primrose
just joined
Topic Author
Posts: 5
Joined: Sat Jan 06, 2024 5:23 am

Unable to connect to public IPv6 hosts from VLANs

Sun Jan 07, 2024 9:11 am

Hello everyone,

I am trying to set up IPv6 connectivity on some VLANs I have on my CRS326-24G-2S+RM switch. These VLANs already have working v4 connectivity.

The switch is sitting behind a firewall, which is requesting the v6 prefixes, and then I manually split and configure them on the switch, using the firewall only as a gateway for internet-bound traffic.

The following is my routing table:
[primrose@hyacinth] /interface/bridge> /ipv6/route
[primrose@hyacinth] /ipv6/route> print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, g - SLAAC; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS               GATEWAY                           DISTANCE
DAgH ::/0                      fe80::xxxx:xxxx:xxxx:543e%bridge         1
DAcH 26xx:xxxx:xxxx:7100::/64  bridge                                   0
DAcH 26xx:xxxx:xxxx:7103::/64  gardenia                                 0
DAcH fe80::%bridge/64          bridge                                   0
DAcH fe80::%aconite/64         aconite                                  0
DAcH fe80::%bellflower/64      bellflower                               0
DAcH fe80::%gardenia/64        gardenia                                 0
DAcH fe80::%iris/64            iris                                     0
DAcH fe80::%periwinkle/64      periwinkle                               0
DAcH fe80::%senna/64           senna                                    0
[primrose@hyacinth] /ipv6/route> 

As you can see, the default IPv6 route is configured to send all other traffic (i.e. internet-bound traffic) to the firewall for routing.

The following are my addresses assigned to my interfaces:
[primrose@hyacinth] /ipv6/route> /ipv6/address
[primrose@hyacinth] /ipv6/address> print
Flags: D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, INTERFACE, ADVERTISE
#    ADDRESS                       INTERFACE   ADVERTISE
0 DL fe80::xxxx:xxxx:xxxx:906/64   bellflower  no       
1 DL fe80::xxxx:xxxx:xxxx:906/64   iris        no       
2 DL fe80::xxxx:xxxx:xxxx:906/64   aconite     no       
3 DL fe80::xxxx:xxxx:xxxx:906/64   gardenia    no       
4 DL fe80::xxxx:xxxx:xxxx:906/64   bridge      no       
5 DL fe80::xxxx:xxxx:xxxx:906/64   periwinkle  no       
6 DL fe80::xxxx:xxxx:xxxx:906/64   senna       no       
7  G 26xx:xxxx:xxxx:7100::cafe/64  bridge      yes      
8  G 26xx:xxxx:xxxx:7103::1/64     gardenia    yes      
[primrose@hyacinth] /ipv6/address>

If I ping a public IPv6 host from the bridge interface's IPv6 address, it works as expected, and I get replies:
[primrose@hyacinth] /ipv6/address> /ping interface=bridge 2606:4700:4700::1111
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                
    0 2606:4700:4700::1111                       56  56 11ms488us  echo reply                                            
    1 2606:4700:4700::1111                       56  56 13ms10us   echo reply                                            
    2 2606:4700:4700::1111                       56  56 11ms404us  echo reply                                            
    3 2606:4700:4700::1111                       56  56 18ms635us  echo reply                                            
    4 2606:4700:4700::1111                       56  56 12ms445us  echo reply                                            
    5 2606:4700:4700::1111                       56  56 12ms537us  echo reply                                            
    6 2606:4700:4700::1111                       56  56 13ms186us  echo reply                                            
    sent=7 received=7 packet-loss=0% min-rtt=11ms404us avg-rtt=13ms243us max-rtt=18ms635us 

[primrose@hyacinth] /ipv6/address> 

But if I try to do the same using the "gardenia" VLAN interface, I get a "no route to host" error:
[primrose@hyacinth] /ipv6/address> /ping interface=gardenia 2606:4700:4700::1111      
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                
    0                                                              no route to host                                      
    1                                                              no route to host                                      
    2                                                              no route to host                                      
    3                                                              no route to host                                      
    4                                                              no route to host                                      
    sent=5 received=0 packet-loss=100% 

[primrose@hyacinth] /ipv6/address> 

Clients within this VLAN are also unable to ping public IPv6 addresses, only ones that are on the local VLAN.

I have tried everything, from disabling and enabling IPv6 forward to messing around with the routing table by pointing ::/0 to gardenia to see if that would solve anything, and have spent hours looking at similar issues online on places like Reddit and this forum, but to no avail.

If anyone has any clue what is going on and can assist me, it would be very much appreciated. If any more information is needed to assist, please let me know and I will be happy to provide it.

Thank you in advance for your help.
 
primrose
just joined
Topic Author
Posts: 5
Joined: Sat Jan 06, 2024 5:23 am

Re: Unable to connect to public IPv6 hosts from VLANs  [SOLVED]

Thu Mar 07, 2024 1:36 am

Ended up being that the firewall wasn't allowing the traffic through. I went ahead and put in an allow rule for traffic from the VLAN address spaces, and it now works fine.
