Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 Basics & Questions & General Chatter => Topic started by: idjuric10 on December 21, 2012, 11:33:52 AM

Title: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 21, 2012, 11:33:52 AM
Hi, I'm having some trouble with setting up an IPv6 tunnel. Judging from the information you get from the Example Configuration you'd think that the process is simple and straight-forward, that you'd just need to copy and paste four commands:

Quote
netsh interface teredo set state disabled
netsh interface ipv6 add v6v4tunnel IP6Tunnel 79.101.74.9 216.66.80.30
netsh interface ipv6 add address IP6Tunnel 2001:470:1f0a:90e::2
netsh interface ipv6 add route ::/0 IP6Tunnel 2001:470:1f0a:90e::1

However, that doesn't work. Since I messed up I needed these commands to be able to start over:

Quote
netsh interface ipv6 delete interface IP6Tunnel
netsh interface ipv6 reset

After I found out I needed to use the IPv4 address I got with the ipconfig command instead of the 79.101.74.9 in my example, I pasted the commands again with that corrected.

Quote
netsh interface teredo set state disabled
netsh interface ipv6 add v6v4tunnel IP6Tunnel 192.168.1.2 216.66.80.30
netsh interface ipv6 add address IP6Tunnel 2001:470:1f0a:90e::2
netsh interface ipv6 add route ::/0 IP6Tunnel 2001:470:1f0a:90e::1

But it still won't work. After some asking around and reading these forums for a bit I found out that DMZ is often mentioned as the number one problem to why an IPv6 tunnel won't work. The router I'm using is Huawei HG 520s and the only mention of DMZ in the router settings that I seemed to find was this:

(http://i.imgur.com/60LYQ.png)

The SPI option was set to Disable so I tried enabling it even though I'm assuming that the description refers to the Enable option. Still won't work.

Apparently I should also try forwarding GRE and some other protocol, anyone know anything about that?

All help is greatly appreciated, thanks.

This was supposed to go to the IPv6 on Windows sub forum, hopefully a moderator will move it.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: nickbeee on December 21, 2012, 12:06:09 PM
Your Windows config should use the second option as you are behind a NAT.

I'm not familiar with that router but it sounds like it's blocking protocol 41 (http://en.wikipedia.org/wiki/6in4).
GRE (protocol 47) is not used in this case.

I had a quick look at a PDF manual, does yours have an option to set a FILTER? If so I suggest the following parameters:

Interface - whatever your WAN, likely PVC0
Direction - incoming
Type - tcp/ip
Source IP address - HE end of the tunnel 216.66.80.30
Subnet mask - 255.255.255.255 - only the one HE host address
Port number - 0
Protocol - This only has options for TCP/UDP/ICMP so try all three

No guarantee that this will work but there don't appear to be any other options on that router!
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 21, 2012, 02:09:27 PM
It does indeed have a Filter option, does this look about right?

(http://i.imgur.com/LrASv.png)

Unfortunately I tried all three options (TCP/UDP/ICMP), deleting and resetting the tunnel after trying out each one but it didn't seem make a difference. Any other thoughts?

Shouldn't I get an OK after inputting the second of the four commands if everything's working like it should? Because nothing comes out after I enter it.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 21, 2012, 05:03:05 PM
After some asking around and reading these forums for a bit I found out that DMZ is often mentioned as the number one problem to why an IPv6 tunnel won't work.
Any link to where you found such information?

I am not aware of any cases, where DMZ functionality would be the problem. On some routers, DMZ is the solution.

This was supposed to go to the IPv6 on Windows sub forum
I don't think so, because your question is about Huawei HG 520s, which I suppose doesn't run Windows. Looks like you did configure Windows correctly in your second attempt. My guess the router is the only reason it didn't work for you.

I tried all three options (TCP/UDP/ICMP)
None of them are applicable. There are more than a hundred protocol numbers defined, if that checkbox only lists three of them, then your router is a bit too limited.

A sensible router would have an option in that pulldown menu saying "Other". If you chose other, then port number fields would disappear and instead you would see a single protocol number field, in which you could type in 41.

Can you show us the full list of possible choices for "Filter Type" and for "Protocol"?

