IPv6 only works after pinging the default gateway.

We now have 2013 and I thought it is long overdue to activate IPv6 on my server. But unfortunately, I ran in some problems. To be honest I only have litte experience with IPv6 So I hope you can help me with my "small" problem.

A small remark: The following addresses are obfuscated, it is not what I've used in my configs ;)

I am running a Debian squeeze (Debian 2.6.32-46) and I got a /64 IPv6 block from my provider: 2a01:4f8:a0:aaaa::/64

So I changed the /etc/network/interfaces file as follows (which is also the way my provider recommends it):

# Loopback device:
auto lo
iface lo inet loopback

# device: eth0
auto  eth0
iface eth0 inet static
  address   85.10.xxx.zz
  broadcast 85.10.xxx.yy
  netmask   255.255.255.224
  gateway   85.10.xxx.1


iface eth0 inet6 static
  # Main IPv6 Address of the server
  address 2a01:4f8:a0:aaaa::2
  netmask 64
  gateway fe80::1


auto eth0:1
iface eth0:1 inet static
        address 85.10.xxxx.uu
        netmask 255.255.255.224

# default route to access subnet
up route add -net 85.10.xxx.0 netmask 255.255.255.224 gw 85.10.xxx.1 eth0

After a reboot (I am lazy and don't wanted to add everyhthing using route or ip) my eth0 interface looks like this:

eth0      < first line removed >  
          inet addr:85.10.xxx.zz  Bcast:85.10.xxx.yy  Mask:255.255.255.224
          inet6 addr: 2a01:4f8:a0:aaaa::2/64 Scope:Global
          inet6 addr: fe80::bbbb:cccc:dddd:eeee/64 Scope:Link <--- from MAC address
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24133 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21712 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3464246 (3.3 MiB)  TX bytes:5776451 (5.5 MiB)
          Interrupt:25 Base address:0x2000 

and the routes ip -6 route look like this:

2a01:4f8:a0:aaaa::/64 dev eth0  metric 1024  mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev vboxnet0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
default via fe80::1 dev eth0  metric 1024  mtu 1500 advmss 1440 hoplimit 4294967295

Now, my problem is that my IPv6 isn't working properly. If I try to ping an IPv6 address e.g. ping6 ipv6.google.com. I get: "Destination unreachable: Address unreachable"

Which looks like this in tcpdump -i eth0 ip6:

00:29:05.386500 IP6 2a01:4f8:a0:aaaa::2 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has fe80::1, length 32
00:29:05.390869 IP6 2a01:4f8:a0:bbbb::1 > 2a01:4f8:a0:aaaa::2: ICMP6, neighbor advertisement, tgt is fe80::1, length 32

2a01:4f8:a0:bbbb::1 is btw. listed as my gateway (at my provider's online admin console).

I think, the reason for all this is the missing NDP entry / the missing MAC address of fe80::1. Because ip -6 neigh gives me:

fe80::1 dev eth0  router FAILED 

I think so because if I do: ping6 -I eth0 fe80::1 I get a proper echo reply and the desired mac address for my fe80::1 address as well as a perfectly working IPv6 stack:

$ip -6 neigh
fe80::1 dev eth0 lladdr ll:mm:nn:oo:pp:qq router REACHABLE

Here is also again the dump from tcpdump -i eth0 ip6:

00:30:37.555702 IP6 fe80::bbbb:cccc:dddd:eeee > fe80::1: ICMP6, echo request, seq 1, length 64
00:30:37.560219 IP6 fe80::1 > fe80::bbbb:cccc:dddd:eeee: ICMP6, echo reply, seq 1, length 64

(again: fe80::bbbb:cccc:dddd:eeee is my link-local address, derived from the MAC address)

From this point on, I can use IPv6: I can ping6 websites, I can connect to services using IPv6 or even connect to my server via ssh using IPv6.

So, what am I doing wrong here? I've spend a lot of time trying to find out how to "fix" this. I bet it can be solved using two commands. This is by the way the first time I am dealing with IPv6 on a server. So please forgive me for my inexperience. Btw. I also tried to alter some sysctl net.ipv6.* flags, but without success. If it is necessary for the solution, I can also post my configuration here.

Every hint is more than welcome!

Thank you very much in advance!

Which would be the gateway's IP address: 2a01:4f8:a0:bbbb::1. I already tried that. Unfortunately, that does not work either.

You sure about that? That's on a different subnet than your IP address.

You mean if I am sure about the address? I know what you mean, but that's what I've got from my provider. Just for fun I try the same network with ::1. Don't know why I haven't tried that yet.

UPDATE: 2a01:4f8:a0:aaaa::1 (same subnet) does not work either.

This isn't the Hetzner network is it? They have some weird configuration for IPv6 (such as default gateway outside your assigned subnet)

Oh yes, if it's Hetzner all bets are off; they do so much strange stuff that your best bet is to have them sort it.

Thank you for your response. At the beginning I had no firewall running at all. Later on I activated ip6tables and inserted: -A INPUT -p ipv6-icmp -j ACCEPT. But neither of this approaches worked. There is no other firewall configured. Only shorewall which is for IPv4 only since shorewall6 deals with IPv6. And it does not really make sense at all, because it works like a charm after pining fe80::1. If I send a packet to fe80::1 with ping6 -I eth0 fe80::1 I see other packages in tcpdump i.e. a neighbor solicitation from my link local address and not the global one, as I mentioned before.

Using link-local for neighbor solicitation messages is perfectly fine and nothing to worry about. Something makes your machine ignore certain incoming ICMPv6 messages though... Might be a kernel bug, might be something else...

Yes: contact Hetzner. They made a mess of their IPv6 setup so only they know how to solve it (probably)

Because Debian is crazy for not already having that in there?

The file was provided by hetzner: "### Hetzner Online AG - installimage" But it is definitely my fault, not seeing it in the first place :D.

Bizarre things happen when the loopback interface isn't configured. We can add this to the list, I suppose... :)

This is not correct. While the gateway address is generally in the same subnet, this is not a requirement for IPv6.

@wds And then how do you reach the gateway?

@MichaelHampton I got it slightly turned around, the on-link assumption does hold for your prefix (only in absence of routers it doesn't work). But anyway, you don't need any of that. The prefix can be advertised as on-link (after RS to the sollicited-node mc address), there's static configuration (obviously), or as this provider does, you use a link-local address on the internal link of your router. You seem to suggest there's something wrong with that last one, but the link-local address is an actual address, and works fine for routing.

@wds fe80::1 should work, but we don't live in a perfect world. I've seen quite a few routers which utterly fail to respond to it.

@MichaelHampton presumably, an ISP that tells you to use a certain address will make sure that address is working and the router is routing traffic incoming on that interface.

@wds With most service providers, that may be true. This is Hetzner. A brief Internet search - or even search of this site - will reveal just how bizarre and messed up their network is.

I'm not sure this adds anything to Sander Stefann's existing answer, and from the comments on that, we know that it didn't fix the OP's problem.