• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Destination unreachable: Address unreachable

Started by yang0914, April 29, 2012, 08:48:27 AM

Previous topic - Next topic

yang0914

Hi, all:
I have created a ipv6 tunnel on a Fedora server with the following commands:

modprobe ipv6
ip tunnel add he-ipv6 mode sit remote 74.82.46.6 local 10.21.0.8 ttl 255
ip link set he-ipv6 up
ip addr add 2001:470:23:5d8::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6

I use the private IP address(10.21.0.8) instead of my public address(114.xx.xx.xx)
But when I finish all the steps and ping6 a ipv6 address like 2001:470:23:5d8::1 or www.kame.net,
The response will always show "Destination unreachable: Address unreachable"

Could someone tell me where I have gone wrong?
Thanks.

cholzhauer

Are you able to ping the HE side of the tunnel?

Is your router router properly forwarding protocol41?

yang0914

I can ping the IPv4 address of the remote tunnel end point, but not work with the IPv6 address. ???
And my router can forward the proto41 packets.   

cholzhauer

Yeah I meant if you could ping the ipv6 address.  How do you know your router can forward protocol 41?

yang0914

Because someone else has done this before ...

broquea

Someone with your computers and network, or just someone on the 'net? :)

Post useful stuff like interface configurations and routing table on the machine trying to use the tunnel.

What model NAT appliance are you behind?

Have you tried putting your host in it's DMZ?

yang0914

Someone on the same net.

The following is the output of 'ifconfig -a'.

he-ipv6   Link encap:IPv6-in-IPv4 
          inet6 addr: fe80::a00:20f/128 Scope:Link
          inet6 addr: 2001:470:23:5d8::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:936 (936.0 b)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:452 errors:0 dropped:0 overruns:0 frame:0
          TX packets:452 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:63991 (62.4 KiB)  TX bytes:63991 (62.4 KiB)

p16p1     Link encap:Ethernet  HWaddr 08:00:27:29:AA:C9 
          inet addr:10.21.0.8  Bcast:10.21.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe29:aac9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:718 errors:0 dropped:0 overruns:0 frame:0
          TX packets:952 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:263530 (257.3 KiB)  TX bytes:122182 (119.3 KiB)

sit0      Link encap:IPv6-in-IPv4 
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


Output of 'ip addr':

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: p16p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:29:aa:c9 brd ff:ff:ff:ff:ff:ff
    inet 10.21.0.8/24 brd 10.21.0.255 scope global p16p1
    inet6 fe80::a00:27ff:fe29:aac9/64 scope link
       valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0
12: he-ipv6: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
    link/sit 10.21.0.8 peer 74.82.46.6
    inet6 2001:470:23:5d8::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:20f/128 scope link
       valid_lft forever preferred_lft forever


And here is the 'tcpdump -i he-ipv6 ip6' record when I ping6 to the server side of the tunnel:

14:32:21.724235 IP6 yang0914-1-pt.tunnel.tserv22.tyo1.ipv6.he.net > yang0914-1.tunnel.tserv22.tyo1.ipv6.he.net: ICMP6, echo request, seq 1, length 64
14:32:22.730144 IP6 yang0914-1-pt.tunnel.tserv22.tyo1.ipv6.he.net > yang0914-1.tunnel.tserv22.tyo1.ipv6.he.net: ICMP6, echo request, seq 2, length 64
14:32:23.731075 IP6 yang0914-1-pt.tunnel.tserv22.tyo1.ipv6.he.net > yang0914-1.tunnel.tserv22.tyo1.ipv6.he.net: ICMP6, echo request, seq 3, length 64
14:32:24.731518 IP6 yang0914-1-pt.tunnel.tserv22.tyo1.ipv6.he.net > yang0914-1.tunnel.tserv22.tyo1.ipv6.he.net: ICMP6, echo request, seq 4, length 64
14:32:25.733127 IP6 yang0914-1-pt.tunnel.tserv22.tyo1.ipv6.he.net > yang0914-1.tunnel.tserv22.tyo1.ipv6.he.net: ICMP6, echo request, seq 5, length 64

smooker

tcpdump -i p16p1 -n proto 41 -vv

will be more usefull



magnuswallin

#8
Hello!

I hope the OP don't mind that I "hijack" this thread, because I pretty much have the exact same problem, although I use Debian Wheezy.

