IPv6 - hpaluch/hpaluch.github.io GitHub Wiki

IPv6 Notes

Get IPv6 public address from CLI

From: https://serverfault.com/a/1143196

curl -6 ip.sb

Example ~/.ssh/config for IPv6

Here is an example of how I can reach an SSH server on a link-local address (an address that starts with fe80:.... and requires appending the interface name with %ethX, because it is not globally unique).

# ~/.ssh/config
Host deb12-ipv6
        HostName fe80::6250:40ff:fe30:2010%%eth0
        User USERNAME
        IdentityFile ~/.ssh/MY_KEY
        IdentitiesOnly yes
        HostKeyAlias deb12-ipv6

Notice that we have to escape % as %% (!).

firewall-cmd breaks ICMPv6

The following ping commands should reveal all link-local addresses (from https://learningnetwork.cisco.com/s/question/0D53i00000Kt61BCAR/how-to-ping-all-global-ipv6-addresses):

# to reveal link-local addresses - replace eth0 with your NIC name:
ping -6 -I eth0 ff02::1
# to reveal routers
ping -6 -I eth0 ff02::2

But not on openSUSE LEAP 15.6 with firewall-cmd, because it rejects the reply as invalid (from dmesg):

STATE_INVALID_DROP: IN=eth0 OUT= MAC=X SRC=fe80:... DST=fe80:... LEN=104 TC=0 HOPLIMIT=255 FLOWLBL=0 \
     PROTO=ICMPv6 TYPE=129 CODE=0 ID=6 SEQ=4 

There is a reported bug on:

Workaround from SUSE forums:

firewall-cmd --permanent --direct --add-rule ipv6 raw PREROUTING 0 -p icmpv6 -j CT --notrack
firewall-cmd --reload
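
To confirm that a host is affected, the dmesg lines can be tallied by ICMPv6 type and the neighbours whose replies were discarded listed. This is an added example, not part of the original notes: the function names and the sample log lines (including their addresses) are constructed, and the type names are those of RFC 4443 and RFC 4861.

```python
import re
import sys
from collections import Counter

# ICMPv6 type numbers from RFC 4443 (errors, echo) and RFC 4861 (neighbour discovery).
ICMPV6_TYPES = {
    1: "destination-unreachable", 2: "packet-too-big", 3: "time-exceeded",
    4: "parameter-problem", 128: "echo-request", 129: "echo-reply",
    133: "router-solicitation", 134: "router-advertisement",
    135: "neighbour-solicitation", 136: "neighbour-advertisement", 137: "redirect",
}
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE pairs; the value may be empty (OUT=)

# Constructed sample in the shape of the dmesg line above (addresses are made up).
SAMPLE_DMESG = """\
[  101.10] STATE_INVALID_DROP: IN=eth0 OUT= MAC=X SRC=fe80::a DST=fe80::1 LEN=104 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=6 SEQ=4
[  101.11] STATE_INVALID_DROP: IN=eth0 OUT= MAC=X SRC=fe80::b DST=fe80::1 LEN=104 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=6 SEQ=4
[  140.02] STATE_INVALID_DROP: IN=eth0 OUT= MAC=X SRC=2001:db8::5 DST=2001:db8::1 LEN=60 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 RST URGP=0
[  150.00] eth0: link becomes ready
"""

def parse_drop(line, prefix="STATE_INVALID_DROP:"):
    """Return the KEY=VALUE fields of a firewalld invalid-state drop line, else None."""
    _, found, rest = line.partition(prefix)
    return dict(FIELD_RE.findall(rest)) if found else None

def summarize(lines):
    """Count ICMPv6 packets dropped as INVALID, keyed by (interface, type name)."""
    counts = Counter()
    for line in lines:
        fields = parse_drop(line)
        if not fields or fields.get("PROTO") != "ICMPv6":
            continue
        raw = fields.get("TYPE", "")
        name = ICMPV6_TYPES.get(int(raw), f"type-{raw}") if raw.isdigit() else "unknown"
        counts[(fields.get("IN", ""), name)] += 1
    return counts

def echo_reply_sources(lines):
    """Source addresses of echo replies (TYPE=129) that the firewall discarded."""
    found = (parse_drop(line) for line in lines)
    return sorted({f["SRC"] for f in found
                   if f and f.get("PROTO") == "ICMPv6" and f.get("TYPE") == "129" and "SRC" in f})

if __name__ == "__main__":
    lines = (SAMPLE_DMESG if sys.stdin.isatty() else sys.stdin.read()).splitlines()
    for (iface, name), n in sorted(summarize(lines).items()):
        print(f"{iface:8} {name:24} {n}")
    print("echo replies dropped from:", ", ".join(echo_reply_sources(lines)) or "none")
```

Pipe dmesg output into the script to use real data; without piped input it runs on the constructed sample. After applying the workaround and repeating the ping, no new echo-reply entries should appear.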

Debian as IPv6 only

Experiment: configure Debian as IPv6 only system.

  • My /etc/network/interfaces

    source /etc/network/interfaces.d/*
    
    auto lo eth0
    iface lo inet loopback
    iface lo inet6 loopback
    iface eth0 inet6 auto
    	privext 2
    
    • WARNING! privext 2 does not work (!)
    • Workaround: create file /etc/sysctl.d/98-tempaddr.conf
      # Ensure that Debian uses random IPv6 address (interfaces/privext 2 does not work)
      net.ipv6.conf.eth0.use_tempaddr = 2
      
  • Use IPv6 public DNS in /etc/resolv.conf:

    # CloudFlare public IPv6 DNS: https://developers.cloudflare.com/1.1.1.1/ip-addresses/
    nameserver 2606:4700:4700::1111
    nameserver 2606:4700:4700::1001
    
  • Ensure that the SSH server is listening on IPv6 addresses only in /etc/ssh/sshd_config:

    AddressFamily inet6
    ListenAddress ::
    

IPv6 and TP-Link routers

Some routers do not allow incoming IPv6 connections, even if you have a public IPv6 address (which is nearly always public when you have IPv6 access from an ISP). The firewall simply allows only outgoing IPv6 connections (and the so-called "NAT Forwarding" is only for IPv4).

Resources