News items for tag ipv6 - Koos van den Hout

2020-08-31 Adding static IPv4 routes for devices that still need those 1 month ago
I decided to have a look whether I can set up the static routes like those needed to get ads-b data out to plane finder via the dhcp server. This works a lot better than having to set those routes by hand after a reboot.

This can be done with the rfc3442 classless static routes extension in DHCP, which isn't supported out of the box by isc dhcpd. But there is support in the dhclient configuration on raspbian, so I only had to add the server side.

All the samples I could find for adding this to the server side added arrays of bytes which is harder to read/comprehend. I had a look at the dhcp-options manpage which showed the option to add a structured record with IPv4 addresses.

Main configuration adding the option:
option rfc3442-classless-static-routes code 121 = array of { integer 8, ip-address, ip-address };
# netmask bit count, destination, via
Specific host configuration using the option with the current address for Which may change!
        host joy {
            hardware ethernet b8:27:eb:ae:ad:47;
            option rfc3442-classless-static-routes 32;
This pushes route to via

Hosts that get this option via dhcp should ignore the default router option so if you need that too you will need to add a route for In my specific usecase I don't want to set a default IPv4 route.

Tags: , , ,
2020-05-04 A fault in my firewall 5 months ago
I have a Synology NAS at home running DSM, so I had a look at the certificate options. According to the documentation it can get a LetsEncrypt certificate so I tried that. And it worked... which wasn't what I expected.

Some testing later found out port 80 tcp was open for every IPv6 address at home. That's now fixed and limited to those few IPv6 addresses that need to be reachable from the outside world.

Browsing the opinions about allowing outside access to the webserver on the Synology versus not allowing it showed me some differing opinions, but an article listening some malware and ransomware targetting Synology systems made me decide to close the system. Looking at the nginx configuration on the Synology gives me the idea some of the web-accessible functionality is available via port 80.

Tags: , ,
2020-03-25 It's 2020 and github doesn't support IP version 6 7 months ago
Several of the machines here at home have IPv4 to the outside world disabled, simply to find every ancient service or program that still lives in the old world. Today I found one of those while installing dehydrated to automatically renew Let's Encrypt certificates.

Indeed, github has no IPv6 support. It tries to be a modern service, but lacks an AAAA record.

The solution is simple: use a webproxy to solve this. The only reason I still have a squid webproxy running is to be able to access IPv4-only http/https services from those hosts, so setting the http proxy in the global git config helped. I'm just surprised github doesn't support IPv6.

Update: After some searching I found Github users have been asking about IPv6 connectivity since at least 2018 and the "solution" is that they currently don't support IPv6 and the request is on some list.

Tags: , ,
2020-01-24 Longest matching IPv6 address selection biting me 9 months ago
Trying to get devuan updates, I see:
Err:5 ascii Release
  404  Not Found [IP: 2001:878:346::116 80]
Err:6 ascii-security Release
  404  Not Found [IP: 2001:878:346::116 80]
Err:7 ascii-updates Release
  404  Not Found [IP: 2001:878:346::116 80]
While has no shortage of IPv6 and IPv4 addresses:
;; ANSWER SECTION:   78083   IN      CNAME         78083   IN      CNAME  845     IN      AAAA    2001:638:a000:1021:21::1  845     IN      AAAA    2a01:4f8:140:1102:2b76:955d:b48f:bdf3  845     IN      AAAA    2001:878:346::116  845     IN      AAAA    2a01:4f8:162:7293::14  845     IN      AAAA    2800:a8:c001::a  845     IN      AAAA    2a01:4f9:2a:fa9::2  845     IN      AAAA    2001:590:3803::31:151  845     IN      AAAA    2001:4ca0:4300::1:19  845     IN      AAAA    2a02:2a38:1:400:422a:422a:422a:422a  845     IN      AAAA    2a0a:e5c0:2:2:400:c8ff:fe68:bef3

;; ANSWER SECTION:   78063   IN      CNAME         78063   IN      CNAME  824     IN      A  824     IN      A  824     IN      A  824     IN      A  824     IN      A  824     IN      A  824     IN      A  824     IN      A  824     IN      A  824     IN      A  824     IN      A
I always get the error for 2001:878:346::116 when connecting. This site seems to have a problem with the devuan mirror at the moment, so I'd like to use another one, but apt keeps going back to the same source. This has to do with IPv6 address destination selection (RFC 3484 / RFC 6724).

