
IPv6 connectivity drops after a short while (Firewall issue)

Started by jmwhite, October 20, 2014, 01:50:08 AM


jmwhite

Hi all,

I've been a user of the Tunnel Broker service for a couple of years, mainly on my home network using one of my /64 tunnels on my DD-WRT router.

More recently I stepped up a level by adding IPv6 connectivity to a couple of CentOS VPS servers which run web services like Apache, Dovecot, Exim, etc., with the intention of providing dual stack connectivity.

Tunnel interface: sit1
WAN interface: eth0

I set up my Hurricane Electric tunnel correctly on sit1 and added a primary IPv6 address to my eth0 interface, along with a few IPv6 secondary addresses within my /64.

IPv6 connectivity initially works; I am able to traceroute and ping IPv6 addresses as well as access web services over IPv6 from an IPv6 enabled client. After a short while, however, IPv6 requests time out (both incoming and outgoing). I believe this to be a firewall issue, as flushing iptables/ip6tables brings back the connectivity; re-enabling the firewall allows connectivity to work for a short while before being blocked again.

I don't directly use iptables/ip6tables but use ConfigServer Security & Firewall, which acts as a wrapper for formulating the firewall rules for both v4 and v6. I haven't previously had a problem with IPv4 connectivity, so I'm thinking I need additional ip6tables configuration that the csf.conf is not providing by default; my initial thought is perhaps it's because a tunnel interface is being used, rather than native connectivity on eth0 only.

I can provide any route, network interface output, but I just wanted to ask initially if anyone could think of a problem that I haven't thought of, or has had similar experiences with CSF as the IPv4/IPv6 firewall.

Many thanks,

James

cholzhauer

An easy workaround is to run ping in a cron job every 5 minutes or so to keep the connection open.

jmwhite

Quote from: cholzhauer on October 20, 2014, 05:28:31 AM
An easy workaround is to run ping in a cron job every 5 minutes or so to keep the connection open.

Thanks for your reply.

Does this behaviour seem normal though? I use a tunnel on my router at home and the firewall rules don't cause any problems like this. Obviously the OS is different, as is the setup of interfaces for tunnel configuration, but overall same outcome.

cholzhauer

Normal?  No, but there are questions throughout this forum where people describe the same situation.  I can't say for sure if they have the same router as you, but there are some over-zealous firewalls that cut the connection if no traffic uses the connection for some period of time.  Since you're using iptables I suspect there is some sort of way to fix this, but I have no idea what it would be as I'm not familiar with the software.

jmwhite

I'll keep that workaround in mind, I have however been reviewing my setup a little closer, and may have figured out the reason why.

I've been so focused on ip6tables being the issue that I forgot about proto 41 for 6in4; I've added these iptables rules in csfpre.sh:


iptables -t filter -I INPUT -p 41 -j ACCEPT
iptables -t filter -I OUTPUT -p 41 -j ACCEPT

As a test beforehand I waited till the IPv6 connectivity went down, then applied these two rules (didn't disable/flush the firewall), and the connectivity immediately came back.

That might be the missing firewall rules. I've flushed the firewall and restarted it and will see if IPv6 connectivity is maintained.
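As an added example (not code from the thread, and not part of CSF's own distribution), the following POSIX sh hook applies the idea behind jmwhite's csfpre.sh rules and cholzhauer's cron keepalive in a form a csfpre.sh could source. It differs from the two rules in the post in one respect: the 6in4 (IP protocol 41) accept rules are restricted to the tunnel server's IPv4 endpoint rather than accepting encapsulated traffic from any host, and they are only inserted when not already present, so repeated firewall restarts do not stack duplicates. Everything specific is an assumption: the tunnel server address (203.0.113.1, a documentation-range placeholder), the far-end IPv6 address (2001:db8::1, also a placeholder), the WAN interface eth0 from the post, and that the script runs as root unless RUN=echo is set for a dry run.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent 6in4 (protocol 41) rules for a
# csfpre.sh-style hook, plus the keepalive cron line suggested in the thread.
# Placeholders (not on the page): TUNNEL_SERVER_V4, TUNNEL_FAR_END_V6.

TUNNEL_SERVER_V4="${TUNNEL_SERVER_V4:-203.0.113.1}"   # placeholder: HE tunnel server IPv4
TUNNEL_FAR_END_V6="${TUNNEL_FAR_END_V6:-2001:db8::1}" # placeholder: server side of the tunnel
WAN_IF="${WAN_IF:-eth0}"                              # WAN interface named in the post
RUN="${RUN:-}"                                        # set RUN=echo to print instead of apply

# Rule specifications (chain first, then match options) that allow encapsulated
# IPv6 only between this host and the tunnel server, instead of from anywhere.
proto41_rule_specs() {
    printf 'INPUT -i %s -p 41 -s %s -j ACCEPT\n' "$WAN_IF" "$TUNNEL_SERVER_V4"
    printf 'OUTPUT -o %s -p 41 -d %s -j ACCEPT\n' "$WAN_IF" "$TUNNEL_SERVER_V4"
}

# Insert each rule at the top of its chain unless an identical rule is already
# loaded: "iptables -C" returns 0 when the rule exists, non-zero otherwise.
apply_proto41_rules() {
    proto41_rule_specs | while read -r spec; do
        if [ -n "$RUN" ]; then
            echo "iptables -t filter -I $spec"
            continue
        fi
        # shellcheck disable=SC2086  # word-splitting of $spec is intended
        iptables -t filter -C $spec 2>/dev/null || iptables -t filter -I $spec
    done
}

# Check that both rules are loaded; returns non-zero if any one is missing.
# Useful after a firewall restart to confirm the hook actually ran.
proto41_rules_present() {
    proto41_rule_specs | while read -r spec; do
        # shellcheck disable=SC2086
        iptables -t filter -C $spec 2>/dev/null || exit 1   # leaves the pipeline subshell
    done
}

# Crontab line for the keepalive suggested in the thread: a few pings to the far
# end of the tunnel every 5 minutes so an idle-timeout somewhere on the path
# does not drop state. Output is discarded; only the traffic matters.
keepalive_cron_line() {
    printf '*/5 * * * * ping6 -c 3 %s >/dev/null 2>&1\n' "$TUNNEL_FAR_END_V6"
}

# Usage: "sh csfpre-proto41.sh apply" as root applies the rules;
#        "RUN=echo sh csfpre-proto41.sh apply" prints what would be run.
if [ "${1:-}" = "apply" ]; then
    apply_proto41_rules
fi
```

The check in proto41_rules_present is the part worth keeping around: the symptom in this thread (working for a while, then silently timing out) looks identical whether the rules were never loaded or were removed by a later firewall restart, and a one-line check distinguishes the two faster than flushing the firewall does.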