
RT-AC68U can't ping IPv6 but clients can?


I finally figured it out, it's a firewall issue.
Run this:
Code:
ip6tables -nvL INPUT --line-numbers
And it shows that the default rule for incoming packets is drop, except for the LAN's.
You can clearly see the count of dropped packets there.
Manually adding your custom rules does the work.
 
I can't confirm / reply for @bengalih but in my case, no, that's not correct. As you may have already read, I can ping6 ANY domain from Client and/or Router, apart from www.google.com & its variants.
Code:
ip6tables -nvL INPUT --line-numbers
in my case (only on the Router, N/A on a Client) I do not see: "...the default rule for incoming packets are dropped except the lan's" as you do, in your case. Just guessing that might be due to current setup differences? You can use ip6tables for clearer, helpful views of your current config, that's very true, eg:
Code:
ip6tables -L -n -v
What is again a little odd though, is that I can run this (IPv4)
Code:
iptables -L -n -v -t nat --line-numbers
But not this (IPv6)
Code:
ip6tables -L -n -v -t nat --line-numbers
Because if I do, the error is this:
Code:
ip6tables v1.4.15: can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
After reading your post @tramchamploo it made me quickly re-test a few things and I think my previous Google DNS guess being related to the ping6 issue that @bengalih has, was wrong, because, as I posted earlier: from either Router or Client, although I can easily do this via ping (IPv4) I cannot do this:
Code:
ping6 www.google.com
Yet, I can easily do this (and the IPv4 version of it) successfully, from either Router or Client:
Code:
curl -6 www.google.com
Thus proving to myself :rolleyes: that a Google DNS related ping6 issue, was not actually the case for me.
Let's see what @bengalih has found out / posts next, before anything else
 
Your case is really weird.
I tried to ping6 a local site and it turned out fine. I have no access to google.com here for censorship reasons. We are likely experiencing different issues here.
ip6tables on Asus Merlin has a rather complicated ICMP chain, maybe check on that? Or just disable the firewall.
 
@tramchamploo and @learning_curve
Apologies, I apparently wasn't getting any notifications on this thread despite being subscribed.
It became a non-issue for a while, but I am trying to learn more about IPv6 and get some other things setup and this may be a sticking point.

Right now my IPv6 is configured using "Native" mode and is getting a /60 block from my ISP. It appears my internal clients are also properly receiving their v6 addresses.
My clients (Windows) can all ping each other using either their global IPv6 or their Link Local (if I disable the firewall).
The router is able to ping my internal clients by their global IPv6, but not their link local.
The router is unable to ping any external IPv6 (e.g. www.cloudflare.com [2606:4700::6810:7b60]).

This is what my iptables currently looks like:

Code:
root@router-asus:/tmp/home/root# ip6tables -nvL INPUT --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      194 22495 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
2     6189  802K ACCEPT     all      br0    *       ::/0                 ::/0                 state NEW
3        2   208 ACCEPT     all      lo     *       ::/0                 ::/0                 state NEW
4        0     0 logdrop    all      *      *       ::/0                 ::/0                 state INVALID
5        0     0 ACCEPT     59       *      *       ::/0                 ::/0                 length 40
6     2595  261K ACCEPT     all      br0    *       ::/0                 ::/0
7        5  1040 ACCEPT     all      lo     *       ::/0                 ::/0
8        4   676 ACCEPT     udp      *      *       ::/0                 ::/0                 udp spt:547 dpt:546
9      187 13424 ICMP_V6_LOCAL  icmpv6    *      *       ::/0                 ::/0
10       0     0 ICMP_V6    icmpv6    *      *       ::/0                 ::/0
11       0     0 logdrop    all      *      *       ::/0                 ::/0

I would really like to get this working as I have a feeling some of the other things I am trying to configure with IPv6 are failing due to whatever this is.

Thanks.
 
What are your current IPv6 routes? Default should be the link local address of your ISP next-hop router (at least mine is).

Try traceroute6 www.cloudflare.com
 
I posted my routes here:

the first entry is my WAN IPv6 and the second is my Local IPv6 as shown on my router IPv6 page.

I did a traceroute already from a client (which is able to ping) and my router to a google address.
You can see it here:


What is interesting (I think) is the router doesn't make it past [2001:1890:ff:ffff:12:122:22:94].
I'm not sure what address this is. It identifies as AT&T (my ISP).
I'm not sure if it is external or internal... I don't see it tagged to any of my interfaces.
However, when I try to ping that address from my phone I am only able to access it when connected to my local WiFi, and not when I go onto cellular data.
 
I think it’s safe to say the traffic leaves your network. Are the routes the same 6 months from your linked post?

Sounds like an ISP issue to me.
 
Yes, the routes are the same; I checked before linking the old post.

To clarify, it isn't just ICMP traffic, I am able to wget/curl a website, but not over IPv6.
Also, IPv6 obviously works as I can both ping out with clients AND if I open the address in the IPv6 firewall, I am able to forward external traffic onto an internal web server.

What could the ISP be doing that would restrict this on my Asus only?
 
My ISP (Comcast) gives the router an address from a different range (2001: ) than my LAN prefix delegation (2601: ). They could be treating them differently. I’m mostly guessing at this point.
 
That appears to be the same as mine as per the info I provided before. My WAN IPv6 is a 2100: and my LAN IPv6 (and all my clients) are 2600:

I don't know if this will make a difference, but I am going to disable the wpa_supplicant on my device and put the provider's equipment back in front. I think I had their stuff configured in pass-through mode, so it might be the same behavior.

I'll have to check on some other forums I'm on that discuss AT&T more to see if anyone has heard of it.

That [2001:1890:ff:ffff:12:122:22:94] address is definitely a public IP? I am asking because again - if I try to ping it from my phone on my LAN(wifi) I am able to, but when I switch to data I cannot. I suppose it could be blocked to address outside of AT&T which is why that happens (?)
 
Ok - well something is going on with the ISP, or at least how I'm getting addresses from them.
I went ahead and disabled my wpa_supplicant configuration which was bypassing the ISP equipment and allowing me to plug my ASUS directly into the ONT to authenticate onto the fiber. I put their gateway back configured in passthrough (pseudo-bridge) mode so that it still passes public IP info onto my Asus.
I still get the same public IPv4 address as before, but my IPv6 address is now also a 2600: address and not a 2100:.
In this configuration I am able to ping outside addresses.

I'm going to take this to my ISP forum and see if I can get any answers.
In the meantime, any more ideas are appreciated.
 
Your case is really weird.
I tried to ping6 a local site and it turned out fine. I have no access to google.com here for censorship reasons. We are likely experiencing different issues here.
ip6tables on Asus Merlin has a rather complicated ICMP chain, maybe check on that? Or just disable the firewall.
^^ This (and my posts before it) were from when I was using a different Merlin firmware release (several Merlin firmware releases prior to the one I am using now) and... I'm guessing that it must be mainly due to lots of subsequent firmware improvements and some DNS setup changes made since back then; running Merlin 386.5_2 now, I have no such issues any more, at all. Everything with IPv6 works exactly as it should.

@tramchamploo and @learning_curve
Apologies, I apparently wasn't getting any notifications on this thread despite being subscribed.
It became a non-issue for a while, but I am trying to learn more about IPv6 and get some other things setup and this may be a sticking point.
No worries. I'm lucky enough (see above) not to have any such issues with IPv6 now (with either my ISP or my router's setup / performance). I do use my ISP's modem in bridge mode though & then my router - FWIW.
 
I'm just updating this thread after some time since I realized I never followed up on it. I was working on some optimization of this and thought I would detail in case someone else came looking.

The problem has to do specifically with using the wpa_supplicant configuration to bypass the AT&T fiber BGW device. If this is not what you are doing, then likely this particular problem doesn't apply to you. This might work for other people on other ISPs trying to remove their ISP's router, but no guarantees.

When you are using AT&T's device, what happens is that their device is handed a single (/128) IPv6 address over DHCPv6-NA in the [2001:] range. It is also assigned a DHCPv6 address, for example [2600:1700:] with a /60 bit mask. So, if you configure your ASUS in place of the BGW using IPv6 Native mode you will see something like this at the top of your routes:

Code:
keymaster@router-asus:/tmp/home/root# ip -6 route show
2001:506:XXXX:XXXX::1 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
2600:XXXX:XXXX:XXXX::/60 dev br0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0

This will hand out the [2600:] range to your clients which will route through br0. But the [2001:] address is not routable outside of AT&T's network.
In the above configuration while your clients will be able to access the Internet over IPv6, your router will not.

To get the proper configuration you basically need to examine what your Asus gets when configured in "Native IPv6" mode when it is *behind* the BGW (operating in "bridge" mode).

When we do this we see that the Asus gets a routable address with a /64 mask.

The problem is that you cannot add any additional routes manually to correct this on the Asus because the PD prefix length cannot be changed from /60 (i.e. you can't solicit for a /64, it will only provide a /60).

The solution is to configure the Asus in "Static IPv6" mode. You would use as your "WAN IPv6 Address" whatever your BGW would have normally passed you in "Bridge mode", for example:

2600:XXXX:XXXX:bfe0::48

And for your "WAN IPv6 Gateway" you would use whatever your BGW reports as its "Default IPv6 Gateway Address" when configured in bridge mode. This should be a link local address like:

fe80::XXXX:XXXX:XXXX:45XX

Be sure to set the prefix length to 64.

Then, for your "LAN IPv6 Address" you simply choose any address in any other valid subnet from your /64 range. So, using the [2600:XXXX:XXXX:bfe0::48]/64 range that was set for the WAN above, you could use the following address for your LAN:

[2600:XXXX:XXXX:bfe1::1]/64
(incrementing the network from bfe0 to bfe1 and using ::1 as the unique address on that network)

Then choose "Stateless configuration" (stateful has its own raft of issues, especially with Android clients). Turn Router Announcements on:
This is now the range that will be sent to your clients when they solicit IPv6 addresses.

At this point, nothing will work. Since we configured our IP addresses as Static, there is no DHCPv6 client running to request DHCPv6-NA or PD from AT&T's delegating router. Without requesting these ranges (and renewing the leases) they will not be apportioned for your use. So, the secret sauce here is to manually run the odhcp6c client. You have to manually run it since the router is set to "Static IPv6".
While the router is running in "Native IPv6" you can see odhcp6c running like this:

Code:
root@router-asus:/tmp/home/root# ps | grep odhcp6c
15246 keymaste  4728 S    grep odhcp6c
28270 keymaste   760 S    odhcp6c -df -R -s /tmp/dhcp6c -N try -c 00030001f8XXXXXYYYYY -FP 0:YYYYY eth0

You basically want to copy this odhcp6c command down from your Native mode config and then run it manually when in static mode. This will request the IPv6 ranges from AT&T and they will become active.

BTW: you should probably have already configured the "MAC Address" under WAN settings to be a clone of your BGW address. If you have then that first long string of numbers (following -c) should be ending with that MAC address. The "YYYYY" are the last 5 characters of that address. In reality, it appears to not matter what is added here, but this information is reported in the DHCP requests to AT&T and so it is probably beneficial to make it appear to be the BGW in case they ever decide to audit/filter on that information.

At this point your clients should start getting proper IPv6 information and all clients (and the router) should be able to communicate to external IPv6 addresses.

At this point, you will probably want to script odhcp6c to run on every boot (and possibly some error handling in case the network gets reloaded). I found creating an init.d script is the easiest way to handle this.

I'm sure there is a very small subset of people that this will help out, but at the very least I have it for my reference!
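As an added example (not the poster's script and not firmware code), the boot/watchdog part of the procedure above: keep odhcp6c running in "Static IPv6" mode, where the firmware starts no DHCPv6 client, and extract the exact command line from `ps` so the flags are copied verbatim. The DUID and -FP values are placeholders to be replaced with your own; the check interval and hook name are assumptions.

```shell
#!/bin/sh
# Added example: keep odhcp6c alive in "Static IPv6" mode so the NA/PD leases
# from the ISP keep being requested and renewed. The -c DUID and -FP token are
# constructed placeholders; copy the real ones from `ps | grep odhcp6c` output
# taken while the router is in Native mode.
WAN_IF="${WAN_IF:-eth0}"
DUID="${DUID:-00030001PLACEHOLDERDUID}"   # placeholder, not a real DUID
PD_HINT="${PD_HINT:-0:PLACEHOLDER}"       # placeholder for the -FP value
STATE_SCRIPT="/tmp/dhcp6c"                # same -s handler the firmware passes
CHECK_INTERVAL="${CHECK_INTERVAL:-60}"    # assumed watchdog period (seconds)

# Pull the odhcp6c command line out of `ps` output read from stdin,
# skipping the grep process itself.
extract_cmd() {
    grep 'odhcp6c -' | grep -v grep | sed 's/^.*\(odhcp6c .*\)$/\1/' | head -n 1
}

# Render the command as it will be started: $1=interface $2=DUID $3=-FP token.
build_cmd() {
    printf 'odhcp6c -df -R -s %s -N try -c %s -FP %s %s' "$STATE_SCRIPT" "$2" "$3" "$1"
}

# Refuse to run with unreplaced placeholders: the DUID is reported to the ISP.
config_ok() {
    case "$1$2" in *PLACEHOLDER*) return 1 ;; esac
    return 0
}

# Start the client only when none is running (-d makes it daemonise).
ensure_running() {
    pidof odhcp6c >/dev/null 2>&1 && return 0
    config_ok "$DUID" "$PD_HINT" || { logger -t dhcp6-keeper "placeholders not replaced"; return 1; }
    logger -t dhcp6-keeper "starting: $(build_cmd "$WAN_IF" "$DUID" "$PD_HINT")"
    odhcp6c -df -R -s "$STATE_SCRIPT" -N try -c "$DUID" -FP "$PD_HINT" "$WAN_IF"
}

# Watchdog: restart odhcp6c if it dies, e.g. after a WAN reload.
case "${1:-}" in
    start) while :; do ensure_running; sleep "$CHECK_INTERVAL"; done ;;
    once)  ensure_running ;;
esac
```

Run it as `script.sh start &` from your init.d hook, or `script.sh once` to test a single pass.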
 