2025.07.27 IPv6 DSR

A record of a failed attempt at DSR over IPv6
Note: this is a record of a failure.

With IPv4 this is easy to do, but with IPv6 I can't get it to work.
See here.

Environment

The LB holds the VIP [2408:a1c0:1ad:1fff::1110].
When a request arrives at [2408:a1c0:1ad:1fff::1110], it should be forwarded to the RS at [2408:a1c0:1ad:1fff::1112],
and I want [2408:a1c0:1ad:1fff::1112] to reply directly.

LB

# ip a
3: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1413 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:cb:c5:3a brd ff:ff:ff:ff:ff:ff
    inet 192.168.128.166/24 metric 100 brd 192.168.128.255 scope global dynamic enp2s0
       valid_lft 83701sec preferred_lft 83701sec
    inet6 2408:a1c0:1ad:1fff::1110/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 2408:a1c0:1ad:1fff::1111/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fecb:c53a/64 scope link 
       valid_lft forever preferred_lft forever

RS

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 2408:a1c0:1ad:1fff::1110/128 scope global 
       valid_lft forever preferred_lft forever

3: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1413 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:5e:15:a3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.128.217/24 metric 100 brd 192.168.128.255 scope global dynamic enp2s0
       valid_lft 84432sec preferred_lft 84432sec
    inet6 2408:a1c0:1ad:1fff::1112/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe5e:15a3/64 scope link 
       valid_lft forever preferred_lft forever

LB side

# nft list table ip6 nat
table ip6 nat {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		ip6 daddr 2408:a1c0:1ad:1fff::1110 tcp dport 80 dnat to 2408:a1c0:1ad:1fff::1112
	}
}

RS side

# nft list table ip6 nat
table ip6 nat {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		ip6 daddr 2408:a1c0:1ad:1fff::1110 redirect
		ip6 daddr 2408:a1c0:1ad:1fff::1110 tcp dport 80 redirect to :80
	}
}

The traffic reaches the RS, and the RS is sending back ACKs,
but the checking side is not receiving them.

# tcpdump -nne -i enp2s0 ip6 and port 80
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp2s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
07:40:07.223156 fa:16:3e:cb:c5:3a > fa:16:3e:5e:15:a3, ethertype IPv6 (0x86dd), length 94: 2408:a1c0:1ad:1fff::1113.50342 > 2408:a1c0:1ad:1fff::1112.80: Flags [S], seq 1408598023, win 64944, options [mss 1353,sackOK,TS val 1483087515 ecr 0,nop,wscale 7], length 0
07:40:07.223206 fa:16:3e:5e:15:a3 > fa:16:3e:6a:e4:85, ethertype IPv6 (0x86dd), length 94: 2408:a1c0:1ad:1fff::1112.80 > 2408:a1c0:1ad:1fff::1113.50342: Flags [S.], seq 102076255, ack 1408598024, win 64368, options [mss 1353,sackOK,TS val 2464373664 ecr 1483087515,nop,wscale 7], length 0
07:40:07.223538 fa:16:3e:6a:e4:85 > fa:16:3e:5e:15:a3, ethertype IPv6 (0x86dd), length 74: 2408:a1c0:1ad:1fff::1113.50342 > 2408:a1c0:1ad:1fff::1112.80: Flags [R], seq 1408598024, win 0, length 0
07:40:08.252682 fa:16:3e:cb:c5:3a > fa:16:3e:5e:15:a3, ethertype IPv6 (0x86dd), length 94: 2408:a1c0:1ad:1fff::1113.50342 > 2408:a1c0:1ad:1fff::1112.80: Flags [S], seq 1408598023, win 64944, options [mss 1353,sackOK,TS val 1483088546 ecr 0,nop,wscale 7], length 0
07:40:08.252732 fa:16:3e:5e:15:a3 > fa:16:3e:6a:e4:85, ethertype IPv6 (0x86dd), length 94: 2408:a1c0:1ad:1fff::1112.80 > 2408:a1c0:1ad:1fff::1113.50342: Flags [S.], seq 118162608, ack 1408598024, win 64368, options [mss 1353,sackOK,TS val 2464374693 ecr 1483088546,nop,wscale 7], length 0
07:40:08.253056 fa:16:3e:6a:e4:85 > fa:16:3e:5e:15:a3, ethertype IPv6 (0x86dd), length 74: 2408:a1c0:1ad:1fff::1113.50342 > 2408:a1c0:1ad:1fff::1112.80: Flags [R], seq 1408598024, win 0, length 0
07:40:09.276664 fa:16:3e:cb:c5:3a > fa:16:3e:5e:15:a3, ethertype IPv6 (0x86dd), length 94: 2408:a1c0:1ad:1fff::1113.50342 > 2408:a1c0:1ad:1fff::1112.80: Flags [S], seq 1408598023, win 64944, options [mss 1353,sackOK,TS val 1483089570 ecr 0,nop,wscale 7], length 0
07:40:09.276717 fa:16:3e:5e:15:a3 > fa:16:3e:6a:e4:85, ethertype IPv6 (0x86dd), length 94: 2408:a1c0:1ad:1fff::1112.80 > 2408:a1c0:1ad:1fff::1113.50342: Flags [S.], seq 134162336, ack 1408598024, win 64368, options [mss 1353,sackOK,TS val 2464375717 ecr 1483089570,nop,wscale 7], length 0
07:40:09.277056 fa:16:3e:6a:e4:85 > fa:16:3e:5e:15:a3, ethertype IPv6 (0x86dd), length 74: 2408:a1c0:1ad:1fff::1113.50342 > 2408:a1c0:1ad:1fff::1112.80: Flags [R], seq 1408598024, win 0, length 0
07:40:10.300694 fa:16:3e:cb:c5:3a > fa:16:3e:5e:15:a3, ethertype IPv6 (0x86dd), length 94: 2408:a1c0:1ad:1fff::1113.50342 > 2408:a1c0:1ad:1fff::1112.80: Flags [S], seq 1408598023, win 64944, options [mss 1353,sackOK,TS val 1483090594 ecr 0,nop,wscale 7], length 0
07:40:10.300744 fa:16:3e:5e:15:a3 > fa:16:3e:6a:e4:85, ethertype IPv6 (0x86dd), length 94: 2408:a1c0:1ad:1fff::1112.80 > 2408:a1c0:1ad:1fff::1113.50342: Flags [S.], seq 150162788, ack 1408598024, win 64368, options [mss 1353,sackOK,TS val 2464376741 ecr 1483090594,nop,wscale 7], length 0
07:40:10.301055 fa:16:3e:6a:e4:85 > fa:16:3e:5e:15:a3, ethertype IPv6 (0x86dd), length 74: 2408:a1c0:1ad:1fff::1113.50342 > 2408:a1c0:1ad:1fff::1112.80: Flags [R], seq 1408598024, win 0, length 0
07:40:11.324645 fa:16:3e:cb:c5:3a > fa:16:3e:5e:15:a3, ethertype IPv6 (0x86dd), length 94: 2408:a1c0:1ad:1fff::1113.50342 > 2408:a1c0:1ad:1fff::1112.80: Flags [S], seq 1408598023, win 64944, options [mss 1353,sackOK,TS val 1483091618 ecr 0,nop,wscale 7], length 0
07:40:11.324693 fa:16:3e:5e:15:a3 > fa:16:3e:6a:e4:85, ethertype IPv6 (0x86dd), length 94: 2408:a1c0:1ad:1fff::1112.80 > 2408:a1c0:1ad:1fff::1113.50342: Flags [S.], seq 166161982, ack 1408598024, win 64368, options [mss 1353,sackOK,TS val 2464377765 ecr 1483091618,nop,wscale 7], length 0
07:40:11.325033 fa:16:3e:6a:e4:85 > fa:16:3e:5e:15:a3, ethertype IPv6 (0x86dd), length 74: 2408:a1c0:1ad:1fff::1113.50342 > 2408:a1c0:1ad:1fff::1112.80: Flags [R], seq 1408598024, win 0, length 0
07:40:12.348552 fa:16:3e:cb:c5:3a > fa:16:3e:5e:15:a3, ethertype IPv6 (0x86dd), length 94: 2408:a1c0:1ad:1fff::1113.50342 > 2408:a1c0:1ad:1fff::1112.80: Flags [S], seq 1408598023, win 64944, options [mss 1353,sackOK,TS val 1483092642 ecr 0,nop,wscale 7], length 0
07:40:12.348590 fa:16:3e:5e:15:a3 > fa:16:3e:6a:e4:85, ethertype IPv6 (0x86dd), length 94: 2408:a1c0:1ad:1fff::1112.80 > 2408:a1c0:1ad:1fff::1113.50342: Flags [S.], seq 182160432, ack 1408598024, win 64368, options [mss 1353,sackOK,TS val 2464378789 ecr 1483092642,nop,wscale 7], length 0
07:40:12.348916 fa:16:3e:6a:e4:85 > fa:16:3e:5e:15:a3, ethertype IPv6 (0x86dd), length 74: 2408:a1c0:1ad:1fff::1113.50342 > 2408:a1c0:1ad:1fff::1112.80: Flags [R], seq 1408598024, win 0, length 0
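
An added example, not part of the original post: a small parser for `tcpdump -nne` lines like the RS-side capture above that reports which address each SYN-ACK was sent from, which MAC it was sent to, and whether the client answered it with a RST. The function name `diagnose` and the finding labels are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: the first three packets of the RS-side capture above,
# with the TCP options trimmed for readability.
CAPTURE = """\
07:40:07.223156 fa:16:3e:cb:c5:3a > fa:16:3e:5e:15:a3, ethertype IPv6 (0x86dd), length 94: 2408:a1c0:1ad:1fff::1113.50342 > 2408:a1c0:1ad:1fff::1112.80: Flags [S], seq 1408598023, win 64944, length 0
07:40:07.223206 fa:16:3e:5e:15:a3 > fa:16:3e:6a:e4:85, ethertype IPv6 (0x86dd), length 94: 2408:a1c0:1ad:1fff::1112.80 > 2408:a1c0:1ad:1fff::1113.50342: Flags [S.], seq 102076255, ack 1408598024, win 64368, length 0
07:40:07.223538 fa:16:3e:6a:e4:85 > fa:16:3e:5e:15:a3, ethertype IPv6 (0x86dd), length 74: 2408:a1c0:1ad:1fff::1113.50342 > 2408:a1c0:1ad:1fff::1112.80: Flags [R], seq 1408598024, win 0, length 0
"""

# One `tcpdump -nne` line: timestamp, src/dst MAC, src/dst address.port, TCP flags.
LINE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv6 .*?: "
    r"(?P<src>[0-9a-f:]+)\.(?P<sport>\d+) > (?P<dst>[0-9a-f:]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)


def diagnose(capture, vip, port="80"):
    """Return (label, detail) findings about the reply path of each flow."""
    findings, syn_from, pending = [], {}, {}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        p = m.groupdict()
        if p["flags"] == "S" and p["dport"] == port:
            # Remember which MAC handed this SYN to the real server.
            syn_from[(p["src"], p["sport"])] = p["smac"]
        elif p["flags"] == "S." and p["sport"] == port:
            flow = (p["dst"], p["dport"])
            # Direct return: the reply goes to a MAC other than the forwarder's.
            if flow in syn_from and p["dmac"] != syn_from[flow]:
                findings.append(("reply_bypasses_forwarder", p["dmac"]))
            # The client opened its socket towards the VIP, so any other
            # source address cannot match that socket.
            if ipaddress.ip_address(p["src"]) != ipaddress.ip_address(vip):
                pending[flow] = p["src"]
                findings.append(("synack_not_from_vip", p["src"]))
        elif "R" in p["flags"] and (p["src"], p["sport"]) in pending:
            # The client reset the reply that came from the unexpected address.
            findings.append(("client_rst", pending.pop((p["src"], p["sport"]))))
    return findings


if __name__ == "__main__":
    for finding in diagnose(CAPTURE, "2408:a1c0:1ad:1fff::1110"):
        print(finding)
```

In this capture the SYN reaches the RS already addressed to `::1112` (the LB's `dnat` has rewritten it), so the RS-side `redirect` rules matching `ip6 daddr 2408:a1c0:1ad:1fff::1110` do not apply and the SYN-ACK is sourced from `::1112`.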

Checking VM side

Via the LB, nothing comes back

# curl -6 -v http://[2408:a1c0:1ad:1fff::1110]
*   Trying [2408:a1c0:1ad:1fff::1110]:80...

Going directly to the RS, [2408:a1c0:1ad:1fff::1112], it gets through

# curl -6 -v http://[2408:a1c0:1ad:1fff::1112]
*   Trying [2408:a1c0:1ad:1fff::1112]:80...
* Connected to 2408:a1c0:1ad:1fff::1112 (2408:a1c0:1ad:1fff::1112) port 80
> GET / HTTP/1.1
> Host: [2408:a1c0:1ad:1fff::1112]
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Sat, 26 Jul 2025 22:42:22 GMT
< Server: Apache/2.4.58 (Ubuntu)
< Last-Modified: Sat, 26 Jul 2025 08:27:31 GMT
< ETag: "b-63ad0d463dc8d"
< Accept-Ranges: bytes
< Content-Length: 11
< Content-Type: text/html
< 
test-lll02
* Connection #0 to host 2408:a1c0:1ad:1fff::1112 left intact