Hurricane Electric's IPv6 Tunnel Broker Forums

Advanced search  

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Author Topic: routed network only reachable on tunnel server  (Read 3595 times)

digidoc

  • Newbie
  • *
  • Posts: 12
routed network only reachable on tunnel server
« on: December 20, 2010, 07:33:27 AM »

hello forum

i have two machines, one setup as tunnelserver (hws1)
and ones as a second server (hws2)
in my ipv6 routeable block (2001:470:1f15:109f::/64)

the addresses i assign from my routable block on hws1 can be ping6'ed and traceroute6'ed
any addresses i assign to hws2 are not reachable
i can however traceroute out from hws2 to for example ipv6.google.com
i can see packets coming in for hws2 with tcpdump on hws1 the he-ipv6 interface but hws1 does not forward them
any help appreciated
regards
hoyte swager


forwarding is enabled on hws1:

[root@hws1 root]# cat /proc/sys/net/ipv6/conf/all/forwarding
1

ipv6 addresses on hws1:

[root@hws1 root]# ip -6 addr         
2: eth0: <BROADCAST,MULTICAST,UP> qlen 1000
    inet6 2001:470:1f15:109f::f1/128 scope global
13: he-ipv6: <POINTOPOINT,NOARP,UP>
    inet6 2001:470:1f14:109f::2/64 scope global

ipv6 routes on hws1:

[root@hws1 root]# ip -6 route
2001:470:1f14:109f::/64 via :: dev he-ipv6  metric 256  mtu 1280 advmss 1220
2001:470:1f15:109f::/64 dev eth0  metric 1024  mtu 1280 advmss 1220
2000::/3 dev he-ipv6  metric 1024  mtu 1280 advmss 1220
default dev he-ipv6  metric 1024  mtu 1280 advmss 1220


ipv6 addresses on hws2:

[root@hws2 root]# ip -6 addr

2: eth0: <BROADCAST,MULTICAST,UP> qlen 1000
    inet6 2001:470:1f15:109f::f2/128 scope global

ipv6 routes on hws2:

[root@hws2 root]# ip -6 route
2001:470:1f14:109f::/64 via 2001:470:1f15:109f::f1 dev eth0  metric 1024  mtu 1500 advmss 1440
2001:470:1f15:109f::/64 dev eth0  metric 1024  mtu 1500 advmss 1440
2000::/3 via 2001:470:1f15:109f::f1 dev eth0  metric 1024  mtu 1500 advmss 1440
default via 2001:470:1f15:109f::f1 dev eth0  metric 1024  mtu 1500 advmss 1440

traceroute from hws2:

[root@hws2 root]# traceroute6 ipv6.google.com
traceroute to ipv6.l.google.com (2a00:1450:8005::63) from 2001:470:1f15:109f::f2, 30 hops max, 16 byte packets
 1  hws1.digi.nl (2001:470:1f15:109f::f1)  0.288 ms  0.132 ms  0.116 ms
 2  digidoc-1.tunnel.tserv11.ams1.ipv6.he.net (2001:470:1f14:109f::1)  18.091 ms  19.874 ms  20.302 ms
 3  gige-g2-20.core1.ams1.he.net (2001:470:0:7d::1)  16.091 ms  2.57 ms  14.482 ms
 4  pr61.ams04.net.google.com (2001:7f8:1::a501:5169:1)  4.839 ms  41.875 ms  2.063 ms
 5  2001:4860::1:0:8 (2001:4860::1:0:8)  3.885 ms  2.7 ms  2.752 ms
 6  2001:4860::1:0:2a (2001:4860::1:0:2a)  6.99 ms  6.778 ms  6.809 ms
 7  2001:4860::2:0:66e (2001:4860::2:0:66e)  6.773 ms  6.057 ms  6.734 ms
 8  2001:4860:0:1::65 (2001:4860:0:1::65)  7.056 ms  11.217 ms  19.75 ms
 9  2a00:1450:8005::63 (2a00:1450:8005::63)  11.879 ms  6.764 ms  6.763 ms

tcpdump of incoming ping for hws2 on hws1:

[root@hws1 root]# tcpdump -i he-ipv6 -n ip6 and not port 53
tcpdump: WARNING: he-ipv6: no IPv4 address assigned
tcpdump: listening on he-ipv6
16:29:09.782706 2001:5c0:1400:a::d3 > 2001:470:1f15:109f::f2: icmp6: echo request
16:29:10.782766 2001:5c0:1400:a::d3 > 2001:470:1f15:109f::f2: icmp6: echo request
16:29:11.782586 2001:5c0:1400:a::d3 > 2001:470:1f15:109f::f2: icmp6: echo request
16:29:12.773569 2001:470:1f14:109f::2 > 2001:5c0:1400:a::d3: icmp6: 2001:470:1f15:109f::f2 unreachable address
16:29:12.773585 2001:470:1f14:109f::2 > 2001:5c0:1400:a::d3: icmp6: 2001:470:1f15:109f::f2 unreachable address
16:29:12.773603 2001:470:1f14:109f::2 > 2001:5c0:1400:a::d3: icmp6: 2001:470:1f15:109f::f2 unreachable address
16:29:12.782604 2001:5c0:1400:a::d3 > 2001:470:1f15:109f::f2: icmp6: echo request
16:29:15.773620 2001:470:1f14:109f::2 > 2001:5c0:1400:a::d3: icmp6: 2001:470:1f15:109f::f2 unreachable address

but a ping from hws1 to hws2 works fine:

