Hello,
I can use my router to ping IPv6 websites over the Internet via an HE 6in4 tunnel.
I have also allocated a /48 prefix and set up two IPv6 subnets, one for a LAN and one for a DMZ.
(Prefixes)
LAN - 2001:470:bc0e:1::/64
DMZ - 2001:470:bc0e:2::/64
Internally to these subnets I have also assigned my router the following IPv6 addresses on the LAN and DMZ respectively:
LAN - 2001:470:bc0e:1::1/64
DMZ - 2001:470:bc0e:2::1/64
Within these subnets I have configured clients, a webserver on the DMZ and a Windows 7 box on the LAN:
Win7 (LAN) - (IPv6 Address Assigned by RADVD)
Linux Webserver (DMZ) - 2001:470:bc0e:2::250
Now, while I can indeed ping the address of the router from each of the machines on the subnet, it appears that I am unable to reach the external IPv6 Internet from the clients, even when trying to ping6 the address (not the domain) of a site like ipv6.google.com.
My first thought was that this had something to do with the routing tables on the clients, and I tried checking the default gateway via the ip -6 route list command:
user@dmz-host~$ ip -6 route list
2001:470:bc0e:2::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via 2001:470:bc0e:2::1 dev eth0 metric 1024
Which leads me to believe that maybe the router isn't forwarding my packets to the 6in4 tunnel...
I don't understand why this doesn't work. Does it have something to do with my firewall, or the fact that I'm using subnets within the /48 prefix?
Props for including all of your IP data in the first post :)
You might need to have a route on your router to forward the packets intended for your /48 network.
For example in my setup (Internet --- Tunnel Router --- Firewall) I have a rule on my Tunnel Router that forwards all traffic intended for my /48 at the outside interface of my firewall. Can you sketch a quick diagram of what your setup looks like?
Sure,
I'm a bit hazy on how to go about representing tunnels in my drawing, but, um, here is my best shot at it:
(http://i9.photobucket.com/albums/a58/Maskkkk/2011-12-02_14-40-56.png)
And here's the ifconfig output from the router if that will clear up my lack of tunnel drawing ability...
br-lan Link encap:Ethernet HWaddr 00:24:A5:D8:53:95
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: 2001:470:bc0e:1::1/64 Scope:Global
inet6 addr: fe80::224:a5ff:fed8:5395/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:187 errors:0 dropped:0 overruns:0 frame:0
TX packets:124 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:28299 (27.6 KiB) TX bytes:29273 (28.5 KiB)
eth0 Link encap:Ethernet HWaddr 00:24:A5:D8:53:95
inet6 addr: fe80::224:a5ff:fed8:5395/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:32846 errors:0 dropped:0 overruns:0 frame:0
TX packets:33387 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5570104 (5.3 MiB) TX bytes:20064722 (19.1 MiB)
Interrupt:4
eth0.1 Link encap:Ethernet HWaddr 00:24:A5:D8:53:95
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:31319 errors:0 dropped:0 overruns:0 frame:0
TX packets:32174 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4985054 (4.7 MiB) TX bytes:19954470 (19.0 MiB)
eth0.2 Link encap:Ethernet HWaddr 00:24:A5:D8:53:95
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: 2001:470:bc0e:2::1/64 Scope:Global
inet6 addr: fe80::224:a5ff:fed8:5395/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1379 errors:0 dropped:0 overruns:0 frame:0
TX packets:1196 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:113801 (111.1 KiB) TX bytes:107884 (105.3 KiB)
eth1 Link encap:Ethernet HWaddr 00:24:A5:D8:53:96
inet6 addr: fe80::224:a5ff:fed8:5396/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:24173 errors:0 dropped:0 overruns:0 frame:0
TX packets:20012 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14620426 (13.9 MiB) TX bytes:3046484 (2.9 MiB)
Interrupt:5
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:162 errors:0 dropped:0 overruns:0 frame:0
TX packets:162 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:12634 (12.3 KiB) TX bytes:12634 (12.3 KiB)
mon.wlan0 Link encap:UNSPEC HWaddr 00-24-A5-D8-53-95-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:296 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:57024 (55.6 KiB) TX bytes:0 (0.0 B)
pppoe-wan Link encap:Point-to-Point Protocol
inet addr:xxx.xxx.xxx.xxx P-t-P:10.7.49.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:50 errors:0 dropped:0 overruns:0 frame:0
TX packets:64 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:12968 (12.6 KiB) TX bytes:13814 (13.4 KiB)
wlan0 Link encap:Ethernet HWaddr 00:24:A5:D8:53:95
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:53 errors:0 dropped:0 overruns:0 frame:0
TX packets:70 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9497 (9.2 KiB) TX bytes:13004 (12.6 KiB)
Well, I take that back. I just tried to ping and it worked perfectly:
C:\Users\cholzhauer>ping 2001:470:bc0e:1::1
Pinging 2001:470:bc0e:1::1 with 32 bytes of data:
Reply from 2001:470:bc0e:1::1: time=155ms
Reply from 2001:470:bc0e:1::1: time=154ms
Reply from 2001:470:bc0e:1::1: time=156ms
Reply from 2001:470:bc0e:1::1: time=157ms
Ping statistics for 2001:470:bc0e:1::1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 154ms, Maximum = 157ms, Average = 155ms
C:\Users\cholzhauer>ping 2001:470:bc0e:2::1
Pinging 2001:470:bc0e:2::1 with 32 bytes of data:
Reply from 2001:470:bc0e:2::1: time=155ms
Reply from 2001:470:bc0e:2::1: time=155ms
Reply from 2001:470:bc0e:2::1: time=154ms
Reply from 2001:470:bc0e:2::1: time=154ms
Ping statistics for 2001:470:bc0e:2::1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 154ms, Maximum = 155ms, Average = 154ms
Are both the DMZ and LAN not working?
No, they work insofar as the packets get to the router, but anything beyond the router, you can just forget it...
See example a:
user@dmzHost:~$ tracert6 2620:0:1cfe:face:b00c::3
traceroute to 2620:0:1cfe:face:b00c::3 (2620:0:1cfe:face:b00c::3) from 2001:470:bc0e:2::250, 30 hops max, 60 bytes packets
1 2001:470:bc0e:2::1 (2001:470:bc0e:2::1) 9.108 ms 0.416 ms 0.690 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
26% completed...
Now if I try to ping anything from the router, that's another story...
root@OpenWrt:~# ping6 www.v6.facebook.com
PING www.v6.facebook.com (2620:0:1cfe:face:b00c::3): 56 data bytes
64 bytes from 2620:0:1cfe:face:b00c::3: seq=0 ttl=49 time=183.879 ms
64 bytes from 2620:0:1cfe:face:b00c::3: seq=1 ttl=49 time=184.513 ms
64 bytes from 2620:0:1cfe:face:b00c::3: seq=2 ttl=49 time=184.249 ms
^C64 bytes from 2620:0:1cfe:face:b00c::3: seq=3 ttl=49 time=183.980 ms
64 bytes from 2620:0:1cfe:face:b00c::3: seq=4 ttl=49 time=184.189 ms
64 bytes from 2620:0:1cfe:face:b00c::3: seq=5 ttl=49 time=184.188 ms
64 bytes from 2620:0:1cfe:face:b00c::3: seq=6 ttl=49 time=183.911 ms
^C
--- www.v6.facebook.com ping statistics ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 183.879/184.129/184.513 ms
root@OpenWrt:~#
Hmm... something isn't making sense. From what I can tell, you have IPv6 addresses on all interfaces of your router.
There's a br-lan; should there be a br-dmz?
Do I need to add routes?
Is the router running Linux as well? What is in /proc/sys/net/ipv6/conf/*/forwarding?
Yes, the router is running OpenWRT Backfire.
I believe I remember changing the forwarding setting in accordance with the OpenWRT Wiki page about IPv6 (http://wiki.openwrt.org/doc/howto/ipv6#enable.routing.in.backfire).
Here is my cat of /proc/sys/net/ipv6/conf/*/forwarding:
/proc/sys/net/ipv6/conf/6in4-henet/forwarding 2
/proc/sys/net/ipv6/conf/all/forwarding 1
/proc/sys/net/ipv6/conf/br-lan/forwarding 2
/proc/sys/net/ipv6/conf/default/forwarding 1
/proc/sys/net/ipv6/conf/eth0.1/forwarding 1
/proc/sys/net/ipv6/conf/eth0.2/forwarding 2
/proc/sys/net/ipv6/conf/eth0/forwarding 1
/proc/sys/net/ipv6/conf/eth1/forwarding 1
/proc/sys/net/ipv6/conf/lo/forwarding 2
/proc/sys/net/ipv6/conf/mon.wlan0/forwarding 1
/proc/sys/net/ipv6/conf/pppoe-wan/forwarding 2
/proc/sys/net/ipv6/conf/sit0/forwarding 1
/proc/sys/net/ipv6/conf/wlan0/forwarding 1
Most of them are 1's but a few are zeros.
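The two router-side checks raised in this thread (the forwarding flags and the firewall question from the first post), as an added example that is not part of any poster's message. The function names and the sample input are constructed for illustration, and the script only parses text that is fed to it.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# Interfaces whose IPv6 forwarding flag is 0. Input: "path value" or
# "path:value" lines, e.g. from: grep . /proc/sys/net/ipv6/conf/*/forwarding
forwarding_off() {
    awk -F'[: ]+' 'NF >= 2 && $2 == 0 { n = split($1, p, "/"); print p[n - 1] }'
}

# Default policy of the FORWARD chain. Input: output of `ip6tables -S FORWARD`.
forward_policy() {
    awk '$1 == "-P" && $2 == "FORWARD" { print $3 }'
}

# One finding per check.
# $1 = file holding the forwarding dump, $2 = file holding the ip6tables -S dump.
triage() {
    off=$(forwarding_off < "$1" | tr '\n' ' ')
    case " $off" in
        *" all "*) echo "FAIL global forwarding (conf/all) is 0" ;;
        " ")       echo "OK   forwarding enabled on every listed interface" ;;
        *)         echo "WARN forwarding is 0 on: ${off% }" ;;
    esac
    pol=$(forward_policy < "$2")
    rules=$(awk '/^-A FORWARD/ { c++ } END { print c + 0 }' "$2")
    if [ "$pol" = "DROP" ] && [ "$rules" -eq 0 ]; then
        echo "FAIL FORWARD policy is DROP and the chain has no rules"
    else
        echo "INFO FORWARD policy=$pol rules=$rules"
    fi
}

# Constructed sample: one interface with forwarding off, empty DROP chain.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '/proc/sys/net/ipv6/conf/all/forwarding 1' \
        '/proc/sys/net/ipv6/conf/br-lan/forwarding 1' \
        '/proc/sys/net/ipv6/conf/eth1/forwarding 0' > "$d/fwd"
    printf '%s\n' '-P FORWARD DROP' > "$d/rules"
    triage "$d/fwd" "$d/rules"
    rm -rf "$d"
}
demo
```

On the router itself, save the output of `grep . /proc/sys/net/ipv6/conf/*/forwarding` and `ip6tables -S FORWARD` to two files and pass them to `triage`. A DROP policy on FORWARD is a sound default for a router with a DMZ; the check only flags the case where nothing at all is allowed through.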