Hi all,
I’m trying to set up IPv6 in my home network but running into issues on my Fedora machine. Basically, I can’t ping anything including my router. I also have several Debian servers on the same network, and they seem to work fine, so it’s unlikely the problem is with my OPNSense router configuration.

I’m fairly new to IPv6 and would appreciate any suggestions on how to debug this issue.

OS: Fedora Linux 42 (KDE Plasma Desktop Edition) x86_4
Kernel: Linux 6.16.8-200.fc42.x86_64

ping6 ipv6.google.com

ping6: connect: Network is unreachable

ip -6 addr show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host proto kernel_lo 
       valid_lft forever preferred_lft forever
2: wlp192s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:Х:Хfd:3e00:2c81:e108:7631:79e1/64 scope global dynamic noprefixroute 
       valid_lft 86314sec preferred_lft 14314sec
    inet6 fe80::765d:770b:1386:5044/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

ip -6 route

2001:Х:Хfd:3e00::/64 dev wlp192s0 proto ra metric 600 pref medium
fe80::/64 dev wlp192s0 proto kernel metric 1024 pref medium
default via fe80::5a9c:fcff:fe10:9b09 dev wlp192s0 proto ra metric 20600 pref medium

for reference, output of ip -6 route from one of debian machines

2001:Х:Хfd:3e00::/64 dev ens18 proto ra metric 1002 mtu 1500 pref medium
fe80::/64 dev ens18 proto kernel metric 256 pref medium
fe80::/64 dev veth6a98a1a proto kernel metric 256 pref medium
fe80::/64 dev br-25f2fd6ab8d8 proto kernel metric 256 pref medium
fe80::/64 dev veth97cc6d3 proto kernel metric 256 pref medium
fe80::/64 dev veth21a1b63 proto kernel metric 256 pref medium
default via fe80::5a9c:fcff:fe10:9b09 dev ens18 proto ra metric 1002 mtu 1500 pref medium

ip -6 neigh show

fe80::5a9c:fcff:fe10:9b09 dev wlp192s0 router FAILED 

for reference, output of ip -6 neigh show from one of debian machines

2001:Х:Хf7:e500:5a9c:fcff:fe10:9b09 dev ens18 lladdr 58:9c:fc:10:9b:09 router STALE 
fe80::5a9c:fcff:fe10:9b09 dev ens18 lladdr 58:9c:fc:10:9b:09 router STALE 
fe80::9c4e:9b7d:1489:b439 dev ens18 lladdr 7c:c2:c6:3e:13:65 STALE 
2001:Х:Хfd:3e00:5a9c:fcff:fe10:9b09 dev ens18 lladdr 58:9c:fc:10:9b:09 router STALE 
2001:Х:Хfd:3e00:865a:cdda:6c46:285c dev ens18 FAILED 

note: 58:9c:fc:10:9b:09 is LAN MAC of my router

nmcli device show

IP4.ADDRESS[1]:                         10.10.1.195/24
IP4.GATEWAY:                            10.10.1.1
IP4.ROUTE[1]:                           dst = 10.10.1.0/24, nh = 0.0.0.0, mt = 600
IP4.ROUTE[2]:                           dst = 0.0.0.0/0, nh = 10.10.1.1, mt = 600
IP4.DNS[1]:                             10.10.1.1
IP4.DOMAIN[1]:                          home
IP6.ADDRESS[1]:                         2001:Х:Хfd:3e00:2c81:e108:7631:79e1/64
IP6.ADDRESS[2]:                         fe80::765d:770b:1386:5044/64
IP6.GATEWAY:                            fe80::5a9c:fcff:fe10:9b09
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024
IP6.ROUTE[2]:                           dst = 2001:Х:Хfd:3e00::/64, nh = ::, mt = 600
IP6.ROUTE[3]:                           dst = ::/0, nh = fe80::5a9c:fcff:fe10:9b09, mt = 20600
IP6.DNS[1]:                             2001:Х:Хfd:3e00:5a9c:fcff:fe10:9b09

“to configure IPv6 networking on Fedora 38, you’ll need to edit the network configuration file for your interface. By default, Fedora uses NetworkManager, which provides a command-line tool nmcli for network configuration.

nmcli connection show

This command will list all network connections. Identify the one you wish to configure for IPv6 and proceed with the following steps.

