Hurricane Electric's IPv6 Tunnel Broker Forums

Advanced search  

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Author Topic: Problems with ping (or anything else) from outside  (Read 5178 times)

torhowden

  • Newbie
  • *
  • Posts: 4
Problems with ping (or anything else) from outside
« on: February 06, 2011, 03:06:22 PM »

Her is my setup

modprobe sit
ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.80.90
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:470:yyy7:xx::2/64  > client ipv6 address
route -A inet6 add ::/0 dev sit1
radvd
ip -6 addr add 2001:470:yyy8:xx::100/64 dev eth1 > Routed /64: address

config for radvd give routed "2001:470:yyy8:xx:0000:0000:0000:0000 " 64 addresses

I can ping with every address in my network to any outside network

My problem is that ping from outside network don't get any answer.
appart from this one 2001:470:xxx8:xx::100 my router (Suse linux enterprise edition 11)
this address answers perfectly.

I can ping internally.

Can anyone help  ???
Tor Emil
Logged

comptech

  • Newbie
  • *
  • Posts: 31
Re: Problems with ping (or anything else) from outside
« Reply #1 on: February 06, 2011, 10:32:21 PM »

Does "ip6tables -L" show any rules? 

I can't ping your tunnel end-point or the address assigned to eth1.

Traceroutes just to see traffic going through the tunnel server.
Code: [Select]
core1.sto1.he.net> traceroute ipv6 2001:470:27:a9::2

Tracing the route to IPv6 node  from 1 to 30 hops

  1     1 ms    1 ms    1 ms 1g-eth0.tserv24.sto1.ipv6.he.net [2001:470:0:11e::2]
  2    *       *       *     ?
  3    *       *       *     ?
  4    *       *       *     ?
  5    *       *       *     ?

Code: [Select]
core1.sto1.he.net> traceroute ipv6 2001:470:28:a9::100

Tracing the route to IPv6 node  from 1 to 30 hops

  1     1 ms    1 ms    1 ms 1g-eth0.tserv24.sto1.ipv6.he.net [2001:470:0:11e::2]
  2    *       *       *     ?
  3    *       *       *     ?
  4    *       *       *     ?
  5    *       *       *     ?
Logged

torhowden

  • Newbie
  • *
  • Posts: 4
Re: Problems with ping (or anything else) from outside
« Reply #2 on: February 07, 2011, 12:50:19 AM »

My iptables -L output
Code: [Select]
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            state RELATED
input_int  all  --  anywhere             anywhere           
input_ext  all  --  anywhere             anywhere           
input_ext  all  --  anywhere             anywhere           
input_ext  all  --  anywhere             anywhere           
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP       all  --  anywhere             anywhere           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
forward_int  all  --  anywhere             anywhere           
forward_ext  all  --  anywhere             anywhere           
forward_ext  all  --  anywhere             anywhere           
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
DROP       all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (2 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
DROP       all  --  anywhere             anywhere           

Chain forward_int (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
reject_func  all  --  anywhere             anywhere           

Chain input_ext (3 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpts:tcpmux:65535 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:tcpmux:65535
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:domain flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:5801 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5801
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:5901 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5901
ACCEPT     udp  --  anywhere             anywhere            udp dpts:tcpmux:65535
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP       all  --  anywhere             anywhere           

Chain input_int (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           

Chain reject_func (1 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-proto-unreachable

I dont understand wy you cant ping my addresses I can from www.berkom.blazing.de
Her is the result from one off them
Code: [Select]
Results:
       1  2a01:30:100a::1  0.798 ms  0.664 ms  0.470 ms
       2  2a01:30:100f::2  21.697 ms  19.391 ms  21.229 ms
       3  2001:470:15:7a::1  27.776 ms  27.935 ms  26.896 ms
       4  gige-g2-5.core1.fra1.he.net (2001:470:0:a5::1)  29.449 ms  29.273 ms  29.315 ms
       5  10gigabitethernet1-1.core1.sto1.he.net (2001:470:0:110::2)  54.403 ms  53.452 ms  60.856 ms
       6  1g-eth0.tserv24.sto1.ipv6.he.net (2001:470:0:11e::2)  52.640 ms  53.822 ms  53.792 ms
       7  2001:470:28:a9::100  84.602 ms  87.132 ms  85.038 ms

