Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Linux & BSD & Mac => Topic started by: Keiro on September 28, 2010, 01:29:41 PM

Title: Double-check IPv6to4 settings, please?
Post by: Keiro on September 28, 2010, 01:29:41 PM
Hi, everyone.

With Broquea's help, I think it is from the e-mail... :p I've been working on getting the tunnel to work.

The config of the server:
OS: CentOS 5.5 with cPanel installed.
iptables: yes

I did the following:

Quote
ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::66.220.18.42
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:470:c:67f::2/64
route -A inet6 add ::/0 dev sit1

then with Broquea's help, I did the following:


iptables -A INPUT -p 41 -i eth0 -j ACCEPT

iptables -A INPUT -p 41 -i sit0 -j ACCEPT

iptables -A INPUT -p 41 -i sit1 -j ACCEPT

So here's the following ifconfig output:

Quote
root@serv [~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1C:C0:F2:26:A6
          inet addr:69.61.68.10  Bcast:69.61.68.15  Mask:255.255.255.248
          inet6 addr: fe80::21c:c0ff:fef2:26a6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21826620 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29327296 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5360738967 (4.9 GiB)  TX bytes:31752490950 (29.5 GiB)
          Memory:d0700000-d0720000

eth0:1    Link encap:Ethernet  HWaddr 00:1C:C0:F2:26:A6
          inet addr:69.61.68.11  Bcast:69.61.68.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:d0700000-d0720000

eth0:2    Link encap:Ethernet  HWaddr 00:1C:C0:F2:26:A6
          inet addr:69.61.68.12  Bcast:69.61.68.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:d0700000-d0720000

eth0:3    Link encap:Ethernet  HWaddr 00:1C:C0:F2:26:A6
          inet addr:69.61.68.13  Bcast:69.61.68.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:d0700000-d0720000

eth0:4    Link encap:Ethernet  HWaddr 00:1C:C0:F2:26:A6
          inet addr:69.61.68.14  Bcast:69.61.68.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:d0700000-d0720000

eth0:5    Link encap:Ethernet  HWaddr 00:1C:C0:F2:26:A6
          inet addr:69.61.68.34  Bcast:69.61.68.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:d0700000-d0720000

eth0:6    Link encap:Ethernet  HWaddr 00:1C:C0:F2:26:A6
          inet addr:69.61.68.35  Bcast:69.61.68.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:d0700000-d0720000

eth0:7    Link encap:Ethernet  HWaddr 00:1C:C0:F2:26:A6
          inet addr:69.61.68.36  Bcast:69.61.68.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:d0700000-d0720000

eth0:8    Link encap:Ethernet  HWaddr 00:1C:C0:F2:26:A6
          inet addr:69.61.68.37  Bcast:69.61.68.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:d0700000-d0720000

eth0:9    Link encap:Ethernet  HWaddr 00:1C:C0:F2:26:A6
          inet addr:69.61.68.38  Bcast:69.61.68.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:d0700000-d0720000

eth0:10   Link encap:Ethernet  HWaddr 00:1C:C0:F2:26:A6
          inet addr:69.61.68.39  Bcast:69.61.68.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:d0700000-d0720000

eth0:11   Link encap:Ethernet  HWaddr 00:1C:C0:F2:26:A6
          inet addr:69.61.68.40  Bcast:69.61.68.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:d0700000-d0720000

eth0:12   Link encap:Ethernet  HWaddr 00:1C:C0:F2:26:A6
          inet addr:69.61.68.41  Bcast:69.61.68.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:d0700000-d0720000

eth0:13   Link encap:Ethernet  HWaddr 00:1C:C0:F2:26:A6
          inet addr:69.61.68.42  Bcast:69.61.68.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:d0700000-d0720000

eth0:14   Link encap:Ethernet  HWaddr 00:1C:C0:F2:26:A6
          inet addr:69.61.68.43  Bcast:69.61.68.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:d0700000-d0720000

eth0:15   Link encap:Ethernet  HWaddr 00:1C:C0:F2:26:A6
          inet addr:69.61.68.44  Bcast:69.61.68.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:d0700000-d0720000

eth0:16   Link encap:Ethernet  HWaddr 00:1C:C0:F2:26:A6
          inet addr:69.61.68.45  Bcast:69.61.68.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:d0700000-d0720000

eth0:17   Link encap:Ethernet  HWaddr 00:1C:C0:F2:26:A6
          inet addr:69.61.68.46  Bcast:69.61.68.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:d0700000-d0720000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1961182 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1961182 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:206697510 (197.1 MiB)  TX bytes:206697510 (197.1 MiB)

sit0      Link encap:IPv6-in-IPv4
          inet6 addr: ::69.61.68.45/96 Scope:Compat
          inet6 addr: ::69.61.68.44/96 Scope:Compat
          inet6 addr: ::69.61.68.14/96 Scope:Compat
          inet6 addr: ::69.61.68.13/96 Scope:Compat
          inet6 addr: ::69.61.68.46/96 Scope:Compat
          inet6 addr: ::69.61.68.12/96 Scope:Compat
          inet6 addr: ::69.61.68.41/96 Scope:Compat
          inet6 addr: ::69.61.68.11/96 Scope:Compat
          inet6 addr: ::69.61.68.40/96 Scope:Compat
          inet6 addr: ::69.61.68.10/96 Scope:Compat
          inet6 addr: ::69.61.68.43/96 Scope:Compat
          inet6 addr: ::69.61.68.42/96 Scope:Compat
          inet6 addr: ::69.61.68.37/96 Scope:Compat
          inet6 addr: ::69.61.68.36/96 Scope:Compat
          inet6 addr: ::127.0.0.1/96 Scope:Unknown
          inet6 addr: ::69.61.68.39/96 Scope:Compat
          inet6 addr: ::69.61.68.38/96 Scope:Compat
          inet6 addr: ::69.61.68.35/96 Scope:Compat
          inet6 addr: ::69.61.68.34/96 Scope:Compat
          UP RUNNING NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

sit1      Link encap:IPv6-in-IPv4
          inet6 addr: fe80::453d:442d/64 Scope:Link
          inet6 addr: fe80::453d:442c/64 Scope:Link
          inet6 addr: fe80::453d:440e/64 Scope:Link
          inet6 addr: 2001:470:c:67f::2/64 Scope:Global
          inet6 addr: fe80::453d:440d/64 Scope:Link
          inet6 addr: fe80::453d:442e/64 Scope:Link
          inet6 addr: fe80::453d:440c/64 Scope:Link
          inet6 addr: fe80::453d:4429/64 Scope:Link
          inet6 addr: fe80::453d:440b/64 Scope:Link
          inet6 addr: fe80::453d:4428/64 Scope:Link
          inet6 addr: fe80::453d:440a/64 Scope:Link
          inet6 addr: fe80::453d:442b/64 Scope:Link
          inet6 addr: fe80::453d:442a/64 Scope:Link
          inet6 addr: fe80::453d:4425/64 Scope:Link
          inet6 addr: fe80::453d:4424/64 Scope:Link
          inet6 addr: fe80::453d:4427/64 Scope:Link
          inet6 addr: fe80::453d:4426/64 Scope:Link
          inet6 addr: fe80::453d:4423/64 Scope:Link
          inet6 addr: fe80::453d:4422/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:44 dropped:0 overruns:0 carrier:44
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

And I tried running tcpdump, but I was a little overwhelmed by the dump going by so fast because this server receives a LOT of traffic.

So I'll ask for others' eyes on this, as I need to ensure I'm getting this right, haha. If you guys need further info, please let me know. :)
Title: Re: Double-check IPv6to4 settings, please?
Post by: cholzhauer on September 28, 2010, 01:31:54 PM
OK, so what problem(s) are you having?
Title: Re: Double-check IPv6to4 settings, please?
Post by: Keiro on September 28, 2010, 01:43:59 PM
Basically, I'm having trouble checking to see if the ipv6to4 tunnel is working.

I know a tcpdump would be the preferred option, but I'd like to confirm from the outside whether it actually works or not.

Basically, what I'm trying to do is to verify that the tunnel is in fact working and can receive/send ipv6 to 4 traffic.
Title: Re: Double-check IPv6to4 settings, please?
Post by: cholzhauer on September 28, 2010, 06:54:41 PM
Gotcha

I tried pinging your side of the tunnel, but it didn't work



mars# ping6 2001:470:c:67f::2
PING6(56=40+8+8 bytes) 2001:470:c27d:e000:20c:29ff:fe8a:1618 --> 2001:470:c:67f::2
^C
--- 2001:470:c:67f::2 ping6 statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss



I saw you're using IPTables (I'm not familiar with it, so forgive me for being dumb) but if you're not blocking ICMP, I can't get through
Title: Re: Double-check IPv6to4 settings, please?
Post by: Keiro on September 28, 2010, 10:19:43 PM
Yes, I'm using IPTables.

And yes, I'm blocking ICMP. Anyone that traceroutes to the server tends to get blocked, though I'm considering unblocking ICMP. I'm checking the firewall and making an edit to allow traceroutes.

Edit: Should be allowed now, I think.
Title: Re: Double-check IPv6to4 settings, please?
Post by: cholzhauer on September 29, 2010, 05:01:04 AM
No, still doesn't work

We won't get into the ICMP blocking debate.

What service can we test if you're blocking ICMP?
Title: Re: Double-check IPv6to4 settings, please?
Post by: snarked on September 29, 2010, 10:00:21 AM
Please note that HE tunnels are "6in4", not "6to4".  6to4 are assigned from 2002::/16.
Title: Re: Double-check IPv6to4 settings, please?
Post by: Keiro on September 29, 2010, 10:52:49 AM
Quote from: cholzhauer on September 29, 2010, 05:01:04 AM
No, still doesn't work

We won't get into the ICMP blocking debate.

What service can we test if you're blocking ICMP?

You can test HTTPD, as I know for certain anyone can reach it... I know that one's reachable, heh. I'm not entirely sure yet, as I've been figuring out how all of this works, as this isn't like ipv4. As for the site, it'd be shatteredtears.com

Snarked: Ah, thanks for the correction.

I'll be contacting CSF/cPanel shortly for further help on ipv6in4.
Title: Re: Double-check IPv6to4 settings, please?
Post by: cholzhauer on September 29, 2010, 11:02:04 AM

[carl@mars ~]$ host shatteredtears.com
shatteredtears.com has address 69.61.68.10
shatteredtears.com mail is handled by 0 mail6.zoneedit.com.
shatteredtears.com mail is handled by 0 mail7.zoneedit.com.


Nope, that site isn't IPv6 capable.

Title: Re: Double-check IPv6to4 settings, please?
Post by: Keiro on September 29, 2010, 11:08:54 AM
Hm. Alright. I'll disable the server's IPTables for the moment and take it out of the equation and see what happens.

Thanks for helping me out so far!
Title: Re: Double-check IPv6to4 settings, please?
Post by: cholzhauer on September 29, 2010, 11:11:43 AM
Quote
Hm. Alright. I'll disable the server's IPTables for the moment and take it out of the equation and see what happens.

That won't work for this.  You'll need to edit the DNS entry if you want the site to be associated with an IPv6 address
Title: Re: Double-check IPv6to4 settings, please?
Post by: Keiro on September 29, 2010, 11:33:52 AM
Alright, I'm going to try assigning an IPv6 address to the site. >_>

I'm kinda fighting this one.

I assigned the IP: 2001:470:c:67f::2 to shatteredtears.com

but it doesn't seem to have taken, so I think it's something else at issue here. I'm going to contact my datacenter and see if they can help me out here, as they seem to have a working IPv6 setup on their VPS servers.
Title: Re: Double-check IPv6to4 settings, please?
Post by: cholzhauer on September 29, 2010, 11:36:20 AM
ping works to that address



[carl@mars ~]$ ping6 2001:470:c:67f::2
PING6(56=40+8+8 bytes) 2001:470:c27d:e000:20c:29ff:fe8a:1618 --> 2001:470:c:67f::2
16 bytes from 2001:470:c:67f::2, icmp_seq=0 hlim=56 time=259.932 ms
16 bytes from 2001:470:c:67f::2, icmp_seq=1 hlim=56 time=254.006 ms
16 bytes from 2001:470:c:67f::2, icmp_seq=2 hlim=56 time=255.635 ms
^C
--- 2001:470:c:67f::2 ping6 statistics ---
4 packets transmitted, 3 packets received, 25.0% packet loss
round-trip min/avg/max/std-dev = 254.006/256.524/259.932/2.500 ms



But you're right, no DNS entry yet
Title: Re: Double-check IPv6to4 settings, please?
Post by: Keiro on September 29, 2010, 11:37:50 AM
Score, something works! IT WORKS! hahahaha

Alright, working on it. I think this requires an AAAA?
Title: Re: Double-check IPv6to4 settings, please?
Post by: cholzhauer on September 29, 2010, 11:39:16 AM
Yes, an AAAA record is used for IPv6
Title: Re: Double-check IPv6to4 settings, please?
Post by: Keiro on September 29, 2010, 11:48:53 AM
Added! :D

Should work now... I think. One more question:

Would this work so long as I assign other IPs, say: 2001:470:c:67f::3 for example, to other domains on the server?
Title: Re: Double-check IPv6to4 settings, please?
Post by: broquea on September 29, 2010, 11:50:18 AM
Yes, but you'll never be able to set reverse DNS since you are using the link /64 and not the routed /64.
Title: Re: Double-check IPv6to4 settings, please?
Post by: Keiro on September 29, 2010, 11:51:46 AM
Ah! Okay, so to make sure I can set reverse DNS, how would I proceed in this manner?
Title: Re: Double-check IPv6to4 settings, please?
Post by: broquea on September 29, 2010, 11:53:05 AM
Configure IPs out of your routed /64 instead, on your server. Then you can control rDNS after delegation to whatever server or service you will use to manage it. Broker accounts get access to dns.he.net automatically if you want to use that service.
Title: Re: Double-check IPv6to4 settings, please?
Post by: Keiro on September 29, 2010, 11:55:11 AM
Gotcha, that's what I was trying to learn how to do, to route IPs out of my assigned /64.

Thanks a whole bunch for the help so far!

I'll be dropping by that service in a bit to check it out.

Edit: So, I click on Routed /48 and I see a bunch of stuff, in my tunnel detail list.
Title: Re: Double-check IPv6to4 settings, please?
Post by: Keiro on January 29, 2011, 04:13:48 AM
Jesus.

It took several hours of banging my head against the wall this morning.

Turns out it's not CSF at fault.

It's the darned kernel. We're running pre-2.6.20. Which means CSF kills the connections unintentionally.

HOWEVER! I can at least say that IPv6in4 now works!

Try checking shatteredtears.com via IPv6.  ;D

So... the solution is to essentially disable CSF and/or upgrade to post-2.6.2x kernel and reenable CSF to make it work.

For now, I'm just going to wait for a kernel upgrade and leave CSF disabled. :/
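
Added example, not part of the thread: a dry-run script that prints a tighter firewall plan for this tunnel, accepting protocol 41 only from the tunnel server named in the first post and filtering the decapsulated IPv6 traffic on sit1 with ip6tables, since iptables only sees the IPv4 side. It assumes the 2.6.20 threshold from the last post marks where stateful (`--state`) ip6tables rules become usable, and the function names and the port 80 rule are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. It only prints rules; nothing is applied.
TUNNEL_SERVER="66.220.18.42"   # HE tunnel endpoint from the first post
WAN_IF="eth0"                  # IPv4 interface from the thread
TUN_IF="sit1"                  # 6in4 interface from the thread

# Succeeds if kernel release $1 (e.g. "2.6.18-194.el5") is 2.6.20 or newer,
# the threshold named in the last post.
kernel_at_least_2_6_20() {
    ver=${1%%-*}                       # drop the distro suffix
    old_ifs=$IFS; IFS=.
    set -- $ver                        # split into major minor patch
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}; patch=${patch:-0}
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -gt 6 ] && return 0
    [ "$minor" -lt 6 ] && return 1
    [ "$patch" -ge 20 ]
}

# Print the rule plan for kernel release $1.
print_rules() {
    # IPv4 side: accept IPv6-in-IPv4 (protocol 41) only from the tunnel server.
    echo "iptables -A INPUT -i $WAN_IF -p 41 -s $TUNNEL_SERVER -j ACCEPT"
    # IPv6 side: keep ICMPv6 open (neighbour discovery, path MTU, ping6 tests).
    echo "ip6tables -A INPUT -i $TUN_IF -p ipv6-icmp -j ACCEPT"
    if kernel_at_least_2_6_20 "$1"; then
        echo "ip6tables -A INPUT -i $TUN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    else
        # Assumption: stateful matching is unusable here, so fall back to a
        # coarse stateless rule that lets non-SYN TCP (reply traffic) through.
        echo "# kernel $1 is older than 2.6.20: stateless fallback"
        echo "ip6tables -A INPUT -i $TUN_IF -p tcp ! --syn -j ACCEPT"
    fi
    echo "ip6tables -A INPUT -i $TUN_IF -p tcp --dport 80 -j ACCEPT"  # HTTPD
    echo "ip6tables -A INPUT -i $TUN_IF -j DROP"
}

print_rules "$(uname -r)"
```

Review the printed rules before applying any of them; the stateless fallback is weaker than connection tracking and does not cover UDP replies.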