Since I originally set up our HE IPv6 tunnel (not actually used much yet), we added a second broadband service and configured our EdgeRouter X for load balancing. The second service is somewhat faster than the first, so I wanted to explore moving the HE tunnel from eth0 to eth1. Before making any changes I double-checked the tunnel from the router's CLI and found that "ping6 google.com" got no response. I'm assuming ping from the CLI is outside the firewall. The router dashboard says the tunnel is "Connected" and shows traffic being transmitted, but nothing being received. "show interfaces tunnel tun0 brief" shows state/link as u/u. "show interfaces tunnel tun0" shows RX > 6M packets received, but that number is now static while the TX numbers are increasing. I tried "show interfaces tunnel tun0 capture" and see only outbound packets. The router uptime is "3 months 4 weeks 1 day" as I type, so receiving packets must have stopped at some point during those ~4 months. I don't know if adding the second connection on eth1 affected the tunnel through eth0, but I believe that's the only change in the interim. I'm currently stumped. I've attached our (redacted) configuration in the hope someone can offer a hint on how to further diagnose or correct why incoming packets on the HE tunnel are not being received. Thanks in advance.
/* Firewall section. WAN_IN/WAN_LOCAL are bound to eth0 and eth1, IPv6-FW to tun0, and "modify balance" to switch0 (see interfaces). */
firewall {
/* Router answers ICMP echo on all interfaces; WAN exposure is further gated by WAN_LOCAL rule 20. */
all-ping enable
broadcast-ping disable
group {
/* RFC 1918 space, used to keep LAN-to-LAN traffic out of the load balancer. */
network-group PRIVATE_NETS {
network 192.168.0.0/16
network 172.16.0.0/12
network 10.0.0.0/8
}
}
/* IPv6 policy for the HE tunnel (applied both "in" and "local" on tun0): default drop, ICMPv6 and return traffic only. */
ipv6-name IPv6-FW {
default-action drop
description "IPv6 Firewall"
/* Accepts every ICMPv6 type from any source (needed for ND/PMTUD); no type filter is applied. */
rule 10 {
action accept
log disable
protocol icmpv6
}
/* Return traffic for sessions initiated from the LAN/router. */
rule 20 {
action accept
state {
established enable
related enable
}
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
/* NOTE(review): martian logging is off; turning it on is a cheap way to see spoofed/misrouted sources during diagnosis. */
log-martians disable
/* Policy routing for traffic entering switch0: LAN-to-LAN and traffic addressed to the router's own WAN addresses stay in the main table; everything else goes to lb-group G. */
/* Packets the router itself originates (e.g. the tun0 6in4 encapsulation) do not enter via switch0, so they are not matched here; their egress is governed by load-balance lb-local instead. */
modify balance {
rule 10 {
action modify
description "do NOT load balance lan to lan"
destination {
group {
network-group PRIVATE_NETS
}
}
modify {
table main
}
}
rule 20 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth0
}
}
modify {
table main
}
}
rule 30 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth1
}
}
modify {
table main
}
}
/* Catch-all: all remaining LAN-originated traffic is balanced across eth0/eth1. */
rule 70 {
action modify
modify {
lb-group G
}
}
}
/* Forwarded traffic arriving from either WAN. */
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
... BEGIN PORT FORWARDING RULES LIKE:
rule NN {
action accept
description "DESCRIPTION"
destination {
address 192.168.1.XXX
port YY
}
log disable
protocol tcp
}
... END PORT FORWARDING RULES ...
/* NOTE(review): accepts 6in4 (protocol 41) from any source. Adding a source address of 72.52.104.74 (the tun0 remote-ip) restricts it to the HE endpoint. */
/* Also note this ruleset covers forwarded traffic only; 6in4 addressed to the router's own local-ip is evaluated by WAN_LOCAL, not here. */
rule 90 {
action accept
description "Encapsulated IPv6 Packets"
log disable
protocol 41
}
rule 110 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
/* Traffic addressed to the router itself from either WAN: default drop, so SSH (22) and the GUI (80/443) are not reachable from the WAN side. */
name WAN_LOCAL {
default-action drop
description "WAN to router"
/* No explicit protocol 41 accept exists here; inbound tunnel packets presumably match this rule as the return half of the router's own outbound 6in4 — verify if RX stays flat. */
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
/* Permits unsolicited ICMP to the router (ping from the Internet). */
rule 20 {
action accept
description "ICMP to Router"
log disable
protocol icmp
state {
established enable
invalid disable
new enable
related disable
}
}
rule 30 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
options {
/* Matches the IPv6 link-mtu 1420 advertised on switch0. */
mss-clamp {
mss 1420
}
}
receive-redirects disable
send-redirects enable
/* NOTE(review): reverse-path checking is off. With two WANs and load balancing, enabling it can drop asymmetric flows, so test before changing. */
source-validation disable
syn-cookies enable
}
interfaces {
/* Primary WAN with a static address; this address is also the tun0 local-ip and the interface the HE dyndns client reports from (see service dns dynamic). */
ethernet eth0 {
address yyy.yyy.yyy.85/28
description WAN
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
/* Second WAN, DHCP-assigned address; same WAN policies as eth0. */
ethernet eth1 {
address dhcp
description "WAN 2"
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth2 {
duplex auto
speed auto
}
ethernet eth3 {
duplex auto
speed auto
}
ethernet eth4 {
duplex auto
speed auto
}
loopback lo {
}
/* LAN side (eth2-eth4). Only the "modify balance" policy is attached inbound; no IPv4 filter ruleset is applied on this interface. */
switch switch0 {
address 192.168.1.1/24
address xxxx:xxxx:1f05:xxxx::1/64
description Local
firewall {
in {
modify balance
}
}
ipv6 {
dup-addr-detect-transmits 1
/* Advertises the routed /64 with link-mtu 1420 to match the tunnel. */
router-advert {
cur-hop-limit 64
link-mtu 1420
managed-flag false
max-interval 600
name-server 2001:4860:4860::8888
other-config-flag false
prefix xxxx:xxxx:1f05:xxxx::/64 {
autonomous-flag true
on-link-flag true
valid-lifetime 2592000
}
/* NOTE(review): this RDNSS is the router's own tun0 address (...1f04...::2), not its switch0 address; confirm the DNS forwarder (listen-on switch0) actually answers on it. */
radvd-options "RDNSS xxxx:xxxx:1f04:xxxx::2 {};"
reachable-time 0
retrans-timer 0
send-advert true
}
}
mtu 1500
switch-port {
interface eth2 {
}
interface eth3 {
}
interface eth4 {
}
vlan-aware disable
}
}
/* HE 6in4 tunnel. local-ip is eth0's static address, so the encapsulated IPv4 packets must leave via eth0 to arrive at HE from the registered address; the follow-up at the end of the post pins a route for the HE server network to eth0 for this reason. */
tunnel tun0 {
address xxxx:xxxx:1f04:xxxx::2/64
description "HE IPv6 Tunnel"
encapsulation sit
/* IPv6-FW is applied to both forwarded and router-destined traffic arriving through the tunnel. */
firewall {
in {
ipv6-name IPv6-FW
}
local {
ipv6-name IPv6-FW
}
}
local-ip yyy.yyy.yyy.85
multicast disable
remote-ip 72.52.104.74
ttl 255
}
}
/* WAN load-balancing group used by "modify balance" rule 70. */
load-balance {
group G {
interface eth0 {
}
interface eth1 {
}
/* NOTE(review): lb-local enable also spreads traffic the router itself originates across both WANs, including the tun0 6in4 packets sourced from eth0's address. */
/* When such a packet egresses eth1 it is presumably masqueraded to eth1's address (nat rule 5002), which HE has no registration for — consistent with TX rising while RX stays flat. The follow-up at the end of the post pins 72.52.104.0/24 to eth0 for this reason. */
lb-local enable
lb-local-metric-change disable
/* Flows are kept on one WAN per source address only. */
sticky {
dest-addr disable
dest-port disable
proto disable
source-addr enable
source-port disable
}
}
}
/* Port forwards (and their auto-generated firewall rules) are defined for eth0 only; nothing arriving on eth1 is forwarded inbound. */
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface switch0
wan-interface eth0
}
protocols {
static {
/* All IPv6 goes out through the HE tunnel. */
interface-route6 ::/0 {
next-hop-interface tun0 {
}
}
/* IPv4 default via eth0's gateway; nothing here pins the HE tunnel server to a specific WAN, which the follow-up at the end of the post adds as interface-route 72.52.104.0/24 next-hop-interface eth0. */
route 0.0.0.0/0 {
next-hop yyy.yyy.yyy.81 {
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN {
authoritative enable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 192.168.1.1
dns-server 8.8.8.8
lease 86400
start 192.168.1.100 {
stop 192.168.1.199
}
}
}
static-arp disable
use-dnsmasq disable
}
dhcpv6-server {
}
dns {
/* HE tunnel endpoint update: reports eth0's address to tunnelbroker, so HE expects 6in4 from that address only. Credentials redacted. */
dynamic {
interface eth0 {
service dyndns {
host-name tunnelTTTTTT.tunnel.tserv3.fmt2.ipv6.he.net
login OURHELOGIN
password OURHEUPDATEKEY
server ipv4.tunnelbroker.net
}
}
}
/* DNS forwarder answers on switch0 only. */
forwarding {
cache-size 150
listen-on switch0
}
}
/* NOTE(review): older-ciphers enable weakens the HTTPS GUI's TLS settings and plain HTTP is on; WAN_LOCAL's default drop keeps both off the WAN side, so exposure is LAN-only. Disable older-ciphers unless a legacy client needs it. */
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
... IPv4 PORT FORWARDING RULES ...
rule 5000 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
/* Any router- or LAN-originated packet routed out eth1 is rewritten to eth1's DHCP address here. */
rule 5002 {
description "masquerade for WAN 2"
outbound-interface eth1
type masquerade
}
}
/* SSH on the default port; reachable from LAN only given WAN_LOCAL's default drop. */
ssh {
port 22
protocol-version v2
}
unms {
disable
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
/* NOTE(review): loose enable lets conntrack pick up TCP flows mid-stream; commonly kept on with multi-WAN/asymmetric paths — confirm it is intended. */
loose enable
max-retrans 3
}
}
host-name TheCatHouse
/* Single local admin account, password-only (no SSH keys shown). */
login {
user admin {
authentication {
encrypted-password ENCRYPTEDPASSWORD
}
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
/* NOTE(review): with hardware NAT offload on, offloaded flows may not appear in interface counters or CLI captures — keep this in mind when reading RX/TX figures during diagnosis. */
offload {
hwnat enable
ipsec disable
}
/* Routing-protocol messages are logged at debug level; useful while diagnosing the tunnel. */
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone America/Los_Angeles
traffic-analysis {
dpi enable
export enable
}
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.11.5274269.200221.1028 */
The cause was the load balancing configuration. The solution was to add a static route so that traffic to the HE tunnel server's network always leaves via the interface whose public IP address HE has on record:
set protocols static interface-route 72.52.104.0/24 next-hop-interface eth0