A good explanation at IPv6 Destination Address Selection – what, why, how - Karl Auer with:
Rule 9, “use longest matching prefix“, will prefer the candidate destination address that shares the greatest number of contiguous leading bits with the source address that would be chosen for it. Such an address is likely to be topologically closer to the source address.
Indeed that address is close to my home network addresses:
So the "roundr" round robin isn't very round for IPv6 users.

Workaround: reject the address that is giving me problems:
# ip -6 route add unreachable 2001:878:346::116
# apt update
Get:1 ascii InRelease [25.6 kB]
Get:2 ascii-security InRelease [25.6 kB]
Get:3 ascii-updates InRelease [25.6 kB]
Get:5 ascii-security/main Sources [185 kB]
Hit:4 ascii InRelease
Get:6 ascii-security/main amd64 Packages [480 kB]

Tags: , ,
2020-01-17 Added the javascript IPv6 test 9 months ago
With very little javascript programming experience I managed to program a version of the IPv6 inline test that is what I wanted for a while: a simple IPv6 check in the right hand column of my homepage. With credit to the IPv6 test by Iljitsch van Beijnum. A needed test, because we really ran out of IPv4 addresses.

It took a lot of tries and debugging because I have absolutely zero javascript experience. But I learned slowly and managed to get what I want.

This is where I like having test environments. There were a lot of broken versions of the test on a separate minimal test page, then I implemented it on the developer version of my homepage and fixed the last errors in that combination and after that I committed the change to the versioning system and updated the production version which showed the update without problems in one go.

Tags: , ,
2019-12-08 Out of IPv4 addresses, way past time to start using IPv6 10 months ago
Based on the fact that RIPE has really run out of IPv4 addresses it is way overdue to start using IPv6.

To help that I wanted to have a way to show visitors to my site whether they can use the new protocol. The current box on the righthandside is based on the connection with the webserver and most browsers prefer the fastest connection to just give the user the best experience. The so-called 'happy eyeballs'.

But I want to show visitors whether their browser/system/network supports the new Internet protocol. So I'm looking into ways to check for IP versions with Javascript. Ages ago their was a test (mainly to test for systems with broken IPv6 connectivity) but that one is gone and not completely what I want.

So I asked around and Iljitsch van Beijnum responded with his version of the IP version test.

So my current version is at Plan is to add an option to have true/false values in javascript available and make updates to parts of the page using that.

I could imagine turning a page black-and-white if you only have 'old' Internet protocols. I just have to learn a lot more javascript to do that.

Tags: ,
2019-11-21 First setup of the remoterig interfaces 11 months ago
The remoterig set I ordered arrived.

At first I found the box somewhat empty: no manuals. But the entire manual can be found on-line: User manuals - RemoteRig. The manual is about 200 pages so printing it would be a bad idea. The remoterig site is somewhat slow so I downloaded the PDF manual to my computer.

Most of the setup is done via a webinterface, but the initial network setup needs either the right IP addresses hardcoded or a USB connection and the Microbit setup software which is only available for Windows. I did try to see whether one of the four com-ports via USB that showed up would allow me to do a minimal setup via a terminal program but that wasn't true. So I booted Windows to change the units to DHCP. For the radio-side I made an address allocation in the DHCP server, for the client side it is fine to have any usable address.

And for my next minor issue: they only use IPv4. So my inner linux and networking geek is a bit dissapointed, but my inner radio geek will do just fine.

After that bit I went back to Linux, the rest of the software setup is via a webbrowser. For the hardware setup, which is how it connects to the radio (which pin has audio, which pin has power) it needs a number of internal jumpers and jumper wires connected.