Edit the connection using:

nmcli connection edit [connection-name]

Within the nmcli interactive editor, set the IPv6 method to ‘auto’ to enable DHCPv6 or ‘manual’ to set a static address:

set ipv6.method auto

Or for a static setup:

set ipv6.method manual
set ipv6.addresses [your-IPv6-address]/[prefix-length]
set ipv6.gateway [your-gateway-address]

Save the changes and exit nmcli:

save
quit

For the changes to take effect, restart the NetworkManager service:

systemctl restart NetworkManager

“

Copied from Setting Up IPv6 Networking on Fedora 38 | Reintech media

This is default settings in F42 and I confirm it on both wired and wireless connections.

Your fedora config seems ok, so your guess it might be the router config.

This is what I see on my NetworkManager system (most of my other systems use systemd-networkd). My router, home designed on Fedora, does IPv6 prefix deligation.

Here are DNS query, ping -6 and traceroute -6 for google.com

$ resolvectl query google.com
google.com: 142.250.140.102                    -- link: enp2s0
            142.250.140.101                    -- link: enp2s0
            142.250.140.100                    -- link: enp2s0
            142.250.140.113                    -- link: enp2s0
            142.250.140.139                    -- link: enp2s0
            142.250.140.138                    -- link: enp2s0
            2a00:1450:4009:c0b::8a             -- link: enp2s0
            2a00:1450:4009:c0b::65             -- link: enp2s0
            2a00:1450:4009:c0b::71             -- link: enp2s0
            2a00:1450:4009:c0b::64             -- link: enp2s0
$ ping -6 -n -c 3 google.com
PING google.com (2a00:1450:4009:c0b::65) 56 data bytes
64 bytes from 2a00:1450:4009:c0b::65: icmp_seq=1 ttl=115 time=6.95 ms
64 bytes from 2a00:1450:4009:c0b::65: icmp_seq=2 ttl=115 time=7.06 ms
64 bytes from 2a00:1450:4009:c0b::65: icmp_seq=3 ttl=115 time=6.82 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 6.818/6.942/7.061/0.099 ms

$ traceroute -6 -n google.com
traceroute to google.com (2a00:1450:4009:c0b::65), 30 hops max, 80 byte packets
 1  2001:xxxx:xxxxx:0:da43:aeff:feb9:bb6  0.701 ms  0.690 ms  0.716 ms
 2  2001:8b7::192:150:92:42  6.082 ms  6.056 ms  6.030 ms
 3  2001:8b7::192:150:92:25  5.995 ms  6.043 ms  6.016 ms
 4  2a00:1450:80e1::1  6.736 ms * *
 5  2a00:1450:80ff::1  7.762 ms 2a00:1450:80e9::1  6.581 ms  6.620 ms
 6  2001:4860:0:1::50a2  7.524 ms 2001:4860:0:1::54cc  6.696 ms 2001:4860:0:1::73c6  7.214 ms
 7  * 2001:4860:0:1::4722  6.314 ms *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  2a00:1450:4009:c0b::65  6.697 ms  6.651 ms  6.678 ms 

Both Fedora and Debian have a working IPv6. NetworkManager ipv6.method=auto does the job. Difference is Fedora 42 on Wifi and Debian on Lan. The router advertisements assign the same /64 subnet, and the default routes on Debian and Fedora are the same:

Fedora: default via fe80::5a9c:fcff:fe10:9b09 dev wlp192s0 proto ra metric 20600

Debian: default via fe80::5a9c:fcff:fe10:9b09 dev ens18 proto ra metric 1002

So I assume your Wifi is obtained with an access point in bridged mode? Are IPv4 subnets the same?

Are you able to connect the Fedora (laptop?) wired? Then I assume it works. So for the moment I would suspect the Wireless system.

You could try on the Fedora:

“tcpdump -ni wlp191s0 icmp6” in one window and

ip -6 neigh flush all && ping -6 2000::1

in another. The same tcpdump on the LAN interface (em1??) in the OPNsense console→shell.

On both sides, you should see a neighbour discovery and answer for the router fe80 address.

11:19:31.139377 IP6 2a02:x:x:0:7b71:a889:8093:1488 > ff02::1:ff57:410d: ICMP6, neighbor solicitation, who has fe80::b2ac:d2ff:fe57:410d, length 32
11:19:31.140828 IP6 fe80::b2ac:d2ff:fe57:410d > 2a02:x:x:0:7b71:a889:8093:1488: ICMP6, neighbor advertisement, tgt is fe80::b2ac:d2ff:fe57:410d, length 32

Thank you for the tips.

packet capture results

I made several adjustments to reduce the number of variables:

1. Disabled the firewall on Fedora: systemctl stop firewalld

2. Connected Fedora via Ethernet to the same hardware switch as the Proxmox box with the Debian machines, to eliminate the software bridge and Wi-Fi.

