Hello, everyone. I ran into a strange traceroute problem when using traceroute6 behind NAT66. I have two servers, one in HK and the other in Frankfurt. The two servers use HE's tunnel broker in different places. The topology looks like this:
HE's Tunnel in DE                     HE's Tunnel in HK
        | fra-he                              | tb0
-----------------    VPN Connection   -----------------
| Frankfurt (A) | ------------------- | Hong Kong (B) |
-----------------  tun1         tun4  -----------------
The server in Frankfurt (A) has the IPv6 range 2001:470:7429::/48, and the server in Hong Kong (B) has the IPv6 range 2001:470:fadc::/48.
I compiled the kernel of server A to support IPv6 NAT.
I need to route 2001:620::/32 via server A to the Internet, so I applied ip6tables NETMAP rules on server A:
ip6tables -t nat -A POSTROUTING -s 2001:470:fadc::/48 -o fra-he -j NETMAP 2001:470:7429::/48
ip6tables -t filter -A INPUT -i tun1 -j ACCEPT
ip6tables -t filter -A FORWARD -i tun1 -o fra-de -j ACCEPT
ip6tables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Then I added route tables in the file /etc/iproute2/rt_tables and added some ip rules on the 2 servers respectively.
When I ping from server B (ping6 2001:620:130:a080::46), everything goes smoothly. The traffic was routed to server A, and server A did an address translation:
> ping6 strongswan.org
> PING strongswan.org(2001:620:130:a080::46) 56 data bytes
> 64 bytes from 2001:620:130:a080::46: icmp_seq=1 ttl=55 time=289 ms
> 64 bytes from 2001:620:130:a080::46: icmp_seq=2 ttl=55 time=288 ms
> 64 bytes from 2001:620:130:a080::46: icmp_seq=3 ttl=55 time=283 ms
> 64 bytes from 2001:620:130:a080::46: icmp_seq=4 ttl=55 time=284 ms
> 64 bytes from 2001:620:130:a080::46: icmp_seq=5 ttl=55 time=282 ms
> 64 bytes from 2001:620:130:a080::46: icmp_seq=6 ttl=55 time=282 ms
But traceroute6 from server B does not work well:
traceroute6 2001:620:130:a080::46
> traceroute to 2001:620:130:a080::46 (2001:620:130:a080::46), 30 hops max, 80 byte packets
> 1 transit-hkg1-fra.homehosts.net (2001:470:fadc:6604::2) 266.003 ms 265.993 ms 265.999 ms
> 2 * * *
> 3 * * *
> 4 * * *
> 5 * * *
> 6 * * *
> 7 * * *
It's strange that I can traceroute from server A :o
traceroute6 2001:620:130:a080::46
> traceroute to 2001:620:130:a080::46 (2001:620:130:a080::46), 30 hops max, 80 byte packets
> 1 yzyuestc2-4.tunnel.tserv6.fra1.ipv6.he.net (2001:470:1f0a:d1e::1) 5.697 ms 5.632 ms 5.622 ms
> 2 v399.core1.fra1.he.net (2001:470:0:69::1) 7.655 ms 7.887 ms 7.880 ms
> 3 100ge3-1.core1.ams1.he.net (2001:470:0:2d4::1) 7.193 ms 11.531 ms 7.177 ms
> 4 swiCE3-10GE-4-1.switch.ch (2001:7f8:1::a500:559:1) 107.881 ms 107.875 ms 107.867 ms
> 5 swiGE2-10GE-3-1.switch.ch (2001:620:0:c093::2) 23.088 ms 17.289 ms 17.348 ms
> 6 swiEL2-10GE-3-1.switch.ch (2001:620:0:c094::2) 24.190 ms 17.894 ms 17.746 ms
> 7 swiLS2-10GE-1-2.switch.ch (2001:620:0:c00c::2) 17.084 ms 17.420 ms 17.398 ms
> 8 swiEZ1-10GE-2-7.switch.ch (2001:620:0:c03c::2) 81.610 ms 81.324 ms 81.304 ms
> 9 swiRA2-10GE-0-0-2-0.switch.ch (2001:620:0:c058::2) 18.913 ms 19.011 ms 18.948 ms
> 10 2001:620:0:ffc8::2 (2001:620:0:ffc8::2) 19.613 ms 21.479 ms 21.248 ms
> 11 * * *
> 12 * * *
I am sure that I added a table for every interface to split routing. I checked the routing tables and found no mistakes.
Can anyone help? Thanks!
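
An added example, not part of the original post: the 1:1 prefix mapping that the NETMAP rule above applies, so the address to look for in a capture on fra-he can be computed from a host's address on server B's side. The function names and the sample address 2001:470:fadc:1::10 are constructed for illustration; the prefixes and the other two addresses come from the post.

```python
import ipaddress

# Prefixes taken from the NETMAP rule in the post.
INSIDE = ipaddress.IPv6Network("2001:470:fadc::/48")   # server B's range
OUTSIDE = ipaddress.IPv6Network("2001:470:7429::/48")  # server A's range


def netmap(addr, src_net, dst_net):
    """Replace the network bits of addr (src_net -> dst_net), keep host bits.

    An address outside src_net is returned unchanged, mirroring a rule
    whose match (-s / -d) does not apply to the packet.
    """
    addr = ipaddress.IPv6Address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("NETMAP is a 1:1 mapping; prefix lengths must match")
    if addr not in src_net:
        return addr
    host_bits = int(addr) & int(src_net.hostmask)
    return ipaddress.IPv6Address(int(dst_net.network_address) | host_bits)


def translate_outbound(src):
    """Source address as seen beyond fra-he after POSTROUTING NETMAP."""
    return netmap(src, INSIDE, OUTSIDE)


def translate_reply(dst):
    """Inverse mapping applied to the destination of returning packets."""
    return netmap(dst, OUTSIDE, INSIDE)


if __name__ == "__main__":
    samples = (
        "2001:470:fadc:6604::2",   # hop 1 in the traceroute from server B
        "2001:470:fadc:1::10",     # constructed host in B's range
        "2001:620:130:a080::46",   # the traceroute target, outside both ranges
    )
    for s in samples:
        out = translate_outbound(s)
        print(f"{s} -> {out} -> {translate_reply(out)}")
```

Replies and ICMPv6 errors from hops beyond server A are addressed to the mapped 2001:470:7429::/48 address, so that is the destination to filter on when capturing on fra-he.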