• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Some IPv6 addresses from the tunnel can't be used?

Started by ptirc, February 21, 2021, 02:44:24 PM

ptirc

Hello everyone!

First of all, let me congratulate you for this amazing service!

I'm new to these tunnel things and kinda new to Linux as well, and I just recently received my tunnel.

After going through the procedure to become a Sage and unlock IRC and SMTP access I decided to test a few things with the tunnel.

I've figured out that I couldn't use some addresses, although the tunnel is properly set with netplan.

I have a bash script that generates a random IP from the /64 subnet, to be assigned to each ZNC (IRC Bouncer) user.

The script is the following:


#!/bin/bash
randomize=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
printf "2001:470:1f12:136$(echo -n $randomize | sha1sum | head -c 16 | sed 's/..../:&/g')\n"


And it outputs something like:

2001:470:1f12:136:4fec:c00a:acd0:3fdd
2001:470:1f12:136:af49:1934:ae1b:2289
2001:470:1f12:136:3b17:a031:d793:bd67


Those IPs are correct, as far as I know.

I can successfully make ZNC, eggdrops and such connect to IRC with IPs like:

2001:470:1f12:136::1
2001:470:1f12:136::2
2001:470:1f12:136::3


But when it comes to those long IPs, some are usable and some others aren't.

It's worth mentioning that I can ping the server via those long IPs and even telnet to some bots and other programs via those same IPs, but outgoing/outbound connections don't always work.

Any ideas/thoughts?

TIA
Good criticism leads to improvement while bad criticism leads you to be ignored.

ptirc

Any ideas from anyone?

This is kinda annoying because, as far as I know, the generated IPs are valid, except that not every one of them is usable.

Cheers!

broquea

You should really be using your statically routed /64, not the link point-to-point range. Try with that. Also, 2001:470:1f12:136::1/64 is the IP on our side of the tunnel interface. Try not using that, ever.

ptirc

My current netplan config is the following:

network:
  version: 2
  tunnels:
    he-ipv6:
      mode: sit
      remote: 216.66.84.42
      local: 37.187.124.211
      addresses:
        - "2001:470:1f12:136::2/64"
        - "2001:470:1f12:136::3/64"
      gateway6: "2001:470:1f12:136::1"

This seems to be valid, unless I'm doing something wrong here.

Some of the long IPs that I've generated were for testing purposes and removed afterwards.

mikma

Quote from: ptirc on February 25, 2021, 09:51:11 PM
This seems to be valid, unless I'm doing something wrong here.

Some of the long IPs that I've generated were for testing purposes and removed afterwards.

As already mentioned, if you want to use more addresses than the "Client IPv6 Address", then you should use addresses from the "Routed /64" (or from the "Routed /48" if you already use the /64 on a LAN). Reserve a /64 that you aren't going to use on a LAN, and configure the addresses you want with a /128 prefix.

ptirc

Alright.
So, my "Routed /64" is:
2001:470:1f13:136::/64

So, generating a random IP for the user "convos", which is a ZNC user, gave me the following IP:
2001:470:1f13:136:1b8d:a290:6be6:3f6d

I've added it to my netplan config:
network:
  version: 2
  tunnels:
    he-ipv6:
      mode: sit
      remote: 216.66.84.42
      local: 37.187.124.211
      gateway6: "2001:470:1f12:136::1"
      nameservers:
        addresses:
        - "2001:470:20::2"
        - "2001:4860:4860::8888"
        - "2001:4860:4860::8844"
      addresses:
        # Client IPv6 Address
        - "2001:470:1f12:136::2/64"
        # Routed /64: 2001:470:1f13:136::/64
        - "2001:470:1f13:136::1/64"
        # convos
        - "2001:470:1f13:136:1b8d:a290:6be6:3f6d/64"


But whenever I try to connect to IRC via the 2001:470:1f13:136:1b8d:a290:6be6:3f6d IP, the connection just times out (outgoing).

But I still can connect to my machine via 2001:470:1f13:136:1b8d:a290:6be6:3f6d.

Example of an SSH connection via 2001:470:1f13:136:1b8d:a290:6be6:3f6d to my machine:
$ ssh eggdrop@2001:470:1f13:136:1b8d:a290:6be6:3f6d
The authenticity of host '2001:470:1f13:136:1b8d:a290:6be6:3f6d (2001:470:1f13:136:1b8d:a290:6be6:3f6d)' can't be established.
ECDSA key fingerprint is SHA256:jTQXO+w4f75dOYYoHbAp4M05asip/D7H2RR3t6ewrZw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '2001:470:1f13:136:1b8d:a290:6be6:3f6d' (ECDSA) to the list of known hosts.
eggdrop@2001:470:1f13:136:1b8d:a290:6be6:3f6d's password:
Last login: Fri Feb 26 16:45:59 2021 from 127.0.0.1


Thoughts?

tjeske

Quote from: ptirc on February 26, 2021, 08:10:57 AM
I've added it to my netplan config:

You probably should add the routed /64 to your network interface, not to your tunnel interface:

network:
  version: 2
  tunnels:
    he-ipv6:
      mode: sit
      remote: 216.66.84.42
      local: 37.187.124.211
      gateway6: "2001:470:1f12:136::1"
      nameservers:
        addresses:
        - "2001:470:20::2"
        - "2001:4860:4860::8888"
        - "2001:4860:4860::8844"
      addresses:
        # Client IPv6 Address
        - "2001:470:1f12:136::2/64"
  ethernets:
    eth0:
      addresses:
        - x.x.x.x/24
        # Routed /64: 2001:470:1f13:136::/64
        - "2001:470:1f13:136::1/64"
        # convos
        - "2001:470:1f13:136:1b8d:a290:6be6:3f6d/64"
      gateway4: x.x.x.y
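
The addressing advice in this thread, as an added example that is not code from any poster: it draws a random /128 from the routed /64 and classifies `addresses` entries against the tunnel link range and the routed range. The prefixes and the roles of `::1` and `::2` are taken from the posts above; the function names and labels are made up for this example.

```python
import ipaddress
import secrets

# Prefixes and roles as given in the thread.
TUNNEL_LINK = ipaddress.ip_network("2001:470:1f12:136::/64")  # point-to-point range
ROUTED_64 = ipaddress.ip_network("2001:470:1f13:136::/64")    # "Routed /64"
SERVER_SIDE = ipaddress.ip_address("2001:470:1f12:136::1")    # broker's end
CLIENT_SIDE = ipaddress.ip_address("2001:470:1f12:136::2")    # "Client IPv6 Address"


def random_routed_address(network=ROUTED_64):
    """Return a random address inside the routed /64, as a /128 interface."""
    if network.version != 6 or network.prefixlen != 64:
        raise ValueError("expected an IPv6 /64")
    while True:
        iid = secrets.randbits(64)  # random interface identifier
        # Skip ::0 (subnet-router anycast) and ::1 (already used in the thread).
        if iid > 1:
            addr = ipaddress.IPv6Address(int(network.network_address) | iid)
            return ipaddress.IPv6Interface(f"{addr}/128")


def classify(entry):
    """Classify one netplan 'addresses' entry, e.g. '2001:db8::1/64'."""
    iface = ipaddress.ip_interface(entry)
    if iface.version != 6:
        return "not-ipv6"
    if iface.ip == SERVER_SIDE:
        return "server-side"   # never assign this locally
    if iface.ip == CLIENT_SIDE:
        return "client"
    if iface.ip in TUNNEL_LINK:
        return "link-range"    # move it to the routed /64
    if iface.ip in ROUTED_64:
        return "routed"
    return "other"


if __name__ == "__main__":
    # Entries copied from the posts above.
    for entry in ("2001:470:1f12:136::1/64",
                  "2001:470:1f12:136::2/64",
                  "2001:470:1f12:136:4fec:c00a:acd0:3fdd/64",
                  "2001:470:1f13:136:1b8d:a290:6be6:3f6d/64"):
        print(f"{entry:45} {classify(entry)}")
    print("new address:", random_routed_address())
```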