Setup Hurricane Electric tunnel on Zyxel USG XX?

jea101 · August 05, 2012, 03:09:27 PM

My USG 50 arrived Thursday and I have a working IPv4 setup. Since it supports IPv6 in IPv4 I would like to use it to manage a Hurricane Electric IPv6 tunnel. Are there instructions somewhere on how to do this for a USG XX? I have the HE end setup. However, the example in the USG manual is for a point to point tunnel between two Zywalls.

cholzhauer · August 05, 2012, 03:40:44 PM

I would think its the same basic idea. What options are they looking for?

jea101 · August 06, 2012, 08:00:18 AM

After going through the setup again I found that the USG LAN IP needs to be 2001:470:1f0e:1134::2/64 instead of /128. I also had to add a firewall rule to allow IP6to 4 (protocol 41) and manually configure the HE IPv6 DNS server. The windows 7 PCs now have valid IPv6 addresses in the same /64

However, if I do a tracert to google.com the name is resolved to an IPv6 address which implies that DNS is working but the trace times out. I don't see anything being blocked by the firewall so I don't know why tracert isn't working.

C:\Users\janderso>tracert google.com

Tracing route to google.com [2001:4860:800a::71]
over a maximum of 30 hops:

1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 ^C
C:\Users\janderso>

cholzhauer · August 06, 2012, 08:22:29 AM

Let's see your routing table

jea101 · August 06, 2012, 08:33:14 AM

Code Select


Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\janderso>route print
===========================================================================
Interface List
 16...4c eb 42 40 d5 0d ......Intel(R) Centrino(R) Wireless-N 1030
  1...........................Software Loopback Interface 1
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 18...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.30.30.1    172.30.30.211    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      172.30.30.0    255.255.255.0         On-link     172.30.30.211    276
    172.30.30.211  255.255.255.255         On-link     172.30.30.211    276
    172.30.30.255  255.255.255.255         On-link     172.30.30.211    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     172.30.30.211    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     172.30.30.211    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    172.24.80.161  Default
          0.0.0.0          0.0.0.0      172.30.30.1  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 16    281 ::/0                     fe80::ca6c:87ff:fe36:f82e
  1    306 ::1/128                  On-link
 18     58 2001::/32                On-link
 18    306 2001:0:9d38:953c:30b8:503:9e9f:fcd3/128
                                    On-link
 16     33 2001:470:1f0e:1134::/64  On-link
 16    281 2001:470:1f0e:1134:449e:56a8:92c1:caa0/128
                                    On-link
 16    281 2001:470:1f0e:1134:a09e:8e1d:2703:62e7/128
                                    On-link
 16    281 fe80::/64                On-link
 18    306 fe80::/64                On-link
 18    306 fe80::30b8:503:9e9f:fcd3/128
                                    On-link
 16    281 fe80::a09e:8e1d:2703:62e7/128
                                    On-link
  1    306 ff00::/8                 On-link
 18    306 ff00::/8                 On-link
 16    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\Users\janderso>

cholzhauer · August 06, 2012, 08:38:41 AM

So fe80::ca6c:87ff:fe36:f82e is the address of your Zyxel?

Is there an option on the Zyxel where you tell it to route ipv6 traffic?

jea101 · August 06, 2012, 08:53:05 AM

That is the link local address of the router. There is a policy route that tells it to route IPv6 from the LAN2 interface to the tunnel. Note from my second post that the PC is able to access the DNS server via the tunnel and resolve google.com.

jea101 · August 06, 2012, 09:35:29 AM

I was using the client /64 for the LAN subnet instead of the routed /64. Here is the new route print.

