Web Sites Unreachable with IPv6

Hello to all,

We are implementing IPv6 on our Interworx Box.
We have added the sub-net to NodeWorx successfully and have changed the box network configuration accordingly including IPv6 Gateway and an IPv6 static IP for the box.
We can ping6 and traceroute6 from shell to internet host successfully, so everything seems to be working fine.

The problem is the websites are not reachable by IPv6.
I used this service http://ipv6-test.com/validate.php to test a domain with IPv6 and I get:
“IPv6 web server is unreachable”
Additionally, my Nodeworx IPv6 Status screen looks like it does not recognize my gateway:

Can anybody explain the screen above?
What could be the problem?
Any ideas would be greatly appreciated.

Regards,

ipv6_status.PNG

Hi Crservers

I’m not too sure if you have used IW to configure network or manually configured sorry, so I have a few ideas as follows

Are your AAAA records set up in DNS for the domain?

Can you still ping from an external source to your ipv6 if you disable the ipv6 network?

Can you ping from your IW server to an external ipv6 network?

Is it a tunnel ipv6?

Please can you show your ipv6 setup?

It does look likely it is your gateway stopping it, but as you have stated you can ping external to your IW server, that would suggest your gateway is fine, but as it shows unreachable I’m wondering if your ping higher up the chain and the returned ping is not coming from your IW server.

I hope you don’t mind my thoughts and sorry if I’m wrong

Many thanks

John

I have problems with IPv6 as well … seems the DNS doesn’t respond on IPv6.
We disabled IPv6 until this could be fixed, and now we are getting the same issue as you, despite the gateway being configured in the IPv6 page.

The problem is that if you have IPv6 configured, it will get added to the email headers, and mail services like Gmail won’t accept the mail if you don’t have a correct PTR for that IPv6 that returns the sender’s domain.

We had to request our DC to let us handle the PTR for our IPv6 range.

Hi Evanion

I hope you’re well

We had the same issues, but slightly different in that we do not have any ipv6 ranges, yet a system higher upstream started to give out ipv6 via dhcp I believe, so we were assigned local route. IW had a look and on our network, the ipv6 was turned off.

I believe ipv6 has a higher preference over ipv4 in qmail, and that’s why it uses any ipv6 address if assigned, even when the outgoing ip is manually set for ipv4 address.

It also showed in our dns, which would not work for obvious reasons.

I’m wondering if this might be one of the issues, if Crservers has the local route active in dns but of course, could be wrong sorry.

It would be nice if Crservers showed more details of current setup.

Many thanks

John

Hello John,
Thanks for your prompt answer.
Here are the answers to your questions:

I’ve added the IPv6 pool OK from Nodeworx.
Then I modified config files from shell and passed all tests as detailed here for CentOS:


All seemed to work OK

Yes, that part worked OK and the AAAA records were added automatically once I assigned an IPv6 to each domain.

Yes

PING 2001:13d8:1c01:5000:0:10:8:21(2001:13d8:1c01:5000:0:10:8:21) 32 data bytes
40 bytes from 2001:13d8:1c01:5000:0:10:8:21: icmp_seq=0 ttl=44 time=192 ms
40 bytes from 2001:13d8:1c01:5000:0:10:8:21: icmp_seq=1 ttl=44 time=189 ms
40 bytes from 2001:13d8:1c01:5000:0:10:8:21: icmp_seq=2 ttl=44 time=188 ms
40 bytes from 2001:13d8:1c01:5000:0:10:8:21: icmp_seq=3 ttl=44 time=187 ms

--- 2001:13d8:1c01:5000:0:10:8:21 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3011ms
rtt min/avg/max/mdev = 187.950/189.497/192.425/1.814 ms, pipe 2

---- Finished ------

? What do you mean by this?
We were assigned a /48 subnet by our upstream provider.

/etc/sysconfig/network = NETWORKING_IPV6=yes

/etc/sysconfig/network-scripts/ifcfg-eth0 =

IPV6INIT=yes
IPV6ADDR=2001:13d8:1c01:5000:0:10:8:21
IPV6_DEFAULTGW=2001:13D8:1C01:0:0:0:0:1
IPV6ADDR_SECONDARIES="2001:13d8:1c01:5000::1/96 2001:13d8:1c01:5000::2/96 2001:13d8:1c01:5000::3/96 2001:13d8:1c01:5000:0:10:8:21/64 2001:13d8:1c01:5000::4/96 2001:13d8:1c01:5000::5/96 2001:13d8:1c01:5000::6/96 2001:13d8:1c01:5000::7/96 2001:13d8:1c01:5000::8/96 2001:13d8:1c01:5000::9/96 2001:13d8:1c01:5000::a/96 2001:13d8:1c01:5000::b/96 2001:13d8:1c01:5000::c/96 2001:13d8:1c01:5000::d/96 2001:13d8:1c01:5000::e/96 2001:13d8:1c01:5000::f/96 2001:13d8:1c01:5000::10/96 2001:13d8:1c01:5000::11/96 2001:13d8:1c01:5000::12/96 2001:13d8:1c01:5000::13/96 2001:13d8:1c01:5000::14/96 2001:13d8:1c01:5000::15/96 2001:13d8:1c01:5000::16/96"
#IWORX_IPV6="2001:13d8:1c01:5000::1/96 2001:13d8:1c01:5000::2/96 2001:13d8:1c01:5000::3/96 2001:13d8:1c01:5000:0:10:8:21/64 2001:13d8:1c01:5000::4/96 2001:13d8:1c01:5000::5/96 2001:13d8:1c01:5000::6/96 2001:13d8:1c01:5000::7/96 2001:13d8:1c01:5000::8/96 2001:13d8:1c01:5000::9/96 2001:13d8:1c01:5000::a/96 2001:13d8:1c01:5000::b/96 2001:13d8:1c01:5000::c/96 2001:13d8:1c01:5000::d/96 2001:13d8:1c01:5000::e/96 2001:13d8:1c01:5000::f/96 2001:13d8:1c01:5000::10/96 2001:13d8:1c01:5000::11/96 2001:13d8:1c01:5000::12/96 2001:13d8:1c01:5000::13/96 2001:13d8:1c01:5000::14/96 2001:13d8:1c01:5000::15/96 2001:13d8:1c01:5000::16/96"
#IWORX_LAST_EDIT="2014-05-28 18:47:54"

All the stuff in “Bold” was added by NodeWorx after assigning IPv6 to some domains.

Thanks for your help.
Regards,

Hi Crservers

I hope you don’t mind, but I perhaps am thinking it might be tied in with firewall.

I am looking at the following ipv6 address only as below, and tested external ping fine, but when checking on port 80, or 53 etc… it shows as permission denied, so I am thinking if your firewall is open for port 80 on ipv6.

Did you manually set the ipv6 firewall or leave it to IW (i.e. firewall, ipv6 status, managed by Interworx, and ICMP control)?

Please can you check /etc/sysconfig/ip6tables and confirm port 80 and 53 are open. If they are not open and you manually set the ipv6 firewall rules, please add them in and restart the ipv6 firewall:

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT

service ip6tables restart

ip6tables -L -v -n

The reason why I am thinking this, is shown below, where your port 80 is permission denied, but port 22 is open but I am sorry if I am wrong though, and will have a little think more about it if alright.

Many thanks

John

2001:13d8:1c01:5000:0:10:8:21

Checked port 80 on Host/IP 2001:13d8:1c01:5000:0:10:8:21…

The checked port (80, service http) is offline/unreachable

Reason: Permission denied (13)

Portscan ran for 0.1888 seconds

Checked port 22 on Host/IP 2001:13d8:1c01:5000:0:10:8:21…

The checked port (22, service ssh) is online/reachable!

Completed portscan in 0.1903 seconds

Hi

Sorry, I’ve reread my post and if port 53 is not open in the ipv6 firewall, please also open it.

Thinking about it, you may want to open ports you need but for a test, I think port 53 and 80 should be fine.

I hope that helps a little

Many thanks

John
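
The check John asks for above, as an added example that is not part of the original thread: a shell function that reads a rules file in the /etc/sysconfig/ip6tables format and lists the protocol/port pairs whose first matching rule is not ACCEPT, which also catches an ACCEPT line that was placed after the final REJECT. The function names, the sample rules and the treatment of all rules as one ordered chain are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit an ip6tables rules file (ip6tables-save format, as in
# /etc/sysconfig/ip6tables) for the ports a web/DNS host must accept.
# Assumption: all -A rules are evaluated as one chain, in file order.
missing_ports() {   # usage: missing_ports RULES_FILE proto/port...
    rules=$1; shift
    for want in "$@"; do
        awk -v proto="${want%/*}" -v port="${want#*/}" '
            $1 != "-A" { next }                 # skip table, policy and COMMIT lines
            {
                p = ""; d = ""; j = ""
                for (i = 3; i < NF; i++) {
                    if ($i == "-p")      p = $(i + 1)
                    if ($i == "--dport") d = $(i + 1)
                    if ($i == "-j")      j = $(i + 1)
                }
                catchall = ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP"))
                hit = (p == proto && d == port)
                if (hit || catchall) { verdict = j; exit }   # first match decides
            }
            END { exit (verdict == "ACCEPT" ? 0 : 1) }
        ' "$rules" || echo "$want"
    done
}

# Constructed sample: port 80 is accepted, the 443 line was appended after
# the final REJECT, and there is no rule for DNS (port 53) at all.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-icmp -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

f=$(mktemp) && sample_rules > "$f"
missing_ports "$f" tcp/22 tcp/80 tcp/443 tcp/53 udp/53   # prints tcp/443, tcp/53, udp/53
rm -f "$f"
```

On a live server the first argument would be /etc/sysconfig/ip6tables itself; an empty result means every listed port is accepted before any catch-all REJECT or DROP.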

Hello John,

You hit the nail right on the head! :)
It was a firewall issue.
Thanks and regards,

IPv6 Status screen + IPv6 Firewall

My apologies for prolonging this thread a little bit more, but there are still 2 things that are confusing to me.

1- My IPv6 Status screen now appears as:

Why does the IPv6 Gateway appear as NOT CONFIGURED?

2 - In the “Firewall IPv6 Settings” what option should I choose?

  • Off
  • Managed Manually, outside of Interworx
  • Manage by Interworx

Can somebody explain these options?

Thanks,

ipv6_status2.PNG

Hi Crservers

I believe it is as follows

Off - should only be set if your IW server is behind an ipv6 firewall

Managed manually - used as you have completed ie you manage your own rules

Managed by interworx - IW sets the rules as it does with ipv4

I think as you may have initially partly set ipv6, or not knowing what setting your ipv6 was set to, then you may have created your own issue, but of course, you may have discovered a bug, which I’m sure more bugs may be found as ipv6 is used more and more.

I’m sorry I have no idea why your gateway is shown not configured, other than perhaps there is another file which should contain your gateway.

I could be wrong sorry so I apologise in advance

Many thanks

John

I sent a ticket to Interworx about this a few days ago. And it seems to be a bug that the developers are working on solving. I recommend that you submit a ticket to have Interworx help you resolve it.

Hi Evanion

Ah, that would explain it

Please could I ask if your ticket was for gateway not configured or ipv6 firewall not appearing to update to allow normal ports, or both?

Many thanks

John

Hi

I hope you don’t mind but I have been thinking about this, and I am wondering if the gateway not configured is because it is looking at network and not ifcfg…

The gateway should only display the gateway address, I don’t think it informs you if gateway is unreachable etc…

Is it possible for a test, to insert your ipv6 gateway within the network file as well, restart network and see if that resolves that issue. If it does not, please reverse back.

It is just my thoughts and I understand if you prefer not to test my theory, and of course I could be wrong sorry, so I apologise in advance.

I would test myself but we do not have any ipv6 addresses as yet sorry.

Many thanks

John

Hello Evanion,

Thanks for the information.
I just opened a ticket illustrating this issue and a few others that have popped up after enabling IPv6, maybe related.
Regards,