Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Linux & BSD & Mac => Topic started by: arader on June 17, 2012, 12:14:11 PM

Title: Can't ping tunnel endpoint, it doesn't look like packets are leaving the device?
Post by: arader on June 17, 2012, 12:14:11 PM
Hi guys

I'm trying to get my first IPv6 tunnel set up and I'm pretty much stuck at square one. I'm trying to build an OpenBSD 5.1 based router running on a Soekris 4801. After completing all of the setup steps, when I try to ping any IPv6 address (including the server's IPv6 endpoint address) I get 0 packets received.

My topology:
[  Internet  ] ---- [  (71.212.119.174)  Qwest DSL modem+router  (192.168.0.1) ]  ----  [  (192.168.0.2)  OpenBSD  ]
The Qwest router is pretty much an abomination, but it at least has a DMZ mode, so I enabled that for my OpenBSD box. I've also disabled PF just to make sure that's not causing any issues.

Before doing any tunnel configuration:

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c7:37:38
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::200:24ff:fec7:3738%sis0 prefixlen 64 scopeid 0x1
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
sis1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c7:37:39
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
sis2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c7:37:3a
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
        priority: 0
        groups: pflog


The example configuration for my tunnel:

ifconfig gif0 tunnel 71.212.119.174 72.52.104.74
ifconfig gif0 inet6 alias 2001:470:1f04:3dd::2 2001:470:1f04:3dd::1 prefixlen 128
route -n add -inet6 default 2001:470:1f04:3dd::1


and after adding the tunnel:

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c7:37:38
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::200:24ff:fec7:3738%sis0 prefixlen 64 scopeid 0x1
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
sis1: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c7:37:39
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
sis2: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c7:37:3a
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
        priority: 0
        groups: pflog
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        priority: 0
        groups: gif egress
        physical address inet 71.212.119.174 --> 72.52.104.74
        inet6 fe80::200:24ff:fec7:3738%gif0 ->  prefixlen 64 scopeid 0x7
        inet6 2001:470:1f04:3dd::2 -> 2001:470:1f04:3dd::1 prefixlen 128


and when I try to ping anything (in this case, tunnel endpoint):

# ping6 2001:470:1f04:3dd::1
PING6(56=40+8+8 bytes) 2001:470:1f04:3dd::2 --> 2001:470:1f04:3dd::1
^C
--- 2001:470:1f04:3dd::1 ping6 statistics ---
6 packets transmitted, 0 packets received, 100.0% packet loss


I've tried substituting my external ip address for 192.168.0.2 in the tunnel setup commands, with no effect.

I'm not positive, but I think my ICMP packets aren't even leaving the device. I've replicated the above setup in VirtualBox on my laptop, and when I watch the traffic through Wireshark I'm never seeing any ping requests when I ping an IPv6 address (IPv4 ping requests show up fine). Am I missing some crucial step here?

some extra info:


# route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.0.1        UGS        3      311     -     8 sis0
127/8              127.0.0.1          UGRS       0        0 33196     8 lo0
127.0.0.1          127.0.0.1          UH         2        0 33196     4 lo0
192.168.0/24       link#1             UC         2        0     -     4 sis0
192.168.0.1        50:67:f0:ef:88:34  UHLc       1       38     -     4 sis0
192.168.0.2        127.0.0.1          UGHS       0        0 33196     8 lo0
192.168.0.11       00:15:c5:86:cc:a2  UHLc       1      746     -     4 sis0
224/4              127.0.0.1          URS        0        0 33196     8 lo0

Internet6:
Destination                        Gateway                        Flags   Refs      Use   Mtu  Prio Iface
::/104                             ::1                            UGRS       0        0     -     8 lo0
::/96                              ::1                            UGRS       0        0     -     8 lo0
default                            2001:470:1f04:3dd::1           UGS        0        0     -     8 gif0
::1                                ::1                            UH        14        0 33196     4 lo0
::127.0.0.0/104                    ::1                            UGRS       0        0     -     8 lo0
::224.0.0.0/100                    ::1                            UGRS       0        0     -     8 lo0
::255.0.0.0/104                    ::1                            UGRS       0        0     -     8 lo0
::ffff:0.0.0.0/96                  ::1                            UGRS       0        0     -     8 lo0
2001:470:1f04:3dd::1               2001:470:1f04:3dd::2           UH         1       22     -     4 gif0
2001:470:1f04:3dd::2               link#7                         UHL        0        0     -     4 lo0
2001:470:1f05:3dd::/64             link#2                         C          0        0     -     4 sis1
2001:470:1f05:3dd::10              00:00:24:c7:37:39              HL         0        0     -     4 lo0
2002::/24                          ::1                            UGRS       0        0     -     8 lo0
2002:7f00::/24                     ::1                            UGRS       0        0     -     8 lo0
2002:e000::/20                     ::1                            UGRS       0        0     -     8 lo0
2002:ff00::/24                     ::1                            UGRS       0        0     -     8 lo0
fe80::/10                          ::1                            UGRS       0        0     -     8 lo0
fe80::%sis0/64                     link#1                         UC         0        0     -     4 sis0
fe80::200:24ff:fec7:3738%sis0      00:00:24:c7:37:38              UHL        0        0     -     4 lo0
fe80::%sis1/64                     link#2                         C          0        0     -     4 sis1
fe80::200:24ff:fec7:3739%sis1      00:00:24:c7:37:39              HL         0        0     -     4 lo0
fe80::%lo0/64                      fe80::1%lo0                    U          0        0     -     4 lo0
fe80::1%lo0                        link#5                         UHL        0        0     -     4 lo0
fe80::%gif0/64                     link#7                         UC         0        0     -     4 gif0
fe80::200:24ff:fec7:3738%gif0      link#7                         UHL        0        0     -     4 lo0
fec0::/10                          ::1                            UGRS       0        0     -     8 lo0
ff01::/16                          ::1                            UGRS       0        0     -     8 lo0
ff01::%sis0/32                     link#1                         UC         0        0     -     4 sis0
ff01::%sis1/32                     link#2                         C          0        0     -     4 sis1
ff01::%lo0/32                      fe80::1%lo0                    UC         0        0     -     4 lo0
ff01::%gif0/32                     link#7                         UC         0        0     -     4 gif0
ff02::/16                          ::1                            UGRS       0        0     -     8 lo0
ff02::%sis0/32                     link#1                         UC         0        0     -     4 sis0
ff02::%sis1/32                     link#2                         C          0        0     -     4 sis1
ff02::%lo0/32                      fe80::1%lo0                    UC         0        0     -     4 lo0
ff02::%gif0/32                     link#7                         UC         0        0     -     4 gif0



# cat /etc/sysctl.conf
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
net.inet6.ip6.forwarding=1      # 1=Permit forwarding (routing) of IPv6 packets
net.inet6.ip6.accept_rtadv=0    # 1=Permit IPv6 autoconf (forwarding must be 0)


Any thoughts? I'm up for trying anything at this point...
Title: Re: Can't ping tunnel endpoint, it doesn't look like packets are leaving the device?
Post by: cholzhauer on June 17, 2012, 12:43:41 PM
Since you're behind NAT, did you replace your public IP address with your NAT address when you issued the commands in OpenBSD?
Title: Re: Can't ping tunnel endpoint, it doesn't look like packets are leaving the device?
Post by: broquea on June 17, 2012, 12:45:39 PM
Replace 71.212.119.174 with 192.168.0.2 when creating your tunnel.
Title: Re: Can't ping tunnel endpoint, it doesn't look like packets are leaving the device?
Post by: arader on June 17, 2012, 03:54:04 PM
still no dice:


# ifconfig gif0 tunnel 192.168.0.2 72.52.104.74
# ifconfig gif0 inet6 alias 2001:470:1f04:3dd::2 2001:470:1f04:3dd::1 prefixlen 128
# route -n add -inet6 default 2001:470:1f04:3dd::1
add net default: gateway 2001:470:1f04:3dd::1

# ping6 2001:470:1f04:3dd::1
PING6(56=40+8+8 bytes) 2001:470:1f04:3dd::2 --> 2001:470:1f04:3dd::1
^C
--- 2001:470:1f04:3dd::1 ping6 statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss


I think the real question: why would Wireshark not see any ICMPv6 requests when running in a virtual machine? Is there additional configuration that I need to do that I'm missing?

Another example: if I run 'wget http://ipv6.google.com' I can see the DNS requests in wireshark, but nothing else. wget eventually times out because it can't connect.

So what would cause the IPv6 requests to never leave the machine?
Title: Re: Can't ping tunnel endpoint, it doesn't look like packets are leaving the device?
Post by: arader on July 02, 2012, 12:41:10 PM
A follow-up: I figured out the issue. Even in DMZ mode it appears my modem (a ZyXel PK5000z) wouldn't send proto41 to my DMZ host. My fix was to pick up a cheap Actiontec modem that supports transparent bridging and set up OpenBSD to handle PPPoE. This also has the benefit of my tunnel box getting direct access to the WAN IP, making it trivial to have a script that updates the tunnel endpoints if my IP changes.
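
Added example, not part of the original thread or any poster's code: a small Python classifier for the two failure modes discussed above, telling "IPv6 never leaves the host as IPv4 protocol 41" apart from "protocol 41 leaves but the NAT/modem returns nothing". It assumes raw IPv4 packets captured on the physical interface (for instance with a pcap filter such as `ip proto 41`); the helper names and the sample capture are constructed for illustration, using the addresses posted in the thread.

```python
import ipaddress
import struct

PROTO_6IN4 = 41  # IPv4 protocol number carrying encapsulated IPv6 (what gif0 emits)

def build_6in4(src4, dst4, src6, dst6, payload=b""):
    """Constructed test packet: IPv4 header (checksum left 0) wrapping an IPv6 header."""
    inner = struct.pack("!IHBB", 6 << 28, len(payload), 58, 64)  # next header 58 = ICMPv6
    inner += ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed + payload
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, PROTO_6IN4, 0)
    return outer + ipaddress.IPv4Address(src4).packed + ipaddress.IPv4Address(dst4).packed + inner

def parse_6in4(pkt):
    """Return outer/inner addresses of a 6in4 packet, or None if it is not protocol 41."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != PROTO_6IN4 or len(pkt) < ihl + 40 or pkt[ihl] >> 4 != 6:
        return None
    inner = pkt[ihl:]
    return {
        "src4": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst4": str(ipaddress.IPv4Address(pkt[16:20])),
        "src6": str(ipaddress.IPv6Address(inner[8:24])),
        "dst6": str(ipaddress.IPv6Address(inner[24:40])),
        "next_header": inner[6],
    }

def diagnose(packets, local4, remote4):
    """Classify a capture taken on the physical interface by protocol-41 direction."""
    sent = received = 0
    for p in filter(None, map(parse_6in4, packets)):
        if (p["src4"], p["dst4"]) == (local4, remote4):
            sent += 1
        elif (p["src4"], p["dst4"]) == (remote4, local4):
            received += 1
    if sent == 0:
        return "no protocol 41 leaving the host: check gif0 tunnel addresses and routes"
    if received == 0:
        return "protocol 41 leaves but nothing returns: upstream NAT/modem is not passing it"
    return "protocol 41 flows both ways"

# Constructed capture: three echo requests (ICMPv6 type 128) leave sis0, no replies arrive.
ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])
SAMPLE_CAPTURE = [build_6in4("192.168.0.2", "72.52.104.74",
                             "2001:470:1f04:3dd::2", "2001:470:1f04:3dd::1", ECHO)] * 3

if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE, "192.168.0.2", "72.52.104.74"))
```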