Weird problem with access through SpeedTouch (O2 wireless box in UK)

Started by trevorwarwick, October 20, 2011, 12:38:27 PM

trevorwarwick


I'm terminating my HE IPv6 tunnel on a Cisco 87x which is behind the Thomson Speedtouch provided by my ISP. I've got it mostly working, but with one problem I can't solve.

The config is basically   DSL --- SpeedTouch (ether) ----- (ether) Cisco 87x ----- Windows 7 PC

IPv6 access to the internet from the PC works just fine. E.g. http://ip6.me tells me the correct IPv6 address, I can get to ipv6.google.com etc etc.

However, I can't ping my end of the HE tunnel from outside. I can ping the HE end of the tunnel. Debug on the Cisco router shows that it's not receiving any IPv6 ICMP packets if pinged from outside. I do have an access-list in place, but the counters aren't going up either (and I've tried removing it too). So I'm suspecting that the Speedtouch is doing something odd.

The SpeedTouch is configured with

:service system ifadd name=PING_RESPONDER group=wan
:mapadd intf=O2_ADSL2plus type=nat outside_addr=216.66.80.26 inside_addr=192.168.1.8 access_list=192.168.1.8 mode=inbound weight=10
:connection unbind application=IP6TO4 port=0
Which are various incantations I've previously found via a lot of googling.

I've also tried disabling the IDS and firewall on the Speedtouch to no apparent effect.

So what's puzzling is that since it's mostly working, what could the Speedtouch be doing differently with incoming rather than outgoing flows? It's not smart enough (AFAIK) to actually look at the IPv6 traffic in the tunnel. I'm pretty sure the problem is there rather than with the Cisco config, since I'm a lot more confident in my ability to debug IOS IPv6, and I can't see anything wrong with that.

trevorwarwick


A bit more debugging seems to show that it's inbound static NAT for the 6to4 protocol on the Speedtouch that isn't working. Unclear whether this is a bug or misconfiguration, but the documentation for these devices is so woeful it's virtually impossible to find out. Keeping the 6to4 NAT active with a regular outbound IPv6 ping allows inbound traffic to work, so I'll use that as a workaround for now.

kasperd

The workaround you mention in your followup is almost exactly what I would have suggested. The "Server IPv6 Address" for your tunnel should be the ideal remote address to ping for this purpose.

I suggest you measure for how long the NAT entry stays active and set the ping interval just under half that lifetime. That way you don't drop off the net in case a single ping is lost.

I noticed that your config said 6to4, but what you are using is not exactly 6to4. A configured tunnel (such as tunnelbroker.net) and 6to4 are two different ways of using 6in4. AFAIK it is easier to get a configured tunnel working through NAT than to get 6to4 working through NAT, in particular using ping to keep the NAT entry alive will work better for a configured tunnel than for 6to4.

However if your NAT unit really does have code specifically to handle NATing of 6to4, and you try to use that for a configured tunnel, who knows how that will end up behaving?

trevorwarwick

Thanks for the reply. Yep, I realise the difference between 6to4 and a configured tunnel. In the Speedtouch NAT config, there seems no generic way of getting at the IP protocol field, so you can't say "match on IP protocol 41"; the only option you have is the canned "6to4" option. There is actually a "protocol=6to4" term missing from the mapadd config I included above. Without that, it doesn't work at all.

:mapadd intf=O2_ADSL2plus type=nat outside_addr=216.66.80.26 inside_addr=192.168.1.8 access_list=192.168.1.8 protocol=6to4 mode=inbound weight=10

nickbeee

Also a UK O2 user - I just got my tunnel up and running, but I'm using a Netgear DG834v3 instead of the O2 Wireless Box. The DG834 is running NAT and I have a Cisco 1711 on the LAN side configured for the tunnel. I've looked at the tunnel traffic between the Cisco and the Netgear with Wireshark and I can see protocol 41 flowing both ways.
I didn't have to configure any firewall rules on the DG834, it just worked  8)
The Cisco required the LAN ip address as my end of the tunnel rather than my public ipv4.
Nick B.

Tunnelling with [Open|Net|Free]BSD and IOS.
IPv6 courtesy of HE and Sixxs.

shogsbro

Also an O2 broadband subscriber in the UK, dynamic IP. Endpoint is the Zurich POP (216.66.80.98), as London wasn't available.

Also having problems with blocked inbound 6to4 packets (protocol #41) after the connection-tracker in Thomson TG587 V2 box times out (1 minute by default). Workaround is likely a cron-job pinging the other end of the tunnel every 55 secs.

:connection timerconfig
tcpidle          : 15' 0"
tcpneg           : 2' 0"
tcpkill          : 1 0"
udpidle          : 1"
udpkill          : 2' 4"
icmpkill         : 1' 0"
ipidle           : 1' 0"
ipkill           : 0"

Need to enable IPv4 PING responses before tunnelbroker.net will create the tunnel:
:service system ifadd name=PING_RESPONDER group=wan

:connection list nr=10
...
170  6to4  ACTIVE      0           [............] IP6TO4       [....]       59"
 INIT: 340  172. 16. 11.251:0          216. 66. 80. 98:0          [.......S..] LocalNetwork     12 6to4    0
 RESP: 341  216. 66. 80. 98:0           94.193. 45.205:0          [R......S..] O2_ADSL2plus     12 6to4    0
...

As I understand the Thomson firmware, the NAT templates are applied by the router when the external IP changes, so I added both a current map and a template.

:nat mapadd intf=O2_ADSL2plus type=nat outside_addr=94.193.45.205 inside_addr=172.16.11.251 protocol=6to4
:nat maplist expand=enabled
...
10 NAT  O2_ADSL2plus    94.193.45.205                  172.168.11.251                 0
                        Access List................... 172.168.11.251
                        Foreign Address............... any
                        Protocol...................... 6to4
                        Flags......................... Static
                        Weight........................ 10
                        Description................... Two-way NAT
                        Creator Data.................. 0
...
:nat tmpladd group=wan type=nat outside_addr=0.0.0.1 inside_addr=172.16.11.251 protocol=6to4
:nat tmpllist expand=enabled
...
20 NAT  any             wan      0.0.0.1                        172.16.11.251                  1
                        Access List................... 172.16.11.251
                        Foreign Address............... any
                        Protocol...................... 6to4
                        Flags......................... Static
                        Weight........................ 10
                        Description................... Two-way NAT
                        Creator Data.................. 0
...
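Putting kasperd's rule of thumb (ping interval just under half the NAT entry lifetime) together with the ":connection timerconfig" output above, here is an added keepalive script that is not from any poster in this thread. It parses the Thomson timer format into seconds, derives the interval from the ipidle timer, and pings the tunnel's "Server IPv6 Address"; the TIMERCONFIG text is a constructed copy of the output shown above, and TUNNEL_SERVER_V6 is a placeholder you replace with your own tunnel server address.

```shell
#!/bin/sh
# Keep a 6in4 NAT entry on a Thomson/SpeedTouch box alive (added example).
# TUNNEL_SERVER_V6 is a placeholder (documentation prefix); use your tunnel's
# "Server IPv6 Address" from tunnelbroker.net.
TUNNEL_SERVER_V6="${TUNNEL_SERVER_V6:-2001:db8::1}"

# Constructed sample of ":connection timerconfig" output, as pasted above.
TIMERCONFIG=$(cat <<'EOF'
tcpidle          : 15' 0"
udpidle          : 1"
icmpkill         : 1' 0"
ipidle           : 1' 0"
ipkill           : 0"
EOF
)

# Convert a Thomson timer such as 15' 0", 2' 4" or 1" into whole seconds.
# Minutes carry a trailing ', seconds a trailing ".
timer_seconds() {
    printf '%s\n' "$1" | awk -v q="'" '{
        m = 0; s = 0
        for (i = 1; i <= NF; i++) {
            v = $i; c = substr(v, length(v)); n = substr(v, 1, length(v) - 1)
            if (c == q) m = n; else if (c == "\"") s = n
        }
        print m * 60 + s
    }'
}

# Idle lifetime of a non-TCP/UDP (protocol 41) entry: the "ipidle" timer.
nat_idle_seconds() {
    t=$(printf '%s\n' "$1" | awk -F: '$1 ~ /^ipidle/ { sub(/^[ \t]+/, "", $2); print $2 }')
    timer_seconds "$t"
}

# Ping interval just under half the idle lifetime, so one lost echo reply
# does not let the mapping expire (never below 1 second).
keepalive_interval() {
    idle=$(nat_idle_seconds "$1")
    n=$(( idle / 2 - 2 ))
    [ "$n" -lt 1 ] && n=1
    echo "$n"
}

# Send one ICMPv6 echo per interval; a miss is logged, not fatal.
keepalive_loop() {
    interval=$(keepalive_interval "$TIMERCONFIG")
    while :; do
        ping6 -c 1 -W 2 "$TUNNEL_SERVER_V6" >/dev/null 2>&1 \
            || echo "keepalive: no reply from $TUNNEL_SERVER_V6" >&2
        sleep "$interval"
    done
}

if [ "${1:-}" = run ]; then keepalive_loop; fi
```

With ipidle at 1' 0" the interval works out to 28 seconds, which cron cannot schedule (one-minute granularity), so run the loop under a supervisor or from rc.local rather than as a cron job.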