Using a subnet router with ipv6

Tailscale version: 1.22.1
Your operating system & version: Amazon Linux 5.10.102-99.473.amzn2.x86_64

For context, I’m trying to get ipv6 forwarding working for my VPC such that I can access hosts over ipv6 even when I’m on an ipv6-only network. I’ve configured one ec2 instance as a subnet router following the guides (enabling ipv4 and ipv6 forwarding) and was able to get private ipv4 addresses working end-to-end. However, I’ve run into some issues with ipv6:

  • By default, turning on forwarding for ipv6 disabled accepting router advertisements. This appears to just break ipv6 altogether, and so setting accept_ra=2 seems to fix things.

  • Even then, when trying to connect to any ipv6 host besides the subnet router itself, packets never make it back to the original client. Running Wireshark on the final destination shows that while ipv4 packets are arriving with the forwarding subnet router’s aws ipv4 address, ipv6 packets are arriving with the original client’s tailscale ipv6 address.

My assumption for this last one is that ipv4 forwarding is doing NAT, but that ipv6 doesn’t perform NAT. Am I correct that the only way to solve this is through ip6tables rules, and if so, do y’all have any recommendations on what configuration to apply before I go remind myself how to configure iptables :) ?

You are correct, subnet routers do not Source-NAT IPv6 traffic (they do Source-NAT IPv4 traffic by default, but that is configurable). The issue with RAs being disabled is a Linux issue, unrelated to Tailscale.

You could SNAT the IPv6 traffic if you wished, or you could set up static routes on the machines that are receiving the traffic so they know to send replies back through the subnet router. If those machines are all using a single default router for their traffic, you’d only need to set up the static route there (pointing to the subnet router).
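The two options in the reply above, written out as an added example (not code from the thread or from Tailscale): a function that makes the subnet router forward and source-NAT IPv6 only for tailnet traffic, and a function for the no-NAT alternative, a return route on the VPC host or its default router. It assumes the VPC-facing interface is eth0, Tailscale's interface is tailscale0, and the tailnet prefix is the fd7a:115c:a1e0:ab12::/64 that Tailscale gives later in this thread; set DRY_RUN=1 to print the commands instead of running them as root.

```shell
#!/bin/sh
# Added example; assumed interface names (eth0, tailscale0) and the
# tailnet ULA prefix quoted from this thread. DRY_RUN=1 prints commands.
TS_PREFIX="fd7a:115c:a1e0:ab12::/64"

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Option 1: the subnet router forwards IPv6 and source-NATs tailnet
# traffic, so VPC hosts see the router's own address and reply to it.
configure_subnet_router() {
    vpc_if="${1:-eth0}"
    # Forwarding makes the host a router, which stops it accepting RAs;
    # accept_ra=2 keeps its own default route (the fix the poster found).
    run sysctl -w net.ipv6.conf.all.forwarding=1
    run sysctl -w "net.ipv6.conf.${vpc_if}.accept_ra=2"
    # Default-deny transit (assumes no other rules rely on ACCEPT), then
    # allow only tailnet-sourced flows out and their replies back in.
    run ip6tables -P FORWARD DROP
    run ip6tables -A FORWARD -i tailscale0 -o "$vpc_if" -s "$TS_PREFIX" -j ACCEPT
    run ip6tables -A FORWARD -i "$vpc_if" -o tailscale0 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SNAT only the tailnet prefix, and only when leaving via the VPC side.
    run ip6tables -t nat -A POSTROUTING -s "$TS_PREFIX" -o "$vpc_if" -j MASQUERADE
}

# Option 2: no NAT. On a VPC host (or its default router), route replies
# for the tailnet prefix back via the subnet router's VPC-side address.
add_return_route() {
    router_ip6="$1"
    if [ -z "$router_ip6" ]; then
        echo "usage: add_return_route <subnet-router-ipv6>" >&2
        return 1
    fi
    run ip -6 route add "$TS_PREFIX" via "$router_ip6"
}
```

Pick one option per deployment: with SNAT the VPC hosts lose the client's real tailnet address in their logs, with the return route they keep it.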

Is there any documentation around tailscale’s ipv6 ranges used for machines? Looking at “How Tailscale assigns IP addresses · Tailscale”, the ipv4 assignment is well-defined, but not for ipv6.

Tailscale uses a Unique Local Address prefix of fd7a:115c:a1e0:ab12::/64

Thanks! It would be nice if that were also documented on the assignment doc page.

Additionally, a callout on “Enable IP forwarding on Linux · Tailscale” around ipv6 behavior in linux would be nice, as it was not immediately obvious that the command I was told to run would cause issues or that I would have to think about it.