• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

IP is not ICMP pingable?

Started by flawedspirit, April 24, 2011, 03:24:08 PM

Previous topic - Next topic

flawedspirit

IP is not ICMP pingable. Please make sure ICMP is not blocked. If you are blocking ICMP, please allow <serveraddress> through your firewall.

I'm sure this question is asked a hundred times, but I can't seem to find reference to this exact error anywhere, and this is stopping me from creating a tunnel at all.

How do I go about enabling ICMP, if that's the problem? Dispite having some experience in network configuration, this problem seems to be above my pay-grade, so to speak. I always assumed that ICMP would be enabled by default; I mean, it's ICMP, of all the protocols in the world! So far I've tried allowing ICMP through windows firewall, and running the router in DMZ mode, to no avail.

Router: 2Wire 2701HG-G
ISP: Bell Canada
OS: Windows 7

If you need any other information, I'll try and dig it up.

cessnaflyer

My understanding is that HE uses ICMP pings to your public IPv4 address to verify connectivity for your IPv6 tunnel.

For the 2wire 2701HG router, check under the Firewall tab, then Advanced Settings.  Verify that "Block Ping" is not checked.

It makes perfect sense that every household should have its own /48 once IPv6 is more widely used.  After all, it's not like we'll run out of IP addresses... again.

flawedspirit

#2
Thank you very much. That certainly got me moved forward! I still can't access any services that require an IPv6 address, but I suspect that may be my ISP's fault. Bell Canada actively blocking IPv6 would not ever surprise me.
They practically block IPv4 access too...

cessnaflyer

Hrm, it's possible, but I wouldn't expect so.  If your border router is the 2wire 2701HG, how are you planning to terminate your tunnel?  On your Windows box?  If so, you need some way to get the packets from the public interface of your router to your Windows box.

It makes perfect sense that every household should have its own /48 once IPv6 is more widely used.  After all, it's not like we'll run out of IP addresses... again.

cholzhauer

If you've gotten past the ICMP problem, let's see some more info.

What commands did you use to set up your tunnel?

flawedspirit

After I set the tunnel up, I was given the following commands to use:

netsh interface teredo set state disabled
netsh interface ipv6 add v6v4tunnel IP6Tunnel 65.95.6.93 216.66.38.58
netsh interface ipv6 add address IP6Tunnel 2001:470:1c:28::2
netsh interface ipv6 add route ::/0 IP6Tunnel 2001:470:1c:28::1
(via Windows 7 command prompt)
Now, it told me to replace my external IP with what DHCP gives me, so I assumed the second line becomes:

netsh interface ipv6 add v6v4tunnel IP6Tunnel 192.168.2.12 216.66.38.58

Is this what you're referring to?

Also, if I did mess up anywhere, how do I remove the new interface so I can start over without being warned about conflicting names?

cessnaflyer

So, here's the $64,000 question: How are you getting the tunnel packets from the WAN interface of your router to your Windows box?

Looking at the manual for your 2wire router, this seems like it will be somewhat tricky.  I don't see any settings that would allow forwarding of just Next Protocol 41 (v6 tunnel) traffic, nor forwarding of traffic based on source IP.  Really, the only option I see is to use the "DMZplus" option to have all traffic sent to your Windows box.  (I don't recommend this: that way lies pwnage.)

Here's an even better question, which others on the forum may find a bit heretical (sorry): if you're just trying to set up IPv6 on your Windows box and not create an entire IPv6 subnet for your network, why not just use Teredo?  It's installed by default in Windows Vista and 7, and it handles all of the issues with your router.  You don't get your own /64 or /48, but it doesn't require any changes to be made to your router to work.

If you'd like to provide IPv6 service for your entire network, one option you can check out is to set up a small, cheap Linux box inside your network.  (It could even be an old box you already have, reformatted to run whatever Linux you'd like.)  Make it your "DMZ" in the router, then use it to both terminate your end of the HE tunnel and provide IPv6 routing for the rest of your network.

To undo and start over, run the commands in reverse:

netsh interface ipv6 del route ::/0 IP6Tunnel 2001:470:1c:28::1
netsh interface ipv6 del address IP6Tunnel 2001:470:1c:28::2
netsh interface ipv6 del v6v4tunnel IP6Tunnel 65.95.6.93 216.66.38.58
netsh interface teredo set state enabled
(optional)

It makes perfect sense that every household should have its own /48 once IPv6 is more widely used.  After all, it's not like we'll run out of IP addresses... again.

cholzhauer

Cessnaflyer does have a point with his suggestion of Teredo, but I think that's a last resort.

I'm with you and would want a tunnel from HE over Teredo.  Yes, putting something in the DMZ exposes it to more traffic, but in this case, I don't have a problem with it.  If you do use your Windows machine, just turn on the firewall and keep it patched...you'd do the same thing with a Linux machine.

Quote
netsh interface teredo set state disabled
netsh interface ipv6 add v6v4tunnel IP6Tunnel 65.95.6.93 216.66.38.58
netsh interface ipv6 add address IP6Tunnel 2001:470:1c:28::2
netsh interface ipv6 add route ::/0 IP6Tunnel 2001:470:1c:28::1
(via Windows 7 command prompt)
Now, it told me to replace my external IP with what DHCP gives me, so I assumed the second line becomes:

netsh interface ipv6 add v6v4tunnel IP6Tunnel 192.168.2.12 216.66.38.58

Is this what you're referring to?

Yep.  That second line is wrong, which it looks like you've figured out. (Replace your public IP with the 192.168.2.12)

flawedspirit

So setting my router to DMZ mode should do the trick?

Please forgive my density in this matter; I'm only just working out how IPv4 works in my CCNA classes, and IPv6 is a whole new animal. While I suppose I don't have to have IPv6 functionality, I prefer to be ahead of the curve when it comes to my computer. I just like being a part of the future ;)

cholzhauer

Yeah, try DMZ mode.

For more back ground, read this. (Just so you know what you're doing)

http://en.wikipedia.org/wiki/DMZ_(computing)