Can't remember

gavsdavs · February 25, 2008, 01:56:36 PM

I used btexact's broker for some years, they closed the service down, so I signed up the HE and got myself a tunnel.

I have a small ipv4 network which i want also to run ipv6 on, and route that traffic through a 6-in-4 gateway on a linux firewall.

I used the iproute2 solution, so I now have sit0 and he-ipv6 interfaces.

I'm transmitting frames, but getting nothing back. I can also see the ipv4 frames heading to the v4 address of the tunnel broker, but I'm not getting anything back.

What should I be looking for to diagnose this ?

I don't have an he-ipv6 or sit0 ip neighbours:
[root@router ~]# ip -6 neigh show
fe80::210:a7ff:fe08:5db6 dev eth0 lladdr 00:10:a7:08:5d:b6 REACHABLE

amph · February 25, 2008, 06:48:17 PM

after you log in you should look on the bottom left where it says 'example configs', hit that and then select the second one down 'linux-net-tool' and follow all thoes rules on your linux machine that is connected to the internet, then try to use ipv6 and try to ping the ipv6 ip of the he.net tunnel side.

that config will make sure you have the appropriate sit device..

amph

gavsdavs · February 26, 2008, 12:35:17 AM

Yep, I have tried both net-tools and ip-route2 example configs.
I've also tried disabling ip6tables and just trying it with my firewall as the only access device, and I never get a single frame back from the tunnel broker.

Tunnel setup configs:
--------------------------------
#!/bin/sh
if ! [ -f /proc/net/if_inet6 ]
then echo "IPv6 is not installed!" 1>&2; exit 1; fi
ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.80.26
sleep 2
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:470:1f08:13b::2/64
route -A inet6 add ::/0 gw fe80::a63:63fe dev sit1 (not sure about this one, I used to need it)
#route -A inet6 add 2000::/3 gw fe80::d579:1855 dev sit1
ifconfig eth0 inet6 add 2001:470:1f08:13b:207:95ff:fe05:92fc/64 (my "internal" interface)
route -A inet6 add ::/0 dev sit1
ifconfig sit1 inet6 add 2001:470:1f08:13b::2/64

- or even -

#ip tunnel add he-ipv6 mode sit remote 216.66.80.26 local 62.49.1.52 ttl 255
#ip link set he-ipv6 up
#ip addr add 2001:470:1f08:13b::2/64 dev he-ipv6
#ip addr add 2001:470:1f08:13b:207:95ff:fe05:92fc/64 dev eth0
#ip route add ::/0 dev he-ipv6
#ip -f inet6 addr
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

--------------------------------

This is ifconfig - lots of frames transmitted, no replies.
sit1 Link encap:IPv6-in-IPv4
inet6 addr: 2001:470:1f08:13b::2/64 Scope:Global
inet6 addr: fe80::a63:63fe/64 Scope:Link
inet6 addr: fe80::a00:fe/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:171 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:19833 (19.3 KiB)

Is there a verbose way to setup the tunnel to check my configs ?

tcpdump (ppp0, host 216.66.80.26):
08:30:18.961494 IP 62.49.1.52 > 216.66.80.26: IP6 2001:470:1f08:13b:210:a7ff:fe08:5db6.36214 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33437: UDP, length 40
08:30:18.971095 IP 62.49.1.52 > 216.66.80.26: IP6 2001:470:1f08:13b:210:a7ff:fe08:5db6.36217 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33438: UDP, length 40
08:30:18.971141 IP 62.49.1.52 > 216.66.80.26: IP6 2001:470:1f08:13b:210:a7ff:fe08:5db6.36218 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33439: UDP, length 40
08:30:18.971175 IP 62.49.1.52 > 216.66.80.26: IP6 2001:470:.1f08:13b:210:a7ff:fe08:5db6.36220 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33440: UDP, length 40
08:30:18.971207 IP 62.49.1.52 > 216.66.80.26: IP6 2001:470:1f08:13b:210:a7ff:fe08:5db6.36221 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33441: UDP, length 40

Frames going to your broker, nothing ever comes back.

