Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: why it just doesn't work?  (Read 5306 times)

zhmhua

  • Newbie
  • *
  • Posts: 5
why it just doesn't work?
« on: September 26, 2012, 07:16:01 PM »

My system is CentOS 6.2.

Firstly, I enabled ICMP and put my host in the DMZ (my router does not have a place to specify protocol 41).

I created my tunnel and followed the instruction:

Code: [Select]
me$ sudo ip tunnel add he-ipv6 mode sit remote 216.218.224.42 local 192.168.2.5 ttl 255
me$ sudo ip link set he-ipv6 up
me$ sudo ip addr add 2001:470:1f0e:1113::2/64 dev he-ipv6
me$ sudo ip route add ::/0 dev he-ipv6

and this is my ifconfig result:
Code: [Select]
he-ipv6   Link encap:IPv6-in-IPv4  
          inet6 addr: fe80::c0a8:205/128 Scope:Link
          inet6 addr: 2001:470:1f0e:1113::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1472  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3370 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:345224 (337.1 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:138 errors:0 dropped:0 overruns:0 frame:0
          TX packets:138 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13220 (12.9 KiB)  TX bytes:13220 (12.9 KiB)

wlan0     Link encap:Ethernet  HWaddr 00:1B:77:27:F7:9D  
          inet addr:192.168.2.5  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:77ff:fe27:f79d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
          RX packets:143822 errors:0 dropped:0 overruns:0 frame:0
          TX packets:99503 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:143461793 (136.8 MiB)  TX bytes:11951462 (11.3 MiB)

everything seems ok till now, but...

Code: [Select]
me$ ping6 ipv6.google.com
PING ipv6.google.com(yx-in-x67.1e100.net) 56 data bytes

here is the tcpdump record when I was trying to ping6 google
Code: [Select]
me# tcpdump -i he-ipv6
tcpdump: WARNING: he-ipv6: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on he-ipv6, link-type RAW (Raw IP), capture size 65535 bytes
17:36:40.835081 IP6 zhmhua-1-pt.tunnel.tserv8.dal1.ipv6.he.net > yx-in-x68.1e100.net: ICMP6, echo request, seq 1, length 64
17:36:41.834629 IP6 zhmhua-1-pt.tunnel.tserv8.dal1.ipv6.he.net > yx-in-x68.1e100.net: ICMP6, echo request, seq 2, length 64
17:36:42.834605 IP6 zhmhua-1-pt.tunnel.tserv8.dal1.ipv6.he.net > yx-in-x68.1e100.net: ICMP6, echo request, seq 3, length 64
(repeat...)

I think the address was resolved successfully, but it is just not able to ping.
I have tried both the outside IP and the NAT IP; it made no difference.

Can you figure out what's wrong with my operation? or need I present more diagnostic information?
« Last Edit: September 27, 2012, 02:41:31 PM by zhmhua »

cholzhauer

  • Hero Member
  • *****
  • Posts: 2714
Re: why it just doesn't work?
« Reply #1 on: September 26, 2012, 07:35:43 PM »

Your router is probably blocking protocol 41

zhmhua

  • Newbie
  • *
  • Posts: 5
Re: why it just doesn't work?
« Reply #2 on: September 27, 2012, 10:18:41 AM »

But I have put my host in the DMZ.


cholzhauer

  • Hero Member
  • *****
  • Posts: 2714
Re: why it just doesn't work?
« Reply #3 on: September 27, 2012, 10:21:44 AM »

That doesn't matter.  Some routers/firewalls have a DMZ mode that's "broken" when it comes to protocol 41.  The only thing you can do is try a packet capture and see what you can see.

zhmhua

  • Newbie
  • *
  • Posts: 5
Re: why it just doesn't work?
« Reply #4 on: September 27, 2012, 02:48:30 PM »

I have updated the packet capture result from tcpdump, can you help me to see what the problem is?


broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1722
Re: why it just doesn't work?
« Reply #5 on: September 27, 2012, 02:56:45 PM »

If you don't see inbound Protocol 41 packets in your PCAP, that is the problem :)

zhmhua

  • Newbie
  • *
  • Posts: 5
Re: why it just doesn't work?
« Reply #6 on: September 27, 2012, 03:01:28 PM »

Then can I have it solved?

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1722
Re: why it just doesn't work?
« Reply #7 on: September 27, 2012, 03:03:01 PM »

Get a new router. Plenty of posts on here to find in a search that report routers that the tunnel can terminate on or behind. I terminated my HE tunnel on a D-Link DIR-825 until Comcast provided me with native IPv6.
« Last Edit: September 27, 2012, 03:04:49 PM by broquea »

nickbeee

  • tunneld
  • Jr. Member
  • **
  • Posts: 72
  • I do this just for fun.
Re: why it just doesn't work?
« Reply #8 on: September 29, 2012, 04:19:39 PM »

Zhmhua, please tell us what your router is that is doing the NAT. Even though you are in a DMZ you are still behind NAT and some NAT firewalls explicitly block protocol 41. So do some Wireless LAN controllers.

Is it a real PC or is it running in a virtual machine?

Take a tcpdump of the ipv4 interface that the tunnel terminates on which appears to be wlan0. That's where the protocol-41 should be, not on the tunnel (ipv6) interface.
Code: [Select]
tcpdump -i wlan0
will probably be quite busy so you will need to filter it...
Code: [Select]
tcpdump -i wlan0 'proto 41'
will show only tunnel traffic.

If your interface complains about promiscuous mode because it's a wlan then try
Code: [Select]
tcpdump -p -i wlan0 'proto 41'
We are expecting to see outbound protocol-41 here.

« Last Edit: September 29, 2012, 04:23:48 PM by nickbeee »
Nick B.

Tunnelling with [Open|Net|Free]BSD and IOS.
IPv6 courtesy of   HE and   Sixxs.
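
An added example, not part of the original posts: a shell helper that counts 6in4 packets per direction in the text output of the filtered capture suggested above, run with tcpdump's `-n` flag so addresses stay numeric. In that output a protocol 41 packet appears as an `IP ... IP6 ...` line rather than with the words "proto 41". The function name `proto41_summary` is hypothetical, and the sample lines are constructed from the tunnel endpoints given in the first post.

```shell
#!/bin/sh
# Added example, not from the thread. proto41_summary is a hypothetical name.
# Counts 6in4 (IP protocol 41) packets per direction in the text output of
#   tcpdump -n -p -i wlan0 'proto 41'
# usage: proto41_summary LOCAL_IPV4 REMOTE_IPV4 < tcpdump_output
proto41_summary() {
    awk -v l="$1" -v r="$2" '
        # With -n a 6in4 packet prints as "<time> IP <src> > <dst>: IP6 ..."
        $2 == "IP" && $4 == ">" && $6 == "IP6" {
            dst = $5
            sub(/:$/, "", dst)              # drop the trailing colon
            if ($3 == l && dst == r)      out++
            else if ($3 == r && dst == l) inn++
        }
        END {
            if (out > 0 && inn > 0)  verdict = "two-way"
            else if (out > 0)        verdict = "outbound-only"
            else if (inn > 0)        verdict = "inbound-only"
            else                     verdict = "no-proto41"
            printf "out=%d in=%d %s\n", out, inn, verdict
        }'
}

# Constructed sample capture: local 192.168.2.5 and tunnel server
# 216.218.224.42 are the endpoints from the first post; the inner IPv6
# destination is a documentation address.
sample_capture() {
    cat <<'EOF'
17:36:40.835081 IP 192.168.2.5 > 216.218.224.42: IP6 2001:470:1f0e:1113::2 > 2001:db8::68: ICMP6, echo request, seq 1, length 64
17:36:41.834629 IP 192.168.2.5 > 216.218.224.42: IP6 2001:470:1f0e:1113::2 > 2001:db8::68: ICMP6, echo request, seq 2, length 64
17:36:42.834605 IP 192.168.2.5 > 216.218.224.42: IP6 2001:470:1f0e:1113::2 > 2001:db8::68: ICMP6, echo request, seq 3, length 64
EOF
}

# Echo requests leave the host but no replies come back from the server.
sample_capture | proto41_summary 192.168.2.5 216.218.224.42
```

An `outbound-only` result is the case broquea describes in reply #5: no inbound protocol 41 is reaching the host, so the drop is happening upstream of it.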

zhmhua

  • Newbie
  • *
  • Posts: 5
Re: why it just doesn't work?
« Reply #9 on: October 09, 2012, 05:10:50 PM »

I am sorry for the delay.
I am running on a real machine, and my router's brand is BELKIN. I don't fully understand what you mean by "is doing the NAT", but I have tried all the commands you suggested, and no keyword 'proto 41' was found.

It's very kind of you, thank you.
