ICMPv6 from my network to far hosts

Started by Fiera, April 16, 2018, 12:46:06 PM

Fiera

My problem: I am able to browse ipv6.google.com (and other v6 sites) but not able to ping it from my LAN.

OK, let's start: the 6in4 tunnel is enabled on the router (Clavister cOS), clients on the LAN side get addresses from DHCPv6, router address in RA, everything looks good.

Ping to ipv6.google.com from router - passed.
Ping to ipv6.google.com from LAN client - no reply (I monitored this on the router with packet capture software).
Ping to HE.net DNS server 2001:470:20::2 from LAN client - passed.

OK, let's try the other direction:
Ping to my LAN client from other IPv6 hosts (my home ISP and my hoster's VPS) - both passed.

Traceroute to ipv6.google.com from my LAN client:
  1    <1 мс    <1 мс    <1 мс  2001:470:6f:cf6::253
  2    78 ms    78 ms    78 ms  2001:470:6e:cf6::1
  3    80 ms    74 ms    74 ms  2001:470:0:221::1
  4      *           *          *     no reply after that

Traceroute to my hoster's VPS from my LAN client:
  1    <1 мс    <1 мс     1 ms  2001:470:6f:cf6::253
  2    78 ms    83 ms    77 ms  2001:470:6e:cf6::1
  3    95 ms   122 ms    95 ms  2001:470:0:221::1
  4    99 ms    99 ms    97 ms  2001:7f8:7f::72
  5    93 ms   123 ms    99 ms  2001:7f8:14::2d:1
  6    96 ms   123 ms    99 ms  2001:1a48:ffff::51
  7     *        *        *     no reply after that

The only far server I was able to ping is 2a02:17d0:8201:402::2 in my ISP's network.

Is it my fault or someone else's?

cholzhauer

Probably yours.

Are you running a firewall?

Fiera

Quote from: cholzhauer on April 16, 2018, 03:40:04 PM
Are you running a firewall?

Of course I do.
I already checked the firewall log on the router for dropped packets - no difference there when I ping HE DNS (2001:470:20::2) or some router in my ISP's network (2a02:17d0:8201:402::2) and ipv6.google.com.
The only difference is in the packet capture on the router - I see in Wireshark "Echo (ping) reply id=0x0001, seq=325, hop limit=62 (request in 337)" on success or "No response seen to ICMPv6 request in frame 290" on a failed ping.

cholzhauer

I sort of figured, but had to ask.

Are you filtering anything outbound, or does it only apply to inbound traffic? Either way, I'd turn it off and try ICMP with it off, at least then you'll be able to rule something out.

Fiera

Quote from: cholzhauer on April 17, 2018, 04:58:01 AM
Are you filtering anything outbound, or does it only apply to inbound traffic? Either way, I'd turn it off and try ICMP with it off, at least then you'll be able to rule something out.

Yes, now it only applies to inbound. But it seems that I found the root of the problem - only Windows cannot ping some far hosts from the HE tunnel, iOS and Linux have no problem.

In Wireshark it looks like this:
iOS ping (HE app) - ICMPv6 70 Echo (ping) request id=0xac22, seq=0, hop limit=63 (reply in 68)
Windows ping (win10) - ICMPv6 102 Echo (ping) request id=0x0001, seq=325, hop limit=128 (reply in 343)

Hm, what is the difference?