Code Select



Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\janderso>route print
===========================================================================
Interface List
 16...4c eb 42 40 d5 0d ......Intel(R) Centrino(R) Wireless-N 1030
  1...........................Software Loopback Interface 1
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 18...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.30.30.1    172.30.30.211    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      172.30.30.0    255.255.255.0         On-link     172.30.30.211    276
    172.30.30.211  255.255.255.255         On-link     172.30.30.211    276
    172.30.30.255  255.255.255.255         On-link     172.30.30.211    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     172.30.30.211    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     172.30.30.211    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    172.24.80.161  Default
          0.0.0.0          0.0.0.0      172.30.30.1  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 16    281 ::/0                     fe80::ca6c:87ff:fe36:f82e
  1    306 ::1/128                  On-link
 18     58 2001::/32                On-link
 18    306 2001:0:9d38:953c:3c10:f8e:53e1:e12c/128
                                    On-link
 16     33 2001:470:1f0f:1134::/64  On-link
 16    281 2001:470:1f0f:1134:6946:1dcf:a269:da1c/128
                                    On-link
 16    281 2001:470:1f0f:1134:a09e:8e1d:2703:62e7/128
                                    On-link
 16    281 fe80::/64                On-link
 18    306 fe80::/64                On-link
 18    306 fe80::3c10:f8e:53e1:e12c/128
                                    On-link
 16    281 fe80::a09e:8e1d:2703:62e7/128
                                    On-link
  1    306 ff00::/8                 On-link
 18    306 ff00::/8                 On-link
 16    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\Users\janderso>

jea101 · August 06, 2012, 10:56:53 AM

After I fixed the subnet problem I can ping google.com. However tracert still fails. Should tracert work through the tunnel?

Code Select



C:\Users\janderso>ping google.com

Pinging google.com [2001:4860:4002:801::1004] with 32 bytes of data:
Reply from 2001:4860:4002:801::1004: time=91ms
Reply from 2001:4860:4002:801::1004: time=89ms
Reply from 2001:4860:4002:801::1004: time=87ms
Reply from 2001:4860:4002:801::1004: time=85ms

Ping statistics for 2001:4860:4002:801::1004:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 85ms, Maximum = 91ms, Average = 88ms

C:\Users\janderso>tracert google.com

Tracing route to google.com [2001:4860:4002:801::1004]
over a maximum of 30 hops:

  1    27 ms     2 ms     3 ms  2001:470:1f0f:1134::1
  2     *        *        *     Request timed out.
  3  ^C
C:\Users\janderso>nslookup google.com
Server:  ordns.he.net
Address:  2001:470:20::2

Non-authoritative answer:
Name:    google.com
Addresses:  2001:4860:4002:801::1004
          74.125.227.32
          74.125.227.38
          74.125.227.34
          74.125.227.33
          74.125.227.46
          74.125.227.36
          74.125.227.37
          74.125.227.40
          74.125.227.35
          74.125.227.41
          74.125.227.39


C:\Users\janderso>

cholzhauer · August 06, 2012, 11:16:58 AM

Yes, traceroute should work

jea101 · August 07, 2012, 07:03:08 AM

It appears that the USG 50 has a problem with IPv6 tracert. I let the trace run to completion and it actually got to google.com on hop number 12. The first line in my trace is the USG routed /64 IPv6 address. For a test I turned the firewall off and restarted the USG to be sure it was actually off. Firewall on or off I get request timed out for all but the first and last hops.

Code Select

 
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\janderso>tracert -d google.com

Tracing route to google.com [2001:4860:4002:801::1005]
over a maximum of 30 hops:

  1     2 ms     2 ms     3 ms  2001:470:1f0f:1134::1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12    96 ms    78 ms    78 ms  2001:4860:4002:801::1005

Trace complete.

C:\Users\janderso>

dtalwar · August 12, 2012, 11:31:55 AM

My setup is exactly the same as the OP, with the same issue and the same symptoms. Ping works but not tracert. I suspect some configuration tweak is necessary on the USG but even after spending a good few hours, I haven't been able to figure it out.

News:

Setup Hurricane Electric tunnel on Zyxel USG XX?