Tags: , , ,
2019-09-19 Real IPv6 port scan/network mapping attempts 1 year ago
I noticed some interesting traffic in my home network this morning, an attempt at finding IPv6 systems. Since IPv6 privacy enhancements are enabled on most systems this is exactly like finding a needle in a haystack.

I noticed an amount of outgoing icmpv6 traffic, and looking at the destination addresses and the type of traffic found lots of 'unreachable route' messages to a few Chinese IPv6 addresses. Searching for the netblock '240e:f7:4f01:c' finds more reports of portscanning activity.
10:14:27.761704 IP6 (hlim 239, next-header TCP (6) payload length: 24) 240e:f7:4f01:c::3.12980 > 2001:980:14ca:1:5054:ff:feae:17.902: Flags [S], cksum 0xd0a9 (correct), seq 3726392987, win 29200, options [mss 1460], length 0
10:14:28.278108 IP6 (hlim 239, next-header TCP (6) payload length: 24) 240e:f7:4f01:c::3.19933 > 2001:980:14ca:1:5054:ff:feae:8003.12587: Flags [S], cksum 0xe1cc (correct), seq 95632679, win 29200, options [mss 1460], length 0
10:14:29.219766 IP6 (hlim 239, next-header TCP (6) payload length: 24) 240e:f7:4f01:c::3.41487 > 2001:980:14ca:1:5054:ff:feae:fff2.902: Flags [S], cksum 0x3c31 (correct), seq 500442149, win 29200, options [mss 1460], length 0
10:14:33.637405 IP6 (hlim 239, next-header TCP (6) payload length: 24) 240e:f7:4f01:c::3.35832 > 2001:980:14ca:1:5054:ff:feae:15.902: Flags [S], cksum 0xa6ea (correct), seq 2324914849, win 29200, options [mss 1460], length 0
10:14:34.468975 IP6 (hlim 239, next-header TCP (6) payload length: 24) 240e:f7:4f01:c::3.12470 > 2001:980:14ca:42::ffe8.16992: Flags [S], cksum 0x5a72 (correct), seq 3249792078, win 29200, options [mss 1460], length 0
10:14:34.469038 IP6 (flowlabel 0x63971, hlim 64, next-header ICMPv6 (58) payload length: 72) 2001:980:14ca:61::13 > 240e:f7:4f01:c::3: [icmp6 sum ok] ICMP6, destination unreachable, unreachable route 2001:980:14ca:42::ffe8
10:14:35.230776 IP6 (hlim 239, next-header TCP (6) payload length: 24) 240e:f7:4f01:c::3.63145 > 2001:980:14ca:1:20d:56ff:fece:8006.19: Flags [S], cksum 0xb87b (correct), seq 4259180220, win 29200, options [mss 1460], length 0
10:14:35.952841 IP6 (hlim 239, next-header TCP (6) payload length: 24) 240e:f7:4f01:c::3.9056 > 2001:980:14ca:42::8013.16992: Flags [S], cksum 0xbb3b (correct), seq 2896438720, win 29200, options [mss 1460], length 0
10:14:35.952880 IP6 (flowlabel 0x63971, hlim 64, next-header ICMPv6 (58) payload length: 72) 2001:980:14ca:61::13 > 240e:f7:4f01:c::3: [icmp6 sum ok] ICMP6, destination unreachable, unreachable route 2001:980:14ca:42::8013

Tags: , ,
2019-08-01 IPv6 growing up: ssh attempts to an inside machine 1 year ago
IPv6 is growing up: I saw an ssh attempt to an inside machine, reachable only via IPv6. The source was a Chinese IPv6 address which had not tried anything on any other public service.
Jul 30 18:39:02 ritchie sshd[27454]: Bad protocol version identification '\026\003\001' from 240e:d9:d800:200::212 port 44926

