Hi there,
I have a problem with routing from my local v6 subnet to the outside world.
I can do ping6 ipv6.google.com from my PC which acts as the v6 tunnel endpoint and a firewall. But I can't seem to get the routing working from any of the computers in the subnet.
Here's my setup:
Info from HE:
Global Tunnel ID: 29746 Local Tunnel ID: 5866
Description:
Server IPv4 address: 216.66.84.46
Server IPv6 address: 2001:470:1f14:16ea::1/64
Client IPv4 address: 82.128.196.163
Client IPv6 address: 2001:470:1f14:16ea::2/64
Routed /48: Allocate
Routed /64: 2001:470:1f15:16ea::/64
ifconfig at the server PC:
[root@server1 system]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:13:72:29:6E:1D
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: 2001:470:1f15:16ea::1/128 Scope:Global
inet6 addr: fe80::213:72ff:fe29:6e1d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:18136182 errors:0 dropped:0 overruns:0 frame:0
TX packets:23333170 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2299533635 (2.1 GiB) TX bytes:486273603 (463.7 MiB)
Interrupt:17
eth2 Link encap:Ethernet HWaddr 00:60:08:53:8B:55
inet addr:82.128.196.163 Bcast:82.128.199.255 Mask:255.255.248.0
inet6 addr: fe80::260:8ff:fe53:8b55/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15914992 errors:52541 dropped:0 overruns:0 frame:82771
TX packets:11021027 errors:0 dropped:0 overruns:0 carrier:120
collisions:243 txqueuelen:1000
RX bytes:4187617677 (3.9 GiB) TX bytes:1196776239 (1.1 GiB)
Interrupt:16 Base address:0xdc40
he-ipv6 Link encap:IPv6-in-IPv4
inet6 addr: 2001:470:1f14:16ea::2/64 Scope:Global
inet6 addr: fe80::5280:c4a3/128 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1
RX packets:2539 errors:0 dropped:0 overruns:0 frame:0
TX packets:1222 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:304254 (297.1 KiB) TX bytes:144097 (140.7 KiB)
eth0 is connected to our LAN and eth2 is to the WAN through our ISP.
route -A inet6 at the server:
[root@server1 system]# route -A inet6
Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
2001:470:1f14:16ea::/64 * U 256 155 0 he-ipv6
2001:470:1f15:16ea::1/128 * U 256 0 0 eth0
2001:470:1f15:16ea::/64 * U 1 0 0 eth0
fe80::/64 * U 256 0 0 eth0
fe80::/64 * U 256 0 0 eth1
fe80::/64 * U 256 0 0 eth2
fe80::/64 * U 256 0 0 he-ipv6
*/0 * U 1024 0 0 he-ipv6
::1/128 * U 0 68076 1 lo
2001:470:1f14:16ea::/128 * U 0 0 1 lo
msaarniv-1-pt.tunnel.tserv11.ams1.ipv6.he.net/128 * U 0 2525 1 lo
2001:470:1f15:16ea::1/128 * U 0 44 1 lo
fe80::/128 * U 0 0 1 lo
fe80::/128 * U 0 0 1 lo
fe80::/128 * U 0 0 1 lo
fe80::5280:c4a3/128 * U 0 0 1 lo
fe80::210:18ff:fe1c:7fca/128 * U 0 0 1 lo
fe80::213:72ff:fe29:6e1d/128 * U 0 240 1 lo
fe80::260:8ff:fe53:8b55/128 * U 0 0 1 lo
ff02::1/128 ff02::1 UC 0 7203 0 eth0
ff00::/8 * U 256 0 0 eth0
ff00::/8 * U 256 0 0 eth1
ff00::/8 * U 256 0 0 eth2
ff00::/8 * U 256 0 0 he-ipv6
[root@server1 system]#
ip6tables -L output at the server:
[root@server1 system]# ip6tables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT udp anywhere 2002:d58b:a561:1:5054:5ff:fefc:185b/128udp dpt:61617
ACCEPT udp anywhere 2002:d58b:a561:1:5054:5ff:fefc:185b/128udp dpt:61616
ACCEPT all anywhere anywhere
ACCEPT ipv6-icmp anywhere 2002:d58b:a561:1:5054:5ff:fefc:185b/128
ACCEPT ipv6-icmp anywhere 2002:d58b:a561:1::1/128
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT udp 2002:d58b:a561:1:5054:5ff:fefc:185b/128 anywhere udp spt:61617
ACCEPT udp 2002:d58b:a561:1:5054:5ff:fefc:185b/128 anywhere udp spt:61616
ACCEPT udp anywhere 2002:d58b:a561:1:5054:5ff:fefc:185b/128udp dpt:61616
ACCEPT ipv6-icmp anywhere 2002:d58b:a561:1:5054:5ff:fefc:185b/128
ACCEPT ipv6-icmp anywhere 2002:d58b:a561:1::1/128
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all anywhere anywhere state NEW
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@server1 system]#
ping6 ipv6.google.com output at the server:
[root@server1 system]# ping6 -c2 ipv6.google.com
PING ipv6.google.com(fx-in-x68.google.com) 56 data bytes
64 bytes from fx-in-x68.google.com: icmp_seq=1 ttl=58 time=50.8 ms
64 bytes from fx-in-x68.google.com: icmp_seq=2 ttl=58 time=54.0 ms
--- ipv6.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 50.813/52.442/54.072/1.645 ms
[root@sns1 system]#
ifconfig at the subnet PC:
[root@snl7 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:1C:25:76:8B:BA
inet addr:192.168.0.90 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: 2001:470:1f15:16ea::2/128 Scope:Global
inet6 addr: fe80::21c:25ff:fe76:8bba/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:137761 errors:0 dropped:0 overruns:0 frame:0
TX packets:72321 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:95562866 (91.1 MiB) TX bytes:9054483 (8.6 MiB)
Memory:fe200000-fe220000
[root@snl7 ~]#
route -A inet6 at a PC in the subnet:
[root@snl7 ~]# route -A inet6
Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
2001:470:1f15:16ea::2/128 * U 256 0 0 eth0
fe80::/64 * U 256 0 0 eth0
fe80::/64 * U 256 0 0 wlan0
*/0 * U 1 0 0 eth0
localhost6.localdomain6/128 * U 0 0 1 lo
2001:470:1f15:16ea::2/128 * U 0 289 1 lo
fe80::/128 * U 0 0 1 lo
fe80::/128 * U 0 0 1 lo
fe80::21c:25ff:fe76:8bba/128 * U 0 26 1 lo
fe80::21f:3bff:fe26:efbd/128 * U 0 0 1 lo
ff02::1/128 ff02::1 UC 0 397 0 eth0
ff00::/8 * U 256 0 0 eth0
ff00::/8 * U 256 0 0 wlan0
[root@snl7 ~]#
and a ping6 -c1 ipv6.google.com at the subnet PC:
[root@snl7 ~]# ping6 -c1 ipv6.google.com
PING ipv6.google.com(ww-in-x68.google.com) 56 data bytes
From 2001:470:1f15:16ea::2 icmp_seq=1 Destination unreachable: Address unreachable
--- ipv6.google.com ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 3002ms
[root@snl7 ~]#
I've seen a lot of posts by people with similar problems but haven't been able to fix my problems with the advice that I've seen so far. I'm running out of ideas so any help would be highly appreciated.
Best regards and many thanks in advance,
msaarniv
Ok .. I guess the basic problem is the v6 default route on your client machine. There should be a next hop for that route.
(On the server/router you can get away without a next hop since the tunnel interface is point-to-point.)
Try the following:
ip -6 route add default via 2001:470:1f15:16ea::1
Also be sure to have v6 forwarding enabled on your server/router:
(e.g. /proc/sys/net/ipv6/conf/all/forwarding contains '1')
Thanks Kristian, although it didn't help unfortunately.
The forwarding has been enabled on the server PC.
Some more info:
When I do ping6 ipv6.google.com on the subnet PC while having Wireshark running on the server PC I get absolutely no traffic at all in the he-ipv6 interface. On the eth0 (subnet) I'm getting a bunch of Neighbor Solicitation messages to address ff02::1:ff00:68. (As far as I can understand the address of the ipv6.google.com is 2001:4860:a004::68.) The NS messages don't get routed to any interface so I guess this means that there's something seriously wrong with my ip6tables setup.
Have to keep digging
Just FYI: The neighbor solicitation packets shouldn't be routed. So your ip6tables setup is not necessarily the problem.
I suspect your client machine is trying to find google in your LAN. (Something tells me that it will not succeed. ;))
1.) To be sure: The old default route (without a next hop) must be removed.
2.) Also try setting the LAN v6 addresses on the server & client with /64 masks instead of /128.
Kristian,
How stupid of me! Fixing the /64 and removing the false default route (and adding the default gw) helped.
Thanks a million.
best regards,
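Added example, not part of the thread: a small model of the client's first-hop decision, built from the routes and addresses posted above. It shows why a default route with no next hop makes the client send Neighbor Solicitations for Google's own address (the ff02::1:ff00:68 group seen in Wireshark), and why the old route has to be removed before the gateway route takes effect. The tuple layout, the function names and the metric 1024 for the added route are assumptions of this example.

```python
import ipaddress

GOOGLE = "2001:4860:a004::68"   # address quoted in the thread
GW = "2001:470:1f15:16ea::1"    # server's LAN address

# Routes as (prefix, next_hop or None, metric, iface), from the client's posted table.
BROKEN = [("2001:470:1f15:16ea::2/128", None, 256, "eth0"),
          ("::/0", None, 1, "eth0")]             # default route with no next hop
# After "ip -6 route add default via ..." but before deleting the old default.
# Metric 1024 for the new route is an assumption (not shown in the thread).
HALF_FIXED = BROKEN + [("::/0", GW, 1024, "eth0")]
# Final state: /64 on the LAN, old default removed.
FIXED = [("2001:470:1f15:16ea::/64", None, 256, "eth0"),
         ("::/0", GW, 1024, "eth0")]

def solicited_node(addr):
    """Solicited-node multicast group: ff02::1:ff00:0/104 plus the low 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))

def lookup(routes, dst):
    """Longest-prefix match; equal prefixes are decided by the lowest metric."""
    d = ipaddress.IPv6Address(dst)
    cands = [r for r in routes if d in ipaddress.IPv6Network(r[0])]
    return max(cands,
               key=lambda r: (ipaddress.IPv6Network(r[0]).prefixlen, -r[2]),
               default=None)

def first_hop(routes, dst):
    """Return (address resolved via NDP, NS multicast group, interface), or None."""
    r = lookup(routes, dst)
    if r is None:
        return None
    # No next hop means the destination itself is treated as an on-link neighbor.
    target = r[1] or dst
    return target, solicited_node(target), r[3]

if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("half-fixed", HALF_FIXED),
                        ("fixed", FIXED)):
        print(name, first_hop(table, GOOGLE))
```
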