
Need help with creating a working IPv6 tunnel

Started by idjuric10, December 21, 2012, 11:33:52 AM


idjuric10

Hi, I'm having some trouble with setting up an IPv6 tunnel. Judging from the information you get from the Example Configuration you'd think that the process is simple and straightforward, that you'd just need to copy and paste four commands:

Quote:
netsh interface teredo set state disabled
netsh interface ipv6 add v6v4tunnel IP6Tunnel 79.101.74.9 216.66.80.30
netsh interface ipv6 add address IP6Tunnel 2001:470:1f0a:90e::2
netsh interface ipv6 add route ::/0 IP6Tunnel 2001:470:1f0a:90e::1

However, that doesn't work. Since I messed up I needed these commands to be able to start over:

Quote:
netsh interface ipv6 delete interface IP6Tunnel
netsh interface ipv6 reset

After I found out I needed to use the IPv4 address I got with the ipconfig command instead of the 79.101.74.9 in my example, I pasted the commands again with that corrected.

Quote:
netsh interface teredo set state disabled
netsh interface ipv6 add v6v4tunnel IP6Tunnel 192.168.1.2 216.66.80.30
netsh interface ipv6 add address IP6Tunnel 2001:470:1f0a:90e::2
netsh interface ipv6 add route ::/0 IP6Tunnel 2001:470:1f0a:90e::1

But it still won't work. After some asking around and reading these forums for a bit I found out that DMZ is often mentioned as the number one problem to why an IPv6 tunnel won't work. The router I'm using is Huawei HG 520s and the only mention of DMZ in the router settings that I seemed to find was this:



The SPI option was set to Disable so I tried enabling it even though I'm assuming that the description refers to the Enable option. Still won't work.

Apparently I should also try forwarding GRE and some other protocol, anyone know anything about that?

All help is greatly appreciated, thanks.

This was supposed to go to the IPv6 on Windows sub forum, hopefully a moderator will move it.

nickbeee

Your Windows config should use the second option as you are behind a NAT.

I'm not familiar with that router but it sounds like it's blocking protocol 41.
GRE (protocol 47) is not used in this case.

I had a quick look at a PDF manual, does yours have an option to set a FILTER? If so I suggest the following parameters:

Interface - whatever your WAN, likely PVC0
Direction - incoming
Type - tcp/ip
Source IP address - HE end of the tunnel 216.66.80.30
Subnet mask - 255.255.255.255 - only the one HE host address
Port number - 0
Protocol - This only has options for TCP/UDP/ICMP so try all three

No guarantee that this will work but there don't appear to be any other options on that router!
Nick B.

Tunnelling with [Open|Net|Free]BSD and IOS.
IPv6 courtesy of HE and Sixxs.

idjuric10

It does indeed have a Filter option, does this look about right?



Unfortunately I tried all three options (TCP/UDP/ICMP), deleting and resetting the tunnel after trying out each one but it didn't seem to make a difference. Any other thoughts?

Shouldn't I get an OK after inputting the second of the four commands if everything's working like it should? Because nothing comes out after I enter it.

kasperd

Quote from: idjuric10 on December 21, 2012, 11:33:52 AM
After some asking around and reading these forums for a bit I found out that DMZ is often mentioned as the number one problem to why an IPv6 tunnel won't work.

Any link to where you found such information?

I am not aware of any cases, where DMZ functionality would be the problem. On some routers, DMZ is the solution.

Quote from: idjuric10 on December 21, 2012, 11:33:52 AM
This was supposed to go to the IPv6 on Windows sub forum

I don't think so, because your question is about Huawei HG 520s, which I suppose doesn't run Windows. Looks like you did configure Windows correctly in your second attempt. My guess is the router is the only reason it didn't work for you.

Quote from: idjuric10 on December 21, 2012, 02:09:27 PM
I tried all three options (TCP/UDP/ICMP)

None of them are applicable. There are more than a hundred protocol numbers defined, if that checkbox only lists three of them, then your router is a bit too limited.

A sensible router would have an option in that pulldown menu saying "Other". If you chose other, then port number fields would disappear and instead you would see a single protocol number field, in which you could type in 41.

Can you show us the full list of possible choices for "Filter Type" and for "Protocol"?

Though I suspect the filter functionality isn't going to help. I think it is for blocking traffic, which would otherwise be allowed through. In that case adding filters isn't going to make it work, but if you did get it working, adding a filter might break it again.

So try to browse through the menus on the router looking for something more usable. Three sorts of features you should look for on the router are:

  • (port) forwarding
  • DMZ
  • IPv6 tunnel functionality (any page mentioning IPv6, 6to4, 6in4 or 6rd is interesting.)
If you don't find any of those three settings on the router, I am afraid you are going to need another router firmware to make it work.

idjuric10

Quote from: kasperd on December 21, 2012, 05:03:05 PM
Quote from: idjuric10 on December 21, 2012, 11:33:52 AM
After some asking around and reading these forums for a bit I found out that DMZ is often mentioned as the number one problem to why an IPv6 tunnel won't work.
Any link to where you found such information?

I am not aware of any cases, where DMZ functionality would be the problem. On some routers, DMZ is the solution.

Yeah sorry, that's what I meant, as far as I understood DMZ should be one of the top things that should solve the problem most people have with not being able to get a working tunnel.

Quote from: kasperd on December 21, 2012, 05:03:05 PM
Quote from: idjuric10 on December 21, 2012, 02:09:27 PM
I tried all three options (TCP/UDP/ICMP)
None of them are applicable. There are more than a hundred protocol numbers defined, if that checkbox only lists three of them, then your router is a bit too limited.

A sensible router would have an option in that pulldown menu saying "Other". If you chose other, then port number fields would disappear and instead you would see a single protocol number field, in which you could type in 41.

Can you show us the full list of possible choices for "Filter Type" and for "Protocol"?

Of course:





Quote from: kasperd on December 21, 2012, 05:03:05 PM
Though I suspect the filter functionality isn't going to help. I think it is for blocking traffic, which would otherwise be allowed through. In that case adding filters isn't going to make it work, but if you did get it working, adding a filter might break it again.

Makes sense, I guess that's probably the case.


Quote from: kasperd on December 21, 2012, 05:03:05 PM
So try to browse through the menus on the router looking for something more usable. Three sorts of features you should look for on the router are:

  • (port) forwarding
  • DMZ
  • IPv6 tunnel functionality (any page mentioning IPv6, 6to4, 6in4 or 6rd is interesting.)
If you don't find any of those three settings on the router, I am afraid you are going to need another router firmware to make it work.

Can't seem to find any of those unfortunately... Here are the available options:


kasperd

Quote from: idjuric10 on December 21, 2012, 11:56:27 PM
Here are the available options

Can we get to see what options are available under NAT, IP Route, and Port Mapping?

idjuric10



Don't know how I missed it, should've paid attention to the buttons too, good call!

After clicking on DMZ:



And after clicking on Port Forwarding:


kasperd

Quote from: idjuric10 on December 22, 2012, 03:45:35 AM
After clicking on DMZ:

Set it to enabled, and type in the LAN address of the Windows machine, where you are running the tunnel (192.168.1.2 according to your first post). Notice that this means that Windows machine will receive all traffic, which the router has no other place to send. So make sure that Windows machine is kept up to date with security fixes.

idjuric10

Just did that, still won't work. The next thing to try should be Port Forwarding, right?

kasperd

Quote from: idjuric10 on December 22, 2012, 04:00:14 AM
The next thing to try should be Port Forwarding, right?

Depends on what choices there are for the protocol.

My current guess is, your router is one of those, where DMZ is the only way to get it working. But we may need to fire up Wireshark or equivalent to see what is going on. I might be able to figure out something by probing your network with a few packets, but I don't have time at the moment.

If you don't get it working, you can try to leave it configured with the DMZ setting, which should work, then I'll find some time later to take another look.

idjuric10

The options are TCP and UDP:



And back to the option I first tried that I mentioned in the first post:



Should it be enabled or disabled?

kasperd

I tried traceroute towards your IP address using various kinds of packets. What I found was that I can do a traceroute to 79.101.74.9 using ICMP echo request. It responds to echo requests and I can see all hops in between.

If I do a traceroute using UDP packets or protocol 41 packets, I can see all hops until 212.200.15.66 (which according to the above traceroute is the next to last hop). But once the packets reach 79.101.74.9, they appear to be silently dropped.

Quote from: idjuric10 on December 22, 2012, 04:19:50 AM
The options are TCP and UDP

Then it is not applicable, since what you need to get through is not UDP or TCP, but rather protocol 41. So ignore the port forwarding section. The only forwarding you can use to get the tunnel through is the DMZ feature.

Quote from: idjuric10 on December 22, 2012, 04:19:50 AM
And back to the option I first tried that I mentioned in the first post:



Should it be enabled or disabled?

I think that should be disabled. If you set firewall to disabled is the SPI option still available, or does it get ghosted, once you disable firewall?

cholzhauer

My guess is your router is probably blocking protocol 41. Can you use something like Wireshark and look for packets to confirm/deny that?
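
Added example (not part of any post in this thread): a small Python sketch of what to look for in a capture, reading the IPv4 protocol field to tell 6in4 (protocol 41) apart from GRE (47) and TCP/UDP/ICMP, and decoding the inner IPv6 addresses. The function names and the sample packets are constructed for illustration; the addresses are the ones quoted in the thread.

```python
import ipaddress
import struct

# Illustrative names; nothing here comes from the router or from Wireshark.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 41: "IPv6-in-IPv4 (6in4)", 47: "GRE"}
HE_SERVER = ipaddress.IPv4Address("216.66.80.30")  # tunnel server named in the thread

def classify_packet(pkt: bytes) -> dict:
    """Parse an IPv4 header; if it carries protocol 41, decode the inner IPv6 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4              # header length in bytes, options included
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = pkt[9]                         # protocol number, not a TCP/UDP port
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    info = {"proto": proto, "name": PROTO_NAMES.get(proto, "other"),
            "src": str(src), "dst": str(dst), "tunnel": False}
    inner = pkt[ihl:]
    if proto == 41 and len(inner) >= 40 and inner[0] >> 4 == 6:
        info["tunnel"] = True
        info["from_he"] = (src == HE_SERVER)
        info["inner_src"] = str(ipaddress.IPv6Address(inner[8:24]))
        info["inner_dst"] = str(ipaddress.IPv6Address(inner[24:40]))
    return info

def build_ipv4(proto, src, dst, payload=b""):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) for sample data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_ipv6(src, dst):
    """Build a bare 40-byte IPv6 header (next header 59 = no next header)."""
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

# Constructed samples: a 6in4 packet from the HE server to the LAN host, and a GRE packet.
SAMPLE_6IN4 = build_ipv4(41, "216.66.80.30", "192.168.1.2",
                         build_ipv6("2001:470:1f0a:90e::1", "2001:470:1f0a:90e::2"))
SAMPLE_GRE = build_ipv4(47, "216.66.80.30", "192.168.1.2")

if __name__ == "__main__":
    for sample in (SAMPLE_6IN4, SAMPLE_GRE):
        print(classify_packet(sample))
```

If a capture on the Windows machine shows outgoing protocol 41 packets to 216.66.80.30 but none coming back, the drop is happening upstream of the host, which matches the router diagnosis in the posts above.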

snarked

General comment: In all the screens, plus info at http://www.modemarea.com/2011/07/huawei-hg520s-router-specifications/, there is no hint that the router itself handles IPv6. Although that doesn't mean conclusively that it won't pass protocol 41 (6in4), there does seem to be a correlation between not doing so when IPv6 support is missing.

The manufacturer does mention IPv6 support on its web site (but not specifically for that device). Their HG232f does claim to support IPv6. I suspect that you have an older device that may not.

idjuric10

Quote from: kasperd on December 22, 2012, 02:32:09 PM
Quote from: idjuric10 on December 22, 2012, 04:19:50 AM
And back to the option I first tried that I mentioned in the first post:



Should it be enabled or disabled?

I think that should be disabled. If you set firewall to disabled is the SPI option still available, or does it get ghosted, once you disable firewall?

It's still available even if I disable the firewall option... So I'll set SPI back to Disable, which was the default option.