Though I suspect the filer functionality isn't going to help. I think it is for blocking traffic, which would otherwise be allowed through. In that case adding filters isn't going to make it work, but if you did get it working, adding a filter might break it again.

So try to browse through the menus on the router looking for something more usable. Three sorts of features you should look for on the router are:
If you don't find any of those three settings on the router, I am afraid you are going to need another router firmware to make it work.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 21, 2012, 11:56:27 PM
After some asking around and reading these forums for a bit I found out that DMZ is often mentioned as the number one problem to why an IPv6 tunnel won't work.
Any link to where you found such information?

I am not aware of any cases, where DMZ functionality would be the problem. On some routers, DMZ is the solution.

Yeah sorry, that's what I meant, as far as I understood DMZ should be one of the top things that should solve the problem most people have with not being able to get a working tunnel.

I tried all three options (TCP/UDP/ICMP)
None of them are applicable. There are more than a hundred protocol numbers defined, if that checkbox only lists three of them, then your router is a bit too limited.

A sensible router would have an option in that pulldown menu saying "Other". If you chose other, then port number fields would disappear and instead you would see a single protocol number field, in which you could type in 41.

Can you show us the full list of possible choices for "Filter Type" and for "Protocol"?

Of course:

(http://i.imgur.com/WedDI.png)

(http://i.imgur.com/NcX1s.png)

Though I suspect the filer functionality isn't going to help. I think it is for blocking traffic, which would otherwise be allowed through. In that case adding filters isn't going to make it work, but if you did get it working, adding a filter might break it again.

Makes sense, I guess that's probably the case.


So try to browse through the menus on the router looking for something more usable. Three sorts of features you should look for on the router are:
  • (port) forwarding
  • DMZ
  • IPv6 tunnel functionality (any page mentioning IPv6, 6to4, 6in4 or 6rd is interesting.)
If you don't find any of those three settings on the router, I am afraid you are going to need another router firmware to make it work.

Can't seem to find any of those unfortunately... Here are the available options:

(http://i.imgur.com/lAsF8.png) (http://i.imgur.com/oMInP.png) (http://i.imgur.com/dlx41.png)
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 22, 2012, 02:50:57 AM
Here are the available options
Can we get to see what options are available under NAT, IP Route, and Port Mapping?
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 22, 2012, 03:45:35 AM
(http://i.imgur.com/hvtSZ.png)

Don't know how I missed it, should've paid attention to the buttons too, good call!

After clicking on DMZ:

(http://i.imgur.com/hEab5.png)

And after clicking on Port Forwarding:

(http://i.imgur.com/v2epX.png)
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 22, 2012, 03:53:25 AM
After clicking on DMZ:

(http://i.imgur.com/hEab5.png)
Set it to enabled, and type in the LAN address of the Windows machine, where you are running the tunnel (192.168.1.2 according to your first post). Notice that this means that Windows machine will receive all traffic, which the router has no other place to send. So make sure that Windows machine is kept up to date with security fixes.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 22, 2012, 04:00:14 AM
Just did that, still won't work. The next thing to try should be Port Forwarding, right?
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 22, 2012, 04:14:39 AM
The next thing to try should be Port Forwarding, right?
Depends on what choices there is for the protocol.

My current guess is, your router is one of those, where DMZ is the only way to get it working. But we may need to fire up Wireshark or equivalent to see what is going on. I might be able to figure out something by probing your network with a few packets, but I don't have time at the moment.

If you don't get it working, you can try to leave it configured with the DMZ setting, which should work, then I'll find some time later to take another look.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 22, 2012, 04:19:50 AM
The options are TCP and UDP:

(http://i.imgur.com/r825O.png)

And back to the option I first tried that I mentioned in the first post:

(http://i.imgur.com/60LYQ.png)

Should it be enabled or disabled?
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 22, 2012, 02:32:09 PM
I tried traceroute towards your IP address using various kinds of packets. What I found was that I can do a traceroute to 79.101.74.9 using ICMP echo request. It responds to echo requests and I can see all hops in between.

If I do a traceroute using UDP packets or protocol 41 packets, I can see all hops until 212.200.15.66 (which according to the above traceroute is the next to last hop). But once the packets reach 79.101.74.9, they appear to be silently dropped.

