
IPV6 tunnel routing local network

Started by Daiman Meijers, June 25, 2012, 07:42:14 AM


Daiman Meijers

Hi all,

I'm busy with the tunnelbroker's IPv6 brokers.
This is my situation:
linux server
eth1      Link encap:Ethernet  HWaddr 00:07:E9:05:16:FA
          inet addr:77.249.150.212  Bcast:77.249.150.255  Mask:255.255.255.0
          inet6 addr: fe80::207:e9ff:fe05:16fa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:515961 errors:0 dropped:0 overruns:0 frame:0
          TX packets:329168 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:305494218 (291.3 MiB)  TX bytes:132382982 (126.2 MiB)

eth2      Link encap:Ethernet  HWaddr 00:07:E9:05:16:FB
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: 2001:470:d5af::1/48 Scope:Global
          inet6 addr: fe80::207:e9ff:fe05:16fb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:379403 errors:0 dropped:0 overruns:0 frame:0
          TX packets:507452 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:54381808 (51.8 MiB)  TX bytes:418808062 (399.4 MiB)

he-ipv6   Link encap:IPv6-in-IPv4
          inet6 addr: 2001:470:1f14:110e::2/64 Scope:Global
          inet6 addr: fe80::4df9:9642/128 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:23390 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22930 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2247419 (2.1 MiB)  TX bytes:2342599 (2.2 MiB)

I can ping the IPv6 addresses from behind the server to an IPv6 address in my internal network.
But if I ping from a box on my internal network to an external IPv6 address, I get a time-out with some IP addresses.

With 2a00:1450:4007:803::1013 I got a response,
and with 2a00:1450:4007:803::1011 I get a time-out.

Can anyone help me?

Kind regards,
Daiman

broquea

Have you enabled ipv6 forwarding in sysctl.conf?
Are the hosts on the lan configured with a /48 netmask?
I can ping6 2001:470:d5af::1 so the /48 is definitely correctly routed to your side of the tunnel.

EDIT - also I can ping both 2a00:1450:4007:803::1013 and 2a00:1450:4007:803::1011 from native HE IPv6 colo, so they should respond to a tunnel

Daiman Meijers

The routing is enabled, of course.

[root@ams proc]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
net.ipv6.conf.all.forwarding = 1

The internal hosts have an IPv6 address in the /48 range

like 2001:470:d5af::beef:1
and gateway 2001:470:d5af::1

broquea

I cannot ping6 2001:470:d5af::beef:1

--- 2001:470:d5af::beef:1 ping statistics ---
19 packets transmitted, 0 received, 100% packet loss, time 17999ms


Any ip6tables rules on your linux machine with the tunnel? Anything on 2001:470:d5af::beef:1 filtering ICMPv6?

Daiman Meijers


cholzhauer

Quote
inet6 addr: 2001:470:d5af::1/48 Scope:Global

I don't think this is right...what are you trying to do here?

Daiman Meijers

That is the gateway IPv6 for the internal hosts.
What is not right?

cholzhauer

the /48.

I assume what you're trying to do is assign an address to this adapter so you can route to/from it.  If that's the case, you need to pick a /64 and assign an address from there...in your case, something like 2001:470:d5af:1::1/64 would work.

When you do the routing you can use the whole /48, but when you assign an address,  it has to be a /64

Daiman Meijers


cholzhauer

Well I can tell you it won't work the way it is now.

Did you email HE to make sure it was allocated and routed correctly?

You do need to route the /48 though...you don't need to manually route the /64 because it's on link, but you will need to route the whole /48.

Why don't you change it back to /64 and post a copy of your routing tables

broquea

It doesn't *have* to be a /64, he can burn the entire /48 on a link. OVH and FDC have been doing that for years much to their customers' dismay and complaint ;) He is doing static IP configuration, so as long as it is configured for the correct range it should work (or else you couldn't ping that gateway address he configured).

However he has said that he can ping6 1 external address, but not another. If you could do some traces from your lan machine to either address, see where the one that doesn't reply times out.

broquea

Quote from: cholzhauer on June 25, 2012, 08:15:42 AM
Well I can tell you it won't work the way it is now.

Did you email HE to make sure it was allocated and routed correctly?

I did say that I can ping6 his lan gateway IP in the /48:

~$ mtr 2001:470:d5af::1 -c 1 -r
HOST: ipvsixme                    Loss%   Snt   Last   Avg  Best  Wrst StDev
 1.|-- f0-6.switch14.fmt2.he.net  0.0%     1    0.7   0.7   0.7   0.7   0.0
 2.|-- 10gigabitethernet8-4.core  0.0%     1    0.6   0.6   0.6   0.6   0.0
 3.|-- 10gigabitethernet1-1.core  0.0%     1    9.9   9.9   9.9   9.9   0.0
 4.|-- 10gigabitethernet3-3.core  0.0%     1   40.4  40.4  40.4  40.4   0.0
 5.|-- 10gigabitethernet8-2.core  0.0%     1   61.2  61.2  61.2  61.2   0.0
 6.|-- 10gigabitethernet7-2.core  0.0%     1   76.6  76.6  76.6  76.6   0.0
 7.|-- 10gigabitethernet1-2.core  0.0%     1  144.1 144.1 144.1 144.1   0.0
 8.|-- 10gigabitethernet5-2.core  0.0%     1  148.6 148.6 148.6 148.6   0.0
 9.|-- tserv1.ams1.he.net         0.0%     1  155.2 155.2 155.2 155.2   0.0
10.|-- ams.ip6.bitshosting.nl     0.0%     1  165.1 165.1 165.1 165.1   0.0


You *can* use /48 on links and hosts, it just isn't very conservative.

Daiman Meijers

  1    <1 ms    <1 ms    <1 ms  ams.ip6.bitshosting.nl [2001:470:d5af::1]
  2    29 ms    17 ms    15 ms  Bitshostingnl-2.tunnel.tserv11.ams1.ipv6.he.net [2001:470:1f14:110e::1]
  3    13 ms    17 ms    12 ms  gige-g2-13.core1.ams1.he.net [2001:470:0:7d::1]
  4    11 ms    15 ms    14 ms  amsix-router.google.com [2001:7f8:1::a501:5169:1]
  5    22 ms    10 ms    13 ms  2001:4860::1:0:8
  6    11 ms    11 ms    28 ms  2001:4860::8:0:2daf
  7    19 ms    23 ms    29 ms  2001:4860::8:0:2ac4
  8    34 ms    27 ms    61 ms  2001:4860::8:0:3df4
  9   105 ms    26 ms    42 ms  2001:4860::1:0:9f2
 10    24 ms    40 ms    24 ms  2001:4860:0:1::225
 11    23 ms    24 ms    23 ms  par03s02-in-x13.1e100.net [2a00:1450:4007:803::1013]

De trace is voltooid.

This is the working one.


  1     *        *        *     Time-out bij opdracht.
  2     *        *        *     Time-out bij opdracht.
  3    15 ms    49 ms    13 ms  gige-g2-13.core1.ams1.he.net [2001:470:0:7d::1]
  4    12 ms    77 ms    14 ms  amsix-router.google.com [2001:7f8:1::a501:5169:1]
  5    19 ms    15 ms    25 ms  2001:4860::1:0:4b3
  6    14 ms    14 ms    31 ms  2001:4860::8:0:2db0
  7    20 ms    21 ms    23 ms  2001:4860::8:0:2ac4
  8    32 ms    25 ms    25 ms  2001:4860::8:0:3df4
  9    40 ms    24 ms    73 ms  2001:4860::1:0:9f2
 10    34 ms    33 ms    33 ms  2001:4860:0:1::225
 11    22 ms    27 ms    23 ms  par03s02-in-x11.1e100.net [2a00:1450:4007:803::1011]

De trace is voltooid.

This is the one where I can't ping it.

broquea

Ok, but your trace shows that you reached it. I think Google does at times filter things oddly. Some hosts ping, other times UDP traces stop short of the destination, etc. Not certain why your linux box/router and the tserv don't reply in your traceroute, but the Google destination certainly did. I think this is a non-problem unless you are getting sent to 2a00:1450:4007:803::1011 when browsing Google, and the page isn't loading. Try a tracepath6 to the destination and see if there is any mtu mangling along the way. If you are behind pppoe you can try tuning the HE side of the tunnel to 1472 (in the broker's webUI), and then set your he-ipv6 tunnel interface to that as well.
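
The MTU check suggested in the reply above, as an added example that is not part of the original thread: a binary search for the largest unfragmented IPv6 packet a path carries, compared against the tunnel interface MTU. The function names, the simulated probe and the 2001:db8::1 documentation address are assumptions made for illustration; on a real host pass `probe_ping6` instead of `probe_sim`.

```shell
#!/usr/bin/env bash
# Added example: measure the path MTU over a 6in4 tunnel.
# ICMPv6 echo payload = packet size - 40 (IPv6 header) - 8 (ICMPv6 header).

# Real probe: one unfragmentable echo request of total size $2 to host $1.
probe_ping6() {
    ping6 -c 1 -W 2 -M do -s "$(( $2 - 48 ))" "$1" >/dev/null 2>&1
}

# Constructed stand-in for offline runs: a path whose narrowest link is SIM_PMTU.
SIM_PMTU=1472
probe_sim() {
    [ "$2" -le "$SIM_PMTU" ]
}

# Binary search between the IPv6 minimum MTU (1280) and Ethernet (1500).
# Prints the largest packet size that got a reply, or 0 if even 1280 fails
# (host down or ICMPv6 filtered, which is not an MTU problem).
find_pmtu() {
    local target="$1" probe="${2:-probe_ping6}" lo=1280 hi=1500 mid
    "$probe" "$target" "$lo" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$target" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# Compare the measured path MTU with the MTU set on the tunnel interface.
advise() {
    local pmtu="$1" tunnel_mtu="$2"
    if [ "$pmtu" -eq 0 ]; then echo "no-reply"
    elif [ "$pmtu" -lt "$tunnel_mtu" ]; then echo "lower-tunnel-mtu-to-$pmtu"
    else echo "mtu-ok"
    fi
}

# Demo with the simulated probe; 1480 is the he-ipv6 MTU shown in the first post.
pmtu=$(find_pmtu 2001:db8::1 probe_sim)
echo "path MTU $pmtu -> $(advise "$pmtu" 1480)"
```

A result below the tunnel MTU means large packets are being dropped somewhere on the path, which matches the symptom of small pings working while page loads stall.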

Daiman Meijers

The Linux server is on a public network.
On the Linux server, which is functioning as the router, I can ping, wget, traceroute and tracepath.
But on my PC, which has an IPv6 address, I have problems with it.
Is there any way to fix it?
It's not only with Google; it happens on more websites with IPv6.