ipv6 not working on servers*It's Over*

I am having problems with ipv6 not working on my websites even though the server has ipv6 active.
IPv6 validation for http://etc-md.com

Tested on Thu, 12 Jan 2017 19:55:48 GMT AAAA DNS record 2604:4100:2:7::2 IPv6 web server web server is unreachable : No route to host

never mind

Status: 
Closed (cannot reproduce)

Comments

I am also checking with my ip provider. I noticed the ipv6 interface has nothing on it...these addies are bound to the ipv4 interface as additional ip addresses.

[root@dedi ~]# nslookup

set q=any etc-md.com Server: 127.0.0.1 Address: 127.0.0.1#53

etc-md.com text = "v=spf1 include:_spf.google.com ~all" etc-md.com mail exchanger = 10 ALT4.ASPMX.L.GOOGLE.com. etc-md.com mail exchanger = 10 ALT3.ASPMX.L.GOOGLE.com. etc-md.com mail exchanger = 1 ASPMX.L.GOOGLE.com. etc-md.com mail exchanger = 5 ALT2.ASPMX.L.GOOGLE.com. etc-md.com mail exchanger = 5 ALT1.ASPMX.L.GOOGLE.com. etc-md.com has AAAA address 2604:4100:2:7::2 etc-md.com origin = ns1.etc-md.com mail addr = root.ns1.etc-md.com serial = 1465080916 refresh = 10800 retry = 3600 expire = 604800 minimum = 38400 etc-md.com nameserver = ns2.etc-md.com. etc-md.com nameserver = ns1.etc-md.com. Name: etc-md.com Address: 199.15.253.2

hotmail.com ;; Truncated, retrying in TCP mode. Server: 199.15.253.34 Address: 199.15.253.34#53

Non-authoritative answer: hotmail.com origin = ns1.msft.net mail addr = msnhst.microsoft.com serial = 2016120502 refresh = 7200 retry = 900 expire = 2419200 minimum = 3600 Name: hotmail.com Address: 65.55.85.12 Name: hotmail.com Address: 157.56.172.28 Name: hotmail.com Address: 65.55.77.28 hotmail.com text = "v=spf1 include:spf-a.outlook.com include:spf-b.outlook.com ip4:157.55.9.128/25 include:spf.protection.outlook.com include:spf-a.hotmail.com include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com ~all" hotmail.com mail exchanger = 5 mx1.hotmail.com. hotmail.com mail exchanger = 5 mx2.hotmail.com. hotmail.com mail exchanger = 5 mx3.hotmail.com. hotmail.com mail exchanger = 5 mx4.hotmail.com. hotmail.com nameserver = ns3.msft.net. hotmail.com nameserver = ns4.msft.net. hotmail.com nameserver = ns1.msft.net. hotmail.com nameserver = ns2.msft.net.

