I'm actually building my own company and want to provide all sorts of technology services, and in order to do that I need to be dual stack enabled (I am, but my ISP, Century Link, is not). So I built out my first tunnel, got it fully working, then completed the IPv6 certification program, and now I am building out Mobile IPv6 routers that can drop onto any network, update their tunnel end-point, and connect to the IPv6 network with their own firewall! I'll have 4 of these and they will be pretty handy for building out our initial POPs!

Thank you HE team for building this amazing tool, and the IPv6 certification program! It has really helped kick-start the back-end mess of Unknown Technology Solutions!

As always, if anyone has any questions, I'd love to answer them, so feel free to ask me however!

Thanks for the quick reply.  Btw, some of the IPs and names in the original post were anonymized.

I ran mtr from outside in, and it sees losses of 1 to 8% ofver all the hops.  I see 60^ loss on the tserv15.lax1 hop,a dn also 60% at hops near the destination.  Here is tracing to google:

 2. tunnel201234.tunnel.tserv15.lax1 60.0%   336   15.1  30.0  13.5 192.7  33.2
 3. 10ge9-12.core1.lax1.he.net        1.8%   336  128.7  29.1  12.0 172.5  33.7
 4. 100ge14-1.core1.lax2.he.net       2.1%   336   13.3  34.9  12.1 430.9  44.3
 5. 2001:504:13::210:41               2.4%   336   12.4  26.4  12.4 181.5  28.8
 6. 2001:4860:0:110d::1              57.6%   336   54.3  26.4  12.5 161.8  25.4
 7. 2001:4860:0:1::430f              77.3%   336   24.9  28.1  13.4 146.2  30.2
 8. lax31s06-in-x04.1e100.net         2.4%   336   33.5  25.7  11.1 172.9  31.0

vs. in (from a different far side, not google)

 1. 2001:1878:400::                  1.7%   466    0.5   0.3   0.2  13.0   0.6
 2. 2001:1878:18:5::3                 9.9%   466    1.2   1.2   1.1   2.7   0.3
 3. ve338.core1.lax2.he.net           1.7%   466    0.9   3.7   0.9  49.0   8.6
 4. 100ge2-2.core1.lax1.he.net        1.7%   466    1.0   3.3   0.9 453.2  24.0
 5. tserv1.lax1.he.net                2.1%   465    4.7  19.7   3.5 171.9  34.1
 6.
 7. me        4.7%   465   55.8  36.7  12.4 181.9  42.4

I'm not really sure how to use mtr to tell which side has the loss, unfortunately.

The PL didn't continue next hop, its 0% until the destination. Might have loss on the return path or an issue itself at the destination.

I'm seeing 60% packet loss at tserv15.lax1.  That's... fairly unpleasant.
Does anyone else see this kind of problem?


                                       Packets               Pings
 Host                                Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 2001:470:d:aaa::1                 0.0%    30    0.7   0.7   0.6   0.9   0.1
 2. tunnel201234.tunnel.tserv15.lax1 60.0%    30   17.0  30.3  15.2 129.7  32.3
 3. 10ge9-12.core1.lax1.he.net        0.0%    30   30.2  31.6  12.6 141.4  34.5
 4. 100ge14-1.core1.lax2.he.net       0.0%    30  134.0  50.2  12.6 216.5  54.3
 5. 2001:470:1:4a0::2                 0.0%    30   43.8  22.6  12.2 102.6  19.5
 6. 2001:1878:0:2::3                 20.7%    29   16.5  27.3  13.5 115.0  26.8

Judging by how this has gone thus far, and you not being able to access it from the internet, are you sure that everything is port-forwarded correctly, and also that there is no strange ACL stuff going on? If this is on IPv6 then port-forwarding is most likely the cause. If you have any questions, I can post screenshots of my router configuration for port-forwarding IPv6

Howdy,
I may not have my domains registered with Network Solutions, but I did run into what seems to be a similar issue to what you might be having.
Assuming you have glue records with your provider, you should set the first NS to an IPv6 address, then the second NS to an IPv6 address. Then, on your own DNS server, go ahead and assign IPv6 and IPv4 addresses to the NS addresses you set in the glue records. Once the TLD NSes have propagated your NS addresses, all future DNS requests will pretty much entirely bypass the TLD NSes, and go straight to your server where they will find both IPv4 and v6 addresses for your NS, which will then override the TLD servers since they aren't authoritative for your domain. I can post screenshots to better describe what I am talking about if wanted.

It looks like I could maintain a table of IPv6 addresses that the Apple TV's are using by running:

     ndp -a | egrep '(mac[0]|mac[1]...)'

on the firewall and throwing that addresses that I find into a table.

Ah yes, I forgot about privacy extensions.

Why would you have to change from SLAAC to DHCPv6 to block the oubound traffic?  I assume it's because you'd just block the IP of your device, but the SLAAC address shouldn't change, right?

The issue is privacy extensions and knowing what the current IP address is on each of my Apple TVs. Under privacy extensions, the IPv6 addresses do change. So, I'm thinking about moving from SLAAC to DHCPv6 because lacking a way to convert the ethernet address of my Apple TV into the IPv6 address that it's currently using, I would instead move to an address protocol that allows me to force certain devices to have certain IPv6 addresses. Then listing those addresses in a firewall table that blocked traffic over IPv6 to netflix is simple.

Here's a question: Is ndp a cache like arp? Or is it something else? If ndp is a cache like ARP then I expect that I cannot reasonably translate Ethernet address  into a temporary IPv6 allocation in a script. That leads to this question: Given an ethernet address, can I figure out which IPv6 address a specific device is using?

The root problem here is that the IP addresses on both sides of the equation are dynamic.

Why would you have to change from SLAAC to DHCPv6 to block the oubound traffic?  I assume it's because you'd just block the IP of your device, but the SLAAC address shouldn't change, right?