Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 Basics & Questions & General Chatter => Topic started by: b1izzard on December 08, 2009, 12:00:22 AM

Title: Firewall security questions
Post by: b1izzard on December 08, 2009, 12:00:22 AM
I don't completely understand how IPv6 and firewalls function, and I have a few questions:

1.  If the firewall blocks traffic coming in, how do you configure specific ports to be open?  I have a D-Link DIR-615 router.   I want to setup a Windows RDP connection to my computer so I can access it remotely. 

2.  When running a port scan, I tried to scan my client IPV6 address 2001:470:1f04:6db::2/ and it showed one port open for TCP 53.  I am assuming this must be DNS on the D-Link? 

3.  Does HE filter any traffic whatsoever, or is it wide open?

4.  If I want to create a second HE tunnel for a 2nd network behind another D-Link router on separate static IPv4 WAN address, will I be able to communicate between these just as I would if I had 2 separate IPV4 only networks on their own static WAN IP's?  I do this all the time with IPV4, but don't have a clue on IPV6. 

Thanks!

Title: Re: Firewall security questions
Post by: broquea on December 08, 2009, 12:17:06 AM
Re #1, last I checked, the DIR-615 didn't do any IPv6 firewalling, and that you had to do it on the host. I don't see any mention of an IPv6 firewall in the firmware rev notes up through latest.

Re #2, Probably, try a v4 portscan and see if it gets the same behavior, be interesting to know.

Re #3, we don't filter traffic, it's wide open.

Re #4, yes, both networks will have globally routed IPv6 addresses. As long as they have unfiltered services (or filtered with specific hosts/networks allowed) they should be able to communicate with each other.
Title: Re: Firewall security questions
Post by: b1izzard on December 08, 2009, 07:25:18 AM
I tried running an IPV4 port scan on port 25 for my W2K3 Exchange server using grc.com and it was in stealth.  I added a port forwarding rule and tested it again and it was open.  I ran an ipv6 port scan on the server IP address and all 1000 ports were closed (see below).  I do have the 'Client IPV4 address' pointing to my D-Link IP of 192.168.1.1 for the client netsh configuration (example: netsh int ipv6 add v6v4tunnel IP6Tunnel 192.168.1.1 72.x.x.74, but let me know if this is wrong), as from what I can tell that is the correct way to do it when behind a firewall.

How can I get this to work?  Do I need a different firewall capable of passing traffic through, or do I have to directly connect my server to the internet?  I don't want to directly connect it unless I have to.  If you know of any good software or hardware devices that are inexpensive that will do what I need it to, please let me know.  Thanks.

****ipv6 port scan result*****
This utility will perform a basic nmap portscan from 2001:470:0:aa::2 to the supplied IPv6 address. Do note, this is simply a quick probe and is not a replacement for an in-depth security scan.

You may probe any IPv6 address within your routed /64s or /48s as well as your side's tunnel endpoint.
IPs available for you to scan are in the following prefixes:
2001:470:1f04:6db::2/128
2001:470:1f05:6db::/64
2001:470:8055::/48

Enter the IPv6 address to check:
Options: Skip initial ping (-PN)
Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-08 07:20 PST
All 1000 scanned ports on 2001:470:1f05:6db:20c:29ff:fe2e:7697 are closed

Nmap done: 1 IP address (1 host up) scanned in 3.78 seconds
 *************

Title: Re: Firewall security questions
Post by: jimb on December 08, 2009, 03:08:36 PM
I'm confused now.  Why are you setting up tunnels on your windows hosts when you have the DIR615 acting as your IPv6 router???

You should not be setting up 6in4 tunnels on your windows boxes.  Just your DIR-615.  Then default routes should point to it.  It will route the IPv6 traffic to HE and back.
Title: Re: Firewall security questions
Post by: b1izzard on December 08, 2009, 04:16:40 PM
I was worried that might be confusing.  Let me clarify.  Basically I am going to setup 2 IPV6 networks.  Pretend one is in New York behind a D-Link IPV6 router.  Another is in Los Angeles behind another IPV6 D-Link router.  I just want to set them up so I can IPV6 between them, by which I will use the 'Create Regular Tunnel' to add another tunnel so I have one for LA and one for New York. If there is a problem with this plan or I am misguided, please let me know.

My current setup for New York behind the D-Link router is that I have 2 Windows 2008 Servers, which I setup with the following information.  The D-Link gateway IP is 192.168.1.1.

New York tunnel:
Server IPv4 address: 72.52.104.74
 Server IPv6 address: 2001:470:1f04:6db::1/64
 Client IPv4 address: 173.x.x.11 (Changed to 192.168.1.1 which is the D-Link IP)
 Client IPv6 address: 2001:470:1f04:6db::2/64 
Available DNS Resolvers
 Anycasted IPv6 Caching Nameserver: 2001:470:20::2
 Anycasted IPv4 Caching Nameserver: 74.82.42.42
Routed IPv6 Prefixes and rDNS Delegations
 Routed /48: 2001:470:8055::/48 
 Routed /64: 2001:470:1f05:6db::/64 

 RDNS Delegation NS1: none 
 RDNS Delegation NS2: none 
 RDNS Delegation NS3: none 
BGP Details
 ASN: none
 

On the 2 Windows 2008 Servers, I have added the following commands:

netsh interface ipv6 add v6v4tunnel IP6Tunnel 192.168.1.1 72.52.104.74
netsh interface ipv6 add address IP6Tunnel 2001:470:1f04:6db::2
netsh interface ipv6 add route ::/0 IP6Tunnel 2001:470:1f04:6db::1

I can ping the IPV6 internet and browse IPV6 web sites, so things seem to be working correctly from that aspect.

>>I'm confused now.  Why are you setting up tunnels on your windows hosts when you have the DIR615 acting as your IPv6 router???

Does this clarify the above question, or am I even farther off on this?
Title: Re: Firewall security questions
Post by: broquea on December 08, 2009, 04:25:37 PM
When your tunnel is terminated on the dlink, you shouldn't be running the tunnel commands on the windows machines. They should be automatically configuring IPv6 addresses from Routed /64: 2001:470:1f05:6db::/64 if that is what you put as LAN IP on the dlink. The dlink is where the tunnel should be terminated, because you can't have the same tunnel terminated on multiple devices, or else the last one configured tends to be the only one working.

Terminate tunnel on the dlink, have it advertise to all hosts on the lan, and that should be good to go.
Title: Re: Firewall security questions
Post by: jimb on December 08, 2009, 05:33:39 PM
Quote
I was worried that might be confusing.  Let me clarify.  Basically I am going to setup 2 IPV6 networks.  Pretend one is in New York behind a D-Link IPV6 router.  Another is in Los Angeles behind another IPV6 D-Link router.  I just want to set them up so I can IPV6 between them, by which I will use the 'Create Regular Tunnel' to add another tunnel so I have one for LA and one for New York. If there is a problem with this plan or I am misguided, please let me know.

My current setup for New York behind the D-Link router is that I have 2 Windows 2008 Servers, which I setup with the following information.  The D-Link gateway IP is 192.168.1.1.

New York tunnel:
Server IPv4 address: 72.52.104.74
 Server IPv6 address: 2001:470:1f04:6db::1/64
 Client IPv4 address: 173.x.x.11 (Changed to 192.168.1.1 which is the D-Link IP)
 Client IPv6 address: 2001:470:1f04:6db::2/64  
Available DNS Resolvers
 Anycasted IPv6 Caching Nameserver: 2001:470:20::2
 Anycasted IPv4 Caching Nameserver: 74.82.42.42
Routed IPv6 Prefixes and rDNS Delegations
 Routed /48: 2001:470:8055::/48  
 Routed /64: 2001:470:1f05:6db::/64  

 RDNS Delegation NS1: none  
 RDNS Delegation NS2: none  
 RDNS Delegation NS3: none  
BGP Details
 ASN: none
 

On the 2 Windows 2008 Servers, I have added the following commands:

netsh interface ipv6 add v6v4tunnel IP6Tunnel 192.168.1.1 72.52.104.74
netsh interface ipv6 add address IP6Tunnel 2001:470:1f04:6db::2
netsh interface ipv6 add route ::/0 IP6Tunnel 2001:470:1f04:6db::1

I can ping the IPV6 internet and browse IPV6 web sites, so things seem to be working correctly from that aspect.

>>I'm confused now.  Why are you setting up tunnels on your windows hosts when you have the DIR615 acting as your IPv6 router???

Does this clarify the above question, or am I even farther off on this?

Agh.  OK.  I see what you're trying to do.  You have two separate tunnels emulating two networks.  One is terminated to the Dlink, the other to win2008.

I've already spotted a major problem.  A tunnel terminates to ONE and only ONE host.  You're trying to do a 6in4 tunnel with TWO different 2008 boxes.  You can't do that.  You must use one as a router, and the other as a LAN host which goes through the router.

Second, if you read my previous message, I tried to explain that when behind a NAT, you can only have ONE 6in4 tunnel per public IP.  In other words, if you have a bunch of hosts behind a NAT device behind a single public IP, only ONE can do a 6in4 tunnel to the same tunnel server.  If you use two different tunnel servers, it may work, since it now has two unique source IPs on the return traffic.

Unlike protocols which use TCP or UDP, 6in4 doesn't have ports, so the NAT device has no way of mapping the return traffic to the proper inside IP.  So for things like web browsing, you can have 100 different hosts talking to the same web server, and mapping all of them to the same public IP, and because it has TCP ports to work with, the NAT device can sort out which is which upon receiving the return traffic.  Since 6in4 simply doesn't have ports, it being merely an IPv4 packet with its protocol number field set to 41 containing an IPv6 packet as payload, it has no way of figuring out which inside host originally sent the packet.  If you have say, 192.168.1.5 and 192.168.1.6 talking to the same tunnel server on the internet, the source IPs on the outgoing traffic get NATed to the SAME public IP, and return traffic from the tunnel server for both .5 and .6 will have the same destination public IP, so the NAT device has no clue whether to route a given return packet to .5 or .6.

So, if you have two 6in4 routers behind a NAT device, you either have to map each router to be NATed to a separate public source IP (#1), OR use a separate destination tunnel server IP (#2).  And #2 still may not work, depending on how retarded your NAT device is (in theory it should if that NAT device has a proper implementation of NAT).  :P
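The NAT-table argument in the post above, worked through as an added example (this is not code from the thread or from HE): a toy NAT keyed the way a consumer NAT keys outbound flows. TCP flows carry ports, so two inside hosts can share one public IPv4; protocol 41 has no ports, so two inside hosts tunnelling to the same server collide on one table entry and the last sender wins, which is also the "override" flapping described further down the thread. Only 72.52.104.74 comes from the thread; the inside hosts, the public IP, the second tunnel server and the web server are constructed for illustration.

```python
"""Why two 6in4 tunnels cannot share one NATed IPv4 address.

Added example, not code from the forum thread. A toy NAT/PAT table keyed the
way a consumer NAT keys outbound flows: TCP/UDP flows carry ports, so many
inside hosts can share one public address; protocol 41 (6in4) has no
transport header, so two inside hosts tunnelling to the SAME server collide
on one key and the last sender steals the mapping. Inside hosts, the public
IP, the second tunnel server and the web server are constructed; only
72.52.104.74 is the thread's own tunnel server.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PROTO_TCP = 6
PROTO_6IN4 = 41  # IPv4 protocol number for IPv6-in-IPv4 (RFC 4213)

TUNNEL_SERVER = "72.52.104.74"    # HE tunnel server named in the thread
TUNNEL_SERVER_2 = "198.51.100.1"  # assumed second tunnel server
WEB_SERVER = "203.0.113.80"       # assumed web server
PUBLIC_IP = "192.0.2.11"          # assumed public IPv4 of the NAT device


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols without ports
    dport: Optional[int] = None


@dataclass
class Nat:
    """Outbound NAT: rewrite the source to the public IP and remember how to
    deliver the return packet to the inside host."""
    public_ip: str
    table: Dict[Tuple, str] = field(default_factory=dict)
    overwritten: int = 0  # times an existing mapping was clobbered

    @staticmethod
    def _key(proto: int, remote: str, remote_port: Optional[int],
             our_port: Optional[int]) -> Tuple:
        # What the NAT can see on a RETURN packet: protocol, remote IP and,
        # only if the protocol has them, the two ports. For protocol 41 the
        # public IP is the same for every inside host, so it adds nothing.
        if our_port is None:
            return (proto, remote)
        return (proto, remote, remote_port, our_port)

    def outbound(self, pkt: Packet) -> Packet:
        key = self._key(pkt.proto, pkt.dst, pkt.dport, pkt.sport)
        if key in self.table and self.table[key] != pkt.src:
            self.overwritten += 1  # last writer wins; the other host loses
        self.table[key] = pkt.src
        return Packet(pkt.proto, self.public_ip, pkt.dst, pkt.sport, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Inside host a return packet is delivered to, or None (dropped)."""
        key = self._key(pkt.proto, pkt.src, pkt.sport, pkt.dport)
        return self.table.get(key)


def tcp_flows_share_public_ip() -> Tuple[Optional[str], Optional[str]]:
    """Two LAN hosts browse the same web server through one public IP."""
    nat = Nat(PUBLIC_IP)
    nat.outbound(Packet(PROTO_TCP, "192.168.1.5", WEB_SERVER, 50001, 80))
    nat.outbound(Packet(PROTO_TCP, "192.168.1.6", WEB_SERVER, 50002, 80))
    to_5 = nat.inbound(Packet(PROTO_TCP, WEB_SERVER, PUBLIC_IP, 80, 50001))
    to_6 = nat.inbound(Packet(PROTO_TCP, WEB_SERVER, PUBLIC_IP, 80, 50002))
    return to_5, to_6


def two_6in4_tunnels_collide() -> Tuple[Optional[str], int]:
    """Both LAN hosts run 6in4 to the SAME tunnel server."""
    nat = Nat(PUBLIC_IP)
    nat.outbound(Packet(PROTO_6IN4, "192.168.1.5", TUNNEL_SERVER))
    nat.outbound(Packet(PROTO_6IN4, "192.168.1.6", TUNNEL_SERVER))  # clobbers .5
    winner = nat.inbound(Packet(PROTO_6IN4, TUNNEL_SERVER, PUBLIC_IP))
    return winner, nat.overwritten


def two_6in4_tunnels_different_servers() -> Tuple[Optional[str], Optional[str], int]:
    """Same hosts, DIFFERENT tunnel servers: the remote IP disambiguates."""
    nat = Nat(PUBLIC_IP)
    nat.outbound(Packet(PROTO_6IN4, "192.168.1.5", TUNNEL_SERVER))
    nat.outbound(Packet(PROTO_6IN4, "192.168.1.6", TUNNEL_SERVER_2))
    to_5 = nat.inbound(Packet(PROTO_6IN4, TUNNEL_SERVER, PUBLIC_IP))
    to_6 = nat.inbound(Packet(PROTO_6IN4, TUNNEL_SERVER_2, PUBLIC_IP))
    return to_5, to_6, nat.overwritten


if __name__ == "__main__":
    print("tcp:", tcp_flows_share_public_ip())
    print("6in4, same server:", two_6in4_tunnels_collide())
    print("6in4, two servers:", two_6in4_tunnels_different_servers())
```

The second scenario is the one to watch for when a Windows box behind the router still has a leftover v6v4tunnel interface: every protocol 41 packet it emits rewrites the single entry, and the router's tunnel goes dark until the router sends the next packet. A static protocol 41 mapping to the router, where the NAT device supports it, pins the entry and removes the race.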

Title: Re: Firewall security questions
Post by: b1izzard on December 08, 2009, 07:16:42 PM
Ok, one tunnel per IP.  Got it.  I'm still not clear on what the configuration is supposed to be to have one web server publicly accessible.  Let's forget about the 2 tunnels and focus on just 1.  If you could review the following information and the attached diagram and tell me what I have misconfigured, then that would greatly help me to make sense of how it's supposed to be configured. 

Here is the route print and TCP/IP info from the Windows 2008 server:
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 10    266 ::/0                     fe80::224:1ff:fef5:a02
  1    306 ::1/128                  On-link
 12     18 2001::/32                On-link
 12    266 2001:0:4137:9e50:14fa:2132:3f57:fe9a/128
                                    On-link
 10     18 2001:470:1f05:6db::/64   On-link
 10    266 2001:470:1f05:6db:4f6:430e:50ff:4f1d/128
                                    On-link
 10    266 fe80::/64                On-link
 12    266 fe80::/64                On-link
 10    266 fe80::4f6:430e:50ff:4f1d/128
                                    On-link
 12    266 fe80::14fa:2132:3f57:fe9a/128
                                    On-link
  1    306 ff00::/8                 On-link
 12    266 ff00::/8                 On-link
 10    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
 If Metric Network Destination      Gateway
  0 4294967295 ::/0                     2001:470:1f04:6db::1
===========================================================================

TCP/IP info:
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-78-E5-68
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:470:1f05:6db:4f6:430e:50ff:4f1d(Preferred)
   Link-local IPv6 Address . . . . . : fe80::4f6:430e:50ff:4f1d%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, December 07, 2009 7:52:04 PM
   Lease Expires . . . . . . . . . . : Monday, December 14, 2009 7:52:05 PM
   Default Gateway . . . . . . . . . : fe80::224:1ff:fef5:a02%10
                                       192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{04CF5110-234E-4D95-8399-978745604DD4}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e50:14fa:2132:3f57:fe9a(Preferred)
   Link-local IPv6 Address . . . . . : fe80::14fa:2132:3f57:fe9a%12(Preferred)
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter IP6Tunnel:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Direct Point-to-point Adapater
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Sorry to be a PITA.  Thanks for your help.
Title: Re: Firewall security questions
Post by: b1izzard on December 08, 2009, 07:43:53 PM
Sorry broquea, I somehow missed your last post and read only jimb's.  I'll try that out now and let you know.  I'm guessing I have to run netsh int ipv6 reset to clear it out?

Title: Re: Firewall security questions
Post by: broquea on December 08, 2009, 07:46:19 PM
and make sure in that LAN IP field on the dlink, you put, character for character: 2001:470:1f05:6db::1

it already knows it will be a /64 range
Title: Re: Firewall security questions
Post by: jimb on December 08, 2009, 07:52:33 PM
OK. Where do I start.

First, based on the diagram, it looks like you are trying to establish a 6in4 tunnel from BOTH the win2008 machine AND the D-Link.  This is not how it's done.  The 6in4 tunnel is ONLY established from the DLINK to HE.  The LAN machines, including your win2008 box, should NOT have any 6in4 tunnel.  There should be NO v6v4tunnel on the windows 2008 box.

From the output of the commands, I also see you have a bad default route pointing to the tunnel interface on the Dlink (although this may be left over from you trying to set up the tunnel on the win2008 box.  the route looks "costed out" because of the metric, but i'd delete it anyway).  The default route should point to the LAN interface of the DLINK.

Delete the IP6Tunnel interface ("netsh int ipv6 delete int IP6Tunnel") and the bad persistent IPv6 default route on the 2008 box.

The D-Link should have an address configured on it from your routed /64.  It can't end in a zero.  The address it looks like you used on the D-Link LAN interface is "2001:470:1f05:6db::0".  You can't use ::0.  Use "2001:470:1f05:6db::1" instead.  If the D-Link is doing RA, it should provide a proper IPv6 address and default route to your win2008 box.  From the output it looks like it is ("2001:470:1f05:6db:4f6:430e:50ff:4f1d" is being autoconfigured as your IPv6 global, and your default route is being set too):

Code:
{root@gts/pts/1}~# ipv6calc -i fe80::224:1ff:fef5:a02
No input type specified, try autodetection...found type: ipv6addr
No output type specified, try autodetection...found type: ipv6addr
Address type: unicast, link-local
Registry for address: reserved
Interface identifier: 0224:01ff:fef5:0a02
EUI-48/MAC address: 00:24:01:f5:0a:02
MAC is a global unique one
MAC is an unicast one
OUI is: D-Link Corporation

It's handing the link local address of the D-Link to your windows box as a default route.  This is just fine.

If you get rid of the tunnel interface on the win2008 box, and possibly the route, it should start just working to get to the internet, provided your DNS server and resolver is properly resolving AAAA records.
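The ipv6calc lookup in the post above, reproduced by hand as an added example (not code from the thread or from ipv6calc): the modified EUI-64 construction that turns a MAC into a SLAAC interface identifier, its inverse, and the check that the advertised gateway fe80::224:1ff:fef5:a02 really is the D-Link's own MAC-derived link-local address. The single-entry OUI table is a constructed stand-in for the IEEE registry and contains only the OUI ipv6calc identified above; the forward direction is also used to predict what address a given MAC would autoconfigure in the thread's routed /64.

```python
"""Recover the MAC embedded in an EUI-64 IPv6 interface identifier.

Added example, not code from the thread. Reproduces what the ipv6calc
output above shows: the RA default gateway fe80::224:1ff:fef5:a02 is the
D-Link's link-local address derived from its MAC. OUI_VENDORS is a
constructed one-entry stand-in for the IEEE registry.
"""
import ipaddress
from typing import Optional

OUI_VENDORS = {"00:24:01": "D-Link Corporation"}  # only the OUI from the post


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291): insert ff:fe in the middle of the 48-bit
    MAC and flip the universal/local bit (bit 1 of the first octet)."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_iid_to_mac(iid: bytes) -> Optional[str]:
    """Inverse of mac_to_eui64_iid. None if the IID is not EUI-64 derived
    (random/privacy IIDs, or a manually assigned one such as ::1)."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def mac_from_ipv6(addr: str) -> Optional[str]:
    """Embedded MAC of any IPv6 address (link-local or global), or None."""
    return eui64_iid_to_mac(ipaddress.IPv6Address(addr).packed[8:])


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host with this MAC forms by SLAAC in a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8]
                                     + mac_to_eui64_iid(mac)))


def describe(addr: str) -> dict:
    """Scope, embedded MAC and vendor, in the spirit of `ipv6calc -i`."""
    ip = ipaddress.IPv6Address(addr)
    mac = mac_from_ipv6(addr)
    vendor = OUI_VENDORS.get(mac[:8], "unknown OUI") if mac else None
    return {"address": str(ip), "link_local": ip.is_link_local,
            "mac": mac, "vendor": vendor}


if __name__ == "__main__":
    # The gateway from the route print in the thread.
    print(describe("fe80::224:1ff:fef5:a02"))
    # The win2008 global address carries no ff:fe, so it is not EUI-64
    # derived (Windows Vista/2008 randomise the IID by default).
    print(describe("2001:470:1f05:6db:4f6:430e:50ff:4f1d"))
    # What the D-Link's own MAC would autoconfigure in the routed /64.
    print(slaac_address("2001:470:1f05:6db::/64", "00:24:01:f5:0a:02"))
```

Two practical consequences worth keeping in mind: an EUI-64 address reveals the NIC vendor and stays constant as the host moves between networks, which is why Windows defaults to randomised identifiers; and a /64 whose hosts use predictable identifiers (vendor OUI plus a small serial range, or ::1, ::10 style static addresses) is far cheaper to scan than the 2^64 address space suggests.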
Title: Re: Firewall security questions
Post by: jimb on December 08, 2009, 07:57:18 PM
Quote
Sorry broquea, I somehow missed your last post and read only jimb's.  I'll try that out now and let you know.  I'm guessing I have to run netsh int ipv6 reset to clear it out?
Yeah I also asked this in reply #3 (http://www.tunnelbroker.net/forums/index.php?topic=711.msg3404#msg3404).  But you indicated that you're doing TWO tunnels, so I figured it was examples of your win2008 tunnel server.

Anyway, if you read my previous messages carefully, you'll see that having that 6in4 tunnel on the win2008 box is probably also screwing with your NAT device.  If you eventually want to get the 2nd tunnel up, make sure you review my reply #6 (http://www.tunnelbroker.net/forums/index.php?topic=711.msg3412#msg3412).
Title: Re: Firewall security questions
Post by: b1izzard on December 08, 2009, 08:59:21 PM
Thanks guys.  That allowed me to scan for open ports.  I now have a few more questions.

1.  When doing it from the HE port scanner, it shows ports 80 and 3389 open.  When I try to use the subnetonline.com IPV6 scanner, I get the following:

Checked port 80 on Host/IP 2001:470:1f05:6db:4f6:430e:50ff:4f1d...
The checked port (80) is offline/unreachable
Reason: No route to host (113)

Any ideas on this? 

2.  It seems to me that having the D-Link is pointless since I can only have one tunnel, and all traffic is unfiltered and goes to one host.  Can you give me a good reason to have the D-Link in place? 

3.  Normally, in IPV4 I would have a terminal server, mail server, and VPN server NAT'ed behind one static IP.  So correct me if I'm wrong, but I'd either have to have 4 D-Link routers, or connect all 4 directly to the internet?

4.  Am I being paranoid, or isn't that extremely risky having a server directly connected to the internet with only a software firewall?  ISA server is pretty secure, but Windows 2008 would just be running off the standard firewall.

5.  What is a typical scenario for keeping a LAN secure so authorized people from inside and outside the organization can access it?  Typically, I have customers that I have setup for VPN, OWA, Term Server, etc, but since it's behind a NAT'ed static IP, all the ports except the few we need open are blocked.

Again, thanks a million!  I really appreciate all your help.
Title: Re: Firewall security questions
Post by: b1izzard on December 08, 2009, 09:30:52 PM
Jimb, I do read your posts, but sometimes I don't fully understand what it is you're telling me because it's not super super specific for an IPV6 newbie like me. 

I think the whole thing that screwed me up and got me off track was the initial configuration page for the tunnel details.  Where it says:

"*NOTE* When behind a firewall appliance that passes protocol41, instead of using the IPv4 endpoint you provided to our broker, use the IPv4 address you get from your appliance's DHCP service.",  I construed 'The IPv4 address you get from your appliance's DHCP service' to be 192.168.1.1. 

Well it could also technically be the IP address that YOU get as it says, which would be your IP.  Since there was no mention not to add the Windows sample configuration to the Windows host, I proceeded to.  Due to the **NOTE* message above, I construed the following netsh command needed to be modified from

netsh interface ipv6 add v6v4tunnel IP6Tunnel 173.160.167.11 72.52.104.74

to

netsh interface ipv6 add v6v4tunnel IP6Tunnel  192.168.1.1 72.52.104.74

Perhaps this information is somewhere on your site, but it seems that for newbies, it would be very helpful to add 2 hyperlinks to the tunnel details page and break it into categories for how to setup IPV6 using a router with PC's behind it, and also how to setup IPV6 for directly connecting your computer to the internet without a hardware firewall.   I guarantee it would have saved you guys some serious time having to answer my relentless postings.   :)

If I can pay you back by creating this documentation for you to review and post, I'd be happy to help.

Title: Re: Firewall security questions
Post by: jimb on December 08, 2009, 09:37:19 PM
Quote
Thanks guys.  That allowed me to scan for open ports.  I now have a few more questions.

1.  When doing it from the HE port scanner, it shows ports 80 and 3389 open.  When I try to use the subnetonline.com IPV6 scanner, I get the following:

Checked port 80 on Host/IP 2001:470:1f05:6db:4f6:430e:50ff:4f1d...
The checked port (80) is offline/unreachable
Reason: No route to host (113)

Any ideas on this? 
Not sure why, but I can't ping or trace your host from outside.  Tunnel appears to be down.

Quote
2.  It seems to me that having the D-Link is pointless since I can only have one tunnel, and all traffic is unfiltered and goes to one host.  Can you give me a good reason to have the D-Link in place? 
The fact that the D-Link doesn't appear to be able to firewall IPv6 traffic would be a big issue with me.  I wouldn't like that.

IPv6 traffic should be able to get to ANY host on your IPv6 routed /64 LAN via the D-Link.  It should NOT go only "to one host."  This is a bug or configuration problem.

Quote
3.  Normally, in IPV4 I would have a terminal server, mail server, and VPN server NAT'ed behind one static IP.  So correct me if I'm wrong, but I'd either have to have 4 D-Link routers, or connect all 4 directly to the internet?
It is still possible to have TS, SMTP, and VPN behind a single NATed public IPv4 and reachable, while simultaneously running a 6in4 tunnel to the D-Link.  What's not possible is having more than one 6in4 tunnel running through the same IPv4 public IP NAT going to the same tunnel server.

These services should also be reachable via IPv6 directly, via the tunnel.

Quote
4.  Am I being paranoid, or isn't that extremely risky having a server directly connected to the internet with only a software firewall?  ISA server is pretty secure, but Windows 2008 would just be running off the standard firewall.
I wouldn't do it.  I prefer to have defense in depth, running a network firewall at the ingress point, and having host based firewalls running on each host.  I personally network firewall my IPv6 traffic using ip6tables on my linux based IPv6 router.

Quote
5.  What is a typical scenario for keeping a LAN secure so authorized people from inside and outside the organization can access it?  Typically, I have customers that I have setup for VPN, OWA, Term Server, etc, but since it's behind a NAT'ed static IP, all the ports except the few we need open are blocked.
Typically secure remote access requires a client VPN setup.  Services like OWA can typically be port forwarded to the outside, depending on how much you trust the security of OWA.  Many put these types of servers on a separate DMZ network.

If we're talking IPv6, all these services are reachable directly from the internet.  So if you want to block them, you simply block them with your network (and/or host) firewall's security policy.

But even in a situation like this, it's often risky to allow access to servers on your internal corporate LAN since any exploitable services may allow a hacker access to a machine on your internal LAN.  This is why, as I mentioned above, machines like this are often placed on a highly restricted DMZ network, or off site at a data center.

Security best practices for IPv6 aren't very different from security for IPv4.  The only real difference is that in the IPv4 world, most hosts are unreachable by default from the internet simply because you need a port forward, or static NAT to a public IPv4, for any inside host that you want to be reachable.  But any sane IPv6 network security policy will deny all by default, and only allow access to what you want to be accessed from the outside.  So in the end it boils down to the same thing, just with less complicated setup required (no port forward/NAT nonsense).
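The deny-by-default policy described in the post above, as an added example (not code from the thread): a small first-match evaluator for the router's forwarding path, plus a rendering of the same policy as ip6tables rules of the kind jimb runs on a Linux IPv6 router. The routed /64 is the thread's; the static service addresses inside it, the remote office prefix that is allowed to RDP in, and the service list are assumptions. The ICMPv6 allowances are the ones a practitioner must keep: blanket-blocking ICMPv6 breaks path MTU discovery, which matters over a tunnel with a reduced MTU.

```python
"""Deny-by-default IPv6 ingress policy, evaluated in Python and rendered as
ip6tables rules for a Linux IPv6 router.

Added example, not code from the thread. Every host in the routed /64 is
reachable from the internet unless a firewall says otherwise, so the FORWARD
chain drops by default and allows only intended services. The service
addresses, the remote office prefix and the service list are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv6Network
ANY = Net("::/0")
# Assumed static addresses inside the thread's routed /64.
TERMINAL_SERVER = Net("2001:470:1f05:6db::10/128")
MAIL_SERVER = Net("2001:470:1f05:6db::25/128")
OWA_SERVER = Net("2001:470:1f05:6db::443/128")
REMOTE_OFFICE = Net("2001:db8:1234::/48")  # assumed; allowed to RDP in

# ICMPv6 that must pass or IPv6 breaks: 1 unreachable, 2 packet too big
# (path MTU discovery), 3 time exceeded, 4 parameter problem. Echo 128/129
# is optional but useful for diagnostics.
ICMPV6_ALLOWED = (1, 2, 3, 4, 128, 129)


@dataclass
class Packet:
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    proto: str                    # "tcp", "udp" or "icmpv6"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    action: str                   # "ACCEPT" or "DROP"
    proto: Optional[str] = None   # None matches any protocol
    src: Net = ANY
    dst: Net = ANY
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and p.src in self.src and p.dst in self.dst
                and (self.dport is None or self.dport == p.dport)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))

    def as_ip6tables(self) -> str:
        parts = ["ip6tables", "-A", "FORWARD"]
        if self.proto:
            parts += ["-p", self.proto]
        if self.src != ANY:
            parts += ["-s", str(self.src)]
        if self.dst != ANY:
            parts += ["-d", str(self.dst)]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        if self.icmp_type is not None:
            parts += ["--icmpv6-type", str(self.icmp_type)]
        return " ".join(parts + ["-j", self.action])


def build_policy() -> List[Rule]:
    rules = [Rule("ACCEPT", "icmpv6", icmp_type=t) for t in ICMPV6_ALLOWED]
    rules += [
        Rule("ACCEPT", "tcp", src=REMOTE_OFFICE, dst=TERMINAL_SERVER, dport=3389),
        Rule("ACCEPT", "tcp", dst=MAIL_SERVER, dport=25),
        Rule("ACCEPT", "tcp", dst=OWA_SERVER, dport=443),
    ]
    return rules


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First match wins; unmatched traffic falls to the chain policy, DROP."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "DROP"


def packet(src: str, dst: str, proto: str, dport: Optional[int] = None,
           icmp_type: Optional[int] = None) -> Packet:
    return Packet(ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst),
                  proto, dport, icmp_type)


def render(rules: List[Rule]) -> List[str]:
    """Equivalent ip6tables script: default DROP, let replies to flows the
    LAN opened come back, then the explicit allows."""
    return (["ip6tables -P FORWARD DROP",
             "ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
            + [r.as_ip6tables() for r in rules])


if __name__ == "__main__":
    policy = build_policy()
    print("\n".join(render(policy)))
    # The XP box from the thread is not reachable on 3389 even from the
    # remote office, because no rule names it.
    print(evaluate(policy, packet("2001:db8:1234::5",
                                  "2001:470:1f05:6db:714c:8d1d:88de:831", "tcp", 3389)))
```

The same policy belongs on each host's own firewall as well (defense in depth, as the post says): the router rules keep the rest of the /64 dark, and the host rules survive a router that, like the DIR-615 here, cannot filter IPv6 at all.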

Title: Re: Firewall security questions
Post by: b1izzard on December 08, 2009, 09:56:43 PM
I see part of my problem.  I was confusing a tunnel with host.  I was thinking a tunnel needed to be created for each host, but that is not the case.  I am able to scan my computers ports, so it appears all are reachable from the internet.  The thing that concerns me is

>>Not sure why, but I can't ping or trace your host from outside.  Tunnel appears to be down.

Is it possible it's a problem on my end?  It's strange that I can see them open from the HE port scanner but nowhere else.  Have you run into this before?
Title: Re: Firewall security questions
Post by: jimb on December 08, 2009, 10:17:03 PM
Quote
I see part of my problem.  I was confusing a tunnel with host.  I was thinking a tunnel needed to be created for each host, but that is not the case.  I am able to scan my computers ports, so it appears all are reachable from the internet.  The thing that concerns me is
Yes I noticed that before, and I guess I didn't explain it well enough.  You only need ONE 6in4 tunnel to route IPv6 traffic from hosts for an entire LAN, or even a set of many LANs connected by other routers to the IPv6 internet.  You set the tunnel up on the host/box/node/appliance you chose as your IPv6 router, and all other hosts send IPv6 traffic through this router, which routes the traffic down the tunnel to HE's tunnel server, and receives return traffic to your LAN through the same tunnel.  Each host on your LAN does not have a separate tunnel.

Quote
>>Not sure why, but I can't ping or trace your host from outside.  Tunnel appears to be down.

Is it possible it's a problem on my end?  It's strange that I can see them open from the HE port scanner but nowhere else.  Have you run into this before?
Actually it's working now.  I can't ping your windows box because it's probably dropping pings (firewall).  But an nmap scan reveals port 80 and port 3389 (rdp) open, and I can connect:

Code:
{root@gtoojimb/pts/3}~# nmap -6 -P0 -sT -T3 2001:470:1f05:6db:4f6:430e:50ff:4f1d

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-08 22:12 PST
Interesting ports on 2001:470:1f05:6db:4f6:430e:50ff:4f1d:
Not shown: 998 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-term-serv

nc -6 -n -v 2001:470:1f05:6db:4f6:430e:50ff:4f1d 3389
(UNKNOWN) [2001:470:1f05:6db:4f6:430e:50ff:4f1d] 3389 (ms-wbt-server) open

nc -6 -n 2001:470:1f05:6db:4f6:430e:50ff:4f1d 80
lakjdsf
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 09 Dec 2009 06:13:09 GMT
Connection: close
Content-Length: 326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Verb</h2>
<hr><p>HTTP Error 400. The request verb is invalid.</p>
</BODY></HTML>

EDIT: OK now it's down again.  Not sure what's going on:

nc -6 -v -n 2001:470:1f05:6db:4f6:430e:50ff:4f1d 3389
(UNKNOWN) [2001:470:1f05:6db:4f6:430e:50ff:4f1d] 3389 (ms-wbt-server) : No route to host


It could be that your tunnel is flapping if you didn't completely get rid of the tunnel interfaces on your windows boxes.  As I said before, if one of those 2008 boxes sends a 6in4 packet out, it will "override" the NAT entry on your edge router, and then all tunnel traffic will be sent to the windows box instead of the 615, until the 615 sends another 6in4 packet, yadda yadda.  If your edge router allows you to configure a static NAT for protocol 41, configure one and point it to the DIR-615.  Then it won't matter.
Title: Re: Firewall security questions
Post by: broquea on December 08, 2009, 10:22:29 PM
Quote
Perhaps this information is somewhere on your site, but it seems that for newbies, it would be very helpful to add 2 hyperlinks to the tunnel details page and break it into categories for how to setup IPV6 using a router with PC's behind it, and also how to setup IPV6 for directly connecting your computer to the internet without a hardware firewall.   I guarantee it would have saved you guys some serious time having to answer my relentless postings.   :)

If I can pay you back by creating this documentation for you to review and post, I'd be happy to help.

This would actually be the function of the forums, where users can discuss and learn things like basics of IPv6 routing and WAN/LAN connectivity. The purpose of us providing examples for creating the tunnel on a device is simply to show how to do it. We can't know every single user's network topology, so we'll never be able to completely cover everyone's situation. Here on the forums, as you're seeing, the community helps to educate its inhabitants. One of the bigger issues is the amount of NAT on the net these days, which is why I added that note about terminating tunnels on machines behind NAT. But if they don't understand we'd hope that they would ask. We could bloat the inside of the broker with huge walls of text explaining every single detail, but we felt that here on the forums, or emailing us directly, would be a better way for everyone involved to help educate each other.

We're also working on expanding the online FAQ to cover most of the topics we get submitted as trouble tickets http://ipv6.he.net/certification/faq.php  That "what is an IPv4 endpoint" question is still the top ticket sent in; I've seen at least 5 this week and it's only Tuesday, and we even display the viewing IPv4 address right next to the input field. If you want to write up a really nice set of documentation, walk-throughs or HOWTOs (and ideally all our users should want to do this) we can even sticky the post in the forums to make sure it doesn't disappear. If there is an informative post we missed and people would like to see it stickied, bring it to our attention, absolutely.

In fact, I'd open up a whole new forum topic area just for user submitted documentation, walk-throughs and HOWTOs if enough people wanted it and were willing to contribute.
Title: Re: Firewall security questions
Post by: jimb on December 08, 2009, 10:34:49 PM
@broquea:  I sometimes wonder if it'd serve better to simply omit the "Client IPv4 address" from the output.

Many routers don't even need this to be explicitly set anyway (it just uses the LAN interface).  And maybe it'll make people actually think about what to use when it does ask for it.  

I was also in the middle of writing a reply about this, mentioning the videos and stuff you guys posted on youtube.  But canceled figuring that I'd let you answer it.  :P
Title: Re: Firewall security questions
Post by: broquea on December 08, 2009, 10:37:26 PM
Quote
@broquea:  I sometimes wonder if it'd serve better to simply omit the "Client IPv4 address" from the output.

Well, that is the link to update your IPv4 endpoint inside the broker's UI...so not getting rid of it quite yet! :D

Plus it's needed in some of those example commands to get the tunnel up. Be they behind NAT or not.
Title: Re: Firewall security questions
Post by: jimb on December 08, 2009, 11:27:51 PM
O yeh I forgot about that link.  Static IP here so I don't have to worry about it.  :)
Title: Re: Firewall security questions
Post by: b1izzard on December 09, 2009, 12:41:37 AM
Jimb, the problem with the tunnel going up and down may have been related to me turning on and off the Windows 2008 firewall.  Please try hitting TCP 3389 for host 2001:470:1f05:6db:714c:8d1d:88de:831 and let me know if you have any problems.  I won't mess with it again until I hear back from you.

Both of my Windows XP machines are showing 2 IPV6 addresses and I don't know how to remove one of them.  I tried resetting, and uninstalling IPV6, but they persist.  They are both 2001: global addresses.  How do I use the command line to delete the second one?  I tried netsh int ipv6 delete address "lan" <IPV6 address>, but get the error 'A device attached to the system is not functioning.'
Title: Re: Firewall security questions
Post by: jimb on December 09, 2009, 01:14:16 AM
Quote
Jimb, the problem with the tunnel going up and down may have been related to me turning on and off the Windows 2008 firewall.  Please try hitting TCP 3389 for host 2001:470:1f05:6db:714c:8d1d:88de:831 and let me know if you have any problems.  I won't mess with it again until I hear back from you.
It connects.  You don't have to turn the FW on/off.  You should be able to enable access to whatever services you desire with windows firewall.  When you turn on remote desktop access, it normally puts a rule in there automatically.

Quote
Both of my Windows XP machines are showing 2 IPV6 addresses and I don't know how to remove one of them.  I tried resetting, and uninstalling IPV6, but they persist.  They are both 2001: global addresses.  How do I use the command line to delete the second one?  I tried netsh int ipv6 delete address "lan" <IPV6 address>, but get the error 'A device attached to the system is not functioning.'
What are the IPv6 addresses?  It could just be Teredo which is automatic.  It won't use Teredo if there's a good unicast address.  Plus it's turned off by default under XP.  It may also be a result of IPv6 privacy, which generates a new IPv6 at intervals which is supposed to make internet use more anonymous.  You can turn it off with a netsh command if that's what's going on.
Title: Re: Firewall security questions
Post by: b1izzard on December 09, 2009, 07:35:25 AM
Here is what I have for my Windows XP machine.  Note the 2nd 2001: address.  Is this normal for XP?

Ethernet adapter LAN:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8169/8110 Family Gigabit Ethernet NIC
        Physical Address. . . . . . . . . : 00-0D-61-11-90-77
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        IP Address. . . . . . . . . . . . : 2001:470:1f05:6db:1859:ac7e:f09f:e1d0
        IP Address. . . . . . . . . . . . : 2001:470:1f05:6db:20d:61ff:fe11:9077
        IP Address. . . . . . . . . . . . : fe80::20d:61ff:fe11:9077%5
        Default Gateway . . . . . . . . . : 192.168.1.1
                                            fe80::224:1ff:fef5:a02%5
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            68.87.69.146
                                            fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1

Tunnel adapter Teredo Tunneling Pseudo-Interface:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
        Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%4
        Default Gateway . . . . . . . . . :
        NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Automatic Tunneling Pseudo-Interface:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface
        Physical Address. . . . . . . . . : C0-A8-01-05
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : fe80::5efe:192.168.1.5%2
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1
        NetBIOS over Tcpip. . . . . . . . : Disabled
Title: Re: Firewall security questions
Post by: b1izzard on December 09, 2009, 07:42:17 AM
Also, I did a traceroute from subnetonline.com and came up with this.  It seems to make it to HE.  Any idea why it won't get through to me?
TraceRoute IPv6 Output:

traceroute to 2001:470:1f05:6db:20d:61ff:fe11:9077 (2001:470:1f05:6db:20d:61ff:fe11:9077), 30 hops max, 40 byte packets
 1  2001:1af8:4200:b000::1 (2001:1af8:4200:b000::1)  0.822 ms  0.808 ms  0.868 ms
 2  2001:1af8:4100::5 (2001:1af8:4100::5)  0.822 ms  0.904 ms  0.977 ms
 3  be11.crs.evo.leaseweb.net (2001:1af8::9)  1.177 ms  1.164 ms  1.149 ms
 4  ams-ix.he.net (2001:7f8:1::a500:6939:1)  1.134 ms  1.143 ms  1.166 ms
 5  10gigabitethernet1-4.core1.lon1.he.net (2001:470:0:3f::1)  8.590 ms  8.664 ms  8.669 ms
 6  10gigabitethernet2-3.core1.nyc4.he.net (2001:470:0:3e::1)  76.626 ms  76.558 ms  77.859 ms
 7  10gigabitethernet5-3.core1.lax1.he.net (2001:470:0:10e::1)  147.225 ms  147.210 ms  147.403 ms
 8  10gigabitethernet1-3.core1.pao1.he.net (2001:470:0:34::1)  156.874 ms  156.868 ms  157.105 ms
 9  10gigabitethernet1-4.core1.fmt2.he.net (2001:470:0:30::1)  146.590 ms  146.584 ms  146.596 ms
10  1g-bge0.tserv3.fmt2.ipv6.he.net (2001:470:0:45::2)  149.811 ms  152.865 ms  155.933 ms
11  1g-bge0.tserv3.fmt2.ipv6.he.net (2001:470:0:45::2)  149.446 ms !H  149.481 ms !H  149.587 ms !H
Title: Re: Firewall security questions
Post by: jimb on December 09, 2009, 03:46:56 PM
The XP output looks normal.  The extra IPv6 addresses on the interface are the "private" addresses which XP has added over time which I spoke of in a previous post.

Traceroute probably fails because your firewall is dropping the UDP packets, or not generating ICMPv6 time exceeded responses, or something is blocking these responses.  The last response you see is HE's tunnel server.
Title: Re: Firewall security questions
Post by: b1izzard on December 09, 2009, 04:25:07 PM
If you are referring to the fe80: addresses, I can understand that.  But I was referring specifically to the two 2001: addresses.  So those are also considered 'private' and not global?

I have set up an AAAA host record for my test website and have tested it, so it's live.  For my Windows Server 2008 box, should I set a static IPV6 address using netsh or the gui?  Right now IPV6 is automatically configured from the D-Link.  If I add a static IPV6 and now have two 2001: IPV6 addresses (the stateless and static), will this mess anything up? 

If I just use the GUI, what is the Windows Server 2008 configuration supposed to be?  I tried to use the auto-configuration IP of 2001:470:1f05:6db:4f6:430e:50ff:4f1d with 64 subnet, and the D-Link address as the gateway, which is the fe80::224:1ff:fef5:a02.  It didn't seem to take it unfortunately.
Title: Re: Firewall security questions
Post by: broquea on December 09, 2009, 04:50:30 PM
Windows generated Privacy Address:
Code:
IP Address. . . . . . . . . . . . : 2001:470:1f05:6db:1859:ac7e:f09f:e1d0
Auto-configured Address (note the FF:FE):
Code:
IP Address. . . . . . . . . . . . : 2001:470:1f05:6db:20d:61ff:fe11:9077
Title: Re: Firewall security questions
Post by: b1izzard on December 09, 2009, 05:25:39 PM
Since I can do a port scan using either 2001 address, and they are both showing up, that tells me that they are both publicly accessible making them not private.   What is the point of the Privacy address?  What is its intended usage?
Title: Re: Firewall security questions
Post by: kcochran on December 09, 2009, 05:35:23 PM
The privacy address is named such as it doesn't include your NIC's MAC address in it.  It'll also change itself periodically.
Title: Re: Firewall security questions
Post by: b1izzard on December 09, 2009, 06:03:52 PM
Awesome.  Good to know.  That makes perfect sense since all MACs are unique.
Title: Re: Firewall security questions
Post by: jimb on December 09, 2009, 06:28:48 PM
Quote
Since I can do a port scan using either 2001 address, and they are both showing up, that tells me that they are both publicly accessible making them not private.   What is the point of the Privacy address?  What is its intended usage?
OOPS.  I used a bad choice of words.  I should have said "privacy" instead of "private".  Again, I discussed these briefly in a previous post (http://www.tunnelbroker.net/forums/index.php?topic=711.msg3430#msg3430).  Do you read what I write or just sort of "scan" it?  :P  

As broquea said, they're meant to provide some privacy via address anonymity.  Auto-configured IP addresses contain the MAC address of your machine, which can be used to identify your specific host.  Also, it's meant to provide some of the anonymity that being behind a NAT gives in the IPv4 world, where everyone's internet traffic is hidden behind a single public IP.  It's turned on by default in Windows, and will generate a new IPv6 in your prefix periodically, and start using it.  The original IPv6 stays around forever AFAIK, and the temporary privacy IPv6s stay around for a certain time period, then expire.  They're all reachable before they expire.  If you want to turn it off, you can issue the command:  netsh int ipv6 set privacy disabled

(this wiki page (http://en.wikipedia.org/wiki/IPv6_Addresses#Temporary_addresses) describes it in more detail)

The "fe80::224:1ff:fef5:a02%10" address is your default gateway, which is the link-local address of your D-Link, which I also referenced in this previous message (http://www.tunnelbroker.net/forums/index.php?topic=711.msg3418#msg3418).  (The %10 is just an interface index [zone index] which the OS pays attention to ... see here (http://en.wikipedia.org/wiki/IPv6_Addresses#Link-local_addresses_and_zone_indices)).
EDIT:  Oops.  I think you already understood this.

To answer your other question, you should just be able to add a static IP via the GUI if you wish.  I think this will turn autoconfiguration off.  I wouldn't use the autoconfig address.  Just use "2001:470:1f05:6db::10" or something like that.  Easier to type that way anyway.  You should be able to use the link-local of your D-Link as a default gateway, but you'll likely need to include the interface index too (the %10), or specify the interface.  Since it's link-local, it could be on any interface, and the OS has no idea which interface to use to get to it, hence the need for interface indexes.  Alternatively, you could use the global IPv6 you set on the D-Link, which should be "2001:470:1f05:6db::1" if you set it the way I expect you did.
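Added example (not code from any poster in this thread) that makes the distinction in the two posts above concrete: it tells an EUI-64 autoconfigured address apart from a privacy or manually assigned one by looking for the ff:fe marker, and recovers the MAC that the EUI-64 form leaks, which is the reason privacy addresses exist. The sample list reuses the addresses posted in this thread; the "manual" label for a short interface identifier is a heuristic, and a random-looking identifier cannot be told apart from a privacy address offline.

```python
import ipaddress

# Sample list built from addresses posted earlier in this thread.
SAMPLE_ADDRESSES = [
    "2001:470:1f05:6db:20d:61ff:fe11:9077",   # SLAAC, EUI-64 derived (note the ff:fe)
    "2001:470:1f05:6db:1859:ac7e:f09f:e1d0",  # RFC 4941 temporary ("privacy") address
    "fe80::224:1ff:fef5:a02%5",               # router link-local with Windows zone index
    "2001:470:1f05:6db::10",                  # manually assigned static address
]


def split_zone(raw: str):
    """Split 'addr%zone' into (addr, zone); zone is None when there is none."""
    text, _, zone = raw.partition("%")
    return text, (zone or None)


def eui64_mac(addr: ipaddress.IPv6Address):
    """Return the MAC embedded in a modified EUI-64 interface identifier, else None.

    RFC 4291 appendix A builds the IID by inserting ff:fe between the two halves
    of the 48-bit MAC and flipping the universal/local bit (0x02) of the first
    octet; undoing that is how any observer can read the NIC address off the IP.
    """
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return "-".join(f"{b:02X}" for b in octets)  # Windows ipconfig-style formatting


def classify(raw: str) -> dict:
    """Label one address by scope and by how its interface identifier was formed."""
    text, zone = split_zone(raw)
    addr = ipaddress.IPv6Address(text)
    mac = eui64_mac(addr)
    iid = addr.packed[8:]
    scope = "link-local" if addr.is_link_local else "global"
    if mac is not None:
        kind = "slaac-eui64"          # stable address; exposes the MAC
    elif iid[:6] == b"\x00" * 6:
        kind = "manual"               # short IID such as ::10 (heuristic)
    else:
        kind = "privacy-or-manual"    # random-looking IID; cannot be told apart offline
    return {"address": text, "zone": zone, "scope": scope, "kind": kind, "mac": mac}


def report(addresses):
    """Classify every address; rows tagged slaac-eui64 are the MAC-revealing ones."""
    return [classify(a) for a in addresses]


if __name__ == "__main__":
    for row in report(SAMPLE_ADDRESSES):
        print(row)
```

Running it against the XP ipconfig output above shows that the ff:fe address decodes to the NIC's physical address while the privacy address gives away nothing about the hardware.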
Title: Re: Firewall security questions
Post by: b1izzard on December 09, 2009, 06:41:03 PM
Sorry Jimb, I missed the second half of the post on the privacy.  You did address this.  Not enough sleep... 

I did try the fe80 as the gateway, but the Windows GUI wouldn't take it.  When I went back to it, it would be empty.  I tried entering 2001:470:1f05:6db::1, which is the D-Link LAN IPV6 address and it takes it.  Will it screw things up using that instead of the fe80 address of the D-Link?
Title: Re: Firewall security questions
Post by: jimb on December 09, 2009, 06:54:32 PM
Quote
Sorry Jimb, I missed the second half of the post on the privacy.  You did address this.  Not enough sleep... 

I did try the fe80 as the gateway, but the Windows GUI wouldn't take it.  When I went back to it, it would be empty.  I tried entering 2001:470:1f05:6db::1, which is the D-Link LAN IPV6 address and it takes it.  Will it screw things up using that instead of the fe80 address of the D-Link?
No.  It's fine.  It's debatable whether to use the global IPv6 or the Link-local for the default gateway.  Both work.  RA/autoconfiguration seems to always use the link-local.

One advantage I can see with using a link local address is that provided the MAC address of the router doesn't change, the IPv6 prefix can change, and the default router entry doesn't have to change.  This would be good in situations where the prefix might change on a somewhat regular basis, such as a 6to4 or Teredo situation.  However, since you're already having to change the global IPv6 addresses on every interface when your IPv4 changes, I don't see it as a whole lot of extra work to also update the default gateway.  So it's kind of moot to me.  Plus, if you change your router hardware, the link-local address will change too.  In a non-6to4/Teredo situation, this is more likely to happen than your prefix changing, unless you change ISPs frequently.  :P
Title: Re: Firewall security questions
Post by: b1izzard on December 10, 2009, 08:10:41 PM
I'm not sure if this is a problem with my D-Link firewall on the fritz with IPV6, but I am trying to set up Exchange 2007 (running on SBS 2008 64 bit) and am having trouble with the mail server certification.  Where it says "Schedule a test, and we will email you your new User Code", it just hangs on sending and I never receive an email.  I have disabled the firewall on the server and can see many open ports using your IPv6 scanner to 2001:470:1f05:6db:382a:5450:30d8:3c49, but for some reason it refuses to show port 25 as open.  When I do a telnet to it using IPV4, it sees the server just fine at remote.everettcoffee.com.  I can send and receive email and everything is perfect under IPv4. 

Any ideas what could cause this hang up?  Exchange 2007 is on SP1 from what I can tell (ver 8.1).  I haven't seen anything on Google with IPV6 not working on SBS 2008.  Is there something special you have to do for configuring Exchange 2007 for IPV6? 

I am assuming that you scan port 25, so that shouldn't be the problem.  The only other thing I can think of is to wipe the router and rebuild to see if it is the problem. 
Title: Re: Firewall security questions
Post by: jimb on December 10, 2009, 08:23:27 PM
Quote
I'm not sure if this is a problem with my D-Link firewall on the fritz with IPV6, but I am trying to set up Exchange 2007 (running on SBS 2008 64 bit) and am having trouble with the mail server certification.  Where it says "Schedule a test, and we will email you your new User Code", it just hangs on sending and I never receive an email.  I have disabled the firewall on the server and can see many open ports using your IPv6 scanner to 2001:470:1f05:6db:382a:5450:30d8:3c49, but for some reason it refuses to show port 25 as open.  When I do a telnet to it using IPV4, it sees the server just fine at remote.everettcoffee.com.  I can send and receive email and everything is perfect under IPv4. 

Any ideas what could cause this hang up?  Exchange 2007 is on SP1 from what I can tell (ver 8.1).  I haven't seen anything on Google with IPV6 not working on SBS 2008.  Is there something special you have to do for configuring Exchange 2007 for IPV6? 

I am assuming that you scan port 25, so that shouldn't be the problem.  The only other thing I can think of is to wipe the router and rebuild to see if it is the problem. 

Appears to be your server.  When I connect to port 25 on your IPv6 mail server it connected and came back with "421 service not available" and closed the connection.
Title: Re: Firewall security questions
Post by: b1izzard on December 11, 2009, 01:14:36 AM
Thanks for checking it jimb.  After looking into this, the problem was with my server as you mentioned.  It turned out to be a missing IPv6 entry for the Server > Hub transport > Network > 'Receive mail from remote servers that have these IP addresses' dialog box.  Anyway, I added the Remote IP addresses 0:0:0:0:0:0:0:0-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff and I could then Telnet in.  I still wasn't receiving the he.net email, but the logs showed that your email was getting filtered as spam so I made an exception for it and it came through.  Now onto RDNS.   :D