Tunnel w/o incoming ICMP?

Started by tex, June 19, 2010, 03:03:35 AM

tex

Hi,
recently I've got a faster internet connection at home and my ISP provided me with a new Router-Modem-Device (CPE).

Unfortunately this device does not allow incoming ICMP packets!
According to my ISP there is no way to enable incoming ICMP with this device.

Is there any way I can re-establish my HE IPv6 tunnel with this device, i.e. without incoming ICMP?

jimb

If it allows it, you could maybe NAT ICMP to some inside box.   :P

cholzhauer

An alternative, but certainly less desirable, is an AYIYA tunnel from SixXS if you can get an account

jimb

And another choice of course is to toss the crap CPE and get something better.  Like a linux or BSD box w/ your DSL or cable modem in transparent bridge mode (your existing box can probably be put into this mode).

tex

Quote from: jimb on June 19, 2010, 05:38:24 PM
If it allows it, you could maybe NAT ICMP to some inside box.   :P

Nope, I've tried that, but this box only knows "TCP" and "UDP" :(

Quote from: cholzhauer on June 19, 2010, 08:35:31 PM
An alternative, but certainly less desirable, is an AYIYA tunnel from SixXS if you can get an account

Nope, they don't like. One email from them bounced ... account gone.

Quote from: jimb on June 19, 2010, 09:27:26 PM
And another choice of course is to toss the crap CPE and get something better.  Like a linux or BSD box w/ your DSL or cable modem in transparent bridge mode (your existing box can probably be put into this mode).

Yes, that'd be nice, but unfortunately that is not as easy as it sounds. The CPE is the DSL modem and replacing it would be troublesome.

I've tried using the PPTP-Tunnel, but I can't figure out which routes need to go over the VPN since I don't want all of my traffic routed over the VPN.

jimb

Quote from: tex on June 20, 2010, 12:00:21 AM
Quote from: jimb on June 19, 2010, 09:27:26 PM
And another choice of course is to toss the crap CPE and get something better.  Like a linux or BSD box w/ your DSL or cable modem in transparent bridge mode (your existing box can probably be put into this mode).
Yes, that'd be nice, but unfortunately that is not as easy as it sounds. The CPE is the DSL modem and replacing it would be troublesome.

I've tried using the PPTP-Tunnel, but I can't figure out which routes need to go over the VPN since I don't want all of my traffic routed over the VPN.
I'm not saying to replace the DSL modem.  I'm saying to simply not use it as a router.  Most ISPs have that option so as to allow people to use their own routers.  (BTW, what is the make/model of your modem/router?)

You put the DSL modem into transparent bridging mode, and it acts as a simple ethernet bridge.  You can then either do DHCP/static IPs, or PPPoE or whatever (if your ISP/account calls for it) from your new router over the DSL modem.  The DSL modem simply acts like a switch (a switch is merely a bridge with lots of ports), with a DSL line on one side, and one or more ethernet ports on the other into which you can plug an ethernet router.  (I just noticed you were from Germany even though your nick is "tex" ... I'm not super familiar with how they do DSL over there, but I presume you can also bridge it if you want).

You could either buy a consumer grade router box like the DIR615, or some other device by replacing the firmware with something like DDWRT, or throw together your own router firewall with an old computer and a pair of NICs by using some open source routing software (look here too).  There's a bunch of stuff out there like M0n0wall (BSD based firewall/router w/ GUI ... don't remember if it has IPv6 functionality yet) to do this.  

Then you configure your router and set up the IPv6 tunnel on it, and you're done, and have a much more flexible device at your edge.

As far as the PPTP option, if you have windows I have yet to find a way around the "all or nothing" situation.  If you have a linux or *BSD box as an IPv6 router, you should be able to use policy routing to set things up so that only your 6in4 tunnel is routed through PPTP, and everything else goes the "normal" route.  (this topic shows how to set this up under linux.  From glancing at it I believe it does just what I describe, routing only 6in4 over the PPTP).

Personally though, I wouldn't go through all the trouble of setting up a PPTP solution using a linux box when I could just replace the routing functionality of the ISP provided device with the same linux box and avoid PPTP, which slows things down.  I'd only go that route (no pun intended) if I had no other choice (for instance, the CPE device couldn't do transparent bridging).

tex

Thanks for your input. It looks like I've got to go that route anyway. I got the PPTP tunnel configured but I've just found out that this stupid CPE doesn't even support VPN-Passthrough (GRE). I've got to get rid of this piece of ... whatever ... ASAP.

jimb

PPTP still may work through your devices.  "PPTP passthrough" and stuff like that typically means it has helper code in the connection tracker which uses a particular field in the GRE headers to uniquely identify PPTP/GRE connections per internal host (so it can sort out which host belongs to which session/tunnel).  But even without this helper code, a typical fw/NAT device will support a single PPTP and/or GRE tunnel through it from a single inside host.

Still, it's better to just replace the built in crap, since it's crap.  :P
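
Added example (not part of the original posts, and not code from any router's firmware): a simplified Python model of the PPTP passthrough point above. It parses the enhanced GRE header PPTP uses (RFC 2637) and shows how a NAT that keys on the Call ID field can tell two inside hosts apart, while one that sees only the remote address cannot. The `GreNat` class, the addresses and the Call IDs are constructed for illustration.

```python
import struct

PPTP_GRE_PROTO = 0x880B  # PPP carried in enhanced GRE (RFC 2637)

def build_pptp_gre(call_id, seq, payload=b""):
    """Constructed sample packet: K and S bits set, version 1 (flags 0x3001)."""
    return struct.pack("!HHHHI", 0x3001, PPTP_GRE_PROTO,
                       len(payload), call_id, seq) + payload

def parse_pptp_gre(pkt):
    """Return the fields of a PPTP enhanced GRE header as a dict."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    if (flags & 0x0007) != 1 or proto != PPTP_GRE_PROTO or not (flags & 0x2000):
        raise ValueError("not a PPTP enhanced GRE packet")
    fields = {"call_id": call_id, "payload_len": payload_len, "seq": None, "ack": None}
    offset = 8
    for name, bit in (("seq", 0x1000), ("ack", 0x0080)):  # S bit, then A bit
        if flags & bit:
            if len(pkt) < offset + 4:
                raise ValueError("truncated optional field")
            fields[name] = struct.unpack("!I", pkt[offset:offset + 4])[0]
            offset += 4
    fields["payload"] = pkt[offset:offset + payload_len]
    return fields

class GreNat:
    """Simplified model of inbound GRE demultiplexing on a NAT device."""
    def __init__(self, call_id_aware):
        self.call_id_aware = call_id_aware
        self.sessions = {}

    def _key(self, server, call_id):
        # GRE has no ports: without the helper only the remote address is left.
        return (server, call_id) if self.call_id_aware else (server,)

    def learn(self, inside_host, server, call_id):
        """Record an outbound tunnel; an existing mapping is not replaced."""
        self.sessions.setdefault(self._key(server, call_id), inside_host)

    def inbound(self, server, pkt):
        """Return the inside host a GRE packet from `server` is forwarded to."""
        call_id = parse_pptp_gre(pkt)["call_id"]
        return self.sessions.get(self._key(server, call_id))

def demo(call_id_aware):
    """Two inside hosts tunnel to one server; return who receives each reply."""
    nat = GreNat(call_id_aware)
    nat.learn("192.168.1.10", "192.0.2.1", 0x0011)
    nat.learn("192.168.1.11", "192.0.2.1", 0x0022)
    return [nat.inbound("192.0.2.1", build_pptp_gre(cid, 1, b"ppp"))
            for cid in (0x0011, 0x0022)]
```

With the helper each reply reaches its own host; without it both replies go to the first host, which is why a single tunnel from a single inside host still works.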

tex

Quote from: jimb on June 23, 2010, 05:20:21 PM
Still, it's better to just replace the built in crap, since it's crap.  :P
Thanks for your help, in the end I've got myself a better CPE/Router and now I'm happy again ;)