Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Routing Tunnel Inside Network - Can Ping Addresses but Unable to Browse Website

Started by benberding, June 28, 2012, 12:38:01 PM


benberding

Hi Everyone,

I have the most frustrating problem; I have scoured the web and been unable to find any solutions. I also called Hurricane Electric, and while they were very nice, they were not sure either. They suggested that I post on this forum.
I have set up a tunnel and it seems to work great! My problem is that I want to route the tunnel onto our local network for the clients to access.
The tunnel seems to route properly; I can ping every IPv6 website I know of, but if I try to access the website in a browser, I cannot. It simply waits for the IPv6 version to time out, and then reverts to the IPv4 site.
I do not know what would cause this behavior. Furthermore, on the gateway server, IPv6 works fine; you can ping and browse native IPv6 websites. It is just that once you try it from a client computer, you cannot browse.
Our setup is a little complex, but simple at the same time. If you have any suggestions or ideas, I would love to hear them.


Setup:

We have 3 servers, all running Windows Server 2008 R2 Enterprise. One of the servers we are trying to set up as a gateway server; right now, it just does DirectAccess (a new Microsoft technology that utilizes IPv6, in case you are not familiar: a fancy IPv6 VPN). We would like to have it handle all Internet connections in the future, and have a plan for this.
Everything was working fine until the Internet started using IPv6 the other day. Our entire internal network is native IPv6, since it is required for DirectAccess. We are not using ISATAP and it is blocked in DNS. When IPv6 Day came, the DNS started resolving the IPv6 address of websites instead of the IPv4 address. Now we have no choice but to find an IPv6 connection to the Internet, or always have to wait for the connection to time out in the browser. Our ISP does not offer IPv6 yet, even to businesses, so we set up the tunnel. If we could just get it to browse, then we would be all set.
For our internal native IPv6, we are using Unique Local Addresses (ULA). From everything I have read, it should not be a problem to have both the global and ULA addresses on each interface. I have even read that it may be the preferred method, so you will always have a constant address regardless of what happens to your ISP. The ULAs are distributed via DHCPv6, while the servers have been assigned static IPv6 addresses. We host our DNS internally with the assistance of Google DNS forwarders.
All of the clients are Windows 7 Enterprise 64-bit. They all get the addresses fine. I was a little confused about the gateway addresses. At first, we had our DHCPv6/Domain Controller (DC) advertising its default route. This was done with the netsh -> advertisedefaultroute=enabled command; it was not publishing anything, as it used DHCPv6. This worked great. Now, it seems that the gateway should be advertising the default route; however, clients do not seem to like this: they get confused and take a long time to talk to the DC. Both of them advertising a route may work.
However, if you forget about all that for a second, and you set up a client with just a global address and the gateway server's link-local address as the gateway, it still does not work. You can ping great, all day long, but if you try to browse, it just does not work.
We have removed and disabled anything that might get in the way while trying to get this to work. The gateway server just has a direct connection to the Internet. The only thing left is the Windows built-in firewall on the server and clients. I have tried disabling this and it does not seem to make a difference, even though it does seem like this could be a firewall issue.
The tunnel is set up on the gateway server with what Microsoft calls a Direct Point-to-point Adapater (I just realized Microsoft misspelled that!).

Configuration:

Tunnel Adapter – IP6Tunnel:

  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . . . . . . . : Microsoft Direct Point-to-point Adapater
  Physical Address . . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled . . . . . . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  IPv6 Address . . . . . . . . . . . . . . . . : 2001:aaa:b:cc::2(Preferred)
  Link-local IPv6 Address . . . . . . . .: fe80::dddd:eeee:ffff:gggg%17(Preferred)
  Default Gateway . . . . . . . . . . . . .: 2001:aaa:b:cc::1
  DNS Servers . . . . . . . . . . . . . . . . .: fec0:0:0:ffff::1%1
                                                               fec0:0:0:ffff::2%1
                                                               fec0:0:0:ffff::3%1
  NetBIOS over Tcpip . . . . . . . . . . .: Disabled

Routes:

Publish Type    Met   Prefix                                   Idx  Gateway/Interface Name
------- ------- ----- ---------------------------------------- ---- ----------------------
Yes     Manual  256   ::/0                                     17   2001:aaa:b:cc::1
Yes     Manual  1100  ::/0                                     15   2002:hhhh:iiii::hhhh:iiii
No      Manual  256   ::1/128                                  1    Loopback Pseudo-Interface 1
No      Manual  8     2001::/32                                18   Teredo Tunneling Pseudo-Interface
No      Manual  256   2001:aaa:b:cc::/64                       17   IP6Tunnel
No      Manual  256   2001:aaa:b:cc::2/128                     17   IP6Tunnel
Yes     Manual  256   2001:aaa:jjjj::/64                       13   Local Area Connection
No      Manual  256   2001:aaa:jjjj::/128                      13   Local Area Connection
No      Manual  256   2001:aaa:jjjj::1/128                     13   Local Area Connection
No      Manual  256   2001:aaa:jjjj:0:kkkk:llll:mmmm:nnnn/128  13   Local Area Connection
Yes     Manual  1000  2002::/16                                15   6TO4 Adapter
No      Manual  256   2002:oooo:pppp::oooo:pppp/128            15   6TO4 Adapter
No      Manual  256   2002:oooo:qqqq::oooo:qqqq/128            15   6TO4 Adapter
No      Manual  256   fd00::/64                                13   Local Area Connection
No      Manual  256   fd00::2/128                              13   Local Area Connection
No      Manual  256   fd00::6702:2aad:bdc4:b09d/128            13   Local Area Connection
Yes     Manual  256   fd00:0:0:rrrr::/64                       16   IPHTTPSInterface
No      Manual  256   fd00:0:0:rrrr::/128                      16   IPHTTPSInterface
No      Manual  256   fd00::rrrr:ssss:tttt:uuuu:vvvv/128       16   IPHTTPSInterface
No      Manual  256   fe80::/64                                17   IP6Tunnel
No      Manual  256   fe80::/64                                13   Local Area Connection
No      Manual  256   fe80::/64                                11   Wide Area Connection
No      Manual  256   fe80::/64                                18   Teredo Tunneling Pseudo-Interface
No      Manual  256   fe80::/64                                16   IPHTTPSInterface
No      Manual  256   fe80::kkkk:llll:mmmm:nnnn/128            13   Local Area Connection
No      Manual  256   fe80::wwww:xxxx:yyyy:zzzz/128            11   Wide Area Connection
No      Manual  256   fe80::1111:2222:3333:4444/128            18   Teredo Tunneling Pseudo-Interface
No      Manual  256   fe80::dddd:eeee:ffff:gggg/128            17   IP6Tunnel
No      Manual  256   fe80::ssss:tttt:uuuu:vvvv/128            16   IPHTTPSInterface
No      Manual  256   ff00::/8                                 1    Loopback Pseudo-Interface 1
No      Manual  256   ff00::/8                                 16   IPHTTPSInterface
No      Manual  256   ff00::/8                                 18   Teredo Tunneling Pseudo-Interface
No      Manual  256   ff00::/8                                 17   IP6Tunnel
No      Manual  256   ff00::/8                                 13   Local Area Connection
No      Manual  256   ff00::/8                                 11   Wide Area Connection

It is worth noting that of the above connections, there are 3 IPv4 addresses statically assigned:
1 IPv4 static local address on the Local Area Connection – Index 13, which connects to the local network.
2 IPv4 static public addresses on the Wide Area Connection – Index 11, which connects to the Internet.
The 2 static public IPv4 addresses are needed for Teredo to function correctly: one to come in and one to go out. This is also why you see 2 almost identical 2002 addresses on the 6TO4 Adapter, one for each public IPv4 address.

So, that is the story. Any help anyone could provide would be greatly appreciated!!! Even if you just know of a situation where you could ping, but not browse, please let me know. I do not even know what I should be looking for. I am very grateful for any help anyone can provide. I would also be more than happy to provide more information that would be helpful.

Thank you,
Ben Berding

Some names and addresses have been altered for security purposes. The altered part of the name or address is represented in BLUE and has been replaced with a letter to represent identical sequences in different names or addresses.
      Example – Original:

            contoso.com | contoso.net | fabrikam.com
            2001:DB8:1234:5678::/64 | 2001:DB8:1234:5678::5732 | 2001:DB8:ABCD:ABCD::55 | fe80:DB8:1234:ABCD::27
      Example – After Redaction:
            aaaaaaa.bbb | aaaaaaa.ccc | dddddddd.bbb
            2001:eee:ffff:gggg::/64 | 2001:eee:ffff:gggg::5732 | 2001:eee:hhhh:hhhh::55 | fe80:eee:ffff:hhhh::27
The ISATAP entries from the routing table have been removed, as they are not active.
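As an added example (not from the original post), here is a small Python parser for the route table layout shown above; it assumes the table is `netsh interface ipv6 show route` output and uses a constructed subset of the posted rows (with the same placeholder letters) as sample input. It reports which ::/0 entry wins by metric and which non-default prefixes are published, and therefore advertised to clients, per interface.

```python
import re
from dataclasses import dataclass

# Constructed sample in the same column layout as the route table in the post
# (assumed to be `netsh interface ipv6 show route` output; letters are redacted hex).
SAMPLE_ROUTES = """\
Publish Type    Met   Prefix                Idx  Gateway/Interface Name
------- ------- ----- --------------------- ---- ----------------------
Yes     Manual  256   ::/0                  17   2001:aaa:b:cc::1
Yes     Manual  1100  ::/0                  15   2002:hhhh:iiii::hhhh:iiii
No      Manual  256   ::1/128               1    Loopback Pseudo-Interface 1
No      Manual  8     2001::/32             18   Teredo Tunneling Pseudo-Interface
No      Manual  256   2001:aaa:b:cc::/64    17   IP6Tunnel
Yes     Manual  256   2001:aaa:jjjj::/64    13   Local Area Connection
Yes     Manual  1000  2002::/16             15   6TO4 Adapter
No      Manual  256   fd00::/64             13   Local Area Connection
Yes     Manual  256   fd00:0:0:rrrr::/64    16   IPHTTPSInterface
"""

@dataclass
class Route:
    publish: bool   # "Yes": the route is included in Router Advertisements on that interface
    rtype: str
    metric: int     # lower metric wins between routes for the same prefix
    prefix: str
    ifindex: int
    gateway: str    # next-hop address, or the interface name for on-link routes

def parse_routes(text: str) -> list[Route]:
    """Parse the Publish/Type/Met/Prefix/Idx/Gateway table into Route records."""
    routes = []
    for line in text.splitlines():
        # First five columns contain no spaces; the last (gateway or name) may.
        parts = re.split(r"\s+", line.strip(), maxsplit=5)
        if len(parts) != 6 or parts[0] not in ("Yes", "No"):
            continue  # header, separator rule or blank line
        pub, rtype, met, prefix, idx, gw = parts
        routes.append(Route(pub == "Yes", rtype, int(met), prefix, int(idx), gw))
    return routes

def default_routes(routes: list[Route]) -> list[Route]:
    """Every ::/0 entry, preferred (lowest metric) first."""
    return sorted((r for r in routes if r.prefix == "::/0"), key=lambda r: r.metric)

def advertised_prefixes(routes: list[Route]) -> dict[int, list[str]]:
    """Published non-default prefixes per interface index: what clients see in RAs."""
    out: dict[int, list[str]] = {}
    for r in routes:
        if r.publish and r.prefix != "::/0":
            out.setdefault(r.ifindex, []).append(r.prefix)
    return out
```

With the sample above, the tunnel's default route (metric 256 via 2001:aaa:b:cc::1) is preferred over the 6to4 one (metric 1100), and only the LAN, 6to4 and IP-HTTPS prefixes are published.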

cholzhauer

Just to make sure I'm understanding you correctly: you're doing address allocation with DHCP now? The default gateway is normally a fe80 address, that's why I'm wondering.

benberding

This may sound crazy, but both. I have DHCPv6 allocating the Unique Local Addresses, and I have RAs for the global addresses. I have since discovered that they could both be sent out from the DHCPv6, but I do not think this is causing a problem.

I thought my gateway address was a fe80 address. On the tunnel, I have the gateway set as the server address for HE's tunnel server. It was my understanding that this is correct. A fe80 address is advertised to all of the clients and points to the gateway server.

Thank you for taking the time to think about this; I appreciate any help I can get at this point. I did want to point out that I am using the routed /48 instead of the /64. Do you think that could be a problem?

cholzhauer

As long as you're using /64s out of your /48, you should be fine. You may want to email ipv6@he.net and ask them to make sure your /48 is being routed correctly though (and make sure you're routing it correctly on your end... you don't need to manually route your routed /64 because it's "on link", but you will need a route for your /48).

benberding

Well, I changed it to the /64 and it did not seem to change; still the same behavior. I called HE before I posted on this forum, and asked them to check. The guy said it should be fine and did not need checking. I am not sure if he ever checked it or not. Is it different emailing them?

The first time I set up the tunnel, I spent 3 days trying to get it to work; it never did. I finally read someone's blog who said his did not work at first either, so he deleted it and made a new one. Therefore, that is what I did, and it worked right away! Now I am just stuck with this one that half works. I am not sure if I should make another or not. I have become a little burned out on this problem, but I have to get it to work.