I don’t see much difference between the two cases. Both show router solicitations and advertisements, but on Fedora ping6 ipv6.google.com still returns “Network unreachable”.

Fedora wired connection

• interface - enp195s0f0u2

• mac - 7c:c2:c6:3e:13:65

• local link - fe80::9c4e:9b7d:1489:b439

Note: For some reason, I can’t initiate the discovery process on Fedora using ip -6 neigh flush all as I can on Debian. Instead, I’m running ifconfig enp195s0f0u2 down/up which I hope achieves the same result.

Packet capture on fedora during interface up

tcpdump -ni enp195s0f0u2 icmp6

dropped privs to tcpdump

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode

listening on enp195s0f0u2, link-type EN10MB (Ethernet), snapshot length 262144 bytes

17:05:00.652166 IP6 :: > ff02::1:ff89:b439: ICMP6, neighbor solicitation, who has fe80::9c4e:9b7d:1489:b439, length 32

17:05:05.448750 IP6 fe80::9c4e:9b7d:1489:b439 > ff02::2: ICMP6, router solicitation, length 8

17:05:05.449563 IP6 fe80::5a9c:fcff:fe10:9b09 > fe80::9c4e:9b7d:1489:b439: ICMP6, router advertisement, length 104

17:05:05.668170 IP6 :: > ff02::1:ff00:1e7f: ICMP6, neighbor solicitation, who has 2001:X:Xfd:3e00::1e7f, length 32

17:05:06.076571 IP6 :: > ff02::1:ff46:285c: ICMP6, neighbor solicitation, who has 2001:X:Xfd:3e00:865a:cdda:6c46:285c, length 32

17:05:15.154709 IP6 fe80::5a9c:fcff:fe10:9b09 > ff02::1:ffbe:174d: ICMP6, neighbor solicitation, who has 2001:X:Xfd:3e00:719d:9545:bfbe:174d, length 32

17:05:16.170524 IP6 fe80::5a9c:fcff:fe10:9b09 > ff02::1:ffbe:174d: ICMP6, neighbor solicitation, who has 2001:X:Xfd:3e00:719d:9545:bfbe:174d, length 32

17:05:17.182068 IP6 fe80::5a9c:fcff:fe10:9b09 > ff02::1:ffbe:174d: ICMP6, neighbor solicitation, who has 2001:X:Xfd:3e00:719d:9545:bfbe:174d, length 32

corresponding packet capture on OPNSense (filtered by fedora MAC, ICMP6)

Interface Timestamp SRC DST output

LAN

bridge0 2025-10-05

17:08:39.288882 7c:c2:c6:3e:13:65 33:33:00:00:00:02 ethertype IPv6 (0x86dd), length 62: (flowlabel 0xa49d8, hlim 255, next-header ICMPv6 (58) payload length: 8) fe80::9c4e:9b7d:1489:b439 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 8

LAN

bridge0 2025-10-05

17:08:39.289618 58:9c:fc:10:9b:09 7c:c2:c6:3e:13:65 ethertype IPv6 (0x86dd), length 158: (hlim 255, next-header ICMPv6 (58) payload length: 104) fe80::5a9c:fcff:fe10:9b09 > fe80::9c4e:9b7d:1489:b439: [icmp6 sum ok] ICMP6, router advertisement, length 104

hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms

prefix info option (3), length 32 (4): 2001:X:Xfd:3e00::/64, Flags [onlink, auto], valid time 86400s, pref. time 14400s

rdnss option (25), length 24 (3): lifetime 1800s, addr: 2001:X:Xfd:3e00:5a9c:fcff:fe10:9b09

dnssl option (31), length 16 (2): lifetime 1800s, domain(s): home.

mtu option (5), length 8 (1): 1500

source link-address option (1), length 8 (1): 58:9c:fc:10:9b:09

LAN

bridge0 2025-10-05

17:08:39.437452 7c:c2:c6:3e:13:65 33:33:ff:46:28:5c ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) :: > ff02::1:ff46:285c: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:X:Xfd:3e00:865a:cdda:6c46:285c

unknown option (14), length 8 (1):

