• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Need help Configuring a tunnel under *BSD & MacOS X

Started by annoyingspore, August 03, 2010, 11:03:36 PM

Previous topic - Next topic

cholzhauer

The default gateway for your clients is the host that knows what to do with the packet after it receives it.  I realize it's a little vague, but it really depends on how your network is set up.

In the simplest fashion, your IPv6 router is doing Router Advertisements to your clients.  Your clients generate an IPv6 address and the default gateway is the link local address of your IPv6 router.  Your IPv6 router's default gateway is already set to be the HE end of the tunnel, so things just work.

jgeorge

Quote from: annoyingspore on April 30, 2011, 08:20:05 PM
So what should I set as the default route on clients? the tunnel Client IPv6 Address or Server IPv6 Address?

Neither. Once you set up the tunnel between HE and your local router, you'll never reference that tunnel subnet again on any other machines. Everything else you assign to other machines on your network comes out of your routed /64. The router you have set up the tunnel on will have two IPv6 addresses - the tunnel client IPv6 address on the tunnel interface, and it'll have one IPv6 address from your routed /64 on the LAN interface that it shares with the rest of your network.

The default route that your clients needs is the address of your router. Since your client doesn't know how to get to any other IPv6 network, if you used your tunnel address as a default route, the client wouldn't know which machine on the network to send packets to.

If you're using autoconfig your router should be providing the correct default route address to the network on it's own. If you set it manually the proper thing to do is to use the link-local address of your router's LAN interface (the routed/64 address will work as well, but using the link-local address is the best way to go, as it still can reach the router even if your router advertisements stop working).

Quotehow does it know to jump subnets, for instance the tunnel is on 2001:470:1f10:xxx and the route /64 is 2001:470:1f11:xxx ? are you sure the tunnel client doesnt also need to forward packets? for IPv4 I just set up some simple iptables masquerade.

That's pretty much how routers work - they're the devices that know how to get packets from one subnet to another. Your tunnel client acts as a router in that it receives IPv6 traffic from your local machines, and knows to forward that traffic over it's tunnel interface to HE, and do the same thing in reverse for incoming packets.

Cheers,

Joe

magnanimousrogera

Hi there,

I am a newbie and am trying to set up my tunnel but I am getting the following dialog when i try to create it.  My system is a MacMini running Snow Leopard 10.6.7

Quote
IPv4 Endpoint (Your side):
IP is not ICMP pingable. Please make sure ICMP is not blocked. If you are blocking ICMP, please allow 66.220.2.74 through your firewall.
You are viewing from:58.9.166.58
We recommend you use:
Unquote

I have unblocked my firewall but am unable to find a way to allow the IP address 66.220.2.74 into my System Preferences.  Also, where can I find ICMP?

Anyone who can advise me on how to do this?

Many thanks in advance

Roger ???

cholzhauer

It looks like you've got it figured out now



C:\Documents and Settings\Carl>ping 66.220.2.74

Pinging 66.220.2.74 with 32 bytes of data:

Reply from 66.220.2.74: bytes=32 time=72ms TTL=48
Reply from 66.220.2.74: bytes=32 time=69ms TTL=48
Reply from 66.220.2.74: bytes=32 time=70ms TTL=48
Reply from 66.220.2.74: bytes=32 time=71ms TTL=48

Ping statistics for 66.220.2.74:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 69ms, Maximum = 72ms, Average = 70ms



jgeorge


Hey cholzhauer,

66.220.2.74 is the HE side - his IP is 58.9.166.58 and I can't ping him either.


Depends on what router you're using. You may want to put your Mini in the DMZ of your router, or you might be able to unblock pings from your router as well. The firewall on the Mac won't really get in the way at this point (yet) assuming the router is probably blocking you.

I presume your Mac has a private IP address of 192.168.something or so on, and the IP address you have below is the one from your ISP (which is probably your router). Thats what you want to unblock, the tunnel server must be able to ping you to establish the tunnel.

Joe

cholzhauer

Whoops, thanks for catching that.

What router are you using?  Like jgeorge mentions, you could try putting your host into the DMZ and seeing if that helps.  (It doesn't on some routers though)

There are other routers that allow you to enable ICMP separately from everything else.

magnanimousrogera

Hi jgeorge & cholzhauer,

Many thanks for your replies.   I am using a Linksys ADSL 2 WAG54G2 router and am using OpenDNS as my DNS servers.    I also have a dynamic IP address provided by my ISP.  The following is the status of the router at 6.35 this morning:


Firmware Version:   V1.00.10
MAC Address:   00:16:CB:A6:32:51
Current Time:   04-05-2011 06:32:39

Internet Connection   
Login Type:   RFC 2516 PPPoE
Interface:   Up
IP Address:   58.9.163.3
Subnet Mask:   255.255.255.255
Default Gateway:   58.9.163.1
DNS 1:   203.144.207.29
DNS 2:   203.144.207.49
DNS 3:   
WINS:   ---

I also have security mode setup as WPA-2 Personal with encryption shown as TKIP or AES.  I also have SPI Firewall protection on.  Additionally I have IPSec, PPPoE, PPTP and L2TP Passthrough enabled.

Incidentally, I can ping both my IP address (not surprisingly) and 66.220.2.74 but no-one can ping me.

I have put my mini in the DMZ zone with the IP address of 192.168.1.102 so I will now try that and see if I can create the tunnel.   I will get back to you both later today.   (I live in Thailand so the time difference is between minus 11 to 13 hours if you guys are in the US).

Again, I do appreciate your help.

