Hello, I recently signed up for a tunnel and configured it on my Edgemax router (Vyatta), but I am unable to ping6 the remote IP on the tunnel. I deleted the tunnel and created a new one to a different server endpoint as well, with the same results. Do you see anything wrong here? I have not yet set the IPv6 advertisement; I took that config out for troubleshooting.
Any help would be appreciated. Thanks.
Here is my config:
firewall {
all-ping enable
broadcast-ping disable
conntrack-expect-table-size 4096
conntrack-hash-size 4096
conntrack-table-size 32768
conntrack-tcp-loose enable
group {
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* DMZ_LOCAL is bound as "local" on eth1 vif 30: no rules, so all DMZ traffic to the router itself is dropped and logged. */
name DMZ_LOCAL {
default-action drop
description ""
enable-default-log
}
/* DMZ_OUT is bound as "in" on eth1 vif 30, i.e. it filters packets arriving from the DMZ. */
name DMZ_OUT {
default-action drop
description ""
enable-default-log
/* NOTE(review): with "new disable", this drop matches only established/related packets headed for the LAN. A new DMZ->LAN session therefore falls through to rule 2 (new enable, 0.0.0.0/0) and is accepted, while replies to LAN-initiated sessions appear to be dropped here. The state flags look inverted -- confirm intended. */
rule 1 {
action drop
destination {
address 10.10.10.0/24
}
log enable
protocol all
source {
}
state {
established enable
invalid disable
new disable
related enable
}
}
/* Accepts any new/established/related traffic from the DMZ to anywhere, including 10.10.10.0/24 (see rule 1). */
rule 2 {
action accept
destination {
address 0.0.0.0/0
}
log disable
protocol all
state {
established enable
invalid disable
new enable
related enable
}
}
}
/* WAN_IN is bound as "in" on eth0: inbound traffic from the Internet that is forwarded through the router. */
name WAN_IN {
default-action drop
description ""
enable-default-log
/* Only "established" is enabled; "related" is disabled, so e.g. ICMP errors tied to existing flows may be dropped -- confirm intended. */
rule 1 {
action accept
description "Allow Established"
log enable
protocol all
state {
established enable
invalid disable
new disable
related disable
}
}
/* Rules 2-6 open LAN/VPN hosts to inbound WAN traffic with no source restriction; each pairs with a destination-NAT rule under "service nat". */
rule 2 {
action accept
description "Allow HTTP To WWW Server"
destination {
address 10.10.10.205
port 80
}
log enable
protocol tcp
}
rule 3 {
action accept
description "Allow SSL VPN To ASA"
destination {
address 10.25.25.2
port 443
}
log enable
protocol tcp
}
rule 4 {
action accept
description "Allow UDP 500 to ASA"
destination {
address 10.25.25.2
port 500
}
log disable
protocol udp
}
rule 5 {
action accept
description "Allow UDP 4500 to ASA"
destination {
address 10.25.25.2
port 4500
}
log enable
protocol udp
}
/* Exposes the NAS (10.10.10.65) on TCP/5000 to the whole Internet. */
rule 6 {
action accept
description "Allow Synology Traffic"
destination {
address 10.10.10.65
port 5000
}
log enable
protocol tcp
}
}
/* WAN_LOCAL is bound as "local" on eth0: traffic from the Internet to the router itself. Only ICMP is accepted (rule 2). No rule accepts IPv4 protocol 41 (6in4/sit), which the HE tunnel on tun0 needs; per the thread, allowing protocol 41 here resolved the ping6 failure. */
name WAN_LOCAL {
default-action drop
description ""
enable-default-log
/* The description says "Allow" but the action is drop: TCP/443 to the router from any source is blocked (the GUI listens on 10.10.10.1 only, see "service gui"). The description should be corrected. */
rule 1 {
action drop
description "Allow HTTPS Management"
destination {
port 443
}
log enable
protocol tcp
source {
address 0.0.0.0/0
}
}
/* Accepts all ICMP to the router from the WAN, logged. */
rule 2 {
action accept
log enable
protocol icmp
}
}
receive-redirects disable
send-redirects enable
/* Reverse-path source validation is off (presumably no rp_filter-style anti-spoofing on ingress) -- confirm intended. */
source-validation disable
syn-cookies enable
}
interfaces {
/* WAN. Both addresses are redacted (x.x.x.x) in this paste. WAN_IN/WAN_LOCAL are the only firewall rulesets facing the Internet. */
ethernet eth0 {
address x.x.x.x
address x.x.x.x
description WAN
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
/* Trunk to the switch; the untagged interface has no address but still sends router advertisements (no prefix configured). */
ethernet eth1 {
description "Trunk To Switch 1/0/48"
duplex auto
ipv6 {
dup-addr-detect-transmits 1