Tags: , ,
2019-07-26 My Android phone gets an IPv6 address from t-mobile... but no routing 1 year ago
I just noticed in Network Info II that my android phone does get an IPv6 address from t-mobile. The address is something like 2a02:498:1fe1:9a02:2:3:xxxx:xxxx which is indeed in IPv6 address space allocated to T-Mobile Netherlands.
% Information related to '2a02:498::/29'

inet6num:       2a02:498::/29
netname:        NL-T-MOBILE-20080609
country:        NL
So I tested directly whether I could make an IPv6 connection to my website, but it fell back to IPv4. Network Info II saw no IPv6 route on the phone, but in later checking I also saw no IPv6 route when connected to the wifi at home, where IPv6 works fine. And doing a traceroute to that address from home shows that a core router at xs4all says network unreachable:
 3 (2001:888:1:4032::1)  6.105 ms !N  6.063 ms !N *
So T-Mobile has activated some IPv6 address management in their network, but stopped at that point.

Tags: , ,
2019-06-20 De afhankelijkheid van xs4all verminderen 1 year ago
Sinds april 1993 heb ik een xs4all login account (ja, van voor de start, mijn account is met de hand aangemaakt door Rop Gonggrijp). Sinds begin 1992 had ik al een xs4all uucp account voor, tegenwoordig omgezet naar een bsmtp account (waarbij mail binnenkomt bij de xs4all mailservers en na de spamfiltering doorgestuurd wordt naar mijn server). Maar met de laatste plannen van KPN om het merk xs4all te gaan stoppen en zaken samen te voegen ben ik toch bang dat de unieke redenen om daar te blijven langzaam zullen vervallen.

Wat ik nodig heb is een plek met vast IPv4/IPv6 en een aardige uplink snelheid. Via xs4all kan dat gewoon thuis, maar misschien is op den duur een virtuele private server en een goedkope thuisaansluiting met daartussen een vorm van vpn ook een werkende oplossing.

Dus dan is het ook tijd om langzaam minder afhankelijk te worden van de bsmtp service voor en langzaam maar zeker mijn eigen domeinnaam voor e-mail in te voeren als primair adres. Wie weet heeft de bsmtp dienst bij KPN ook niet het eeuwige leven. De extra opties die van xs4all een goede provider maken voor een hobbyist zitten bij andere providers vaak in een zakelijk pakket of worden niet aangeboden.

Ik kon altijd beweren dat ik het e-mail adres wat ik gebruik gewoon ouder was dan spam e-mail.

Tags: , ,
2018-12-30 First annoyance with systemd on thompson 1 year ago
On reinstalling thompson I was not sure whether to pick ubuntu (with lots of package support for amateur radio) or devuan (without systemd). I chose ubuntu to keep access to lots of amateur radio packages but as expected the first systemd problem already got me. Names in the internal network with RFC1918 addresses weren't resolvable.

After some searching I found out systemd-resolved had decided the last nameserver advertised via IPv6 was the one to use. As I could not find a lot of information on how to do the ordering I just decided to kick it all out and switch to normal resolving. Some searching found How to disable systemd-resolved in Ubuntu? - ask ubuntu which has the right steps. Back to somewhat normal, the next step is to convince NetworkManager to use IPv6 resolving before IPv4.

Tags: , , ,
2018-12-07 Trying to kick spamassassin and perl into the 21st century and prefer IPv6 for DNS traffic 1 year ago
Or in short: Perl considered harmful

I want applications to use and prefer IPv6 whenever possible, so I have a /etc/resolv.conf with IPv6 addresses of the nameserver(s) listed first. But I noticed queries from the spamassassin processes still coming in over the legacy IP protocol. Even when listing them in order in /etc/spamassassin/ spamassassin prefers IPv4. And I want it to prefer IPv6 without leaving out IPv4. I like the redundancy but I want to change the preference. Also: I only want to maintain the list of nameservers in /etc/resolv.conf and not in other locations.

