• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Non-functioning tunnel and incorrect portscan

Started by Gophyr, November 11, 2019, 09:17:06 AM

Previous topic - Next topic

Gophyr

About half a week ago, my tunnel (that had been functioning perfectly for a month or so) suddenly stopped working.  In trying to fix it, I've determined that I can ping the gateway server just fine, but nothing else.  Additionally, the portscan (of the client IP) provided by https://tunnelbroker.net/portscan.php is very wrong.  It fails unless I specify -Pn, and lists the following ports as open (none of which are open in my firewall config):

6666/tcp
6667/tcp
6668/tcp
6669/tcp
7000/tcp
9999/tcp

Normally I would assume that I had grossly misconfigured something, except for the fact that it was working perfectly and stopped working seemingly without provocation (no reboots, network outages, etc.).  Is there someone that I should contact about this?

cholzhauer

You can ping the gateway server over Ipv4?  Any chance your public IPv4 address changed?

Gophyr

I can ping the gateway server on both v4 and v6.  Neither my public v4 nor my public v6 (I'm on a VPS provider that gave me both) has changed.

cholzhauer

When you say gateway server, what do you mean by that?

Gophyr


cholzhauer

If you can ping HE over IPv6, that means the tunnel is up and the issue is on your side.

What isn't working? Do your clients get IPv6 addresses? Where does traceroute break?  You haven't provided many details

Gophyr

Everything gets addresses fine.  Traceroute/ping gets me a "connect: Network is unreachable."  All other connection attempts through the interface just hang.  Additionally, I get the same results if I disable the firewall completely, allowing all traffic from all sources.

kumowoon1025

A lot of those xxxx/yyyy/~9999 ports could be blocked by ISP (either yours or VPS provider) or even directly used by whichever hv is running your vps (like for those vnc/pty-over-https interfaces some make available for example).

If you don't need them for some reason and are just concerned about them being open, just try a tcpdump on the host while you do the scan. That should let you find out if it's something you can change or if its something you have to talk someone into changing :)