[root@hws1 root]# ping6 -c 3 2001:470:1f15:109f::f2
PING 2001:470:1f15:109f::f2(2001:470:1f15:109f::f2) from 2001:470:1f15:109f::f1 : 56 data bytes
64 bytes from 2001:470:1f15:109f::f2: icmp_seq=1 ttl=64 time=0.247 ms
64 bytes from 2001:470:1f15:109f::f2: icmp_seq=2 ttl=64 time=0.112 ms
64 bytes from 2001:470:1f15:109f::f2: icmp_seq=3 ttl=64 time=0.126 ms

--- 2001:470:1f15:109f::f2 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 1999ms
rtt min/avg/max/mdev = 0.112/0.161/0.247/0.062 ms
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2737
Re: routed network only reachable on tunnel server
« Reply #1 on: December 20, 2010, 07:40:17 AM »

What OS?
Logged

digidoc

  • Newbie
  • *
  • Posts: 12
Re: routed network only reachable on tunnel server
« Reply #2 on: December 20, 2010, 07:52:04 AM »

[root@hws1 root]# uname -a
Linux hws1 2.4.37 #2 Thu Sep 24 11:34:04 EDT 2009 i686 unknown

[root@hws2 root]# uname -a
Linux hws2 2.4.37 #9 SMP Fri May 8 17:02:39 CEST 2009 i686 unknown

regards
hoyte
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2737
Re: routed network only reachable on tunnel server
« Reply #3 on: December 20, 2010, 07:54:03 AM »

Are you running some sort of firewall on hws2 that would be blocking this traffic?
Logged

digidoc

  • Newbie
  • *
  • Posts: 12
Re: routed network only reachable on tunnel server
« Reply #4 on: December 20, 2010, 08:01:22 AM »

no, currently all on accept
the weirdest thing is it worked just now for a moment and then stopped working again
so the problem seems intermittent
???
regards
hoyte



[root@hws1 external]# ip6tables -L -v
Chain INPUT (policy ACCEPT 8468 packets, 2513K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 962 packets, 84304 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 8576 packets, 977K bytes)
 pkts bytes target     prot opt in     out     source               destination         


(successfull traceroute)

imac:bin root# traceroute6 -n 2001:470:1f15:109f::f2
traceroute6 to 2001:470:1f15:109f::f2 (2001:470:1f15:109f::f2) from 2001:5c0:1400:a::d3, 64 hops max, 12 byte packets
 1  2001:5c0:1400:a::d2  18.122 ms  18.078 ms  18.380 ms
 2  2001:4de0:1000:a22::1  18.650 ms  18.379 ms  40.232 ms
 3  2001:4de0:a::1  27.201 ms  24.781 ms  25.192 ms
 4  2001:7f8:1::a500:6939:1  23.258 ms  24.664 ms  24.964 ms
 5  2001:470:0:7d::2  23.210 ms  23.575 ms  22.402 ms
 6  2001:470:1f14:109f::2  20.464 ms  20.440 ms  20.761 ms
 7  2001:470:1f15:109f::f2  20.718 ms  21.009 ms  20.689 ms

(followed by failed ping)

imac:bin root# ping6 2001:470:1f15:109f::f2
PING6(56=40+8+8 bytes) 2001:5c0:1400:a::d3 --> 2001:470:1f15:109f::f2
Request timeout for icmp_seq=0
Request timeout for icmp_seq=1
Request timeout for icmp_seq=2

(followed by failed traceroute, failing on the tunnel server)

imac:bin root# traceroute6 -n 2001:470:1f15:109f::f2
traceroute6 to 2001:470:1f15:109f::f2 (2001:470:1f15:109f::f2) from 2001:5c0:1400:a::d3, 64 hops max, 12 byte packets
 1  2001:5c0:1400:a::d2  18.991 ms  18.163 ms  17.947 ms
 2  2001:4de0:1000:a22::1  18.783 ms  18.361 ms  18.672 ms
 3  2001:4de0:a::1  18.518 ms  18.686 ms  18.468 ms
 4  2001:7f8:1::a500:6939:1  29.018 ms  25.165 ms  32.461 ms
 5  2001:470:0:7d::2  23.255 ms  23.693 ms  22.734 ms
 6  2001:470:1f14:109f::2  20.448 ms  20.572 ms  20.628 ms
 7  2001:470:1f14:109f::2  3016.277 ms !A  3019.986 ms !A *
Logged

digidoc

  • Newbie
  • *
  • Posts: 12
Re: routed network only reachable on tunnel server
« Reply #5 on: December 20, 2010, 08:26:43 AM »

it gets even weirder
if i keep the ping from outside running to hws2, the one that is timing out,
the moment i do a ping6 from hws2 to the hws1 on its routable address
the outside ping to hws2 start working again !?
maybe ipv6 and 2.4.37 was not a good idea ;-( ?
i am trying to get some legacy servers reachable but cannot upgrade the kernel due to an old app running on it
any help appreciated
regards
hoyte

Logged

digidoc

  • Newbie
  • *
  • Posts: 12
Re: routed network only reachable on tunnel server
« Reply #6 on: December 20, 2010, 09:29:46 AM »

after putting the tunnel server on a newer kernel, things seem to be working more stable

[root@mon1 mail]# uname -a
Linux mon1 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:40 EST 2010 i686 athlon i386 GNU/Linux

apparently the 2.4.37 kernel can't handle the tunnel router in ipv6 very well

regards
hoyte
Logged