First I want to say thanks, I've had a tunnel for quite some time, and went stagnant during an ISP switch -- I've just recently really gotten everything going (now waiting on IPv6 glue records for my domain... then, sage, here I come) :)
Anyway, I tried to send this all in a mail to ipv6@he.net and was met with an epic fail:
n8I1KA0c025717: to=<ipv6@he.net>, ctladdr=<cowboy@....> (2000/2000), delay=00:05:11, xdelay=00:05:10, mailer=esmtp, pri=123492, relay=he.net. [IPv6:2001:470:0:76::2], dsn=4.0.0, stat=Deferred: 403 User mailbox unable to accept mail
That mail is now in deferred status, so if the problem gets fixed, you can ignore the rest of this :)
Assuming you'll see this, before the problem is fixed, I'll repeat it here:
Subject: Administratively prohibited - tunnel misconfiguration, or actually blocked ?
Endpoint: 2001:470:1F03:2a7::1/64
My side: 2001:470:1F03:2a7::2/64
Routed /48: 2001:470:a897::/48
All addresses in that routed range (ie: 2001:470:a897:200:216:ceff:fe6e:56f2/64)
Are receiving ICMP type 1 (Unreachable) code 1 (Administratively prohibited) from 2001:470:1F03:2a7::1/64
when trying to telnet to irc.ipv6.freenode.net:
$ telnet irc.ipv6.freenode.net 6667
Trying 2001:6b0:5:1688::10...
Trying 2001:6b0:e:2018::172...
Trying 2001:1418:13:1::25...
Trying 2001:19f0:feee::dead:beef:cafe...
telnet: Unable to connect to remote host: Permission denied
But other things are working:
ping6 irc.ipv6.freenode.net
PING irc.ipv6.freenode.net(denis.it.su.se) 56 data bytes
64 bytes from denis.it.su.se: icmp_seq=1 ttl=49 time=206 ms
64 bytes from denis.it.su.se: icmp_seq=2 ttl=49 time=197 ms
64 bytes from denis.it.su.se: icmp_seq=3 ttl=49 time=196 ms
64 bytes from denis.it.su.se: icmp_seq=4 ttl=49 time=198 ms
^C
--- irc.ipv6.freenode.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 196.696/199.607/206.458/4.023 ms
traceroute6 irc.ipv6.freenode.net
traceroute to irc.ipv6.freenode.net (2001:6b0:5:1688::10), 30 hops max, 80 byte packets
1 2001:470:a897:200::2 (2001:470:a897:200::2) 20.362 ms 28.854 ms 33.836 ms
2 cowboy.tunnel.tserv2.fmt.ipv6.he.net (2001:470:1f03:2a7::1) 150.172 ms 15.555 ms 150.939 ms
3 v702.core1.fmt1.he.net (2001:470:0:1f::1) 160.324 ms 162.951 ms 164.074 ms
4 10gigabitethernet1-1.core1.pao1.he.net (2001:470:0:2e::2) 151.172 ms 168.41 ms 171.579 ms
5 10gigabitethernet1-1.core1.lax1.he.net (2001:470:0:34::2) 184.130 ms 191.09 ms 194.669 ms
6 10gigabitethernet4-3.core1.nyc4.he.net (2001:470:0:10e::2) 225.352 ms 206.891 ms 199.609 ms
7 10gigabitethernet1-2.core1.lon1.he.net (2001:470:0:3e::2) 272.905 ms 202.79 ms 215.233 ms
8 2001:7f8:4::a2b:1 (2001:7f8:4::a2b:1) 214.229 ms 214.588 ms 285.572 ms
9 dk-ore.nordu.net (2001:948:0:f00b::1) 291.764 ms 294.024 ms 288.587 ms
10 se-fre.nordu.net (2001:948:0:f03f::1) 288.984 ms 277.994 ms 285.273 ms
11 c1sth-so-6-0-0.sunet.se (2001:948:0:f051::2) 284.169 ms 255.835 ms 258.79 ms
12 a1sth-su.sunet.se (2001:6b0:dead:beef:2::222) 259.465 ms 230.460 ms 279.50 ms
13 giga-su2-gw-ge2-2.su.se (2001:6b0:5:3::1) 270.846 ms 275.921 ms 311.303 ms
14 ipv6-gw-fa0-0.su.se (2001:6b0:5:5::2) 311.430 ms 314.961 ms 322.888 ms
15 shall6-gw1.it.su.se (2001:6b0:5:ffb::2) 323.997 ms 345.737 ms 346.780 ms
16 denis.it.su.se (2001:6b0:5:1688::10) 400.534 ms 439.063 ms 477.019 ms
SMTP was flowing both directions in IPv6 (at least to lists.debian.org), but seems to have stopped on 2009.09.15
However http to tunnelbroker.net, he.net, ipv6.google.com, etc is all working fine.
I've tried switching my default route (linux) to using just the device (he-ipv6), and using the endpoint + device, to no avail.
Am I likely doing something wrong, or is there something else at play ?
Thanks,
--
Rick
One thing I did notice in the mail log was that he.net apparently tries caller-verification - and I prohibit EXPN and VRFY
unless one is authenticated (or on the private network).
Standard (& old school) security.
Hrm. My /48 can get to ipv6.chat.us.freenode.net just fine.
You may want to check to see if it's not your firewall. I've seen firewalls do that sort of thing before (fake ICMP responses when blocking) when the policy prohibits them from connecting to some site. Stuff like websense mostly, IIRC.
Thanks, I've heard from another US HE user that they also can make it through fine.
My firewall is straight Linux iptables/ip6tables, and I'm able to get freenode.net via ipv4 just fine.
It certainly never hurts to take another gander at the mess of scripts that create the firewall, however :)
--
rick
Yeah, I have the same setup. Linux/iptables/ip6tables. No scripts though. I just do it by hand and use ip6tables-save, etc. May wanna check logs too to make sure it's not dropping, etc. Scripts could be doing anything really. :P
EDIT: You may also want to do a tcpdump on the ipv6 interface and make sure the ICMP messages are coming from the HE side of your tunnel. If so maybe it's some ACL on their side, or something like that.
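The two suggestions above (check whether your own firewall is faking the ICMP, and tcpdump the tunnel interface to see where the ICMPv6 actually originates) come down to the same check: decode the Destination Unreachable / Administratively Prohibited message and compare its source address with the tunnel endpoint. The following is an added example, not code from this thread or from HE; it builds a constructed sample packet (the addresses, the IRC port and the type/code are taken from the thread, the packet bytes themselves are made up) and then parses it the way you would parse a capture read off the tunnel interface, verifying the RFC 4443 checksum and pulling the original destination and port out of the quoted header:

```python
import ipaddress
import struct

# Addresses quoted in the thread.
TUNNEL_ENDPOINT = ipaddress.IPv6Address("2001:470:1f03:2a7::1")   # HE side of the tunnel
MY_HOST = ipaddress.IPv6Address("2001:470:a897:200:216:ceff:fe6e:56f2")
IRC_SERVER = ipaddress.IPv6Address("2001:6b0:5:1688::10")         # denis.it.su.se

ICMPV6_DEST_UNREACH = 1        # ICMPv6 type 1
ICMPV6_ADM_PROHIBITED = 1      # code 1: administratively prohibited
PROTO_ICMPV6, PROTO_TCP = 58, 6


def icmpv6_checksum(src, dst, message):
    """RFC 4443 checksum: ones-complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, zeros, next header) plus the ICMPv6 message."""
    pseudo = src.packed + dst.packed + struct.pack("!I", len(message)) + b"\x00\x00\x00" + bytes([PROTO_ICMPV6])
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_unreachable(src, victim, orig_dst, orig_dport, code=ICMPV6_ADM_PROHIBITED):
    """Constructed sample: an IPv6 packet from `src` to `victim` carrying an ICMPv6
    Destination Unreachable that quotes the victim's original TCP SYN to orig_dst."""
    # Quoted original TCP header (20 bytes): sport, dport, seq, ack, offset, flags(SYN), win, csum, urg
    inner_tcp = struct.pack("!HHIIBBHHH", 40000, orig_dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner_ip6 = struct.pack("!IHBB", 0x60000000, len(inner_tcp), PROTO_TCP, 64) + victim.packed + orig_dst.packed
    body = struct.pack("!BBHI", ICMPV6_DEST_UNREACH, code, 0, 0) + inner_ip6 + inner_tcp
    csum = icmpv6_checksum(src, victim, body)
    body = body[:2] + struct.pack("!H", csum) + body[4:]
    outer = struct.pack("!IHBB", 0x60000000, len(body), PROTO_ICMPV6, 64) + src.packed + victim.packed
    return outer + body


def parse_icmpv6_unreachable(packet):
    """Decode an IPv6 packet; return the fields a troubleshooter wants from a
    Destination Unreachable message, or None if it is not one."""
    if len(packet) < 40 + 8 + 40:
        return None
    ver_tc_fl, plen, nh, _hlim = struct.unpack("!IHBB", packet[:8])
    if ver_tc_fl >> 28 != 6 or nh != PROTO_ICMPV6:
        return None  # not plain IPv6+ICMPv6 (extension headers not handled here)
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    icmp = packet[40:40 + plen]
    itype, icode, csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if itype != ICMPV6_DEST_UNREACH:
        return None
    checksum_ok = icmpv6_checksum(src, dst, icmp[:2] + b"\x00\x00" + icmp[4:]) == csum
    inner = icmp[8:]  # as much of the offending packet as fits
    _, _inner_len, inner_nh, _ = struct.unpack("!IHBB", inner[:8])
    original_dst = ipaddress.IPv6Address(inner[24:40])
    original_dport = None
    if inner_nh == PROTO_TCP and len(inner) >= 44:
        original_dport = struct.unpack("!H", inner[42:44])[0]
    return {
        "source": src, "victim": dst, "code": icode, "checksum_ok": checksum_ok,
        "original_dst": original_dst, "original_dport": original_dport,
    }


def classify(info, endpoint, my_addrs):
    """Where did the prohibition come from? 'upstream' = the far tunnel endpoint,
    'local' = our own host (e.g. an ip6tables REJECT --reject-with icmp6-adm-prohibited),
    'transit' = some other hop on the path."""
    if info["source"] == endpoint:
        return "upstream"
    if info["source"] in my_addrs:
        return "local"
    return "transit"


if __name__ == "__main__":
    pkt = build_unreachable(TUNNEL_ENDPOINT, MY_HOST, IRC_SERVER, 6667)
    info = parse_icmpv6_unreachable(pkt)
    print("ICMPv6 type 1 code %d from %s, original target %s port %s -> %s"
          % (info["code"], info["source"], info["original_dst"], info["original_dport"],
             classify(info, TUNNEL_ENDPOINT, {MY_HOST})))
```

On a real capture you would feed the bytes of each packet from the tunnel interface into `parse_icmpv6_unreachable`; an answer of "local" means your own ip6tables produced the rejection, "upstream" points at the far end of the tunnel, as turned out to be the case here.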
You have an ancient tunnel on a tunnel-server that blocked IRC pre-2007, and these days is only used for BGP tunnels (although we didn't nuke people off of them completely, that would have been rude/mean).
I've just removed that IRC filter, so please retest.
I've already used wireshark (old name tripwire) to verify that the ICMP response was coming from the upstream endpoint.
I do need to cleanup my scripts, I started with a script per interface (for forwarding/masq), and one per service (smtp, irc, http...) With a config file per host (so the scripts were the same).
It'd certainly be a faster startup to just use save/restore, but less general (all my config files/scripts are in SVN, and cfengine is used to push/pull state to the various machines) -- overkill for my network size, but that's what I do (not to mention that I use the same setup at work).
--
Rick
Quote from: broquea on September 17, 2009, 07:55:35 PM
You have an ancient tunnel on a tunnel-server that blocked IRC pre-2007, and these days is only used for BGP tunnels (although we didn't nuke people off of them completely, that would have been rude/mean).
Hrm, does that mean I should be pestering my DNS provider (as soon as they get the glue records done) to update them to a new /48 ?
Quote from: broquea on September 17, 2009, 07:55:35 PM
I've just removed that IRC filter, so please retest.
Aha... I'm not going insane (well, not because of this at any rate) :)
Indeed, I'm now connected just fine... but should I be contemplating moving to a new tunnel ? I'd like to wait until they get one round of .org glue records figured out before throwing them a new range, but it isn't that big a deal.
Thanks for fixing this, you guys rock !
LOL. So it was an ACL on the HE side. Heh. Had no idea they blocked IRC back in the day. Not surprising though, since it's often associated with hax0rz, etc (botnet control, hacker hangouts, etc).
BTW, Wireshark was called Ethereal before. Tripwire is a whole 'nother thing (tracks changes to your system, etc).
Quote from: jimb on September 17, 2009, 08:19:12 PM
BTW, Wireshark was called Ethereal before. Tripwire is a whole 'nother thing (tracks changes to your system, etc).
Sigh, /me puts the bottle back in the cupboard, I've obviously had enough for one day, I don't know how I managed to screw that up, I've been running both for (maybe too) many years :)
No worries. Happens to everyone. ;D