ec2-user@aws-1 ~]$ ifconfig lo0: flags=8049
metric 0 mtu 16384 options=680003 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 inet 127.0.0.1 netmask 0xff000000 groups: lo nd6 options=21 xn0: flags=8843 metric 0 mtu 9001 options=503 ether 0a:78:25:f1:f6:eb inet6 fe80::878:25ff:fef1:f6eb%xn0 prefixlen 64 scopeid 0x2 inet6 2600:1f18:461f:1a17:644b:2b95:c4ec:80 prefixlen 128 inet6 2600:1f18:461f:1a17:644b:2b95:c4ec:901f prefixlen 128 inet 10.0.17.21 netmask 0xffffff00 broadcast 10.0.17.255 media: Ethernet manual status: active nd6 options=23 lo1: flags=8049 metric 0 mtu 16384 options=680003 inet6 fe80::1%lo1 prefixlen 64 scopeid 0x3 inet6 fd80::10 prefixlen 128 inet6 fd80::25 prefixlen 128 inet6 fd00::80 prefixlen 128 inet 127.163.0.53 netmask 0xffffffff inet 127.163.0.10 netmask 0xffffffff inet 127.163.0.25 netmask 0xffffffff inet 127.163.0.80 netmask 0xffffffff groups: lo nd6 options=21 [ec2-user@aws-1 ~]$
The netstat -nr output.
[ec2-user@aws-1 ~]$ netstat -nr Routing tables Internet: Destination Gateway Flags Netif Expire default 10.0.17.1 UGS xn0 10.0.17.0/24 link#2 U xn0 10.0.17.21 link#2 UHS lo0 127.0.0.1 link#1 UH lo0 127.163.0.10 link#3 UH lo1 127.163.0.25 link#3 UH lo1 127.163.0.53 link#3 UH lo1 127.163.0.80 link#3 UH lo1 Internet6: Destination Gateway Flags Netif Expire ::/96 ::1 UGRS lo0 ::1 link#1 UH lo0 ::ffff:0.0.0.0/96 ::1 UGRS lo0 2600:1f18:461f:1a17::/64 link#2 U xn0 2600:1f18:461f:1a17:644b:2b95:c4ec:80 link#2 UHS lo0 2600:1f18:461f:1a17:644b:2b95:c4ec:901f link#2 UHS lo0 fd00::80 link#3 UHS lo0 fd80::10 link#3 UHS lo0 fd80::25 link#3 UHS lo0 fe80::/10 ::1 UGRS lo0 fe80::%lo0/64 link#1 U lo0 fe80::1%lo0 link#1 UHS lo0 fe80::%xn0/64 link#2 U xn0 fe80::878:25ff:fef1:f6eb%xn0 link#2 UHS lo0 fe80::%lo1/64 link#3 U lo1 fe80::1%lo1 link#3 UHS lo0 ff02::/16 ::1 UGRS lo0 [ec2-user@aws-1 ~]$
A ping on IP4 works, IPv6 no.
[ec2-user@aws-1 ~]$ ping -c 5 google.ca PING google.ca (184.108.40.206): 56 data bytes 64 bytes from 220.127.116.11: icmp_seq=0 ttl=54 time=0.924 ms 64 bytes from 18.104.22.168: icmp_seq=1 ttl=54 time=0.993 ms 64 bytes from 22.214.171.124: icmp_seq=2 ttl=54 time=1.018 ms 64 bytes from 126.96.36.199: icmp_seq=3 ttl=54 time=0.935 ms 64 bytes from 188.8.131.52: icmp_seq=4 ttl=54 time=0.961 ms --- google.ca ping statistics --- 5 packets transmitted, 5 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 0.924/0.966/1.018/0.035 ms [ec2-user@aws-1 ~]$ ping6 -c 5 google.ca ping6: UDP connect: No route to host [ec2-user@aws-1 ~]$
Why am I not getting routes? Well, I do have a route, see a previous section for routes.
The firewall passes all, and does some redirect.
[ec2-user@aws-1 ~]$ sudo pfctl -f /etc/pf.conf [ec2-user@aws-1 ~]$ cat /etc/pf.conf PUBLIC="xn0" FRESHPORTS_WWW_JAIL="127.163.0.80" FRESHPORTS_WWW_JAIL_IPV6="fd00::80" nat on $PUBLIC from 127.163.0.0/24 to any -> 10.0.17.21 rdr pass on $PUBLIC inet proto tcp from any to ($PUBLIC) port = http -> $FRESHPORTS_WWW_JAIL rdr pass on $PUBLIC inet proto tcp from any to ($PUBLIC) port = https -> $FRESHPORTS_WWW_JAIL rdr pass on $PUBLIC inet6 proto tcp from any to ($PUBLIC) port = http -> $FRESHPORTS_WWW_JAIL_IPV6 rdr pass on $PUBLIC inet6 proto tcp from any to ($PUBLIC) port = https -> $FRESHPORTS_WWW_JAIL_IPV6 pass all [ec2-user@aws-1 ~]$