Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

First 6 hops in traceroute return no data?

Started by arionnet, June 03, 2008, 07:41:18 PM

arionnet

Hi everyone,

I just signed up for a tunnel and have it up and running:

$ ping6 -n www.kame.net
PING www.kame.net(2001:200:0:8002:203:47ff:fea5:3085) 56 data bytes
64 bytes from 2001:200:0:8002:203:47ff:fea5:3085: icmp_seq=1 ttl=52 time=191 ms
64 bytes from 2001:200:0:8002:203:47ff:fea5:3085: icmp_seq=2 ttl=52 time=191 ms
64 bytes from 2001:200:0:8002:203:47ff:fea5:3085: icmp_seq=3 ttl=52 time=191 ms

--- www.kame.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 191.008/191.276/191.712/0.592 ms
$


My tunnel endpoint is a Debian/Etch Linux box (2.6.22). However, when I try to traceroute, I don't get any responses until hop 6:

$ traceroute6 www.kame.net
traceroute to www.kame.net (2001:200:0:8002:203:47ff:fea5:3085) from 2001:470:1f06:62b::2, 30 hops max, 16 byte packets
1  * * *
2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  tky001ix10.IIJ.Net (2001:240:bb01:7::47)  190.297 ms  191.086 ms  205.125 ms
8  hitachi1.otemachi.wide.ad.jp (2001:200:0:1800::9c4:2)  190.401 ms  191.64 ms  190.587 ms
9  2001:200:0:1802:20c:dbff:fe1f:7200 (2001:200:0:1802:20c:dbff:fe1f:7200)  190.386 ms  190.083 ms  190.33 ms
10  ve42.foundry4.nezu.wide.ad.jp (2001:200:0:11::66)  190.315 ms  190.148 ms  190.601 ms
11  ve45.nec2.yagami.wide.ad.jp (2001:200:0:12::74)  192.829 ms  193.143 ms  193.155 ms
12  lo0.alaxala1.k2.wide.ad.jp (2001:200:0:4800::7800:1)  193.85 ms  193.287 ms  193.383 ms
13  orange.kame.net (2001:200:0:8002:203:47ff:fea5:3085)  191.097 ms  191.904 ms  191.366 ms
$


$ traceroute6 ipv6.google.com
traceroute to ipv6.l.google.com (2001:4860:0:2001::68) from 2001:470:1f06:62b::2, 30 hops max, 16 byte packets
1  * * *
2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  pr61.iad07.net.google.com (2001:504:0:2:0:1:5169:1)  14.611 ms !S  14.948 ms !S  14.207 ms !S
$


Do I have something borked in my configuration or is this normal behavior? Any info. would be appreciated. Thanks! -Arion

broquea

I can ping your ipv4 endpoint, but I cannot ping6 your side of the tunnel. Are you running ip6tables or have any firewall in place?
The tunnel is configured correctly on the tunnel-server.

arionnet

I found the source of my problem: TTLs of IPv6 packets were getting inherited by the IPv4 tunneled packets. Found info about this at: http://people.debian.org/~csmall/ipv6/setup.html

Quote: IPv6 tunnels work by encapsulating ipv6 packets into ipv4 frames. The problem is, what TTL should the IPv4 packets use? By default they "inherit" their TTL from the IPv6 packet. Works great, stops routing loops and totally breaks traceroute6.

The magic command for me that fixed things was:

ip tunnel change he-ipv6 ttl 64

As for not being able to ping my side of the tunnel, I think I also screwed up my firewall config in that I didn't have a persistent rule to allow inbound protocol type 41. I'm guessing my initial connections were working fine because of connection/state-tracking in iptables.

Thanks for your help and the awesome broker service!
Arion
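
A check for the two misconfigurations found in this thread (an inherited outer TTL and no persistent accept rule for protocol 41), as an added example that is not part of the original posts. It parses the text printed by `ip tunnel show` and `iptables -S INPUT`; the function names are hypothetical, and the sample output and addresses are constructed.

```shell
#!/bin/sh
# Added example: audit a 6in4 tunnel host for the two problems in this thread.
# Sample command output below is constructed; addresses are documentation ranges.

# Print the name of every tunnel whose outer IPv4 TTL is inherited from the
# inner IPv6 hop limit. Input: output of `ip tunnel show`.
inherit_tunnels() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i == "ttl" && $(i + 1) == "inherit") {
                name = $1; sub(/:$/, "", name); print name
            }
    }'
}

# Succeed if an INPUT rule accepts IPv4 protocol 41 (IPv6-in-IPv4).
# Input: output of `iptables -S INPUT`. Matches "-p 41" and "-p ipv6".
# Rule order is not evaluated, so an earlier DROP can still shadow the match.
accepts_proto41() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            proto = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p" && $(i - 1) != "!") proto = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if ((proto == "41" || proto == "ipv6") && target == "ACCEPT") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

SAMPLE_TUNNELS='sit0: ipv6/ip remote any local any ttl 64 nopmtudisc
he-ipv6: ipv6/ip remote 192.0.2.1 local 198.51.100.7 ttl inherit'
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

printf '%s\n' "$SAMPLE_TUNNELS" | inherit_tunnels
if printf '%s\n' "$SAMPLE_RULES" | accepts_proto41; then
    echo "protocol 41 accepted by a persistent rule"
else
    echo "no persistent protocol 41 rule: inbound tunnel traffic depends on state tracking"
fi
```

On a live host, pipe the real commands into the functions instead of the samples: `ip tunnel show | inherit_tunnels` and `iptables -S INPUT | accepts_proto41`.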