
Tunnel only works after tracert from other hosts

Started by phxazcraig, February 05, 2011, 08:58:08 AM


phxazcraig

Learning IPv6 here.  Have a small home/business network, and I've set up an IPv6 tunnel through HE on a SuSE SLES10.3 server. 

From the server, I can always ping IPv6 addresses and browse to IPv6 websites.  So far, so good.  I enabled routing on the server, and I set up radvd.   From all my other IPv6 hosts, I can see a default route pointing to the local IPv6 address of my SuSE tunnel server.   All my other hosts can ping the tunnel server's local and global IPv6 addresses.  (But they cannot ping any of the tunnel addresses at any time - the ::1 and ::2 addresses given to me by Hurricane Electric).

From other hosts in my network, I have intermittent success.   (I have Windows, NetWare and Linux hosts and servers).  From Windows 7 or Windows 2008 server, if I ping -6 ipv6.google.com, it fails.  However, if I first tracert -6 ipv6.google.com, I get responses back, and THEN the ping -6 to google or other sites works.   And I can then browse IPv6 websites from any of my network hosts.

Wait a minute or so, and pinging and browsing to IPv6 fails again, except from the SuSE tunnel server.   Repeat the tracert -6 test, and the tunnel is active for all hosts again.

What's going on here, and how can I keep the tunnel functional full-time?


packetmail

#1
This looks like a routing issue, something I had issues with as well.  You need to remove the routed /64 from the tunnel interface.  Here is my "6up.sh" script I call from /etc/rc.local to bring up the tunnel.  I hope this helps.


#!/bin/sh

/sbin/modprobe ipv6

#Bring up the 6in4 tunnel, defaults from HE.
/sbin/ip tunnel add he-ipv6 mode sit remote 216.66.22.2 local 192.168.1.4 ttl 255
/sbin/ip link set he-ipv6 up
/sbin/ip addr add 2001:db8:7::2/64 dev he-ipv6
/sbin/ip route add ::/0 dev he-ipv6
/sbin/ip -f inet6 addr

#Allocate an IPv6 address to he-ipv6 and eth0 from our routed /64
/sbin/ip addr add 2001:db8:8::2/64 dev he-ipv6
/sbin/ip addr add 2001:db8:8::1/64 dev eth0

#Remove the routed /64 from the he-ipv6 tunnel to avoid routing loops.
/sbin/ip -6 route del 2001:db8:8::/64 dev he-ipv6

#Enable Forwarding
/sbin/sysctl -w net.ipv6.conf.default.forwarding=1
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

#Start radvd for IPv6 LAN announcement
/etc/init.d/radvd start

#Tunnel keep alive.
/usr/bin/sudo -u nobody -g nogroup /usr/bin/nohup /bin/ping6 -I eth0 -nn -W 5 -i 120 -s 20 -p 4b6565702d416c697665 2001:db8:7::1 > /dev/null 2>&1 &


Here is my radvd.conf; my MTU is set to 1472 (1500 - 8 bytes PPPoE overhead - 20 bytes 6in4 overhead = 1472).  My internal DNS server is at 2001:db8:8::f3.


interface eth0 {
AdvSendAdvert on;
AdvLinkMTU 1472;
AdvDefaultPreference high;
prefix 2001:db8:8::/64 {AdvOnLink on; AdvAutonomous on;};
RDNSS 2001:db8:8::f3 {};
};

phxazcraig

Wow - that was it - thanks!

Removing the route you suggested worked fine.   

Now the hard part - can you explain what was happening there, and why that was necessary?

packetmail

Quote from: phxazcraig on February 05, 2011, 10:12:46 AM
Now the hard part - can you explain what was happening there, and why that was necessary?

Glad it worked. As best as I understand it, it's a routing loop.  When you use 'ip -6 addr add' to add the routed /64 to the 6in4 tunnel, you add a default route for that /64 network, and since it's part of the 6in4 itself, you create a self-pointed routing loop on the tunnel interface.  A route for the routed /64 isn't necessary on the tunnel interface.  Here is the routing table I am using:


#:~$ ip -6 route
2001:db8:7::/64 via :: dev he-ipv6  proto kernel  metric 256  mtu 1472 advmss 1412 hoplimit 0
2001:db8:8::/64 dev eth0  proto kernel  metric 256  mtu 1492 advmss 1432 hoplimit 0
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1492 advmss 1432 hoplimit 0
fe80::/64 via :: dev he-ipv6  proto kernel  metric 256  mtu 1472 advmss 1412 hoplimit 0
default dev he-ipv6  metric 1024  mtu 1472 advmss 1412 hoplimit 0
#:~$

cholzhauer

Right...no need to add the routing line for a /64 that your computer is already a member of.

I.e., if your routed /64 is 2001:db8:1234:4567::/64 and your computer has 2001:db8:1234:4567::2, your computer already knows where to send traffic...you don't need to tell it again.  It's a directly connected interface...you only need to tell it about addresses/subnets/routes that aren't directly connected.
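
A check for the condition discussed in this thread, as an added example that is not part of any poster's reply: it reads `ip -6 route` output and lists every global prefix that is on-link on more than one interface. The function names and the "before" table are constructed for illustration; the "after" table is the one posted above.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ip -6 route` text on stdin and
# prints "<prefix>: <dev> <dev>..." for each prefix that has a connected route
# (no gateway, or the "via ::" form) on more than one device.
dup_onlink_prefixes() {
    awk '
    $1 == "default" || $1 ~ /^fe80:/ { next }   # link-local is on every interface
    {
        dev = ""; gw = ""
        for (i = 2; i < NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "via") gw  = $(i + 1)
        }
        if (dev == "" || (gw != "" && gw != "::")) next   # real next hop: not on-link
        if (index(" " devs[$1] " ", " " dev " ") == 0) {
            devs[$1] = (devs[$1] == "" ? dev : devs[$1] " " dev)
            count[$1]++
        }
    }
    END { for (p in count) if (count[p] > 1) print p ": " devs[p] }'
}

# Constructed sample: the routed /64 is still on-link on he-ipv6, i.e. the
# state before the "ip -6 route del" step in the script above.
sample_before() {
    cat <<'EOF'
2001:db8:7::/64 via :: dev he-ipv6  proto kernel  metric 256
2001:db8:8::/64 via :: dev he-ipv6  proto kernel  metric 256
2001:db8:8::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256
fe80::/64 via :: dev he-ipv6  proto kernel  metric 256
default dev he-ipv6  metric 1024
EOF
}

# The working routing table posted in the thread.
sample_after() {
    cat <<'EOF'
2001:db8:7::/64 via :: dev he-ipv6  proto kernel  metric 256  mtu 1472 advmss 1412 hoplimit 0
2001:db8:8::/64 dev eth0  proto kernel  metric 256  mtu 1492 advmss 1432 hoplimit 0
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1492 advmss 1432 hoplimit 0
fe80::/64 via :: dev he-ipv6  proto kernel  metric 256  mtu 1472 advmss 1412 hoplimit 0
default dev he-ipv6  metric 1024  mtu 1472 advmss 1412 hoplimit 0
EOF
}

echo "before: $(sample_before | dup_onlink_prefixes)"
echo "after:  $(sample_after | dup_onlink_prefixes)"
```

On a live router, feed it the real table with `ip -6 route | dup_onlink_prefixes`; empty output means no prefix is on-link on two interfaces.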