Routing issues with HE tunnel

Started by cisws, January 25, 2014, 11:39:49 AM

cisws

I hope somebody can explain my issue: I have successfully set up a HE 6to4 tunnel from my Netgear WNR3500v2 router. But I cannot reach all of my servers on the Internet. I have three hosts:

MacDevelop (home):  inet6 2002:541c:c056:e472:62fb:42ff:fef2:437e/64
bup04 (at Transip):    inet6 addr: 2a01:7c8:aaaf:18e::1/48
mf01 (at Claranet):    inet6 addr: 2a02:830:1:8::67/64

I can connect from MacDevelop to bup04.
I can connect from bup04 to mf01
But I cannot connect from MacDevelop to mf01

On mf01 there are no firewall rules blocking icmp at mf01. I asked Claranet to check if they have a clue, but from their border router the route to HE is known:

c1-br1#show ipv6 route 2002:541c:c056:e472:2acf:e9ff:fe07:f33b
Routing entry for 2002::/16
  Known via "bgp 65012", distance 20, metric 1, type external
  Route count is 1/1, share count 0
  Routing paths:
    FE80::224:38FF:FEAA:6D80, TenGigabitEthernet4/8
      MPLS label: nolabel
      Last updated 4d19h ago


Some traceroutes:

MacDevelop:/ root# traceroute6 mf01.ipv6.cis-websolutions.nl
traceroute6 to mf01.ipv6.cis-websolutions.nl (2a02:830:1:8::67) from 2002:541c:c056:e472:62fb:42ff:fef2:437e, 64 hops max, 12 byte packets
1  2002:541c:c056:e472:c23f:eff:fe5b:f990  0.394 ms  0.405 ms  0.427 ms
2  * * *
3  * * *
4  * * *

MacDevelop:/ root# traceroute6 bup04.ipv6.cis-websolutions.nl
traceroute6 to bup04.ipv6.cis-websolutions.nl (2a01:7c8:aaaf:18e::1) from 2002:541c:c056:e472:62fb:42ff:fef2:437e, 64 hops max, 12 byte packets
1  2002:541c:c056:e472:c23f:eff:fe5b:f990  0.376 ms  0.285 ms  0.270 ms
2  * * *
3  * * *
4  * * *


[root@bup04 ~]# tracepath6 mf01.ipv6.cis-websolutions.nl
1?: [LOCALHOST]                      pmtu 1500
1:  v313.router1.dcg.transip.net               0.323ms asymm  2
1:  v313.router1.dcg.transip.net               0.231ms asymm  2
2:  30gigabitethernet1-3.core1.ams1.he.net     6.038ms
3:  gig2-2.tc1-br1.nl.clara.net                1.135ms
4:  2a02:830:0:1::e                            6.295ms
5:  2a02:830:0:1::1e                           6.916ms
6:  2a02:830:1:8::67                           6.698ms !A
     Resume: pmtu 1500

[rls@mf01 ~]$ traceroute6 2002:541c:c056:e472:62fb:42ff:fef2:437e  (MacDevelop)
traceroute to 2002:541c:c056:e472:62fb:42ff:fef2:437e (2002:541c:c056:e472:62fb:42ff:fef2:437e), 30 hops max, 80 byte packets
1  2a02:830:1:8::1 (2a02:830:1:8::1)  0.599 ms  0.567 ms  0.551 ms
2  2a02:830:0:1::1d (2a02:830:0:1::1d)  0.330 ms  0.260 ms  0.270 ms
3  2a02:830:0:1::d (2a02:830:0:1::d)  5.357 ms  5.263 ms  5.203 ms
4  30gigabitethernet1-3.core1.ams1.he.net (2001:7f8:1::a500:6939:1)  5.529 ms  5.499 ms  5.617 ms
5  6to4.ams1.he.net (2001:470:0:190::2)  5.535 ms  5.641 ms  5.460 ms
6  * * *
7  * * *
8  * * *
9  * * *
10  * * *
11  *^C

[root@bup04 ~]# tracepath6 2002:541c:c056:e472:62fb:42ff:fef2:437e  (MacDevelop)
1?: [LOCALHOST]                      pmtu 1500
1:  v313.router1.dcg.transip.net               0.677ms asymm  2
1:  v313.router1.dcg.transip.net               0.226ms asymm  2
2:  te-3-3.nl-ams3-br02.widexs.net             0.806ms
3:  te-1-1-913.nl-ams1-cr02.widexs.net        10.316ms
4:  ipv6-relay.widexs.nl                       1.073ms
5:  ipv6-relay.widexs.nl                       1.056ms pmtu 1280
5:  no reply
6:  no reply
7:  no reply
8:  no reply
9:  no reply
10:  no reply
11:  no reply


Some pings:

MacDevelop:/ root# ping6 bup04.ipv6.cis-websolutions.nl         
PING6(56=40+8+8 bytes) 2002:541c:c056:e472:62fb:42ff:fef2:437e --> 2a01:7c8:aaaf:18e::1
16 bytes from 2a01:7c8:aaaf:18e::1, icmp_seq=0 hlim=59 time=14.684 ms
16 bytes from 2a01:7c8:aaaf:18e::1, icmp_seq=1 hlim=59 time=37.042 ms
16 bytes from 2a01:7c8:aaaf:18e::1, icmp_seq=2 hlim=59 time=14.367 ms
16 bytes from 2a01:7c8:aaaf:18e::1, icmp_seq=3 hlim=59 time=24.601 ms
^C
--- bup04.ipv6.cis-websolutions.nl ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 14.367/22.674/37.042/9.260 ms



MacDevelop:/ root# ping6 mf01.ipv6.cis-websolutions.nl
PING6(56=40+8+8 bytes) 2002:541c:c056:e472:62fb:42ff:fef2:437e --> 2a02:830:1:8::67
^C
--- mf01.ipv6.cis-websolutions.nl ping6 statistics ---
13 packets transmitted, 0 packets received, 100.0% packet loss


[root@bup04 ~]# ping6 mf01.ipv6.cis-websolutions.nl
PING mf01.ipv6.cis-websolutions.nl(2a02:830:1:8::67) 56 data bytes
64 bytes from 2a02:830:1:8::67: icmp_seq=1 ttl=59 time=6.14 ms
64 bytes from 2a02:830:1:8::67: icmp_seq=2 ttl=59 time=6.18 ms
64 bytes from 2a02:830:1:8::67: icmp_seq=3 ttl=59 time=6.32 ms
64 bytes from 2a02:830:1:8::67: icmp_seq=4 ttl=59 time=6.17 ms
^C
--- mf01.ipv6.cis-websolutions.nl ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3565ms
rtt min/avg/max/mdev = 6.147/6.207/6.324/0.068 ms


Where does it go wrong?

Regards,
Roland

broquea

Well, it's 6to4. You just happen to be using HE's relay in one direction. Maybe the relay your home machine is using doesn't have a route to mf01, because there is a chance that the relay your home ISP reaches doesn't (and even less likely is HE's relay). You should set up an actual HE 6in4 tunnel at home, and not rely on the 6to4 relays.

kasperd

Quote from: cisws on January 25, 2014, 11:39:49 AM
I have successfully set up a HE 6to4 tunnel from my Netgear WNR3500v2 router.

Here is the first problem. You have mixed up 6in4 and 6to4. With 6to4, packets are routed using anycast; you are not choosing a provider, packets are simply routed through the nearest provider that announces the prefix. With 6in4, addresses are allocated from some provider's range of native IPv6 addresses. There are multiple 6in4 providers, including HE. Each provider has some advantages and disadvantages; you get to choose which suits your needs best.

Quote from: cisws on January 25, 2014, 11:39:49 AM
But I cannot reach all of my servers on the Internet. I have three hosts:

MacDevelop (home):  inet6 2002:541c:c056:e472:62fb:42ff:fef2:437e/64
bup04 (at Transip):    inet6 addr: 2a01:7c8:aaaf:18e::1/48
mf01 (at Claranet):    inet6 addr: 2a02:830:1:8::67/64
None of those are using HE. The first is using 6to4, the others I suppose are using native IPv6 from providers which are independent from HE.

Because of the anycast nature of 6to4, you have little control over the path packets are taking. 6to4 works great when both endpoints are using 6to4; however, if you choose to use 6to4, you need to worry about how you get traffic between 6to4 endpoints and native IPv6 endpoints as reliably as possible. Packets in each direction will get routed to the closest 6to4 relay, which means you are depending on two different 6to4 relays for the communication. Moreover, since you have no prior agreement with the provider of 6to4 relays, there are also no guarantees about availability.

You have two ways to move ahead here. You can either make the necessary arrangements for as reliable communication between 6to4 and native IPv6 as possible, or you can switch from 6to4 to 6in4 (for example by using a tunnel through HE). Some of the steps needed in order to get 6to4 and native IPv6 communicating reliably are a good idea in both cases, so I'll start by explaining those.

Quote from: cisws on January 25, 2014, 11:39:49 AM
I can connect from MacDevelop to bup04.
This shows that there are working relays for communication in both directions for this communication. Knowing this will help us narrow down the problem you have with the other communication.

Quote from: cisws on January 25, 2014, 11:39:49 AM
But I cannot connect from MacDevelop to mf01

The packets from your 6to4 host (2002:541c:c056:e472:62fb:42ff:fef2:437e) will go through the same 6to4 relay on the way out, regardless of which native IPv6 address they are being sent to. Since it worked with the other host, we can assume your 6to4 host does have access to a working relay.

I can ping 2a02:830:1:8::67 from an HE address, but when I try to ping it from a 6to4 address, I get no reply. This is consistent with your observations, and I think we can conclude that 2a02:830:1:8::67 does not have access to a functional 6to4 relay. You have three options to get that resolved:
  • Do a traceroute from 2a02:830:1:8::67 to any 6to4 address in order to find the location of the 6to4 relay. Complain to whoever is hosting a defective 6to4 relay.
  • Contact your hosting provider and ask them to run a 6to4 relay, such that you don't have to rely on a third party.
  • Set up your own 6to4 relay on the host.
Setting up your own is probably the most productive of those three. And while you are at it, you can set up a teredo relay as well.

In order to be able to set up those relays, you need to have a public IPv4 address on that host. So questions are, do you have a public IPv4 address on that host, and what OS is it running?
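The address-type distinction made in the reply above, as an added example that is not part of the original thread: it classifies the three posted addresses by prefix, decodes the IPv4 address embedded in the 6to4 one, and reports which host pairs depend on third-party 6to4 relays. The `HE_BLOCK` prefix and the function names are assumptions chosen for this illustration.

```python
import ipaddress

# Assumption: 2001:470::/32 is the Hurricane Electric block; the thread's
# 6to4.ams1.he.net hop (2001:470:0:190::2) falls inside it.
HE_BLOCK = ipaddress.ip_network("2001:470::/32")

# The three hosts exactly as listed in the first post.
HOSTS = {
    "MacDevelop": "2002:541c:c056:e472:62fb:42ff:fef2:437e/64",
    "bup04": "2a01:7c8:aaaf:18e::1/48",
    "mf01": "2a02:830:1:8::67/64",
}

def classify(addr):
    """Return (kind, embedded IPv4 or None) for an IPv6 address, with or without /len."""
    ip = ipaddress.IPv6Interface(addr).ip
    if ip.sixtofour is not None:      # 2002::/16, IPv4 address in bits 16..47
        return "6to4", ip.sixtofour
    if ip.teredo is not None:         # 2001::/32, tuple of (server, client) IPv4
        return "teredo", ip.teredo[1]
    if ip in HE_BLOCK:
        return "he", None
    return "native", None

def relay_dependency(a, b):
    """Describe what traffic between two addresses relies on."""
    kinds = {classify(a)[0], classify(b)[0]}
    if kinds == {"6to4"}:
        return "none: 6to4 to 6to4 is encapsulated directly to the peer's IPv4 address"
    if "6to4" in kinds:
        return "two relays: each direction uses whichever anycast 6to4 relay is nearest the sender"
    return "none: ordinary IPv6 routing"

if __name__ == "__main__":
    for name, addr in HOSTS.items():
        kind, v4 = classify(addr)
        print(f"{name:10} {kind:7} embedded IPv4: {v4}")
    names = list(HOSTS)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            print(f"{a} <-> {b}: {relay_dependency(HOSTS[a], HOSTS[b])}")
```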

cisws

Thank you both for your answers. I used the 6to4 tunnel because this is the only option in my router at the moment. And even that is not stable, as my router loses connectivity a few times per day and a restart is necessary to bring it back again.

I don't want to configure additional tunnels, relays or whatever on my web servers. Too much work for hosts that have native IPv6. I'll try to find another way for IPv6 from home.

Thanks again,
Cheers, Roland

kasperd

Quote from: cisws on January 28, 2014, 02:31:09 PM
I used the 6to4 tunnel because this is the only option in my router at the moment.
Sounds unlikely. What router is it?

Quote from: cisws on January 28, 2014, 02:31:09 PM
I don't want to configure additional tunnels, relays or whatever on my web servers. Too much work
It takes less than five minutes to configure both 6to4 and Teredo relays on a server, if you have tried it before. And once it has been configured, you don't need to touch it again.