If I change between iproute2 and net-tools methods I have to update both my ipv4 firewall and my ip6 firewall to correctly declare my external interfaces. I do this, but I never get anything back. I don't block anything on the firewall either.

broquea · February 26, 2008, 12:54:47 AM

I've verified your config exists on the tunnel server.
I cannot ping either your ipv4 endpoint or your side of the /64 from the tunnel server.
Please paste the output of: route -A inet6 -n

amph · February 26, 2008, 01:45:41 AM

correct me if i'm wrong (and maybe this is his problem) but the tunnel should be setup on a machine directly connected to the internet with a public routable ip address...

i havn't tried to set one of these up via nat yet but i'm not sure how nat would handle it since there are no ports to forward (though, icmp can be natted due to header ID's and the such....)

gavsdavs · February 26, 2008, 12:57:42 PM

external IP is 62.49.1.52. Deliberately ignores unsolicited pings. Is that required ?
[root@ponsonby ~]# route -A inet6 -n
Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
::1/128 :: U 0 2 1 lo
::10.0.0.254/128 :: U 0 0 1 lo
::10.99.99.254/128 :: U 0 0 1 lo
::127.0.0.1/128 :: U 0 0 1 lo
::/96 :: U 256 0 0 sit0
2001:470:1f08:13b::/128 :: U 0 0 2 lo
2001:470:1f08:13b::/128 :: U 0 0 2 lo
2001:470:1f08:13b::2/128 :: U 0 10 1 lo
2001:470:1f08:13b:207:95ff:fe05:92fc/128 :: U 0 0 1 lo
2001:470:1f08:13b::/64 :: U 256 238 0 sit1
2001:470:1f08:13b::/64 :: U 256 0 0 eth0
fe80::/128 :: U 0 0 2 lo
fe80::/128 :: U 0 0 2 lo
fe80::/128 :: U 0 0 2 lo
fe80::a00:fe/128 :: U 0 0 1 lo
fe80::a63:63fe/128 :: U 0 0 1 lo
fe80::207:95ff:fe05:92fc/128 :: U 0 49 1 lo
fe80::260:97ff:fed9:91a/128 :: U 0 0 1 lo
fe80::/64 :: U 256 0 0 eth0
fe80::/64 :: U 256 0 0 eth1
fe80::/64 :: U 256 0 0 sit1
ff00::/8 :: U 256 0 0 eth0
ff00::/8 :: U 256 0 0 eth1
ff00::/8 :: U 256 0 0 sit1
::/0 fe80::a63:63fe UG 1 373 0 sit1
::/0 :: U 1 0 0 sit1

connectivity is pppoatm 32 bit netmask through demon over adsl.
[root@ponsonby ~]# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
194.159.161.36 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.99.99.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 194.159.161.36 0.0.0.0 UG 0 0 0 ppp0
[root@ponsonby ~]#

The firewall doesn't allow firewall to originate ICMP, here's a traceroute to the tunnel broker from a machine behind the firewall

# traceroute 216.66.80.26
traceroute to 216.66.80.26 (216.66.80.26), 30 hops max, 40 byte packets
1 ponsonby.gda-adsl.demon.co.uk (10.99.99.254) 0.524 ms 0.406 ms 0.415 ms
2 anchor-hg-5-lo100.router.demon.net (194.159.161.36) 25.228 ms 25.279 ms 33.124 ms
3 anchor-access-4-s155.router.demon.net (194.159.161.161) 33.129 ms 33.123 ms 33.098 ms
4 anchor-inside-4-g6-0-4.router.demon.net (194.159.161.94) 41.003 ms 41.036 ms 41.010 ms
5 park-border-1-g1-0-0.router.demon.net (194.70.98.90) 40.856 ms 40.826 ms 48.681 ms
6 gsr12012.lon.he.net (195.66.224.21) 48.693 ms 45.556 ms 53.442 ms
7 216.66.80.26 (216.66.80.26) 53.444 ms 30.541 ms 30.484 ms

I'm a bit confused by why my external (sit1) interface's address turns out to be
2001:470:1f08:13b::2/64

And the suffix you've allocated me is:
2001:470:1f08:13b::/64.

Isn't that, like, errr, the same network ? (therefore routing won't work with two interfaces of the firewall in the same subnet, will it ?)

samh · February 26, 2008, 01:32:18 PM

Quote from: gavsdavs on February 26, 2008, 12:57:42 PM

I'm a bit confused by why my external (sit1) interface's address turns out to be
2001:470:1f08:13b::2/64

And the suffix you've allocated me is:
2001:470:1f08:13b::/64.

Isn't that, like, errr, the same network ? (therefore routing won't work with two interfaces of the firewall in the same subnet, will it ?)