router-advert {
cur-hop-limit 64
link-mtu 0
managed-flag false
max-interval 10
other-config-flag false
reachable-time 0
retrans-timer 0
send-advert true
}
}
speed auto
/* Internal LAN (10.10.10.0/24). The "in" firewall node is empty, so no ruleset is applied to traffic from the LAN. */
vif 10 {
address 10.10.10.1/24
description "Internal LAN"
firewall {
in {
}
}
/* NOTE(review): the poster says the advertisement was removed for troubleshooting, but it is still present in this dump. The advertised /64 (2001:470:b:ee::/64) is not the tunnel's /64 (tun0 is 2001:470:1f10:97b::2/64); the reply in the thread notes this prefix is not routed to the poster. Also, no "ipv6-name" ruleset exists anywhere in this config and none is bound to tun0, so LAN hosts that take a global address from this RA would be reachable inbound over the tunnel unfiltered. */
ipv6 {
dup-addr-detect-transmits 1
router-advert {
cur-hop-limit 64
default-preference medium
link-mtu 0
managed-flag true
max-interval 10
other-config-flag true
prefix 2001:470:b:ee::/64 {
autonomous-flag true
on-link-flag true
valid-lifetime 2592000
}
reachable-time 0
retrans-timer 0
send-advert true
}
}
}
/* Guest LAN: no address and an empty "out" firewall node, so nothing is bound. */
vif 20 {
description "Guest LAN"
firewall {
out {
}
}
mtu 1500
}
/* DMZ (10.100.100.0/24): DMZ_OUT filters traffic from the DMZ, DMZ_LOCAL drops everything to the router; "out" is empty. */
vif 30 {
address 10.100.100.1/24
description DMZ
firewall {
in {
name DMZ_OUT
}
local {
name DMZ_LOCAL
}
out {
}
}
mtu 1500
}
}
/* Point-to-point link to the ASA (10.25.25.2, see WAN_IN rules 3-5 and NAT rules 1-3). No firewall bound. */
ethernet eth2 {
address 10.25.25.1/30
description VPN
duplex auto
speed auto
}
loopback lo {
}
}
protocols {
static {
/* All IPv6 traffic is sent out tun0 (the HE tunnel); tun0 itself is not in this dump, see the follow-up post. */
interface-route6 ::/0 {
next-hop-interface tun0 {
}
}
/* IPv4 default route via the ISP gateway (redacted). */
route 0.0.0.0/0 {
next-hop x.x.x.x {
distance 1
}
}
}
}
service {
dhcp-server {
disabled false
shared-network-name DMZ {
authoritative disable
subnet 10.100.100.0/24 {
default-router 10.100.100.1
dns-server 142.165.21.5
dns-server 142.165.200.5
lease 86400
start 10.100.100.100 {
stop 10.100.100.149
}
}
}
shared-network-name LAN {
authoritative disable
subnet 10.10.10.0/24 {
default-router 10.10.10.1
/* Clients are handed the upstream resolvers directly rather than the router's forwarder; see also NAT rule 6, which redirects all LAN DNS anyway. */
dns-server 142.165.21.5
dns-server 142.165.200.5
lease 86400
start 10.10.10.100 {
stop 10.10.10.149
}
static-mapping 1 {
ip-address 10.10.10.90
mac-address 00:90:a9:a2:40:62
}
static-mapping 2 {
ip-address 10.10.10.91
mac-address 00:90:a9:c8:cf:a0
}
static-mapping CACTI_Server {
ip-address 10.10.10.206
mac-address 00:15:5d:01:78:27
}
}
}
}
/* NOTE(review): the forwarder listens on untagged eth1 only, not on eth1.10/eth1.30 where the LAN and DMZ are addressed -- confirm this is reachable by clients. */
dns {
forwarding {
cache-size 4000
listen-on eth1
}
}
/* HTTPS GUI bound to the LAN address only; WAN_LOCAL rule 1 additionally drops TCP/443 to the router from the WAN. */
gui {
https-port 443
listen-address 10.10.10.1
}
nat {
/* Rules 1-3: port-forwards to the ASA on eth2; matching WAN_IN accept rules are 3-5. */
rule 1 {
description "NAT UDP 4500 To ASA"
destination {
address x.x.x.x
port 4500
}
inbound-interface eth0
inside-address {
address 10.25.25.2
port 4500
}
log enable
protocol udp
type destination
}
rule 2 {
description "NAT SSL To ASA"
destination {
address x.x.x.x
port 443
}
inbound-interface eth0
inside-address {
address 10.25.25.2
port 443
}
log enable
protocol tcp
type destination
}
rule 3 {
description "NAT UDP 500 to ASA"
destination {
address x.x.x.x
port 500
}
inbound-interface eth0
inside-address {
address 10.25.25.2
port 500
}
log enable
protocol udp
type destination
}
/* Exposes the NAS on TCP/5000 (WAN_IN rule 6). */
rule 4 {
description "NAT Synology NAS"
destination {
address x.x.x.x
port 5000
}
inbound-interface eth0
inside-address {
address 10.10.10.65
port 5000
}
log disable
protocol tcp
type destination
}
/* HTTP to the web server (WAN_IN rule 2). Rule 9 below duplicates this rule. */
rule 5 {
description "NAT HTTP"
destination {
address x.x.x.x
port 80
}
inbound-interface eth0
inside-address {
address 10.10.10.205
port 80
}
log disable
protocol tcp
type destination
}
