IPv6 broken on forum?

forum

#1

Hello,

I just noticed forum.f-droid.org has an AAAA record but it seems I can’t connect using IPv6:

*   Trying 2a00:c6c0:0:151:3::53...
* TCP_NODELAY set
* connect to 2a00:c6c0:0:151:3::53 port 443 failed: No route to host
* Failed to connect to forum.f-droid.org port 443: No route to host
* Closing connection 0
curl: (7) Failed to connect to forum.f-droid.org port 443: No route to host

Is something broken?


#2

@hans Do you know what happened to the IPv6 address of that machine?


#3

IPv6 is active on that box, perhaps it is something in the Docker setup?

$ host -t AAAA forum.f-droid.org
forum.f-droid.org has IPv6 address 2a00:c6c0:0:151:3::53
$ ping6 forum.f-droid.org
PING forum.f-droid.org(2a00:c6c0:0:151:3::53) 56 data bytes
64 bytes from 2a00:c6c0:0:151:3::53: icmp_seq=1 ttl=64 time=1.47 ms
64 bytes from 2a00:c6c0:0:151:3::53: icmp_seq=2 ttl=64 time=0.242 ms
64 bytes from 2a00:c6c0:0:151:3::53: icmp_seq=3 ttl=64 time=0.247 ms
64 bytes from 2a00:c6c0:0:151:3::53: icmp_seq=4 ttl=64 time=0.219 ms
64 bytes from 2a00:c6c0:0:151:3::53: icmp_seq=5 ttl=64 time=0.288 ms

Then on the box itself:

$ ip address | grep 2a00:c6c0:0:151:3::53
    inet6 2a00:c6c0:0:151:3::53/64 scope global 

#4

Oh, so you can ping6 it?

It does not work for me:

PING forum.f-droid.org(2a00:c6c0:0:151:3::53 (2a00:c6c0:0:151:3::53)) 56 data bytes
From 2a02:27f0:2:420::2 (2a02:27f0:2:420::2): icmp_seq=1 Destination unreachable: Address unreachable
From 2a02:27f0:2:420::2 (2a02:27f0:2:420::2): icmp_seq=2 Destination unreachable: Address unreachable
From 2a02:27f0:2:420::2 (2a02:27f0:2:420::2): icmp_seq=3 Destination unreachable: Address unreachable
From 2a02:27f0:2:420::2 (2a02:27f0:2:420::2): icmp_seq=4 Destination unreachable: Address unreachable

--- forum.f-droid.org ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 67ms

#5

@hans I agree with @Rudloff, I can neither ping the IPv6 address:

$ ping 2a00:c6c0:0:151:3::53
PING 2a00:c6c0:0:151:3::53(2a00:c6c0:0:151:3::53) 56 data bytes
From 2a02:27f0:2:420::2: icmp_seq=1 Destination unreachable: Address unreachable
From 2a02:27f0:2:420::2: icmp_seq=2 Destination unreachable: Address unreachable
From 2a02:27f0:2:420::2: icmp_seq=3 Destination unreachable: Address unreachable

Though, Docker seems to listen on all IPv4 and IPv6 addresses:

netstat -tunlp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
[...]
[...]
tcp6       0      0 :::80                   :::*                    LISTEN      11864/docker-proxy
[...]
tcp6       0      0 :::443                  :::*                    LISTEN      11850/docker-proxy

Therefore I think the box doesn’t have the IPv6 address attached.


#6

Oh, I might have ping6’ed it from a box on the same network. So it seems like a routing issue then. The IPv6 address is definitely there and active.


#7

Yes, from here it also gets as far as “IX Reach Ltd” (2a02:27f0:2:420::2):

% traceroute6 -n  forum.f-droid.org
traceroute to forum.f-droid.org (2a00:c6c0:0:151:3::53), 30 hops max, 80 byte packets
 1  2001:67c:2f24:130::1  0.120 ms  0.146 ms  0.127 ms
 2  2001:67c:2f24:20::1  0.444 ms  0.479 ms  0.459 ms
 3  2a00:c30:bbbb:10::15  0.729 ms  0.714 ms  0.676 ms
 4  2003:0:1307:4009::1  14.625 ms  14.609 ms  14.588 ms
 5  2001:470:0:45d::2  14.929 ms  14.909 ms  15.300 ms
 6  2001:470:0:45d::1  14.582 ms  14.471 ms  14.448 ms
 7  2001:470:0:404::1  14.653 ms  14.559 ms  14.686 ms
 8  2001:470:1:33f::2  28.518 ms  28.281 ms  28.242 ms
 9  2a02:27f0:0:3087::  28.001 ms  28.011 ms  28.022 ms
10  2a02:27f0:0:3033::197  28.412 ms  28.237 ms  28.283 ms
11  2a02:27f0:2:420::2  21.146 ms  21.304 ms  21.349 ms
12  2a02:27f0:2:420::2  506.124 ms !H  506.110 ms !H  506.148 ms !H

I’ve contacted IX Reach Ltd, and they replied:

"Checking this it looks like this address has been blocked by our downstream customer.

Unfortunately we’re unable to provide much more information and you’d need to contact them to see why this is the case"


#8

I’ve also contacted support _AT_ greenhost.nl, and they confirmed they’ve had some IPv6 issues and have applied vendor workaround while they wait for more permanent fix. It should be working now.

@Rudloff, could you test if it works for you now?

They’d also like to know if/when it stops working again, so feel free to contact them directly if it breaks again


#9

I confirm it works correctly now, thanks!


#10

@mnalis Thank you a lot for fixing our setup and handling the issue! Thanks also to you, @Rudloff, for reporting the issue!