2001:470:1f08:13b::/64 is your Point to Point /64

2001:470:1f09:13b::/64 is your routed /64

Can you describe this setup a little more? Your drop goes into a firewall (What kind of Firewall? Does it pass protocol 41 traffic? Have you tried with a directly connected machine taking the firewall out of the loop?) Unfortunately with IPv6 it either works out of the box, or its a game of "Guess the Problem". Taking items out of the loop and simplifying it shows you where the borked member is :)

gavsdavs · February 26, 2008, 02:26:33 PM

The linux machine *is* the firewall.
It has a PCI ADSL modem in it, and it uses ppp to establish my connection to demon.

I have a v4 firewall on it which does pass protocol 41.

i will adjust for the subnet change and let you know how I get on.

Thanks

gavsdavs · February 26, 2008, 02:50:41 PM

Connectivity established (from the firewall without the policy enabled), by problem is in the forwarding somewhere.

[root@ponsonby ~]# traceroute6 www.kame.net
traceroute to www.kame.net (2001:200:0:8002:203:47ff:fea5:3085), 30 hops max, 40 byte packets
1 gavsdavs.tunnel.tserv5.lon1.ipv6.he.net (2001:470:1f08:13b::1) 29.971 ms 37.774 ms 37.715 ms
2 2001:470:0:67::1 (2001:470:0:67::1) 37.668 ms 45.598 ms 45.553 ms
3 ge-0.linx.londen03.uk.bb.gin.ntt.net (2001:7f8:4::b62:1) 45.507 ms 53.427 ms 53.383 ms
4 as-0.r20.nycmny01.us.bb.gin.ntt.net (2001:418:0:2000::1a9) 133.277 ms 133.232 ms 141.149 ms
5 as-2.r21.sttlwa01.us.bb.gin.ntt.net (2001:418:0:2000::5) 229.145 ms 229.083 ms 229.050 ms
6 as-2.r21.osakjp01.jp.bb.gin.ntt.net (2001:218:0:2000::75) 332.960 ms 309.313 ms 301.540 ms
7 ae-4.r21.tokyjp01.jp.bb.gin.ntt.net (2001:218:0:2000::dd) 309.365 ms 317.316 ms 309.669 ms
8 xe-4-1.a15.tokyjp01.jp.ra.gin.ntt.net (2001:218:0:6000::116) 285.455 ms 293.383 ms 517.999 ms
9 ge-8-2.a15.tokyjp01.jp.ra.gin.ntt.net (2001:218:2000:5000::82) 293.815 ms 293.767 ms 301.714 ms
10 * vlan44.cisco2.fujisawa.wide.ad.jp (2001:200:0:3::105) 301.628 ms *
11 ve-4.nec2.yagami.wide.ad.jp (2001:200:0:1c04:230:13ff:feae:5b) 309.515 ms 317.437 ms 317.402 ms
12 lo0.alaxala1.k2.wide.ad.jp (2001:200:0:4800::7800:1) 317.343 ms 325.284 ms 317.230 ms
13 orange.kame.net (2001:200:0:8002:203:47ff:fea5:3085) 294.131 ms 301.916 ms 293.889 ms

Thanks for taking the time to help.

gavsdavs · February 26, 2008, 03:14:20 PM

Ok, I'm stuck at the basics, I do this:

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

And it isn't forwarding traffic.

Traceroutes are working from the firewall, but I get no reply from my subnet hosts.

Traceroute from a host behind the firewall, as seen on sit1 on the firewall:
23:13:28.354957 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37549 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33437: UDP, length 40
23:13:28.355498 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37550 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33438: UDP, length 40
23:13:28.355707 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37551 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33439: UDP, length 40
23:13:28.355758 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37552 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33440: UDP, length 40
23:13:28.355788 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37554 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33441: UDP, length 40
23:13:28.355817 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37555 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33442: UDP, length 40
23:13:28.355845 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37556 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33443: UDP, length 40
23:13:28.355873 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37558 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33444: UDP, length 40
23:13:28.355902 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37559 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33445: UDP, length 40
23:13:28.355929 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37560 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33446: UDP, length 40
23:13:28.355957 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37561 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33447: UDP, length 40
23:13:28.355985 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37563 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33448: UDP, length 40
23:13:28.356013 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37564 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33449: UDP, length 40
23:13:28.358017 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37565 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33450: UDP, length 40
23:13:28.358157 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37566 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33451: UDP, length 40
23:13:28.358262 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37567 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33452: UDP, length 40
23:13:33.357315 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37568 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33453: UDP, length 40
23:13:33.357524 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37569 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33454: UDP, length 40
23:13:33.357595 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37570 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33455: UDP, length 40
23:13:33.357650 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37572 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33456: UDP, length 40
23:13:33.357695 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37574 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33457: UDP, length 40
23:13:33.357739 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37575 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33458: UDP, length 40
23:13:33.357783 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37576 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33459: UDP, length 40
23:13:33.357826 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37577 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33460: UDP, length 40
23:13:33.357870 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37578 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33461: UDP, length 40
23:13:33.357914 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37579 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33462: UDP, length 40
23:13:33.357957 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37580 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33463: UDP, length 40
23:13:33.358002 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37581 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33464: UDP, length 40
23:13:33.358048 IP6 2001:470:1f09:13b:210:a7ff:fe08:5db6.37582 > 2001:740:c000:0:2d0:b7ff:fe74:2a8b.33465: UDP, length 40

