Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Windows => Topic started by: Ninho on November 16, 2011, 10:13:45 AM

Title: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: Ninho on November 16, 2011, 10:13:45 AM
Gents, the more I dig the more I am finding Microsoft XP is very much 6-in-4 tunneling hostile !
Maybe it's because they want to promote their "solution" (Teredo). Whatever...

Apart from the issue with some Windows update raised in the other thread (please have a look and see if you can help), there are problems with the (so-called) Windows firewall.

Allowing ICMP for all interfaces (and all message types just to be sure), yet the minute I turn the darned "firewall" on, the HE tunnel ceases to work ! Turn it off and IP6 is working again;  >:( Grrr...

Who was telling me it "just works" for "everybody" has certainly not been trying to use an XP box as his 6in4 router  :(

Please, gentlemen, help!
Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: broquea on November 16, 2011, 10:44:44 AM
XP had IPv6 support as experimental at best. You would be better served running a virtualbox with Linux in it on the XP machine as the router. Or upgrading to a modern version of Windows that doesn't run experimental IPv6 code. Vista/2008/7 all have a proper, non-experimental, IPv6 stack for the Windows platform.
Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: Ninho on November 16, 2011, 12:47:27 PM
Quote
XP had IPv6 support as experimental at best

Microsoft would beg to differ, I'm sure <G>. "Experimental" was IPv6 in Windows 2000 and XP with no service packs. Starting at SP1 and certainly SP2+ it is no more experimental. Maybe buggy, maybe terrible, I don't know, but experimental ? /not/ !

Furthermore I found their "experimental" support (as of Windows 2000) to be much better than later incarnations, as far as 6-in-4 tunnels go. You seem to be pushing people to "upgrade" to even later Windows versions, but, considering the trend, upgrading is only likely to bring more problems and vulnerabilities, assuming it solves this particular problem <G>

MS is not going to get one more cent from my pocket. Ever. And the money I was fool enough to give them I want back in getting it to work as advertised (as far as humanly possible)  ;=)

Dear Broquea, I think I understand your expertise is not so much with MS Windows (and I'm not blaming you!) Among the wealth of experts and system admins who contribute to this forum (you know who I mean)  I surely hope one or two of them can give definite answers other than "old Windows is flaky, new Windows is great" - I can't believe none has run Windows XP during all the years it was mainstream.

Respectfully

Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: antillie on November 16, 2011, 05:32:09 PM
Even if the IPv6 stack in XP isn't experimental it certainly is outdated. XP implements site local addresses and a few other things that have long since been deprecated from the RFCs. Honestly I am very surprised that XP can even talk to a modern IPv6 box at all with how non standards compliant its stack is. I'm not knocking MS here, XP's IPv6 stack was quite standards compliant when it was written 10+ years ago. But the standards have changed a bit since then and XP isn't going to be getting any updates for its IPv6 stack, ever. Also, several IPv4 to IPv6 transitional technologies, such as several forms of tunneling, either hadn't been fully written yet, or have changed quite a bit since then so it's perfectly understandable why XP has problems with them today. And I seriously doubt there will ever be a patch from MS for this either.

And I would be very surprised if anyone ever tried to run IPv6 on Windows XP for more than a few days in anything larger than a lab until the past year or so. So it's very probable that there are plenty of issues with the IPv6 stack in XP that aren't known about yet because it was simply never really used in the wild or subjected to any serious large scale deployment and security/stability testing. Sure people are starting to play with it now, but those same people are also moving to Windows 7/2008 in droves. Note that MS, the only people able to fix any such issues, are firmly in the "moving to Windows 7/2008" camp.

If you want to do anything even remotely serious with IPv6 Windows XP is probably not the OS for you. I am in complete agreement with broquea here, you really should upgrade to a modern OS. If you don't like MS nothing says that you have to go to Windows 7. Linux, BSD, and MacOSX are all perfectly IPv6 capable. Although honestly 64 bit Windows 7 + Server 2008 R2 is probably one of the best platforms from a security and ease of use ratio perspective out of box. IMO, XP needs to go. It was great in its day, but its day has long since passed.
Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: Ninho on November 17, 2011, 02:56:06 AM
' Morning, Antillie !
Quote
If you want to do anything even remotely serious with IPv6 Windows XP is probably not the OS for you.

Not going to argue. I'm hardly doing more than playing with IPv6 for the fun of learning, and doing so not only in Windows XP. But with Linux there are fewer problems (if any), so I don't have to come asking questions <G>

Quote
Also, several IPv4 to IPv6 transitional technologies, such as several forms of tunneling, either hadn't been fully written yet, or have changed quite a bit since then so it's perfectly understandable why XP has problems with them today.

Even if I were to install Seven (I did run it as a virtual machine downloadable from MS itself, and you bet I hated the thing!) I wouldn't bet a kopek that the problems would go out. For instance KB978338 says the update (which seems to block HE's 6in4 tunnels) was not intended for Vista and Seven because its functionality is already integrated there.

The main problem with MS Windows is not bugs in my modest opinion, its opacity.

Regarding the particular problems with XP SP3 updates and 6in4 tunnelling, where - beyond this forum - do you think I might get (free!) serious and thorough answers from MS MVPs or Gurus ?
Can you (you all) advise for the right newsgroup [but MS has abandoned its own news groups] and/or web fora where those experts hide out ?

Thank you very much for your interest and advising
Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: cholzhauer on November 17, 2011, 07:37:59 AM
When I get back in the office I'll try and make it work..what does your setup look like?
Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: antillie on November 17, 2011, 08:21:19 AM
Quote
Even if I were to install Seven (I did run it as a virtual machine downloadable from MS itself, and you bet I hated the thing!) I wouldn't bet a kopek that the problems would go out. For instance KB978338 says the update (which seems to block HE's 6in4 tunnels) was not intended for Vista and Seven because its functionality is already integrated there.

When this functionality was written for Windows Vista and 7 MS probably wrote it as part of the original OS with IPv6 in mind. I seriously doubt this was the case when they wrote the patch for XP since IPv6 support has never been a big priority for XP. Honestly I really like Windows 7. Personally I consider it to be a worthy successor to XP in every way.

Quote
Regarding the particular problems with XP SP3 updates and 6in4 tunnelling, where - beyond this forum - do you think I might get (free!) serious and thorough answers from MS MVPs or Gurus ?
Can you (you all) advise for the right newsgroup [but MS has abandoned its own news groups] and/or web fora where those experts hide out ?

I suspect that the only answer you will get from the vast majority of Windows admins and MS support people will be that you should upgrade to Windows 7. The point is that Windows XP's IPv6 support is what it is. If something works, great. If it doesn't, oh well. MS probably isn't going to fix it and most people aren't going to bother trying to find a work around. XP is just too old and klunky to bother.
Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: Ninho on November 17, 2011, 09:51:59 AM
Quote
When I get back in the office I'll try and make it work..what does your setup look like?

Great, Carl ! Comparison will be very valuable. My settings are simple enough,

ADSL (IPv4/PPPoA) --> Alcatel Speedtouch 510 (passes IP proto 41 thru to) --> Windows XP comp.

The Speedtouch includes an ethernet switch to which other computers connect directly or over powerline - no wireless here!

Softwarewise, I had to replace tcpip6.sys and 6to4svc.dll by their pre-KB978338 versions, and disable the Firewall. These annoying changes I would like to avoid, precisely.
Else nothing special, I used old style ipv6.exe commands, and it just works with the specified limits.

:: ipv6 config -  Windows XP sp3
  ipv6 -p rtu ::/0 2/::216.66.80.30 pub
  ipv6 -p adu 2/2001:470:1f0A:69a::2

:: be the IPv6 gateway for our LAN :
:: interface 6 = Ethernet: local area adapter
  ipv6 -p rtu 2001:470:1f0B:69a::/64 6 pub
  ipv6 -p ifc 2 forw
  ipv6 -p ifc  6 forw adv
_______________________________________________________

Ah! Also, vain trials to override 6in4 packet controls per KB978338, in my hosts file :

127.0.0.1       localhost
216.66.80.30 isatap.lan  # lan is a (pseudo)domain provided by DHCP
216.66.80.30 isatap.sanguine  # sanguine is computername
216.66.80.30 isatap.mydomain.com  # taken verbatim from MS article (silly, no?)

I doubt in fact isatap has anything to do with my settings; as almost always, the MS article provides cooking recipes which might or might not apply to your situation, without much explanation.
Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: cholzhauer on November 21, 2011, 11:23:33 AM
Works fine for me...the IPv6 config part took me five to ten minutes

OS is Windows XP x64 SP2 with all available updates

Code:
netsh interface ipv6 add v6v4tunnel "ip6tunnel" 2001:470:1f06:141a::1 2001:470:1f06:141a::2
netsh interface ipv6 add v6v4tunnel "ip6tunnel" 205.251.163.12 209.51.161.14
netsh int ipv6 add route ::/0 "ip6tunnel" 2001:470:1f06:141a::1

That allows me to ping ipv6.google.com with no problem

I did disable ISATAP and 6to4

My tunnel server is directly connected to the Internet
Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: Ninho on November 24, 2011, 09:53:28 AM
Quote
Works fine for me...

Oh! Thank you very much, Carl! For some reason had not seen your message till this moment.

I'll try and mimic your config, using netsh and a new tunnel interface instead of ipv6.exe and the prebuilt tunnel interface. Shall keep you all updated !

Quote
My tunnel server is directly connected to the Internet
Bitte what do you mean by that exactly ?

--
Ninho
Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: cholzhauer on November 24, 2011, 03:15:34 PM
I mean that there is nothing between my tunnel server and the internet...no firewall, nothing..it's just connected directly to my internet router.
Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: Ninho on November 27, 2011, 11:32:34 AM
Quote
...no firewall, nothing..it's just connected directly to my internet router.

Oh, just that! I wondered if you might have meant you connected directly to the core of the internet - or at least to a much fatter pipe than usual home connections afford...

Anyways, I've now tried a configured tunnel using netsh commands (btw those commands you posted above don't seem quite right; I followed HE's instructions on my "tunnel details" page instead).

The result : that doesn't work, at all for me, with or without the XP firewall  ???

Reverting to my usual voodoo (using ipv6.exe and the prebuilt interface number 2 instead of "creating" a tunnel interface) works as usual (i.e. without firewall; the Windows firewall blocks ipv6)

Sooo... my conclusions :

1. I'm content with my own, personal, exclusive config after all   ;)

2. The reason the way which is working for you and others, doesn't seem to work for me, may reside in my router (part of the speedtouch ADSL appliance) : this router doesn't pass native ipv6, only packets encapsulated in ipv4 protocol #41. Maybe this is a difference between our settings ? When you were doing that experiment, was the link between your XP computer and the internet router passing native IPv6 packets ?

Otherwise I'm clueless as well as baffled !

Regards

corrected typo
Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: cholzhauer on November 27, 2011, 12:03:13 PM
Regarding the router...I'm not sure...it's just the router that's managed by my isp...I would assume that it forwards traffic as it gets it, no encapsulation.
Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: Sheila22Gascon on December 11, 2011, 06:49:32 AM
IPv6 support is still experimental under Windows XP and the stack has to be enabled manually.

To enable the Windows XP IPv6 stack:
1. From the Windows desktop press the “start” button.
2. Click on “Control Panel”.
3. Assuming that the Control Panel is in classic view mode, click on “Network Connections”.
4. Right click on the connection that needs to have the IPv6 stack enabled and go to “Properties”
5. On the properties window click on the “Install…” button.
6. On the “Select Network Component Type” window, select the “Protocol” option and then click on the “Add…” button.
7. On the “Select Network Protocol” window select “Microsoft TCP/IP version 6” and then click the “Ok” button.

The Microsoft IPv6 stack is now enabled for your network connection.

There is no graphical configuration of IPv6 properties/settings. A command line tool called netsh is used to configure IPv6 for interfaces.

To add or delete an IPv6 Address:
1. From a Windows command line invoke the netsh tool by typing “netsh” and then pressing the enter key.
2. Next change the context of netsh to interface by typing “interface” and press enter.
3. Change the context of the interface to ipv6 mode by typing “ipv6” and pressing enter.
4. The command to add an address has the form of “add address [interface=]<string> [address=]<IPv6 Address>”
   a. Example: add address interface="Local Area Connection 2" 2001:1945:feed:deef::1

Deletion can be handled in the same manner by using keyword delete instead of keyword add.

Hope this helps.
Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: Ninho on January 03, 2012, 03:41:48 PM
@All : best wishes for 2012 !

I'm afraid I shall resurrect this thread...

@Sheila : thanks but I have IPv6, and the IPv6-in-IP tunnel, working properly in XP. The problem is the Windows XP SP3 firewall kills this completely, and the question, whether it's possible to configure the FW to let 6-in-4 alone, or if it's an incompatible configuration.

@Cholz : reading your Nov. 21 post again, I can't see any mention of the firewall. Was it activated during your tests ? If not, a crucial comparison element has been missing...

On my XP system, as soon as the firewall is active, it drops every outgoing packet to the tunnel (protocol 41). I've checked this fact both in the firewall's own log and with a packet capture utility. It would probably also drop incoming packets, but there are none left to block since I can't send requests  :=)

There doesn't seem to be any setting for the firewall either in the graphical interface or netsh commands that change this behaviour. Deactivating the FW immediately restores communication thru the tunnel.

The dropped packets have :
ipv4 proto = 41, source IP = 10.0.0.1, dest IP=216.66.80.30 (Frankfurter tunnel server)
ipv6 payload: source = my local IP6 , dest = whatever

I have no idea what the firewall doesn't like in my packets :=)
Until proven otherwise, I assume it simply doesn't support 6-in-4.

Incidentally we have here a case of the MS firewall dropping outgoing packets, whereas all their documentation (that I have seen) says it is intended to drop unsolicited ingoing... one more case of MS documentation being incomplete, misleading or plain wrong.

Please confirm whether your tunnels work with the XP FW active or not !

Thanks


--
Ninho
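
The dropped packet described in the post above, decoded as an added example (not part of the original thread): a small Python parser that checks a raw packet is 6in4 (IPv4 protocol 41), extracts the outer and inner addresses, and flags a private outer source, which is the NAT situation the poster is in. The function names, the inner destination `2001:db8::1` and the ICMPv6 echo payload are constructed for illustration; the other addresses are the ones quoted in the thread.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # IANA protocol number for IPv6 encapsulated in IPv4 (6in4)


def parse_6in4(packet: bytes) -> dict:
    """Decode the outer IPv4 and inner IPv6 headers of one raw 6in4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # outer header length, IPv4 options included
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    if packet[9] != PROTO_IPV6_IN_IPV4:
        raise ValueError(f"IPv4 protocol {packet[9]} is not 41")
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("payload is not a complete IPv6 header")
    outer_src = ipaddress.IPv4Address(packet[12:16])
    return {
        "outer_src": outer_src,
        "outer_dst": ipaddress.IPv4Address(packet[16:20]),
        "inner_src": ipaddress.IPv6Address(inner[8:24]),
        "inner_dst": ipaddress.IPv6Address(inner[24:40]),
        "inner_next_header": inner[6],
        # A private outer source only reaches the tunnel server after a NAT rewrite.
        "behind_nat": outer_src.is_private,
    }


def build_sample(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str) -> bytes:
    """Construct a test 6in4 packet carrying an ICMPv6 echo request (checksums left zero)."""
    icmp6 = struct.pack("!BBHHH", 128, 0, 0, 1, 1)  # type 128 = echo request, id=1, seq=1
    ipv6 = struct.pack("!IHBB", 6 << 28, len(icmp6), 58, 64)  # next header 58 = ICMPv6
    ipv6 += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed
    total = 20 + len(ipv6) + len(icmp6)
    ipv4 = struct.pack("!BBHHHBBH", 0x45, 0, total, 0, 0, 64, PROTO_IPV6_IN_IPV4, 0)
    ipv4 += ipaddress.IPv4Address(outer_src).packed + ipaddress.IPv4Address(outer_dst).packed
    return ipv4 + ipv6 + icmp6


# Constructed sample: outer addresses and inner source as quoted in the thread,
# inner destination taken from the documentation prefix.
SAMPLE = build_sample("10.0.0.1", "216.66.80.30", "2001:470:1f0a:69a::2", "2001:db8::1")

if __name__ == "__main__":
    for key, value in parse_6in4(SAMPLE).items():
        print(f"{key:18} {value}")
```
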

Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: cholzhauer on January 03, 2012, 04:50:29 PM
I'm 99.9% sure I had the firewall on (I don't think I would have had the firewall off on an XP computer directly connected to the net)  I think I only had to allow incoming ICMP so I could create the tunnel.

I didn't read back through the thread, but did you try a brand new XP install with your setup?
Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: Ninho on January 04, 2012, 04:02:08 AM
Quote
I'm 99.9% sure I had the firewall on (I don't think I would have had the firewall off on an XP computer directly connected to the net)  I think I only had to allow incoming ICMP so I could create the tunnel.

I didn't read back through the thread, but did you try a brand new XP install with your setup?

I used a fresh install from a CD slipstreamed with SP2, and updated from MS Update.
A brand new XP (SP zero) would not help diagnose the question, since it wouldn't have the new windows firewall - nor even IPv6 installed by default.

I don't think the problem is to do with something special in this install. But reading again your previous messages,

Quote
  just connected directly to my internet router.

I wonder : were you NATting (IPv4) or not so ? IOW, in your experiment did that XP computer get the public IP from the ISP or did it get a private IPv4 address ? Notice how in my setting here, the XP comp gets a private 10.x.x.x addie from the Speedtouch ADSL "modem/router".  This might be the crucial point... 

Sincere regards

--
Ninho
Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: cholzhauer on January 04, 2012, 04:58:30 AM
What about trying SP3?

No NAT whatsoever.  My "local area connection" had a public IP address.  The next hop was the router owned by the ISP and from there, out to the abyss.
Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: Ninho on January 04, 2012, 09:29:23 AM
Quote
What about trying SP3?

I am running SP3 and up-to-date with patches.

Quote
No NAT whatsoever.  My "local area connection" had a public IP address.  The next hop was the router owned by the ISP and from there, out to the abyss.

Yup, this is where your test did not reproduce my settings. I get the distinctive feeling, were I to connect directly to the public internet, the firewall would let traffic pass thru the HE tunnel.

By no means feel obliged, but if you get an opportunity to - and curiosity for - testing with a local NAT, I'd be much interested. Anyone of you all, not just Carl, by the way ! That's Windows Firewall + NATted v4 LAN (the NAT should pass IP protocol 41 to the Windows computer of interest.) And maybe not just XP, who says this problem is fixed in Vista and above ?


--
Ninho
Title: Re: Win XP: Impossible to reconcile IPv6 with the Firewall ???
Post by: cholzhauer on January 06, 2012, 04:25:23 PM
Come to think of it, I did have a tunnel hosted on my home XP install a year or so ago.  I never really used it for anything because the machine isn't on much, but I do know it worked