IPv6 subnet routing to instance

0

I have an EC2 instance (t4g.nano) with an OpenVPN server running on it. Also I have a /56 IPv6 prefix delegated from Amazon. I assigned one /64 prefix to the subnet associated with my instance and allocated an IPv6 address to the instance's network interface from that prefix. Also I created another /64 subnet in the same VPC and added a route for that prefix directed to the instance's network interface. This prefix is used by the instance to assign IPv6 addresses to VPN clients. Now, the instance has access to the internet from its assigned IPv6 address. But VPN clients using IPv6 addresses assigned from the routed prefix don't have internet connectivity outside the virtual network routed by the instance. I mean that VPN clients can ping and traceroute each other, but tracing ipv6.google.com fails starting from the 2nd hop (the 1st hop is the instance itself). The question is: what else do I need to do to make IPv6 routes work properly?

asked 10 months ago, 375 views
3 Answers
0

I don't have a second ENI because I already have a second internal interface created by the OpenVPN server. But the main problem is that IPv6 subnet routing just doesn't work: packets sent to an address within the routed prefix simply don't arrive at the ENI interface. I checked that with tcpdump. Moreover, my EC2 instance stops receiving router advertisements when I remove the IPv6 address from the ENI. But assigning an IPv6 address from another prefix to the ENI does not solve the problem with the routed subnets. However, the assigned IPv6 address works for the instance: I can use it to connect via SSH and ping, and it works nicely, but not the addresses from the routed prefix. Inb4: IPv6 forwarding is turned on.

answered 10 months ago
  • What I noticed is that the middle-box routing doesn't forward traffic for the entire subnet, only for addresses that EC2 knows about. So if you create a firewall with 2 interfaces and EC2 instances on the second subnet, it routes fine. With a VPN, EC2 doesn't know about the VPN clients and doesn't forward the traffic… The workaround I found was to create a dummy interface in the target subnet in EC2 (just leave it unconfigured on the VPN server) and then use the prefix feature to bind a /80 block of address space to that interface. Then you can have your VPN clients assigned addresses within the /80 and EC2 will route the traffic to the VPN server as expected.

0

If you are not using the OpenVPN server to dynamically assign IPs to the VPN clients, then you may need to tweak the configuration.

With a VPN instance, you'll need an ENI mapped to the external interface (first /64 prefix) and a second ENI mapped to the internal interface (second /64 prefix). The route table for the first /64 prefix (external subnet) should have a default (or preferred static) route pointing to the VPC IGW, while the route table for the second /64 prefix (internal subnet) should have a default (or preferred static) route pointing to the internal ENI on the VPN instance.

The VPN clients (getting their IPs from the internal subnet) will route their external traffic to the internal ENI on the VPN server, and it will go through the VPN.

AWS
answered 10 months ago
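One way to lay out and sanity-check the two pieces discussed in this thread, the /80 client pool bound to an ENI with the prefix feature (comment on the first answer) and the external/internal route tables (this answer), as an added example that is not code from the thread or from AWS. It assumes RFC 3849 documentation-range prefixes and placeholder ENI, route table and gateway ids, assumes the AWS CLI and OpenVPN's `server-ipv6` directive (which takes a prefix length between 64 and 112), and adds the `--no-source-dest-check` step as the standard requirement for an EC2 instance that forwards traffic, which the thread itself does not mention:

```python
"""Plan and sanity-check the IPv6 layout for an OpenVPN instance in a VPC.

Added example, not code from the thread or from AWS. Prefixes are from the
RFC 3849 documentation range and every id is a placeholder; replace them with
your own VPC, subnet, ENI and route-table values.
"""
import ipaddress
from itertools import islice

# Constructed sample layout (assumed values, not from the original page).
VPC_PREFIX = ipaddress.IPv6Network("2001:db8:0:100::/56")
EXTERNAL_SUBNET = ipaddress.IPv6Network("2001:db8:0:100::/64")  # instance's own /64
INTERNAL_SUBNET = ipaddress.IPv6Network("2001:db8:0:101::/64")  # /64 reserved for VPN clients
INTERNAL_ENI = "eni-PLACEHOLDER"       # second ENI on the VPN instance, in INTERNAL_SUBNET
INTERNAL_RTB = "rtb-PLACEHOLDER-int"   # route table associated with INTERNAL_SUBNET
EXTERNAL_RTB = "rtb-PLACEHOLDER-ext"   # route table associated with EXTERNAL_SUBNET
IGW_ID = "igw-PLACEHOLDER"

# OpenVPN's server-ipv6 directive accepts a prefix length between 64 and 112.
OPENVPN_MIN_BITS, OPENVPN_MAX_BITS = 64, 112


def pick_client_prefix(subnet, bits=80, index=1):
    """Return the index-th /bits block inside subnet to use as the VPN client pool.

    Block 0 is skipped on purpose so the pool never touches the leading
    addresses of the subnet, which AWS keeps reserved.
    """
    if bits <= subnet.prefixlen:
        raise ValueError("client prefix must be longer than the subnet prefix")
    return next(islice(subnet.subnets(new_prefix=bits), index, None))


def check_layout(vpc, external, internal, client_prefix):
    """Return a list of problems with the layout; an empty list means it is consistent."""
    problems = []
    if not external.subnet_of(vpc):
        problems.append(f"external subnet {external} is not inside the VPC block {vpc}")
    if not internal.subnet_of(vpc):
        problems.append(f"internal subnet {internal} is not inside the VPC block {vpc}")
    if external.overlaps(internal):
        problems.append(f"external subnet {external} overlaps internal subnet {internal}")
    if not client_prefix.subnet_of(internal):
        problems.append(f"client pool {client_prefix} is not inside the internal subnet {internal}")
    if not OPENVPN_MIN_BITS <= client_prefix.prefixlen <= OPENVPN_MAX_BITS:
        problems.append(
            f"client pool /{client_prefix.prefixlen} is outside the server-ipv6 range "
            f"/{OPENVPN_MIN_BITS}-/{OPENVPN_MAX_BITS}"
        )
    return problems


def openvpn_server_line(client_prefix):
    """The server-ipv6 directive that hands out client addresses from client_prefix."""
    return f"server-ipv6 {client_prefix.with_prefixlen}"


def aws_cli_commands(client_prefix):
    """AWS CLI calls that make EC2 route the client pool to the VPN instance."""
    return [
        # 1. Bind the client pool to the internal ENI as a delegated prefix, so EC2
        #    treats every address in it as belonging to that interface.
        f"aws ec2 assign-ipv6-addresses --network-interface-id {INTERNAL_ENI} "
        f"--ipv6-prefixes {client_prefix.with_prefixlen}",
        # 2. A router instance must not drop traffic whose source or destination is
        #    not one of its own addresses (assumed: standard EC2 forwarding requirement).
        f"aws ec2 modify-network-interface-attribute --network-interface-id {INTERNAL_ENI} "
        "--no-source-dest-check",
        # 3. Internal subnet: default IPv6 route via the internal ENI.
        f"aws ec2 create-route --route-table-id {INTERNAL_RTB} "
        f"--destination-ipv6-cidr-block ::/0 --network-interface-id {INTERNAL_ENI}",
        # 4. External subnet: default IPv6 route via the internet gateway.
        f"aws ec2 create-route --route-table-id {EXTERNAL_RTB} "
        f"--destination-ipv6-cidr-block ::/0 --gateway-id {IGW_ID}",
    ]


def in_pool(address, client_prefix):
    """True when an address handed to a VPN client falls inside the pool bound to the ENI."""
    return ipaddress.IPv6Address(address) in client_prefix


if __name__ == "__main__":
    pool = pick_client_prefix(INTERNAL_SUBNET)
    for problem in check_layout(VPC_PREFIX, EXTERNAL_SUBNET, INTERNAL_SUBNET, pool):
        print("problem:", problem)
    print(openvpn_server_line(pool))
    print("\n".join(aws_cli_commands(pool)))
```

Run it once to print the `server-ipv6` line for the OpenVPN server config and the four CLI calls; `check_layout` is the part worth keeping around, since a client pool that is not inside the prefix assigned to the ENI reproduces exactly the symptom in the question (EC2 never delivers those packets to the interface).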
0

Your answer didn't help me. On the step of attaching a 2nd ENI, I cannot see my 2nd ENI if the ENI is in another availability zone. When I created the ENI in the same availability zone, it was available for attaching. I attached it, but no new network interface appeared in the VM. And the IPv6 prefixes routed to the 2nd ENI still don't have access to the internet.

answered 10 months ago
