[SOLVED] 2 dd-wrt routers+HE-internal IPv6 working-access to IPv6 Internet NO-GO

Started by jtschoneich, October 07, 2010, 04:15:17 PM

jtschoneich

Hi,
I have spent much more time than a week and cannot resolve my problem. So I am calling for IPv6+6to4+proto 41+iptables+dd-wrt gurus. Maybe someone has a similar setting and was able to overcome similar issues, or would like to experiment with IPv6 tunnels, to help with this puzzle?
2 ddwrt routers: VINT (wrt54gs v1.0) and NEWD-2 K26 (wrt610n v1.0) with the latest Eko mega builds.
Both have IPv6 enabled and working.
HE tunnel end on wrt54GS.
Internet<->WAN-port-of-wrt54gs on subnet1<->LAN1-port<->WAN-port-of-wrt610n on subnet2 <->LAN-ports->subnet2
All machines have no issues to communicate with each other using pure IPv4 or IPv6 protocols. So routing between subnets seems correct.
PCs connected to GS can get to IPv6 Internet, but...
PCs on 610n cannot get to IPv6 internet!!!
Even the WAN port of the 610 cannot ping6 the 6to4 tunnel's local IPv6 end, even though it is on the GS subnet (as if it is not there for the wrt610n).
I have read it might have something to do with forwarding protocol 41 (ipv6), but I was not able to succeed.
I do NOT want to connect 610 to GS using LAN ports (I do want to use WAN port and NAT). Firewall on 610 is disabled, so all windows sharing traffic is working between all computers on all subnets. Both IPv4 and IPv6 are on 2 separate subnets.
Besides when I ping6 local tunnel end, without going to Internet, I think, it does not use proto 41, or does it?
Can anyone give me some hints?
Is there a way to passthrough proto 41 as it is done with PPTP or L2TP?
I have to admit iptables are not my forte.
I have tried to accept proto 41, forward it to the WAN of the 610 and allow it to get out, but I had no success accessing the IPv6 internet, and only from behind the 610.
THX in advance.

cholzhauer

I'm pretty well confused...I think a diagram would help the situation.

If you're using a HE tunnel, everything requires protocol 41

Why not completely turn off iptables to get things working, then enable it bit by bit until you have it where you want it?

jtschoneich

Hi,
Maybe this will present my settings more clearly:

For simplicity, let's assume:
- HE 54G's sit0 HE local tunnel end 2001:aabb:wwxx:yyzz::2/64 (sit0 in reality is dev he-ipv6)
- HE routed prefix is 2001:aabb:ccdd::/48
- The 54G's LAN uses 2001:aabb:ccdd:1::/64
- The 610N's LAN uses 2001:aabb:ccdd:2::/64
- The 54G uses two interfaces, sit0 and lan0
- The 610N uses two interfaces, wan0 and lan0

Then let's assume the following IPv6 addresses:
- HE 54G's sit0 local tunnel end 2001:aabb:wwxx:yyzz::2/64
- 54G-lan0 is 2001:aabb:ccdd:1::1
- 610N-wan0 is 2001:aabb:ccdd:1::610
- 610N-lan0 is 2001:aabb:ccdd:2::1

Routes:

on the 610N:
$ ip -6 route add 2001:aabb:ccdd:1::/64 dev wan0
$ ip -6 route add default via 2001:aabb:ccdd:1::1 dev wan0
$ ip -6 route add 2001:aabb:ccdd:2::/64 dev lan0

on the 54G:
$ ip -6 route add default dev sit0
$ ip -6 route add 2001:aabb:ccdd:1::/64 dev lan0
$ ip -6 route add 2001:aabb:ccdd:2::/64 via 2001:aabb:ccdd:1::610 dev lan0

Firewalls are disabled on both routers

Using radvd for address distribution on lans

on the 610N:
radvd prefix: 2001:aabb:ccdd:2::/64

on the 54G:
radvd prefix: 2001:aabb:ccdd:1::/64

Once again: locally all machines are communicating. 54G's machines can get out to IPv6 Internet, and 610's machines can NOT get to IPv6 Internet.

lukec

Assuming this:-
Internet-----HE-tunnel:1-------net1/64-------:2sit0-54GS-lan0-1::1-------net2/64-------1::610wan0-610N-lan0 2::1-------net3/64-----various pcs not able to go out.

where
net1 is your tunnel to HE /64
net2 and net3 are different /64s from your routed /48
?
Does ping6 (ping msworld) from a pc on net3 get responses from pcs on net2? The packet goes to the 610N connected to net3 and on to connected net2, assuming the routing table on those hosts has 610N-lan0-net3 2::1 as their default gateway.
What would break this is if 54GS-lan0 could not reach wan0-610N...
Can you ping between the routers?   (i.e. source a ping from 610-wan0 to lan0-54GS)

OR what if your routed /48 is actually your routed /64 (simplistic agreed but easy to miss)
Regards
lukec

jtschoneich

@lukec
Internet-----HE-tunnel:1-------net1/64-------:2sit0-54GS-lan0-1::1-------net2/64-------1::610wan0-610N-lan0 2::1-------net3/64-----various pcs not able to go out.

I would modify your graphic, to make it more clear:

Internet-IPv6---HE-Tun::1----Tun-Net/64 (since this is not my routed net)---HE-Tun::2-sit0-54GS-lan0-1::1----net1/64 (out of my routed/48, NOT from routed/64-they are different)---1::610-wan0-610---lan0 2::1---net2/64 (out of my routed/48)---PCs on net2/64.

Pure IPv6 (not tunneled) goes without any problems between net1/64 and net2/64, back and forth, all PCs are talking to each other on both nets and between these nets.
PCs on net1/64, where is sit0, can get to Internet IPv6 using HE-Tun, no issues here.
PCs on net2/64 (attached to wrt610n) can NOT get to HE-Tun, and to IPV6 Internet.
The 1::610-wan0-610 interface cannot even ping6 the :2sit0-54GS virtual interface tunnel address HE-Tun::2. Is proto 41 involved in this connection, or anything else? However the 610 router can ping6 any other IPv6 address on my networks (PCs as well can ping6 each other).
Firewalls are disabled on both routers. I am using routers ssh terminals to test pings between both routers.
I am not sure where to look, or what to look for, that causes such issue.
Any suggestions?

lukec

How are you making the 54GS-lan------------wan-610N connection?

The 610N has 4 switched gig ports and DSL yes? Is the wan port the DSL port on the 610N?
Possible this is not routing but switching via the ethernets or your wireless?
Regards
lukec

jtschoneich

610N has 4 lan ports 1-4 and 1 wan port.
I am not sure what you mean here by "DSL" port?
My 610N wan is connected to 54GS lan3 port by cat5 cable (not wireless)
610N is deliberately set as router (and not as gateway, as 54GS is).
>>Possible this is not routing but switching via the ethernets or your wireless<<
I really do not know how to differentiate what router is doing inside.
However, I do not encounter any IPv4 issues between networks and machines. Traffic passes between different subnets without issues.
I suspect it has something to do with handling & passing proto 41 (tunnelled IPv6) traffic. Pure IPv4 & v6 do not exhibit any issues, but 6to4/6in4 do.

allen4names

There seems to be only one gateway here so I would only use one /64 for this, allocating a /80 to each router.
%your64prefix%::1/64 - Remote tunnel endpoint
%your64prefix%:1::1/80 - Local tunnel endpoint at your 54GS
%your64prefix%:2::1/80 - Your 610N

Each machine should get an address from the /80 allocated to the router it is connected to.

I hope this works.

Allen

jtschoneich

SOLVED:
Not sure if this is an appropriate/entirely correct solution in IPv6 world, but it is working for me.
So if members of this forum will allow me, here are more details:

I have created a local 6to4/6in4 tunnel between my primary 54GS router and secondary 610N router.
You can see my network layout in above posts.

So, on 610N:
1. ip tunnel add my-local-ipv6-tun mode sit remote {610N gateway IPv4 addr (=54GS internal IPv4 addr on br0)} local {610N wan IPv4 addr} ttl 255
2. ip link set my-local-ipv6-tun up
3. ip addr add 2001:aabb:ccdd:3::2/64 dev my-local-ipv6-tun (I chose this address from another unused subnet :3 from my routed pool, in order not to interfere with other local subnets)
4. ip route add default dev my-local-ipv6-tun
5. ip route add ::/0 dev my-local-ipv6-tun
6. ip route add 2000::/3 dev my-local-ipv6-tun

on 54GS:
added additional tunnel interface to the existing one
1. ip tunnel add my-local-ipv6-tun mode sit remote {610N wan IPv4 addr} local {610N gateway IPv4 addr (=54GS internal IPv4 addr on br0)} ttl 255
2. ip link set my-local-ipv6-tun up
3. ip addr add 2001:aabb:ccdd:3::1/64 dev my-local-ipv6-tun

I did not bother adding any additional routes, since I have noticed that once I created a device, a route was automatically created for this device's prefix, so all routes were correct (using radvd).

I hope this might help, in any case someone has similar network topography.
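The router-to-router 6in4 tunnel from the SOLVED post, as one script that brings up either end (added example, not the poster's own commands). It assumes the thread's tunnel name and spare /64, uses constructed placeholder IPv4 addresses, and adds an iptables rule that admits protocol 41 only from the known peer; the route the hub installs for the 610N LAN is my choice, not something the thread did.

```shell
#!/bin/sh
# Added example, not from the thread: bring up the router-to-router 6in4
# (IPv4 protocol 41) tunnel from the SOLVED post on either end from one script.
# IPv4 addresses are constructed placeholders (RFC 5737 space).
# DRY_RUN=1 prints the commands instead of executing them (root needed otherwise).

TUN=my-local-ipv6-tun                     # tunnel device name from the thread
TUN_PREFIX=2001:aabb:ccdd:3               # spare /64 from the routed /48
SPOKE_LAN=2001:aabb:ccdd:2::/64           # LAN behind the 610N
GW_V4=${GW_V4:-192.0.2.1}                 # 54GS br0 IPv4 (placeholder)
WAN_V4=${WAN_V4:-192.0.2.2}               # 610N WAN IPv4 (placeholder)

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# tunnel_up hub|spoke: "hub" is the 54GS (tunnel end ::1, holds the HE tunnel),
# "spoke" is the 610N (tunnel end ::2). Each side's local/remote pair is the
# mirror image of the other's, which is the detail most easily swapped.
tunnel_up() {
    case $1 in
        hub)   local_v4=$GW_V4;  remote_v4=$WAN_V4; addr="$TUN_PREFIX::1/64" ;;
        spoke) local_v4=$WAN_V4; remote_v4=$GW_V4;  addr="$TUN_PREFIX::2/64" ;;
        *)     echo "usage: tunnel_up hub|spoke" >&2; return 2 ;;
    esac
    run ip tunnel add "$TUN" mode sit remote "$remote_v4" local "$local_v4" ttl 255
    run ip link set "$TUN" up
    run ip -6 addr add "$addr" dev "$TUN"
    # If iptables is active, accept encapsulated IPv6 only from the known peer
    # instead of opening protocol 41 to the whole WAN.
    run iptables -I INPUT -p 41 -s "$remote_v4" -d "$local_v4" -j ACCEPT
    if [ "$1" = spoke ]; then
        # Everything the 610N cannot route locally goes into the tunnel
        run ip -6 route replace default dev "$TUN"
    else
        # Send replies for the 610N's LAN back through the tunnel so both
        # directions take the same path (my choice; the thread added no
        # extra routes on the 54GS)
        run ip -6 route replace "$SPOKE_LAN" dev "$TUN"
    fi
}

# Usage: GW_V4=... WAN_V4=... sh tunnel.sh spoke   (on the 610N)
#        GW_V4=... WAN_V4=... sh tunnel.sh hub     (on the 54GS)
if [ -n "${1:-}" ]; then tunnel_up "$1"; fi
```

After both ends are up, a ping6 from the 610N to 2001:aabb:ccdd:3::1 confirms the tunnel itself before testing Internet reachability from the net2 PCs.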