• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Tunnel Configuration

Started by dfrandin, January 10, 2012, 02:11:56 PM

dfrandin

I have a small home network I'm trying to configure for ipv6 support on all systems. All are either Debian/Ubuntu Linux or Win2003/XP/Win7. My firewall/gateway is a Linksys WRT54GL with Tomato 1.27 firmware. I have the Linksys iptables configured to pass proto 41 to one of my Linux machines which have the sit0/sit1 tunnel pseudoadapters configured. It also runs radvd configured with my tunnel's /64 prefix. I've added Google's ipv6 dns entries to the Linux machines' resolv.conf. I can ssh into this Linux machine and ping6 ipv6.google.com ok. It appears I have this portion working fine. However, here's my problem: I've been trying to get my wife's Win7 system to do ipv6 and not having too much luck. I have the ipv6 protocol on win7 set to get an address automatically, Google's v6 dns in the dns tab, and it appears to be doing that, except for the fact I see what appears to be an assigned address in my /64 prefix, and the gateway address of the sit1 v6 address on my "gateway" Linux machine. I also see an fe80 v6 address both in the gateway area and in the link-local area. I get no connectivity using the 2001:470:c:ce::2 address. To my understanding, that should work, but of course, I'm a rank newbie with ipv6, so I'm probably missing something important.. Help!!!

Dave

(Win7 ipconfig)

Ethernet adapter Local Area Connection:                                       
                                                                               
   Connection-specific DNS Suffix  . : cox.net                                 
   IPv6 Address. . . . . . . . . . . : 2001:470:d:ce:e542:c9ae:d505:11c1       
   Temporary IPv6 Address. . . . . . : 2001:470:d:ce:cde8:b6ef:b696:149d       
   Link-local IPv6 Address . . . . . : fe80::e542:c9ae:d505:11c1%10           
   IPv4 Address. . . . . . . . . . . : 192.168.240.2                           
   Subnet Mask . . . . . . . . . . . : 255.255.255.0                           
   Default Gateway . . . . . . . . . : 2001:470:c:ce::2                       
                                       fe80::212:3fff:fe24:fe94%10             
                                       192.168.240.1                           

cholzhauer

My thoughts

1) do any other systems that receive an address via RA work?
2) no need to manually add the 2001 address as the gateway...the link local address will work fine.
3) I assume the 2001 address you have as the gateway is the public address of your gateway...are you able to ping that from the win7 station that doesn't work?

dfrandin

Quote from: cholzhauer on January 10, 2012, 02:52:48 PM
My thoughts

1) do any other systems that receive an address via RA work?
2) no need to manually add the 2001 address as the gateway...the link local address will work fine.
3) I assume the 2001 address you have as the gateway is the public address of your gateway...are you able to ping that from the win7 station that doesn't work?

Thanks for the reply...
Wife's win7 machine is the first of the machines on the network that I've tried to configure. I'd started to try setup on one of my Win2003 servers.. Apparently you can load the ipv6 protocol there, via the gui, but all configuration is via netsh... YUCK! So I decided to try first on a better candidate, being win7.  I assume when you say "Link-Local address" you mean the fe80:: prefixed address in my ipconfig printout above? 

To my understanding, since I'm running the tunnel endpoints (sit0/sit1) on an internal machine, not my firewall machine, I don't have a "public" address.. The Linksys WRT54GL is extremely ram-limited, as I'm running snmp and openvpn on it, so I strongly suspect running the setup for the tunnel endpoints on it would make it a bit overloaded. So I pointed the iptables entry on the Linksys for proto 41/ipv6 to the internal machine (192.168.240.4), thinking that the ipv6 address assigned by the tunnel config (sit1) would be my "gateway" to the tunnel.. Apparently this is not the case.. From the win7 machine a "ping -6 2001:470:c:ce::2" gets me nada... An ifconfig on the linux box gets me

sit0      Link encap:IPv6-in-IPv4
          inet6 addr: ::192.168.240.4/96 Scope:Compat
          inet6 addr: ::127.0.0.1/96 Scope:Unknown
          UP RUNNING NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:5 dropped:0 overruns:0 carrier:5
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

sit1      Link encap:IPv6-in-IPv4
          inet6 addr: 2001:470:c:ce::2/64 Scope:Global
          inet6 addr: fe80::c0a8:f004/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:92550 errors:0 dropped:0 overruns:0 frame:0
          TX packets:95118 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:11067746 (11.0 MB)  TX bytes:11069179 (11.0 MB)


I'm fairly familiar with ipv4 routing/etc, but this seems to be quite a bit different...

Dave

kasperd

Quote from: dfrandin on January 10, 2012, 02:11:56 PM
I've added google's ipv6 dns entries to the linux machines resolv.conf.

You mean you put 2001:4860:4860::8888 and 2001:4860:4860::8844 in /etc/resolv.conf? Google won't give you AAAA records for google.com if you use Google's own DNS servers. If you use HE's resolver on 2001:470:20::2 instead you will get AAAA records for google.com.

Quote from: dfrandin on January 10, 2012, 02:11:56 PM
I get no connectivity using the 2001:470:c:ce::2 address. To my understanding, that should work, but of course, I'm a rank newbie with ipv6, so I'm probably missing something important..

There are a lot of things that could be going wrong, so it is hard to start guessing at what exactly you got wrong.

Quote from: dfrandin on January 10, 2012, 02:11:56 PM
2001:470:d:ce:e542:c9ae:d505:11c1

If I do a traceroute to that address I see a routing loop:
gige-gbge0.tserv15.lax1.ipv6.he.net (2001:470:0:9d::2)  205.765 ms  183.192 ms  180.510 ms
escaped-1-pt.tunnel.tserv15.lax1.ipv6.he.net (2001:470:c:ce::2)  203.354 ms  203.310 ms  203.285 ms
gige-gbge0.tserv15.lax1.ipv6.he.net (2001:470:0:9d::2)  212.493 ms  208.279 ms  212.267 ms
9  * * *
10  gige-gbge0.tserv15.lax1.ipv6.he.net (2001:470:0:9d::2)  224.958 ms  209.618 ms  209.334 ms
11  * * *
12  gige-gbge0.tserv15.lax1.ipv6.he.net (2001:470:0:9d::2)  224.233 ms  227.788 ms *
13  * * *

It appears somehow you configured your gateway to not actually have a route to 2001:470:d:ce::/64 and instead route it over the default route back through the tunnel to the tunnel server, which of course routes it back to your gateway.

At least if I am reading that right, it means you did at least remember to enable forwarding on the gateway.

Quote from: dfrandin on January 10, 2012, 02:11:56 PM
Default Gateway . . . . . . . . . : 2001:470:c:ce::2

This doesn't look right. I see this IP address when doing a traceroute from the outside, so this is the virtual interface facing out from the gateway. The default gateway shouldn't be the interface facing out, it should be the physical interface facing inwards as that is the only one which is on the local network.
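
The routing loop described in the reply above, reproduced as an added example (not part of the original thread): a longest-prefix-match lookup over constructed route tables, assuming the cause is the one kasperd suggests. The router names `tserv` and `gateway`, the table contents and the on-link LAN route in the second table are assumptions; the prefixes and the destination address are the ones quoted in the thread.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match: return (network, next_hop) of the most specific route."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in routes
            if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def trace(tables, start, dst, max_hops=8):
    """Follow next hops between named routers; return (path, outcome)."""
    path, node, seen = [], start, set()
    for _ in range(max_hops):
        path.append(node)
        hit = lookup(tables[node], dst)
        if hit is None:
            return path, "unreachable"
        nxt = hit[1]
        if nxt == "deliver":          # destination is on-link here
            return path, "delivered"
        if (node, nxt) in seen:       # same hand-off twice: packets ping-pong
            return path + [nxt], "loop"
        seen.add((node, nxt))
        node = nxt
    return path, "hop-limit"

# Constructed tables. The tunnel server sends the routed /64 down the tunnel.
TSERV = [("2001:470:d:ce::/64", "gateway")]
# Gateway as the traceroute suggests: tunnel /64 on sit1, default via the
# tunnel, and no route for the routed /64 on the LAN side.
GATEWAY_BROKEN = [("2001:470:c:ce::/64", "tserv"), ("::/0", "tserv")]
# Gateway with the routed /64 on-link on its inward-facing interface (assumed).
GATEWAY_FIXED = GATEWAY_BROKEN + [("2001:470:d:ce::/64", "deliver")]

WIN7 = "2001:470:d:ce:e542:c9ae:d505:11c1"  # address from the ipconfig output

def run(gateway_routes):
    return trace({"tserv": TSERV, "gateway": gateway_routes}, "tserv", WIN7)

if __name__ == "__main__":
    print(run(GATEWAY_BROKEN))
    print(run(GATEWAY_FIXED))
```

In the first table the Win7 address matches only `::/0` on the gateway, because `2001:470:d:ce::/64` and the tunnel's `2001:470:c:ce::/64` are different prefixes, so the packet goes straight back up the tunnel.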

kasperd

Quote from: dfrandin on January 10, 2012, 03:46:32 PM
I'm fairly familiar with ipv4 routing/etc, but this seems to be quite a bit different...

It is really not all that different. And in fact IPv6 should be slightly simpler to deal with than IPv4 since you don't have to worry about NAT.

But tunnelling is a bit more complicated than your typical home network setup. It would be just as complicated to set up an IPv4 tunnel. If your ISP provided you with native IPv6 you'd probably find that easier to set up than an HE tunnel (assuming your router supports it).

It does look like the forwarding of protocol 41 through your Linksys is working, so that is the good news. I didn't spot a mistake in your sit interface configuration either, and traceroute didn't suggest that is where the mistake would be.

I think the problem with your IPv6 configuration is on the physical interface of the tunnel endpoint. Can you give us the ifconfig output for eth0 (or whatever interface you are using) on the tunnel endpoint?