
Home router zeroes first 4bytes of tunneled IPv6 header, breaking v6 tunnel

Started by mclovin, October 04, 2020, 01:43:07 PM


mclovin

My IPv6 tunnel recently stopped working. I can PING, but TCP connections hang. The tunnel works if I change the endpoint to my server. If I create a tunnel between my home computer and the server, I get the same problem. Thus I think it's a problem with my ISP provided home router. When I receive TCP packets (usually the SYN-ACK response) through the tunnel, wireshark complains "Expert Info (Error/Malformed): Bogus IPv6 version" because the first 4 bytes of the IPv6 header have been zeroed! I tracerouted from my server to my home computer with one of the packets that gets corrupted, and all the routers including my home router have the correct header in the ICMP reply, so I think the corruption happens inside my network. My home router has a public IP and does NAT. There is no CGNAT.

Does anyone know why my router would do this? I thought it might be NAT trying to rewrite the TCP checksum, and assuming that the TCP header directly follows the IPv4 header, but it's the wrong offset and size. If the router assumes that the TCP header directly follows the IPv4 header, it tries to set source and destination port to zero, which doesn't make sense?
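The corruption described above can be checked offline on a capture without waiting for Wireshark's expert info. The script below is an added example, not code from the original post: it parses a raw IPv4 packet, confirms it is a 6in4 (protocol 41) packet, and classifies the inner IPv6 header as intact, zeroed in its first 32 bits, or otherwise malformed. The sample packets and addresses are constructed for the demonstration.

```python
import socket
import struct

# 6in4 tunnels (the kind tunnelbroker.net provides) carry IPv6 directly inside
# IPv4 with protocol number 41; there are no ports for a many-to-one NAT to track.
IPPROTO_IPV6 = 41

def inspect_6in4(packet: bytes) -> str:
    """Classify one raw IPv4 packet seen on the tunnel's outer (IPv4) side."""
    if len(packet) < 20:
        return "truncated"
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        return "not-ipv4"
    if proto != IPPROTO_IPV6:
        return "not-6in4"
    inner = packet[(ver_ihl & 0x0F) * 4:total_len]
    if len(inner) < 40:
        return "truncated"
    # IPv6 header begins: version(4) | traffic class(8) | flow label(20), then
    # payload length(16) | next header(8) | hop limit(8).
    first_word, payload_len, _next_hdr, _hop = struct.unpack("!IHBB", inner[:8])
    if first_word == 0:
        return "zeroed-first-word"      # the corruption reported in this thread
    if first_word >> 28 != 6:
        return "bad-version"            # what Wireshark flags as "Bogus IPv6 version"
    if payload_len != len(inner) - 40:
        return "length-mismatch"
    return "ok"

def build_6in4(inner_ipv6: bytes, src: str = "192.0.2.10", dst: str = "198.51.100.1") -> bytes:
    """Wrap an IPv6 packet in a protocol-41 IPv4 header (checksum left 0; not checked here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner_ipv6), 0, 0, 64,
                      IPPROTO_IPV6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + inner_ipv6

# Constructed samples (documentation addresses): an IPv6 header carrying a 20-byte
# TCP SYN-ACK, once intact and once with the first 32 bits of the IPv6 header zeroed.
TCP_SYNACK = struct.pack("!HHIIBBHHH", 443, 51000, 1, 1, 5 << 4, 0x12, 65535, 0, 0)
IPV6_HDR = struct.pack("!IHBB16s16s", 0x60000000, len(TCP_SYNACK), 6, 64,
                       socket.inet_pton(socket.AF_INET6, "2001:db8::1"),
                       socket.inet_pton(socket.AF_INET6, "2001:db8::2"))
GOOD_PACKET = build_6in4(IPV6_HDR + TCP_SYNACK)
CORRUPT_PACKET = build_6in4(b"\x00" * 4 + IPV6_HDR[4:] + TCP_SYNACK)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_PACKET), ("corrupt", CORRUPT_PACKET)):
        print(name, inspect_6in4(pkt))
```

Feeding packets read from a pcap (for example via a pcap reader of your choice) into `inspect_6in4` shows at a glance whether every inbound SYN-ACK arrives with its IPv6 version word zeroed, as in the report above.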

mikma

Quote from: mclovin on October 04, 2020, 01:43:07 PM
My home router has a public IP and does NAT.

The IPv6 tunnels use protocol 41 which can't be used with (many-to-one) NAT since protocol 41 doesn't use port numbers in the outer packet. (One-to-one NAT should work if it's supported in the router and can be configured for protocol 41.)

cholzhauer

Which router do you have?

mclovin

Quote from: mikma on October 04, 2020, 03:31:48 PM
Quote from: mclovin on October 04, 2020, 01:43:07 PM
My home router has a public IP and does NAT.

The IPv6 tunnels use protocol 41 which can't be used with (many-to-one) NAT since protocol 41 doesn't use port numbers in the outer packet. (One-to-one NAT should work if it's supported in the router and can be configured for protocol 41.)

I think the router does NAT based only on the (source IP, destination IP) tuple.

Quote from: cholzhauer on October 04, 2020, 06:57:55 PM
Which router do you have?

Inteno EG400. I think it runs a modified OpenWRT.

ajyip6

"I can PING, but TCP connections hang" sounds very much like the problem I describe in the "Tunnel Problems" thread in the "Questions & Answers" forum in the "Tunnelbroker.net Specific Topics" section. There is no solution there either, but it would be interesting to know if your diagnostics are comparable with my diagnostics.

Andy

mclovin

Quote from: ajyip6 on October 08, 2020, 02:27:10 PM
"I can PING, but TCP connections hang" sounds very much like the problem I describe in the "Tunnel Problems" thread in the "Questions & Answers" forum in the "Tunnelbroker.net Specific Topics" section. There is no solution there either, but it would be interesting to know if your diagnostics are comparable with my diagnostics.

Andy
My wget looks the same as yours. If you run wireshark (or maybe tcpdump) it should be quite easy to see if it's the same problem.

ajyip6

I've added some tshark captures, though I don't think these show the same as you.

Sad thing is we're probably about 10 years too late for these forums to have enough traffic to help us :(

Andy

mclovin