Authoritative answers can be found from: hotmail.com nameserver = ns2.msft.net. hotmail.com nameserver = ns3.msft.net. hotmail.com nameserver = ns4.msft.net. hotmail.com nameserver = ns1.msft.net. mx1.hotmail.com internet address = 104.44.194.231 mx1.hotmail.com internet address = 104.44.194.232 mx1.hotmail.com internet address = 104.44.194.233 mx1.hotmail.com internet address = 104.44.194.234 mx1.hotmail.com internet address = 104.44.194.235 mx1.hotmail.com internet address = 104.44.194.236 mx1.hotmail.com internet address = 104.44.194.237 mx1.hotmail.com internet address = 134.170.2.199 mx1.hotmail.com internet address = 207.46.8.167 mx1.hotmail.com internet address = 65.54.188.72 mx1.hotmail.com internet address = 65.54.188.126 mx1.hotmail.com internet address = 65.55.33.119 mx1.hotmail.com internet address = 65.55.33.135 mx1.hotmail.com internet address = 65.55.37.72 mx1.hotmail.com internet address = 65.55.37.88 mx1.hotmail.com internet address = 65.55.37.104 mx1.hotmail.com internet address = 65.55.92.136 mx1.hotmail.com internet address = 65.55.92.168 mx1.hotmail.com internet address = 65.55.92.184 mx2.hotmail.com internet address = 65.55.37.120 mx2.hotmail.com internet address = 65.55.92.136 mx2.hotmail.com internet address = 65.55.92.152 mx2.hotmail.com internet address = 65.55.92.184 mx2.hotmail.com internet address = 104.44.194.231 mx2.hotmail.com internet address = 104.44.194.232 mx2.hotmail.com internet address = 104.44.194.233 mx2.hotmail.com internet address = 104.44.194.234 mx2.hotmail.com internet address = 104.44.194.235 mx2.hotmail.com internet address = 104.44.194.236 mx2.hotmail.com internet address = 104.44.194.237 mx2.hotmail.com internet address = 207.46.8.167 mx2.hotmail.com internet address = 207.46.8.199 mx2.hotmail.com internet address = 65.54.188.72 mx2.hotmail.com internet address = 65.54.188.94 mx2.hotmail.com internet address = 65.54.188.126 mx2.hotmail.com internet address = 65.55.33.135 mx2.hotmail.com internet address = 65.55.37.88 mx2.hotmail.com internet address = 65.55.37.104 mx3.hotmail.com internet address = 65.55.92.136 mx3.hotmail.com internet address = 65.55.92.152 mx3.hotmail.com internet address = 65.55.92.168 mx3.hotmail.com internet address = 104.44.194.231 mx3.hotmail.com internet address = 104.44.194.232 mx3.hotmail.com internet address = 104.44.194.233 mx3.hotmail.com internet address = 104.44.194.234 mx3.hotmail.com internet address = 104.44.194.235 mx3.hotmail.com internet address = 104.44.194.236 mx3.hotmail.com internet address = 104.44.194.237 mx3.hotmail.com internet address = 207.46.8.167 mx3.hotmail.com internet address = 207.46.8.199 mx3.hotmail.com internet address = 65.54.188.72 mx3.hotmail.com internet address = 65.54.188.94 mx3.hotmail.com internet address = 65.54.188.110 mx3.hotmail.com internet address = 65.55.33.119 mx3.hotmail.com internet address = 65.55.37.72 mx3.hotmail.com internet address = 65.55.37.104 mx3.hotmail.com internet address = 65.55.37.120 mx4.hotmail.com internet address = 104.44.194.234 mx4.hotmail.com internet address = 104.44.194.235 mx4.hotmail.com internet address = 104.44.194.236 mx4.hotmail.com internet address = 104.44.194.237 mx4.hotmail.com internet address = 134.170.2.199 mx4.hotmail.com internet address = 207.46.8.199 mx4.hotmail.com internet address = 65.54.188.94 mx4.hotmail.com internet address = 65.54.188.110 mx4.hotmail.com internet address = 65.55.33.119 mx4.hotmail.com internet address = 65.55.33.135 mx4.hotmail.com internet address = 65.55.37.72 mx4.hotmail.com internet address = 65.55.37.88 mx4.hotmail.com internet address = 65.55.37.120 mx4.hotmail.com internet address = 65.55.92.152 mx4.hotmail.com internet address = 65.55.92.168 mx4.hotmail.com internet address = 65.55.92.184 mx4.hotmail.com internet address = 104.44.194.231 mx4.hotmail.com internet address = 104.44.194.232 mx4.hotmail.com internet address = 104.44.194.233 ns1.msft.net internet address = 208.84.0.53 ns1.msft.net has AAAA address 2620:0:30::53 ns3.msft.net internet address = 193.221.113.53 ns3.msft.net has AAAA address 2620:0:34::53 ns4.msft.net internet address = 208.76.45.53 ns4.msft.net has AAAA address 2620:0:37::53

Can you access websites via IPv6 directly from your system? Or from your own network?

from the webserver no. My internal network was not ipv6 capable hence why i ran the external test from a site that was ipv6 capable. The server itself that is running virt is also unable to access ipv6 correctly. shouldn't the ipv6 addies be on the iplv6 interface and not as additional addresses to the ipv4 interface?

