• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Can I establish a tunnel with external ip not pingable?

Started by realdreams, January 30, 2012, 12:19:20 PM


realdreams

My ISP blocks external ping (along with many other things so that users can't run servers...). Not really anything I can do about it. Is there still a way to establish a tunnel?

kasperd

There are two questions to be asked here. Question one is can you somehow get the HE tunnel server to set up a tunnel with an endpoint it cannot ping. Question two is can you get a 6in4 tunnel to work through that ISP at all.

An ISP that blocks ping shouldn't exist in the first place. They were supposed to have lost all their customers to the competition. But somehow some companies get to stay in business even when they shouldn't, so let's get back to your question.

Can you get a tunnel to work with an IP that is not pingable? It may be worth trying setting up the tunnel with a different IP and then changing the IP after the tunnel is created. You can probably find somebody who will help you by letting you use their IP address for just setting up the tunnel. Now whether any of the methods for changing the IP will work in that case, I don't know. It might be that every one of them will check that the IP is pingable.

I don't know what the purpose of verifying that the address is pingable is in the first place, as I can't really see any reason why there would be a strong correlation between an IP being pingable and it being usable for the tunnel, or any strong correlation between an IP being pingable and it being the correct IP to be using for the tunnel.

If you can somehow get the tunnel set up with an IP that isn't pingable, there still isn't any guarantee that it will work. There are ISPs that provide routers where it will fail even though the IP is pingable.

The question is whether you can get protocol 41 traffic back and forth. If NAT is involved, you need a bit of luck to get it working. It may be that the NAT has absolutely no knowledge about what protocol 41 is, but is still able to get it working. The way it would work is as follows:

  • Your tunnel endpoint sends 6in4 packet to tunnel server
  • NAT doesn't know what it is, but it remembers that your local IP is talking protocol 41 with the IP of the tunnel server.
  • NAT masquerades source IP and passes packet on to tunnel server.
  • Tunnel server sends a 6in4 packet to the IP of the NAT.
  • NAT recognizes protocol 41 and IP of the tunnel server and passes the packet to local IP of tunnel endpoint.

The above certainly doesn't work in all cases. But I have seen two routers where it did work. (Incidentally those two routers had built-in DNS servers that would blow up if you did AAAA lookups, so you had to configure every machine on the LAN to ignore the DNS servers announced by the DHCP server.)

HE used to be doing a beta of a different tunnel protocol that might have helped you, but that is deprecated now; I don't know if you can even sign up for it anymore. If you cannot get it to work, you may have better luck with another tunnel provider. At least sixxs.net is supposed to be offering tunnels that will work through most stuff. Unfortunately I never made it through their bureaucracy for setting up a username, so I haven't seen for myself what their tunnels can do.
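The five NAT steps listed in the post above, modelled as an added example that is not part of any post in this thread. It is a toy NAT, not any vendor's implementation; the class and function names are hypothetical and the addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass, field

PROTO_6IN4 = 41  # IPv4 protocol number carrying encapsulated IPv6

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int = PROTO_6IN4

@dataclass
class ProtocolOnlyNat:
    """Toy NAT that tracks port-less protocols by (protocol, remote IP) only."""
    public_ip: str
    # (proto, remote IP) -> inside host that last sent to that remote
    table: dict = field(default_factory=dict)

    def outbound(self, pkt):
        # Steps 2-3: remember the mapping, then masquerade the source address.
        self.table[(pkt.proto, pkt.dst)] = pkt.src
        return Packet(self.public_ip, pkt.dst, pkt.proto)

    def inbound(self, pkt):
        # Step 5: forward only if an inside host already talked to this remote.
        inside = self.table.get((pkt.proto, pkt.src))
        if pkt.dst != self.public_ip or inside is None:
            return None  # no state: dropped, like any unsolicited packet
        return Packet(pkt.src, inside, pkt.proto)

def demo():
    nat = ProtocolOnlyNat(public_ip="203.0.113.7")  # constructed addresses
    server, host = "198.51.100.1", "192.168.1.10"
    results = {}
    # Tunnel server sends first: nothing in the table, so the packet is dropped.
    results["unsolicited"] = nat.inbound(Packet(server, nat.public_ip))
    # Steps 1-3: the endpoint sends first and the NAT rewrites the source.
    results["out"] = nat.outbound(Packet(host, server))
    # Steps 4-5: the reply from the tunnel server reaches the endpoint.
    results["reply"] = nat.inbound(Packet(server, nat.public_ip))
    # Assumption of this model: with no ports to tell flows apart, a second
    # inside host talking to the same server takes over the mapping.
    nat.outbound(Packet("192.168.1.11", server))
    results["after_second_host"] = nat.inbound(Packet(server, nat.public_ip))
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The model shows two practical consequences: the inside endpoint has to send first (and keep sending) for the mapping to exist, and only one host behind such a NAT can use a given tunnel server at a time.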

cholzhauer

Keep in mind that even when you switch IP addresses, the new IP has to respond to ICMP.

Qed

I have the same problem, my ISP is blocking ICMP echo requests directed to my IP address. The packets are just not reaching my router.

I can ping the server with no problems. I don't get what's the reason of that "ping check" :-/

kasperd

Quote from: Qed on March 23, 2012, 11:57:40 PM
I don't get what's the reason of that "ping check"
I guess the reason for this check is that it has always been done like that.

kriteknetworks

Likely to ascertain a live tunnel endpoint before HE starts routing packets to it.

kasperd

Quote from: kriteknetworks on March 25, 2012, 11:46:10 AM
Likely to ascertain a live tunnel endpoint before HE starts routing packets to it.
No. By far the majority of the IPv4 addresses responding to ICMP echo requests are not valid 6in4 tunnel endpoints. And it is entirely possible to have a working tunnel endpoint which does not respond to ICMP echo requests. And judging from the number of times this question has come up, I guess there are multiple people in that situation.

There will be significant numbers of false positives and false negatives. I don't even see a reason to think there is a strong correlation between an IPv4 address responding to ICMP echo requests, and it being a valid 6in4 tunnel endpoint.

It would make much more sense to send a probe with an ICMPv6 echo request. That would of course require a bit of additional configuration as the user would have to also specify which IPv6 address the request should be sent to.

sseif57

Quote from: realdreams on January 30, 2012, 12:19:20 PM
My ISP blocks external ping (along with many other things so that users can't run servers...). Not really anything I can do about it. Is there still a way to establish a tunnel?
I used a fake one and got a working tunnel while my IP is not pingable.