• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Inbound traffic does not work

Started by starcastle, June 21, 2008, 06:35:19 PM


starcastle

Now that outbound is working I am trying to get inbound traffic to work.

I have been working with HE but I think I am not understanding their terminology or vice versa.

HE has a number of terms they are using:

Server IPv6 address (their end of the v6 tunnel)

Client IPv6 address (my end of the tunnel)

Routed /64 (the range I select for my clients)

The way I 'think' it works (I have an apache web server running on the same box as my end of the tunnel) is I should be able to browse to the Server IPv6 addr and the traffic should route through the tunnel.

If, on my lan, I browse to the client ipv6 addr I get my default page.

My end of the tunnel cannot be reached from the internet.

I can ping both ends of the tunnel as well as do tracerts.

HE says that traffic to the Server IPv6 addr is routed down the tunnel.

Anyone have any ideas?

broquea

Using our terms, the "server IPv6 address" (a:b:c::1) will never respond with your website. That IP is configured on our tunnel-server equipment, which does not run a web server, or have the content of your website.

Your side of the tunnel's allocation (a:b:c::2) is configured on your machine, and the IPv6 address that should load the website when queried.

Assuming Linux:
Make sure that there are no ip6tables rules blocking HTTP. Go so far as to make sure ip6tables isn't even running to eliminate doubts (not recommended to leave off, since that removes firewall/filter).

Make sure you have enabled IPv6 forwarding in sysctl, if you plan on using an address from your routed /64 (a:b:d::/64), although that might not be 100% required.
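One way to carry out the ip6tables check suggested above without switching the firewall off, as an added example that is not part of the original thread: a simplified first-match walk over `ip6tables -S INPUT` output that reports whether a new inbound HTTP connection would be accepted. The function names, the constructed sample ruleset and the tunnel interface name `sit1` are assumptions.

```python
import shlex

# Constructed `ip6tables -S INPUT` output for illustration; not taken from the thread.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Options this sketch understands; anything else is reported for manual review.
KNOWN = {"-p", "-m", "-i", "--dport", "--state", "--ctstate", "-j", "--reject-with"}

def port_in(spec, port):
    """True if `port` falls inside a --dport value such as '80' or '1:1023'."""
    lo, sep, hi = spec.partition(":")
    lo = int(lo or 0)
    return lo <= port <= (int(hi or 65535) if sep else lo)

def http_verdict(rules_text, port=80, iface="sit1"):
    """First-match walk of INPUT for a new TCP connection arriving on `iface`.

    Returns (verdict, deciding_line). 'unknown' means the rule uses negation,
    a user-defined chain or a matcher not modelled here: read it by hand.
    `iface` defaults to sit1, an assumed name for the tunnel interface.
    """
    policy = "ACCEPT"  # chain policy when no -P line is present
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        if tok[:2] != ["-A", "INPUT"]:
            continue
        if "!" in tok:
            return ("unknown", line)
        opts = dict(zip(tok[2::2], tok[3::2]))  # flag/value pairs
        i = opts.get("-i", iface)
        state = opts.get("--state") or opts.get("--ctstate")
        if (opts.get("-p", "tcp") not in ("tcp", "all")
                or not (iface.startswith(i[:-1]) if i.endswith("+") else i == iface)
                or not port_in(opts.get("--dport", str(port)), port)
                or (state and "NEW" not in state.split(","))
                or opts.get("-j") == "LOG"):
            continue  # rule cannot decide this packet
        if set(opts) - KNOWN or opts.get("-j") not in ("ACCEPT", "DROP", "REJECT"):
            return ("unknown", line)
        return (opts["-j"], line)
    return (policy, "-P INPUT " + policy)
```

Feed it the text printed by `ip6tables -S INPUT` (run as root); with the constructed sample, the deciding line is the DROP policy because no rule admits port 80.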

broquea

Incidentally, I can ping6/traceroute6 your side of the tunnel, as well as load your "StarCastle IPv6 Portal - Home" page when I put that IP into a browser.

starcastle

Thanks, that clears up my confusion.

I am running linux with no firewall (Suse 10.3) and therefore assuming that iptables is not engaged (I am a beginner linux user).

The box sits behind a Nortel Contivity firewall which passes port 41 to the linux box (ipv6 from inside my lan works with or without the port forward).

I set up my tunnel using the linux-net-tools configuration example (I don't specify the ipv4 addr at my end of the tunnel).

When I do a tracert I get the following:

C:\Users\woodallp.CAMRK01.001>tracert 2001:470:1f06:541::2

Tracing route to starcastle-pt.tunnel.tserv4.nyc4.ipv6.he.net
::2]
over a maximum of 30 hops:

  1    50 ms    40 ms    36 ms  2001:5c0:8fff:ffff::146
  2     *        *        *     Request timed out.
  3   113 ms    81 ms    52 ms  if-5-0-1.6bb1.mtt-montreal.ipv
001:5a0:300::5]
  4    52 ms    45 ms    42 ms  if-1-0.mcore3.mtt-montreal.ipv
001:5a0:300:100::1]
  5    41 ms    49 ms    75 ms  if-13-0.mcore4.nqt-newyork.ipv
001:5a0:300:100::2]
  6    88 ms    63 ms    45 ms  2001:5a0:400:200::1
  7    58 ms    91 ms    58 ms  2001:5a0:400:200::6
  8   101 ms    64 ms    79 ms  2001:5a0:600:100::5
  9    53 ms    61 ms    61 ms  2001:5a0:600::5
10    55 ms    49 ms    56 ms  core1.ash1.he.net [2001:504:0:
11   123 ms    67 ms    63 ms  10gigabitethernet1-2.core1.nyc
:0:36::2]
12    52 ms    65 ms    91 ms  1g-bge0.tserv4.nyc4.ipv6.he.ne
2]
13     *        *        *     Request timed out.
14     *        *        *     Request timed out.
15     *        *        *     Request timed out.
16     *        *        *     Request timed out.
17     *        *        *     Request timed out.
18     *        *        *     Request timed out.
19     *        *        *     Request timed out.
20     *        *        *     Request timed out.
21     *        *        *     Request timed out.
22     *        *        *     Request timed out.
23     *        *        *     Request timed out.

It's looking more like a firewall issue but short of putting the linux box in a dmz I can't see what else to do.

Any ideas would be welcome.

Thanks

starcastle

Saw your last message after I posted my reply.

I cannot browse the site so it seems to indicate an issue at the machine I am using to browse from.

broquea

I don't think it's an issue with the Nortel since I was able to ping6 and load a website from your side of the tunnel.

I know you say you checked "iptables", but make sure that you mean "ip6tables", as the former is for IPv4.

Also something must have changed on your host, as now I can no longer browse or ping6 2001:470:1f06:541::2 (unless the machine is off-line now).

starcastle

The issue turned out to be the tunnel's lifetime without traffic (less than a minute).

I set up a ping every 45 seconds and it's all good.