The options are TCP and UDP
Then it is not applicable, since what you need to get through is not UDP or TCP, but rather protocol 41. So ignore the port forwarding section. The only forwarding you can use to get the tunnel through is the DMZ feature.

And back to the option I first tried that I mentioned in the first post:

(http://i.imgur.com/60LYQ.png)

Should it be enabled or disabled?
I think that should be disabled. If you set firewall to disabled is the SPI option still available, or does it get ghosted, once you disable firewall?
Title: Re: Need help with creating a working IPv6 tunnel
Post by: cholzhauer on December 22, 2012, 03:09:12 PM
My guess is your router is probably blocking protocol 41.  Can you use something like wireshark and look for packets to confirm/deny that?
Title: Re: Need help with creating a working IPv6 tunnel
Post by: snarked on December 22, 2012, 03:18:29 PM
General comment:  In all the screens, plus info at http://www.modemarea.com/2011/07/huawei-hg520s-router-specifications/, there is no hint that the router itself handles IPv6.  Although that doesn't mean conclusively that it won't pass protocol 41 (6in4), there does seem to be a corrolation between not doing so when IPv6 support is missing.

The manufacturer does mention IPv6 support on its web site (but not specifically for that device).  Their HG232f does claim to support IPv6.  I suspect that you have an older device that may not.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 22, 2012, 03:37:01 PM
And back to the option I first tried that I mentioned in the first post:

(http://i.imgur.com/60LYQ.png)

Should it be enabled or disabled?
I think that should be disabled. If you set firewall to disabled is the SPI option still available, or does it get ghosted, once you disable firewall?

It's still available even if I disable the firewall option... So I'll set SPI back to Disable, which was the default option.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 22, 2012, 04:02:37 PM
there is no hint that the router itself handles IPv6.  Although that doesn't mean conclusively that it won't pass protocol 41 (6in4), there does seem to be a corrolation between not doing so when IPv6 support is missing.
I have seen many routers with no IPv6 support, and a builtin DNS server which fails in spectacular ways, if it receives AAAA queries, but still capable of forwarding protocol 41 without a problem.

Some need a DMZ option to forward protocol 41 packets to a specific LAN IP. Others can handle protocol 41 in the default configuration by using connection tracking (which just assumes all packets with a particular protocol number + remote IP combination is a single connection).
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 22, 2012, 04:04:15 PM
It's still available even if I disable the firewall option... So I'll set SPI back to Disable, which was the default option.
If setting firewall to disabled, doesn't solve the problem, then we are going to need traffic dumps to make any further progress. Can you install Wireshark on that machine?
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 22, 2012, 11:20:39 PM
It's still available even if I disable the firewall option... So I'll set SPI back to Disable, which was the default option.
If setting firewall to disabled, doesn't solve the problem, then we are going to need traffic dumps to make any further progress. Can you install Wireshark on that machine?

Sure. Care to elaborate on what I need to do once it's installed since I don't have a lot of experience with using it?
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 23, 2012, 02:50:55 AM
Care to elaborate on what I need to do once it's installed since I don't have a lot of experience with using it?
You need to do a packet capture on the physical network interface that connects the computer to the router. In the Linux version I can start a capture by just starting Wireshark and then clicking on the name of the network interface. Probably it is about the same in Windows. But the naming of network interfaces is totally different, so I cannot tell you what name to look for in the list of network interfaces.

Then while the capture is running, try to do an IPv6 ping of any IPv6 address outside your own LAN.

Once you are done with that, you need to click the stop icon (it is the fourth icon on the list in the Wireshark version I have here). Then go to the "File" menu and choose "Save As".

If your computer is doing something else on the network connection, while you are running the capture, you may also need to use the filtering features in Wireshark. I recommend you avoid doing a lot of unrelated stuff on the network connection, while running Wireshark, such that you won't need the filtering.

I am leaving a traceroute to 2001:470:1f0a:90e::2 running until you have done the packet captures, that way we can also see if any packets from me make it through your router.

Additionally, I'd like to have you check again that the router is showing the expected IPv4 address on the WAN interface. I guess you find that under "Status" or under "Basic", "WAN Setting".
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 23, 2012, 03:23:48 AM
OK, here's the file, hopefully I did everything correctly:

http://www46.zippyshare.com/v/80457274/file.html

Additionally, I'd like to have you check again that the router is showing the expected IPv4 address on the WAN interface. I guess you find that under "Status" or under "Basic", "WAN Setting".

