lighttpd/Nextcloud not reachable over DS-Lite IPv6

Dear community,

As a total noob with IPv6, I am struggling to set up my Nextcloud instance on my new Raspberry Pi 3B. I have previous experience with the combination QNAP/ownCloud/IPv4 at my parents', which works well. I would prefer HTTPS over port 443 with Let's Encrypt, but I cannot even get HTTP over port 80 to work…

I can reach the NC over the local network over both IPv4 and IPv6, but a remote connection over hostname/IPv6 is not possible. The internet connection is DS-Lite, the router is a FRITZ!Box Cable 6360.

After several days of tinkering I seem unable to find where the problem lies (i.e. in which application). For testing purposes I have activated the site "testmysetup.chickenkiller.com"; Nextcloud sits in the directory /nextcloud/.

Please help.


Current setup:

on the Raspberry Pi:

root@malina:~# netstat -tulpn |grep LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 7131/mysqld
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 7039/redis-server 1
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 7230/lighttpd
tcp 0 0 0.0.0.0:51413 0.0.0.0:* LISTEN 7258/transmission-d
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 442/dropbear
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN 7372/perl
tcp 0 0 0.0.0.0:9091 0.0.0.0:* LISTEN 7258/transmission-d
tcp6 0 0 ::1:6379 :::* LISTEN 7039/redis-server 1
tcp6 0 0 :::80 :::* LISTEN 7230/lighttpd
tcp6 0 0 :::51413 :::* LISTEN 7258/transmission-d
tcp6 0 0 :::22 :::* LISTEN 442/dropbear
tcp6 0 0 :::443 :::* LISTEN 7230/lighttpd

on the FRITZ!Box:

ping6 and ports 80, 443 and 51820 open:

Open the firewall only for specific protocols.
Allow PING6
Protocol Port range
TCP from port 80 to port 80
TCP from port 443 to port 443
UDP from port 51820 to port 51820

In the network setup, the DNS server is active with IA_PD and IA_NA address:

DHCPv6 server in the home network

Enable the DHCPv6 server in the FRITZ!Box for the home network:

Assign DNS server, prefix (IA_PD) and IPv6 address (IA_NA)

Announce the FRITZ!Box as DNS server via DHCPv6. Pass on parts of the IPv6 network assigned by the internet provider to downstream routers. Devices in the home network are assigned an IPv6 address via DHCPv6.

ping6 from an online ping/traceroute tool works perfectly:

--- PING testmysetup.chickenkiller.com(xxxxxx) 56 data bytes ---
64 bytes from xxxxxx: icmp_seq=1 ttl=244 time=41.1 ms
64 bytes from xxxxxx: icmp_seq=2 ttl=244 time=92.9 ms
64 bytes from xxxxxx: icmp_seq=3 ttl=244 time=110 ms
64 bytes from xxxxxx: icmp_seq=4 ttl=244 time=82.4 ms

--- testmysetup.chickenkiller.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3007 ms
rtt min/avg/max/mdev = 41.110/81.688/110.382/25.471 ms

The IPv6 port scanner shows, as expected, ports 80 and 443 open.

The SSL test (Let's Encrypt) obviously gives a name mismatch, but ends with A if trust issues are ignored:

https://www.ssllabs.com/ssltest/analyze.html?d=testmysetup.chickenkiller.com

Overall Rating T
If trust issues are ignored: A
This server's certificate is not trusted, see below for details.
This server supports TLS 1.3.

Most interestingly, nextcloud.com finds the Nextcloud instance and reports security rating A:

Rating A
https://testmysetup.chickenkiller.com/nextcloud

Running Nextcloud 20.0.4.0

The possible culprit: the firewall???

traceroute to testmysetup.chickenkiller.com (xxxxxx), 30 hops max, 80 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
No reply for 5 hops. Assuming we reached firewall.

Hi,

I had a look, and for me your website is reachable, even via SSL.

I did a domain check first


and tried to access your Nextcloud.

It worked fine for me too. Most likely the issue with ping/traceroute is that your FQDN has only an AAAA record, therefore no IPv4.

trendy@garida:[~]$nslookup testmysetup.chickenkiller.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	testmysetup.chickenkiller.com
Address: 2a02:xxxx:4c10:4480:ba27:ebff:xxxx:b66c

trendy@garida:[~]$ping -4 testmysetup.chickenkiller.com
ping: testmysetup.chickenkiller.com: Name or service not known
trendy@garida:[~]$ping -6 testmysetup.chickenkiller.com
PING testmysetup.chickenkiller.com(2a02:xxxx:4c10:4480:ba27:ebff:xxxx:b66c (2a02:xxxx:4c10:4480:ba27:ebff:xxxx:b66c)) 56 data bytes
64 bytes from 2a02:xxxx:4c10:4480:ba27:ebff:xxxx:b66c (2a02:xxxx:4c10:4480:ba27:ebff:xxxx:b66c): icmp_seq=1 ttl=244 time=72.9 ms
64 bytes from 2a02:xxxx:4c10:4480:ba27:ebff:xxxx:b66c (2a02:xxxx:4c10:4480:ba27:ebff:xxxx:b66c): icmp_seq=2 ttl=244 time=69.1 ms
^C
--- testmysetup.chickenkiller.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 69.116/71.031/72.946/1.915 ms

I guess it's a side effect of DS-Lite:

https://en.avm.de/service/fritzbox/fritzbox-7530-ax/knowledge-base/publication/show/1611_What-is-DS-Lite-and-how-does-it-work/

The last point is the most important: "…on a DS-Lite internet connection, you can access it and the home network from the internet over IPv6. For this type of IPv6 connection, both parties must have an IPv6 internet connection."

That means no IPv4 address.

I had issues connecting from my home network at first, because I'm using IPv4 only on my local LAN. Therefore I switched to the mobile network, and it was working.

Thanks to both of you for checking. This led me to some more reading, and I found two problems that were blocking me.

For future reference should someone have the same problem:

(please correct me if this is wrong)

  1. Make sure you connect from a device that has an IPv6 address.

I was checking the setup from a phone with a cellular connection, and always ended up with DNS_PROBE_FINISHED_NXDOMAIN. As it seems, in Germany Telefonica does not offer an IPv6 address.

  2. Make sure your computer can resolve the domain name, i.e. test with the dig and host commands:

host testmysetup.chickenkiller.com

;; connection timed out; no servers could be reached

host testmysetup.chickenkiller.com 8.8.8.8

Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

testmysetup.chickenkiller.com has IPv6 address 2a02:xxxxxxxxx

dig testmysetup.chickenkiller.com AAAA

; <<>> DiG 9.16.1-Ubuntu <<>> testmysetup.chickenkiller.com AAAA
;; global options: +cmd
;; connection timed out; no servers could be reached

dig testmysetup.chickenkiller.com AAAA @8.8.8.8

; <<>> DiG 9.16.1-Ubuntu <<>> testmysetup.chickenkiller.com AAAA @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;testmysetup.chickenkiller.com. IN AAAA

;; ANSWER SECTION:
testmysetup.chickenkiller.com. 3599 IN AAAA 2a02:xxxxx

;; Query time: 2872 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jan 11 21:06:40 CET 2021
;; MSG SIZE rcvd: 86

I had to change the settings on the FRITZ!Box to provide a proper IPv6 DNS nameserver.


Since then everything works (well, not the phone with the cellular connection, but that is probably not possible to solve…)
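The two problems found in the post above (an AAAA-only name tested from an IPv4-only cellular client, and a resolver handed out by the FRITZ!Box that did not answer) look the same in a browser, but the resolver library reports them differently: getaddrinfo() fails with EAI_AGAIN when no nameserver answers ("no servers could be reached"), whereas an AAAA-only name resolves normally with AF_UNSPEC and only an IPv4-restricted lookup such as `ping -4` fails with "Name or service not known". The script below is an added example, not code from the thread or from any project: it resolves a name, checks whether the local machine has an IPv6 route at all, gives one of four verdicts, and only then probes TCP. The probe address 2001:4860:4860::8888 (Google Public DNS) and the fake resolver used for offline testing are this example's own choices.

```python
"""Client-side check for an AAAA-only host: resolver problem or access network?

Added example (not from the original thread). Separates 'my resolver does not
answer' from 'the name has only AAAA and this client has no IPv6'.
"""
import socket
import sys

RESOLVER_UNREACHABLE = "RESOLVER_UNREACHABLE"             # dig: 'no servers could be reached'
NO_RECORDS = "NO_RECORDS"                                 # the name has no A and no AAAA
V6_ONLY_NEEDS_V6_CLIENT = "V6_ONLY_HOST_CLIENT_LACKS_V6"  # ping -4: 'Name or service not known'
OK = "OK"


def resolve(host, getaddrinfo=socket.getaddrinfo):
    """Collect A and AAAA answers for host; returns (records, error_or_None).
    getaddrinfo is injectable so the decision logic can run without a network."""
    records = {"A": [], "AAAA": []}
    try:
        results = getaddrinfo(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return records, exc
    for family, _type, _proto, _canon, sockaddr in results:
        key = "A" if family == socket.AF_INET else "AAAA"
        if sockaddr[0] not in records[key]:
            records[key].append(sockaddr[0])
    return records, None


def client_has_ipv6(probe_addr="2001:4860:4860::8888"):
    """True if this machine has a route to the IPv6 internet.
    connect() on a UDP socket sends no packet; it only makes the kernel pick a
    route and source address (OSError if there is no IPv6 route). The probe
    address is Google Public DNS; any global IPv6 address would do."""
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
            s.connect((probe_addr, 53))
            return not s.getsockname()[0].startswith("fe80:")  # link-local only = no v6
    except OSError:
        return False


def diagnose(records, error, client_v6):
    """Map resolver outcome plus client capability to one of the verdicts above."""
    if error is not None and error.errno == socket.EAI_AGAIN:
        return RESOLVER_UNREACHABLE
    if not records["A"] and not records["AAAA"]:
        return NO_RECORDS
    if not records["A"] and not client_v6:
        return V6_ONLY_NEEDS_V6_CLIENT
    return OK


def tcp_reachable(addr, port, timeout=3.0):
    """Plain TCP connect to one address, what a browser does before TLS starts."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
            return True
    except OSError:
        return False


def make_fake_resolver(v4=(), v6=(), fail_with=None):
    """Constructed stand-in for socket.getaddrinfo (offline demo and tests only).
    fail_with names a socket.EAI_* constant, e.g. 'EAI_AGAIN'."""
    def fake(host, port, family=0, type=0, proto=0, flags=0):
        if fail_with is not None:
            raise socket.gaierror(getattr(socket, fail_with), fail_with)
        out = [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, 0)) for a in v4]
        out += [(socket.AF_INET6, socket.SOCK_STREAM, 6, "", (a, 0, 0, 0)) for a in v6]
        return out
    return fake


if __name__ == "__main__":
    # usage: python3 v6check.py testmysetup.chickenkiller.com 443
    host = sys.argv[1] if len(sys.argv) > 1 else "testmysetup.chickenkiller.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    records, error = resolve(host)
    v6 = client_has_ipv6()
    verdict = diagnose(records, error, v6)
    print(f"{host}: A={records['A']} AAAA={records['AAAA']} client_ipv6={v6} -> {verdict}")
    if verdict == OK:
        for addr in records["AAAA"] + records["A"]:
            state = "open" if tcp_reachable(addr, port) else "closed/filtered"
            print(f"  tcp/{port} {addr}: {state}")
```

Run from an IPv4-only client (the cellular phone in the post) this prints V6_ONLY_HOST_CLIENT_LACKS_V6 without touching the server; from a machine whose configured nameserver does not answer it prints RESOLVER_UNREACHABLE, and a fixed resolver (here, the FRITZ!Box handing out a working IPv6 DNS server) turns that into OK followed by the TCP probe.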

well, not the phone with cellular connection, but that is probably not possible to solve…

Check with O2 whether they offer IPv6, or check other cellular providers in red or magenta :wink: