• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Tunnel Broker now works from Router, but not Windows 7 PC

Started by srappleyea, November 01, 2014, 12:03:26 PM


srappleyea

Hello all,

So first, a little background.  I am a student, trying to help develop a Networking lab exercise for college students around IPv6.  I am working with a Windows 7 PC, which is attached via ethernet to a MikroTik router (the same make and model being used by the students).  That router is itself attached via ethernet to an ActionTec router / dsl modem that services my entire local network. 

After some considerable trial and error, and putting my MikroTik router in the DMZ of the ActionTec router, I am now able to ping IPv6 addresses from within my MikroTik RouterOS by using Hurricane Electric's tunnel broker.  Hooray!  Success!  Except that I still can't access any ipv6 address from my PC.  IPv6 IS enabled on my PC, and I can successfully ping the local IPv6 address of my MikroTik router from my PC.

Does anyone know why the tunnel works from my router but not my PC?

mattwilson9090

Where are you getting the IPv6 addresses you are assigning the PC? You should be assigning them from your routed /64 or /48.
Matt Wilson

cholzhauer

Furthermore, what address did you assign to the inside interface of your router?

srappleyea

I'm set up with DHCP from my ActionTec router, so I haven't actually assigned any ip addresses.  Are you saying I need to remove DHCP service from my "outside" router and use my MikroTik router to provide IP addresses?

cholzhauer

I'm sort of surprised that device does dhcpv6.  Even so, you need slaac to get routing info

Manually assign an address out of your routed /64 to the inside interface of your router and give an address in the same subnet to your pc.  We can move to dynamic stuff after everything works

mattwilson9090

We didn't say anything about DHCP. However you have DHCP configured for IPv4 won't change as a result of any of this.

What we are saying is that the IPv6 addresses that the computers are using needs to come from your routed /64 or /48.

I'm guessing that you gave the MikroTik router the Client IPv6 address and nothing else. It needs to also have one of the routed /64 or /48 addresses, and the computers would then have addresses from that same subnet that are assigned statically, via SLAAC, or via DHCPv6.

Where are the PC's getting their IPv6 addresses now?
Matt Wilson

cholzhauer

Oops, read into that too much, thanks for clarifying my point

srappleyea

Quote from: mattwilson9090 on November 01, 2014, 07:39:52 PM
We didn't say anything about DHCP. However you have DHCP configured for IPv4 won't change as a result of any of this.

What we are saying is that the IPv6 addresses that the computers are using needs to come from your routed /64 or /48.

I'm guessing that you gave the MikroTik router the Client IPv6 address and nothing else. It needs to also have one of the routed /64 or /48 addresses, and the computers would then have addresses from that same subnet that are assigned statically, via SLAAC, or via DHCPv6.

Where are the PC's getting their IPv6 addresses now?

I haven't actually configured any IPv6 addresses except, as you correctly guessed, the client IPv6 address.  Existing IPv6 addresses were assigned by my ActionTec router via DHCPv6.

I can see my PC's IPv6 address in the MikroTik's IPv6 address list, but if I'm understanding you correctly I still need to do something like:

/ipv6 address add address=(/64 address on my tunnelbroker page) advertise=yes interface=ether2   (ether2 is the port my PC is connected to)

Is that right?  I just tried that, no luck yet accessing ipv6 addresses from my pc but I'm thinking there are more steps?

UPDATE: Also, I'm looking at my /ipconfig right now on my pc and I have a ton of IPv6 addresses (probably from all the experimenting I've been doing).  I'm trying to get rid of the extras but haven't been able to yet.  Are those going to get in the way?

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:470:b:523:etc.
   IPv6 Address. . . . . . . . . . . : 2001:470:dcd9:1:etc.
   Temporary IPv6 Address. . . . . . : 2001:470:b:523:etc.
   Temporary IPv6 Address. . . . . . : 2001:470:dcd9:etc.
   Link-local IPv6 Address . . . . . : fe80::c549:etc.
   IPv4 Address. . . . . . . . . . . : 192.168.88.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::d6ca:etc.
                                       192.168.88.1

mattwilson9090

Again, where are you getting the address that you are assigning by DHCPv6? I don't mean what technical method are you using to assign IPv6, I mean how do you know to use the addresses that you are using. Are they coming from your routed /64 or routed /48 that HE electric assigned you when your tunnel was created? If they aren't coming from there you are not going to get IPv6 access to the internet. Without knowing where you are getting these addresses it's almost impossible to help you with this.

If you post the details from your HE tunnel that would help a lot so we can figure out what you're doing right and wrong.

I get the impression that the MikroTik router is the endpoint for your HE tunnel, so why are you trying to hand out addresses from the Actiontec via DHCPv6? If things are configured as I think they are, the PC's aren't even directly "seeing" the Actiontec, so it won't be assigning IPv4 or IPv6 addresses to them. It also shouldn't be necessary for anything to be in the DMZ of anything else. Generally speaking, that's a very insecure way to do things.

As an example my network looks this way (I'm not discussing anything that isn't related to my IPv6 setup so a few pieces aren't mentioned, there's a UTM firewall in this mix as well, but it's transparently passing HE tunnel traffic so I won't mention it to simplify things). Ethernet port from cable modem is connected to WAN port on Linksys WRT54G-TM router. One of the LAN ports on that router is connected to the WAN port on an ASUS RT-N66U modem, which is then connected to my gigabit switch that has everything else connected to it. The ASUS router is the endpoint for my HE tunnel. It is also assigned one of the addresses from my routed /64. The PC's in this LAN assign themselves IPv6 addresses in the routed /64 that is configured on the router.

I really can't assess most of the information from your IPCONFIG without knowing where your IPv6 addresses are coming from so I'm not going to comment on that right now.
Matt Wilson

srappleyea

Thanks for your help, sorry if I'm a little thick.  From what I've gathered, yes, the problem is that my ipv6 addresses are NOT coming from my routed /64 HE assigned ip block.  The problem is, I'm still enough of a newb with this that I don't know HOW to make my computer take an IP address from that block and nowhere else.  I imagine it's something I have to do from within my MikroTik router, maybe there's also something I have to do from my PC, I don't know.  Still trying to figure that out.  Just knowing that's where the problem lies at least helps a lot though.

My MikroTik IS, in fact, the endpoint for my HE tunnel.  I'm not really trying to take the addresses I got from the Actiontec (and whatever other source all those came from), I just don't know how to get rid of them and get them from somewhere else!

As to the DMZ business, I was trying for two weeks to get this tunnel working any other way; I think generally lack of configuration capability on the ActionTec is preventing me.  Tried just forwarding, even tried temporarily disabling the firewall (Very temporary!), but just couldn't get it to work that way.  Not ideal, but it's the best I have for now.

Here are my HE details:

IPv6 Tunnel Endpoints
Server IPv4 Address:216.218.226.238
Server IPv6 Address:2001:470:a:523::1/64
Client IPv4 Address:71.221.71.110
Client IPv6 Address:2001:470:a:523::2/64
Routed IPv6 Prefixes
Routed /64:2001:470:b:523::/64

cholzhauer

I think something like this will work


netsh int ipv6 delete address 2001:470:b:523:etc
netsh int ipv6 delete address 2001:470:dcd9:1:etc


The easiest thing might be to do a


netsh interface ipv6 reset


That will reset everything to defaults allowing you to create your tunnel again.

After you create your tunnel, assign the addresses like so:

Inside interface of router: 2001:470:b:524::1
Interface of PC: 2001:470:b:524::2

   

mattwilson9090

Then yes, if the IPv6 addresses on your PC are not from your routed /64 then you won't be making any IPv6 connections from them. At this point I'd suggest not worrying about any sort of dynamic address assignment such as SLAAC or DHCPv6 and manually assigning addresses just to make sure the "pipes" are working correctly. After that you can worry about dynamic assignment.

For all I know the firmware on your router might not even be able to help with SLAAC. I haven't worked with one of those routers, and I don't know its interface, with GUI or CLI, so I can't tell you how to do things, only what needs to be accomplished.

I'm not sure what you were doing with forwarding or DMZ, but none of that is necessary for an HE tunnel. The HE traffic is passed through via Protocol 41 (not Port 41), and since it's a Protocol, not a Port, you can't even do forwarding of that traffic. There are some ISP's and routers that don't properly pass Protocol 41, and the only solution to that is generally to get different equipment or to get the ISP to lift their blocks. Using a DMZ might be a jury rig to get things working, but I wouldn't suggest using it in the long run. Remember, enabling a DMZ, at least the way it's defined on most routers is functionally the same as disabling the "firewall" since it just passes all traffic through without examining it.

Based on the tunnel information you provided, your router will have two IPv6 addresses. The first is Client IPv6 Address:2001:470:a:524::2/64, that's the one used to establish your end of the tunnel, and what allows your router to communicate via IPv6 with the internet. The second one will be from your Routed /64:2001:470:b:524::/64. You could assign it as 2001:470:b:524::2 just to keep the machine address the same, with the only difference between the network portion of the address. That's how I simplify things for myself.

Then follow cholzhauer's suggestion of running "netsh interface ipv6 reset" on your PC to reset all of the IPv6 settings back to default to start over. Finally assign your PC an address of 2001:470:b:524::100 with the gateway address being the router's fe80 address. (cholzhauer's address suggestions would work as well, mine just come from my own personal style for doing things) After that you should be able to reach the internet via IPv6 from the PC.

One other piece of advice. Since this work is apparently being done as some sort of college assignment, get your professor involved. Let them look over what you've already done and critique it. Aside from being inexperienced, from some of your descriptions you seem to have done some decidedly odd things. I could tell far more (and recommend far more) from a 5 minute hands on look at your setup than I could tell you in days of back and forth on a message board. After all, that is one part of a college instructor's job, to help their student and provide help and guidance. It's an invaluable resource, use it.
Matt Wilson

cholzhauer

Quote from: mattwilson9090 on November 02, 2014, 01:31:22 PM

I'm not sure what you were doing with forwarding or DMZ, but none of that is necessary for an HE tunnel. The HE traffic is passed through via Protocol 41 (not Port 41), and since it's a Protocol, not a Port, you can't even do forwarding of that traffic. There are some ISP's and routers that don't properly pass Protocol 41, and the only solution to that is generally to get different equipment or to get the ISP to lift their blocks. Using a DMZ might be a jury rig to get things working, but I wouldn't suggest using it in the long run. Remember, enabling a DMZ, at least the way it's defined on most routers is functionally the same as disabling the "firewall" since it just passes all traffic through without examining it.

FYI DMZ mode is often needed if a specific forwarding device doesn't recognize proto41... the idea being that instead of filtering the wrong stuff, the device will just send all traffic to the specified endpoint and let the endpoint sort it out.

mattwilson9090

Ok, thanks. I've never run into that. If you can't avoid it because of limitations of equipment that an ISP provides, you can't avoid it. I had a router once that was provided by an ISP which seemed to block Protocol 41, meaning I couldn't reestablish my HE tunnel. Luckily it wasn't one of those annoying combined router/modems so I was able to use something else in its place and everything worked great.
Matt Wilson

srappleyea

Thanks for all the help guys, sorry I've been away for a couple of days.  I do in fact have one of those annoying combined router/modems, and while it has GRE capabilities that are supposed to help with situations like this, I haven't been able to get it to work.  So, DMZ.

So I have verified that my PC is pulling IPv6 addresses from my MikroTik.  I unplugged the Internet cable from my MikroTik router then connected the PC, so that the PC was ONLY talking to the MikroTik, and saw the ipv6 addresses get populated in my ipconfig.  However, I guess it isn't pulling it properly or something?  Still no ipv6 connectivity from my PC.  No doubt something I'm doing wrong in my setup.  Here are the details from my ipconfig LAN on the PC:

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:470:b:523:540f:5fef:c3c4:21d5
   Temporary IPv6 Address. . . . . . : 2001:470:b:523:2017:9ba0:e3fb:ad4d
   Link-local IPv6 Address . . . . . : fe80::540f:5fef:c3c4:21d5%20
   IPv4 Address. . . . . . . . . . . : 192.168.88.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::d6ca:6dff:feb5:a276%20
                                       192.168.88.1

And the ipv6 addresses from the "addresses" table on my MikroTik (sit1 is the name of my tunnel interface, ether2 is where my PC is plugged in):
Address:                                  Interface:
2001:470:a:523::2/64                sit1
2001:470:b:523::2/64                ether2-master-local
fe80::3f9b:a276/64                    sit1

First two are global, last one is local.  The addresses do match up with what I currently have from Hurricane Electric.  Any thoughts on what I'm doing wrong?  I really appreciate the help!
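
The check the replies keep asking for (do the PC's addresses come from the routed /64?) can be scripted. The following is an added example, not part of any post in the thread: it parses ipconfig-style lines and sorts each IPv6 address against the prefixes from the posted tunnel details. The function names are hypothetical and the last sample line is constructed.

```python
import ipaddress
import re

# Prefixes copied from the tunnel details posted in the thread.
ROUTED_64 = ipaddress.ip_network("2001:470:b:523::/64")
TUNNEL_64 = ipaddress.ip_network("2001:470:a:523::/64")

# ipconfig lines from the last post; the final line is constructed (host part
# invented) to represent an address left over from another prefix.
SAMPLE_IPCONFIG = """\
   IPv6 Address. . . . . . . . . . . : 2001:470:b:523:540f:5fef:c3c4:21d5
   Temporary IPv6 Address. . . . . . : 2001:470:b:523:2017:9ba0:e3fb:ad4d
   Link-local IPv6 Address . . . . . : fe80::540f:5fef:c3c4:21d5%20
   IPv4 Address. . . . . . . . . . . : 192.168.88.254
   Default Gateway . . . . . . . . . : fe80::d6ca:6dff:feb5:a276%20
                                       192.168.88.1
   IPv6 Address. . . . . . . . . . . : 2001:470:dcd9:1::1234
"""
LINE_RE = re.compile(r"^\s*[^.:]+?[ .]*: (?P<value>\S+)\s*$")


def classify(addr_text):
    """Say which block an address falls in, relative to the HE tunnel."""
    addr = ipaddress.ip_address(addr_text.split("%")[0])  # drop the zone id
    if addr.version != 6:
        return "ipv4"
    if addr.is_link_local:
        return "link-local"
    if addr in ROUTED_64:
        return "routed"
    if addr in TUNNEL_64:
        return "tunnel-link"
    return "other-global"


def audit(ipconfig_text):
    """Map every IPv6 address in ipconfig output to its classification."""
    found = {}
    for line in ipconfig_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings, blank values, continuation lines
        try:
            kind = classify(m.group("value"))
        except ValueError:
            continue  # elided or malformed values
        if kind != "ipv4":
            found[m.group("value")] = kind
    return found


if __name__ == "__main__":
    for address, kind in audit(SAMPLE_IPCONFIG).items():
        print(f"{kind:13} {address}")
```

Any address reported as `other-global` or `tunnel-link` on a LAN host is not in the prefix Hurricane Electric routes to the tunnel.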