(http://i.imgur.com/v05X9.png)
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 23, 2012, 04:12:52 AM
OK, here's the file, hopefully I did everything correctly
When looking in the file, I do see the IPv6 echo requests going from your computer to the router. I do not see anything coming back, no errors, no responses. I'll think about the next step in debugging and reply later (maybe today, maybe another day).

Notice that you can attach files directly in this forum. There is no need to use third party sites for such attachments. And that particular site you uploaded the file to looked a bit fishy. It was difficult to find the correct download link due to the download links to various exe files all over the page.

Additionally, I'd like to have you check again that the router is showing the expected IPv4 address on the WAN interface. I guess you find that under "Status" or under "Basic", "WAN Setting".

(http://i.imgur.com/v05X9.png)
Four virtual interfaces with two IPs. I am wondering what criteria the router use to choose between them. Also the IP seen there is different from the one you mentioned earlier.

Does that mean your public IP is dynamic and it changed since your first post? Or is your router actually using the RFC 1918 address and going through another layer of NAT with the previously mentioned IP address being the public IP address of the other NAT?

If the problem was just that the IP had changed and you didn't get it updated on the tunnel server, then the packet trace you uploaded should have shown ICMP errors from the tunnel server, but there were no such errors in the trace.

If you look on each of your posts in this thread, then in the lower right corner you can see, which IP you posted from. Can you tell us, what is showing up there?
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 23, 2012, 04:49:15 AM
Sorry about that, I'll use the attach option on the forum next time.

Entering ipconfig now gives me the same ip address as before:

(http://i.imgur.com/A35Un.png)

(http://i.imgur.com/cVCy2.png)

178.223.27.71 is showing in the bottom right corner.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 23, 2012, 05:20:13 AM
Entering ipconfig now gives me the same ip address as before
That's the LAN address. That one is not very likely to change.

178.223.27.71 is showing in the bottom right corner.
Also on the first post, where you mentioned the IP address 79.101.74.9?

Which IP address is specified on the tunnel configuration page on tunnelbroker.net?
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 23, 2012, 05:25:24 AM
77.46.208.16 is in the bottom right corner of my first post and all the others on the first page except the last one which has 178.223.27.71.

The address I quoted in the first post is the one I copied from the Tunnel Details page:

(http://i.imgur.com/LvBrv.png)

I was told that I was supposed to replace that with my LAN IP address, 192.168.1.2, which I did.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 23, 2012, 05:39:02 AM
77.46.208.16 is in the bottom right corner of my first post and all the others on the first page except the last one which has 178.223.27.71.
So it sounds like you have a dynamic IPv4 address on the WAN side of your router. And it changed at least twice during the time you tried to set up the tunnel. Did you power off or restart the router during this period?

I was told that I was supposed to replace that with my LAN IP address, 192.168.1.2, which I did.
That's correct. When running the tunnel endpoint behind a NAT, the tunnel endpoint only needs to know the IP on the LAN, not the WAN address of the router.

The tunnel server OTOH does need to know the WAN address of your router. That means each time it changes, you need to go to tunnelbroker.net and update the tunnel configuration with the new WAN address of your router. There are ways to automate that, but I think you should wait with the configuration of that until you manage to get at least a single IPv6 ping response through the tunnel.

Until then use the tunnelbroker.net web interface to manually update the WAN address of your router, and try to keep your router online continuously, such that it doesn't change IP address so frequently.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 23, 2012, 05:52:19 AM
Someone else in the house probably restarted the router. I was wondering if I needed to do that anyway after making an adjustment in the settings in order for it to work but I guess I shouldn't do that as my IP address will change.

(http://i.imgur.com/lKRiD.png)

This is where I'm supposed to change it, right? Then why am I getting this message when the firewall is currently set to disabled in the router settings?
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 23, 2012, 03:38:45 PM
This is where I'm supposed to change it, right?
Yes.

Then why am I getting this message when the firewall is currently set to disabled in the router settings?
I don't get any response when I try to ping 178.223.27.71, so the report from tunnelbroker.net is correct. I don't know why your router doesn't respond to echo requests, when you have disabled the firewall.

I can only suggest you try all four possible combinations of the firewall and SPI settings to see if any of them permits pinging your router.

It is possible the DMZ feature is implemented in such a way that when you enable DMZ the echo requests are also forwarded from the router to the Windows box, and you have a firewall on the Windows box blocking echo requests. If this is the case, then running Wireshark while trying to update the IP address should reveal the echo requests coming through to the Windows box and not being replied to.

Though if that is really the case, then the router should still have been visible as a hop on a traceroute to your IP. So I should have seen 178.223.27.71 as a hop on the route, but not the last one. And then packets getting dropped past that.

So it would require the DMZ feature to not only forward ICMP requests to the Windows box, but also do it without proper decreasing the TTL value. It is a possible explanation, router firmwares are rarely known for their excellent quality.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 23, 2012, 11:41:08 PM
Tried all four combinations of the firewall and SPI settings, got the error message every time. Set the DMZ option back to disabled and:

(http://i.imgur.com/CBwSU.png)

So what now?
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 24, 2012, 03:07:27 AM
Tried all four combinations of the firewall and SPI settings, got the error message every time. Set the DMZ option back to disabled and:
That leaves two possible explanations. Either they thought it was a good idea to have the DMZ feature forward echo requests to the LAN IP without even decreasing TTL, and something is filtering the echo requests on the LAN side. Or the DMZ feature in this router is just very broken.

There are still some possibilities left. It may be that after your WAN IPv4 address changes, you need to perform the following steps:That's more step than one would like to have to do each time the IPv4 address changes, but before we try to get that process simplified, let's figure out if those steps will actually get the tunnel working.

You have done the first two steps, so the next step would be to enable DMZ again. The IPv4 update page only requires you to respond to ICMP echo request for long enough to update the IP. Once it has been updated, it will stay with that setting, even if it stops responding to ICMP echo requests again.

So enable DMZ. And repeat the experiment from http://www.tunnelbroker.net/forums/index.php?topic=2747.msg16106#msg16106
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 24, 2012, 07:18:12 AM
I enabled DMZ and wanted to start up Wire Shark but now I get this message:

(http://i.imgur.com/W7bFV.png)

Re-installed WinPcap, should be OK now. I attached the file below.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 24, 2012, 05:05:23 PM
I enabled DMZ and wanted to start up Wire Shark but now I get this message
No idea how that happened. Looks like it is Windows specific. I don't think that could happen with the Linux version of Wireshark. And I don't think this in any way is related to the DMZ feature on the router.

Re-installed WinPcap, should be OK now.
I hope you won't need to do that often. Sounds annoying.

I attached the file below.
Packets from Windows machine to tunnel server are still looking good. But you are still getting nothing back. There are no replies or error messages. You are also not getting any ICMPv6 messages from the traceroute commands I am running towards 2001:470:1f0a:90e::2.

So it really looks like packets are not making it through your router to your Windows machine. We don't know if the packets from your Windows machine are making it through the router to the tunnel server. They may be making it through just fine, and the problem might only be the responses not getting back.

So we need to take another look to see if any filtering is happening. Does the filtering page on the router currently list any filters? I think you shouldn't have any filters, and I think the firewall should be set to disabled. I don't know if SPI should be set to enabled or disabled.

I set up a couple of address you can try to ping such that we can find out, if packets from your computer are making it out through your router.
2001:470:1f0b:1da2:a848:bd8e:c71b:28fe
2002:5634:7905:727a:dbf9:80df:51fc:a85f
I'll be able to see if your echo requests reaches either of those two addresses. You can also try to use my IPv4 address 86.52.121.5 instead of specifying the IP address of the tunnel server. That means the netsh command would read
Code: [Select]
netsh interface ipv6 add v6v4tunnel IP6Tunnel 192.168.1.2 86.52.121.5That's obviously just for testing. I am not running a tunnel server, but you can send packets directly that way in order to reach the two IPv6 addresses I mentioned.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 24, 2012, 11:17:21 PM
No filters, firewall is disabled, SPI is disabled.

(http://i46.tinypic.com/2n0vo2f.png)

It's the same even after deleting the tunnel with:

Quote
netsh interface ipv6 delete interface IP6Tunnel
netsh interface ipv6 reset

and using:

Quote
netsh interface ipv6 add v6v4tunnel IP6Tunnel 192.168.1.2 86.52.121.5
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 25, 2012, 01:30:10 AM
It's the same even after deleting the tunnel with:

Quote
netsh interface ipv6 delete interface IP6Tunnel
netsh interface ipv6 reset

and using:

Quote
netsh interface ipv6 add v6v4tunnel IP6Tunnel 192.168.1.2 86.52.121.5
But this time I can see, that the ICMP echo requests that you send actually made it through to me:
Code: [Select]
Received echo request from 2001:470:1f0a:90e::2 via 178.223.56.238 to 2001:470:1f0b:1da2:a848:bd8e:c71b:28fe ttl=112 len=32
Received echo request from 2001:470:1f0a:90e::2 via 178.223.56.238 to 2001:470:1f0b:1da2:a848:bd8e:c71b:28fe ttl=112 len=32
Received echo request from 2001:470:1f0a:90e::2 via 178.223.56.238 to 2001:470:1f0b:1da2:a848:bd8e:c71b:28fe ttl=112 len=32
Received echo request from 2001:470:1f0a:90e::2 via 178.223.56.238 to 2001:470:1f0b:1da2:a848:bd8e:c71b:28fe ttl=112 len=32
But this also reveals, that your IPv4 address changed again.

Can you try to repeat the experiment but this time try pinging all of these IPv6 addresses:
2001:470:1f0b:1da2:161c:67c3:678a:2837
2001:470:1f0b:1da2:a848:bd8e:c71b:28fe
2002:5634:7905:525a:73af:e547:8d21:8bab
2002:5634:7905:727a:dbf9:80df:51fc:a85f
And let me know which of the four you get a reply from. And while testing, you should still be using 86.52.121.5 rather than the real tunnel server.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 25, 2012, 02:20:58 AM
Yep, looking at my above post the IP address in the bottom right corner is 178.223.56.238 but I don't think anyone in the house restarted the router so I don't know why it changed.

Tried pinging all four addresses, didn't get a reply from any of them...

(http://i.imgur.com/apuED.png)

(http://i.imgur.com/Uuh3K.png)
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 25, 2012, 03:07:09 AM
Tried pinging all four addresses, didn't get a reply from any of them...
In all four cases the echo request reached me. And I am almost certain the echo reply made it all the way back to your router in at least two of the cases. So I think your router is blocking all protocol 41 packets arriving from the Internet, even when they are replies to packets you have send.

I think you should repeat the above experiment with different combinations of SPI and DMZ enabled and disabled to see if any combination works. From the above list 2001:470:1f0b:1da2:161c:67c3:678a:2837 is the one which has the best chance of getting a reply through.

But I am starting to think it just isn't possible to get it to work with your router firmware. Maybe you can find a firmware update for your router, which can help.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 25, 2012, 05:51:57 AM
Tried pinging 2001:470:1f0b:1da2:161c:67c3:678a:2837 with all four combinations but none worked.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 25, 2012, 02:02:10 PM
Tried pinging 2001:470:1f0b:1da2:161c:67c3:678a:2837 with all four combinations but none worked.
Then I think we have exhausted the options with the current firmware on your router. I cannot think of any more you can do other than looking for an updated firmware for the router.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 26, 2012, 03:00:33 AM
I've already updated the firmware, last year or two years ago, I'm not sure. So I'm afraid it's now safe to say I'm screwed.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 26, 2012, 03:34:04 AM
I've already updated the firmware, last year or two years ago, I'm not sure.
A lot of new bugs can be found in a year. You should check if there is a newer firmware.

So I'm afraid it's now safe to say I'm screwed.
There are many other options. If you cannot find an official firmware upgrade for the router, you may be able to find an unofficial firmware with more features. If you can find a good third-party firmware for the router, you may even be able to run the tunnel endpoint directly on the router and get a much better setup that way.

Alternatively you can go with a tunnel broker using other protocols. SixXS supports a much wider range of protocols, some of which should work through your router. Just be aware that SixXS have a quite unpredictable bureaucracy around registration. Some people can get an account, other people cannot.

