• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

mac os-x assistance

Started by gyounger, February 18, 2011, 04:00:45 PM

gyounger

Hello,

So I've spent a bit of time trying to get a tunnel up between my Mac with OS X 10.6 and tunnelbroker. However, the tunnel does not appear to work. I cannot reach the tunnelbroker server IPv6 address. Any assistance would be appreciated.

gif0 is up, as well as the associated interfaces. Using the NAT IP address for the tunnel and the en1 AirPort interface.

bash-3.2# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
   inet 127.0.0.1 netmask 0xff000000
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
   tunnel inet 192.168.x.240 --> 66.220.18.42
   inet6 fe80::7e6d:62ff:fe8b:fcf0%gif0 prefixlen 64 scopeid 0x2
   inet6 <my tunnelbroker ipv6 ending in 2> --> <tunnelbroker ipv6 server ending in 1> prefixlen 128
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   ether 7c:6d:62:8b:fc:f0
   media: autoselect
   status: inactive
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   ether 58:b0:35:6a:71:01
   inet6 fe80::5ab0:35ff:fe6a:7101%en1 prefixlen 64 scopeid 0x5
   inet 192.168.x.240 netmask 0xffffff00 broadcast 192.168.x.255
   media: autoselect
   status: active



Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.x.1      UGSc           65        0     en1
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              2     5787     lo0
169.254            link#5             UCS             0        0     en1
192.168.x        link#5             UCS             2        0     en1
192.168.x.1      f0:7d:68:72:e9:d2  UHLWI          83      461     en1   1129
192.168.x.230    0:90:a9:82:3a:d6   UHLWI           1    29286     en1   1164
192.168.x.240    127.0.0.1          UHS             0        0     lo0

Internet6:
Destination                             Gateway                         Flags         Netif Expire
default                                 <tunnelbroker ipv6 server ending in 1>               UGSc           gif0
::1                                     ::1                             UH              lo0
<my tunnelbroker ipv6 ending in 2>                         UH             gif0
<my tunnelbroker ipv6 ending in 2>                       link#2                          UHL             lo0
fe80::%lo0/64                           fe80::1%lo0                     Uc              lo0
fe80::1%lo0                             link#1                          UHL             lo0
fe80::%gif0/64                          link#2                          UC             gif0
fe80::7e6d:62ff:fe8b:fcf0%gif0          link#2                          UHL             lo0
fe80::%en1/64                           link#5                          UC              en1
fe80::5ab0:35ff:fe6a:7101%en1           58:b0:35:6a:71:1                UHL             lo0
ff01::/32                               ::1                             Um              lo0
ff02::/32                               ::1                             UmC             lo0
ff02::/32                               link#2                          UmC            gif0
ff02::/32                               link#5                          UmC             en1

I can ping my side of the IPv6 tunnel, but not the tunnelbroker server. I can ping the far end of the IPv4 tunnel too.


bash-3.2# ping6 <my tunnelbroker ipv6 ending in 2>
PING6(56=40+8+8 bytes) <my tunnelbroker ipv6 ending in 2> --> <my tunnelbroker ipv6 ending in 2>
16 bytes from <my tunnelbroker ipv6 ending in 2>, icmp_seq=0 hlim=64 time=0.115 ms
16 bytes from <my tunnelbroker ipv6 ending in 2>, icmp_seq=1 hlim=64 time=0.172 ms
^C
--- removed::2 ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.115/0.143/0.172/0.029 ms

ping tunnel broker ipv6 - doesn't work

bash-3.2# ping6 <tunnelbroker ipv6 server ending in 1>
PING6(56=40+8+8 bytes) <my tunnelbroker ipv6 ending in 2> --> <tunnelbroker ipv6 server ending in 1>
Request timeout for icmp_seq=0
Request timeout for icmp_seq=1
^C
::1 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

bash-3.2# ping 66.220.18.42
PING 66.220.18.42 (66.220.18.42): 56 data bytes
64 bytes from 66.220.18.42: icmp_seq=0 ttl=55 time=205.516 ms
64 bytes from 66.220.18.42: icmp_seq=1 ttl=55 time=204.730 ms
64 bytes from 66.220.18.42: icmp_seq=2 ttl=55 time=204.911 ms
^C
--- 66.220.18.42 ping statistics ---
4 packets transmitted, 3 packets received, 25.0% packet loss
round-trip min/avg/max/stddev = 204.730/205.052/205.516/0.336 ms

What am I missing here?  If there are additional steps necessary please let me know.

Thanks


cholzhauer

X'ing out IP addresses makes it hard for us to follow.

Since you're behind NAT, did you use your NAT address to create the tunnel?

gyounger

Yes, the NAT IP address was used to create the tunnel. .240 is the host NAT IP address on the Mac.

cholzhauer

Probably a protocol41 issue then...is your ISP blocking it at some point?  Is there a rule in your firewall to allow it?  If not, try moving your host to the DMZ.

gyounger

For testing I disabled my host FW (.240), router FW (.1), and verified there is no FW on ISP end blocking anything. I put my host in the DMZ just for kicks. Still no luck. Bugger! So it's looking like my DSL router might not pass protocol 41. It's a cheap D-Link. Any further steps to verify that?

I will try to stitch up the tunnel at work today to bypass the dlink and my ISP.  Thanks for the pointers.

cholzhauer

I haven't found a way to check to see if a router/firewall/device is passing protocol41

if you find one, please let me know ;)

antillie

The easiest way I can think of to check would be to fire up a packet sniffer on the host that is terminating the tunnel then send some IPv6 traffic from a host on the other side of the tunnel and see if the sniffer picks up anything.

Or you could put a Cisco device between the DSL modem and the tunnel box with an ACL that specifically permits protocol 41 and see if you get any inbound hit counts on the ACL.

gyounger


The problem resides in the fact I can't get to the other end of the IPv6 tunnel.  So if I can't get to/ping6 the IPv6 Tunnel Broker Server IP, which is essentially my IPv6 gateway, then no other IPv6 traffic can reach me.  I did a tcpdump on the host, but that didn't provide much information other than I am sending Protocol 41 traffic and not receiving it.

The obvious culprit is the d-link dsl router.  The only way to get something in front of the d-link is to put another dsl router in.  I need something to terminate the DSL, so just any Cisco device won't work.  Maybe I can run the d-link in bridging mode.
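
The sniffer check discussed in the two posts above, as an added example that is not part of the original thread: a shell function that reads `tcpdump -n` text output and reports whether protocol 41 (6in4) packets were seen in each direction between the host and the tunnel server. The function name, the 10.0.0.240 host address and the 2001:db8:: tunnel addresses are assumptions made for the sample; 66.220.18.42 is the tunnel endpoint shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Capture on the tunnel host's LAN side with
#   tcpdump -n -i en1 ip proto 41 > capture.txt
# then run: proto41_verdict LOCAL_IPV4 TUNNEL_SERVER_IPV4 < capture.txt

proto41_verdict() {
    awk -v l="$1" -v r="$2" '
        # tcpdump -n prints 6in4 as: <time> IP <src> > <dst>: IP6 <inner packet>
        $2 == "IP" && $4 == ">" && $6 == "IP6" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            if (src == l && dst == r) out++        # host -> tunnel server
            else if (src == r && dst == l) inb++   # tunnel server -> host
        }
        END {
            if (out + inb == 0)  v = "no-6in4-seen"
            else if (inb == 0)   v = "outbound-only"   # replies never reach the host
            else if (out == 0)   v = "inbound-only"
            else                 v = "bidirectional"
            printf "out=%d in=%d verdict=%s\n", out, inb, v
        }'
}

# Constructed sample capture: 10.0.0.240 stands in for the host NAT address and
# 2001:db8::/32 for the tunnel addresses; 66.220.18.42 is the endpoint in the thread.
sample_capture() {
    cat <<'EOF'
16:01:10.101010 IP 10.0.0.240 > 66.220.18.42: IP6 2001:db8::2 > 2001:db8::1: ICMP6, echo request, seq 0, length 16
16:01:11.102030 IP 10.0.0.240 > 66.220.18.42: IP6 2001:db8::2 > 2001:db8::1: ICMP6, echo request, seq 1, length 16
16:01:12.103050 IP 10.0.0.240 > 66.220.18.42: IP6 2001:db8::2 > 2001:db8::1: ICMP6, echo request, seq 2, length 16
EOF
}

sample_capture | proto41_verdict 10.0.0.240 66.220.18.42
```

A verdict of `outbound-only` corresponds to what the tcpdump in the thread showed: protocol 41 leaves the host and nothing comes back.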


cholzhauer

yeah, bridge is the way to go