0x0000: f3f6 f4e4 81dd

LAN

bridge0 2025-10-05

17:08:39.901466 7c:c2:c6:3e:13:65 33:33:ff:00:1e:7f ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) :: > ff02::1:ff00:1e7f: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:X:Xfd:3e00::1e7f

unknown option (14), length 8 (1):

0x0000: 95e5 7ce2 4b62

LAN

bridge0 2025-10-05

17:08:44.594703 58:9c:fc:10:9b:09 7c:c2:c6:3e:13:65 ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::5a9c:fcff:fe10:9b09 > fe80::9c4e:9b7d:1489:b439: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::9c4e:9b7d:1489:b439

source link-address option (1), length 8 (1): 58:9c:fc:10:9b:09

LAN

bridge0 2025-10-05

17:08:44.594929 7c:c2:c6:3e:13:65 58:9c:fc:10:9b:09 ethertype IPv6 (0x86dd), length 78: (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::9c4e:9b7d:1489:b439 > fe80::5a9c:fcff:fe10:9b09: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::9c4e:9b7d:1489:b439, Flags [solicited]

LAN

bridge0 2025-10-05

17:08:49.629404 7c:c2:c6:3e:13:65 58:9c:fc:10:9b:09 ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::9c4e:9b7d:1489:b439 > fe80::5a9c:fcff:fe10:9b09: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::5a9c:fcff:fe10:9b09

source link-address option (1), length 8 (1): 7c:c2:c6:3e:13:65

LAN

bridge0 2025-10-05

17:08:49.629462 58:9c:fc:10:9b:09 7c:c2:c6:3e:13:65 ethertype IPv6 (0x86dd), length 78: (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::5a9c:fcff:fe10:9b09 > fe80::9c4e:9b7d:1489:b439: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::5a9c:fcff:fe10:9b09, Flags [router, solicited]

for reference , packet capture on Debian during ip -6 neigh flush all

• interface - ens18

• MAC - bc:24:11:08:f2:86

• local link address - fe80::bc80:7176:84c:3b9a

sudo tcpdump -ni ens18 icmp6

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode

listening on ens18, link-type EN10MB (Ethernet), snapshot length 262144 bytes

17:22:16.320973 IP6 fe80::bc80:7176:84c:3b9a > ff02::2: ICMP6, router solicitation, length 16

17:22:16.321682 IP6 fe80::5a9c:fcff:fe10:9b09 > fe80::bc80:7176:84c:3b9a: ICMP6, router advertisement, length 104

corresponding packet capture on OPNSense (filtered by debian MAC, ICMP6)

Interface Timestamp SRC DST output

LAN

bridge0 2025-10-05

17:25:49.292635 bc:24:11:08:f2:86 33:33:00:00:00:02 ethertype IPv6 (0x86dd), length 70: (flowlabel 0x08213, hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::bc80:7176:84c:3b9a > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16

source link-address option (1), length 8 (1): bc:24:11:08:f2:86

LAN

bridge0 2025-10-05

17:25:49.292774 58:9c:fc:10:9b:09 bc:24:11:08:f2:86 ethertype IPv6 (0x86dd), length 158: (hlim 255, next-header ICMPv6 (58) payload length: 104) fe80::5a9c:fcff:fe10:9b09 > fe80::bc80:7176:84c:3b9a: [icmp6 sum ok] ICMP6, router advertisement, length 104

hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms

prefix info option (3), length 32 (4): 2001:X:Xfd:3e00::/64, Flags [onlink, auto], valid time 86400s, pref. time 14400s

rdnss option (25), length 24 (3): lifetime 1800s, addr: 2001:X:Xfd:3e00:5a9c:fcff:fe10:9b09

dnssl option (31), length 16 (2): lifetime 1800s, domain(s): home.

mtu option (5), length 8 (1): 1500

source link-address option (1), length 8 (1): 58:9c:fc:10:9b:09

LAN

bridge0 2025-10-05

17:25:54.329377 58:9c:fc:10:9b:09 bc:24:11:08:f2:86 ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::5a9c:fcff:fe10:9b09 > fe80::bc80:7176:84c:3b9a: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::bc80:7176:84c:3b9a

source link-address option (1), length 8 (1): 58:9c:fc:10:9b:09

LAN

bridge0 2025-10-05

17:25:54.329653 bc:24:11:08:f2:86 58:9c:fc:10:9b:09 ethertype IPv6 (0x86dd), length 78: (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::bc80:7176:84c:3b9a > fe80::5a9c:fcff:fe10:9b09: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::bc80:7176:84c:3b9a, Flags [solicited]

