As in the subject, I am trying to connect my Windows 7 laptop (internal IPv4 192.168.1.117) over my IPv6 tunnel, and I have a NATting IPCop router in the way.
On the windows machine I have run the following:
netsh interface ipv6 add v6v4tunnel IP6Tunnel 192.168.1.117 216.66.80.26
netsh interface ipv6 add address IP6Tunnel 2001:470:1f08:88a::2
netsh interface ipv6 add route ::/0 IP6Tunnel 2001:470:1f08:88a::1
netsh interface ipv6 set route 2001:470:1f08:88a::2/64 IP6Tunnel metric=4
On the IPCop machine I couldn't see a handy option in the web interface for forwarding protocol 41, and Google wasn't particularly helpful, but I SSH'd in and ran the following:
# iptables -t filter -A INPUT -p ipv6 -s 0/0 -d 0/0 -j ACCEPT
# iptables -t filter -A OUTPUT -p ipv6 -s 0/0 -d 0/0 -j ACCEPT
# iptables -t filter -A FORWARD -p ipv6 -s 0/0 -d 192.168.1.117 -j ACCEPT
What have I missed? I can ping the IPv4 address of the tunnel server (216.66.80.26) OK, so connectivity that way is fine, and I can ping the local 2001:470:1f08:88a::2 address, but I can't ping 2001:470:1f08:88a::1 or any IPv6 Internet hosts.
Laptop IPConfig, route table etc:
C:\Users\Neil>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : Zarf-Delta
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : localdomain
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : ****************
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : Broadcom NetLink (TM) Fast Ethernet
Physical Address. . . . . . . . . : ************
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::fca4:b97f:c18:ea4e%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.117(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 27 February 2010 21:14:41
Lease Expires . . . . . . . . . . : 01 March 2010 15:32:18
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DHCPv6 IAID . . . . . . . . . . . : 234890158
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-0E-F2-96-00-23-AE-07-1C-84
DNS Servers . . . . . . . . . . . : 192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled
Wireless LAN adapter Wireless Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
Physical Address. . . . . . . . . : *****************
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.localdomain:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{34FF5EFB-A21D-4BDA-AC4E-72C27AC731D6}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter IP6Tunnel:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Direct Point-to-point Adapater
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\Neil>route print
===========================================================================
Interface List
16...00 1f 3a d7 43 16 ......Bluetooth Device (Personal Area Network)
11...00 23 ae 07 1c 84 ......Broadcom NetLink (TM) Fast Ethernet
13...00 1d e0 3a 71 89 ......Intel(R) Wireless WiFi Link 4965AGN
1...........................Software Loopback Interface 1
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
27...00 00 00 00 00 00 00 e0 Microsoft Direct Point-to-point Adapater
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.117 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.117 276
192.168.1.117 255.255.255.255 On-link 192.168.1.117 276
192.168.1.255 255.255.255.255 On-link 192.168.1.117 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.117 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.117 276
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
11 276 fe80::/64 On-link
11 276 fe80::fca4:b97f:c18:ea4e/128 On-link
1 306 ff00::/8 On-link
11 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
If Metric Network Destination Gateway
0 4294967295 ::/0 2001:470:1f08:88a::1
0 4 2001:470:1f08:88a::/64 On-link
===========================================================================
C:\Users\Neil>ping -6 ipv6.google.com
Pinging ipv6.l.google.com [2a00:1450:8006::6a] with 32 bytes of data:
General failure.
General failure.
General failure.
General failure.
Ping statistics for 2a00:1450:8006::6a:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\Neil>
IPCop iptables -L
root@ipcop:~ # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
BADTCP all -- anywhere anywhere
ACCOUNT_INPUT all -- anywhere anywhere
CUSTOMINPUT all -- anywhere anywhere
FW_ADMIN all -- anywhere anywhere
FW_INPUT all -- anywhere anywhere
FW_IPCOP all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
DROP all -- 127.0.0.0/8 anywhere state NEW
DROP all -- anywhere 127.0.0.0/8 state NEW
REDINPUT all -- anywhere anywhere
FW_XTACCESS all -- anywhere anywhere state NEW
FW_LOG all -- anywhere anywhere
ACCEPT ipv6 -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
BADTCP all -- anywhere anywhere
ACCOUNT_FORWARD_IN all -- anywhere anywhere
ACCOUNT_FORWARD_OUT all -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
CUSTOMFORWARD all -- anywhere anywhere
FW_FORWARD all -- anywhere anywhere
FW_IPCOP_FORWARD all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
DROP all -- 127.0.0.0/8 anywhere state NEW
DROP all -- anywhere 127.0.0.0/8 state NEW
PORTFWACCESS all -- anywhere anywhere state NEW
FW_LOG all -- anywhere anywhere
ACCEPT ipv6 -- anywhere Zarf-Delta
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCOUNT_OUTPUT all -- anywhere anywhere
CUSTOMOUTPUT all -- anywhere anywhere
ACCEPT ipv6 -- anywhere anywhere
Chain ACCOUNT_FORWARD_IN (1 references)
target prot opt source destination
Chain ACCOUNT_FORWARD_OUT (1 references)
target prot opt source destination
Chain ACCOUNT_INPUT (1 references)
target prot opt source destination
Chain ACCOUNT_OUTPUT (1 references)
target prot opt source destination
Chain BADTCP (2 references)
target prot opt source destination
PSCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PSCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PSCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
PSCAN tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
PSCAN tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
NEWNOTSYN tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
Chain CUSTOMFORWARD (1 references)
target prot opt source destination
Chain CUSTOMINPUT (1 references)
target prot opt source destination
Chain CUSTOMOUTPUT (1 references)
target prot opt source destination
Chain FW_ADMIN (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:oa-system
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
Chain FW_DMZHOLES (0 references)
target prot opt source destination
Chain FW_FORWARD (1 references)
target prot opt source destination
Chain FW_INPUT (1 references)
target prot opt source destination
Chain FW_IPCOP (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT icmp -- anywhere anywhere icmp echo-request
Chain FW_IPCOP_FORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain FW_LOG (2 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `RED DROP '
DROP all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `GREEN REJECT '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
DROP all -- anywhere anywhere
Chain FW_XTACCESS (1 references)
target prot opt source destination
Chain NEWNOTSYN (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `NEW not SYN? '
DROP all -- anywhere anywhere
Chain PORTFWACCESS (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.1.102 tcp dpt:12443
ACCEPT udp -- anywhere 192.168.1.102 udp dpt:12443
Chain PSCAN (5 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `TCP Scan? '
LOG udp -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `UDP Scan? '
LOG icmp -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `ICMP Scan? '
LOG all -f anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `FRAG Scan? '
DROP all -- anywhere anywhere
Chain REDINPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:bootps dpt:bootpc
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
Chain WIRELESSFORWARD (0 references)
target prot opt source destination
Chain WIRELESSINPUT (0 references)
target prot opt source destination
Never mind, cleaned house and started again, this time using netsh interface ipv6 add v6v4tunnel interface=IP6Tunnel 192.168.1.117 216.66.80.26 because I'm on 64-bit.
C:\Users\Neil>ping -6 ipv6.google.com
Pinging ipv6.l.google.com [2a00:1450:8006::63] with 32 bytes of data:
Reply from 2a00:1450:8006::63: time=61ms
Reply from 2a00:1450:8006::63: time=63ms
Reply from 2a00:1450:8006::63: time=83ms
Reply from 2a00:1450:8006::63: time=62ms
Ping statistics for 2a00:1450:8006::63:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 61ms, Maximum = 83ms, Average = 67ms
C:\Users\Neil>
:D
BTW, you shouldn't need the INPUT or OUTPUT chain rules on the iptables firewall.
All you need is a NAT rule for proto 41 traffic (iptables --append PREROUTING --table nat --destination <outside IP> --proto 41 --jump DNAT --to-destination <inside IP>), and a rule in the FORWARD chain allowing the traffic to the NATed IP (as you had in your OP).
May I suggest, however, that you simply terminate your 6in4 tunnel to the Linux router instead of the Windows box? That way you wouldn't even need to deal with NAT, and you could use your routed /64 IPv6 on the inside for any machine you want on your LAN, and even automate address assignment by using radvd or DHCPv6. Just make sure you set up ip6tables so your IPv6 enabled boxen aren't wide open.
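The two router-side setups jimb describes, written out as an added example (this is not jimb's, IPCop's or the original poster's code). The script only prints the commands so the ruleset can be reviewed before piping it into `sh -e` on the router. Everything except the HE tunnel server (216.66.80.26), the client tunnel address (2001:470:1f08:88a::2) and the laptop (192.168.1.117) is an assumed placeholder: the router's public RED address 203.0.113.10, the GREEN interface eth0, the sit interface name he-ipv6, and 2001:db8:1::/64 standing in for the routed /64 that HE assigns and the thread does not show. Two practitioner points are built in. First, the listing above shows that rules appended with -A to INPUT or FORWARD land after the FW_LOG chain, whose final unconditional DROP means they are never reached; IPCop provides the CUSTOMINPUT and CUSTOMFORWARD chains (normally populated from rc.firewall.local) for exactly this, so the generated rules go there, and the nat rule is inserted at the top of PREROUTING. Second, because the laptop initiates the 6in4 exchange, IPCop's MASQUERADE conntrack entry for protocol 41 already lets the server's replies back in; the DNAT is what makes packets arriving with no conntrack entry (for instance after the 600 s default generic conntrack timeout) still reach the laptop, and it is limited to the tunnel server's source address so nobody else on the Internet can push encapsulated IPv6 at the inside host.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the router-side commands for
# the two approaches jimb describes:
#   passthrough : tunnel stays on the Windows box; router DNATs protocol 41
#   terminate   : router becomes the 6in4 endpoint and firewalls the LAN
# It prints commands instead of running them; review, then apply with e.g.
#   sh tunnel6.sh terminate | sh -e
# All addresses except the HE server, the tunnel client address and the
# Windows host are ASSUMED placeholders.

TUN_SERVER=216.66.80.26            # HE tunnel server (from the thread)
TUN_LOCAL6=2001:470:1f08:88a::2    # client end of the tunnel /64 (from the thread)
LAN_HOST=192.168.1.117             # the Windows 7 laptop (from the thread)
RED_IP=203.0.113.10                # ASSUMED: router's public (RED) IPv4
LAN_IF=eth0                        # ASSUMED: router's GREEN interface
TUN_IF=he-ipv6                     # ASSUMED: name for the sit interface
LAN_PREFIX=2001:db8:1::            # ASSUMED: stands in for HE's routed /64

# Approach A: keep the tunnel on the laptop and pass protocol 41 through NAT.
# The DNAT only accepts the tunnel server as source. The FORWARD accept goes
# into CUSTOMFORWARD because anything appended after FW_LOG is unreachable.
# Outbound packets from the laptop are already allowed by IPCop's accept of
# NEW traffic from the LAN, and replies by its RELATED,ESTABLISHED rule, so
# the INPUT/OUTPUT accepts from the original post are not needed.
passthrough_rules() {
    printf '%s\n' \
      "iptables -t nat -I PREROUTING -p 41 -s $TUN_SERVER -d $RED_IP -j DNAT --to-destination $LAN_HOST" \
      "iptables -A CUSTOMFORWARD -p 41 -s $TUN_SERVER -d $LAN_HOST -j ACCEPT"
}

# Approach B: terminate the tunnel on the router and route the /64 to the LAN.
# Policy is DROP for inbound and forwarded IPv6; only replies, ICMPv6 (needed
# for neighbour discovery and path MTU discovery) and LAN-originated traffic
# get through, so LAN hosts with global addresses are not wide open.
terminate_rules() {
    printf '%s\n' \
      "sysctl -w net.ipv6.conf.all.forwarding=1" \
      "ip tunnel add $TUN_IF mode sit remote $TUN_SERVER local $RED_IP ttl 255" \
      "ip link set $TUN_IF up" \
      "ip -6 addr add $TUN_LOCAL6/64 dev $TUN_IF" \
      "ip -6 route add ::/0 dev $TUN_IF" \
      "ip -6 addr add ${LAN_PREFIX}1/64 dev $LAN_IF" \
      "iptables -A CUSTOMINPUT -p 41 -s $TUN_SERVER -d $RED_IP -j ACCEPT" \
      "ip6tables -P INPUT DROP" \
      "ip6tables -P FORWARD DROP" \
      "ip6tables -P OUTPUT ACCEPT" \
      "ip6tables -A INPUT -i lo -j ACCEPT" \
      "ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
      "ip6tables -A INPUT -p icmpv6 -j ACCEPT" \
      "ip6tables -A INPUT -i $LAN_IF -j ACCEPT" \
      "ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" \
      "ip6tables -A FORWARD -p icmpv6 -j ACCEPT" \
      "ip6tables -A FORWARD -i $LAN_IF -o $TUN_IF -j ACCEPT"
}

# radvd configuration that advertises the routed /64 on the LAN (SLAAC).
radvd_conf() {
    cat <<EOF
interface $LAN_IF {
    AdvSendAdvert on;
    prefix ${LAN_PREFIX}/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
EOF
}

if [ $# -gt 0 ]; then
    case "$1" in
        passthrough) passthrough_rules ;;
        terminate)   terminate_rules
                     echo "# write the following to /etc/radvd.conf:"
                     radvd_conf ;;
        *) echo "usage: $0 passthrough|terminate" >&2; exit 2 ;;
    esac
fi
```

With the terminate approach the HE side needs no change, since the tunnel's IPv4 endpoint was already the router's public address while the laptop sat behind its NAT. If you want DHCPv6 instead of SLAAC, replace the radvd prefix block with AdvAutonomous off and AdvManagedFlag on, and run a DHCPv6 server on the GREEN interface.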
Quote from: jimb on March 01, 2010, 01:10:21 PM
May I suggest, however, that you simply terminate your 6in4 tunnel to the Linux router instead of the Windows box? That way you wouldn't even need to deal with NAT, and you could use your routed /64 IPv6 on the inside for any machine you want on your LAN, and even automate address assignment by using radvd or DHCPv6. Just make sure you set up ip6tables so your IPv6 enabled boxen aren't wide open.
I agree - this seems to be the best way to go. I wouldn't normally be opposed to terminating the tunnel to a router so that there's no additional hardware needed, since the same results are produced, but I bricked (not permanently) a few routers by doing that with DD-WRT.