I wrote a simple test program to understand what the perl Net::DNS::Resolver is doing. With a standard test program like:
#!/usr/bin/perl -wT

use strict;
use Net::DNS;
my $resolver = new Net::DNS::Resolver();

print join ' ', $resolver->nameservers();

print "\n";
The IPv4 addresses will be listed first, independent of the order in /etc/resolv.conf. Only after changing to:
#!/usr/bin/perl -wT

use strict;
use Net::DNS;
my $resolver = new Net::DNS::Resolver();

print join ' ', $resolver->nameservers();

print "\n";
I will see the IPv6 resolver listed first. But now to convince spamassassin to do the same. Browsing the Net::DNS::Resolver shows the RES_OPTIONS="inet6" option but does not document it. This option confuses spamassassin when starting:
export RES_OPTIONS="inet6"
root@gosper:/etc/default# service spamassassin restart
Restarting SpamAssassin Mail Filter Daemon: Bad arg length for NetAddr::IP::Util::mask4to6, length is 128, should be 32 at /usr/lib/x86_64-linux-gnu/perl5/5.24/NetAddr/IP/ line 647.
Compilation failed in require at /usr/lib/x86_64-linux-gnu/perl5/5.24/NetAddr/ line 8.
BEGIN failed--compilation aborted at /usr/lib/x86_64-linux-gnu/perl5/5.24/NetAddr/ line 8.
Compilation failed in require at /usr/share/perl5/Mail/SpamAssassin/ line 70.
BEGIN failed--compilation aborted at /usr/share/perl5/Mail/SpamAssassin/ line 70.
Compilation failed in require at /usr/share/perl5/Mail/SpamAssassin/ line 85.
BEGIN failed--compilation aborted at /usr/share/perl5/Mail/SpamAssassin/ line 85.
Compilation failed in require at /usr/share/perl5/Mail/ line 71.
BEGIN failed--compilation aborted at /usr/share/perl5/Mail/ line 71.
Compilation failed in require at /usr/sbin/spamd line 240.
BEGIN failed--compilation aborted at /usr/sbin/spamd line 240.
So that was a bad idea and is not the answer. Looking at the resolv.conf manpage shows that the option indeed does different things which explains why that was wrong.
  inet6  Sets RES_USE_INET6 in _res.options.  This has the
		 effect of trying an AAAA query before an A query inside
		 the gethostbyname(3) function, and of mapping IPv4
		 responses in IPv6 "tunneled form" if no AAAA records
		 are found but an A record set exists.  Since glibc
		 2.25, this option is deprecated; applications should
		 use getaddrinfo(3), rather than gethostbyname(3).
So if I want perl programs to do what I want, I have to change every one of them to set $resolver->prefer_v6(1);. There is no sane default or a global "get into the 21st century" flag.

Changing /usr/share/perl5/Mail/SpamAssassin/ to include $res->prefer_v6(1); does help, but will need to be redone when updating spamassassin.

Tags: , , ,
2018-05-03 The preferring IPv6 policy is working 2 years ago
Yesterday I changed some IPv4 addresses on virtual machines on the new homeserver to make autofs work. This is a known issue with autofs: autofs does not appear to support IPv6 hostname lookups for NFS mounts - Debian Bug #737679 and for me the easy solution is to do NFS mounts over rfc1918 ipv4 addresses. I prefer autofs over 'fixed' NFS mounts for those filesystems that are nice to be available but aren't needed constantly.

It took about 9 hours before arpwatch on the central router noticed the new activity. I guess the policy to try to do everything over IPv6 is working.

Tags: , , ,
2018-04-06 Keeping squid webproxy running for network mismatches 2 years ago
I considered stopping using squid when upgrading to the new homeserver but I have now changed that decision: I need to keep it running for applications that want to do http connections to IPv6-only systems but can't handle those. There are some old scripts running that need it but it's also the way to fix the problem I noticed with linuxcounter.

Tags: , ,
2017-10-11 Haproxy on the new home server and devuan upgrades 3 years ago
I got around again to working on the new homeserver 2017 and I worked on the installation of a 'testing' virtual machine with virt-install. This test machine also runs devuan linux. The first application I was testing on there is haproxy.

haproxy I noticed some defaults I did not expect (such as preferring IPv4 over IPv6). It seems the 'stable' devuan has the same age issues as 'stable' debian. Otherwise haproxy does what it is supposed to and I may standardize on it.

