Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Win XP: Impossible to reconcile IPv6 with the Firewall ???

Started by Ninho, November 16, 2011, 10:13:45 AM


Ninho

Gents, the more I dig the more I am finding Microsoft XP is very much 6-in-4 tunneling hostile!
Maybe it's because they want to promote their "solution" (Teredo). Whatever...

Apart from the issue with some Windows update raised in the other thread (please have a look and see if you can help), there are problems with the (so-called) Windows firewall.

Allowing ICMP for all interfaces (and all message types just to be sure), yet the minute I turn the darned "firewall" on, the HE tunnel ceases to work! Turn it off and IP6 is working again; >:( Grrr...

Who was telling me it "just works" for "everybody" has certainly not been trying to use an XP box as his 6in4 router :(

Please, gentlemen, help!

broquea

XP had IPv6 support as experimental at best. You would be better served running a virtualbox with Linux in it on the XP machine as the router. Or upgrading to a modern version of Windows that doesn't run experimental IPv6 code. Vista/2008/7 all have a proper, non-experimental, IPv6 stack for the Windows platform.

Ninho

Quote: XP had IPv6 support as experimental at best

Microsoft would beg to differ, I'm sure <G>. "Experimental" was IPv6 in Windows 2000 and XP with no service packs. Starting at SP1 and certainly SP2+ it is no more experimental. Maybe buggy, maybe terrible, I don't know, but experimental? /not/!

Furthermore I found their "experimental" support (as of Windows 2000) to be much better than later incarnations, as far as 6-in-4 tunnels go. You seem to be pushing people to "upgrade" to even later Windows versions, but, considering the trend, upgrading is only likely to bring more problems and vulnerabilities, assuming it solves this particular problem <G>

MS is not going to get one more cent from my pocket. Ever. And the money I was fool enough to give them I want back in getting it to work as advertised (as far as humanly possible)  ;=)

Dear Broquea, I think I understand your expertise is not so much with MS Windows (and I'm not blaming you!) Among the wealth of experts and system admins who contribute to this forum (you know who I mean)  I surely hope one or two of them can give definite answers other than "old Windows is flaky, new Windows is great" - I can't believe none has run Windows XP during all the years it was mainstream.

Respectfully


antillie

Even if the IPv6 stack in XP isn't experimental it certainly is outdated. XP implements site local addresses and a few other things that have long since been deprecated from the RFCs. Honestly I am very surprised that XP can even talk to a modern IPv6 box at all with how non standards compliant its stack is. I'm not knocking MS here, XP's IPv6 stack was quite standards compliant when it was written 10+ years ago. But the standards have changed a bit since then and XP isn't going to be getting any updates for its IPv6 stack, ever. Also, several IPv4 to IPv6 transitional technologies, such as several forms of tunneling, either hadn't been fully written yet, or have changed quite a bit since then, so it's perfectly understandable why XP has problems with them today. And I seriously doubt there will ever be a patch from MS for this either.

And I would be very surprised if anyone ever tried to run IPv6 on Windows XP for more than a few days in anything larger than a lab until the past year or so. So it's very probable that there are plenty of issues with the IPv6 stack in XP that aren't known about yet because it was simply never really used in the wild or subjected to any serious large scale deployment and security/stability testing. Sure people are starting to play with it now, but those same people are also moving to Windows 7/2008 in droves. Note that MS, the only people able to fix any such issues, are firmly in the "moving to Windows 7/2008" camp.

If you want to do anything even remotely serious with IPv6 Windows XP is probably not the OS for you. I am in complete agreement with broquea here, you really should upgrade to a modern OS. If you don't like MS nothing says that you have to go to Windows 7. Linux, BSD, and Mac OS X are all perfectly IPv6 capable. Although honestly 64-bit Windows 7 + Server 2008 R2 is probably one of the best platforms from a security and ease of use ratio perspective out of the box. IMO, XP needs to go. It was great in its day, but its day has long since passed.

Ninho

'Morning, Antillie!
Quote: If you want to do anything even remotely serious with IPv6 Windows XP is probably not the OS for you.

Not going to argue. I'm hardly doing more than playing with IPv6 for the fun of learning, and doing so not only in Windows XP. But with Linux there are fewer problems (if any), so I don't have to come asking questions <G>

Quote: Also, several IPv4 to IPv6 transitional technologies, such as several forms of tunneling, either hadn't been fully written yet, or have changed quite a bit since then, so it's perfectly understandable why XP has problems with them today.

Even if I were to install Seven (I did run it as a virtual machine downloadable from MS itself, and you bet I hated the thing!) I wouldn't bet a kopek that the problems would go away. For instance KB978338 says the update (which seems to block HE's 6in4 tunnels) was not intended for Vista and Seven because its functionality is already integrated there.

The main problem with MS Windows is not bugs, in my modest opinion; it's opacity.

Regarding the particular problems with XP SP3 updates and 6in4 tunnelling, where - beyond this forum - do you think I might get (free!) serious and thorough answers from MS MVPs or Gurus?
Can you (you all) advise on the right newsgroup [but MS has abandoned its own newsgroups] and/or web fora where those experts hide out?

Thank you very much for your interest and advice

cholzhauer

When I get back in the office I'll try and make it work... what does your setup look like?

antillie

Quote from: Ninho on November 17, 2011, 02:56:06 AM
Even if I were to install Seven (I did run it as a virtual machine downloadable from MS itself, and you bet I hated the thing!) I wouldn't bet a kopek that the problems would go away. For instance KB978338 says the update (which seems to block HE's 6in4 tunnels) was not intended for Vista and Seven because its functionality is already integrated there.

When this functionality was written for Windows Vista and 7 MS probably wrote it as part of the original OS with IPv6 in mind. I seriously doubt this was the case when they wrote the patch for XP since IPv6 support has never been a big priority for XP. Honestly I really like Windows 7. Personally I consider it to be a worthy successor to XP in every way.

Quote from: Ninho on November 17, 2011, 02:56:06 AM
Regarding the particular problems with XP SP3 updates and 6in4 tunnelling, where - beyond this forum - do you think I might get (free!) serious and thorough answers from MS MVPs or Gurus?
Can you (you all) advise on the right newsgroup [but MS has abandoned its own newsgroups] and/or web fora where those experts hide out?

I suspect that the only answer you will get from the vast majority of Windows admins and MS support people will be that you should upgrade to Windows 7. The point is that Windows XP's IPv6 support is what it is. If something works, great. If it doesn't, oh well. MS probably isn't going to fix it and most people aren't going to bother trying to find a work around. XP is just too old and clunky to bother.

Ninho

Quote from: cholzhauer on November 17, 2011, 07:37:59 AM
When I get back in the office I'll try and make it work... what does your setup look like?

Great, Carl! Comparison will be very valuable. My settings are simple enough:

ADSL (IPv4/PPPoA) --> Alcatel Speedtouch 510 (passes IP proto 41 thru to) --> Windows XP comp.

The Speedtouch includes an ethernet switch to which other computers connect directly or over powerline - no wireless here!

Softwarewise, I had to replace tcpip6.sys and 6to4svc.dll by their pre-KB978338 versions, and disable the Firewall. These annoying changes I would like to avoid, precisely.
Else nothing special, I used old style ipv6.exe commands, and it just works with the specified limits.

:: ipv6 config -  Windows XP sp3
 ipv6 -p rtu ::/0 2/::216.66.80.30 pub
 ipv6 -p adu 2/2001:470:1f0A:69a::2

:: be the IPv6 gateway for our LAN :
:: interface 6 = Ethernet: local area adapter
 ipv6 -p rtu 2001:470:1f0B:69a::/64 6 pub
 ipv6 -p ifc 2 forw
 ipv6 -p ifc  6 forw adv
_______________________________________________________

Ah! Also, vain trials to override 6in4 packet controls per KB978338, in my hosts file:

127.0.0.1       localhost
216.66.80.30 isatap.lan  # lan is a (pseudo)domain provided by DHCP
216.66.80.30 isatap.sanguine  # sanguine is computername
216.66.80.30 isatap.mydomain.com  # taken verbatim from MS article (silly, no?)

I doubt in fact isatap has anything to do with my settings; as almost always, the MS article provides cooking recipes which might or might not apply to your situation, without much explanation.

cholzhauer

Works fine for me...the IPv6 config part took me five to ten minutes

OS is Windows XP x64 SP2 with all available updates


:: create the 6in4 tunnel interface: v6v4tunnel takes the two IPv4 endpoints (local, remote)
netsh interface ipv6 add v6v4tunnel "ip6tunnel" 205.251.163.12 209.51.161.14
:: the local end's IPv6 address is added with "add address" (a second "add v6v4tunnel" with IPv6 addresses is not valid)
netsh interface ipv6 add address "ip6tunnel" 2001:470:1f06:141a::2
:: default route through the tunnel, next hop = the server side of the tunnel /64
netsh int ipv6 add route ::/0 "ip6tunnel" 2001:470:1f06:141a::1


That allows me to ping ipv6.google.com with no problem

I did disable ISATAP and 6to4

My tunnel server is directly connected to the Internet

Ninho

Quote from: cholzhauer on November 21, 2011, 11:23:33 AM
Works fine for me...

Och! Thank you very much, Carl! For some reason I had not seen your message till this moment.

I'll try and mimic your config, using netsh and a new tunnel interface instead of ipv6.exe and the prebuilt tunnel interface. Shall keep you all updated!

Quote: My tunnel server is directly connected to the Internet
Please, what do you mean by that exactly?

--
Ninho

cholzhauer

I mean that there is nothing between my tunnel server and the internet... no firewall, nothing... it's just connected directly to my internet router.

Ninho

Quote from: cholzhauer on November 24, 2011, 03:15:34 PM
...no firewall, nothing... it's just connected directly to my internet router.

Oh, just that! I wondered if you might have meant you connected directly to the core of the internet - or at least to a much fatter pipe than usual home connections afford...

Anyways, I've now tried a configured tunnel using netsh commands (btw those commands you posted above don't seem quite right; I followed HE's instructions on my "tunnel details" page instead).

The result: that doesn't work at all for me, with or without the XP firewall ???

Reverting to my usual voodoo (using ipv6.exe and the prebuilt interface number 2 instead of "creating" a tunnel interface) works as usual (i.e. without firewall; the Windows firewall blocks IPv6)

Sooo... my conclusions :

1. I'm content with my own, personal, exclusive config after all   ;)

2. The reason the way which is working for you and others, doesn't seem to work for me, may reside in my router (part of the speedtouch ADSL appliance) : this router doesn't pass native ipv6, only packets encapsulated in ipv4 protocol #41. Maybe this is a difference between our settings ? When you were doing that experiment, was the link between your XP computer and the internet router passing native IPv6 packets ?

Otherwise I'm clueless as well as baffled !

Regards

corrected typo

cholzhauer

Regarding the router... I'm not sure... it's just the router that's managed by my ISP... I would assume that it forwards traffic as it gets it, no encapsulation.

Sheila22Gascon

IPv6 support is still experimental under Windows XP and the stack has to be enabled manually.

To enable the Windows XP IPv6 stack:
From the Windows desktop press the "start" button.
Click on "Control Panel".
Assuming that the Control Panel is in classic view mode, click on "Network Connections".
Right click on the connection that needs to have the IPv6 stack enabled and go to "Properties"
On the properties window click on the "Install..." button.
On the "Select Network Component Type" window, select the "Protocol" option and then click on the "Add..." button.
On the "Select Network Protocol" window select "Microsoft TCP/IP version 6" and then click the "Ok" button.

The Microsoft IPv6 stack is now enabled for your network connection.

There is no graphical configuration of IPv6 properties/settings. A command line tool, netsh, is used to configure IPv6 for interfaces.

To add or delete an IPv6 address:
From a Windows command line invoke the netsh tool by typing "netsh" and then pressing the enter key.
Next change the context of netsh to interface by typing "interface" and pressing enter.
Change the context of the interface to ipv6 mode by typing "ipv6" and pressing enter.
The command to add an address has the form of "add address [interface=]<string> [address=]<IPv6 Address>"
a. Example: add address interface="Local Area Connection 2" 2001:1945:feed:deef::1

Deletion can be handled in the same manner by using keyword delete instead of keyword add.

Hope this helps.

Ninho

@All : best wishes for 2012 !

I'm afraid I shall resurrect this thread...

@Sheila : thanks but I have IPv6, and the IPv6-in-IP tunnel, working properly in XP. The problem is the Windows XP SP3 firewall kills this completely, and the question, whether it's possible to configure the FW to let 6-in-4 alone, or if it's an incompatible configuration.

@Cholz : reading your Nov. 21 post again, I can't see any mention of the firewall. Was it activated during your tests ? If not, a crucial comparison element has been missing...

On my XP system, as soon as the firewall is active, it drops every outgoing packet to the tunnel (protocol 41). I've checked this fact both in the firewall's own log and with a packet capture utility. It would probably also drop incoming packets, but there are none left to block since I can't send requests :=)

There doesn't seem to be any setting for the firewall either in the graphical interface or netsh commands that changes this behaviour. Deactivating the FW immediately restores communication thru the tunnel.

The dropped packets have:
ipv4 proto = 41, source IP = 10.0.0.1, dest IP = 216.66.80.30 (Frankfurt tunnel server)
ipv6 payload: source = my local IP6, dest = whatever

I have no idea what the firewall doesn't like in my packets :=)
Until proven otherwise, I assume it simply doesn't support 6-in-4.

Incidentally we have here a case of the MS firewall dropping outgoing packets, whereas all their documentation (that I have seen) says it is intended to drop unsolicited incoming... one more case of MS documentation being incomplete, misleading or plain wrong.

Please confirm whether your tunnels work with the XP FW active or not !

Thanks


--
Ninho
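Editor's note: the two checks Ninho describes in the post above (reading the firewall's own log, and looking at the dropped datagrams in a capture) can be done offline. The script below is an added example, not code from any post in this thread or from Hurricane Electric. It assumes the Windows XP firewall log layout (the #Fields header it parses); the log entries and the packet it works on are constructed for the example, not captured, and only the tunnel server 216.66.80.30 and the tunnel client address come from the thread.

```python
"""Check what the Windows XP firewall does to 6in4 (IP protocol 41) traffic.

Added example for this thread, not code from the original posts. It parses
pfirewall.log, the W3C-style log the XP firewall writes when "Log dropped
packets" is enabled, and decodes a 6in4 datagram the way a packet-capture
tool would, so the inner IPv6 addresses of a dropped packet can be seen.
"""
import ipaddress
import struct
from collections import Counter

SIXIN4_PROTO = 41  # IPv6-in-IPv4 encapsulation, "protocol 41"

# Constructed excerpt in the XP firewall log layout (the header lines follow the
# real format; the entries are made up for this example).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2011-11-16 10:13:45 DROP 41 10.0.0.1 216.66.80.30 - - 124 - - - - - - - SEND
2011-11-16 10:13:46 DROP 41 10.0.0.1 216.66.80.30 - - 124 - - - - - - - SEND
2011-11-16 10:13:47 OPEN TCP 10.0.0.1 216.66.80.30 1042 80 0 - 0 0 0 - - - -
2011-11-16 10:13:50 DROP UDP 10.0.0.9 10.0.0.1 137 137 78 - - - - - - - RECEIVE
2011-11-16 10:13:51 DROP ICMP 203.0.113.7 10.0.0.1 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per log entry, keyed by the column names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("log entry before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or garbled line: skip it rather than misalign columns
        yield dict(zip(fields, values))


def dropped_6in4(entries, tunnel_server):
    """Return the DROP entries that are protocol-41 datagrams to or from tunnel_server."""
    server = str(ipaddress.IPv4Address(tunnel_server))
    return [
        e for e in entries
        if e["action"] == "DROP"
        and e["protocol"] == str(SIXIN4_PROTO)
        and server in (e["src-ip"], e["dst-ip"])
    ]


def summarize_drops(entries):
    """Count dropped packets per direction (the log's path column: SEND or RECEIVE)."""
    return Counter(e["path"] for e in entries)


def decode_6in4(raw):
    """Decode an IPv4 datagram; for protocol 41 also extract the inner IPv6 addresses.

    Returns (outer_src, outer_dst, inner_src, inner_dst); the inner pair is
    (None, None) when the datagram is not 6in4. Raises ValueError on malformed input.
    """
    if len(raw) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, proto = raw[0], raw[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    outer_src = str(ipaddress.IPv4Address(raw[12:16]))
    outer_dst = str(ipaddress.IPv4Address(raw[16:20]))
    if proto != SIXIN4_PROTO:
        return outer_src, outer_dst, None, None
    inner = raw[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol 41 payload is not an IPv6 header")
    inner_src = str(ipaddress.IPv6Address(inner[8:24]))
    inner_dst = str(ipaddress.IPv6Address(inner[24:40]))
    return outer_src, outer_dst, inner_src, inner_dst


def build_6in4_packet(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Construct a minimal 6in4 datagram (IPv4 header + IPv6 header) as decoder input.

    The IPv4 checksum is left at zero: this is test input, not something to send.
    """
    # IPv6 fixed header: version 6, payload length, next header 59 (no next header), hop limit 64
    inner = struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)
    inner += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed
    inner += payload
    # IPv4 header: version/IHL 0x45, TOS, total length, id, flags/frag, TTL 64, protocol 41, checksum
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, SIXIN4_PROTO, 0,
                        ipaddress.IPv4Address(outer_src).packed,
                        ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner


if __name__ == "__main__":
    drops = dropped_6in4(parse_firewall_log(SAMPLE_LOG), "216.66.80.30")
    print(len(drops), "dropped protocol-41 packets by direction:", dict(summarize_drops(drops)))
    pkt = build_6in4_packet("10.0.0.1", "216.66.80.30", "2001:470:1f0a:69a::2", "2001:db8::1")
    print("decoded:", decode_6in4(pkt))
```

On XP the log is only written when "Log dropped packets" is ticked under the firewall's Advanced tab (Security Logging); the default file is %windir%\pfirewall.log. Whatever the log shows, the workaround used in this thread, turning the firewall off, has a cost worth stating plainly: with forwarding and router advertisement enabled on the LAN interface, the XP box and every host in the routed /64 behind it are reachable from the whole IPv6 Internet through the tunnel, and nothing on that path is filtering inbound connections.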