Can't remember

Started by gavsdavs, February 25, 2008, 01:56:36 PM


gavsdavs

I used btexact's broker for some years, they closed the service down, so I signed up with HE and got myself a tunnel.

I have a small ipv4 network which I want also to run ipv6 on, and route that traffic through a 6-in-4 gateway on a linux firewall.

I used the iproute2 solution, so I now have sit0 and he-ipv6 interfaces.

I'm transmitting frames, but getting nothing back. I can also see the ipv4 frames heading to the v4 address of the tunnel broker, but I'm not getting anything back.

What should I be looking for to diagnose this ?

I don't have an he-ipv6 or sit0 ip neighbours:
[root@router ~]#  ip -6 neigh show
fe80::210:a7ff:fe08:5db6 dev eth0 lladdr 00:10:a7:08:5d:b6 REACHABLE


amph

after you log in you should look on the bottom left where it says 'example configs', hit that and then select the second one down 'linux-net-tool' and follow all those rules on your linux machine that is connected to the internet, then try to use ipv6 and try to ping the ipv6 ip of the he.net tunnel side.

that config will make sure you have the appropriate sit device..

amph

gavsdavs

Yep, I have tried both net-tools and ip-route2 example configs.
I've also tried disabling ip6tables and just trying it with my firewall as the only access device, and I never get a single frame back from the tunnel broker.

Tunnel setup configs:
--------------------------------
#!/bin/sh
if ! [ -f /proc/net/if_inet6 ]
then echo "IPv6 is not installed!" 1>&2; exit 1; fi
ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.80.26
sleep 2
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:470:1f08:13b::2/64
route -A inet6 add ::/0 gw fe80::a63:63fe dev sit1              (not sure about this one, I used to need it)
#route -A inet6 add 2000::/3 gw fe80::d579:1855 dev sit1
ifconfig eth0 inet6 add 2001:470:1f08:13b:207:95ff:fe05:92fc/64   (my "internal" interface)
route -A inet6 add ::/0 dev sit1
ifconfig sit1 inet6 add 2001:470:1f08:13b::2/64

- or even -

#ip tunnel add he-ipv6 mode sit remote 216.66.80.26 local 62.49.1.52 ttl 255
#ip link set he-ipv6 up
#ip addr add 2001:470:1f08:13b::2/64 dev he-ipv6
#ip addr add 2001:470:1f08:13b:207:95ff:fe05:92fc/64 dev eth0
#ip route add ::/0 dev he-ipv6
#ip -f inet6 addr
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

--------------------------------

This is ifconfig - lots of frames transmitted, no replies.
sit1      Link encap:IPv6-in-IPv4
          inet6 addr: 2001:470:1f08:13b::2/64 Scope:Global
          inet6 addr: fe80::a63:63fe/64 Scope:Link
          inet6 addr: fe80::a00:fe/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:171 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:19833 (19.3 KiB)

Is there a verbose way to setup the tunnel to check my configs ?

tcpdump (ppp0, host 216.66.80.26):
08:30:18.961494 IP 62.49.1.52 > 216.66.80.26: IP6 2001:470:1f08:13b:210:a7ff:fe08:5db6.36214 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33437: UDP, length 40
08:30:18.971095 IP 62.49.1.52 > 216.66.80.26: IP6 2001:470:1f08:13b:210:a7ff:fe08:5db6.36217 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33438: UDP, length 40
08:30:18.971141 IP 62.49.1.52 > 216.66.80.26: IP6 2001:470:1f08:13b:210:a7ff:fe08:5db6.36218 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33439: UDP, length 40
08:30:18.971175 IP 62.49.1.52 > 216.66.80.26: IP6 2001:470:1f08:13b:210:a7ff:fe08:5db6.36220 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33440: UDP, length 40
08:30:18.971207 IP 62.49.1.52 > 216.66.80.26: IP6 2001:470:1f08:13b:210:a7ff:fe08:5db6.36221 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33441: UDP, length 40

Frames going to your broker, nothing ever comes back.

If I change between iproute2 and net-tools methods I have to update both my ipv4 firewall and my ip6 firewall to correctly declare my external interfaces. I do this, but I never get anything back. I don't block anything on the firewall either.

broquea

I've verified your config exists on the tunnel server.
I cannot ping either your ipv4 endpoint or your side of the /64 from the tunnel server.
Please paste the output of: route -A inet6 -n

amph

correct me if i'm wrong (and maybe this is his problem) but the tunnel should be setup on a machine directly connected to the internet with a public routable ip address...

i haven't tried to set one of these up via nat yet but i'm not sure how nat would handle it since there are no ports to forward (though, icmp can be natted due to header ID's and the such....)

gavsdavs

external IP is 62.49.1.52. Deliberately ignores unsolicited pings. Is that required ?
[root@ponsonby ~]# route -A inet6 -n
Kernel IPv6 routing table
Destination                                 Next Hop                                Flags Metric Ref    Use Iface
::1/128                                    ::                                      U     0      2        1 lo
::10.0.0.254/128                            ::                                      U     0      0        1 lo
::10.99.99.254/128                          ::                                      U     0      0        1 lo
::127.0.0.1/128                             ::                                      U     0      0        1 lo
::/96                                       ::                                      U     256    0        0 sit0
2001:470:1f08:13b::/128                     ::                                      U     0      0        2 lo
2001:470:1f08:13b::/128                     ::                                      U     0      0        2 lo
2001:470:1f08:13b::2/128                    ::                                      U     0      10       1 lo
2001:470:1f08:13b:207:95ff:fe05:92fc/128    ::                                      U     0      0        1 lo
2001:470:1f08:13b::/64                      ::                                      U     256    238       0 sit1
2001:470:1f08:13b::/64                      ::                                      U     256    0        0 eth0
fe80::/128                                  ::                                      U     0      0        2 lo
fe80::/128                                  ::                                      U     0      0        2 lo
fe80::/128                                  ::                                      U     0      0        2 lo
fe80::a00:fe/128                            ::                                      U     0      0        1 lo
fe80::a63:63fe/128                          ::                                      U     0      0        1 lo
fe80::207:95ff:fe05:92fc/128                ::                                      U     0      49       1 lo
fe80::260:97ff:fed9:91a/128                 ::                                      U     0      0        1 lo
fe80::/64                                   ::                                      U     256    0        0 eth0
fe80::/64                                   ::                                      U     256    0        0 eth1
fe80::/64                                   ::                                      U     256    0        0 sit1
ff00::/8                                    ::                                      U     256    0        0 eth0
ff00::/8                                   ::                                      U     256    0        0 eth1
ff00::/8                                    ::                                      U     256    0        0 sit1
::/0                                        fe80::a63:63fe                          UG    1      373       0 sit1
::/0                                        ::                                      U     1      0        0 sit1

connectivity is pppoatm 32 bit netmask through demon over adsl.
[root@ponsonby ~]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
194.159.161.36  0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
10.99.99.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         194.159.161.36  0.0.0.0         UG        0 0          0 ppp0
[root@ponsonby ~]#

The firewall doesn't allow the firewall to originate ICMP, here's a traceroute to the tunnel broker from a machine behind the firewall

# traceroute 216.66.80.26
traceroute to 216.66.80.26 (216.66.80.26), 30 hops max, 40 byte packets
1  ponsonby.gda-adsl.demon.co.uk (10.99.99.254)  0.524 ms  0.406 ms  0.415 ms
2  anchor-hg-5-lo100.router.demon.net (194.159.161.36)  25.228 ms  25.279 ms  33.124 ms
3  anchor-access-4-s155.router.demon.net (194.159.161.161)  33.129 ms  33.123 ms  33.098 ms
4  anchor-inside-4-g6-0-4.router.demon.net (194.159.161.94)  41.003 ms  41.036 ms  41.010 ms
5  park-border-1-g1-0-0.router.demon.net (194.70.98.90)  40.856 ms  40.826 ms  48.681 ms
6  gsr12012.lon.he.net (195.66.224.21)  48.693 ms  45.556 ms  53.442 ms
7  216.66.80.26 (216.66.80.26)  53.444 ms  30.541 ms  30.484 ms

I'm a bit confused by why my external (sit1) interface's address turns out to be
2001:470:1f08:13b::2/64

And the suffix you've allocated me is:
2001:470:1f08:13b::/64.

Isn't that, like, errr, the same network ? (therefore routing won't work with two interfaces of the firewall in the same subnet, will it ?)

samh

Quote from: gavsdavs on February 26, 2008, 12:57:42 PM


I'm a bit confused by why my external (sit1) interface's address turns out to be
2001:470:1f08:13b::2/64

And the suffix you've allocated me is:
2001:470:1f08:13b::/64.

Isn't that, like, errr, the same network ? (therefore routing won't work with two interfaces of the firewall in the same subnet, will it ?)

2001:470:1f08:13b::/64 is your Point to Point /64

2001:470:1f09:13b::/64 is your routed /64

Can you describe this setup a little more?  Your drop goes into a firewall (What kind of Firewall? Does it pass protocol 41 traffic?  Have you tried with a directly connected machine taking the firewall out of the loop?)  Unfortunately with IPv6 it either works out of the box, or it's a game of "Guess the Problem".  Taking items out of the loop and simplifying it shows you where the borked member is :)
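The point-to-point versus routed /64 distinction above, worked through as an added example that is not part of the thread: a POSIX shell script that rejects a LAN address taken from the tunnel's own /64 and otherwise prints (does not run) a gateway setup built on the iproute2 recipe quoted earlier. The function names, the firewall rules and their chain placement are assumptions; the addresses are the ones posted in the thread, with the LAN address being the routed-/64 one that appears in a later traceroute.

```shell
#!/bin/sh
# Added example: sanity-check a 6in4 addressing plan, then print the setup.

# Print the /64 prefix of an IPv6 address as four zero-padded groups.
prefix64() {
  printf '%s\n' "${1%%/*}" | awk '{
    n = split($0, half, "::")
    nh = split(half[1], h, ":")
    nt = (n > 1) ? split(half[2], t, ":") : 0
    for (i = 1; i <= nh; i++) g[i] = h[i]
    for (i = nh + 1; i <= 8 - nt; i++) g[i] = "0"   # groups elided by "::"
    for (i = 1; i <= nt; i++) g[8 - nt + i] = t[i]
    out = ""
    for (i = 1; i <= 4; i++) {
      x = tolower(g[i]); while (length(x) < 4) x = "0" x
      out = out (i > 1 ? ":" : "") x
    }
    print out
  }'
}

# Args: broker_v4 local_v4 tunnel_addr/64 lan_addr/64 lan_if
# Refuses a LAN address that sits inside the point-to-point /64.
emit_6in4_gateway() {
  broker=$1; local_v4=$2; tun_addr=$3; lan_addr=$4; lan_if=$5
  if [ "$(prefix64 "$tun_addr")" = "$(prefix64 "$lan_addr")" ]; then
    echo "error: $lan_addr is inside the point-to-point /64 of $tun_addr" >&2
    return 1
  fi
  lan_net="$(prefix64 "$lan_addr")::/64"
  cat <<EOF
ip tunnel add he-ipv6 mode sit remote $broker local $local_v4 ttl 255
ip link set he-ipv6 up
ip addr add $tun_addr dev he-ipv6
ip addr add $lan_addr dev $lan_if
ip route add ::/0 dev he-ipv6
sysctl -w net.ipv6.conf.all.forwarding=1
# Assumed firewall policy: protocol 41 only from the broker, LAN egress
# limited to the routed prefix, inbound limited to replies.
iptables -A INPUT -p 41 -s $broker -d $local_v4 -j ACCEPT
ip6tables -A FORWARD -i $lan_if -o he-ipv6 -s $lan_net -j ACCEPT
ip6tables -A FORWARD -i he-ipv6 -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -j DROP
EOF
}

# eth0 addressed from the point-to-point /64, as in the first config: rejected.
emit_6in4_gateway 216.66.80.26 62.49.1.52 2001:470:1f08:13b::2/64 \
  2001:470:1f08:13b:207:95ff:fe05:92fc/64 eth0 || true
# eth0 addressed from the routed /64: the commands are printed.
emit_6in4_gateway 216.66.80.26 62.49.1.52 2001:470:1f08:13b::2/64 \
  2001:470:1f09:13b:207:95ff:fe05:92fc/64 eth0
```

With a default-drop FORWARD chain, ICMPv6 errors for forwarded flows (time exceeded, packet too big) pass as RELATED, which is what traceroute and path MTU discovery from LAN hosts rely on.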

gavsdavs

The linux machine *is* the firewall.
It has a PCI ADSL modem in it, and it uses ppp to establish my connection to demon.

I have a v4 firewall on it which does pass protocol 41.

I will adjust for the subnet change and let you know how I get on.

Thanks

gavsdavs

Connectivity established (from the firewall without the policy enabled), my problem is in the forwarding somewhere.

[root@ponsonby ~]# traceroute6 www.kame.net
traceroute to www.kame.net (2001:200:0:8002:203:47ff:fea5:3085), 30 hops max, 40 byte packets
1  gavsdavs.tunnel.tserv5.lon1.ipv6.he.net (2001:470:1f08:13b::1)  29.971 ms  37.774 ms  37.715 ms
2  2001:470:0:67::1 (2001:470:0:67::1)  37.668 ms  45.598 ms  45.553 ms
3  ge-0.linx.londen03.uk.bb.gin.ntt.net (2001:7f8:4::b62:1)  45.507 ms  53.427 ms  53.383 ms
4  as-0.r20.nycmny01.us.bb.gin.ntt.net (2001:418:0:2000::1a9)  133.277 ms  133.232 ms  141.149 ms
5  as-2.r21.sttlwa01.us.bb.gin.ntt.net (2001:418:0:2000::5)  229.145 ms  229.083 ms  229.050 ms
6  as-2.r21.osakjp01.jp.bb.gin.ntt.net (2001:218:0:2000::75)  332.960 ms  309.313 ms  301.540 ms
7  ae-4.r21.tokyjp01.jp.bb.gin.ntt.net (2001:218:0:2000::dd)  309.365 ms  317.316 ms  309.669 ms
8  xe-4-1.a15.tokyjp01.jp.ra.gin.ntt.net (2001:218:0:6000::116)  285.455 ms  293.383 ms  517.999 ms
9  ge-8-2.a15.tokyjp01.jp.ra.gin.ntt.net (2001:218:2000:5000::82)  293.815 ms  293.767 ms  301.714 ms
10  * vlan44.cisco2.fujisawa.wide.ad.jp (2001:200:0:3::105)  301.628 ms *
11  ve-4.nec2.yagami.wide.ad.jp (2001:200:0:1c04:230:13ff:feae:5b)  309.515 ms  317.437 ms  317.402 ms
12  lo0.alaxala1.k2.wide.ad.jp (2001:200:0:4800::7800:1)  317.343 ms  325.284 ms  317.230 ms
13  orange.kame.net (2001:200:0:8002:203:47ff:fea5:3085)  294.131 ms  301.916 ms  293.889 ms

Thanks for taking the time to help.


gavsdavs

Ok, I'm stuck at the basics, I do this:

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

And it isn't forwarding traffic.

Traceroutes are working from the firewall, but I get no reply from my subnet hosts.

Traceroute from a host behind the firewall, as seen on sit1 on the firewall:
23:13:28.354957 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37549 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33437: UDP, length 40
23:13:28.355498 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37550 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33438: UDP, length 40
23:13:28.355707 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37551 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33439: UDP, length 40
23:13:28.355758 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37552 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33440: UDP, length 40
23:13:28.355788 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37554 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33441: UDP, length 40
23:13:28.355817 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37555 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33442: UDP, length 40
23:13:28.355845 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37556 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33443: UDP, length 40
23:13:28.355873 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37558 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33444: UDP, length 40
23:13:28.355902 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37559 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33445: UDP, length 40
23:13:28.355929 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37560 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33446: UDP, length 40
23:13:28.355957 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37561 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33447: UDP, length 40
23:13:28.355985 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37563 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33448: UDP, length 40
23:13:28.356013 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37564 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33449: UDP, length 40
23:13:28.358017 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37565 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33450: UDP, length 40
23:13:28.358157 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37566 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33451: UDP, length 40
23:13:28.358262 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37567 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33452: UDP, length 40
23:13:33.357315 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37568 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33453: UDP, length 40
23:13:33.357524 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37569 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33454: UDP, length 40
23:13:33.357595 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37570 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33455: UDP, length 40
23:13:33.357650 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37572 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33456: UDP, length 40
23:13:33.357695 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37574 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33457: UDP, length 40
23:13:33.357739 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37575 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33458: UDP, length 40
23:13:33.357783 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37576 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33459: UDP, length 40
23:13:33.357826 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37577 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33460: UDP, length 40
23:13:33.357870 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37578 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33461: UDP, length 40
23:13:33.357914 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37579 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33462: UDP, length 40
23:13:33.357957 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37580 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33463: UDP, length 40
23:13:33.358002 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37581 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33464: UDP, length 40
23:13:33.358048 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37582 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33465: UDP, length 40



(Start of a) Traceroute from the firewall itself (using sit1 as source IP)
23:12:45.060352 IP6 2001:470:1f08:13b::2.33022 > 2001:200:0:8002:203:47ff:fea5:3085.traceroute: UDP, length 40
23:12:45.061760 IP6 2001:470:1f08:13b::2.33023 > 2001:200:0:8002:203:47ff:fea5:3085.33435: UDP, length 40
23:12:45.062699 IP6 2001:470:1f08:13b::2.33024 > 2001:200:0:8002:203:47ff:fea5:3085.33436: UDP, length 40
23:12:45.063470 IP6 2001:470:1f08:13b::2.33025 > 2001:200:0:8002:203:47ff:fea5:3085.33437: UDP, length 40
23:12:45.064215 IP6 2001:470:1f08:13b::2.33026 > 2001:200:0:8002:203:47ff:fea5:3085.33438: UDP, length 40
23:12:45.065137 IP6 2001:470:1f08:13b::2.33027 > 2001:200:0:8002:203:47ff:fea5:3085.33439: UDP, length 40
23:12:45.065851 IP6 2001:470:1f08:13b::2.33028 > 2001:200:0:8002:203:47ff:fea5:3085.33440: UDP, length 40
23:12:45.067187 IP6 2001:470:1f08:13b::2.33029 > 2001:200:0:8002:203:47ff:fea5:3085.33441: UDP, length 40
23:12:45.067876 IP6 2001:470:1f08:13b::2.33030 > 2001:200:0:8002:203:47ff:fea5:3085.33442: UDP, length 40
23:12:45.068681 IP6 2001:470:1f08:13b::2.33031 > 2001:200:0:8002:203:47ff:fea5:3085.33443: UDP, length 40
23:12:45.069415 IP6 2001:470:1f08:13b::2.33032 > 2001:200:0:8002:203:47ff:fea5:3085.33444: UDP, length 40
23:12:45.070166 IP6 2001:470:1f08:13b::2.33033 > 2001:200:0:8002:203:47ff:fea5:3085.33445: UDP, length 40
23:12:45.071440 IP6 2001:470:1f08:13b::2.33034 > 2001:200:0:8002:203:47ff:fea5:3085.33446: UDP, length 40
23:12:45.072152 IP6 2001:470:1f08:13b::2.33035 > 2001:200:0:8002:203:47ff:fea5:3085.33447: UDP, length 40
23:12:45.073007 IP6 2001:470:1f08:13b::2.33036 > 2001:200:0:8002:203:47ff:fea5:3085.33448: UDP, length 40
23:12:45.073704 IP6 2001:470:1f08:13b::2.33037 > 2001:200:0:8002:203:47ff:fea5:3085.33449: UDP, length 40
23:12:45.088658 IP6 2001:470:1f08:13b::1 > 2001:470:1f08:13b::2: ICMP6, time exceeded in-transit for 2001:200:0:8002:203:47ff:fea5:3085, length 96
23:12:45.094122 IP6 2001:470:1f08:13b::2.33038 > 2001:200:0:8002:203:47ff:fea5:3085.33450: UDP, length 40
23:12:45.096691 IP6 2001:470:1f08:13b::1 > 2001:470:1f08:13b::2: ICMP6, time exceeded in-transit for 2001:200:0:8002:203:47ff:fea5:3085, length 96
23:12:45.096699 IP6 2001:470:1f08:13b::1 > 2001:470:1f08:13b::2: ICMP6, time exceeded in-transit for 2001:200:0:8002:203:47ff:fea5:3085, length 96
23:12:45.096706 IP6 2001:470:0:67::1 > 2001:470:1f08:13b::2: ICMP6, time exceeded in-transit for 2001:200:0:8002:203:47ff:fea5:3085, length 96
23:12:45.102252 IP6 2001:470:1f08:13b::2.33039 > 2001:200:0:8002:203:47ff:fea5:3085.33451: UDP, length 40
23:12:45.103229 IP6 2001:470:1f08:13b::2.33040 > 2001:200:0:8002:203:47ff:fea5:3085.33452: UDP, length 40
23:12:45.103935 IP6 2001:470:1f08:13b::2.33041 > 2001:200:0:8002:203:47ff:fea5:3085.33453: UDP, length 40
23:12:45.104692 IP6 2001:470:0:67::1 > 2001:470:1f08:13b::2: ICMP6, time exceeded in-transit for 2001:200:0:8002:203:47ff:fea5:3085, length 96
23:12:45.104700 IP6 2001:470:0:67::1 > 2001:470:1f08:13b::2: ICMP6, time exceeded in-transit for 2001:200:0:8002:203:47ff:fea5:3085, length 96
23:12:45.108004 IP6 2001:470:1f08:13b::2.33042 > 2001:200:0:8002:203:47ff:fea5:3085.33454: UDP, length 40
23:12:45.108858 IP6 2001:470:1f08:13b::2.33043 > 2001:200:0:8002:203:47ff:fea5:3085.33455: UDP, length 40

I never get a reply for traffic for my subnet....any ideas ?

gavsdavs

A test from http://www.tunnelbroker.net/connectivity.php

to  2001:470:1f09:13b:hostaddress

Traceroute6 result:
1  2001:470:0:57::1 (2001:470:0:57::1)  21.855 ms  4.941 ms  0.229 ms
2  10g-1-2.core1.sjc2.ipv6.he.net (2001:470:0:2f::2)  0.716 ms  0.666 ms  0.622 ms
3  10g-1-3.core1.nyc4.ipv6.he.net (2001:470:0:33::2)  79.892 ms  79.967 ms  89.68 ms
4  10g-1-2.core1.lon1.ipv6.he.net (2001:470:0:3e::2)  148.445 ms  148.401 ms  148.431 ms
5  2001:470:0:67::2 (2001:470:0:67::2)  148.646 ms  148.599 ms  148.539 ms
6  2001:470:0:67::1 (2001:470:0:67::1)  148.542 ms  148.531 ms  148.575 ms
7  2001:470:0:67::2 (2001:470:0:67::2)  148.704 ms  148.782 ms  149.794 ms
8  2001:470:0:67::1 (2001:470:0:67::1)  148.638 ms  148.697 ms  149.846 ms
9  2001:470:0:67::2 (2001:470:0:67::2)  148.86 ms  148.87 ms  148.827 ms
10  2001:470:0:67::1 (2001:470:0:67::1)  148.953 ms  156.709 ms  149.86 ms
11  2001:470:0:67::2 (2001:470:0:67::2)  149.058 ms  149.049 ms  149.049 ms
12  2001:470:0:67::1 (2001:470:0:67::1)  148.991 ms  158.161 ms  148.996 ms
13  2001:470:0:67::2 (2001:470:0:67::2)  149.129 ms  149.147 ms  149.076 ms
14  2001:470:0:67::1 (2001:470:0:67::1)  149.222 ms  149.207 ms  149.072 ms
15  2001:470:0:67::2 (2001:470:0:67::2)  149.227 ms  149.199 ms  149.347 ms
16  2001:470:0:67::1 (2001:470:0:67::1)  149.377 ms  149.307 ms  149.21 ms
17  2001:470:0:67::2 (2001:470:0:67::2)  149.481 ms  149.443 ms  149.544 ms
18  2001:470:0:67::1 (2001:470:0:67::1)  156.154 ms  149.431 ms  149.452 ms
19  2001:470:0:67::2 (2001:470:0:67::2)  159.581 ms  149.554 ms  149.524 ms
20  2001:470:0:67::1 (2001:470:0:67::1)  149.597 ms  149.546 ms  149.605 ms
21  2001:470:0:67::2 (2001:470:0:67::2)  150.229 ms  149.771 ms  150.023 ms
22  2001:470:0:67::1 (2001:470:0:67::1)  149.741 ms  149.732 ms  152.884 ms
23  2001:470:0:67::2 (2001:470:0:67::2)  149.861 ms  149.934 ms  149.94 ms
24  2001:470:0:67::1 (2001:470:0:67::1)  149.785 ms  149.887 ms  149.872 ms
25  2001:470:0:67::2 (2001:470:0:67::2)  150.029 ms  150.107 ms  149.991 ms
26  2001:470:0:67::1 (2001:470:0:67::1)  150.055 ms  150.783 ms  150.011 ms
27  2001:470:0:67::2 (2001:470:0:67::2)  150.236 ms  150.225 ms  150.19 ms
28  2001:470:0:67::1 (2001:470:0:67::1)  150.243 ms  150.649 ms  150.189 ms
29  2001:470:0:67::2 (2001:470:0:67::2)  150.362 ms  158.275 ms  150.351 ms
30  2001:470:0:67::1 (2001:470:0:67::1)  150.352 ms  160.398 ms  155.436 ms

What's broken here ?

broquea

Looks like the broker hadn't put in the static route. It is there now, and I'll look into what went wrong.
Please retest.

gavsdavs

It did, eventually. I was blocking some icmp responses, some of which I've now allowed through.
Not sure if it was the icmp that got the routing working, but here's a traceroute from behind the firewall.

# traceroute6 -n www.kame.net
traceroute to www.kame.net (2001:200:0:8002:203:47ff:fea5:3085), 30 hops max, 40 byte packets
1  2001:470:1f09:13b:207:95ff:fe05:92fc  0.307 ms  0.252 ms  0.232 ms (my firewall)
2  2001:470:1f08:13b::1  31.501 ms  39.490 ms  39.283 ms
3  2001:470:0:67::1  39.248 ms  47.160 ms  47.166 ms
4  2001:7f8:4::b62:1  47.139 ms  55.007 ms  55.017 ms
5  2001:418:0:2000::1a9  135.037 ms  134.952 ms  134.973 ms
6  2001:418:0:2000::5  230.861 ms  230.762 ms  230.727 ms
7  2001:218:0:2000::75  334.692 ms  303.424 ms  303.166 ms
8  2001:218:0:2000::dd  302.941 ms  302.969 ms  295.297 ms
9  2001:218:0:6000::116  303.138 ms  303.154 ms  295.627 ms
10  2001:218:2000:5000::82  295.499 ms  287.590 ms  295.490 ms
11  2001:200:0:3::105  303.459 ms * *
12  2001:200:0:1c04:230:13ff:feae:5b  303.446 ms  287.553 ms  287.501 ms
13  2001:200:0:4800::7800:1  295.487 ms  295.428 ms  303.298 ms
14  2001:200:0:8002:203:47ff:fea5:3085  295.361 ms  295.422 ms  295.318 ms

Question: how do I configure the firewall to respond to:

07:57:39 ponsonby Drop-ip6-In - IN=sit1 OUT= TUNNEL=216.66.80.26->62.49.1.52 SRC=2001:0470:1f08:013b:0000:0000:0000:0001 DST=2001:0470:1f08:013b:0000:0000:0000:0002 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
08:34:45 ponsonby Drop-ip6-In - IN=sit1 OUT= TUNNEL=216.66.80.26->62.49.1.52 SRC=2001:0470:1f08:013b:0000:0000:0000:0001 DST=2001:0470:1f08:013b:0000:0000:0000:0002 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
08:34:46 ponsonby Drop-ip6-In - IN=sit1 OUT= TUNNEL=216.66.80.26->62.49.1.52 SRC=2001:0470:1f08:013b:0000:0000:0000:0001 DST=2001:0470:1f08:013b:0000:0000:0000:0002 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
08:34:46 ponsonby Drop-ip6-In - IN=sit1 OUT= TUNNEL=216.66.80.26->62.49.1.52 SRC=2001:0470:1f08:013b:0000:0000:0000:0001 DST=2001:0470:1f08:013b:0000:0000:0000:0002 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
08:35:19 ponsonby Drop-ip6-In - IN=sit1 OUT= TUNNEL=216.66.80.26->62.49.1.52 SRC=2001:0470:1f08:013b:0000:0000:0000:0001 DST=2001:0470:1f08:013b:0000:0000:0000:0002 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0

(That's seen on the firewall by ip6tables).
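
The dropped packets in the log above are ICMPv6 type 135 (Neighbor Solicitation) from the tunnel server's end of the point-to-point /64, arriving with hop limit 255. As an added example that is not part of the thread, this POSIX shell script groups such drop-log lines by ICMPv6 type and prints candidate `ip6tables` rules; the function names and the `INPUT` chain placement are assumptions, and every sample line after the first two is constructed.

```shell
#!/bin/sh
# Added example: classify dropped ICMPv6 from netfilter LOG lines.
# Field layout (IN=, HOPLIMIT=, PROTO=, TYPE=) follows the lines in the post.

# Reads LOG lines on stdin; prints "VERDICT count iface type note", sorted.
triage_icmp6_drops() {
  awk '
    /PROTO=ICMPv6/ {
      iface = "-"; type = -1; hl = -1
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue
        key = substr($i, 1, n - 1); val = substr($i, n + 1)
        if (key == "IN" && val != "") iface = val
        else if (key == "TYPE") type = val + 0
        else if (key == "HOPLIMIT") hl = val + 0
      }
      if (type < 0) next
      if (type >= 133 && type <= 136) {
        # Neighbor Discovery is only valid with hop limit 255 (RFC 4861);
        # a lower value means the packet crossed a router, so keep dropping it.
        if (hl == 255) { v = "ALLOW"; note = "neighbor-discovery,hl=255" }
        else           { v = "DROP";  note = "neighbor-discovery,hl!=255" }
      } else if (type >= 1 && type <= 4) {
        # Error messages: type 2 (Packet Too Big) drives path MTU discovery,
        # which the 1480-byte tunnel MTU depends on; type 3 feeds traceroute.
        v = "ALLOW"; note = "icmpv6-error"
      } else {
        v = "REVIEW"; note = "local-policy"
      }
      count[v " " iface " " type " " note]++
    }
    END {
      for (k in count) { split(k, p, " "); print p[1], count[k], p[2], p[3], p[4] }
    }
  ' | sort
}

# Turns ALLOW lines into ip6tables commands (printed, not run).
# Assumption: rules go in the INPUT chain, ahead of the logging drop rule.
suggest_rules() {
  while read -r verdict _count iface itype note; do
    [ "$verdict" = "ALLOW" ] || continue
    case "$note" in
      neighbor-discovery*) extra=" -m hl --hl-eq 255" ;;
      *) extra="" ;;
    esac
    echo "ip6tables -I INPUT -i $iface -p icmpv6 --icmpv6-type $itype$extra -j ACCEPT"
  done
}

# First two lines are from the post; the last three are constructed
# (sources in 2001:db8::/32, the documentation prefix).
SAMPLE_LOG='07:57:39 ponsonby Drop-ip6-In - IN=sit1 OUT= TUNNEL=216.66.80.26->62.49.1.52 SRC=2001:0470:1f08:013b:0000:0000:0000:0001 DST=2001:0470:1f08:013b:0000:0000:0000:0002 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
08:34:45 ponsonby Drop-ip6-In - IN=sit1 OUT= TUNNEL=216.66.80.26->62.49.1.52 SRC=2001:0470:1f08:013b:0000:0000:0000:0001 DST=2001:0470:1f08:013b:0000:0000:0000:0002 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
09:10:02 ponsonby Drop-ip6-In - IN=sit1 OUT= TUNNEL=216.66.80.26->62.49.1.52 SRC=2001:0db8:0000:0000:0000:0000:0000:0066 DST=2001:0470:1f08:013b:0000:0000:0000:0002 LEN=64 TC=0 HOPLIMIT=61 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
09:11:40 ponsonby Drop-ip6-In - IN=sit1 OUT= TUNNEL=216.66.80.26->62.49.1.52 SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0470:1f08:013b:0000:0000:0000:0002 LEN=1280 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=ICMPv6 TYPE=2 CODE=0
09:12:15 ponsonby Drop-ip6-In - IN=sit1 OUT= TUNNEL=216.66.80.26->62.49.1.52 SRC=2001:0db8:0000:0000:0000:0000:0000:0002 DST=2001:0470:1f08:013b:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0'

report=$(printf '%s\n' "$SAMPLE_LOG" | triage_icmp6_drops)
printf '%s\n' "$report"
printf '%s\n' "$report" | suggest_rules
```

Echo requests (type 128) land under REVIEW rather than ALLOW, since whether to answer unsolicited pings is a local policy choice.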