Upgrading was easy, I looked at Upgrading Devuan Jessie to Ascii and just changed jessie to ascii in /etc/apt/sources.list and did an apt-get dist-upgrade. The only minor issue afterwards is that the system now insists on using framebuffer video, which I find overkill for a virtual machine. VGA 80x25 is fine.

Tags: , , ,
2017-10-09 Interesting NFS exports problem 3 years ago
I am used to being unable to unmount filesystems as long as they are NFS exported. It took me a while to find out how to correctly unexport filesystems before trying to unmount them. The easy solution would be to unexport everything and just export the other filesystems, but I'd rather not interrupt NFS availability of other filesystems.

So it was time to check some large filesystems again and I'd rather not do that during boot as it can delay booting for up to an hour. Currently those filesystems are exported via IPv4 and IPv6. Removing the export for IPv4 is easy:
# exportfs -u
But for IPv6 it gets harder:
# exportfs -u 2001:db8:a::/64:/export
exportfs: Invalid unexporting option: 2001
So it is still exported via IPv6. And next thing I try to unmount it and notice it's ok to unmount a filesystem that is only exported via IPv6. I guess this shows some interesting bug.

Tags: , ,
2017-09-28 Duelling standards and anti-spam measures 3 years ago
In today's mail problems:
   ----- Transcript of session follows -----
... while talking to
>>> DATA
<<< 450 4.7.26 Service does not accept messages sent over IPv6 [2001:980:14ca:61::13] unless they pass either SPF or DKIM validation (message not signed) []
<>... Deferred: 450 4.7.26 Service does not accept messages sent over IPv6 [2001:980:14ca:61::13] unless they pass either SPF or DKIM validation (message not signed) []
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old
Rerouting mail for via xs4all servers in the hopes of getting it delivered.

Some research shows me that the xs4all outgoing mailservers ( do offer incoming connectivity via IPv6 but don't connect to the IPv6 addresses of mailservers they are trying to reach.

Tags: , ,
2017-07-17 Now NetworkManager generates resolv.conf .. and starts with legacy IP 3 years ago
I removed rdnssd and resolvconf and fixed the symlink linking /var/run/NetworkManager/resolv.conf and /etc/resolv.conf by hand. The file /etc/NetworkManager/NetworkManager.conf now says:
But now I run into the 'NetworkManager prefers IPv4 resolvers' again, leaving me with the resolvers from the DHCP answer before those from the IPv6 route advertisment. The search domains are fine now.

Tags: , ,
2017-07-15 More resolving via IPv6 3 years ago
I was reading Debian Stretch - Het Lab Henk van de Kamer (in Dutch) which mentions removing package rdnssd to avoid a dependency problem. But I like rdnssd as it helps use the nameservers available via IPv6 in a network with only SLAAC and no DHCPv6.

Right away I had to check on my own laptop with Ubuntu 16.04 and noticed all traffic was going to the IPv4 address of the local resolver. Which is not what I want, I want to prefer IPv6 when possible. Searching found Bug #936712 “NetworkManager should put IPv6 DNS servers before I...” : Bugs : network-manager package : Ubuntu which is indeed what I saw, and it's still showing in Ubuntu 16.04 Xenial.

My solution was to stop using dnsmasq, and switch to a generated resolv.conf from NetworkManager. To do that I had to update /etc/NetworkManager/NetworkManager.conf to have:
And now I have a resolv.conf with only 3 IPv6 nameservers and no search domains. Not exactly what I want, but at least IPv6 is preferred. I considered something using only the first three resolvers because that is a maximum somewhere but just advertising two resolvers via radvd also makes two show up in the generated resolv.conf. This is not perfect. The generated resolv.conf has comments that it is generated by resolvconf so maybe this is a conflict between resolvconf and NetworkManager not in 'use resolvconf' mode.

Tags: , ,
  Older news items for tag ipv6 ⇒
, reachable as PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers pgp key statistics for 0x5BA9368BE6F334E4 Koos van den Hout
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews