General IPv6 Topics => IPv6 on Routing Platforms => Topic started by: ivordurham on January 28, 2021, 09:06:02 AM
Title: [SOLVED] Tunnel stopped working on Ubiquiti EdgeRouter
Post by: ivordurham on January 28, 2021, 09:06:02 AM
Since I originally set up our HE IPv6 tunnel (not actually used much yet), we added a second broadband service and configured our EdgeRouter X for load balancing. The second service is somewhat faster than the first so I wanted to explore moving the HE tunnel from eth0 to eth1. Before making any changes I double-checked the tunnel from the router's CLI and found "ping6 google.com" not responding. I'm assuming ping from the CLI is outside the firewall. The router dashboard says the tunnel is "Connected" and shows traffic being transmitted, but nothing being received. "show interfaces tunnel tun0 brief" shows state/link as u/u. "show interfaces tunnel tun0" does show RX > 6M packets received, but that number is now static while the TX numbers are increasing. I tried "show interfaces tunnel tun0 capture" and see only outbound packets. The router uptime is "3 months 4 weeks 1 day" as I type, so receiving packets must have stopped during those ~4 months. I don't know if adding the second connection on eth1 affected the tunnel through eth0, but that's the only change in the interim I believe. I'm currently stumped. I've attached our (redacted) configuration in the hope someone can offer a hint on how to further diagnose or correct why incoming packets on the HE tunnel are not being received. Thanks in advance.
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-name IPv6-FW {
        default-action drop
        description "IPv6 Firewall"
        rule 10 {
            action accept
            log disable
            protocol icmpv6
        }
        rule 20 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 70 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        ... BEGIN PORT FORWARDING RULES LIKE:
        rule NN {
            action accept
            description "DESCRIPTION"
            destination {
                address 192.168.1.XXX
                port YY
            }
            log disable
            protocol tcp
        }
        ... END PORT FORWARDING RULES ...
        rule 90 {
            action accept
            description "Encapsulated IPv6 Packets"
            log disable
            protocol 41
        }
        rule 110 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "ICMP to Router"
            log disable
            protocol icmp
            state {
                established enable
                invalid disable
                new enable
                related disable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1420
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address yyy.yyy.yyy.85/28
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description "WAN 2"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        address xxxx:xxxx:1f05:xxxx::1/64
        description Local
        firewall {
            in {
                modify balance
            }
        }
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 1420
                managed-flag false
                max-interval 600
                name-server 2001:4860:4860::8888
                other-config-flag false
                prefix xxxx:xxxx:1f05:xxxx::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                radvd-options "RDNSS xxxx:xxxx:1f04:xxxx::2 {};"
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
    tunnel tun0 {
        address xxxx:xxxx:1f04:xxxx::2/64
        description "HE IPv6 Tunnel"
        encapsulation sit
        firewall {
            in {
                ipv6-name IPv6-FW
            }
            local {
                ipv6-name IPv6-FW
            }
        }
        local-ip yyy.yyy.yyy.85
        multicast disable
        remote-ip 72.52.104.74
        ttl 255
    }
}
load-balance {
    group G {
        interface eth0 {
        }
        interface eth1 {
        }
        lb-local enable
        lb-local-metric-change disable
        sticky {
            dest-addr disable
            dest-port disable
            proto disable
            source-addr enable
            source-port disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    wan-interface eth0
}
protocols {
    static {
        interface-route6 ::/0 {
            next-hop-interface tun0 {
            }
        }
        route 0.0.0.0/0 {
            next-hop yyy.yyy.yyy.81 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.199
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dhcpv6-server {
    }
    dns {
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name tunnelTTTTTT.tunnel.tserv3.fmt2.ipv6.he.net
                    login OURHELOGIN
                    password OURHEUPDATEKEY
                    server ipv4.tunnelbroker.net
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        ... IPv4 PORT FORWARDING RULES ...
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name TheCatHouse
    login {
        user admin {
            authentication {
                encrypted-password ENCRYPTEDPASSWORD
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat enable
        ipsec disable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Los_Angeles
    traffic-analysis {
        dpi enable
        export enable
    }
}
/* Warning: Do not remove the following line. */ /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */ /* Release version: v1.10.11.5274269.200221.1028 */
Title: Re: [SOLVED] Tunnel stopped working on Ubiquiti EdgeRouter
Post by: ivordurham on January 30, 2021, 04:49:04 PM
The cause was the load balancing configuration. The solution was to add a static route for the HE server network to use the interface for which HE had the public IP address:
set protocols static interface-route 72.52.104.0/24 next-hop-interface eth0
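Editor's added example (not part of the thread, and not the poster's or Ubiquiti's code): the failure above is the classic multi-WAN tunnel trap. The tunnel's own 6in4 (protocol 41) packets are router-originated, and with `lb-local enable` on a group that contains both WANs they can be steered out eth1, where the eth1 masquerade rule rewrites the source so the HE tunnel server never sees them from the registered endpoint address. That matches TX climbing while RX stays flat. The script below parses an EdgeOS/VyOS-style configuration dump into a tree and applies that check: find the WAN that owns the tunnel's `local-ip`, see whether it sits in a multi-WAN group with `lb-local enable`, and see whether the remote endpoint is already pinned to that WAN by an `interface-route`. The configuration text is constructed for the example (RFC 5737 documentation addresses, 72.52.104.74 taken from the thread), and the suggested fix uses a /32 for the endpoint rather than the /24 the poster chose; both are assumptions of this example, not statements about the real configuration.

```python
# Added example: audit an EdgeOS-style config dump for a 6in4 tunnel whose
# endpoint can be load-balanced away from the WAN that owns its local-ip.
import ipaddress
import shlex

# Constructed fragment modelled on the thread (RFC 5737 addresses): two WANs in
# group G with lb-local enabled, tun0 anchored to eth0's address, no pinning route.
CONFIG_BROKEN = """
interfaces {
    ethernet eth0 {
        address 198.51.100.85/28
    }
    ethernet eth1 {
        address dhcp
        description "WAN 2"
    }
    tunnel tun0 {
        local-ip 198.51.100.85
        remote-ip 72.52.104.74
    }
}
load-balance {
    group G {
        interface eth0 { }
        interface eth1 { }
        lb-local enable
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 198.51.100.81 { }
        }
    }
}
/* Release version: constructed */
"""
# The same config with the thread's fix applied, narrowed to the endpoint /32.
CONFIG_FIXED = CONFIG_BROKEN.replace(
    "    static {\n",
    "    static {\n        interface-route 72.52.104.74/32 {\n"
    "            next-hop-interface eth0 { }\n        }\n",
)


def parse_config(text):
    """Brace format -> nested dicts; repeated leaves (address, name-server) become lists."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("/*")[0].strip()  # drop the trailing /* ... */ metadata lines
        if not line:
            continue
        tokens = shlex.split(line)  # keeps quoted values such as "WAN 2" whole
        while tokens:
            if tokens[0] == "}":
                stack.pop()
                tokens = tokens[1:]
            elif "{" in tokens:
                i = tokens.index("{")
                node = stack[-1].setdefault(" ".join(tokens[:i]), {})
                stack.append(node)
                tokens = tokens[i + 1:]
            else:
                key, *vals = tokens
                stack[-1].setdefault(key, []).append(" ".join(vals))
                tokens = []
    return root


def audit_tunnel(text, tun="tun0"):
    cfg = parse_config(text)
    ifaces = cfg["interfaces"]
    tunnel = ifaces[f"tunnel {tun}"]
    local_ip = ipaddress.ip_address(tunnel["local-ip"][0])
    remote_ip = ipaddress.ip_address(tunnel["remote-ip"][0])
    # 1. Which WAN owns local-ip?  The broker only accepts proto-41 from that address.
    owner = None
    for name, node in ifaces.items():
        if not name.startswith("ethernet "):
            continue
        for addr in node.get("address", []):
            if addr != "dhcp" and ipaddress.ip_interface(addr).ip == local_ip:
                owner = name.split()[1]
    # 2. Is that WAN in a multi-WAN group with lb-local enable?  Then the router's own
    #    encapsulated packets can be steered out the other WAN (and masqueraded there).
    risky = []
    for name, grp in cfg.get("load-balance", {}).items():
        members = [k.split()[1] for k in grp if k.startswith("interface ")]
        if grp.get("lb-local") == ["enable"] and owner in members and len(members) > 1:
            risky.append(name.split()[1])
    # 3. Is the remote endpoint already pinned to the owner by an interface-route?
    pinned = False
    for name, node in cfg.get("protocols", {}).get("static", {}).items():
        if name.startswith("interface-route "):
            net = ipaddress.ip_network(name.split()[1], strict=False)
            if remote_ip in net and f"next-hop-interface {owner}" in node:
                pinned = True
    fix = None
    if risky and not pinned:
        fix = f"set protocols static interface-route {remote_ip}/32 next-hop-interface {owner}"
    return {"owner": owner, "lb_local_groups": risky, "pinned": pinned, "fix": fix}
```

Feed `audit_tunnel()` the output of `show configuration` (or the saved config.boot) and it returns the owning WAN, the offending load-balance groups and the `set` command to pin the endpoint; on `CONFIG_BROKEN` it reports `eth0`, group `G` and the /32 route, on `CONFIG_FIXED` it reports the endpoint as pinned. To confirm the diagnosis on the router itself before changing anything, a capture on the second WAN such as `sudo tcpdump -ni eth1 'ip proto 41'` should show no encapsulated packets at all; if it does, the tunnel is leaving the wrong interface.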