• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Windows 2012 Gateway with RRAS Not Forwarding Client IPv6 Traffic

Started by randomparity, April 20, 2013, 11:19:41 PM


randomparity

I've previously used Linux and successfully enabled forwarding across an HE IPv6 tunnel and am now trying with Windows 2012.  I have the tunnel set up and working on the Windows 2012 gateway system (passes http://test-ipv6.com with a 10/10 readiness score).  I've also configured the Windows 2012 gateway for route advertisement as follows (addresses changed to protect the guilty):

netsh interface teredo set state disabled
netsh interface ipv6 add v6v4tunnel IP6Tunnel 1.2.3.4 66.220.18.42
netsh interface ipv6 add address IP6Tunnel 2001:ffff:c:ffff::2
netsh interface ipv6 add route ::/0 IP6Tunnel 2001:ffff:c:ffff::1 publish=yes
netsh interface ipv6 set interface IP6Tunnel forwarding=enabled
netsh interface ipv6 add address "Intranet LOM" 2001:ffff:d:ffff::1
netsh interface ipv6 set interface "Intranet LOM" forwarding=enabled advertise=enabled routerdiscovery=enabled advertisedefaultroute=enabled
netsh interface ipv6 set route 2001:ffff:d:ffff::/64 "Intranet LOM" publish=yes

From the client system I can ping the gateway LOM port at 2001:ffff:d:ffff::1, I can ping the local endpoint of the IP6Tunnel at 2001:ffff:c:ffff::2, but I can't ping the remote endpoint at 2001:ffff:c:ffff::1, suggesting that IPv6 forwarding isn't enabled.  What did I miss?

Dave

cholzhauer

Here's a document a friend shared with me years ago.  This was done in Vista, not Server 2k12, but I have to assume it hasn't changed much.


Steps below were done in Vista.  Steps for Windows 7 might be a little different.

1.  Open Regedit, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters
2.  Add STRING value called 'DisabledComponents' and set its value to 0; Reboot
3.  Open the LAN adapter properties and open the IPv6 properties
4.  Manually add an address from this subnet: 2001:470:1f07:e9a::/64
5.  Keep the prefix at 64
6.  Add this gateway: 2001:db8:2:e9a::1
7.  Add this DNS server: 2001:470:200::2 (this is one of HE's DNS servers)
8.  Click OK and OK to save the changes
9.  Open 'cmd' and type the following commands
netsh interface teredo set state disabled
netsh interface ipv6 add v6v4tunnel IP6Tunnel <your local IP address> 216.66.22.2
netsh interface ipv6 add address IP6Tunnel 2001:db8:2:e9a::2
netsh interface ipv6 add route ::/0 IP6Tunnel 2001:db8:2:e9a::1
10.  Test IPv6 connectivity by pinging or opening a website like ipv6.google.com

Steps to configure host to act as IPv6 router

1.  In CMD type: netsh int ipv6 set interface IP6Tunnel forwarding=enabled
2.  Next, type: netsh int ipv6 set interface "Local Area Connection" forwarding=enabled advertise=enabled
3.  Next, add the first address of the routed IP address to the Local Area Connection
netsh int ipv6 add address "Local Area Connection" 2001:db8:1:a0a::1
4.  Next, add the default route and next hop for the tunnel and Local Area Connection, then publish it:
netsh int ipv6 set route 2001:db8:1:a0a::/64 "Local Area Connection" publish=yes
5.  Next, add the default route for the tunnel and publish it:
netsh interface ipv6 set route ::/0 IP6Tunnel 2001:470:7:a0a::1 publish=yes

randomparity

Thanks but I tried it and still no joy. 

The commands are essentially the same as my first post and in fact I need the "routerdiscovery=enabled advertisedefaultroute=enabled" settings otherwise I can't even ping the local IPv6 gateway (running "route print" on the Windows 7 client system doesn't show a valid route without them).  The regedit line just enabled all IPv6 services and is already present and valid on my client system. 

I also disabled both the LAN and WAN firewalls just in case they were blocking traffic, no difference.

Adding the interface configuration for the internal IPv4/IPv6 LOM, the external IPv4 LOM, and the external IPv6 tunnel in case it provides any clues.

C:\Users\administrator>netsh int ipv4 show interfaces "Internet LOM"

Interface Internet LOM Parameters
----------------------------------------------
IfLuid                             : ethernet_7
IfIndex                            : 12
State                              : connected
Metric                             : 10
Link MTU                           : 1500 bytes
Reachable Time                     : 19000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 3
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : enabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : dhcp
Managed Address Configuration      : enabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled
ECN capability                     : application


C:\Users\administrator>netsh int ipv6 show interfaces IP6Tunnel

Interface IP6Tunnel Parameters
----------------------------------------------
IfLuid                             : tunnel_8
IfIndex                            : 18
State                              : connected
Metric                             : 10
Link MTU                           : 1280 bytes
Reachable Time                     : 25500 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 1
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : enabled
Advertising                        : disabled
Neighbor Discovery                 : disabled
Neighbor Unreachability Detection  : disabled
Router Discovery                   : disabled
Managed Address Configuration      : disabled
Other Stateful Configuration       : disabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled
ECN capability                     : application
Link-Layer Address                 : 1.2.3.4
Remote Link-Layer Address          : 66.220.18.42


C:\Users\administrator>netsh int ipv4 show interfaces "Intranet LOM"

Interface Intranet LOM Parameters
----------------------------------------------
IfLuid                             : ethernet_11
IfIndex                            : 13
State                              : connected
Metric                             : 10
Link MTU                           : 1500 bytes
Reachable Time                     : 42000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 3
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : enabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : dhcp
Managed Address Configuration      : enabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled
ECN capability                     : application

C:\Users\administrator>netsh int ipv6 show interfaces "Intranet LOM"

Interface Intranet LOM Parameters
----------------------------------------------
IfLuid                             : ethernet_11
IfIndex                            : 13
State                              : connected
Metric                             : 10
Link MTU                           : 1500 bytes
Reachable Time                     : 36500 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 1
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : enabled
Advertising                        : enabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : enabled
Managed Address Configuration      : enabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : enabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled
ECN capability                     : application


Dave
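The interface dumps in the post above can be checked mechanically against the settings the `netsh` router commands are supposed to produce. The following is an added example, not part of the original posts: the function names are hypothetical and the sample text is constructed in the layout of the posted output. Feed it only `netsh int ipv6 show interfaces` output, since the `ipv4` form prints the same header and would be merged under the same interface name.

```python
import re

# Constructed sample in the layout of `netsh int ipv6 show interfaces <name>`,
# cut down to the routing-related fields; values mirror the output posted above.
SAMPLE = """\
Interface IP6Tunnel Parameters
----------------------------------------------
Forwarding                         : enabled
Advertising                        : disabled
Advertise Default Route            : disabled

Interface Intranet LOM Parameters
----------------------------------------------
Forwarding                         : enabled
Advertising                        : enabled
Advertise Default Route            : enabled
"""

HEADER = re.compile(r"^Interface (.+) Parameters$")

def parse_interfaces(text):
    """Return {interface name: {field: value}} from netsh interface dumps."""
    result, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = result.setdefault(m.group(1), {})
        elif current is not None and " : " in line:
            key, value = line.split(" : ", 1)
            current[key.strip()] = value.strip()
    return result

def router_findings(ifaces, tunnel, lan):
    """List settings that differ from what the router setup in this thread needs."""
    wanted = {
        tunnel: {"Forwarding": "enabled"},
        lan: {"Forwarding": "enabled", "Advertising": "enabled",
              "Advertise Default Route": "enabled"},
    }
    findings = []
    for name, fields in wanted.items():
        have = ifaces.get(name, {})  # unknown interface: every field is missing
        for field, want in fields.items():
            got = have.get(field, "missing")
            if got != want:
                findings.append(f"{name}: {field} is {got}, expected {want}")
    return findings

if __name__ == "__main__":
    issues = router_findings(parse_interfaces(SAMPLE), "IP6Tunnel", "Intranet LOM")
    print("\n".join(issues) or "forwarding and advertisement settings are in place")
```

An empty findings list for the posted values means the forwarding and advertisement flags are set as intended, so the cause of the dropped replies has to be looked for elsewhere.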

cholzhauer

If you run a packet trace on the tunnel server while trying to ping the outside world from a client, do you see anything?

randomparity

Yes, Network Monitor shows the following when I ping ipv6.google.com:

1) An IPv6/ICMPv6 echo request sent from the Windows 7 system to the Windows 2012 gateway (2001:ffff:d:ffff::1)
2) An IPv4/IPv6/ICMPv6 encapsulated frame sent from the local tunnel endpoint IP (1.2.3.4) to the remote tunnel IP (66.220.18.42)
3) An IPv4/IPv6/ICMPv6 echo reply from the remote tunnel IP (66.220.18.42) to the local tunnel IP (1.2.3.4)

There should be a step 4 to complete the ping but that doesn't occur; steps 1-3 repeat again until the ping terminates.  Seems like the frame is not decapsulated or is not forwarded on the local network.

Routing table is shown as:

C:\Users\administrator>netsh
netsh>int
netsh interface>ipv6
netsh interface ipv6>show route

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
Yes      Manual    256  ::/0                       18  2001:FFFF:c:FFFF::1
No       System    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       System    256  2001:FFFF:c:FFFF::/64        18  IP6Tunnel
No       System    256  2001:FFFF:c:FFFF::2/128      18  IP6Tunnel
Yes      System    256  2001:FFFF:d:FFFF::/64        13  Intranet LOM
No       System    256  2001:FFFF:d:FFFF::/128       13  Intranet LOM
No       System    256  2001:FFFF:d:FFF::1/128      13  Intranet LOM
No       System    256  2001:FFFF:d:FFF:68f7:1a9a:18ed:f8c3/128   13  Intranet LOM
No       System    256  2001:FFFF:d:FFF:dfa7:58f:af75:82cc/128   13  Intranet LOM
No       System    256  fe80::/64                  13  Intranet LOM
No       System    256  fe80::/64                  18  IP6Tunnel
No       System    256  fe80::5efe:192.168.2.1/128   17  isatap.{F6AF95CA-3C9A-4637-A3F3-5681B1D5EF2D}
No       System    256  fe80::200:5efe:68.4.231.178/128   14  isatap.oc.cox.net
No       System    256  fe80::68f7:1a9a:18ed:f8c3/128   13  Intranet LOM
No       System    256  fe80::e194:5746:1d97:7acf/128   18  IP6Tunnel
No       System    256  ff00::/8                    1  Loopback Pseudo-Interface 1
No       System    256  ff00::/8                   13  Intranet LOM
No       System    256  ff00::/8                   18  IP6Tunnel

netsh interface ipv6>


Dave

randomparity

I looked more closely at the Network Monitor trace I took by removing the ICMPv6 filter and found that the OS is specifically dropping the final part of the echo response (attached PNG).  All firewalls are disabled and the drop wasn't noted in the firewall log file (yes, I did enable logging dropped events).  Even when the firewalls are enabled the frame isn't dropped by the firewall; I would have expected to see another "FilterId" in the Windows Filtering Platform (WFP) message that points to the failing rule.  As it is I haven't found what the existing drop message indicates.

Dave

randomparity

Sorry to say I've given up.  Microsoft would not look into the issue without $$$ involved.

Switched back to Windows Server 2008 R2 and the IP6 tunnel configuration is working normally. 

For the moment I'd advise to stay away from Windows 2012 Server for this configuration.

Dave

Ataru

I also spent a great deal of time trying to work this out but quite simply Windows Server 2012 will not forward IPv6 packets :(

Even the latest IPv6 for Windows book was no help.

Edit: Having tried one last time I actually got it working. Will post more details once I've worked out what actually got it working.

Ataru

Okay so I have found that routing does work so long as you do not join the domain. (even with no GPOs applied).

I've also given up for now as I cannot work out what joining the domain screws up exactly.

Even creating firewall rules to allow everything in and out, as well as checking the dropped packets log, but nothing.

So basically stick to 2008R2 or Linux (or even pfSense).

gattytto

So far I've got the IP6Tunnel part working and can ping the private Ethernet2 2001:d::1 address but not the 2001:c::2 nor 2001:c::1 addresses, so it'd be nice of you if you shared the steps for doing the "Intranet LOM" thing to get the IPv6 packages out of the private network (between Hyper-V host and guests) through the internet and mainly the 2001:c::1 gateway.

Thanks

Quote from: Ataru on May 11, 2013, 07:55:55 AM
Okay so I have found that routing does work so long as you do not join the domain. (even with no GPOs applied).

I've also given up for now as I cannot work out what joining the domain screws up exactly.

Even creating firewall rules to allow everything in and out, as well as checking the dropped packets log, but nothing.

So basically stick to 2008R2 or Linux (or even pfSense).