• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Passing packets between subnet and 6in4 tunnel?

Started by leeand00, December 02, 2011, 09:48:07 AM

leeand00

Hello,

I can use my router to ping ipv6 websites over the Internet via HE 6in4 tunnel. 

I have also allocated a /48 prefix and set up two IPv6 subnets, one for a LAN and one for a DMZ.

(Prefixes)
LAN - 2001:470:bc0e:1::/64
DMZ - 2001:470:bc0e:2::/64

Internally to these subnets I have also assigned my router the following ipv6 addresses on the LAN and DMZ respectively:

LAN - 2001:470:bc0e:1::1/64
DMZ - 2001:470:bc0e:2::1/64

Within these subnets I have configured clients, a webserver on the DMZ and a Windows 7 box on the LAN:

Win7 (LAN) - (IPv6 Address Assigned by RADVD)
Linux Webserver (DMZ) - 2001:470:bc0e:2::250

Now while I can indeed ping the address of the router from each of the machines on the subnet, it appears that I am unable to reach the external ipv6 Internet from the clients, even when trying to ping6 the address (not the domain) of a site like ipv6.google.com.

My first thought was that this had something to do with the routing tables on the clients, and I tried checking the default gateway via the ip -6 route list command:


user@dmz-host~$ ip -6 route list
2001:470:bc0e:2::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via 2001:470:bc0e:2::1 dev eth0 metric 1024


Which leads me to believe that maybe the router isn't forwarding my packets to the 6in4 tunnel...

I don't understand why this doesn't work. Does it have something to do with my firewall, or the fact that I'm using subnets within the /48 prefix?



cholzhauer

Props for including all of your IP data in the first post :)

You might need to have a route on your router to forward the packets intended for your /48 network.

For example in my setup  (Internet --- Tunnel Router --- Firewall) I have a rule on my Tunnel Router that forwards all traffic intended for my /48 at the outside interface of my firewall.  Can you sketch a quick diagram of what your setup looks like?

leeand00

Sure,

I'm a bit hazy on how to go about representing tunnels in my drawing, but um here is my best shot at it:



And here's the ifconfig output from the router if that will clear up my lack of tunnel drawing ability...

br-lan    Link encap:Ethernet  HWaddr 00:24:A5:D8:53:95
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: 2001:470:bc0e:1::1/64 Scope:Global
          inet6 addr: fe80::224:a5ff:fed8:5395/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:187 errors:0 dropped:0 overruns:0 frame:0
          TX packets:124 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:28299 (27.6 KiB)  TX bytes:29273 (28.5 KiB)

eth0      Link encap:Ethernet  HWaddr 00:24:A5:D8:53:95
          inet6 addr: fe80::224:a5ff:fed8:5395/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32846 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33387 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5570104 (5.3 MiB)  TX bytes:20064722 (19.1 MiB)
          Interrupt:4

eth0.1    Link encap:Ethernet  HWaddr 00:24:A5:D8:53:95
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:31319 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32174 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4985054 (4.7 MiB)  TX bytes:19954470 (19.0 MiB)

eth0.2    Link encap:Ethernet  HWaddr 00:24:A5:D8:53:95
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: 2001:470:bc0e:2::1/64 Scope:Global
          inet6 addr: fe80::224:a5ff:fed8:5395/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1379 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1196 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:113801 (111.1 KiB)  TX bytes:107884 (105.3 KiB)

eth1      Link encap:Ethernet  HWaddr 00:24:A5:D8:53:96
          inet6 addr: fe80::224:a5ff:fed8:5396/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24173 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20012 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:14620426 (13.9 MiB)  TX bytes:3046484 (2.9 MiB)
          Interrupt:5

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:162 errors:0 dropped:0 overruns:0 frame:0
          TX packets:162 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12634 (12.3 KiB)  TX bytes:12634 (12.3 KiB)

mon.wlan0 Link encap:UNSPEC  HWaddr 00-24-A5-D8-53-95-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:296 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:57024 (55.6 KiB)  TX bytes:0 (0.0 B)

pppoe-wan Link encap:Point-to-Point Protocol
          inet addr:xxx.xxx.xxx.xxx  P-t-P:10.7.49.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:50 errors:0 dropped:0 overruns:0 frame:0
          TX packets:64 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:12968 (12.6 KiB)  TX bytes:13814 (13.4 KiB)

wlan0     Link encap:Ethernet  HWaddr 00:24:A5:D8:53:95
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:53 errors:0 dropped:0 overruns:0 frame:0
          TX packets:70 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9497 (9.2 KiB)  TX bytes:13004 (12.6 KiB)

cholzhauer

Well, I take that back. I just tried to ping and it worked perfectly.



C:\Users\cholzhauer>ping  2001:470:bc0e:1::1

Pinging 2001:470:bc0e:1::1 with 32 bytes of data:
Reply from 2001:470:bc0e:1::1: time=155ms
Reply from 2001:470:bc0e:1::1: time=154ms
Reply from 2001:470:bc0e:1::1: time=156ms
Reply from 2001:470:bc0e:1::1: time=157ms

Ping statistics for 2001:470:bc0e:1::1:
   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
   Minimum = 154ms, Maximum = 157ms, Average = 155ms

C:\Users\cholzhauer>ping 2001:470:bc0e:2::1

Pinging 2001:470:bc0e:2::1 with 32 bytes of data:
Reply from 2001:470:bc0e:2::1: time=155ms
Reply from 2001:470:bc0e:2::1: time=155ms
Reply from 2001:470:bc0e:2::1: time=154ms
Reply from 2001:470:bc0e:2::1: time=154ms

Ping statistics for 2001:470:bc0e:2::1:
   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
   Minimum = 154ms, Maximum = 155ms, Average = 154ms


Are both the DMZ and LAN not working?

leeand00

No, they work insofar as the packets get to the router, but anything beyond the router, you can just forget it...

See example a:


user@dmzHost:~$ tracert6 2620:0:1cfe:face:b00c::3
traceroute to 2620:0:1cfe:face:b00c::3 (2620:0:1cfe:face:b00c::3) from 2001:470:bc0e:2::250, 30 hops max, 60 bytes packets
1  2001:470:bc0e:2::1 (2001:470:bc0e:2::1)  9.108 ms  0.416 ms  0.690 ms
2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
 26% completed...


leeand00

Now if I try to ping anything from the router, that's another story...


root@OpenWrt:~# ping6 www.v6.facebook.com
PING www.v6.facebook.com (2620:0:1cfe:face:b00c::3): 56 data bytes
64 bytes from 2620:0:1cfe:face:b00c::3: seq=0 ttl=49 time=183.879 ms
64 bytes from 2620:0:1cfe:face:b00c::3: seq=1 ttl=49 time=184.513 ms
64 bytes from 2620:0:1cfe:face:b00c::3: seq=2 ttl=49 time=184.249 ms
^C64 bytes from 2620:0:1cfe:face:b00c::3: seq=3 ttl=49 time=183.980 ms
64 bytes from 2620:0:1cfe:face:b00c::3: seq=4 ttl=49 time=184.189 ms
64 bytes from 2620:0:1cfe:face:b00c::3: seq=5 ttl=49 time=184.188 ms
64 bytes from 2620:0:1cfe:face:b00c::3: seq=6 ttl=49 time=183.911 ms
^C
--- www.v6.facebook.com ping statistics ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 183.879/184.129/184.513 ms
root@OpenWrt:~#

cholzhauer

Hmm... something isn't making sense. From what I can tell, you have IPv6 addresses on all interfaces of your router.

leeand00

There's a br-lan; should there be a br-dmz?

Do I need to add routes?

kasperd

Is the router running Linux as well? What is in /proc/sys/net/ipv6/conf/*/forwarding?

leeand00

Yes, the router is running OpenWRT Backfire.

I believe I remember changing the forwarding setting in accordance with the OpenWRT Wiki page about ipv6:

Here is my cat of /proc/sys/net/ipv6/conf/*/forwarding:


/proc/sys/net/ipv6/conf/6in4-henet/forwarding 2
/proc/sys/net/ipv6/conf/all/forwarding 1
/proc/sys/net/ipv6/conf/br-lan/forwarding 2
/proc/sys/net/ipv6/conf/default/forwarding 1
/proc/sys/net/ipv6/conf/eth0.1/forwarding 1
/proc/sys/net/ipv6/conf/eth0.2/forwarding 2
/proc/sys/net/ipv6/conf/eth0/forwarding 1
/proc/sys/net/ipv6/conf/eth1/forwarding 1
/proc/sys/net/ipv6/conf/lo/forwarding 2
/proc/sys/net/ipv6/conf/mon.wlan0/forwarding 1
/proc/sys/net/ipv6/conf/pppoe-wan/forwarding 2
/proc/sys/net/ipv6/conf/sit0/forwarding 1
/proc/sys/net/ipv6/conf/wlan0/forwarding 1


Most of them are 1's but a few are zeros.
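
An added example, not part of the thread or any poster's code: a POSIX shell check for the question kasperd raises, reading a "path value" listing in the format posted above and reporting whether forwarding is non-zero for `all`, the subnet-facing interface and the tunnel interface. The sample listing is constructed, and treating any non-zero value as enabled is this example's assumption.

```shell
#!/bin/sh
# Added example: check IPv6 forwarding on each interface a routed packet crosses.

# Print "path value" lines for every interface (same shape as the listing above).
dump_forwarding() {
    for f in /proc/sys/net/ipv6/conf/*/forwarding; do
        if [ -r "$f" ]; then printf '%s %s\n' "$f" "$(cat "$f")"; fi
    done
}

# Constructed sample listing (values invented for the demo, not the poster's).
sample_listing() {
    cat <<'EOF'
/proc/sys/net/ipv6/conf/6in4-henet/forwarding 0
/proc/sys/net/ipv6/conf/all/forwarding 1
/proc/sys/net/ipv6/conf/br-lan/forwarding 1
/proc/sys/net/ipv6/conf/eth0.2/forwarding 1
EOF
}

# check_forwarding IFACE...  reads a listing on stdin, prints one status line
# per requested interface, returns 1 if any is absent or set to 0.
# Assumption of this example: any non-zero value counts as enabled.
check_forwarding() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " ") }
        NF >= 2 { m = split($1, p, "/"); val[p[m - 1]] = $2 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                ifc = w[i]
                if (!(ifc in val))           { print ifc " missing"; bad = 1 }
                else if (val[ifc] + 0 == 0)  { print ifc " off"; bad = 1 }
                else                         { print ifc " on" }
            }
            exit bad
        }'
}

# Demo on the constructed sample; on a router use: dump_forwarding | check_forwarding ...
sample_listing | check_forwarding all eth0.2 6in4-henet \
    || echo "forwarding is not enabled along the whole path"
```

A clean result here only rules out the sysctl; the routing table and the ip6tables FORWARD chain on the router still need to be checked separately.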