IPv6 setup trouble
After problems with delivery of mail sent from my Linode CentOS 7's IPv6 address, I followed advice from https://www.spamhaus.org/faq/section/Spamhaus%20CSS#426 and requested a /64 for my Linode. When I got it, I picked an IP address from the given range, ran nmtui to change the address from the SLAAC-assigned one to the new address, and rebooted.
And now IPv6 isn't working at all. I can log into my Linode (over IPv4), but I can't reach it over IPv6, and I can't ping from it to anywhere. (OK, it can ping its own IPv6 address, but not, for example, the gateway or DNS servers.)
I don't know much about routing or IPv6 so I'm probably overlooking something obvious.
```
# ip addr list eth0
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether f2:3c:91:50:41:d6 brd ff:ff:ff:ff:ff:ff
    inet 22.214.171.124/24 brd 126.96.36.199 scope global noprefixroute dynamic eth0
       valid_lft 83935sec preferred_lft 83935sec
    inet6 2600:3c00:e000:2f7::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::ea4e:558a:8db6:3262/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```

```
# ip -6 route
unreachable ::/96 dev lo metric 1024 pref medium
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 pref medium
unreachable 2002:a00::/24 dev lo metric 1024 pref medium
unreachable 2002:7f00::/24 dev lo metric 1024 pref medium
unreachable 2002:a9fe::/32 dev lo metric 1024 pref medium
unreachable 2002:ac10::/28 dev lo metric 1024 pref medium
unreachable 2002:c0a8::/32 dev lo metric 1024 pref medium
unreachable 2002:e000::/19 dev lo metric 1024 pref medium
2600:3c00:e000:2f7::/64 dev eth0 proto kernel metric 100 pref medium
unreachable 3ffe:ffff::/32 dev lo metric 1024 pref medium
fe80::1 dev eth0 proto static metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 100 pref medium
default via fe80::1 dev eth0 proto static metric 100 pref medium
```

```
# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

```
# traceroute6 2600:3c00::6
traceroute to 2600:3c00::6 (2600:3c00::6), 30 hops max, 80 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * fieldses.org (2600:3c00:e000:2f7::1)  3042.686 ms !H
```
> ran nmtui to change the address from the SLAAC-assigned one
You still need to have the SLAAC-assigned IPv6 address configured in order for things to work, as the /64 is routed to that address. Try statically configuring both the SLAAC-assigned IPv6 address and another address from the /64.
Oh, I see, thanks.
Does that mean I need to do some additional configuration for my mail daemon to make sure it's sending from the new IPv6 address and not the (blacklisted) SLAAC address?
Linux will send from the last added IPv6 address by default, unless an application explicitly requests another.
Therefore in my static config, I have the SLAAC address first, then the ::1 address from my /64 pool, so apps use that as the default address. I only use my SLAAC address to connect to SSH.
Depending on your mailer daemon, you may also be able to configure it explicitly so you still use your SLAAC address as your default IPv6 address.
In Postfix, it's the smtp_bind_address6 option.
I added the new IPv6 address second in nmtui, which results in it adding an IPV6ADDR_SECONDARIES=(new ip) line in the corresponding /etc/sysconfig/network-scripts/ file. Then I sent some email, and verified that it was transmitted from the new IPv6 address, without the need to do any additional Postfix configuration. So, it all looks good now.
Thank you for helping sort out my confusion!
If you want to have this working in Ubuntu 18+, without explicitly limiting postfix to a specific IPv6, but rather have your dedicated /64 block IP selected as primary IP by Ubuntu, you need to:
- Remove all
- Remove all
- Create a new /etc/systemd/networkd/10-eth0.network config with the following content.
```
[Match]
Name=eth0

[Network]
DHCP=no
Address=<your IPv4 address>/24
Gateway=<IPv4 gateway address>
# SLAAC address needs to be statically configured as first entry in order to get it last in the IP list of `ip -6 a s dev eth0`
Address=<your SLAAC IPv6 address>/64
Address=<your chosen /64 block IPv6 address>/64
DNS=<DNS IPv4> <DNS IPv6> <DNS2 IPv4> <DNS2 IPv6>
Domains=members.linode.com

[IPv6AcceptRA]
# This option forbids networkd to generate the dynamic SLAAC-generated IPv6 based on the Router Advertisement (RA). This option does not exist for netplan so far.
UseAutonomousPrefix=no
# Note: MTU, default gateway and on-link prefix route are still configured automatically through the RA.
```
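The check discussed in this thread (does outbound mail leave from the routed /64 address or from the SLAAC address?) can be made without sending a test message. The following is an added example, not code from any poster in the thread: it reads the `src` field from `ip -6 route get <destination>` output, or asks the running kernel directly, and labels the result. All addresses are constructed from the 2001:db8::/32 documentation prefix, and the function names are hypothetical.

```python
import ipaddress
import re
import socket

# Constructed values: replace with your routed /64 and your SLAAC address.
ROUTED_PREFIX = "2001:db8:e000:2f7::/64"
SLAAC_ADDR = "2001:db8::f03c:91ff:fe00:1"

# Constructed samples of `ip -6 route get 2001:db8:ffff::25` output.
SAMPLE_ROUTED = ("2001:db8:ffff::25 from :: via fe80::1 dev eth0 proto static "
                 "src 2001:db8:e000:2f7::1 metric 100 pref medium")
SAMPLE_SLAAC = ("2001:db8:ffff::25 from :: via fe80::1 dev eth0 proto static "
                "src 2001:db8::f03c:91ff:fe00:1 metric 100 pref medium")

def parse_route_get_src(output):
    """Return the 'src' address from `ip -6 route get` output, or None."""
    m = re.search(r"\bsrc\s+([0-9a-fA-F:]+)", output)
    return ipaddress.IPv6Address(m.group(1)) if m else None

def kernel_source_for(dest, port=25):
    """Ask the running kernel which source address it would use for dest.
    connect() on a UDP socket picks route and source but sends no packet."""
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
        s.connect((dest, port))
        addr = s.getsockname()[0].split("%")[0]  # drop any scope id
        return ipaddress.IPv6Address(addr)

def classify_source(src, routed_prefix=ROUTED_PREFIX, slaac_addr=SLAAC_ADDR):
    """Label a source address: 'routed', 'slaac', 'other' or 'none'."""
    if src is None:
        return "none"
    src = ipaddress.IPv6Address(src)
    if src == ipaddress.IPv6Address(slaac_addr):
        return "slaac"
    if src in ipaddress.IPv6Network(routed_prefix):
        return "routed"
    return "other"

if __name__ == "__main__":
    for sample in (SAMPLE_ROUTED, SAMPLE_SLAAC):
        print(classify_source(parse_route_get_src(sample)))
    try:  # live check; fails cleanly on a host without an IPv6 route
        print(classify_source(kernel_source_for("2001:db8:ffff::25")))
    except OSError as exc:
        print("no IPv6 route:", exc)
```

A result of `slaac` means applications that do not bind explicitly will still use the SLAAC address, in which case the address order or Postfix's `smtp_bind_address6` needs attention.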