Dec 27 2020
 

I’m trying and failing to get IPv6 routing working on my AWS EC2 FreeBSD 12.2 instance.

My current status:

  • The host has an IPv6 address
  • rtsol is running
  • ping6 google.ca gives ping6: UDP connect: No route to host
  • no issues with IPv4 traffic

In this post, I will work through Migrating to IPv6 with the goal of simultaneously solving the problem and documenting the current configuration for all who can help.

Some of these steps have already been completed but I will go through each one and show what I have.

All screenshots show the actual IP addresses used.

Step 1: Associate an IPv6 CIDR block with your VPC and subnets

Here is the screenshot of my IPv6 CIDR for the VPC. It is using 2600:1f18:461f:1a00::/56 in us-east-1.

In this screenshot, we have “To associate an IPv6 CIDR block with a VPC”. Note the routing table is rtb-033e8134b548d2107, as it will be referenced in a later section.

vpc-details

This is the “To associate an IPv6 CIDR block with a subnet” section where we have 2600:1f18:461f:1a17::/64 and 10.0.17.0/24 assigned.

subnet

Step 2: Update your route tables

We will follow “To update your route table for a public subnet” – public because we are dealing with the webserver.

From the previous screenshot, we have routing table rtb-033e8134b548d2107.

routing

We do nothing with “To update your route table for a private subnet”.

Step 3: Update your security group rules

In this section, I am deviating from the instructions. Let’s start with the EC2 instance and list the security groups involved.

This is the instance:

ec2 instance

Scrolling down, we see the four security groups involved:

Security groups

And then the inbound and outbound rules.

inbound and outbound rules

Mentioned in this section is Update your network ACL rules. Here we have them. First inbound:

Network ACL - inbound

And then outbound:

Network ACL - outbound

Step 4: Change your instance type

In this step, the instance type is t2.micro – this type was chosen for testing and will be changed when (or if) we move to production.

No action was taken in this step.

Step 5: Assign IPv6 addresses to your instances

We have IPv6 addresses. There were no actions taken in this step.

/etc/rc.conf

Here are some /etc/rc.conf settings I thought were relevant to the topic.

rtsold_enable="YES"
rtsold_flags="-aF"
ipv6_activate_all_interfaces="YES"
dhclient_program="/usr/local/sbin/dual-dhclient"
cloned_interfaces="lo1"
gateway_enable="YES"
ipv6_gateway_enable="YES"
pf_enable="YES"

ifconfig

The ifconfig output:

[ec2-user@aws-1 ~]$ ifconfig
lo0: flags=8049 metric 0 mtu 16384
	options=680003
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21
xn0: flags=8843 metric 0 mtu 9001
	options=503
	ether 0a:78:25:f1:f6:eb
	inet6 fe80::878:25ff:fef1:f6eb%xn0 prefixlen 64 scopeid 0x2
	inet6 2600:1f18:461f:1a17:644b:2b95:c4ec:80 prefixlen 128
	inet6 2600:1f18:461f:1a17:644b:2b95:c4ec:901f prefixlen 128
	inet 10.0.17.21 netmask 0xffffff00 broadcast 10.0.17.255
	media: Ethernet manual
	status: active
	nd6 options=23
lo1: flags=8049 metric 0 mtu 16384
	options=680003
	inet6 fe80::1%lo1 prefixlen 64 scopeid 0x3
	inet6 fd80::10 prefixlen 128
	inet6 fd80::25 prefixlen 128
	inet6 fd00::80 prefixlen 128
	inet 127.163.0.53 netmask 0xffffffff
	inet 127.163.0.10 netmask 0xffffffff
	inet 127.163.0.25 netmask 0xffffffff
	inet 127.163.0.80 netmask 0xffffffff
	groups: lo
	nd6 options=21
[ec2-user@aws-1 ~]$ 

routes

The netstat -nr output.

[ec2-user@aws-1 ~]$ netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.0.17.1          UGS         xn0
10.0.17.0/24       link#2             U           xn0
10.0.17.21         link#2             UHS         lo0
127.0.0.1          link#1             UH          lo0
127.163.0.10       link#3             UH          lo1
127.163.0.25       link#3             UH          lo1
127.163.0.53       link#3             UH          lo1
127.163.0.80       link#3             UH          lo1

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#1                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
2600:1f18:461f:1a17::/64          link#2                        U           xn0
2600:1f18:461f:1a17:644b:2b95:c4ec:80 link#2                    UHS         lo0
2600:1f18:461f:1a17:644b:2b95:c4ec:901f link#2                  UHS         lo0
fd00::80                          link#3                        UHS         lo0
fd80::10                          link#3                        UHS         lo0
fd80::25                          link#3                        UHS         lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#1                        U           lo0
fe80::1%lo0                       link#1                        UHS         lo0
fe80::%xn0/64                     link#2                        U           xn0
fe80::878:25ff:fef1:f6eb%xn0      link#2                        UHS         lo0
fe80::%lo1/64                     link#3                        U           lo1
fe80::1%lo1                       link#3                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0
[ec2-user@aws-1 ~]$ 

tests

A ping over IPv4 works; over IPv6 it does not.

[ec2-user@aws-1 ~]$ ping -c 5 google.ca
PING google.ca (172.217.13.227): 56 data bytes
64 bytes from 172.217.13.227: icmp_seq=0 ttl=54 time=0.924 ms
64 bytes from 172.217.13.227: icmp_seq=1 ttl=54 time=0.993 ms
64 bytes from 172.217.13.227: icmp_seq=2 ttl=54 time=1.018 ms
64 bytes from 172.217.13.227: icmp_seq=3 ttl=54 time=0.935 ms
64 bytes from 172.217.13.227: icmp_seq=4 ttl=54 time=0.961 ms

--- google.ca ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.924/0.966/1.018/0.035 ms

[ec2-user@aws-1 ~]$ ping6 -c 5 google.ca
ping6: UDP connect: No route to host
[ec2-user@aws-1 ~]$ 

Why am I not getting routes? Well, I do have routes; see the routes section above.
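What the ifconfig and netstat -nr output above actually says, as an added diagnostic (this is example code written for this page, not the author's and not part of FreeBSD): the Internet table has a default entry via 10.0.17.1 on xn0, while the Internet6 table holds the connected 2600:1f18:461f:1a17::/64, the host's own addresses and the loopback and link-local scope routes, but no default entry at all. That is exactly what "No route to host" means for an off-link destination such as google.ca. The script parses both outputs (abridged copies embedded as constructed samples), decodes the nd6 option bits using the values from FreeBSD's sys/netinet6/nd6.h (xn0's 23 is PERFORMNUD, ACCEPT_RTADV and AUTO_LINKLOCAL, so the interface is at least configured to accept router advertisements) and reports the missing default route. The function names and finding strings are my own.

```python
"""Added diagnostic for the ifconfig / netstat -nr output shown above.
Not part of the original post: parses both outputs and reports why IPv6
has no path off the subnet while IPv4 does."""
import ipaddress
import re

# FreeBSD per-interface nd6 flag bits (sys/netinet6/nd6.h)
ND6_FLAGS = {
    0x001: "PERFORMNUD",
    0x002: "ACCEPT_RTADV",
    0x004: "PREFER_SOURCE",
    0x008: "IFDISABLED",
    0x010: "DONT_SET_IFROUTE",
    0x020: "AUTO_LINKLOCAL",
    0x040: "NO_RADR",
    0x080: "NO_PREFER_IFACE",
    0x100: "NO_DAD",
}

# Constructed sample: abridged copy of the post's ifconfig output.
IFCONFIG_SAMPLE = """\
xn0: flags=8843 metric 0 mtu 9001
\tether 0a:78:25:f1:f6:eb
\tinet6 fe80::878:25ff:fef1:f6eb%xn0 prefixlen 64 scopeid 0x2
\tinet6 2600:1f18:461f:1a17:644b:2b95:c4ec:80 prefixlen 128
\tinet 10.0.17.21 netmask 0xffffff00 broadcast 10.0.17.255
\tnd6 options=23
lo1: flags=8049 metric 0 mtu 16384
\tinet6 fd00::80 prefixlen 128
\tnd6 options=21
"""

# Constructed sample: abridged copy of the post's netstat -nr output.
NETSTAT_SAMPLE = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.0.17.1          UGS         xn0
10.0.17.0/24       link#2             U           xn0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
2600:1f18:461f:1a17::/64          link#2                        U           xn0
fe80::%xn0/64                     link#2                        U           xn0
ff02::/16                         ::1                           UGRS        lo0
"""


def parse_ifconfig(text):
    """Return {ifname: {"nd6": [flag names], "global_v6": [addresses]}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+): flags=", line)
        if m:  # start of a new interface block
            cur = m.group(1)
            ifaces[cur] = {"nd6": [], "global_v6": []}
            continue
        if cur is None:
            continue
        m = re.match(r"\s+nd6 options=([0-9a-fA-F]+)", line)
        if m:  # decode the hex bitmask into flag names
            bits = int(m.group(1), 16)
            ifaces[cur]["nd6"] = [name for bit, name in ND6_FLAGS.items() if bits & bit]
            continue
        m = re.match(r"\s+inet6 (\S+) prefixlen", line)
        if m:  # strip the %scope suffix, keep only global-scope addresses
            addr = ipaddress.ip_address(m.group(1).split("%")[0])
            if addr.is_global:
                ifaces[cur]["global_v6"].append(str(addr))
    return ifaces


def parse_routes(text):
    """Return {"Internet": {dest: (gateway, netif)}, "Internet6": {...}}."""
    tables, family = {}, None
    for line in text.splitlines():
        if line.endswith(":") and " " not in line:  # "Internet:" / "Internet6:"
            family = line[:-1]
            tables[family] = {}
            continue
        if family is None or line.startswith("Destination") or not line.strip():
            continue
        dest, gateway, _flags, netif = line.split()[:4]
        tables[family][dest] = (gateway, netif)
    return tables


def diagnose(ifconfig_text, netstat_text):
    """Return a list of findings explaining why off-link IPv6 fails."""
    findings = []
    ifaces = parse_ifconfig(ifconfig_text)
    routes = parse_routes(netstat_text)
    for name, info in ifaces.items():
        if not info["global_v6"]:
            continue  # skip interfaces that carry no global IPv6 address
        if "IFDISABLED" in info["nd6"]:
            findings.append(f"{name}: IPv6 is disabled on the interface (IFDISABLED)")
        if "ACCEPT_RTADV" not in info["nd6"]:
            findings.append(f"{name}: ACCEPT_RTADV not set, router advertisements are ignored")
    if "default" not in routes.get("Internet6", {}):
        findings.append("Internet6: no default route, so any off-link destination is unreachable")
    return findings


if __name__ == "__main__":
    for finding in diagnose(IFCONFIG_SAMPLE, NETSTAT_SAMPLE):
        print(finding)
```

On the instance itself, feed the functions the live text of ifconfig and netstat -nr instead of the embedded samples; the one finding it reports for the output above is the absent Internet6 default route, with xn0 itself looking correctly configured.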

firewall

The firewall passes everything and does some redirects.

[ec2-user@aws-1 ~]$ sudo pfctl -f /etc/pf.conf
[ec2-user@aws-1 ~]$ cat /etc/pf.conf
PUBLIC="xn0"

FRESHPORTS_WWW_JAIL="127.163.0.80"
FRESHPORTS_WWW_JAIL_IPV6="fd00::80"


nat on $PUBLIC from 127.163.0.0/24 to any -> 10.0.17.21

rdr pass on $PUBLIC inet  proto tcp from any to ($PUBLIC) port = http  -> $FRESHPORTS_WWW_JAIL
rdr pass on $PUBLIC inet  proto tcp from any to ($PUBLIC) port = https -> $FRESHPORTS_WWW_JAIL

rdr pass on $PUBLIC inet6 proto tcp from any to ($PUBLIC) port = http  -> $FRESHPORTS_WWW_JAIL_IPV6
rdr pass on $PUBLIC inet6 proto tcp from any to ($PUBLIC) port = https -> $FRESHPORTS_WWW_JAIL_IPV6

pass all
[ec2-user@aws-1 ~]$ 