Configuring router to use HE IPv6 Tunnel

Started by jbenamy, October 23, 2012, 07:40:46 PM

jbenamy

I have an ASUS RT-N56U router with custom firmware from http://code.google.com/p/rt-n56u/, which fully supports IPv6.  My ISP (DirecPath) does not support IPv6 so I created a tunnel with Tunnel Broker.  I am not exactly sure how to configure my router to use the tunnel I created.  I looked through the Example Configurations on HE's website, but I need some help.  A screenshot of my configuration page is attached.

kasperd

You already set the IPv6 connection type to be 6in4 as required. Ideally you should configure both 6in4 and 6to4, but since it appears your router cannot do both simultaneously, just use 6in4 and forget about 6to4.

The 6in4 remote endpoint should be configured with the server IPv4 address you can see on the tunnelbroker website. I think in your case it is 216.66.22.2, but I am not sure about that.

The tunnel MTU and tunnel TTL are a bit more complicated to find optimal values for. But the defaults look sensible in your case. Leave them as 1480 and 64 unless you find a problem, which is caused by those settings. Since your IPv4 connectivity appears to be IP over Ethernet, any MTU in the range from 1280 to 1480 should work. And for the TTL any value in the range from 30 to 255 should work. You don't have to configure the same MTU and TTL on your router and on the tunnel server, it will still work if the values are different. But different settings on the two ends may be confusing.

I don't know if the WAN section is applicable to you. But I think you are supposed to fill in the IPv6 addresses there, so for your tunnel it would be WAN address 2001:470:7:3f6::2 and default gateway 2001:470:7:3f6::1. And the prefix length should be 64.

In the DNS section I can see that you have already filled in Google's public DNS servers. I'd add 2001:470:20::2 as well. The order of those three is not important.

For the LAN side you appear to have only one LAN, so using the routed /64 should be sufficient. If I correctly understand the assignments that HE use, I think your routed /64 will be 2001:470:8:3f6::/64, but check the webpage to be sure. Choose any IPv6 address in that /64 for the router LAN address. Just needs to be one, which won't confuse you later. You could use 2001:470:8:3f6::3. Notice that the WAN side has a 7 and the LAN side has an 8.

The LAN router advertisement should be enabled. The LAN DHCPv6 server should not be required for you, but enabling it shouldn't hurt either. The two main reasons for using DHCPv6 are:

  • The LAN prefix length does not support auto configuration.
  • Router or clients do not support DNS configuration over router advertisements.

Since your prefix length is 64, the first does not apply to you. The second may apply to you; if that's the case, then with DHCPv6 disabled the clients will do DNS lookups over IPv4, and with DHCPv6 enabled the clients will do DNS lookups over IPv6.

jbenamy

Thank you so much!

kasperd

Quote from: jbenamy on October 24, 2012, 12:33:31 PM
It appears that my DNS isn't resolving:
C:\Users\Joseph>nslookup ipv6.he.net
DNS request timed out.
   timeout was 2 seconds.
Server:  UnKnown
Address:  2001:470:7:3f6::2

You are trying to use your router as DNS server. That's fine if your router is running a functional DNS server. But obviously it isn't.

Your configuration gives a few more clues about what may be wrong. The default gateway is using the link-local address of the router instead of the global address. There is nothing wrong with that per se, but it does hint that something may be going on.

The only information in the configuration, which is obviously wrong, is the IPv6 addresses, you are using on your LAN. Those are not from your routed prefix as they should be, but rather from the tunnel prefix (2001:470:7:3f6::/64). So your computer is using wrong addresses, which I assume it got from the router. So I think your router is configured incorrectly.

Additionally, I tried to traceroute the address of your router (2001:470:7:3f6::2), and it is not responding. So something is wrong on the router.

traceroute to 2001:470:7:3f6::2 (2001:470:7:3f6::2), 30 hops max, 80 byte packets
1  2001:470:1f0b:1da2:635a:c32:ae34:df91  0.475 ms  1.355 ms  1.378 ms
2  2001:470:1f0a:1da2::1  43.454 ms  46.897 ms  52.014 ms
3  2001:470:0:69::1  56.788 ms  64.801 ms  64.888 ms
4  2001:470:0:21b::2  60.104 ms  60.523 ms  54.970 ms
5  2001:470:0:1b1::1  140.909 ms  146.898 ms  146.925 ms
6  2001:470:20::2  138.679 ms  141.018 ms  143.488 ms


Guessing you might have swapped the routed prefix and the tunnel prefix, I also tried a traceroute to 2001:470:8:3f6::2. That showed a routing loop.

traceroute to 2001:470:8:3f6::2 (2001:470:8:3f6::2), 30 hops max, 80 byte packets
1  2001:470:1f0b:1da2:635a:c32:ae34:df91  0.313 ms  1.306 ms  1.376 ms
2  2001:470:1f0a:1da2::1  46.471 ms  51.157 ms  56.147 ms
3  2001:470:0:69::1  61.522 ms  66.483 ms  66.918 ms
4  2001:470:0:21b::2  80.484 ms  81.282 ms  75.566 ms
5  2001:470:0:1b1::1  148.853 ms  145.163 ms  144.591 ms
6  2001:470:20::2  133.118 ms  136.246 ms  138.741 ms
7  *  *  *
8  2001:470:20::2  184.531 ms  190.733 ms  *
9  *  *  *
10  *  *  *
11  *  *  *
12  *  2001:470:20::2  327.007 ms  344.707 ms
13  *  *  *
14  2001:470:20::2  352.542 ms  359.129 ms  315.659 ms
15  *  *  *
16  2001:470:20::2  395.315 ms  *  432.500 ms
17  *  *  *
18  2001:470:20::2  374.772 ms  403.224 ms  394.022 ms
19  *  *  *
20  2001:470:20::2  541.131 ms  564.465 ms  567.815 ms
21  *  *  *
22  2001:470:20::2  605.135 ms  603.240 ms  602.085 ms
23  *  *  *
24  2001:470:20::2  610.281 ms  *  *
25  *  *  *
26  *  2001:470:20::2  654.001 ms  *


I think that route is bouncing back and forth between your router and the tunnel server.

I don't know exactly what the misconfiguration is. But everything is pointing towards the router. So check the configuration of the router again.
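
The loop reading above rests on one responder answering at several hop counts. The following is an added example, not part of the original thread, that pulls that pattern out of traceroute text; the function names are hypothetical and the sample is an excerpt of the output posted above.

```python
import ipaddress
import re

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")

def _is_ipv6(token):
    try:
        ipaddress.IPv6Address(token)
        return True
    except ValueError:
        return False

def responders_by_ttl(trace):
    """Map each responder to the hop numbers where it answered without an error flag."""
    seen = {}
    for line in trace.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # header or blank line
        tokens = m.group(2).split()
        # Simplification: a "!H"-style flag marks the whole line as an
        # unreachable error, not a hop-limit-exceeded reply from a forwarder.
        if any(t.startswith("!") for t in tokens):
            continue
        for addr in {t for t in tokens if _is_ipv6(t)}:
            seen.setdefault(addr, []).append(int(m.group(1)))
    return seen

def find_loops(trace):
    """A responder seen at more than one hop number suggests a routing loop."""
    return {a: ttls for a, ttls in responders_by_ttl(trace).items() if len(ttls) > 1}

# Excerpt of the traceroute output posted above.
LOOP_TRACE = """\
traceroute to 2001:470:8:3f6::2 (2001:470:8:3f6::2), 30 hops max, 80 byte packets
5  2001:470:0:1b1::1  148.853 ms  145.163 ms  144.591 ms
6  2001:470:20::2  133.118 ms  136.246 ms  138.741 ms
7  *  *  *
8  2001:470:20::2  184.531 ms  190.733 ms  *
12  *  2001:470:20::2  327.007 ms  344.707 ms
"""

if __name__ == "__main__":
    print(find_loops(LOOP_TRACE))
```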

jbenamy

It seemed to sort itself out.  I think that the IPv6 information had not been received by my computer yet.  The information in my network connection details was inaccurate.  Works now.

kasperd

I still see the same routing loop, so something is not configured correctly. What does your router configuration look like?

jbenamy

Quote from: kasperd on October 24, 2012, 01:16:52 PM
Quote from: jbenamy on October 24, 2012, 01:02:21 PM
It seemed to sort itself out.  I think that the IPv6 information had not been received by my computer yet.  The information in my network connection details was inaccurate.  Works now.
I still see the same routing loop, so something is not configured correctly. What does your router configuration look like?

kasperd

The LAN IPv6 address is wrong. You entered 2001:470:7:3f6::2, but it should have been 2001:470:8:3f6::2. If you go to the tunnel page on tunnelbroker.net, you should see the difference between the two prefixes highlighted there as well.
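
The mix-up diagnosed above (a LAN address taken from the tunnel /64 instead of the routed /64) can be caught before the values are entered into the router. The following is an added example, not part of the original thread; `check_tunnel_config` and its parameter names are hypothetical, the addresses and the MTU and TTL ranges are the ones quoted in the thread, and the 1500-byte IPv4 MTU is an assumption.

```python
import ipaddress

def check_tunnel_config(tunnel_prefix, routed_prefix, wan_addr, gateway,
                        lan_addr, mtu=1480, ttl=64, ipv4_mtu=1500):
    """Hypothetical helper: return a list of findings ([] means consistent)."""
    tunnel = ipaddress.IPv6Network(tunnel_prefix)
    routed = ipaddress.IPv6Network(routed_prefix)
    wan = ipaddress.IPv6Address(wan_addr)
    gw = ipaddress.IPv6Address(gateway)
    lan = ipaddress.IPv6Address(lan_addr)
    findings = []

    if tunnel.overlaps(routed):
        findings.append("tunnel and routed prefixes overlap")
    # Both ends of the point-to-point link live in the tunnel /64.
    if wan not in tunnel:
        findings.append(f"WAN address {wan} is not in tunnel prefix {tunnel}")
    if gw not in tunnel or gw == wan:
        findings.append(f"gateway {gw} must be the other address in {tunnel}")
    # The LAN must be numbered from the routed /64 (the mistake in this thread).
    if lan in tunnel:
        findings.append(f"LAN address {lan} is in tunnel prefix {tunnel}; "
                        f"use an address from routed prefix {routed}")
    elif lan not in routed:
        findings.append(f"LAN address {lan} is not in routed prefix {routed}")
    # 6in4 adds a 20-byte IPv4 header; IPv6 needs an MTU of at least 1280.
    if not 1280 <= mtu <= ipv4_mtu - 20:
        findings.append(f"tunnel MTU {mtu} outside 1280..{ipv4_mtu - 20}")
    # TTL range taken from the advice earlier in the thread.
    if not 30 <= ttl <= 255:
        findings.append(f"tunnel TTL {ttl} outside 30..255")
    return findings

# Values quoted in the thread.
TUNNEL, ROUTED = "2001:470:7:3f6::/64", "2001:470:8:3f6::/64"
WAN, GATEWAY = "2001:470:7:3f6::2", "2001:470:7:3f6::1"

if __name__ == "__main__":
    for lan in ("2001:470:7:3f6::2", "2001:470:8:3f6::2"):
        result = check_tunnel_config(TUNNEL, ROUTED, WAN, GATEWAY, lan)
        print(lan, "->", result or "OK")
```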

jbenamy

I have updated it now.

kasperd

Now it looks correct.

Your router is not responding to echo requests. That is not an immediate problem, but it could become a problem at some point.

If I do a traceroute to an unused IPv6 address on your LAN, I see the expected result including the IP address of your router. So now you appear to have gotten the prefixes right.

traceroute to 2001:470:8:3f6::42 (2001:470:8:3f6::42), 30 hops max, 80 byte packets
1  2001:470:1f0b:1da2:635a:c32:ae34:df91  0.253 ms  0.221 ms  0.253 ms
2  2001:470:1f0a:1da2::1  50.882 ms  56.521 ms  61.156 ms
3  2001:470:0:69::1  61.680 ms  61.794 ms  61.846 ms
4  2001:470:0:21b::2  64.441 ms  64.558 ms  59.869 ms
5  2001:470:0:1b1::1  139.566 ms  139.141 ms  139.181 ms
6  2001:470:20::2  129.242 ms  132.181 ms  134.570 ms
7  2001:470:7:3f6::2  148.149 ms  149.443 ms  192.040 ms
8  *  *  *
9  *  *  *
10  *  *  *
11  *  *  *
12  *  *  *
13  *  *  *
14  *  *  *
15  *  *  *
16  *  *  *
17  *  *  *
18  *  *  *
19  *  *  *
20  *  *  *
21  *  *  2001:470:7:3f6::2  423.981 ms !H

jbenamy

My router is configured not to respond to ICMP requests because it's a home router.  Do you recommend that I respond to requests?

kasperd

I think it is a good idea to reply to ICMP and ICMPv6 echo requests.

jbenamy

I enabled Respond Ping Request from WAN, but it appears that that only impacted IPv4 requests.  I will contact the firmware developer, I guess.