Results:
       1  2a01:30:100a::1  0.796 ms  2.455 ms  1.803 ms
       2  2a01:30:100f::2  21.859 ms  20.060 ms  19.297 ms
       3  2001:470:15:7a::1  28.924 ms  29.699 ms  28.856 ms
       4  gige-g2-5.core1.fra1.he.net (2001:470:0:a5::1)  26.912 ms  30.154 ms  28.012 ms
       5  10gigabitethernet1-1.core1.sto1.he.net (2001:470:0:110::2)  54.128 ms  55.197 ms  59.994 ms
       6  1g-eth0.tserv24.sto1.ipv6.he.net (2001:470:0:11e::2)  56.148 ms  54.865 ms  54.810 ms
       7  2001:470:27:a9::2  84.474 ms  85.454 ms  87.061 ms


As you can see both is answering ?????????
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2729
Re: Problems with ping (or anything else) from outside
« Reply #3 on: February 07, 2011, 05:04:37 AM »

x'ing out IP addresses does nothing and makes troubleshooting harder.
Logged

torhowden

  • Newbie
  • *
  • Posts: 4
Re: Problems with ping (or anything else) from outside
« Reply #4 on: February 07, 2011, 07:34:35 AM »

See the point her is the correct with addresses

Quote
modprobe sit
ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.80.90
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:470:27:a9::2/64  > client ipv6 address
route -A inet6 add ::/0 dev sit1
radvd
ip -6 addr add 2001:470:28:a9::100/64 dev eth1 > Routed /64: address

config for radvd give routed "2001:470:28:a9:0000:0000:0000:0000 " 64 addresses

I can ping with every address in my network to any outside network
My problem is that ping from outside network don't get any answer.
apart from 2001:470:28:a9::100 my router (Suse linux enterprise edition 11 and 2001:470:27:a9::2
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2729
Re: Problems with ping (or anything else) from outside
« Reply #5 on: February 07, 2011, 07:36:15 AM »

I just came across this yesterday too...why are you using both sit0 and sit1?

Other then that, if you drop the firewall, does everything work?
Logged

comptech

  • Newbie
  • *
  • Posts: 31
Re: Problems with ping (or anything else) from outside
« Reply #6 on: February 07, 2011, 04:59:24 PM »

I'm guessing the reason he has sit0 and sit1 is because it's the config tunnelbroker generates for Linux-net-tools (which is correct as far as I know):
Code: [Select]
ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.80.90
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:470::X/64
route -A inet6 add ::/0 dev sit1

The same traceroutes I did yesterday are now working:
Code: [Select]
core1.sto1.he.net> traceroute ipv6 2001:470:27:a9::2

Tracing the route to IPv6 node  from 1 to 30 hops

  1     1 ms    1 ms    1 ms 1g-eth0.tserv24.sto1.ipv6.he.net [2001:470:0:11e::2]
  2    32 ms   36 ms   33 ms torhowden-1-pt.tunnel.tserv24.sto1.ipv6.he.net [2001:470:27:a9::2]

Code: [Select]
core1.sto1.he.net> traceroute ipv6 2001:470:28:a9::100

Tracing the route to IPv6 node  from 1 to 30 hops

  1     1 ms    1 ms    1 ms 1g-eth0.tserv24.sto1.ipv6.he.net [2001:470:0:11e::2]
  2    34 ms   44 ms   36 ms 2001:470:28:a9::100

Did you change anything?

What about the output for "ip6tables -L"?  "iptables -L" only shows rules for IPv4.
Logged

torhowden

  • Newbie
  • *
  • Posts: 4
Re: Problems with ping (or anything else) from outside
« Reply #7 on: February 08, 2011, 12:09:03 AM »

Mr. typo was out walking again  ;D

her is ip6tables
Code: [Select]
Chain INPUT (policy DROP)
target     prot opt source               destination        
ACCEPT     all      anywhere             anywhere            
ACCEPT     all      anywhere             anywhere            state ESTABLISHED
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED
input_int  all      anywhere             anywhere            
input_ext  all      anywhere             anywhere            
input_ext  all      anywhere             anywhere            
input_ext  all      anywhere             anywhere            
LOG        all      anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP       all      anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination        
forward_int  all      anywhere             anywhere            
forward_ext  all      anywhere             anywhere            
forward_ext  all      anywhere             anywhere            
LOG        all      anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
DROP       all      anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all      anywhere             anywhere            
ACCEPT     ipv6-icmp    anywhere             anywhere            
ACCEPT     all      anywhere             anywhere            state NEW,RELATED,ESTABLISHED
LOG        all      anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (2 references)
target     prot opt source               destination        
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp echo-reply
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp parameter-problem
LOG        all      2001:470:28:a9::/64  2000::/3            limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-FORW '
ACCEPT     all      2001:470:28:a9::/64  2000::/3            state NEW,RELATED,ESTABLISHED
ACCEPT     all      2000::/3             2001:470:28:a9::/64 state RELATED,ESTABLISHED
LOG        all      anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
DROP       all      anywhere             anywhere            

