Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Routing Platforms => Topic started by: mattwilson9090 on April 01, 2012, 02:08:38 AM

Title: Port Forwarding on Toastman (Tomato)
Post by: mattwilson9090 on April 01, 2012, 02:08:38 AM
I'm trying to work my way through HE's certification program but find myself stumped almost at the beginning. Basically I need to create an IPv6 reachable website, and put a file up there that can be retrieved. I think my problem is either a configuration issue, or some sort of flaw with the Toastman firmware I'm using on my router.

My HE tunnel has been up and functional for some time, and I do have IPv6 connectivity both internally and externally. I do have an AAAA record for the website I'm trying to access. When I try to reach the website via IPv6 from one of my internal computers it works, presumably because after the AAAA returns the address the computer "realizes" the address is on the local LAN, so it never needs to go out on the internet. When I run HE's IPv6 Portscan it reports that the address is up, but doesn't specify what ports it found. The address I'm using isn't being used by anything else on the webserver, and the address/port combination is the only thing I have opened in the firmware. When I temporarily opened a corresponding IPv4 with an A record I was able to reach the site so I think the server OS and webserver are configured properly.

All of which leads me to suspect that I've got IPv6 port forwarding on the Toastman configured improperly.

A quick overview of my configuration is that my perimeter is guarded by a Calyptix Access Enforcer 500 which is providing only IPv6 services. I've got my tunnel terminated on a WRT54G-TM router running Toastman firmware that had been reconfigured as a WiFi Access Point, with WAN/Internet disabled and WAN port used for the LAN. (As I'm typing this I realized this may be my problem area). My HE Tunnel is terminated on this Toastman device. The server itself is Windows Server 2008 R2. It was specifically built for this, so it's not doing anything else. The webserver is IIS 7. Like I said it responds properly from within the network on IPv6, and responds from within and external to the network on IPv4.

In the IPv6 Port Forwarding section I only have one mapping created. Protocol is set to both, Src Address is blank, Dest Address is 2001:470:d:10bb::80, and Dest Ports is 80.

The address I'm using is from my /64, and like I said Nmap is reporting it up, but without any details as to which port responded. The AAAA record for the site is pointing to that address, and ping -6 from within the network returns that address and gets me to the site internally.

The only conclusion I'm left with after looking at everything is that I'm either doing something wrong with the port forwarding or there is some sort of problem with the firmware itself. As I'm typing this I'm starting to wonder if disabling WAN/Internet is my problem, but I'm not sure since I think that only applies to IPv4, and anyway, I am getting a response on Nmap.

Anyone have any thoughts or suggestions?

Title: Re: Port Forwarding on Toastman (Tomato)
Post by: cholzhauer on April 01, 2012, 06:57:14 AM
I'm able to ping from the outside with no issues...does it matter if you open up all ports (and not just 80) to that host?

It definitely seems like a firewall issue, especially because you say the site works internally

Title: Re: Port Forwarding on Toastman (Tomato)
Post by: mattwilson9090 on April 01, 2012, 10:30:09 AM
Thanks, that does help some.

You can ping it, but can you get there with your browser? I just set port forwarding to 1-65000 since there is no option for "all ports" and I can't remember the exact range of ports. There is a DMZ option, but it doesn't accept IPv6 addresses, only IPv4.

Ping tells me that ICMP traffic is getting through, which means my wondering about the WAN/Internet setting probably doesn't apply. Unfortunately ping doesn't tell me anything about traffic to specific ports. I really wish the Nmap report gave more detailed results.

I did look at the Windows Firewall and tweaked a setting there, but it didn't make a difference. BTW, in my earlier testing I had disabled the Windows firewall as well, so that's likely not the issue.

I doubt my Calyptix firewall is impacting this since the traffic is tunneled in Port 41, albeit unencrypted. I'll have to look deeper and see if I can control any settings concerning that.

If the issue is with Toastman I still have no clue as to where to look though.

Title: Re: Port Forwarding on Toastman (Tomato)
Post by: mattwilson9090 on April 01, 2012, 10:48:54 AM
Ok, I just reran and reread the nmap report.

"All 1000 scanned ports on (2001:470:d:10bb::80) are filtered" For some reason that part didn't sink into my brain. This does seem to reinforce even more strongly that I have a port forwarding issue, but everything seems to be configured properly.

Unless maybe I needed to have additional entries because this is a tunnel? That doesn't quite make sense, but I'm at the beating my head against the wall stage anyway.
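The distinction the nmap report is making is the useful diagnostic here: a "closed" port means the host answered with a RST (the path works, nothing is listening), while "filtered" means the SYN got no reply at all, which is what a firewall drop or a missing allow rule on the tunnel router produces. With end-to-end IPv6 there is no NAT, so an "IPv6 port forward" on such a router is really a firewall allow rule for forwarded traffic to that address and port. The following is an added example, not the poster's code and not part of Tomato/Toastman, that does a single TCP connect over IPv6 and classifies the outcome the way nmap does; the host, port and timeout values are assumptions for the demo.

```python
"""Probe one TCP port over IPv6 and report it as open / closed / filtered.

Added example for this thread (not the original poster's code and not part of
Tomato/Toastman firmware). The host, port and timeout values are assumptions.
"""
import errno
import socket

PORT_STATES = ("open", "closed", "filtered", "unreachable", "error")


def classify(exc):
    """Map the outcome of a connect() attempt to nmap-style port states.

    exc is None when the TCP handshake completed, otherwise the OSError raised.
    """
    if exc is None:
        return "open"
    # No SYN/ACK and no RST before the timeout: something dropped the packet
    # (firewall, missing forward/allow rule) -> nmap calls this "filtered".
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"
    # A RST came back: the host is reachable but nothing listens -> "closed".
    if isinstance(exc, ConnectionRefusedError):
        return "closed"
    # Routing failure reported locally (no route, host unreachable).
    if isinstance(exc, OSError) and exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
        return "unreachable"
    return "error"


def probe(host, port, timeout=3.0):
    """Attempt a full TCP handshake to [host]:port and classify the result.

    socket.create_connection() resolves the host with getaddrinfo, so an
    IPv6 literal such as "2001:db8::80" (documentation prefix, placeholder
    here) or a hostname with an AAAA record both work.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)


def demo():
    """Probe a port that is listening on ::1 and one where nothing listens.

    Returns a dict of label -> state. If the machine has no IPv6 loopback the
    dict records that instead of raising, so the example still runs.
    """
    results = {}
    try:
        listener = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        listener.bind(("::1", 0))          # ephemeral port chosen by the kernel
        listener.listen(1)                 # kernel completes handshakes for us
        open_port = listener.getsockname()[1]
        results["listening on ::1"] = probe("::1", open_port, timeout=2.0)

        # Reserve a second port, then close it so nobody listens there.
        spare = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        spare.bind(("::1", 0))
        closed_port = spare.getsockname()[1]
        spare.close()
        results["nothing listening on ::1"] = probe("::1", closed_port, timeout=2.0)
        listener.close()
    except OSError as exc:
        results["ipv6 loopback"] = "unavailable: %s" % exc
    return results


if __name__ == "__main__":
    for label, state in demo().items():
        print("%-28s %s" % (label, state))
    # Against the thread's server the interesting call would be e.g.
    # probe("2001:470:d:10bb::80", 80): "filtered" points at the router or
    # UTM, "closed" at the server's listener, "open" means the path is fine.
```

Running `probe()` from a host outside the tunnel (not from the LAN, where the poster already saw the site work) separates "the forward rule is not matching" from "the server is not answering" in one call, which is what the ping and portscan results could not do.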

Title: Re: Port Forwarding on Toastman (Tomato)
Post by: cholzhauer on April 01, 2012, 05:09:30 PM
Remember port != protocol

Anything beyond the tunnel router won't know that you're actually behind a tunnel

Title: Re: Port Forwarding on Toastman (Tomato)
Post by: mattwilson9090 on April 01, 2012, 05:13:35 PM
Yes, I'm aware that ports are not the same as protocols. I'm talking about getting port forwarding to work through the firmware on the router that is acting as my tunnel endpoint, *inside* a UTM firewall that is scanning and protecting my IPv4 traffic. So regardless of port or protocol that firewall is touching in some way the traffic bound for my tunnel endpoint.

Title: Re: Port Forwarding on Toastman (Tomato)
Post by: mattwilson9090 on April 03, 2012, 11:22:38 PM
Beating head against wall. Ok, I got it working. After considering all sorts of things, including considering changing firmware, I found a routing setting that I changed and it works correctly. My guess is that it's all related to my network configuration and no longer using this box as a router.