ipv6 nat problem?

Started by smajko, August 25, 2010, 04:41:23 AM


smajko

Hi

I decided to launch ipv6 tunnel with your service. I have 10.10.10.11 with 1-1 NAT with my public address 81.210.9.47. I configured it as you suggest:

smajko:/home/smajko# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:0c:29:b5:ed:0b
          inet addr:10.10.10.11  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: 2a02:e88:0:7:20c:29ff:feb5:ed0b/64 Scope:Global
          inet6 addr: fe80::20c:29ff:feb5:ed0b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:693539 errors:4 dropped:0 overruns:0 frame:0
          TX packets:482617 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:107325070 (102.3 MiB)  TX bytes:57648725 (54.9 MiB)
          Interrupt:19 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 00:0c:29:b5:ed:15
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:18 Base address:0x2080

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:24640 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24640 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1480591 (1.4 MiB)  TX bytes:1480591 (1.4 MiB)

sit0      Link encap:IPv6-in-IPv4
          inet6 addr: ::10.10.10.11/96 Scope:Compat
          inet6 addr: ::127.0.0.1/96 Scope:Unknown
          UP RUNNING NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

sit1      Link encap:IPv6-in-IPv4
          inet6 addr: fe80::a0a:a0b/64 Scope:Link
          inet6 addr: 2001:470:1f0a:18a4::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:40 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1004 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4160 (4.0 KiB)  TX bytes:123806 (120.9 KiB)

and

smajko:/home/smajko# ip -6 ro
::/96 via :: dev sit0  metric 256  mtu 1480 advmss 1420 hoplimit 4294967295
2001:470:1f0a:18a4::/64 via :: dev sit1  metric 256  mtu 1480 advmss 1420 hoplimit 4294967295
2a02:e88:0:7::/64 dev eth0  proto kernel  metric 256  expires 0sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 via :: dev sit1  metric 256  mtu 1480 advmss 1420 hoplimit 4294967295
default dev sit1  metric 1  mtu 1480 advmss 1420 hoplimit 4294967295


but

smajko:/home/smajko# ping6 2001:470:1f0a:18a4::1
PING 2001:470:1f0a:18a4::1(2001:470:1f0a:18a4::1) 56 data bytes
From 2001:470:1f0a:18a4::2 icmp_seq=2 Destination unreachable: Address unreachable
From 2001:470:1f0a:18a4::2 icmp_seq=3 Destination unreachable: Address unreachable
From 2001:470:1f0a:18a4::2 icmp_seq=4 Destination unreachable: Address unreachable
From 2001:470:1f0a:18a4::2 icmp_seq=5 Destination unreachable: Address unreachable


So I thought that it might be proto41 and NAT related problem. So I configured ACL with permit proto41 on both my local and public interfaces. When I do ping to my address 2001:470:1f0a:18a4::2 http://www.berkom.blazing.de/tools/ping.cgi and observe my ACL counters I see that IPv6 traffic is going through my router:

Extended IP access list 105
    10 permit 41 any any (5 matches)
    20 permit ip any any (5 matches)
Extended IP access list 106
    10 permit 41 any any (5 matches)
    20 permit ip any any (10 matches)
Extended IP access list 115
    10 permit 41 any any log (5 matches)
    20 permit ip any any (132 matches)
Extended IP access list 116
    10 permit 41 any any (5 matches)
    20 permit ip any any (152 matches)

with ACL configured for:

my public interface
ip access-group 115 in
ip access-group 116 out

my local subinterface
ip access-group 105 in
ip access-group 106 out

So it looks like the ping is coming to me, my PC is replying but the reply never gets back to sender. Any ideas what could be the reason of this?


Regards,


smajko
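
The counter check described in the post above, as an added example that is not part of the original thread: it reads the protocol 41 match counts from the ACL output and walks them in the order a tunnelled echo request and its reply would cross the router, reporting the first stage where the count falls. The labels "public" and "local" and the PATH ordering are assumptions taken from the poster's description of the two interfaces.

```python
import re

# Counters and access-group bindings copied from the post above.
ACL_OUTPUT = """\
Extended IP access list 105
    10 permit 41 any any (5 matches)
    20 permit ip any any (5 matches)
Extended IP access list 106
    10 permit 41 any any (5 matches)
    20 permit ip any any (10 matches)
Extended IP access list 115
    10 permit 41 any any log (5 matches)
    20 permit ip any any (132 matches)
Extended IP access list 116
    10 permit 41 any any (5 matches)
    20 permit ip any any (152 matches)
"""
BINDINGS = {("public", "in"): 115, ("public", "out"): 116,
            ("local", "in"): 105, ("local", "out"): 106}

# Assumed order: request arrives from the broker, is forwarded to the host,
# the host's reply comes back in, and the reply leaves towards the broker.
PATH = [("public", "in"), ("local", "out"), ("local", "in"), ("public", "out")]


def proto41_matches(text):
    """Return {acl_number: matches} summed over 'permit 41' entries."""
    counts, acl = {}, None
    for line in map(str.strip, text.splitlines()):
        head = re.match(r"Extended IP access list (\d+)", line)
        if head:
            acl = int(head.group(1))
        elif acl is not None and re.match(r"\d+ permit 41 ", line):
            hit = re.search(r"\((\d+) match(?:es)?\)", line)
            # An entry shown without a counter is treated as zero matches.
            counts[acl] = counts.get(acl, 0) + (int(hit.group(1)) if hit else 0)
    return counts


def first_drop(counts, bindings):
    """Return the first (interface, direction) stage whose protocol 41
    count is lower than the previous stage's, or None if none is."""
    prev = None
    for stage in PATH:
        seen = counts.get(bindings[stage], 0)
        if prev is not None and seen < prev:
            return stage
        prev = seen
    return None
```

With the posted counters `first_drop` returns `None`, which matches the poster's reading that the encapsulated replies leave the router. The counters are cumulative, so the comparison only means something if they were reset before the test ping.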



cholzhauer

Have you tried it without the firewall?  Save your config, remove anything that's blocking IPv6 and try again.  If it works, there's something wrong with your config.  If it doesn't work, there's a problem with your setup.

smajko

What could be wrong with my setup if ipv6 encapsulated packets are coming to my router and going out also? Going out but somehow do not arrive where they should...
Could it be a problem with routing between my ISP and HE ?

cholzhauer

Right now, it could be a problem anywhere...I'm just trying to eliminate things so we can narrow down the scope of the problem.  It's better to eliminate your equipment before bringing HE into it.

smajko

OK but the problem is that my PC is one of a few on this machine and interface (virtual machines). So I just can't disconnect it, assign public address and check if it works without NAT  :(

maestroevolution

Two questions,

1) Can you provide the NAT config on your router?  It may be that return traffic is not being NAT'ted (un-NAT'ed?) properly; it matches the ACL, then dropped.

2) What VM flavor?  If this is VMware workstation on a regular PC, the traffic has to go through the host PC's NIC.  If it's not configured for IPv6, it (or maybe a firewall on the host) may be dropping the return ip proto 41 traffic before the virtual vmware switch can bridge it to the guest nic.

Joel

smajko

1. My NAT is simple:

ip nat inside source static 10.10.10.11 81.210.9.47

2. Yes it is VMware but I have DHCPv6 server running on this virtual machine and my CPE are able to obtain IPv6 address from it so it could not be host PC's NIC I guess...

Anyway the idea is good so I will try to check new config with host PC and with its ip address NATed to 81.210.9.47. I will let you know about results...

thanks for help

smajko