Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Linux & BSD & Mac => Topic started by: zhmhua on September 26, 2012, 07:16:01 PM

Title: why it just doesn't work?
Post by: zhmhua on September 26, 2012, 07:16:01 PM
My system is CentOS 6.2.

Firstly, I enabled ICMP and put my host in the DMZ (my router does not have a place to specify protocol 41).

I created my tunnel and followed the instructions:

Code:
me$ sudo ip tunnel add he-ipv6 mode sit remote 216.218.224.42 local 192.168.2.5 ttl 255
me$ sudo ip link set he-ipv6 up
me$ sudo ip addr add 2001:470:1f0e:1113::2/64 dev he-ipv6
me$ sudo ip route add ::/0 dev he-ipv6

And this is my ifconfig result:
Code:
he-ipv6   Link encap:IPv6-in-IPv4  
          inet6 addr: fe80::c0a8:205/128 Scope:Link
          inet6 addr: 2001:470:1f0e:1113::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1472  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3370 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:345224 (337.1 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:138 errors:0 dropped:0 overruns:0 frame:0
          TX packets:138 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13220 (12.9 KiB)  TX bytes:13220 (12.9 KiB)

wlan0     Link encap:Ethernet  HWaddr 00:1B:77:27:F7:9D  
          inet addr:192.168.2.5  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:77ff:fe27:f79d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
          RX packets:143822 errors:0 dropped:0 overruns:0 frame:0
          TX packets:99503 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:143461793 (136.8 MiB)  TX bytes:11951462 (11.3 MiB)

Everything seems OK until now, but...

Code:
me$ ping6 ipv6.google.com
PING ipv6.google.com(yx-in-x67.1e100.net) 56 data bytes

Here is the tcpdump record from when I was trying to ping6 Google:
Code:
me# tcpdump -i he-ipv6
tcpdump: WARNING: he-ipv6: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on he-ipv6, link-type RAW (Raw IP), capture size 65535 bytes
17:36:40.835081 IP6 zhmhua-1-pt.tunnel.tserv8.dal1.ipv6.he.net > yx-in-x68.1e100.net: ICMP6, echo request, seq 1, length 64
17:36:41.834629 IP6 zhmhua-1-pt.tunnel.tserv8.dal1.ipv6.he.net > yx-in-x68.1e100.net: ICMP6, echo request, seq 2, length 64
17:36:42.834605 IP6 zhmhua-1-pt.tunnel.tserv8.dal1.ipv6.he.net > yx-in-x68.1e100.net: ICMP6, echo request, seq 3, length 64
(repeat...)

I think the address was resolved successfully, but it is just not able to ping.
I have tried both the outside IP and the NAT IP; it made no difference.

Can you figure out what's wrong with my operation? Or do I need to present more diagnostic information?
Title: Re: why it just doesn't work?
Post by: cholzhauer on September 26, 2012, 07:35:43 PM
Your router is probably blocking protocol 41.
Title: Re: why it just doesn't work?
Post by: zhmhua on September 27, 2012, 10:18:41 AM
But I have put my host in the DMZ.

Your router is probably blocking protocol 41.
Title: Re: why it just doesn't work?
Post by: cholzhauer on September 27, 2012, 10:21:44 AM
That doesn't matter. Some routers/firewalls have a DMZ mode that's "broken" when it comes to protocol 41. The only thing you can do is try a packet capture and see what you can see.
Title: Re: why it just doesn't work?
Post by: zhmhua on September 27, 2012, 02:48:30 PM
I have updated the packet capture result from tcpdump, can you help me to see what the problem is?

That doesn't matter. Some routers/firewalls have a DMZ mode that's "broken" when it comes to protocol 41. The only thing you can do is try a packet capture and see what you can see.
Title: Re: why it just doesn't work?
Post by: broquea on September 27, 2012, 02:56:45 PM
If you don't see inbound Protocol 41 packets in your PCAP, that is the problem :)
Title: Re: why it just doesn't work?
Post by: zhmhua on September 27, 2012, 03:01:28 PM
Then can I have it solved?

If you don't see inbound Protocol 41 packets in your PCAP, that is the problem :)
Title: Re: why it just doesn't work?
Post by: broquea on September 27, 2012, 03:03:01 PM
Get a new router. Plenty of posts on here to find in a search that report routers that the tunnel can terminate on or behind. I terminated my HE tunnel on a D-Link DIR-825 until Comcast provided me with native IPv6.
Title: Re: why it just doesn't work?
Post by: nickbeee on September 29, 2012, 04:19:39 PM
Zhmhua, Please tell us what your router is that is doing the NAT. Even though you are in a DMZ you are still behind NAT and some NAT firewalls explicitly block protocol 41. So do some Wireless LAN controllers.

Is it a real PC or is it running in a virtual machine?

Take a tcpdump of the IPv4 interface that the tunnel terminates on, which appears to be wlan0. That's where the protocol-41 should be, not on the tunnel (IPv6) interface.
Code:
tcpdump -i wlan0
will probably be quite busy so you will need to filter it...
Code:
tcpdump -i wlan0 'proto 41'
will show only tunnel traffic.

If your interface complains about promiscuous mode because it's a wlan then try
Code:
tcpdump -p -i wlan0 'proto 41'
We are expecting to see outbound protocol-41 here.
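
Added example, not part of nickbeee's post or of the thread: a small shell helper that reads the text output of the protocol-41 capture suggested above (taken with `-n` so addresses are numeric) and reports whether tunnel packets are seen in both directions, which is the check broquea describes. The function name, the verdict words and the sample capture lines (including the 2001:db8::68 destination) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `tcpdump -n` text output taken on the IPv4 interface,
# e.g. the output of: tcpdump -n -p -i wlan0 'proto 41'

# classify_proto41 LOCAL_V4 SERVER_V4   (reads tcpdump lines on stdin)
# Prints "out=<n> in=<n> verdict=<word>".
classify_proto41() {
    awk -v l="$1" -v s="$2" '
        # 6in4 lines look like: <time> IP <src> > <dst>: IP6 <inner packet>
        $2 == "IP" && $4 == ">" && $6 == "IP6" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            if (src == l && dst == s) tx++        # host -> tunnel server
            else if (src == s && dst == l) rx++   # tunnel server -> host
        }
        END {
            if (tx > 0 && rx > 0) v = "tunnel-ok"
            else if (tx > 0)      v = "no-inbound"    # sent, nothing came back
            else if (rx > 0)      v = "no-outbound"
            else                  v = "no-proto41"    # nothing matched at all
            printf "out=%d in=%d verdict=%s\n", tx, rx, v
        }'
}

# Constructed sample: echo requests leave, no protocol-41 packet returns.
sample_blocked() {
    cat <<'EOF'
17:36:40.835081 IP 192.168.2.5 > 216.218.224.42: IP6 2001:470:1f0e:1113::2 > 2001:db8::68: ICMP6, echo request, seq 1, length 64
17:36:41.834629 IP 192.168.2.5 > 216.218.224.42: IP6 2001:470:1f0e:1113::2 > 2001:db8::68: ICMP6, echo request, seq 2, length 64
EOF
}

# Constructed sample: the same request with its reply arriving over the tunnel.
sample_working() {
    cat <<'EOF'
17:36:40.835081 IP 192.168.2.5 > 216.218.224.42: IP6 2001:470:1f0e:1113::2 > 2001:db8::68: ICMP6, echo request, seq 1, length 64
17:36:40.901377 IP 216.218.224.42 > 192.168.2.5: IP6 2001:db8::68 > 2001:470:1f0e:1113::2: ICMP6, echo reply, seq 1, length 64
EOF
}

sample_blocked | classify_proto41 192.168.2.5 216.218.224.42
sample_working | classify_proto41 192.168.2.5 216.218.224.42
```

On a live host, pipe the capture in directly, for example `tcpdump -n -l -p -i wlan0 -c 20 'proto 41' | classify_proto41 192.168.2.5 216.218.224.42`, using the local and remote addresses from the `ip tunnel add` command.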

Title: Re: why it just doesn't work?
Post by: zhmhua on October 09, 2012, 05:10:50 PM
I am sorry for the delay.
I am running on a real machine, and my router's brand is BELKIN. I don't fully understand what you mean by "is doing the NAT", but I have tried all the commands as you suggested, and no keyword 'proto 41' was found.

It's very kind of you, thank you.

Zhmhua, Please tell us what your router is that is doing the NAT. Even though you are in a DMZ you are still behind NAT and some NAT firewalls explicitly block protocol 41. So do some Wireless LAN controllers.

Is it a real PC or is it running in a virtual machine?

Take a tcpdump of the IPv4 interface that the tunnel terminates on, which appears to be wlan0. That's where the protocol-41 should be, not on the tunnel (IPv6) interface.
Code:
tcpdump -i wlan0
will probably be quite busy so you will need to filter it...
Code:
tcpdump -i wlan0 'proto 41'
will show only tunnel traffic.

If your interface complains about promiscuous mode because it's a wlan then try
Code:
tcpdump -p -i wlan0 'proto 41'
We are expecting to see outbound protocol-41 here.