IPv6 on Amazon VPC: missing default route in Ubuntu

Solution 1:

Your routing table does not look correct. This line looks very wrong:

default dev eth0  metric 1024

This line says that the entire internet is connected directly to your eth0 interface without needing to go through any intermediate routers. This will cause your system to send neighbor discovery requests onto the LAN for every host it tries to reach. And if that host is not directly connected to your LAN, it will not see the neighbor discovery request.

So you cannot really expect anything to work with that routing table. With some routers it is possible to configure a neighboring router to work around your misconfiguration. But you shouldn't count on it. Instead you should find out what the correct gateway address is and configure that.

Here is an example of what the routing table entry looks like on one particular machine with functional connectivity:

default via fe80::1 dev eth0  metric 1024  advmss 1220

The via fe80::1 part is what is missing from yours. The address you are supposed to use may be different from fe80::1; you would need to ask your provider what gateway address to use if they haven't told you so. The two ways I have mostly seen providers choose to address their gateway are either fe80::1 or the /64 prefix followed by ::1, which in your case would become 2001:DB8:1234:1234::1.

The advmss 1220 part is not absolutely necessary, but I include it because it will work around some MTU issues.

Once you have fixed the routing table entry, the next step to test is to verify that the router shows up in your neighbor cache. Then use traceroute6 or mtr to see how far you can get packets before they get lost.
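
A check for the symptom described in this answer, a default route with no via gateway, written as an added example that is not part of the original answer. The function name check_v6_default and the sample routing tables are constructed for illustration; the two default lines are the ones quoted above.

```shell
#!/bin/sh
# Classify the IPv6 default route(s) in `ip -6 route show` output read on stdin.
# Prints one line per default route:
#   "ok <gateway> <dev>"  - the route has a next hop ("via ...")
#   "onlink <dev>"        - the route has no gateway, so every destination
#                           is treated as a directly connected neighbor
# Exit status: 0 = at least one default route with a gateway,
#              1 = only gateway-less default routes, 2 = no default route.
check_v6_default() {
    awk '
        $1 == "default" {
            gw = ""; dev = ""
            for (i = 2; i < NF; i++) {
                if ($i == "via") gw  = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            if (gw != "") { print "ok " gw " " dev; good++ }
            else          { print "onlink " dev;    bad++  }
        }
        END {
            if (good) exit 0
            if (bad)  exit 1
            exit 2
        }
    '
}

# Constructed sample inputs: a link-local route plus each of the two
# default-route lines quoted in the answer.
BROKEN='fe80::/64 dev eth0  proto kernel  metric 256
default dev eth0  metric 1024'
FIXED='fe80::/64 dev eth0  proto kernel  metric 256
default via fe80::1 dev eth0  metric 1024  advmss 1220'

for sample in "$BROKEN" "$FIXED"; do
    printf '%s\n' "$sample" | check_v6_default \
        || echo "  -> no usable IPv6 gateway in this table"
done

# On a live host, feed it the real table instead of the samples:
#   ip -6 route show | check_v6_default
```
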

Solution 2:

It turned out I missed a step in the migration guide.

When enabling IPv6 on an existing VPC some things, like route tables and security groups, have to be manually updated if you've made modifications to the default ones.

I had updated our route table (as per http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-migrate-ipv6.html#vpc-migrate-ipv6-routes) and security-groups (as per http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-migrate-ipv6.html#vpc-migrate-ipv6-sg-rules), but had forgotten to update our Network ACL, as mentioned on that same page.

So, I was effectively firewalling all IPv6 traffic. Adding inbound and outbound ALLOW rules for ::/0 fixed my problem for Ubuntu 16.04.

For Ubuntu 14.04 there was actually an error in Amazon's migration guide, which has since been fixed. The advice to add iface eth0 inet6 dhcp to /etc/networking/interfaces.d/eth0.cfg didn't work, leading to a configured IPv6 address, but a missing default route.

Instead, I had to start the dhcp-client when the interface came up, like so: up dhclient -6. I ended up with the following working configuration in the /etc/networking/interfaces.d/eth0.cfg file:

# The primary network interface
auto eth0
iface eth0 inet dhcp
    up dhclient -6 -v -pf /run/dhclient6.$IFACE.pid -lf /var/lib/dhcp/dhclient6.$IFACE.leases $IFACE

It appears Amazon has updated their migration guide to say something similar (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-migrate-ipv6.html#ipv6-dhcpv6-ubuntu-14).