/* Transparently redirects all DNS (TCP/UDP 53) from 10.10.10.0/24 to 208.122.23.22, overriding whatever resolver the client configured. inbound-interface is eth1, not eth1.10 where that subnet lives -- confirm it matches. */
rule 6 {
description "Redirect WDTV DNS"
destination {
address 0.0.0.0/0
port 53
}
inbound-interface eth1
inside-address {
address 208.122.23.22
}
log enable
protocol tcp_udp
source {
address 10.10.10.0/24
}
type destination
}
/* Rules 7-8: hairpin DNAT for LAN clients using the public address. Same eth1 vs. eth1.10 question as rule 6. */
rule 7 {
description "Hairpin HTTP"
destination {
address x.x.x.x
port 80
}
inbound-interface eth1
inside-address {
address 10.10.10.205
port 80
}
log enable
protocol tcp
source {
address 10.10.10.0/24
}
type destination
}
rule 8 {
description "Hairpin Synology"
destination {
address x.x.x.x
port 5000
}
inbound-interface eth1
inside-address {
address 10.10.10.65
port 5000
}
log enable
protocol tcp
source {
address 10.10.10.0/24
}
type destination
}
/* Duplicate of rule 5 (same match and same inside-address); rule 5 matches first, so this rule is never reached and can be removed. */
rule 9 {
description "NAT HTTP 1"
destination {
address x.x.x.x
port 80
}
inbound-interface eth0
inside-address {
address 10.10.10.205
port 80
}
log enable
protocol tcp
type destination
}
/* Source NAT for the LAN out of eth0. */
rule 5000 {
description "Main NAT"
log enable
outbound-interface eth0
outside-address {
address x.x.x.x
}
protocol all
source {
address 10.10.10.0/24
}
type source
}
/* Rules 5001-5002: masquerade half of the hairpin so the server sees the router as the source. */
rule 5001 {
description "HTTP Hairpin"
destination {
address 10.10.10.0/24
port 80
}
log enable
outbound-interface eth1.10
protocol tcp
source {
address 10.10.10.0/24
}
type masquerade
}
rule 5002 {
description "Synology Hairpin"
destination {
address 10.10.10.0/24
port 5000
}
log disable
outbound-interface eth1.10
protocol tcp
source {
address 10.10.10.0/24
}
type masquerade
}
/* Source NAT for the DMZ out of eth0. */
rule 5003 {
description "DMZ NAT"
log disable
outbound-interface eth0
outside-address {
address x.x.x.x
}
protocol all
source {
address 10.100.100.0/24
}
type source
}
}
/* NOTE(review): read-only SNMP with the well-known community "public" and a second community literally named "ro"; no client or listen-address restriction is configured here. WAN_LOCAL and DMZ_LOCAL drop it, but the LAN (eth1 vif 10) has no local firewall, so any LAN host can read the router over SNMP. */
snmp {
community public {
authorization ro
}
community ro {
authorization ro
}
}
/* SSHv2 on 22. Not reachable from the WAN, since WAN_LOCAL accepts only ICMP. */
ssh {
port 22
protocol-version v2
}
}
system {
host-name ERL
login {
user admin {
/* NOTE(review): encrypted-password has no value and plaintext-password is "" -- presumably stripped for posting; confirm the running config still carries a password hash for the admin user. */
authentication {
encrypted-password
plaintext-password ""
}
level admin
}
}
name-server 142.165.21.5
name-server 142.165.200.5
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
time-zone America/Regina
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.2.0beta1.4567952.130604.1540 */
I see a default route specifying that the tun0 interface is to be used, but I don't see the tun0 interface defined anywhere in your configuration. Additionally, the /64 you are advertising on your LAN is not routed to you: a traceroute to that prefix gives a "no route to host" error from the tunnel server.
So first check that you typed the prefix correctly, and then check that the tunnel is in fact configured with the correct client IPv4 address on the tunnel server.
Sorry, not sure why that config didn't have the tunnel. Here's the interface config from the current running config:
/* 6in4 (sit) tunnel to HE: carried as IPv4 protocol 41, so WAN_LOCAL must accept protocol 41 from the tunnel server for the tunnel to come up (the thread's resolution). No firewall is bound to this interface and no ipv6-name ruleset exists in the posted config, so inbound IPv6 over the tunnel is unfiltered; no mtu is set either. local-ip is redacted. */
tunnel tun0 {
address 2001:470:1f10:97b::2/64
description "HE.NET IPv6 Tunnel"
encapsulation sit
local-ip x.x.x.x
remote-ip 184.105.253.14
}
}
The route config is the same, and the router IPv6 advertisement section is removed in the current config.
This was resolved by allowing protocol 41 local on the WAN interface.
Hi msaw6261
Is it possible to show me the firewall config in the browser interface for the tunnel? I'm stuck with the configuration :(
Thanks and regards,
FlakeB