I have a server that I'm pulling my hair out with. After a total reinstall, IPv6 works fine until I reboot the system. After that, it only ever picks up the suffix address:

```
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 0c:c4:7a:8f:66:10 brd ff:ff:ff:ff:ff:ff
    inet removed/23 brd 45.77.111.255 scope global dynamic enp1s0
       valid_lft 86365sec preferred_lft 86365sec
    inet6 fe80::ec4:7aff:fe8f:6610/64 scope link 
       valid_lft forever preferred_lft forever
```

:ec4:7aff:fe8f:6610 is the correct suffix of the ipv6 address that has been assigned to this server. But no matter what I do, after the reboot, I cannot get it to pick up the full address from the router again.

My /etc/sysconfig/network-scripts/enp1s0 file is pretty simple:

```
DEVICE="enp1s0"
BOOTPROTO="dhcp"
ONBOOT="yes"
TYPE="Ethernet"
NM_CONTROLLED="no"
IPV6_AUTOCONF="yes"
IPV6INIT="yes"
NOZEROCONF="yes"
ZONE=public
```

This is unmodified from the "out of the box" working state, so I expect it to be correct.

I do run some commands in my setup script to prepare the firewall, which is the only thing I suspect could be to blame:

```
firewall-cmd --zone=public --change-interface=enp1s0 --permanent;
firewall-cmd --zone=public --remove-service=ssh --permanent;
firewall-cmd --zone=public --add-port=<other port for ssh>/tcp --permanent;
firewall-cmd --reload;
```

But unless changing the zone on the interface removes vital information from ifcfg-enp1s0, I don't see how this could be to blame.

I really don't want to use static addressing because dynamic addressing works fine out of the box; I want to figure out how I'm breaking it.

Update: Output of firewall-cmd --list-all is

```
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources: 
  services: dhcpv6-client http https
  ports: <redacted>/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
```

  • That's not a "suffix", it's a link-local address. Anyway, what is your firewall config? And what is the state of the interface after you run `ifdown enp1s0; ifup enp1s0`? – Michael Hampton Aug 29 '18 at 14:42
  • @MichaelHampton No change after restarting the interface with that command. I know that's a link-local address, but the reason I say suffix is because the full address the server has been assigned is `2001:19f0:5:5435:0ec4:7aff:fe8f:6610`, so there's no chance in hell that's just a coincidence. It's getting the tail-end of the address from somewhere. – Thom McGrath Aug 29 '18 at 14:49
  • That's modified EUI-64 format. It's derived from the interface MAC address. But there's no reason it must be the same for all IPv6 addresses on the interface. The system could be using privacy addresses, stable privacy, DHCPv6, manual assignment, who knows what else. So what is your firewall configuration? – Michael Hampton Aug 29 '18 at 14:55
  • @MichaelHampton Ah, I didn't even notice that. Ok I learned something new already. I'm not sure which firewall output I can give you, but `firewall-cmd --list-all` says `see OP` -edit: Looks like the comment gloriously screwed up formatting. I'll put it in the OP. – Thom McGrath Aug 29 '18 at 15:02
  • Hmm. I noticed you're on Vultr. You are aware that they only support manual address assignment? If you got an IPv6 address from RA, I wouldn't expect that to actually work properly. – Michael Hampton Aug 29 '18 at 15:10
  • @MichaelHampton Their docs are out of date. Any server I spin up has ipv6 working without manual assignment. This one has been working fine for the past 2 weeks until I restarted it yesterday. – Thom McGrath Aug 29 '18 at 15:12
  • Did you file a support ticket with them, then? That should be your first stop before coming here or any other third party forum. If their docs really are out of date, then they ought to be updated. If their docs are correct and they didn't intend for customers to get working SLAAC addresses, then they can tell you that too. – Michael Hampton Aug 29 '18 at 15:19
  • @MichaelHampton Yeah, I've done a ticket. They don't really care. They tell me it's a self-managed instance and to reinstall the server. That doesn't help me figure out what is wrong so I can avoid it happening a third time. – Thom McGrath Aug 29 '18 at 15:23
  • I would escalate, then. That's not proper support. – Michael Hampton Aug 29 '18 at 15:23
  • You should check `ip6tables-save -c`'s output directly. If ICMPv6 is blocked, then IPv6 won't work correctly: RA, autoconfig etc. will fail and no IP(v6) address besides the default link-local will exist. The IPv4 equivalent would be to have blocked ARP. Check this Q&A too: https://serverfault.com/questions/769374/firewalld-blocks-ipv6-ignores-config – A.B Aug 31 '18 at 19:55
  • Thanks @A.B but I've seen that question already. The output includes `[17598:1140528] -A INPUT_direct -p ipv6-icmp -j ACCEPT` because I've done that step. Best I can tell, ICMPv6 is not being blocked by the firewall. – Thom McGrath Sep 04 '18 at 03:26

0 Answers