IPv6 to v4 relay?

kingqueen
Posts: 13
Joined: 2021-06-05 23:28

IPv6 to v4 relay?

#1 Post by kingqueen »

Good afternoon

My ISP (Starlink) has CGNAT so I have a VPS with a public IPv4, configured to forward all ports to my router thus effectively acting as if my router has the public IP exposed on the Internet.

My ISP doesn't do IPv6. My VPS does; and my router supports IPv6.
My VPS has an IPv6 address - 2a00:da00:xxxx:xx::1

My VPS provider, ionos.co.uk, has very little information as to the IPv6 allocation. It allows me to assign a single IPv6 port to my VPS, and says nothing about allocating a range of IPv6 addresses.

I am wondering if it is possible and practicable to set up a 6 to 4 relay or tunnel server / service such that my router is able to communicate using IPv6 (even though the ISP only supports IPv4) - using my VPS as some form of proxy / relay / tunnel?

Thank you

p.H
Posts: 1891
Joined: 2017-09-17 07:12

Re: IPv6 to v4 relay?

#2 Post by p.H »

If I understand correctly, not only does your ISP not provide a public IPv4 address and use CGNAT instead, but it also does not even provide IPv6 connectivity? What a pity! IPv4 addresses have become so scarce that I understand CGNAT, but IPv6 addresses are plentiful and cheap, so there is no excuse for not providing decent IPv6 connectivity.

A PPP session like the one in the L2TP tunnel can transport IPv6, or you can tunnel IPv6 into IPv4. It is important to know whether your VPS provider assigns a single IPv6 address or a whole prefix. With only one address, you will have to do IPv6 NAT on the VPS, which is not desirable.

kingqueen
Posts: 13
Joined: 2021-06-05 23:28

Re: IPv6 to v4 relay?

#3 Post by kingqueen »

p.H wrote: If I understand correctly, not only your ISP does not provide a public IPv4 address and uses CGNAT instead, but also it does not even provide IPv6 connectivity? What a pity! IPv4 addresses have become so scarce that I understand CGNAT, but IPv6 addresses are plentiful and cheap, so there is no excuse for not providing a decent IPv6 connectivity.

Yes; far from ideal, isn't it!
It is Starlink from SpaceX.
The reason I am with them is because the broadband infrastructure where I am is so limited and there's no sign of improvement. I'm in North Yorkshire, UK, on what they call an "Exchange Only" line, which means there's no chance of VDSL / any kind of fibre for the foreseeable future, and there's no cable internet either, so I was limited to 1mbps up / 2.4mbps up at a premium (and 20 mbps down, which is less important to me.) So Starlink was the only alternative - low Earth orbit satellite. It works really well; but it is IPv4 only, no IPv6 and CGNAT. Prices worth paying. It is the only realistic option for increased upload speed, other than a prohibitively expensive leased line or something.
Starlink say that they intend on introducing IPv6 at some point in the future.

p.H wrote: A PPP session like the one in the L2TP tunnel can transport IPv6, or you can tunnel IPv6 into IPv4. It is important to know whether your VPS provider assigns a single IPv6 address or a whole prefix. With only one address, you will have to do IPv6 NAT on the VPS, which is not desirable.

Thank you. I shall check with the host. The ::1 at the end makes me think that it might be a block of IPv6, but their (not overly descriptive) help text doesn't say that, and their control panel gives the impression of only allocating one IPv6 address...
Thank you

kingqueen
Posts: 13
Joined: 2021-06-05 23:28

Re: IPv6 to v4 relay?

#4 Post by kingqueen »

It is just a single IPv6 for the server, not a prefix or whatever.
I agree that NAT on IPv6 is an anathema.
Starlink currently do provide IPv6 but it is unadvertised and broken. It can apparently be made to work with e.g. a PF router, but I don't fancy that.
I may just go with Hurricane Electric's tunnel broker service for now, using my server's public static IPv4 address and port forwarding. Hurricane Electric delegate a /64 prefix.
Then when Starlink sort out their IPv6, I can just use that.
Thank you

p.H
Posts: 1891
Joined: 2017-09-17 07:12

Re: IPv6 to v4 relay?

#5 Post by p.H »

kingqueen wrote: It is just a single IPv6 for the server, not a prefix or whatever.

Then it is surprising that the address ends in ::1. How long are the non-zero prefix and the assigned prefix?

kingqueen
Posts: 13
Joined: 2021-06-05 23:28

Re: IPv6 to v4 relay?

#6 Post by kingqueen »

p.H wrote:
kingqueen wrote: It is just a single IPv6 for the server, not a prefix or whatever.
Then it is surprising that the address ends in ::1.

I thought that too. Their control panel lets me choose other IP addresses in the same subnet; e.g. I can change that to ::2. I think if I order multiple servers, I can set them to all be in the same subnet (/64 delegation, or whatever the correct term is with IPv6).

p.H wrote: How long are the non-zero prefix and the assigned prefix?

Er. My VPS provider's? In the following, each of my obfuscations is of two characters.
Image
Here's the relevant bits of my contact with them on the issue.
3) when I assign an IPv6 to the server, is that one single IPv6 address or is there (the option of) a prefix?
- What do you mean by this? The server itself only comes with x1 IPv4 & x1 IPv6.
The control panel indicates the server has a /64.
IPv6 subnet: 2a00:da00:1800:XX::/64
IPv4 address: 77.68.2.XX
IPv6 address: 2a00:da00:1800:XX::1
That /64: does it not indicate that the IPv6 addresses with that prefix are usable by me? What does the subnet information indicate otherwise?
There's no information on that in the help text.

Your server will be deployed with a fixed IPv4 address. You have the ability to add an IPv6 record for free to the server, which you have done.
You would then need to access the network interface to add the IPv6 information.
Subnet mask is utilized for isolating the network id and host id.
But elsewhere in the control panel, it indicates that the server has a /64 allocated:
Image
I'm thinking that maybe there is a /64 actually allocated, and that the support person may be in error.
If there is a /64, what would be the best way please to configure my Debian VPS to provide my LAN with addresses? Is there a tutorial that could help, or some keywords I should search for?
Thank you ever so much!

p.H
Posts: 1891
Joined: 2017-09-17 07:12

Re: IPv6 to v4 relay?

#7 Post by p.H »

First check the actual IPv6 configuration of the VPS with

Code:

ip -6 addr
ip -6 route

Then I would check if and how the /64 prefix is routed to your VPS:
- on the VPS, start an IPv6 packet capture with tcpdump or the like;
- from a remote IPv6-capable host, send IPv6 packets (e.g. ping6) to various addresses within the prefix.

If the prefix is routed directly on the VPS ethernet link, you should see ICMPv6 "Neighbour Solicitation" requests for each individual probed IPv6 address from a local router. In this case, it should be possible to assign extra addresses in the prefix to the VPS ethernet interface. If you want to assign and route IPv6 addresses in the prefix to other hosts (through the L2TP tunnel), you will have to set up the VPS as an IPv6 ND (Neighbour Discovery) proxy for these addresses.

If the prefix is routed to your VPS global address (2a00) or link-local address (fe80), you should see ICMPv6 "Neighbour Solicitation" requests for this address from a local router, ICMPv6 "Neighbour Advertisement" replies from your VPS and the IPv6 packets sent from the remote host. In this case, the VPS does not have to act as an IPv6 ND proxy.
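
The decision rule from this post, written out as an added example that is not part of the original thread: it reads `tcpdump -nn ip6` text captured on the VPS while a remote host pings other addresses in the prefix, and reports which of the two cases applies. The function names, the documentation prefix 2001:db8:0:6a::/64, the router address fe80::1 and the sample captures are all constructed for illustration; a capture showing nothing for the probed addresses is reported as a third case, "not-delivered".

```python
import ipaddress
import re

# Constructed `tcpdump -nn ip6` lines using the documentation prefix
# 2001:db8:0:6a::/64; they are sample input, not captures from the thread.
ONLINK = """\
10:00:01.000001 IP6 fe80::1 > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8:0:6a::2, length 32
10:00:02.000001 IP6 fe80::1 > ff02::1:ff00:1000: ICMP6, neighbor solicitation, who has 2001:db8:0:6a::1000, length 32
"""
ROUTED = """\
10:00:01.000001 IP6 fe80::1 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8:0:6a::1, length 32
10:00:01.000050 IP6 2001:db8:0:6a::1 > fe80::1: ICMP6, neighbor advertisement, tgt is 2001:db8:0:6a::1, length 32
10:00:01.000900 IP6 2001:db8:ffff::9 > 2001:db8:0:6a::2: ICMP6, echo request, seq 1, length 64
"""
SILENT = """\
10:33:02.302235 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 32
"""

NS_RE = re.compile(r"neighbor solicitation, who has ([0-9a-fA-F:]+)")
DST_RE = re.compile(r"IP6 [0-9a-fA-F:]+ > ([0-9a-fA-F:]+): ")


def _is_probe(text, net, own):
    """True if text is an address inside the prefix other than the VPS's own."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:  # e.g. a fragment left by an obfuscated address
        return False
    return addr in net and addr != own


def classify(capture, prefix, own_addr):
    """Return 'on-link', 'routed' or 'not-delivered' for a capture taken
    on the VPS while a remote host pings other addresses in the prefix."""
    net = ipaddress.ip_network(prefix)
    own = ipaddress.ip_address(own_addr)
    routed = False
    for line in capture.splitlines():
        ns = NS_RE.search(line)
        if ns:
            if _is_probe(ns.group(1), net, own):
                return "on-link"   # router resolves each address: ND proxy needed
            continue
        dst = DST_RE.search(line)
        if dst and _is_probe(dst.group(1), net, own):
            routed = True          # packet handed to the VPS: no ND proxy needed
    return "routed" if routed else "not-delivered"
```

Addresses obfuscated with XX do not parse, so the capture has to be fed in with its real addresses.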

kingqueen
Posts: 13
Joined: 2021-06-05 23:28

Re: IPv6 to v4 relay?

#8 Post by kingqueen »

Thank you ever so for this.

It doesn't look good. ping6 of the VPS's single IP address works; ping6 of any other address in the subnet fails (no reply) and there's no indication whatsoever of any related activity on the VPS's interface.

Code:

ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a00:da00:1800:XX::1/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe1f:8ac2/64 scope link
       valid_lft forever preferred_lft forever
kingqueen@localhost:~$ ip -6 route
::1 dev lo proto kernel metric 256 pref medium
2a00:da00:1800:XX::1 dev ens192 proto kernel metric 256 pref medium
fe80::/64 dev ens192 proto kernel metric 256 pref medium
default via fe80::250:56ff:febb:37a1 dev ens192 proto ra metric 1024 expires 4sec hoplimit 64 pref high

sudo tcpdump ip6 --interface ens192 -nn

10:33:02.302235 IP6 fe80::250:56ff:febb:37a1 > ff02::1: ICMP6, router advertisement, length 32
(repeats once every second)

ping6 2a00:da00:1800:XX::1
PING 2a00:da00:1800:XX::1(2a00:da00:1800:6a::1) 56 data bytes
64 bytes from 2a00:da00:1800:XX::1: icmp_seq=1 ttl=52 time=24.1 ms

10:33:24.346497 IP6 2001:41d0:a:16XX::1 > 2a00:da00:1800:XX::1: ICMP6, echo request, seq 1, length 64
10:33:24.346527 IP6 2a00:da00:1800:XX::1 > 2001:41d0:a:16XX::1: ICMP6, echo reply, seq 1, length 64

ping6 2a00:da00:1800:XX::2
PING 2a00:da00:1800:XX::2(2a00:da00:1800:XX::2) 56 data bytes
^C
--- 2a00:da00:1800:XX::2 ping statistics ---
43 packets transmitted, 0 received, 100% packet loss, time 42999ms

(nothing but router advertisements in the log)

kingqueen@ks3357022:~$ ping6 2a00:da00:1800:XX::1000
PING 2a00:da00:1800:6a::1000(2a00:da00:1800:XX::1000) 56 data bytes
^C
--- 2a00:da00:1800:XX::1000 ping statistics ---
45 packets transmitted, 0 received, 100% packet loss, time 45063ms

(nothing but router advertisements in the log)
(in the above, I have obfuscated by replacing two digits by XX)

I think this means I'm hosed: only one IPv6 address available, and no prefix or subnet or whatever allocated...

...oh well. I stay with Hurricane Electric :-)

Cheers

Doug

p.H
Posts: 1891
Joined: 2017-09-17 07:12

Re: IPv6 to v4 relay?

#9 Post by p.H »

The /128 prefix length looked promising, meaning that the /64 prefix was not assigned to the LAN attached to the ethernet interface, so it might be available for the VPS. But the packet capture is disappointing. I would still expect a reply (destination unreachable) from any polite router to the sender after some time.

It might be interesting to run traceroute to prefix addresses (including the VPS address) from a remote host and from the VPS and see how far it goes.

kingqueen
Posts: 13
Joined: 2021-06-05 23:28

Re: IPv6 to v4 relay?

#10 Post by kingqueen »

Thank you
To the server's allocated IPv6:

Code:

traceroute 2a00:da00:1800:XX::1
traceroute to 2a00:da00:1800:XX::1 (2a00:da00:1800:XX::1), 30 hops max, 80 byte packets
 1  * * *
 2  2001:41d0:0:50::1:8706 (2001:41d0:0:50::1:8706)  1.091 ms  1.032 ms  1.183 ms
 3  2001:41d0:0:50::5:be (2001:41d0:0:50::5:be)  0.828 ms 2001:41d0:0:50::5:d4 (2001:41d0:0:50::5:d4)  0.721 ms 2001:41d0:0:50::5:96 (2001:41d0:0:50::5:96)  0.356 ms
 4  * * *
 5  * * *
 6  * * *
 7  decix.bb-a.fra3.fra.de.oneandone.net (2001:7f8::2170:0:1)  8.924 ms decix.bb-c.act.fra.de.oneandone.net (2001:7f8::2170:0:2)  9.969 ms decix.bb-a.fra3.fra.de.oneandone.net (2001:7f8::2170:0:1)  8.811 ms
 8  ae-11-0.bb-a.ba.slo.gb.oneandone.net (2001:8d8:0:2::f6)  20.066 ms  20.267 ms ae-14-0.bb-a.fra3.fra.de.oneandone.net (2001:8d8:0:2::e9)  9.129 ms
 9  ae-11-0.bb-a.ba.slo.gb.oneandone.net (2001:8d8:0:2::f6)  20.036 ms port-channel-4.gw-ngcs-1.dc1.con.glo.gb.oneandone.net (2001:8d8:0:1d::a3)  23.790 ms  23.610 ms
10  2a00:da00:0:3201::38 (2a00:da00:0:3201::38)  23.158 ms  23.101 ms  23.098 ms
11  2a00:da00:1800:XX::1 (2a00:da00:1800:XX::1)  23.313 ms 2a00:da00:0:3201::38 (2a00:da00:0:3201::38)  22.957 ms  22.920 ms

To non-existent IPv6 2a00:da00:1800:XX::100:

Code:

traceroute 2a00:da00:1800:XX::100
traceroute to 2a00:da00:1800:XX::100 (2a00:da00:1800:XX::100), 30 hops max, 80 byte packets
 1  * * *
 2  2001:41d0:0:50::1:8704 (2001:41d0:0:50::1:8704)  1.113 ms  1.083 ms  1.190 ms
 3  2001:41d0:0:50::5:b8 (2001:41d0:0:50::5:b8)  0.428 ms 2001:41d0:0:50::5:ba (2001:41d0:0:50::5:ba)  0.709 ms 2001:41d0:0:50::5:90 (2001:41d0:0:50::5:90)  0.567 ms
 4  be100-100.gra-g1-nc5.fr.eu (2001:41d0::42c)  1.660 ms * *
 5  * * *
 6  * * *
 7  decix.bb-c.act.fra.de.oneandone.net (2001:7f8::2170:0:2)  9.972 ms decix.bb-a.fra3.fra.de.oneandone.net (2001:7f8::2170:0:1)  9.023 ms decix.bb-c.act.fra.de.oneandone.net (2001:7f8::2170:0:2)  9.783 ms
 8  ae-14-0.bb-a.fra3.fra.de.oneandone.net (2001:8d8:0:2::e9)  9.227 ms  9.080 ms  9.068 ms
 9  port-channel-4.gw-ngcs-2.dc1.con.glo.gb.oneandone.net (2001:8d8:0:1d::a4)  24.422 ms  24.343 ms ae-11-0.bb-a.ba.slo.gb.oneandone.net (2001:8d8:0:2::f6)  20.093 ms
10  port-channel-4.gw-ngcs-2.dc1.con.glo.gb.oneandone.net (2001:8d8:0:1d::a4)  24.441 ms  24.355 ms  24.343 ms
11  * 2a00:da00:0:3201::38 (2a00:da00:0:3201::38)  23.096 ms *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Hmm, it seems to be diverted when I use a non-existent IPv6 in the subnet!

p.H
Posts: 1891
Joined: 2017-09-17 07:12

Re: IPv6 to v4 relay?

#11 Post by p.H »

It just stops after the same last router. This is expected, as the target address is assigned to nothing and the last router does not care to reply with "destination unreachable". Similarly, a traceroute from the VPS should stop after the first router.

You can try to assign another IPv6 address in the prefix to the ethernet interface but according to tcpdump's output it should not help.

Code:

ip addr add 2a00:da00:1800:XX::2/128 dev ens192

kingqueen
Posts: 13
Joined: 2021-06-05 23:28

Re: IPv6 to v4 relay?

#12 Post by kingqueen »

p.H wrote: You can try to assign another IPv6 address in the prefix to the ethernet interface but according to tcpdump's output it should not help.

Hi. I tried adding another IPv6 address from the subnet to my VPS's Ethernet adapter then pinging that address from another machine, but no response to ping. I guess that's that: unless I want to do IPv6 NAT, which I don't, I'm stuck with Hurricane Electric or similar - which works just fine. Thanks for helping me troubleshoot.