(Start of a) Traceroute from the firewall itself (using sit1 as source IP)
23:12:45.060352 IP6 2001:470:1f08:13b::2.33022 > 2001:200:0:8002:203:47ff:fea5:3085.traceroute: UDP, length 40
23:12:45.061760 IP6 2001:470:1f08:13b::2.33023 > 2001:200:0:8002:203:47ff:fea5:3085.33435: UDP, length 40
23:12:45.062699 IP6 2001:470:1f08:13b::2.33024 > 2001:200:0:8002:203:47ff:fea5:3085.33436: UDP, length 40
23:12:45.063470 IP6 2001:470:1f08:13b::2.33025 > 2001:200:0:8002:203:47ff:fea5:3085.33437: UDP, length 40
23:12:45.064215 IP6 2001:470:1f08:13b::2.33026 > 2001:200:0:8002:203:47ff:fea5:3085.33438: UDP, length 40
23:12:45.065137 IP6 2001:470:1f08:13b::2.33027 > 2001:200:0:8002:203:47ff:fea5:3085.33439: UDP, length 40
23:12:45.065851 IP6 2001:470:1f08:13b::2.33028 > 2001:200:0:8002:203:47ff:fea5:3085.33440: UDP, length 40
23:12:45.067187 IP6 2001:470:1f08:13b::2.33029 > 2001:200:0:8002:203:47ff:fea5:3085.33441: UDP, length 40
23:12:45.067876 IP6 2001:470:1f08:13b::2.33030 > 2001:200:0:8002:203:47ff:fea5:3085.33442: UDP, length 40
23:12:45.068681 IP6 2001:470:1f08:13b::2.33031 > 2001:200:0:8002:203:47ff:fea5:3085.33443: UDP, length 40
23:12:45.069415 IP6 2001:470:1f08:13b::2.33032 > 2001:200:0:8002:203:47ff:fea5:3085.33444: UDP, length 40
23:12:45.070166 IP6 2001:470:1f08:13b::2.33033 > 2001:200:0:8002:203:47ff:fea5:3085.33445: UDP, length 40
23:12:45.071440 IP6 2001:470:1f08:13b::2.33034 > 2001:200:0:8002:203:47ff:fea5:3085.33446: UDP, length 40
23:12:45.072152 IP6 2001:470:1f08:13b::2.33035 > 2001:200:0:8002:203:47ff:fea5:3085.33447: UDP, length 40
23:12:45.073007 IP6 2001:470:1f08:13b::2.33036 > 2001:200:0:8002:203:47ff:fea5:3085.33448: UDP, length 40
23:12:45.073704 IP6 2001:470:1f08:13b::2.33037 > 2001:200:0:8002:203:47ff:fea5:3085.33449: UDP, length 40
23:12:45.088658 IP6 2001:470:1f08:13b::1 > 2001:470:1f08:13b::2: ICMP6, time exceeded in-transit for 2001:200:0:8002:203:47ff:fea5:3085, length 96
23:12:45.094122 IP6 2001:470:1f08:13b::2.33038 > 2001:200:0:8002:203:47ff:fea5:3085.33450: UDP, length 40
23:12:45.096691 IP6 2001:470:1f08:13b::1 > 2001:470:1f08:13b::2: ICMP6, time exceeded in-transit for 2001:200:0:8002:203:47ff:fea5:3085, length 96
23:12:45.096699 IP6 2001:470:1f08:13b::1 > 2001:470:1f08:13b::2: ICMP6, time exceeded in-transit for 2001:200:0:8002:203:47ff:fea5:3085, length 96
23:12:45.096706 IP6 2001:470:0:67::1 > 2001:470:1f08:13b::2: ICMP6, time exceeded in-transit for 2001:200:0:8002:203:47ff:fea5:3085, length 96
23:12:45.102252 IP6 2001:470:1f08:13b::2.33039 > 2001:200:0:8002:203:47ff:fea5:3085.33451: UDP, length 40
23:12:45.103229 IP6 2001:470:1f08:13b::2.33040 > 2001:200:0:8002:203:47ff:fea5:3085.33452: UDP, length 40
23:12:45.103935 IP6 2001:470:1f08:13b::2.33041 > 2001:200:0:8002:203:47ff:fea5:3085.33453: UDP, length 40
23:12:45.104692 IP6 2001:470:0:67::1 > 2001:470:1f08:13b::2: ICMP6, time exceeded in-transit for 2001:200:0:8002:203:47ff:fea5:3085, length 96
23:12:45.104700 IP6 2001:470:0:67::1 > 2001:470:1f08:13b::2: ICMP6, time exceeded in-transit for 2001:200:0:8002:203:47ff:fea5:3085, length 96
23:12:45.108004 IP6 2001:470:1f08:13b::2.33042 > 2001:200:0:8002:203:47ff:fea5:3085.33454: UDP, length 40
23:12:45.108858 IP6 2001:470:1f08:13b::2.33043 > 2001:200:0:8002:203:47ff:fea5:3085.33455: UDP, length 40

I never get a reply for traffic for my subnet....any ideas ?

gavsdavs · February 26, 2008, 03:38:07 PM

A test from http://www.tunnelbroker.net/connectivity.php

to 2001:470:1f09:13b:hostaddress

Traceroute6 result:
1 2001:470:0:57::1 (2001:470:0:57::1) 21.855 ms 4.941 ms 0.229 ms
2 10g-1-2.core1.sjc2.ipv6.he.net (2001:470:0:2f::2) 0.716 ms 0.666 ms 0.622 ms
3 10g-1-3.core1.nyc4.ipv6.he.net (2001:470:0:33::2) 79.892 ms 79.967 ms 89.68 ms
4 10g-1-2.core1.lon1.ipv6.he.net (2001:470:0:3e::2) 148.445 ms 148.401 ms 148.431 ms
5 2001:470:0:67::2 (2001:470:0:67::2) 148.646 ms 148.599 ms 148.539 ms
6 2001:470:0:67::1 (2001:470:0:67::1) 148.542 ms 148.531 ms 148.575 ms
7 2001:470:0:67::2 (2001:470:0:67::2) 148.704 ms 148.782 ms 149.794 ms
8 2001:470:0:67::1 (2001:470:0:67::1) 148.638 ms 148.697 ms 149.846 ms
9 2001:470:0:67::2 (2001:470:0:67::2) 148.86 ms 148.87 ms 148.827 ms
10 2001:470:0:67::1 (2001:470:0:67::1) 148.953 ms 156.709 ms 149.86 ms
11 2001:470:0:67::2 (2001:470:0:67::2) 149.058 ms 149.049 ms 149.049 ms
12 2001:470:0:67::1 (2001:470:0:67::1) 148.991 ms 158.161 ms 148.996 ms
13 2001:470:0:67::2 (2001:470:0:67::2) 149.129 ms 149.147 ms 149.076 ms
14 2001:470:0:67::1 (2001:470:0:67::1) 149.222 ms 149.207 ms 149.072 ms
15 2001:470:0:67::2 (2001:470:0:67::2) 149.227 ms 149.199 ms 149.347 ms
16 2001:470:0:67::1 (2001:470:0:67::1) 149.377 ms 149.307 ms 149.21 ms
17 2001:470:0:67::2 (2001:470:0:67::2) 149.481 ms 149.443 ms 149.544 ms
18 2001:470:0:67::1 (2001:470:0:67::1) 156.154 ms 149.431 ms 149.452 ms
19 2001:470:0:67::2 (2001:470:0:67::2) 159.581 ms 149.554 ms 149.524 ms
20 2001:470:0:67::1 (2001:470:0:67::1) 149.597 ms 149.546 ms 149.605 ms
21 2001:470:0:67::2 (2001:470:0:67::2) 150.229 ms 149.771 ms 150.023 ms
22 2001:470:0:67::1 (2001:470:0:67::1) 149.741 ms 149.732 ms 152.884 ms
23 2001:470:0:67::2 (2001:470:0:67::2) 149.861 ms 149.934 ms 149.94 ms
24 2001:470:0:67::1 (2001:470:0:67::1) 149.785 ms 149.887 ms 149.872 ms
25 2001:470:0:67::2 (2001:470:0:67::2) 150.029 ms 150.107 ms 149.991 ms
26 2001:470:0:67::1 (2001:470:0:67::1) 150.055 ms 150.783 ms 150.011 ms
27 2001:470:0:67::2 (2001:470:0:67::2) 150.236 ms 150.225 ms 150.19 ms
28 2001:470:0:67::1 (2001:470:0:67::1) 150.243 ms 150.649 ms 150.189 ms
29 2001:470:0:67::2 (2001:470:0:67::2) 150.362 ms 158.275 ms 150.351 ms
30 2001:470:0:67::1 (2001:470:0:67::1) 150.352 ms 160.398 ms 155.436 ms

What's broken here ?

broquea · February 26, 2008, 03:57:01 PM

Looks like the broker hadn't put in the static route. It is there now, and I'll look into what went wrong.
Please retest.

gavsdavs · February 27, 2008, 12:38:43 AM

It did, eventually. I was blocking some icmp responses, some of which I've now allowed through.
Not sure if it was the icmp that got the routing working, but here's a traceroute from behind the firewall.

# traceroute6 -n www.kame.net
traceroute to www.kame.net (2001:200:0:8002:203:47ff:fea5:3085), 30 hops max, 40 byte packets
1 2001:470:1f09:13b:207:95ff:fe05:92fc 0.307 ms 0.252 ms 0.232 ms (my firewall)
2 2001:470:1f08:13b::1 31.501 ms 39.490 ms 39.283 ms
3 2001:470:0:67::1 39.248 ms 47.160 ms 47.166 ms
4 2001:7f8:4::b62:1 47.139 ms 55.007 ms 55.017 ms
5 2001:418:0:2000::1a9 135.037 ms 134.952 ms 134.973 ms
6 2001:418:0:2000::5 230.861 ms 230.762 ms 230.727 ms
7 2001:218:0:2000::75 334.692 ms 303.424 ms 303.166 ms
8 2001:218:0:2000::dd 302.941 ms 302.969 ms 295.297 ms
9 2001:218:0:6000::116 303.138 ms 303.154 ms 295.627 ms
10 2001:218:2000:5000::82 295.499 ms 287.590 ms 295.490 ms
11 2001:200:0:3::105 303.459 ms * *
12 2001:200:0:1c04:230:13ff:feae:5b 303.446 ms 287.553 ms 287.501 ms
13 2001:200:0:4800::7800:1 295.487 ms 295.428 ms 303.298 ms
14 2001:200:0:8002:203:47ff:fea5:3085 295.361 ms 295.422 ms 295.318 ms

Question: how do i configure the firewall to respond to:

07:57:39 ponsonby Drop-ip6-In - IN=sit1 OUT= TUNNEL=216.66.80.26->62.49.1.52 SRC=2001:0470:1f08:013b:0000:0000:0000:0001 DST=2001:0470:1f08:013b:0000:0000:0000:0002 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
08:34:45 ponsonby Drop-ip6-In - IN=sit1 OUT= TUNNEL=216.66.80.26->62.49.1.52 SRC=2001:0470:1f08:013b:0000:0000:0000:0001 DST=2001:0470:1f08:013b:0000:0000:0000:0002 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
08:34:46 ponsonby Drop-ip6-In - IN=sit1 OUT= TUNNEL=216.66.80.26->62.49.1.52 SRC=2001:0470:1f08:013b:0000:0000:0000:0001 DST=2001:0470:1f08:013b:0000:0000:0000:0002 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
08:34:46 ponsonby Drop-ip6-In - IN=sit1 OUT= TUNNEL=216.66.80.26->62.49.1.52 SRC=2001:0470:1f08:013b:0000:0000:0000:0001 DST=2001:0470:1f08:013b:0000:0000:0000:0002 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
08:35:19 ponsonby Drop-ip6-In - IN=sit1 OUT= TUNNEL=216.66.80.26->62.49.1.52 SRC=2001:0470:1f08:013b:0000:0000:0000:0001 DST=2001:0470:1f08:013b:0000:0000:0000:0002 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0

(That's seen on the firewall by ip6tables).

News:

Can't remember

amph

amph