• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Tunnel Broker now works from Router, but not Windows 7 PC

Started by srappleyea, November 01, 2014, 12:03:26 PM

Previous topic - Next topic

cholzhauer

So sit1 is the outside interface and ether2 is the inside interface?

Can you ping fe80::d6ca:6dff:feb5:a276%20 from your Win7 computer?  Can you ping 2001:470:b:523::2 ?

srappleyea

#16
Yes, I can ping both of those.  FYI, I deleted fe80::3f9b:a276/64 on my MikroTik with the intention of recreating it, but now I get an error "failure: can not add link local address".  But, I can still ping ipv6 from within my router, so I guess I won't worry about that.  Not sure what's missing now to get this thing working from my PC  ???

mattwilson9090

Why did you delete that address? Has the router automatically replaced it with something else?

How far up the chain are you able to ping IPv6 addresses (not domain names or URL's) from within the router? How far up are you able to ping from within the Windows 7 machine? You may or may not have a DNS issue going on, which is why I'm asking about pinging the addresses.

From what I can tell here, it looks like things are set up properly. Unfortunately I'm not familiar with your router, it's firmware, or it's interface. Do you have any confirmation that this router and the firmware running on it truly supports IPv6? I've seen firmware that although you can assign it an IPv6 address, it doesn't actually support routing IPv6.

Also, have you followed up on my suggestion that you speak to your professor about this? You did say that this whole thing is related to some sort of college project so that's a resource you should definitely use. Message boards can be helpful, but they aren't a replacement for hands on experience with a device.
Matt Wilson

srappleyea

I deleted that address while I was just experimenting with some different configurations, thinking I would put it right back.  Didn't work out.

pinging "up the chain" is a good suggestion; I find that, while I can't ping a url from my pc like "ipv6.google.com" nor access it from a browser, I am able to ping some ipv6 addresses.  Here is a traceroute of pinging the HE server ipv6:

Tracing route to 2001:470:a:523::1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  2001:470:b:523::2
  2    34 ms    33 ms    34 ms  2001:470:a:523::1

Trace complete.

And while it is ridiculously hard trying to find a ping-able ipv6 address anywhere out on the wider web, I did find this address from Google DNS, and did a traceroute on it:

Tracing route to 2001:4860:4860::8888 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  2001:470:b:523::2
  2    36 ms    36 ms    36 ms  2001:470:a:523::1
  3    35 ms    43 ms    34 ms  2001:470:0:9b::1
  4    35 ms    35 ms    34 ms  2001:470:0:130::2
  5    38 ms    57 ms    63 ms  2001:4860::1:0:610
  6    34 ms    34 ms    34 ms  2001:4860::8:0:699a
  7    41 ms    41 ms    69 ms  2001:4860::8:0:61de
  8    42 ms    61 ms    41 ms  2001:4860::2:0:ab
  9     *        *        *     Request timed out.
10    42 ms    42 ms    41 ms  2001:4860:4860::8888

Trace complete.

So it looks like it gets out there.  Putting this address - [2001:4860:4860::8888] - in a browser gives me nothing though, but that may be just because there's nothing there that a browser could really read.

I can confirm that this MikroTik does support IPv6.

My professor has been unavailable this last week, though I have talked to him briefly about this problem.  I will be talking to him again tomorrow, but unfortunately since this lab is still under development (hence my work), he hasn't had a lot of the answers I've needed thus far.  He's pretty knowledgeable, don't get me wrong, but not on the details of this particular process.

Okay, here's a good one.  Maybe this will help.  I can ping 2607:f0d0:1002:51::4 from my PC (which is supposedly www.cyberciti.biz), but putting http://[2607:f0d0:1002:51::4]/ into my browser doesn't work.  Does that help anyone know what's going on?  When I was on a network that supported ipv6 without any need for a tunnel, I was able to get on to websites like ipv6.google.com, so it's not like it's browser related.  Very strange.

mattwilson9090

Ok, then you're problem is not one of IPv6 connectivity. It sounds like a DNS issue where whatever DNS server you are using (probably IPv4) does not properly support AAAA records. A properly configured IPv4 DNS server should still be able to return AAAA records. Pinging by IP address is a basic troubleshooting technique as well as pinging by URL.

Add the following IPv6 DNS server addresses to your Windows machine 2620:0:ccc::2 and 2620:0:ccd::2 They are recursive IPv6 DNS servers provided by OpenDNS. To read more about them see https://www.opendns.com/about/innovations/ipv6/

Due to the way that many web servers are set up trying to substitute the IP address for the domain name often yields inconclusive or misleading results, especially with a server that you don't completely control.

I do have to say, if your professor is unknowledgeable about IPv6 why is he having a student who knows less than him setup a lab for him?
Matt Wilson

srappleyea

#20
Yes, that does the job, thank you!!!  One more question though.  Apparently as soon as I enabled that ipv6 DNS, I did gain access to IPv6 sites, but immediately lost access to ipv4 sites.  Same kind of DNS issue; I can ping an address, but can't browse to it.  I tried configuring my ipv4 to use Google's public ipv4 DNS, but still can't access any website that doesn't have IPv6 enabled.  That isn't the behavior I was expecting, but perhaps that is normal?

