Problems with ping (or anything else) from outside

Started by torhowden, February 06, 2011, 03:06:22 PM

torhowden

Here is my setup

modprobe sit
ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.80.90
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:470:yyy7:xx::2/64  # client IPv6 address
route -A inet6 add ::/0 dev sit1
radvd
ip -6 addr add 2001:470:yyy8:xx::100/64 dev eth1  # Routed /64: address

config for radvd give routed "2001:470:yyy8:xx:0000:0000:0000:0000 " 64 addresses

I can ping with every address in my network to any outside network

My problem is that pings from the outside network don't get any answer,
apart from this one, 2001:470:xxx8:xx::100, my router (SUSE Linux Enterprise edition 11);
this address answers perfectly.

I can ping internally.

Can anyone help  ???
Tor Emil

comptech

Does "ip6tables -L" show any rules? 

I can't ping your tunnel end-point or the address assigned to eth1.

Traceroutes just to see traffic going through the tunnel server.
core1.sto1.he.net> traceroute ipv6 2001:470:27:a9::2

Tracing the route to IPv6 node  from 1 to 30 hops

  1     1 ms    1 ms    1 ms 1g-eth0.tserv24.sto1.ipv6.he.net [2001:470:0:11e::2]
  2    *       *       *     ?
  3    *       *       *     ?
  4    *       *       *     ?
  5    *       *       *     ?


core1.sto1.he.net> traceroute ipv6 2001:470:28:a9::100

Tracing the route to IPv6 node  from 1 to 30 hops

  1     1 ms    1 ms    1 ms 1g-eth0.tserv24.sto1.ipv6.he.net [2001:470:0:11e::2]
  2    *       *       *     ?
  3    *       *       *     ?
  4    *       *       *     ?
  5    *       *       *     ?

torhowden

My iptables -L output
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            state RELATED
input_int  all  --  anywhere             anywhere           
input_ext  all  --  anywhere             anywhere           
input_ext  all  --  anywhere             anywhere           
input_ext  all  --  anywhere             anywhere           
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP       all  --  anywhere             anywhere           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
forward_int  all  --  anywhere             anywhere           
forward_ext  all  --  anywhere             anywhere           
forward_ext  all  --  anywhere             anywhere           
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
DROP       all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (2 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
DROP       all  --  anywhere             anywhere           

Chain forward_int (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
reject_func  all  --  anywhere             anywhere           

Chain input_ext (3 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpts:tcpmux:65535 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:tcpmux:65535
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:domain flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:5801 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5801
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:5901 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5901
ACCEPT     udp  --  anywhere             anywhere            udp dpts:tcpmux:65535
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP       all  --  anywhere             anywhere           

Chain input_int (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           

Chain reject_func (1 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-proto-unreachable


I don't understand why you can't ping my addresses; I can from www.berkom.blazing.de
Here is the result from one of them
Results:
       1  2a01:30:100a::1  0.798 ms  0.664 ms  0.470 ms
       2  2a01:30:100f::2  21.697 ms  19.391 ms  21.229 ms
       3  2001:470:15:7a::1  27.776 ms  27.935 ms  26.896 ms
       4  gige-g2-5.core1.fra1.he.net (2001:470:0:a5::1)  29.449 ms  29.273 ms  29.315 ms
       5  10gigabitethernet1-1.core1.sto1.he.net (2001:470:0:110::2)  54.403 ms  53.452 ms  60.856 ms
       6  1g-eth0.tserv24.sto1.ipv6.he.net (2001:470:0:11e::2)  52.640 ms  53.822 ms  53.792 ms
       7  2001:470:28:a9::100  84.602 ms  87.132 ms  85.038 ms

Results:
       1  2a01:30:100a::1  0.796 ms  2.455 ms  1.803 ms
       2  2a01:30:100f::2  21.859 ms  20.060 ms  19.297 ms
       3  2001:470:15:7a::1  28.924 ms  29.699 ms  28.856 ms
       4  gige-g2-5.core1.fra1.he.net (2001:470:0:a5::1)  26.912 ms  30.154 ms  28.012 ms
       5  10gigabitethernet1-1.core1.sto1.he.net (2001:470:0:110::2)  54.128 ms  55.197 ms  59.994 ms
       6  1g-eth0.tserv24.sto1.ipv6.he.net (2001:470:0:11e::2)  56.148 ms  54.865 ms  54.810 ms
       7  2001:470:27:a9::2  84.474 ms  85.454 ms  87.061 ms



As you can see, both are answering ?????????

cholzhauer

x'ing out IP addresses does nothing and makes troubleshooting harder.

torhowden

See the point. Here is the correct one with addresses

Quote
modprobe sit
ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.80.90
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:470:27:a9::2/64  # client IPv6 address
route -A inet6 add ::/0 dev sit1
radvd
ip -6 addr add 2001:470:28:a9::100/64 dev eth1  # Routed /64: address

config for radvd give routed "2001:470:28:a9:0000:0000:0000:0000 " 64 addresses

I can ping with every address in my network to any outside network
My problem is that pings from the outside network don't get any answer,
apart from 2001:470:28:a9::100, my router (SUSE Linux Enterprise edition 11), and 2001:470:27:a9::2

cholzhauer

I just came across this yesterday too...why are you using both sit0 and sit1?

Other than that, if you drop the firewall, does everything work?

comptech

I'm guessing the reason he has sit0 and sit1 is because it's the config tunnelbroker generates for Linux-net-tools (which is correct as far as I know):
ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.80.90
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:470::X/64
route -A inet6 add ::/0 dev sit1


The same traceroutes I did yesterday are now working:
core1.sto1.he.net> traceroute ipv6 2001:470:27:a9::2

Tracing the route to IPv6 node  from 1 to 30 hops

 1     1 ms    1 ms    1 ms 1g-eth0.tserv24.sto1.ipv6.he.net [2001:470:0:11e::2]
 2    32 ms   36 ms   33 ms torhowden-1-pt.tunnel.tserv24.sto1.ipv6.he.net [2001:470:27:a9::2]


core1.sto1.he.net> traceroute ipv6 2001:470:28:a9::100

Tracing the route to IPv6 node  from 1 to 30 hops

 1     1 ms    1 ms    1 ms 1g-eth0.tserv24.sto1.ipv6.he.net [2001:470:0:11e::2]
 2    34 ms   44 ms   36 ms 2001:470:28:a9::100


Did you change anything?

What about the output for "ip6tables -L"?  "iptables -L" only shows rules for IPv4.

torhowden

Mr. typo was out walking again  ;D

Here is ip6tables
Chain INPUT (policy DROP)
target     prot opt source               destination        
ACCEPT     all      anywhere             anywhere            
ACCEPT     all      anywhere             anywhere            state ESTABLISHED
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED
input_int  all      anywhere             anywhere            
input_ext  all      anywhere             anywhere            
input_ext  all      anywhere             anywhere            
input_ext  all      anywhere             anywhere            
LOG        all      anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP       all      anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination        
forward_int  all      anywhere             anywhere            
forward_ext  all      anywhere             anywhere            
forward_ext  all      anywhere             anywhere            
LOG        all      anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
DROP       all      anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all      anywhere             anywhere            
ACCEPT     ipv6-icmp    anywhere             anywhere            
ACCEPT     all      anywhere             anywhere            state NEW,RELATED,ESTABLISHED
LOG        all      anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (2 references)
target     prot opt source               destination        
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp echo-reply
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp parameter-problem
LOG        all      2001:470:28:a9::/64  2000::/3            limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-FORW '
ACCEPT     all      2001:470:28:a9::/64  2000::/3            state NEW,RELATED,ESTABLISHED
ACCEPT     all      2000::/3             2001:470:28:a9::/64 state RELATED,ESTABLISHED
LOG        all      anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
DROP       all      anywhere             anywhere            

Chain forward_int (1 references)
target     prot opt source               destination        
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp echo-reply
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere             anywhere            state RELATED,ESTABLISHED ipv6-icmp parameter-problem
LOG        all      2001:470:28:a9::/64  2000::/3            limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-FORW '
ACCEPT     all      2001:470:28:a9::/64  2000::/3            state NEW,RELATED,ESTABLISHED
ACCEPT     all      2000::/3             2001:470:28:a9::/64 state RELATED,ESTABLISHED
LOG        all      anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
reject_func  all      anywhere             anywhere            

Chain input_ext (3 references)
target     prot opt source               destination        
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp echo-request
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp router-solicitation
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp router-advertisement
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp neighbour-solicitation
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp neighbour-advertisement
ACCEPT     ipv6-icmp    anywhere             anywhere            ipv6-icmp redirect
LOG        tcp      anywhere             anywhere            limit: avg 3/min burst 5 tcp dpts:tcpmux:65535 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp      anywhere             anywhere            tcp dpts:tcpmux:65535
LOG        tcp      anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:domain flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp      anywhere             anywhere            tcp dpt:domain
LOG        tcp      anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp      anywhere             anywhere            tcp dpt:ssh
LOG        tcp      anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:5801 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp      anywhere             anywhere            tcp dpt:5801
LOG        tcp      anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:5901 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp      anywhere             anywhere            tcp dpt:5901
ACCEPT     udp      anywhere             anywhere            udp dpts:tcpmux:65535
ACCEPT     udp      anywhere             anywhere            udp dpt:domain
LOG        all      anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP       all      anywhere             anywhere            

Chain input_int (1 references)
target     prot opt source               destination        
ACCEPT     all      anywhere             anywhere            

Chain reject_func (1 references)
target     prot opt source               destination        
REJECT     tcp      anywhere             anywhere            reject-with tcp-reset
REJECT     udp      anywhere             anywhere            reject-with icmp6-port-unreachable
REJECT     all      anywhere             anywhere            reject-with icmp6-addr-unreachable
DROP       all      anywhere             anywhere            


I have not done any changes in my setup
And firewall is not started yet due to testing (one problem taken away)

Here is a traceroute for 2001:470:28:a9::300, one of my internal servers
Results:
      1  2a01:30:100a::1  0.730 ms  0.512 ms  0.541 ms
      2  2a01:30:100f::2  19.429 ms  20.223 ms  21.175 ms
      3  2001:470:15:7a::1  29.431 ms  29.303 ms  29.092 ms
      4  gige-g2-5.core1.fra1.he.net (2001:470:0:a5::1)  27.411 ms  28.966 ms  29.101 ms
      5  10gigabitethernet1-1.core1.sto1.he.net (2001:470:0:110::2)  52.398 ms  73.993 ms  54.787 ms
      6  1g-eth0.tserv24.sto1.ipv6.he.net (2001:470:0:11e::2)  54.685 ms  52.950 ms  54.751 ms
      7  2001:470:27:a9::2  84.687 ms  85.132 ms  83.624 ms
      8  * * * and continuing to number 30


TEH

comptech

If you don't have ip6tables running the only other idea that comes to mind is a routing problem.  What does "route -6" show?

timbaldwin

Quote from: torhowden on February 08, 2011, 12:09:03 AM
I have not done any changes in my setup
And firewall is not started yet due to testing (one problem taken away)

Based on that ip6tables output you do have a firewall that is blocking incoming connections.
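
The point in the last reply, worked through as an added example (not part of any poster's message and not SuSEfirewall2's own code): a first-match model in Python of the `input_ext` and `forward_ext` chains from the ip6tables listing above, run against the pings described in the thread. It assumes traffic arriving over the tunnel is dispatched to the `*_ext` chains (`-L` without `-v` hides interface matches), models the 1-65535 port ranges as "any port", and uses `2001:db8::1` as a constructed outside host.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("2001:470:28:a9::/64")  # routed /64 from the thread
GLOBAL = ipaddress.ip_network("2000::/3")
ANY = ipaddress.ip_network("::/0")
ANY_STATE = frozenset({"NEW", "RELATED", "ESTABLISHED"})
REPLY_ONLY = frozenset({"RELATED", "ESTABLISHED"})

@dataclass(frozen=True)
class Rule:
    target: str
    proto: str = "all"
    src: ipaddress.IPv6Network = ANY
    dst: ipaddress.IPv6Network = ANY
    states: frozenset = ANY_STATE
    icmp_type: str = ""  # empty string = any ICMPv6 type

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    state: str
    icmp_type: str
    proto: str = "ipv6-icmp"

def matches(rule, pkt):
    return (rule.proto in ("all", pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and pkt.state in rule.states
            and rule.icmp_type in ("", pkt.icmp_type))

def verdict(chain, pkt):
    """First terminating rule that matches wins; LOG never terminates."""
    for rule in chain:
        if rule.target != "LOG" and matches(rule, pkt):
            return rule.target
    return "DROP"  # INPUT and FORWARD both show policy DROP

# forward_ext as listed: ICMPv6 only for RELATED/ESTABLISHED, LAN may open
# connections outwards, the outside may only answer them.
FORWARD_EXT = [Rule("ACCEPT", "ipv6-icmp", states=REPLY_ONLY, icmp_type=t)
               for t in ("echo-reply", "destination-unreachable",
                         "packet-too-big", "time-exceeded", "parameter-problem")] + [
    Rule("LOG", src=LAN, dst=GLOBAL, states=frozenset({"NEW"})),
    Rule("ACCEPT", src=LAN, dst=GLOBAL),
    Rule("ACCEPT", src=GLOBAL, dst=LAN, states=REPLY_ONLY),
    Rule("LOG"), Rule("DROP")]

# input_ext as listed: echo-request and neighbour discovery accepted in any state.
INPUT_EXT = [Rule("ACCEPT", "ipv6-icmp", icmp_type=t)
             for t in ("echo-request", "router-solicitation", "router-advertisement",
                       "neighbour-solicitation", "neighbour-advertisement", "redirect")] + [
    Rule("ACCEPT", "tcp"), Rule("ACCEPT", "udp"), Rule("LOG"), Rule("DROP")]

OUTSIDE = "2001:db8::1"  # constructed outside host (documentation prefix)

def thread_cases():
    ping = lambda s, d: Packet(s, d, "NEW", "echo-request")
    return {
        "outside_to_router": verdict(INPUT_EXT, ping(OUTSIDE, "2001:470:28:a9::100")),
        "outside_to_server": verdict(FORWARD_EXT, ping(OUTSIDE, "2001:470:28:a9::300")),
        "server_to_outside": verdict(FORWARD_EXT, ping("2001:470:28:a9::300", OUTSIDE)),
        "reply_to_server": verdict(FORWARD_EXT, Packet(OUTSIDE, "2001:470:28:a9::300",
                                                       "ESTABLISHED", "echo-reply")),
    }

if __name__ == "__main__":
    for name, result in thread_cases().items():
        print(f"{result:6}  {name}")
```

The model reproduces the symptoms reported in the thread: the router's own addresses answer, hosts behind it can ping out and receive replies, and a new echo-request forwarded to `2001:470:28:a9::300` reaches the final DROP.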