• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

New tunnel: ICMP blocked - P41 seems fine.

Started by servowire, March 05, 2013, 01:45:06 AM

Previous topic - Next topic

servowire

Hi,

After many days of fiddling around and searching i've become so desperate as to create a topic.

Case: When trying to create a tunnel I get the error:
QuoteIP is not ICMP pingable. Please make sure ICMP is not blocked. If you are blocking ICMP, please allow 66.220.2.74 through your firewall.
This is because my ISP does not allow me to change the ICMP inbound settings on my router. So no ICMPv4 for me.
When running other 6to4 6in4 type of appliances I am able to use them, so IP Protocol41 seems to be relayed.

My problem is: The ICMP pre-check prevents me from creating a tunnel, that, imho would work fine.

Is there any way around this?

Thanks,
Jeroen

cholzhauer


lucifer1111

i met same problem....

my isp blocked the ping from 66.220.2.74

i am from China....

servowire

My modem (called experiabox by Dutch provider KPN) blocks ICMPv4. Period (ISP confirmed).

So I installed a Cisco: My TV stops working (powered by the experiabox special VPN or something) - BUT

HE ipv6 tunnel works! -

Back to the Experiabox (so no ping) - no tunnel is build any more.

ICMP really seems needed to get the tunnel working by HE.

Bummer, really :( - Now i have to use Teredo to get ipv6

broquea

#4
If you got your HE tunnel to work, that means your Cisco responded to ICMP. The IPv4 endpoint only has to respond to ICMP at the time of creation, not forever. So if you got the tunnel working, swapped out the Cisco for original CPE, and the tunnel stops working, that sounds more like Protocol 41 is getting blocked by that device. If the CPE/modem was actually configuring 6to4 on itself and handing out RAs to the LAN, then that isn't Protocol 41 being passed behind it to hosts. At that point it is treated like native IPv6 on the LAN portion.

So to recap in order of steps tried:

1) existing CPE/modem filters ICMP, can't create tunnel
2) replace CPE/modem with Cisco, ICMP works and tunnel gets created and works
3) put back in old CPE/modem, and tunnel stops working

Unless you deleted your tunnel after getting it working with the Cisco, it should still be configured on HE's side. If this is the case then definitely that CPE/modem does more than filter ICMP, it filters Protocol 41 tunnels to hosts behind it. You'll definitely need to use UDP based tunnels if you have to use that CPE/modem. Options at that point are Teredo, GOGO6, Sixxs.

cholzhauer

Quote
You'll definitely need to use UDP based tunnels if you have to use that CPE/modem. Options at that point are Teredo, GOGO6, Sixxs.

All of which aren't your first choice, but at this point, he's right, it's all your left with.

servowire

#6
Everybody and broquea. Thanks for your help!.

Yes broquea that is exacly what happened. So P41 gets filtered. Too bad.

Does Hurricane have UDP Teredo service? I am willing to pay for a good one!

-SixX did not accept my application (they said my name was fake, well, it's a bit odd but not fake!)
-Microsoft Teredo gateway is slow (800ms+ ping)
-GOGo six is weird and requires software. Also sets DNS; I don't want that.

Wasted 10 hours on this :( really sad.

kasperd

This question keeps coming up. The restriction seems to serve no purpose whatsoever. It is a fact that there will be both false positives and false negatives. I know of no reason to even think there is a correlation between the IPv4 address you specify being the correct address, and the address responding to ICMP echo request.

Other 6in4 providers such as Netassist does not have such restriction.

Quote from: servowire on March 05, 2013, 11:39:50 AMDoes Hurricane have UDP Teredo service? I am willing to pay for a good one!
The Teredo relays servicing the tunnelbroker.net service are not very reliable.

Even if you are willing to pay for good Teredo relays, that won't help you. Because you need IPv6 access first. Besides you get the best Teredo relay by running your own. Once you have IPv6 access all you need in order to run a Teredo relay is a public IPv4 address.

If you are willing to pay, there are plenty of options for you to get IPv6. I recommend you consider the following three options (in this order):

  • Find a better ISP which will give you a public IPv4 address which you have actual control over along with native IPv6.
  • Send an email to HE asking how much it costs to get your account exempt from the ICMP echo request requirement.
  • Rent a dual stack VPS and set up your own personal tunnel server. You need one where you can get a routed prefix, which is /63 or shorter.

Quote from: servowire on March 05, 2013, 11:39:50 AMSixX did not accept my application (they said my name was fake, well, it's a bit odd but not fake!)
Welcome in the club. They reject tons of people based on nothing. In my case they started out saying something about not liking my mailserver. So I created a new email address on a different server asking them to use that instead, only to be told I am not allowed to use a secondary email address when signing up, you must use your primary address.

Quote from: servowire on March 05, 2013, 11:39:50 AMMicrosoft Teredo gateway is slow (800ms+ ping)
To the best of my knowledge, Microsoft don't run any Teredo relays. I just pinged www.bing.com over Teredo, the Teredo relay which Microsoft is using for that is 216.66.84.182. In other words instead of running their own, they use Hurricane Electric for Teredo service.

Microsoft do run a pool of Teredo servers, which Windows machines will use by default. But the Teredo servers are not nearly as critical to the performance as the Teredo relays. There are other Teredo servers available, but I don't think it will make much of a difference. Also the Teredo client in Windows is very picky. So there is no guarantee all the available Teredo servers can be used from Windows. If you are using an operating system like Linux, then Miredo is a nice client. It is very forgiving and can work with just about any Teredo server.