Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Can ping, but can't connect

Started by optichost, February 20, 2012, 04:21:55 AM


optichost

Trying to tunnel through NAT.  Custom Linux router.

iptables:
iptables -t nat -A PREROUTING -p 41 -i eth1 -d 24.199.***.** -j DNAT --to-destination 192.168.0.10
iptables -t nat -A POSTROUTING -p 41 -o eth0 -s 192.168.0.10 -j SNAT --to-source 24.199.***.**
iptables -t nat -A PREROUTING -p all -i eth1 -d 24.199.***.** -j DNAT --to-destination 192.168.0.10
iptables -t nat -A POSTROUTING -p all -o eth0 -s 192.168.0.10 -j SNAT --to-source 24.199.***.**

sysctl -w net.ipv6.conf.all.forwarding=1 is good.
I can ping any ipv6 host, but all ipv6 connections time out.
Strangely, the port scanner on here can see that I have SSH and Apache open on the box, I just can't make any outgoing IPv6 connections.

On the client side:
modprobe ipv6
ip tunnel add he-ipv6 mode sit remote 216.66.22.2 local 192.168.0.10 ttl 255
ip link set he-ipv6 up
ip addr add 2001:470:e548::20 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr

# ping6 ipv6.google.com
PING ipv6.google.com(yw-in-x67.1e100.net) 56 data bytes
64 bytes from yw-in-x67.1e100.net: icmp_seq=1 ttl=56 time=44.9 ms

--- ipv6.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms


Please help, I'm at my wit's end.
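Added example, not optichost's rules: a router-side NAT ruleset that only forwards protocol 41 (6in4) between the HE tunnel server and the endpoint host, plus an ip6tables filter for the endpoint itself. It assumes eth1 is the router's WAN interface and eth0 the LAN interface, uses the addresses from the post, and stands an RFC 5737 placeholder in for the masked public IP; the SNAT is placed on the WAN-facing interface, which differs from the -o eth0 in the posted rules. The posted -p all rules hand every protocol to 192.168.0.10, and with nothing filtering on he-ipv6 that is why HE's port scanner sees SSH and Apache from outside. The functions only generate iptables-restore text; nothing is loaded unless the script is run as root with --apply.

```shell
#!/bin/sh
# Topology assumed from the thread: router with eth1 = WAN (public IP),
# eth0 = LAN; tunnel endpoint host 192.168.0.10; HE tunnel server 216.66.22.2;
# tunnel interface he-ipv6 on the endpoint. PUBLIC_IP is a placeholder
# (RFC 5737 documentation range) standing in for the masked 24.199.***.**.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
TUNNEL_HOST="192.168.0.10"
HE_SERVER="216.66.22.2"
WAN_IF="eth1"
LAN_IF="eth0"

# Router side (iptables-restore format): hand only 6in4 (protocol 41) from the
# HE server to the endpoint, and rewrite its replies on the WAN interface.
router_nat_rules() {
    cat <<EOF
*nat
-A PREROUTING -i $WAN_IF -p 41 -s $HE_SERVER -d $PUBLIC_IP -j DNAT --to-destination $TUNNEL_HOST
-A POSTROUTING -o $WAN_IF -p 41 -s $TUNNEL_HOST -d $HE_SERVER -j SNAT --to-source $PUBLIC_IP
COMMIT
*filter
-A FORWARD -i $WAN_IF -o $LAN_IF -p 41 -s $HE_SERVER -d $TUNNEL_HOST -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -p 41 -s $TUNNEL_HOST -d $HE_SERVER -j ACCEPT
COMMIT
EOF
}

# Endpoint side (ip6tables-restore format): default-deny inbound on the tunnel,
# keep ICMPv6 open so Packet Too Big reaches the stack (HE tunnels default to
# an MTU of 1280 and path MTU discovery depends on it), and expose only the
# services that are meant to be public.
endpoint_ip6_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i he-ipv6 -p tcp --dport 22 -j ACCEPT
-A INPUT -i he-ipv6 -p tcp --dport 80 -j ACCEPT
-A INPUT -i he-ipv6 -j DROP
COMMIT
EOF
}

# Dry run by default; only --apply as root actually loads the endpoint rules.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    endpoint_ip6_rules | ip6tables-restore
else
    echo "# router (iptables-restore):"; router_nat_rules
    echo "# endpoint (ip6tables-restore):"; endpoint_ip6_rules
fi
```

The endpoint rules are ip6tables rules, a separate table from the IPv4 iptables rules shown above; an IPv4 ruleset says nothing about what the tunnel interface accepts. Running the script without --apply prints both fragments so they can be reviewed before loading.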

kasperd

Quote from: optichost on February 20, 2012, 04:21:55 AM
I just can't make any outgoing IPv6 connections.
What happens when you try? Running tcpdump while trying to telnet to port 80 on some webserver should give some hint about the reason.

If you are able to complete a three-way handshake, but you cannot transfer data, then you most likely have an MTU problem.

If you can't even complete a handshake, then it is not an MTU problem. And I would take a look at the IPv6 firewall rules.

As for the iptables rules I am using:
-A PREROUTING -i eth0 -p ipv6 -j DNAT --to-destination 10.x.y.z
-A POSTROUTING -o eth0 -j MASQUERADE

I don't think the use of SNAT instead of MASQUERADE is the problem.
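Added example, not part of kasperd's reply: a small shell/awk classifier that applies the test described above to a tcpdump capture of one connection attempt. It separates SYNs that never get a SYN-ACK (filtering or firewall, look at the IPv6 rules) from a completed handshake followed by a retransmitted data segment (MTU suspect, especially when the repeated segment is close to the MSS). The three captures are constructed for the example, modelled on the lines optichost later posted but using documentation addresses and tcpdump's normal Flags [S] notation.

```shell
#!/bin/sh
# Classify one TCP connection attempt captured with something like
#   tcpdump -ni eth0 proto 41        (6in4 carrier, inner IPv6 shown after "IP6")
#   tcpdump -ni he-ipv6 port 80      (directly on the tunnel interface)
# Prints: NO_HANDSHAKE | DATA_STALL retransmitted_len=N | OK | UNKNOWN
classify_capture() {
    awk '
    BEGIN { syn = 0; synack = 0; data = 0; retrans = 0; maxlen = 0 }
    {
        flags = ""; len = 0; seq = ""; src = "?"
        # prefer the inner IPv6 header when the capture is of the 6in4 carrier
        if (match($0, /IP6 [^ ]+ >/))     src = substr($0, RSTART + 4, RLENGTH - 6)
        else if (match($0, /IP [^ ]+ >/)) src = substr($0, RSTART + 3, RLENGTH - 5)
        if (match($0, /Flags \[[^]]*\]/)) flags = substr($0, RSTART + 7, RLENGTH - 8)
        if (match($0, /seq [0-9:]+/))     seq = substr($0, RSTART + 4, RLENGTH - 4)
        if (match($0, /length [0-9]+/))   len = substr($0, RSTART + 7, RLENGTH - 7) + 0
        if (flags == "S") syn++
        else if (flags == "S.") synack++
        if (len > 0) {
            data++
            # same sender re-sending the same byte range = retransmission
            key = src ":" seq
            if (key in seen) { retrans++; if (len > maxlen) maxlen = len }
            seen[key] = 1
        }
    }
    END {
        if (syn > 0 && synack == 0)         print "NO_HANDSHAKE"
        else if (synack > 0 && retrans > 0) print "DATA_STALL retransmitted_len=" maxlen
        else if (synack > 0)                print "OK"
        else                                print "UNKNOWN"
    }' "$1"
}

# --- constructed sample captures (not from the thread) ---
SAMPLE_DIR=$(mktemp -d)
CAP_NO_HS="$SAMPLE_DIR/no_handshake.txt"
CAP_STALL="$SAMPLE_DIR/data_stall.txt"
CAP_OK="$SAMPLE_DIR/ok.txt"

# SYN retransmitted, nothing ever comes back: filtered somewhere on the path
cat > "$CAP_NO_HS" <<'EOF'
17:02:15.538645 IP 192.168.0.10 > 216.66.22.2: IP6 2001:470:e548::20.53452 > 2001:db8::1.6667: Flags [S], seq 1324326693, win 4260, options [mss 1420,sackOK,TS val 911218 ecr 0,nop,wscale 6], length 0
17:02:18.544557 IP 192.168.0.10 > 216.66.22.2: IP6 2001:470:e548::20.53452 > 2001:db8::1.6667: Flags [S], seq 1324326693, win 4260, options [mss 1420,sackOK,TS val 914224 ecr 0,nop,wscale 6], length 0
EOF

# handshake completes, then a full-size segment is sent three times and never acked: MTU
cat > "$CAP_STALL" <<'EOF'
12:00:00.000001 IP6 2001:470:e548::20.40000 > 2001:db8::1.80: Flags [S], seq 3000, win 28800, options [mss 1420,sackOK], length 0
12:00:00.045000 IP6 2001:db8::1.80 > 2001:470:e548::20.40000: Flags [S.], seq 7000, ack 3001, win 65535, options [mss 1440,sackOK], length 0
12:00:00.045100 IP6 2001:470:e548::20.40000 > 2001:db8::1.80: Flags [.], ack 1, win 225, length 0
12:00:00.046000 IP6 2001:470:e548::20.40000 > 2001:db8::1.80: Flags [.], seq 1:1409, ack 1, win 225, length 1408
12:00:00.250000 IP6 2001:470:e548::20.40000 > 2001:db8::1.80: Flags [.], seq 1:1409, ack 1, win 225, length 1408
12:00:00.660000 IP6 2001:470:e548::20.40000 > 2001:db8::1.80: Flags [.], seq 1:1409, ack 1, win 225, length 1408
EOF

# healthy exchange: request, reply, acks
cat > "$CAP_OK" <<'EOF'
12:01:00.000001 IP6 2001:470:e548::20.40001 > 2001:db8::1.80: Flags [S], seq 5000, win 28800, options [mss 1420,sackOK], length 0
12:01:00.045000 IP6 2001:db8::1.80 > 2001:470:e548::20.40001: Flags [S.], seq 9000, ack 5001, win 65535, options [mss 1440,sackOK], length 0
12:01:00.045100 IP6 2001:470:e548::20.40001 > 2001:db8::1.80: Flags [.], ack 1, win 225, length 0
12:01:00.046000 IP6 2001:470:e548::20.40001 > 2001:db8::1.80: Flags [P.], seq 1:80, ack 1, win 225, length 79
12:01:00.090000 IP6 2001:db8::1.80 > 2001:470:e548::20.40001: Flags [.], ack 80, win 509, length 0
12:01:00.091000 IP6 2001:db8::1.80 > 2001:470:e548::20.40001: Flags [P.], seq 1:251, ack 80, win 509, length 250
12:01:00.091100 IP6 2001:470:e548::20.40001 > 2001:db8::1.80: Flags [.], ack 251, win 229, length 0
EOF

for f in "$CAP_NO_HS" "$CAP_STALL" "$CAP_OK"; do
    printf '%s: %s\n' "$(basename "$f")" "$(classify_capture "$f")"
done
```

The first sample reproduces the pattern in the thread: only SYNs leaving the tunnel, no SYN-ACK, so the advice is to look at what filters the tunnel rather than at the MTU. Run it on a real capture with classify_capture /path/to/tcpdump-output.txt.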

optichost

I have 5 IPv4 addresses, which adds to the complexity.  I can't just masquerade, or it'll take my first IP.
I checked out tcpdump and it looks like I can handshake, it's getting blocked by the router.  Good call.  I'll put the tunnel on my 'default' ip, and see what happens.

optichost

Still no dice.

tcpdump output:
17:02:15.538645 IP 192.168.0.10 > tserv13.ash1.ipv6.he.net: IP6 2001:470:e548::20.53452 > 2001:41d0:2:8a4e::.ircd: Flags , seq 1324326693, win 4260, options [mss 1420,sackOK,TS val 911218 ecr 0,nop,wscale 6], length 0
17:02:18.544557 IP 192.168.0.10 > tserv13.ash1.ipv6.he.net: IP6 2001:470:e548::20.53452 > 2001:41d0:2:8a4e::.ircd: Flags , seq 1324326693, win 4260, options [mss 1420,sackOK,TS val 914224 ecr 0,nop,wscale 6], length 0

^ When trying to connect to an IPv6 IRC server

It will just sit there, and time out eventually.

broquea

So is it only IRC? Because unless you are a Sage (which you aren't, yet), new tunnels have IRC blocked. You have to reach Sage on the cert program to unblock IRC filtering on your tunnel. Unless this tunnel was created prior to Oct. 2011.

optichost

I'll have to check.  They're servers that I'm trying to set the tunnels up on, so I don't think there's an IPv6 compatible browser.

optichost

I'll be damned... you're right.  I can access http://ipv6.google.com/ through a PHP script I just wrote.  Thanks, man.  Much appreciated.

aamkeri

I had the same issue. I tried a lot of things - even tried setting up a new connection - but it didn't work. I called his provider and found that some of his settings were incorrect, so we reset them. I can ping out and receive so that's not an issue. I just keep getting 'Page Cannot Be Displayed'.