Cheers

Roger

magnanimousrogera

Hi jgeorge & cholzhauer,

Further to my post above, I have tried both my IP addresses (192.168.1.102, the MacMini, and 58.9.163.3) and get the following responses:

Quote
You currently have 0 of 5 tunnels configured.
IP is not ICMP pingable. Please make sure ICMP is not blocked. If you are blocking ICMP, please allow 66.220.2.74 through your firewall.
If you are trying to reclaim a tunnel simply use your last IPv4 address here. If you have any issues please email ipv6@he.net.
If you have a public ASN and wish to setup a full BGP feed, please use this form instead.
IPv4 Endpoint (Your side):
IP is blocked. (RFC1918 Private Address Space)
You are viewing from:58.9.163.3
Unquote.

This is after putting my MacMini into my DMZ zone.

The router address is 192.168.1.1, the MacMini address is 192.168.1.102 and the dynamic IP address today is 58.9.163.3.

Any other ideas?

Cheers

Roger

cholzhauer

The only thing I've been able to find is this

http://portforward.com/routergui/Linksys/WAG54G2/Firewall.htm

And that doesn't list anything for allowing ICMP through to your hosts.

You could try turning off the firewall and seeing if that helps.  If that helps, you may just want to run a firewall on each individual host.

magnanimousrogera

Hi Cholzhauser cc jgeorge.

I have disabled my firewall both on my MacMini and on my router, entered my IP address 58.9.163.3, and have tried to create the tunnel.  I get the following response in a green band:

IPv4 Endpoint (Your side):
IP is a potential tunnel endpoint. (in a green band)
You are viewing from:

I believe that the tunnel has been created as the ping worked.  See below:

Ping has started...

PING 58.9.163.3 (58.9.163.3): 56 data bytes
64 bytes from 58.9.163.3: icmp_seq=0 ttl=64 time=0.698 ms
64 bytes from 58.9.163.3: icmp_seq=1 ttl=64 time=0.681 ms
64 bytes from 58.9.163.3: icmp_seq=2 ttl=64 time=0.628 ms
64 bytes from 58.9.163.3: icmp_seq=3 ttl=64 time=0.621 ms
64 bytes from 58.9.163.3: icmp_seq=4 ttl=64 time=0.640 ms
64 bytes from 58.9.163.3: icmp_seq=5 ttl=64 time=0.536 ms
64 bytes from 58.9.163.3: icmp_seq=6 ttl=64 time=0.573 ms
64 bytes from 58.9.163.3: icmp_seq=7 ttl=64 time=0.611 ms
64 bytes from 58.9.163.3: icmp_seq=8 ttl=64 time=0.623 ms
64 bytes from 58.9.163.3: icmp_seq=9 ttl=64 time=0.621 ms

--- 58.9.163.3 ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.536/0.623/0.698/0.044 ms

A few questions now.

1.   Since my IP address in dynamic, I assume that the IP address will change and that the tunnel will not work.  Am I right?
2.   If I re-enable my firewall on my router, will the tunnel will close?
3.   If I just re-enable the firewall on my MacMini, will the same thing happen?
4.   If you have any other comments, I would appreciate if you could make them.

Again, many thanks for your efforts.  I really appreciate them.

Cheers

Roger

cholzhauer

Quote
A few questions now.

1.   Since my IP address in dynamic, I assume that the IP address will change and that the tunnel will not work.  Am I right?
2.   If I re-enable my firewall on my router, will the tunnel will close?
3.   If I just re-enable the firewall on my MacMini, will the same thing happen?
4.   If you have any other comments, I would appreciate if you could make them.

1) Correct. You either need to manually change it on your settings page or use one of the scripts that people have published to do it for you.
2) I don't think so.  I think ping is only required to confirm you "own" that IP address.  After you have your tunnel up, try it and find out.
3) See above.  Worst case, you can just enable the firewall on your MacMini and allow ping and disallow everything else.

If you have anything else, just ask.  If it's a specific question, you'd probably be better off starting a new topic.

annoyingspore

I am having a problem now, I am trying to certify that my web page is IPv6 capable, but now when i go to http://ipv6.he.net/certification, it tells me 'Welcome to the Hurricane Electric IPv6 Certification Project validation code generator.
Your reported Internet Protocol Address is: 184.104.31.133
You do not appear to be using an IPv6 capable connection.

that is my tunnel endpoint address. I have checked my tunnel, dns, etc and everything appears alright. what is going on now?

ip tunnel show
sit0: ipv6/ip  remote any  local any  ttl 64  nopmtudisc 6rd-prefix 2002::/16
he-ipv6: ipv6/ip  remote 209.51.181.2  local 184.104.31.133  ttl 255  6rd-prefix 2002::/16

although when i do 'dig -6 domain'
i get:
connection timed out; no servers could be reached
but when i do 'dig @74.82.42.42 -6 domain' it works, but when i do 'dig @2001:470:20::2 -6 domain', it doesnt.  ???

even though my resolv.conf is:
nameserver 74.82.42.42
nameserver 192.168.1.5
nameserver 2001:470:20::2

my local address (192.168.1.5) is a slave for that zone, but where on he.net dns do you tell it what ip's in can replicate to?

cholzhauer

whats with the 2002:: stuff in there?  if you're using HE, you shouldnt use a 6to4 address

annoyingspore

not sure what you meant by that. why cant i use hurricane's ipv6 dns server?
I am using my own dns server as primary, he.net's as secondary. seems to me this presents a problem, since you can only have a primary, secondary, and tertiary nameserver. if you had 2 ipv4 and 2 ipv6, that would be more then 3.
another thing i was trying to figure out is, how do i tell he.net's dns that i want my dns server to be a secondary for my domain name?

cholzhauer

I'm trying to remember why I wrote that...I think it was because of this

Quote
he-ipv6: ipv6/ip  remote 209.51.181.2  local 184.104.31.133  ttl 255  6rd-prefix 2002::/16

If you're using an HE tunnel, you don't need that 2002::/16 in there