I cannot ping6 any ipv6 addresses, all I get back is:
ping6 ipv6.google.com
PING ipv6.google.com(la-in-x93.1e100.net) 56 data bytes
From magnuswallin-1-pt.tunnel.tserv24.sto1.ipv6.he.net icmp_seq=1 Destination unreachable: Address unreachable


The only ipv6 address I can successfully ping is my own endpoint:
ping6 2001:470:27:6d9::2
PING 2001:470:27:6d9::2(2001:470:27:6d9::2) 56 data bytes
64 bytes from 2001:470:27:6d9::2: icmp_seq=1 ttl=64 time=0.165 ms


I can not reach the HE endpoint:
ping6 2001:470:27:6d9::1
PING 2001:470:27:6d9::1(2001:470:27:6d9::1) 56 data bytes
From 2001:470:27:6d9::2 icmp_seq=1 Destination unreachable: Address unreachable


When I set this up, I followed this excellent guide. And here is what my /etc/network/interfaces looks like:
# Entries for the ipv6 tunnel below
auto ipv6_tunnel
iface ipv6_tunnel inet6 v4tunnel
       address 2001:470:27:6d9::2
       netmask 64
       endpoint 216.66.80.90
       local 49.99.222.99 # <- that is not my actual ip!
       gateway 2001:470:27:6d9::1
       ttl 255
       dns-nameservers 2001:470:20::2 74.82.42.42


A traceroute indeed tells me that the host is down. And here is the output of ip route:
ip -6 route
2001:470:27:6d9::1 dev ipv6_tunnel  metric 1024
2001:470:27:6d9::/64 via :: dev ipv6_tunnel  proto kernel  metric 256
fe80::/64 dev wlan0  proto kernel  metric 256
fe80::/64 via :: dev ipv6_tunnel  proto kernel  metric 256
default via 2001:470:27:6d9::1 dev ipv6_tunnel  metric 1024


I have tried to disable ALL firewalls, both in the router (NAT), and on the server itself, to no avail. I also tried putting the server in the NAT's DMZ, no change.

If someone sees any obvious errors in my setup, I would appreciate if you could point them out. Also, there is talk of routers potentially not forwarding protocol 41. I honestly have no idea if my router does that or not, if you could tell me how to find out I'd be happy to try that out.

Thanks for reading and kind regards,
MW

Edit: I just want to let you know that ipv4 access (globally and locally) to the server works just fine!
Edit2: SOLVED! Funny, I changed my /etc/network/interfaces to my internal ip:
# Entries for the ipv6 tunnel below
auto ipv6_tunnel
iface ipv6_tunnel inet6 v4tunnel
        address 2001:470:27:6d9::2
        netmask 64
        endpoint 216.66.80.90
        local 192.168.1.160
        gateway 2001:470:27:6d9::1
        ttl 255
        dns-nameservers 2001:470:20::2 74.82.42.42


And all of a sudden it works! However, I tried this yesterday - and then it didn't work  ???

Anyways, it seems to be working fine for now. I hope maybe this information can be of help to someone else.
Best regards,
MW

kcochran

That's exactly why the following is on the example configuration pages:
QuoteNOTE: When behind a firewall appliance that passes protocol 41, use the IPv4 address you get from your appliance's DHCP service instead of the IPv4 endpoint you provided to our broker.

magnuswallin

#10
Quote from: kcochran on September 27, 2013, 04:12:26 AM
That's exactly why the following is on the example configuration pages:
QuoteNOTE: When behind a firewall appliance that passes protocol 41, use the IPv4 address you get from your appliance's DHCP service instead of the IPv4 endpoint you provided to our broker.
Yes, I realize that. I also tried that yesterday - then it didn't work, but today it did. For a while...

Now, after rebooting the server, I am (almost) back at square one:
ping6 ipv6.google.com
PING ipv6.google.com(lb-in-x63.1e100.net) 56 data bytes
^C
--- ipv6.google.com ping statistics ---
28 packets transmitted, 0 received, 100% packet loss, time 27216ms


This is frustrating!

Edit: Ok, it seems as if I get a new IP (external ipv4) from my isp at infrequent intervals. Sigh, better call them.
Edit 2: Ok, I called my isp. Apparently there has been a fire in their cables nearby, and they are currently working on fixing that - which means that the system is undergoin constant changes. I think this is the root of all my problems; the ever-changing external ipv4 address!