Hurricane Electric's IPv6 Tunnel Broker Forums

I've set up a tunnel on tserv9.chi1 for use with an ipv4-only VM host provider and I'm unable to connect to any sites.

Here is the configure script as given by the website:

modprobe ipv6
ip tunnel add he-ipv6 mode sit remote 209.51.181.2 local 96.x.x.x ttl 255
ip link set he-ipv6 up
ip addr add 2001:470:1f10:a13::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr


Here are the relevant details of my network config:


root@host:~# ip tunnel show
he-ipv6: ipv6/ip  remote 209.51.181.2  local 96.x.x.x  ttl 255  6rd-prefix 2002::/16
sit0: ipv6/ip  remote any  local any  ttl 64  nopmtudisc 6rd-prefix 2002::/16

root@migrationtest:~# ip -6 route show
2001:470:1f10:a13::/64 via :: dev he-ipv6  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256
fe80::/64 via :: dev he-ipv6  proto kernel  metric 256
default dev he-ipv6  metric 1024

root@host:~# ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::216:3eff:fe7f:56b5/64 scope link
       valid_lft forever preferred_lft forever
4: he-ipv6: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480
    inet6 2001:470:1f10:a13::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::6008:7814/128 scope link
       valid_lft forever preferred_lft forever

root@host:~# ip -6 link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:16:3e:7f:56:b5 brd ff:ff:ff:ff:ff:ff
3: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0
4: he-ipv6: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
    link/sit 96.x.x.x peer 209.51.181.2


I'm able to ping the tunnel endpoints and the he.net provided dns server:

root@host:~# ping 209.51.181.2
PING 209.51.181.2 (209.51.181.2) 56(84) bytes of data.
64 bytes from 209.51.181.2: icmp_req=1 ttl=55 time=2.10 ms
64 bytes from 209.51.181.2: icmp_req=2 ttl=55 time=2.44 ms
64 bytes from 209.51.181.2: icmp_req=3 ttl=55 time=2.54 ms
^C
--- 209.51.181.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 2.105/2.366/2.548/0.189 ms

root@host:~# ping6 2001:470:1f10:a13::1
PING 2001:470:1f10:a13::1(2001:470:1f10:a13::1) 56 data bytes
64 bytes from 2001:470:1f10:a13::1: icmp_seq=1 ttl=64 time=3.04 ms
64 bytes from 2001:470:1f10:a13::1: icmp_seq=2 ttl=64 time=2.22 ms
^C
--- 2001:470:1f10:a13::1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 2.224/2.634/3.044/0.410 ms

root@host:~# ping6 2001:470:20::2
PING 2001:470:20::2(2001:470:20::2) 56 data bytes
64 bytes from 2001:470:20::2: icmp_seq=1 ttl=64 time=3.24 ms
64 bytes from 2001:470:20::2: icmp_seq=2 ttl=64 time=2.59 ms
^C
--- 2001:470:20::2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 2.596/2.920/3.244/0.324 ms


However, I can't ping any ipv6 sites:

root@host:~# ping6 www.google.com
PING www.google.com(den03s06-in-x10.1e100.net) 56 data bytes
^C
--- www.google.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1008ms


Here is a traceroute from another ipv6 enabled host:


$ traceroute6 2001:470:1f10:a13::2
traceroute to 2001:470:1f10:a13::2 (2001:470:1f10:a13::2) from 2001:470:1f0f:1082:45c7:cf3f:aa0:a6bb, 30 hops max, 24 byte packets
1  2001:470:1f0f:1082:0:c0c1:c017:7c14 (2001:470:1f0f:1082:0:c0c1:c017:7c14)  0.626 ms  0.952 ms  1.069 ms
2  alyandon-1.tunnel.tserv8.dal1.ipv6.he.net (2001:470:1f0e:1082::1)  29.538 ms  31.27 ms  24.967 ms
3  gige-g2-14.core1.dal1.he.net (2001:470:0:78::1)  20.998 ms  27.859 ms  19.485 ms
4  10gigabitethernet4-4.core1.chi1.he.net (2001:470:0:1bb::2)  70.556 ms  45.64 ms  82.973 ms
5  tserv1.chi1.he.net (2001:470:0:6e::2)  50.111 ms  47.181 ms  48.498 ms
6  tserv1.chi1.he.net (2001:470:0:6e::2)  47.531 ms !H  55.061 ms !H  61.668 ms !H

$ traceroute6 2001:470:1f10:a13::1
traceroute to 2001:470:1f10:a13::1 (2001:470:1f10:a13::1) from 2001:470:1f0f:1082:45c7:cf3f:aa0:a6bb, 30 hops max, 24 byte packets
1  2001:470:1f0f:1082:0:c0c1:c017:7c14 (2001:470:1f0f:1082:0:c0c1:c017:7c14)  0.696 ms  0.483 ms  0.688 ms
2  alyandon-1.tunnel.tserv8.dal1.ipv6.he.net (2001:470:1f0e:1082::1)  63.331 ms  23.066 ms  24.953 ms
3  gige-g2-14.core1.dal1.he.net (2001:470:0:78::1)  28.618 ms  21.332 ms  21.449 ms
4  10gigabitethernet4-4.core1.chi1.he.net (2001:470:0:1bb::2)  48.453 ms  44.173 ms  48.451 ms
5  alyandon-2.tunnel.tserv9.chi1.ipv6.he.net (2001:470:1f10:a13::1)  43.465 ms  48.505 ms  47.246 ms


The tunnel at least appears to be up but it seems to not actually be routing my outgoing traffic.  I've flushed the chains on iptables and ip6tables and configured the default policy to ACCEPT for all chains while I'm trying to troubleshoot this.

Anyone have any ideas?

This has been resolved via trouble ticket.  A great thanks to HE.net and the free service they are providing!