• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Tunnel will not come up after being disconnected for 1-2 weeks

Started by mollien, September 02, 2013, 05:26:18 PM

Previous topic - Next topic

mollien

Hi all,

I have been looking all over the place but cannot find an answer that works. I have been happily using my IPv6 tunnel for the past 5 years (tunnel was created on September 1st, 2008) until about two weeks ago.

I removed the MAC spoofing setting from my m0n0wall router that was needed for a previous provider. As an unintended result, the m0n0wall got passed a regular DHCP address by the UVerse modem (which did not 'recognize' my device anymore), resulting in NAT behind NAT. This will obviously cause issues with endpoint termination for VPN, VoIP and IPv6. :-)

Today, I reverted the setting (put back the spoofed MAC address) and my m0n0wall once again received the public IP. Everything is back up and running, except for the IPv6 tunnel.

All devices got rebooted, Tunnelbroker can ICMP-ping my endpoint, no further changes have been made to the IPv6 configuration. Internal to my network, IPv6 works - I can ping, traceroute and hit various services on my servers over IPv6. I can ping the client side of the tunnel (the IPv6 WAN side of my m0n0wall), but cannot ping the server side of the tunnel.

In short: I cannot get out on IPv6, and the outside cannot see me on IPv6. Seems like a clear issue with the tunnel itself, right?

My m0n0wall tells me that the POINTOPOINT tunnel is 'UP':

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
   tunnel inet <PUBLIC IPv4 ADDRESS> --> 209.51.161.58
   inet6 fe80::20d:b9ff:fe17:c0%gif0 prefixlen 64 scopeid 0x1a
   inet6 <IPv6 CLIENT ADDRESS PROVIDED BY HE> prefixlen 64

I am at a loss on how to troubleshoot this further. I read somewhere that HE.net might disable tunnels that are idle for some time. Is that correct and if so, could that be the problem? How do I fix that?

Thanks,

Cas


kcochran

We don't disable tunnels for lack of use, they get removed.  If the tunnel shows up on the website, it's configured on the tunnel server.

As to U-verse, the type of setting that I know worked for me, is getting the RG into what they call "router behind router" mode.  At that point the RG acts like a bridge for the internet side of things, and almost completely gets out of the way of layer3 traffic (traceroutes don't work outbound, but meh).  I then setup an Airport Extreme as the tunnel anchor, and things worked from there.  The main fun part is getting the RG into that mode, but it's the most transparent mode it seems to have.

mindlesstux

I am gonna ask a silly question,

Which Uverse modem & firmware do you have?  I can point to several threads where the latest firmware att pushed out to 3801's basically breaks the tunnel.

kcochran

Yeah, mine's just the 3800-B.  No easy way to get into it to check the firmware without rewiring to directly connect in, which I can't easily do at the moment, since that'd drop all my open connections.

mindlesstux

kcochran,

If you wanted, I would trust you, I could set you up an account on my router & raspberry pi to bounce through to mess with an updated 3801.  Granted, a couple of posts indicate that it is indeed a firmware problem.  2wire/pace is working on it, eta on a fix, is about as useful as trying to guess the outcome of 1000 d6 rolls.

mollien

I have the 3801HGV, firmware revision 6.9.1.42-enh.tm

I think I also found the setting that does router-behind-router detection, but cannot submit it since the password is on the device itself.. :-) Will do that tonight when I get home.. (thanks for the heads-up)

Will post later on to see if my tunnel comes back..


mollien

Mhm.. I just got the password from the UVerse router and it will not let me change the setting without reconfiguring my network setup. Right now, my m0n0wall is set up as the DMZ host, which has always worked well... Reconfiguring my network is not really an option at this time....

The 'Upgrade Log' on the UVerse box shows that the initial software version is the same as the current version, with the exception of the '-enh.tm' part.

I have tried pointing the tunnel to a different endpoint IP and, once accepted, placing it back in the hopes that it would reset the tunnel, but no such luck.

Is there any other way to troubleshoot the tunnel from the HE.NET end, other than using the IPv6 portscan?

mindlesstux

Nothing wrong with HE.net, its the firmware on the "Modem."

Mine is at 6.9.1.42-enh.tm as well.  I saw the issue coming, and know the exact hour they updated my modem for me.  No way to revert it other than downgrading to the 3800.

I got around the problem by using a 3rd party VPN provider on my MikroTik router behind the "Modem."

In my troubleshooting I got att customer care to enable the IPv6 option for me in the modem, that did nothing other than give me access to ipv6 from att.  Not all to impressed by their offering right now.

mollien

Oh, that's horrible.. Another reason to move away from AT&T... Never had these issues with XFinity...

BTW: I was not implying a problem at the HE.NET end, but sometimes it helps to see some more info than ping alone to put you on the right track...

What exactly do you mean by '3rd party vpn'? An IPv4 VPN through which you tunnel your IPv6 traffic?

mindlesstux

Ah, I keep saying 3rd party, due to I use my work vpn, and when it existed the he.net vpn.

3rd party, meaning nothing I have any control over at all, something I went out and purchased.  (I had another need for having a remote IP elsewhere, this problem pushed the need)

I got around it by using my desktop at work to ping the tunnel, I could all the way to the ip on HE's end.  Then doing the reverse, could not get past my router.  The only thing that has changed in my home network was the application of the 3801's firmware update, and it broke things.

Yeah I am routing my v6 tunnel in a v4 pptp tunnel, not the ideal situation but it works for now.

techniq

This problem got me 2 days ago and now my he.net tunnel is down.  Any new ETA from 2wire?  This is really making me not miss my good 'ole cable modem which was truly a bridge.

mollien

I am going to stop banging my head up against the wall. I am switching back to Xfinity. On the line with them now.. :-)

kcochran

Looks like someone finally found the Golden Path through AT&T support.  I haven't tried this yet, but it looks like there's light at the end of the tunnel.  Or a train.

http://mailman.nanog.org/pipermail/nanog/2013-November/062304.html