Wait, if your internal network is not IPv6 capable, how would external clients be able to connect to your webserver?

As i noted: My internal network was not ipv6 capable hence why i ran the external test from a site that was ipv6 capable.

MY internal network..aka at my location was not ipv6 capable which is why i ran that external ipv6 validation from a site that was ipv6 capable. My provider's network most assuredly is ipv6 capable...the virt server is having ipv6 problems internally.

ok shouldn't the ipv6 addresses be on the ipv6 interface of the server instead of being latched onto the ipv4 interface as additional ip addresses? This is how virt has installed them which seems non-sensical to me.

Oh, I see ... so by "internal" network, do you mean at your office and not at the site when you are running Virtualmin?

V6 addresses are on the same interface as V4. There is no such thing as different interfaces for IPv6.

ok i figured out the issue. Virt somehow after the most recent upgrade got ipv6 firewall screwed up and was blocking ipv6. I reset the firewall to allow all traffic..then applied that ruleset..then reset it to block all but web hosting ports and applied that ruleset.

That worked for a few minutes then i lost ipv6 connectivity again. So the ipv6 firewall has some kind of issue that unless you allow all traffic you loose connectivity to ipv6.

IPv6 validation for http://etc-md.com

Tested on Sat, 14 Jan 2017 01:57:14 GMT AAAA DNS record 2604:4100:2:7::2 IPv6 web server web server is unreachable : No route to host IPv6 DNS server

Maybe just try turning off the IPv6 firewall for now? Personally I don't think firewalls add a lot of value if all your servers are up to date.

YOu need to read up on best practices then. Firewalls are essential to good security.

here's something. I brought up the apache webserver inside of webmin and only the ipv4 addresses are listed. DNS AAAA works with ipv6 tables activated but it is the apache webserver that gets firewalled off. Does the fact there are not listed ipv6 addies inside the apache webserver module mean anything?

The reason I'm skeptical about firewalls is that 99% of attacks come via services that you can't firewall - for example, exploiting vulnerable PHP webapps, or SSH password guessing (unless you want to lock down SSH to a small set of IPs).

Regarding Apache, you will certainly need it to be listening on an IPv6 to work properly.

As a network security consultant I see plenty of fully patched machines..Linux..BSD..And windows compromised by zero days in kernels. There is a reason modern operating systems have firewalls by default. It protects the most important part of your server...The kernel.

How do we fix the Apache apparently not listening on ipv6?

Try selecting the domain from the left menu, go to Change IP Address, and enable use of your system's primary shared IPv6 address.

part of my service is an individual ipv6 ip per account. i will try cycling between shared and then back to an individual.

Ok, in that case you can enable a per-domain IPv6 address on the Edit Virtual Server page.

Just for giggles I created a dummy domain and tried to assign an ipv6 addy to it and here's what happened: Adding IPv6 address 2604:4100:0002:0007:0000:0000:0000:0 .. .. IPv6 address failed! : Failed to add IPv6 address : SIOCSIFADDR: File exists

I think virt has lost track of the fact it has assigned ipv6 addies at all.

I then cycled the domain to shared....and then cycled it back to assigned and ti worked: Updating IP addresses in virtual server blahblah.com Adding IPv6 address 2604:4100:0002:0007:0000:0000:0000:14 .. .. added to interface enp0s25 Changing IPv6 address in DNS domain .. .. done

Changing IP address of virtual website .. .. done

Updating Webmin user .. .. done

Saving server details .. .. done

Re-starting DNS server .. .. done Applying web server configuration .. .. done

Re-loading Webmin .. .. done

the apache webserver module however still does not show any ipv6 assignments.

What does the domain's <virtualhost> block look like exactly?

That looks fine to me, assuming that 2604:4100:0002:0007:0000:0000:0000:14 is the correct external IP address.

