
IPv6-enabled websites unreachable over IPv6 tunnel; default gateway reachable

Started by jcap, April 28, 2013, 12:07:26 PM

jcap

Hi guys, for the past day I've been trying to set up an IPv6 tunnel between my Windows 7 desktop and HE.  I went through the process of creating an account and running the configuration commands provided, but my tunnel appears to be only half-working.

My desktop is behind a router, so I replaced my public IPv4 address with the NAT'd IP address of my desktop.
netsh interface teredo set state disabled
netsh interface ipv6 add v6v4tunnel IP6Tunnel 172.20.0.10 216.66.22.2
netsh interface ipv6 add address IP6Tunnel 2001:470:7:16d::2
netsh interface ipv6 add route ::/0 IP6Tunnel 2001:470:7:16d::1


All of the commands are successfully executed.  Below is the output of ipconfig:
Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::c401:d429:7422:8b6d%10
   IPv4 Address. . . . . . . . . . . : 172.20.0.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.20.0.1

Tunnel adapter isatap.{DDEB9578-95AE-4C01-A433-299848103B06}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter IP6Tunnel:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:470:7:16d::2
   Link-local IPv6 Address . . . . . : fe80::cc04:8dc3:173f:6434%19
   Default Gateway . . . . . . . . . : 2001:470:7:16d::1


Unfortunately, I am not able to ping IPv6-enabled websites:
Pinging ipv6.l.google.com [2607:f8b0:400c:c04::93] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.


A tracert to ipv6.google.com times out at the first hop and all subsequent hops.
Tracing route to ipv6.l.google.com [2607:f8b0:400c:c04::67]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.


My initial guess would be that the tunnel was not established, or that my router was blocking protocol 41.  In my research this seemed to be the most common cause for people unable to ping an IPv6-enabled website.
However, I am able to successfully ping the default gateway (2001:470:7:16d::1), which I assume reflects that the tunnel is established.
Pinging 2001:470:7:16d::1 with 32 bytes of data:
Reply from 2001:470:7:16d::1: time=30ms
Reply from 2001:470:7:16d::1: time=28ms
Reply from 2001:470:7:16d::1: time=27ms
Reply from 2001:470:7:16d::1: time=26ms


What is the problem here? :-/

kasperd

I don't see any obvious problem in your configuration. The NAT not passing protocol 41 would also have been my first guess at a problem. But I agree that when you can ping the tunnel server, that doesn't sound like the problem after all.

I think we are going to need some more information to figure out what could possibly be going wrong here. I think it would be useful to install Wireshark on that machine and take a look at what packets are really being passed between the computer and the router.

cholzhauer


kasperd

Quote from: cholzhauer on April 29, 2013, 04:45:30 AM
Try adding an address from your routed /64 to your LAN interface

You are suspecting Windows uses a link local address from the LAN interface for the communication rather than the global address on the tunnel interface? I believe that would be a violation of two of the rules for address selection specified in RFCs.

Broken implementations exist, so it is worth trying to add a global address to the LAN interface to see if that helps.
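
The address-selection point in the post above, worked through as an added example that is not part of the thread: a Python implementation of source address selection rules 1, 2 and 5 from RFC 6724, run over the addresses in jcap's ipconfig output. The thread does not say which two rules are meant, so choosing rule 2 (appropriate scope) and rule 5 (outgoing interface) is an assumption; the other RFC rules are left out, and only unicast addresses are handled.

```python
import ipaddress
from functools import cmp_to_key

# Unicast scope values: link-local = 0x2, global = 0xE.
LINK_LOCAL, GLOBAL = 0x2, 0xE

def scope(addr):
    """Scope of a unicast IPv6 address (fe80::/10 and ::1 count as link-local)."""
    ip = ipaddress.IPv6Address(addr)
    return LINK_LOCAL if ip.is_link_local or ip.is_loopback else GLOBAL

def select_source(dest, out_iface, candidates):
    """Choose a source address for dest from (address, interface) pairs.

    Applies RFC 6724 rules 1, 2 and 5 only (assumption: these are the rules
    relevant to the thread). out_iface is the interface the route to dest uses.
    """
    d, d_scope = ipaddress.IPv6Address(dest), scope(dest)

    def compare(a, b):  # negative result means a is preferred over b
        (sa, ia), (sb, ib) = a, b
        # Rule 1: prefer a source equal to the destination.
        a_same, b_same = ipaddress.IPv6Address(sa) == d, ipaddress.IPv6Address(sb) == d
        if a_same != b_same:
            return -1 if a_same else 1
        # Rule 2: prefer appropriate scope.
        s_a, s_b = scope(sa), scope(sb)
        if s_a < s_b:
            return 1 if s_a < d_scope else -1
        if s_b < s_a:
            return -1 if s_b < d_scope else 1
        # Rule 5: prefer an address assigned to the outgoing interface.
        if (ia == out_iface) != (ib == out_iface):
            return -1 if ia == out_iface else 1
        return 0

    return min(candidates, key=cmp_to_key(compare))[0]

# Addresses taken from the ipconfig output quoted in the thread.
THREAD_ADDRS = [
    ("fe80::c401:d429:7422:8b6d", "Local Area Connection"),
    ("2001:470:7:16d::2", "IP6Tunnel"),
    ("fe80::cc04:8dc3:173f:6434", "IP6Tunnel"),
]

if __name__ == "__main__":
    # The ::/0 route in the thread points at IP6Tunnel, so that is the outgoing interface.
    print(select_source("2607:f8b0:400c:c04::93", "IP6Tunnel", THREAD_ADDRS))
```

A conforming stack therefore sources traffic to the Google address from 2001:470:7:16d::2; a capture showing an fe80:: source inside the protocol 41 packets would point to the broken behaviour discussed above.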

cholzhauer

I've seen it before, but I think it was on an older version of Windows.  (I guess I'm just grasping at straws)

In any event, if the OP wants to use Windows to route for other hosts, he'll need the address anyway.