OMG, I’m so sorry for wasting everyone’s time! I found the following rules in iptables, which had been installed by AmneziaVPN (a VPN server configuration tool I used some time ago).

sudo ip6tables -L -n -v

Chain amnvpn.100.blockAll (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       ::/0                 ::/0                 reject-with icmp6-port-unreachable

hain amnvpn.250.blockIPv6 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      !lo+    ::/0                 ::/0                 reject-with icmp6-port-unreachable
Chain amnvpn.310.blockDNS (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     udp  --  *      *       ::/0                 ::/0                 udp dpt:53 reject-with icmp6-port-unreachable
    0     0 REJECT     tcp  --  *      *       ::/0                 ::/0                 tcp dpt:53 reject-with icmp6-port-unreachable

Thank you so much for all the suggestions! At the very least, I learned something new about IPv6.

OK, I hope this was the culprit. The ip6tables shows only unreferenced chains without any packets passing by. But I assume this is one the famous IPv6 drop-all from VPN providers lagging behind in IPv6 implementation.

May be the best question to be asked first for debugging a situation where the OS defaults are enough for a working IPv6 was to try a Live system. That should work.

Difference between Fedora and Debian is an active firewall. There is a policy implemented in /etc/firewalld/policies/allow-host-ipv6.xml to allow in any case router advertisements, redirects and neighbour solliciations/advertisements. Fedora uses the new “nftables” firewall, but iptables sits behind and is still able to drop allowed packets.

Firewalld can use either iptables or nftables API, it is configurable.
Iptables API is compiled into nftables as I understand it by the kernel.

You’re right. The config file allows iptables and nftables, with the remark that iptables backend is deprecated.

Firewalld creates a nftables table “inet firewalld” , ip(6)tables from the “iptables-nft” package creates a nftables table “ip filter” and “ip6 filter” .

There is, including Fedora 43 beta, an iptables-legacy, which is the classical one. Using that pulls in the iptables kernel modules.

Look like I need to educate myself on this subject, nftables and firewalld are new to me.
Question regarding ip(6)tables - what is “default”, “out of the box” state of the tables?
Will -F -X sequence bring me to that state?

By default firewalld uses nftables. No idea what sense you can get from a iptables query.

Firewalld is a high-level firewall based on zones. Default on server is the “public” zone allowing only SSH, DHCPv6 client and all ICMP. There is a GUI and very extensive CLI tool. It compiles into a nftables table or a set of IP(6)tables rules depending on the backend choosen. Available on Debian too.

For iptables, the default is ACCEPT, so for firewalling you should define what you want to accept terminated with a block-all rule. Or change the default policies.

iptables -F -X flushes rules and chains, so you end having no firewall at all with ACCEPT default policy.

In case of active firewalld with nftables backend, the iptables created tables are flushed but the firewalld section stays alive and kicking.

Thanks for the clarification! My understanding is that both iptables and nftables are interfaces for the kernel netfilter module. While firewalld can work with both, by default on Fedora 42 it’s connected to nftables. (Please correct me if I’m wrong in these assumptions.)

So, my questions (all in relation to the “out-of-the-box” F42 experience) are:

1. Does iptables matter at all? Will rules set up via the iptables interface still be executed?
2. I noticed that the nftables daemon is not running. Does this mean that rules set up in nftables outside of the firewalld table are not executed?
3. Is firewalld “replacing” the nftables daemon’s functionality and instead using its own settings to configure rules?

Thank you!

There is a compatibility package named iptables-nft which will provide the old iptables programs, but will use nft to implement the firewall. Some packages still uses this interface. You can use the alternatives command to chose between the real iptables programs and the compatibility versions.

The nftables daemon is not used when you manage the firewall with firewalld. If you prefer, you can disable firewalld and enable nftables and configure the firewall this way.

No, firewalld is using the nftables to implement the firewall rules, so it is not replacing it. firewalld used to use iptables instead, and perhaps it can still be configured to do so.

Both iptables and nftables have no user-space daemon, they communicate with the kernel. Firewalld is a daemon program, so firewall-config gui and firewall-cmd can communicate with firewalld.

Both nftables and iptables are active, either iptables translated to nftables or native. A packet has to pass both before reaching the system or getting out or forwarded.

Difference with iptables/ip6tables is that firewalld handles IPv4 and IPv6 together except masquerading. If you want to masquerade IPv6, you must setup it separately.