I think I'd need to login to your system to debug this further..

REALLY?!?!?! what information do you want? Do you want me to setup the remote access from inside virt and paste the keys here(once i take this thread private if you answer yes).

Yes, that would be best. It looks like the problem is deeper than just the apache config.

ok so i have the ipv6 firewall turned on and as per my OP ipv6 connectivity is not working even though i have the webhosting rules turned on and applied. If i disable ip6tables then everything works fine. So It is not just apache getting blocked it is everything. For some reason when ip6tables is being invoked the rules are not being applied correctly.

I just made two posts here and the site lost them both..:(

testing to see if my posts show up.

I didn't see your remote access notification. What's your system's IP address?

Joe's picture
Submitted by Joe on Fri, 01/27/2017 - 14:52 Pro Licensee

Your posts were queued for moderation by our spam filters; they're kinda crappy sometimes (we pay Akismet for the service, but it kinda sucks...missing a lot of spam and catching a lot of false positives). We can always see them, however...you don't need to worry about a ticket being lost. Eric, Jamie, and I always have access to all posts, including those that have been queue for moderation.

I've approved your posts so they'll be visible to you now.

Addresses: 2604:4100:2:7::2 199.15.253.2

Did my remote access creds come though this time?

Did you get my remote creds?

any response?

Jamie, you mentioned in Comment #27 above that you may need to log in to troubleshoot this, but due to a comment moderation problem it may not have been generating proper notifications since then. That should be fixed now, but note that the remote login has been enabled.

Ok, great! hescominsoon - what's your IP address?

Ok, I'm logged in. Do you mind if I try turning off your IPv6 firewall temporarily, to see which rule is the cause of the problem?

any updates?

nmever mind.

Status: Active » Closed (cannot reproduce)

Did you figure out the cause? From the description, it seems like something that was outside of Virtualmin's control.

no I gave up. it is within virts control. I have removed ipv6 from my server and removed my ipv6 promotions from my website. Unfortunately this was a good selling point for me and is another time I have had to reduce my features i list to my clients as to why they should host with me. I really would like to renew with virtualmin but I keep having to reduce my feature set to continue to use virtualmin due to virtualmin issues. I hope you can get things worked out in future versions before my own renewal comes up.

It really looked like an IPv6 routing issue to me - I wasn't even able to ping your v6 addresses from other v6-connected machines on the internet.

Ipv6 routing is fine as I have another server at the same data center that works fine without virtualmin installed....It has a competitive product on it.

This is still an issue..along with all of the other ipv6 issues with virtualmin. This has been shown across multiple machines..and it is not my datacenter as other machines with non virt on it work fine with ipv6. Let's get it fixed folks.

I have been trying for a couple of years to get my control panel to work correctly. Unfortunately it appears my choice of web hosting control panel vendors has done me in. The issue has been constant ipv6 issues. My vendor, Virtualmin, is unable to fix the problems and unfortunately this means I have two choices. I have to switch to another control panel which will cost double what I am paying now for less features or I can slowly wind down operations.

All existing hosting arrangements will be honored until their expiry. I will not be accepting any new clients for web hosting and my servers will stay online until Jan 7th 2021. I have plenty of funds to keep things operating until that point. All offerings with the exception of ipv6 will also continue to operate until this time. I am also suspending billing for any renewals as since I am unable to provide the service I advertised I cannot, in good conscience) continue to bill for a service I cannot provide in full.

I simply do not have the resources to build my own panel at this time and the hundreds of hours I have spent have taken a toll on my health. It is, with a heavy heart, that I wind down my hosting operations. For all who have used my service, I thank you. If you want an archive of your site all you have to do is ask and I will make one for you that will facilitate your transition to other hosting. I will also turn over domains to your chosen registrar as well if you have purchased domains through me.Since I am giving over a year’s notice nobody will be shorted on their contracts.

Title: ipv6 not working on servers » ipv6 not working on servers*It's Over*
Status: Active » Closed (cannot reproduce)