My USG 50 arrived Thursday and I have a working IPv4 setup. Since it supports IPv6 in IPv4 I would like to use it to manage a Hurricane Electric IPv6 tunnel. Are there instructions somewhere on how to do this for a USG XX? I have the HE end set up. However, the example in the USG manual is for a point-to-point tunnel between two ZyWALLs.
I would think it's the same basic idea. What options are they looking for?
After going through the setup again I found that the USG LAN IP needs to be 2001:470:1f0e:1134::2/64 instead of /128. I also had to add a firewall rule to allow IP6to4 (protocol 41) and manually configure the HE IPv6 DNS server. The Windows 7 PCs now have valid IPv6 addresses in the same /64.
However, if I do a tracert to google.com the name is resolved to an IPv6 address which implies that DNS is working but the trace times out. I don't see anything being blocked by the firewall so I don't know why tracert isn't working.
C:\Users\janderso>tracert google.com
Tracing route to google.com [2001:4860:800a::71]
over a maximum of 30 hops:
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 ^C
C:\Users\janderso>
Let's see your routing table.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\janderso>route print
===========================================================================
Interface List
16...4c eb 42 40 d5 0d ......Intel(R) Centrino(R) Wireless-N 1030
1...........................Software Loopback Interface 1
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
18...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.30.30.1 172.30.30.211 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.30.30.0 255.255.255.0 On-link 172.30.30.211 276
172.30.30.211 255.255.255.255 On-link 172.30.30.211 276
172.30.30.255 255.255.255.255 On-link 172.30.30.211 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 172.30.30.211 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 172.30.30.211 276
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 172.24.80.161 Default
0.0.0.0 0.0.0.0 172.30.30.1 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
16 281 ::/0 fe80::ca6c:87ff:fe36:f82e
1 306 ::1/128 On-link
18 58 2001::/32 On-link
18 306 2001:0:9d38:953c:30b8:503:9e9f:fcd3/128
On-link
16 33 2001:470:1f0e:1134::/64 On-link
16 281 2001:470:1f0e:1134:449e:56a8:92c1:caa0/128
On-link
16 281 2001:470:1f0e:1134:a09e:8e1d:2703:62e7/128
On-link
16 281 fe80::/64 On-link
18 306 fe80::/64 On-link
18 306 fe80::30b8:503:9e9f:fcd3/128
On-link
16 281 fe80::a09e:8e1d:2703:62e7/128
On-link
1 306 ff00::/8 On-link
18 306 ff00::/8 On-link
16 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
C:\Users\janderso>
So fe80::ca6c:87ff:fe36:f82e is the address of your Zyxel?
Is there an option on the Zyxel where you tell it to route ipv6 traffic?
That is the link local address of the router. There is a policy route that tells it to route IPv6 from the LAN2 interface to the tunnel. Note from my second post that the PC is able to access the DNS server via the tunnel and resolve google.com.
I was using the client /64 for the LAN subnet instead of the routed /64. Here is the new route print.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\janderso>route print
===========================================================================
Interface List
16...4c eb 42 40 d5 0d ......Intel(R) Centrino(R) Wireless-N 1030
1...........................Software Loopback Interface 1
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
18...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.30.30.1 172.30.30.211 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.30.30.0 255.255.255.0 On-link 172.30.30.211 276
172.30.30.211 255.255.255.255 On-link 172.30.30.211 276
172.30.30.255 255.255.255.255 On-link 172.30.30.211 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 172.30.30.211 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 172.30.30.211 276
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 172.24.80.161 Default
0.0.0.0 0.0.0.0 172.30.30.1 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
16 281 ::/0 fe80::ca6c:87ff:fe36:f82e
1 306 ::1/128 On-link
18 58 2001::/32 On-link
18 306 2001:0:9d38:953c:3c10:f8e:53e1:e12c/128
On-link
16 33 2001:470:1f0f:1134::/64 On-link
16 281 2001:470:1f0f:1134:6946:1dcf:a269:da1c/128
On-link
16 281 2001:470:1f0f:1134:a09e:8e1d:2703:62e7/128
On-link
16 281 fe80::/64 On-link
18 306 fe80::/64 On-link
18 306 fe80::3c10:f8e:53e1:e12c/128
On-link
16 281 fe80::a09e:8e1d:2703:62e7/128
On-link
1 306 ff00::/8 On-link
18 306 ff00::/8 On-link
16 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
C:\Users\janderso>
After I fixed the subnet problem I can ping google.com. However, tracert still fails. Should tracert work through the tunnel?
C:\Users\janderso>ping google.com
Pinging google.com [2001:4860:4002:801::1004] with 32 bytes of data:
Reply from 2001:4860:4002:801::1004: time=91ms
Reply from 2001:4860:4002:801::1004: time=89ms
Reply from 2001:4860:4002:801::1004: time=87ms
Reply from 2001:4860:4002:801::1004: time=85ms
Ping statistics for 2001:4860:4002:801::1004:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 85ms, Maximum = 91ms, Average = 88ms
C:\Users\janderso>tracert google.com
Tracing route to google.com [2001:4860:4002:801::1004]
over a maximum of 30 hops:
1 27 ms 2 ms 3 ms 2001:470:1f0f:1134::1
2 * * * Request timed out.
3 ^C
C:\Users\janderso>nslookup google.com
Server: ordns.he.net
Address: 2001:470:20::2
Non-authoritative answer:
Name: google.com
Addresses: 2001:4860:4002:801::1004
74.125.227.32
74.125.227.38
74.125.227.34
74.125.227.33
74.125.227.46
74.125.227.36
74.125.227.37
74.125.227.40
74.125.227.35
74.125.227.41
74.125.227.39
C:\Users\janderso>
Yes, traceroute should work.
It appears that the USG 50 has a problem with IPv6 tracert. I let the trace run to completion and it actually got to google.com on hop number 12. The first line in my trace is the USG routed /64 IPv6 address. For a test I turned the firewall off and restarted the USG to be sure it was actually off. Firewall on or off I get request timed out for all but the first and last hops.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\janderso>tracert -d google.com
Tracing route to google.com [2001:4860:4002:801::1005]
over a maximum of 30 hops:
1 2 ms 2 ms 3 ms 2001:470:1f0f:1134::1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 96 ms 78 ms 78 ms 2001:4860:4002:801::1005
Trace complete.
C:\Users\janderso>
My setup is exactly the same as the OP, with the same issue and the same symptoms. Ping works but not tracert. I suspect some configuration tweak is necessary on the USG but even after spending a good few hours, I haven't been able to figure it out.
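Added example, not part of the thread: a Python check for the subnet mix-up described earlier (the tunnel's client /64 used on the LAN instead of the routed /64), run over host-route lines excerpted from the two `route print` outputs above. The function names and the default interface index are this example's own choices.

```python
import ipaddress
import re

# Prefixes as they appear in the thread's route tables.
CLIENT_64 = ipaddress.ip_network("2001:470:1f0e:1134::/64")  # tunnel endpoints
ROUTED_64 = ipaddress.ip_network("2001:470:1f0f:1134::/64")  # meant for the LAN

# /128 host-route lines excerpted from the two "route print" outputs.
BEFORE = """\
16 281 2001:470:1f0e:1134:449e:56a8:92c1:caa0/128
16 281 2001:470:1f0e:1134:a09e:8e1d:2703:62e7/128
16 281 fe80::a09e:8e1d:2703:62e7/128
18 306 2001:0:9d38:953c:30b8:503:9e9f:fcd3/128
"""
AFTER = """\
16 281 2001:470:1f0f:1134:6946:1dcf:a269:da1c/128
16 281 2001:470:1f0f:1134:a09e:8e1d:2703:62e7/128
16 281 fe80::a09e:8e1d:2703:62e7/128
18 306 2001:0:9d38:953c:3c10:f8e:53e1:e12c/128
"""

# "<if index> <metric> <address>/128"; the wrapped "On-link" lines do not match.
HOST_ROUTE = re.compile(r"^\s*(\d+)\s+\d+\s+([0-9a-fA-F:]+)/128\b")

def global_addresses(route_print, if_index):
    """Global (non-link-local) /128 host routes on one interface."""
    found = []
    for line in route_print.splitlines():
        m = HOST_ROUTE.match(line)
        if m and int(m.group(1)) == if_index:
            addr = ipaddress.ip_address(m.group(2))
            if not addr.is_link_local:
                found.append(addr)
    return found

def classify(addr):
    """Name the tunnel prefix an address falls in."""
    if addr in ROUTED_64:
        return "routed /64"
    if addr in CLIENT_64:
        return "client /64"
    return "other"

def lan_prefix_report(route_print, if_index=16):
    """Map each global address on the LAN interface to its prefix."""
    return {str(a): classify(a) for a in global_addresses(route_print, if_index)}

def lan_prefix_ok(route_print, if_index=16):
    """True only if every global LAN address sits in the routed /64."""
    report = lan_prefix_report(route_print, if_index)
    return bool(report) and all(v == "routed /64" for v in report.values())
```

`lan_prefix_ok(BEFORE)` is false because the PC autoconfigured addresses in the client /64; with the second route table it is true.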