
#1 2026-01-04 00:26:14

Beemo
Member
Registered: 2024-12-20
Posts: 83

[Solved] Route config for multi-interface w/ IPv6 reverse path filter

  • What does systemd-network's PreferredSource (or equivalently ip-route's src) do? Is it needed if I have 2 interfaces with 1 IP on each? Does the kernel have some kind of source selection algorithm that chooses the right IP for the right outgoing interface?

  • What happens when I mix source-based and destination-based routing? How is the precedence determined?

  • How do I favor one route over the other, or dynamically choose the best route?

Context:
I have a server with 2 IPv6 interfaces (actually one is a SIT tunnel): interface#1 has a bunch of static IP6, interface#2 (SIT tunnel) has a static IP6 and an allocated prefix (the static IP is outside the prefix, which is good).
The server acts as a WireGuard router with a few peers. Peers are given IP6 from both interface#1 (by way of NDP proxy and route) and interface#2's dedicated prefix.
The problem is, on the Internet, IPv6 Reverse Path Filtering is the default as recommended by RFC. So when I ping from a WG client, if it's using interface#1 IP but the traffic goes through interface#2, no response.
So I'm using source-based routing. All the configuration is done in systemd-network. It currently works, but I'm not confident that it's correct.

The config is too much to post (and too much to redact...), but the route looks like this:
bUHK012.png

  • Notice the 2 default routes at the end (for the 1st and 3rd question).

  • Notice the 1st and 5th routes. The 1st route intends to ensure that WG client traffic going to the internet using the dedicated prefix should go through the interface that the prefix came from. The 5th is the automatically added route saying WG clients are on-link on the WireGuard interface. But what happens if clients talk to each other, so both src and dst are the prefix?

Last edited by Beemo (2026-01-04 06:06:59)


#2 2026-01-04 05:32:37

Beemo
Member
Registered: 2024-12-20
Posts: 83

Re: [Solved] Route config for multi-interface w/ IPv6 reverse path filter

  • PreferredSource hints at which IP to select as source when there are multiple, which is true in this case. However the source address selection algorithm is sufficient. Rule 5: Prefer outgoing interface.

  • Specificity (prefix length) -> Preference -> Metric. The on-link route has a lower metric and thus takes precedence correctly. Destination specificity has precedence over source specificity. Not sure about Preference having precedence over Metric. RFC4191 doesn't say, but it seems to be.

  • Use IPv6Preference to set the Preference. By default, preference affects metric too. However, this doesn't work for me: I changed the preference but it still looks the same. I had to manually set the metric to break up the last route into 2 entries, at which point the preference became correct. (Bug?)

Last edited by Beemo (2026-01-04 05:52:15)


#3 2026-01-04 06:00:41

Beemo
Member
Registered: 2024-12-20
Posts: 83

Re: [Solved] Route config for multi-interface w/ IPv6 reverse path filter

About the behavior, it seems to originate from ip-route. Different pref doesn't matter, it's considered the same (if I ip route replace it replaces the default route shown).

$ ip -6 route show
default via 2607:0:0:0::1 dev ens3 proto static metric 1024 pref medium
$ sudo ip route add default proto static pref low via 2001:0:e:0::1 dev sit-tunnel
RTNETLINK answers: File exists
$ sudo ip route add default proto static pref low via 2001:0:e:0::1 dev sit-tunnel metric 2048
$ ip -6 route show
default via 2607:0:0:0::1 dev ens3 proto static metric 1024 pref medium
default via 2001:0:e:0::1 dev sit-tunnel proto static metric 2048 pref low

Last edited by Beemo (2026-01-04 06:05:51)
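
An added example, not part of the thread: a small Python audit that picks an egress interface for each flow and checks whether an upstream doing reverse path filtering on that interface would accept the source address. It is a simplified model (longest destination match, then longest source match, then lowest metric; router preference is ignored), not the kernel's lookup code. The 2001:db8 addresses are constructed and wg0 is an assumed interface name; ens3 and sit-tunnel are taken from the output above.

```python
import ipaddress as ip

# Constructed sample data (documentation prefixes, not the poster's addresses).
# Source prefixes each upstream will accept on its link.
UPLINK_PREFIXES = {
    "ens3": [ip.ip_network("2001:db8:a::/64")],
    "sit-tunnel": [ip.ip_network("2001:db8:b::/48")],
}
# (destination, source selector, device, metric); "::/0" source means "any".
ROUTES = [
    ("::/0", "2001:db8:b::/48", "sit-tunnel", 1024),  # source-based default
    ("2001:db8:b::/48", "::/0", "wg0", 256),          # WG clients on-link
    ("::/0", "::/0", "ens3", 1024),
    ("::/0", "::/0", "sit-tunnel", 2048),
]
FLOWS = [
    ("2001:db8:b::10", "2001:db8:ffff::1"),  # tunnel-prefix client to Internet
    ("2001:db8:a::10", "2001:db8:ffff::1"),  # ens3-side client to Internet
    ("2001:db8:b::10", "2001:db8:b::20"),    # client to client
]

def select_route(src, dst, routes=ROUTES):
    """Simplified lookup: longest dst match, then longest src match, then metric."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    candidates = []
    for dst_net, src_net, dev, metric in routes:
        d, s = ip.ip_network(dst_net), ip.ip_network(src_net)
        if dst in d and src in s:
            candidates.append((-d.prefixlen, -s.prefixlen, metric, dev))
    return min(candidates)[3] if candidates else None

def passes_upstream_rpf(src, dev, prefixes=UPLINK_PREFIXES):
    """True if reverse path filtering upstream of `dev` would accept `src`."""
    if dev not in prefixes:  # internal interface such as wg0: no upstream filter
        return True
    return any(ip.ip_address(src) in net for net in prefixes[dev])

def audit(flows, routes=ROUTES):
    """Return (src, dst, dev, ok) per flow so misrouted sources stand out."""
    rows = []
    for src, dst in flows:
        dev = select_route(src, dst, routes)
        rows.append((src, dst, dev, dev is not None and passes_upstream_rpf(src, dev)))
    return rows

if __name__ == "__main__":
    for row in audit(FLOWS):
        print("with source route:", row)
    for row in audit(FLOWS, ROUTES[1:]):  # same table minus the source-based default
        print("destination-only: ", row)
```

With the source-based default removed, the first flow leaves through ens3 carrying a tunnel-prefix source and is flagged, which is the no-response case described in the first post.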


#4 2026-01-05 07:48:35

-thc
Member
Registered: 2017-03-15
Posts: 1,074

Re: [Solved] Route config for multi-interface w/ IPv6 reverse path filter

I find this setup difficult to understand. Your problem (differing IPv6 source addresses) seems self-afflicted to me - IMHO there's no need for the WireGuard clients to have two different globally routable IPv6 addresses. If "2607::" (belongs to Westman Communications Group) is the primary global IPv6 address space - what's the SIT interface for? Is this a dual-ISP setup?
