• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Client Side Tunnel IPV6 Address

Started by bimmerdriver, April 01, 2013, 09:21:44 AM

Previous topic - Next topic

bimmerdriver

I just updated the software on my router and now if I use what is my ipv6 address (or name your favorite website for checking your up address), it shows the client side tunnel address, not the address allocated out of my subnet. This makes no sense and I think it's a bug. Would someone please comment on this? Is there any valid reason for this to be a "feature" or is it a bug?

kasperd

#1
It sounds like the router started doing NAT66. I don't know of any standard for NAT66, and enabling it by default would be a bug. It could also indicate a transparent proxy is running on the router, not something that should be enabled by default either. A transparent proxy would typically only apply to HTTP, so you'd see different behaviour when using other protocols.

You can for example use telnet ipv6.test-ipv6.com 79 to find your IPv6 address using the finger protocol. That will tell us, if it happens only on HTTP or on other protocols as well.

To give any more detailed answers, we'll need to see some packet dumps from both sides of the router.

bimmerdriver

Quote from: kasperd on April 01, 2013, 10:07:23 AM
It sounds like the router started doing NAT66. I don't know of any standard for NAT66, and enabling it by default would be a bug. It could also indicate a transparent proxy is running on the router, not something that should be enabled by default either. A transparent proxy would typically only apply to HTTP, so you'd see different behaviour when using other protocols.

You can for example use telnet ipv6.test-ipv6.com 79 to find your IPv6 address using the finger protocol. That will tell us, if it happens only on HTTP or on other protocols as well.

To give any more detailed answers, we'll need to see some packet dumps from both sides of the router.
I used putty to try connecting. It reported that the connection was made from the client side tunnel address, so same thing as http. There are no settings in the router about NAT66, at least none that I can find.

bimmerdriver

Quote from: kasperd on April 01, 2013, 10:07:23 AM
It sounds like the router started doing NAT66. I don't know of any standard for NAT66, and enabling it by default would be a bug. It could also indicate a transparent proxy is running on the router, not something that should be enabled by default either. A transparent proxy would typically only apply to HTTP, so you'd see different behaviour when using other protocols.

You can for example use telnet ipv6.test-ipv6.com 79 to find your IPv6 address using the finger protocol. That will tell us, if it happens only on HTTP or on other protocols as well.

To give any more detailed answers, we'll need to see some packet dumps from both sides of the router.
BTW, thanks for the prompt reply to my question. You confirmed what I thought, which is that this is a bug, not a feature. Someone over on the utm forum is trying to convince me that this is a feature.

kasperd

Quote from: bimmerdriver on April 01, 2013, 10:42:08 AMSomeone over on the utm forum is trying to convince me that this is a feature.
Stockholm syndrome.

bimmerdriver

Quote from: kasperd on April 01, 2013, 11:51:47 AM
Quote from: bimmerdriver on April 01, 2013, 10:42:08 AMSomeone over on the utm forum is trying to convince me that this is a feature.
Stockholm syndrome.
Thanks. That really made me laugh!

arader

I had the same issue a while back (http://www.tunnelbroker.net/forums/index.php?topic=2702.0) and mine ended up being NAT66. I use an OpenBSD router and had an old config that didn't specify inet only when doing NAT, so it happily applied NAT rules to both IPv4 and IPv6 traffic.

Once I fixed the config, external sites happily report my machine's IP.