If all else fails, you can buy yourself a router with proper IPv6 support.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 26, 2012, 03:45:24 AM
It doesn't seem that the crappy router I'm using is supported enough (or at all) to get constant firmware updates, official or not.

I have until the end of the year to get this to work and set up a web and mail server with an IPv6 address after that. I'm thinking about trying to do it at a friend's house but unfortunately he also has a Huawei router, different model though but who knows if it'll work after all the trouble I've had with setting up mine...
Title: Re: Need help with creating a working IPv6 tunnel
Post by: AndrejaKo on December 26, 2012, 04:16:28 AM
Would the PPTP VPN option help here at all? Maybe the router will pass it through its firewall?
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 26, 2012, 04:20:43 AM
Would the PPTP VPN option help here at all?
I don't think HE supports that anymore. But do take a look at the offerings from SixXS. They support protocols that should work through most routers and firewalls.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: AndrejaKo on December 26, 2012, 04:51:45 AM
Well the point which idjuric10 didn't mention is that we got an assignment from our University to pass he.net IPv6 certification and among other things were told to set up our IPv6 tunnel using he.net.


I don't see why certification wouldn't work using SixXs or gogo6, if our TA doesn't make any problems with that.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 26, 2012, 05:49:41 AM
I don't see why certification wouldn't work using SixXs or gogo6, if our TA doesn't make any problems with that.
If I was the TA and a student gave me a good technical explanation of why the task couldn't be completed using the HE tunnel broker, and simultaneously explained how he found another tunnel broker in order to complete the certification, then I would accept that explanation.

As far as I remember there is some step along the way, which requires functional reverse DNS records. So if I recall that part correctly, then you need to use a tunnel broker, which supports reverse DNS records. Apart from that, I don't think there is any limitations on which IPv6 connectivity, you can use to pass the certification test. You are not even required to use the same IPv6 connectivity for the entire test, as long as you have a domain and can update the DNS records in that domain, you can point them at different IPv6 addresses throughout the test.

You could even use Teredo for the first parts of the test and then switch to a tunnel broker once you reach the point in the test, where you need reverse DNS records.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: nickbeee on December 26, 2012, 12:53:00 PM
As far as I remember there is some step along the way, which requires functional reverse DNS records. So if I recall that part correctly, then you need to use a tunnel broker, which supports reverse DNS records.

If you have registered  with SixXs and set up a tunnel then you can set up reverse DNS (https://www.sixxs.net/faq/dns/?faq=reverse) pointing at one of the HE free DNS servers. This worked for me.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 28, 2012, 08:34:53 AM
OK so I'm trying to make an IPv6 tunnel using a friend's router which uses MikroTik RouterOS V2.9. This one should be better and have a lot more options then mine, what do I need to do to make it forward protocol 41 in order to get the IPv6 tunnel to work?
Title: Re: Need help with creating a working IPv6 tunnel
Post by: cholzhauer on December 28, 2012, 08:42:08 AM
It should just do it (check the firewall setting for restrictions)...you may need to enable DMZ mode though.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 28, 2012, 08:54:29 AM
OK, googling now to find out how to enable DMZ on this router since it seems like it isn't as simple as checking the Enable DMZ box like on mine.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: kasperd on December 28, 2012, 11:50:16 AM
OK, googling now to find out how to enable DMZ on this router since it seems like it isn't as simple as checking the Enable DMZ box like on mine.
It isn't hard to find a router without such a feature. And actually there are routers which can handle protocol 41 without needing the DMZ feature. Some routers can handle protocol 41 in the default configuration by simply using connection tracking.

So even if you cannot find the router configuration options you are looking for, it is worth trying setting up the tunnel anyway. With a bit of luck, it might just work.

If you just want to test passing protocol 41 packets without needing to get the tunnel configured on the tunnel server first, you can still use 86.52.121.5 as if it was the tunnel server IP and then try to ping 2001:470:1f0b:1da2:161c:67c3:678a:2837.
Title: Re: Need help with creating a working IPv6 tunnel
Post by: idjuric10 on December 30, 2012, 02:44:41 PM
The results of me dedicating most of Friday and literally this whole weekend to this:

http://ipv6.he.net/certification/scoresheet.php?pass_name=idjuric10

Thanks for all the help even though it ended up not being possible to make it work on my router!