Chain forward_int (1 references)
target     prot opt source               destination        
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp echo-reply
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp parameter-problem
LOG        all      2001:470:28:a9::/64  2000::/3            limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-FORW '
ACCEPT     all      2001:470:28:a9::/64  2000::/3            state NEW,RELATED,ESTABLISHED
ACCEPT     all      2000::/3             2001:470:28:a9::/64 state RELATED,ESTABLISHED
LOG        all      anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
reject_func  all      anywhere             anywhere            

Chain input_ext (3 references)
target     prot opt source               destination        
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp echo-request
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp router-solicitation
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp router-advertisement
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp neighbour-solicitation
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp neighbour-advertisement
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp redirect
LOG        tcp      anywhere             anywhere            limit: avg 3/min burst 5 tcp dpts:tcpmux:65535 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp      anywhere             anywhere            tcp dpts:tcpmux:65535
LOG        tcp      anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:domain flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp      anywhere             anywhere            tcp dpt:domain
LOG        tcp      anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp      anywhere             anywhere            tcp dpt:ssh
LOG        tcp      anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:5801 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp      anywhere             anywhere            tcp dpt:5801
LOG        tcp      anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:5901 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp      anywhere             anywhere            tcp dpt:5901
ACCEPT     udp      anywhere             anywhere            udp dpts:tcpmux:65535
ACCEPT     udp      anywhere             anywhere            udp dpt:domain
LOG        all      anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP       all      anywhere             anywhere            

Chain input_int (1 references)
target     prot opt source               destination        
ACCEPT     all      anywhere             anywhere            

Chain reject_func (1 references)
target     prot opt source               destination        
REJECT     tcp      anywhere             anywhere            reject-with tcp-reset
REJECT     udp      anywhere             anywhere            reject-with icmp6-port-unreachable
REJECT     all      anywhere             anywhere            reject-with icmp6-addr-unreachable
DROP       all      anywhere             anywhere            

I have not done any changes in my setup
And firewall is not started yet due to testing (one problem taken away)

her is a tracroute for 2001:470:28:a9::300 one of my internal servers
Code: [Select]
Results:
       1  2a01:30:100a::1  0.730 ms  0.512 ms  0.541 ms
       2  2a01:30:100f::2  19.429 ms  20.223 ms  21.175 ms
       3  2001:470:15:7a::1  29.431 ms  29.303 ms  29.092 ms
       4  gige-g2-5.core1.fra1.he.net (2001:470:0:a5::1)  27.411 ms  28.966 ms  29.101 ms
       5  10gigabitethernet1-1.core1.sto1.he.net (2001:470:0:110::2)  52.398 ms  73.993 ms  54.787 ms
       6  1g-eth0.tserv24.sto1.ipv6.he.net (2001:470:0:11e::2)  54.685 ms  52.950 ms  54.751 ms
       7  2001:470:27:a9::2  84.687 ms  85.132 ms  83.624 ms
       8  * * * and continuing to number 30

TEH
« Last Edit: February 08, 2011, 12:11:23 AM by torhowden »
Logged

comptech

  • Newbie
  • *
  • Posts: 31
Re: Problems with ping (or anything else) from outside
« Reply #8 on: February 12, 2011, 08:41:53 AM »

If you don't have ip6tables running the only other idea that comes to mind is a routing problem.  What does "route -6" show?
Logged

timbaldwin

  • Newbie
  • *
  • Posts: 6
Re: Problems with ping (or anything else) from outside
« Reply #9 on: February 14, 2011, 01:31:42 AM »

I have not done any changes in my setup
And firewall is not started yet due to testing (one problem taken away)

Based on that ip6tables output you do have a firewall that is blocking incoming connections.
Logged