Thanks for your help getting me here!  The reason my professor doesn't know as much about configuring IPv6 to run over a tunnel is because he's never done anything with it before.  This class that I'm taking is project based.  I was looking for a project to do, and he had a lab he wanted developed, so I volunteered to take on the project to fulfill the requirements of the class.

cholzhauer

Quote
One more question though.  Apparently as soon as I enabled that ipv6 DNS, I did gain access to IPv6 sites, but immediately lost access to ipv4 sites.  Same kind of DNS issue; I can ping an address, but can't browse to it.  I tried configuring my ipv4 to use Google's public ipv4 DNS, but still can't access any website that doesn't have IPv6 enabled.  That isn't the behavior I was expecting, but perhaps that is normal?

No, not normal at all.  The IPv6/IPv4 address just determines how you talk to the DNS server, it doesn't affect which records are returned to you.  Your computer makes the decision on how to talk to a device over v4/v6 based on the proprieties it has (all modern OS's prefer v6 over v4)

mindlesstux

#22
I have been halfway following this thread so I may be asking something that was already asked/stated.
Did you use the the example configuration of the tunnel from your tunnel details page on tunnelbroker.net?

It should look like something:
/interface 6to4 add comment="Hurricane Electric IPv6 Tunnel Broker" disabled=no local-address=WWW.XXX.YYY.ZZZ mtu=1280 name=sit1 remote-address=216.66.22.2
/ipv6 route add comment="" disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:YYYY:ZZZZ::1 scope=30 target-scope=10
/ipv6 address add address=2001:470:YYYY:ZZZZ::2/64 advertise=yes disabled=no eui-64=no interface=sit1


That will setup the tunnel between the router and HE.net assuming no problems there.

The next thing that I did not see was how you have your LAN setup in the MikroTik.  Are all the ports on a bridge or are they switched?
I have my ports bridged, as to allow for me to put VPN connections into the same LAN segment, so to get LAN IPv6 connectivity all I had to add to the example configuration was,
/ipv6 address
add address=2001:470:XXXX:ZZZZ::254 interface=bridge-lan

*Please note this is X not Y address, HE gives you a routed /64, use that here.

The LAN route in the router was automatically added when I did that.  Also this also has advertise set as a default yes so systems in the network get setup statlessly so I dont have to mess with a DHCPv6 server.

As for DNS I have all the systems running in dual stacked mode right now with IPv4 DHCP handing out a single IP address, the routers, as the DNS entry.

I then configured the routers DNS server as follows,
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=2001:4860:4860::8888,8.8.8.8,2001:4860:4860::8844,8.8.4.4


Leaves me with a caching DNS server that can fall back to v4 when needed.

Not sure if any of this helps you in getting it setup on your router for your LAN.  If there are any other problems I would be willing to help out more.


*edit*
Going through the thread once more, saw there were some configuration questions. IF there are any other configuration questions and IF you do not mind internal and external IPs being listed you could do a "/export hide-sensitive" on the console (SSH/Telnet/Terminal in winbox) and copy/paste the output into a code block.  It might make it easier for some of us to follow along how things are setup.

mattwilson9090

Initially the problem was one of using the proper IPv6 address range, ie needing to assign the router /64 addresses to PC's.

After that we realized there was a DNS issue as well, namely that he needed to assign IPv6 DNS addresses to the PC's. It seemed like an IPv6 issue at first because he was only pinging URL's, not IPv6 addresses.

Now there seems to be an IPv4 DNS issue.

I'm not sure how you are assigning IPv4 addressing to your PC's, either static or via DHCP. Try using 208.67.222.222 and 208.67.220.220. Those are OpenDNS's IPv4 DNS servers and will complement the IPv6 ones you are using. A properly configured IPv4 and IPv6 (recursive) DNS server should be returning both A and AAAA records so I'm not sure why you're having this new issue with IPv4 hosted sites.
Matt Wilson

srappleyea

@mindlesstux I have been able to get the configuration on my mikrotik set up all right, but as Matt pointed out the issues now seem to be all about the DNS.  I did try configuring my router's DNS server as you showed, but no luck.

So to update, I found out that if I put my MikroTik IPv6 address as the DNS server address on my windows machine, it will actually work to get me browsing on ipv6 sites.  I have now tried using my MikroTik DNS, OpenDNS, and Google's public DNS.  In each case, I have tried both letting my PC get the IPv4 DNS address automatically, and manually pairing each DNS service to it's matching IPv4 address.  My PC, which is perhaps gaining sentience and a bad attitude (I just saw the Age of Ultron trailer), has apparently decided to take the preference for IPv6 and turn it in to "If IPv6 is available, nothing else is allowed!"  Though I suppose that's not perfectly accurate, since I also realized that if I know the actual 4-octet IPv4 address of a site, I can still browse to it.  I don't know.  It appears that I can do one or the other, but not both.  If i ditch the IPv6 DNS, it switches back to IPv4 just fine.

There was a posting on Microsoft answers where someone appeared to be having a similar problem, but I tried the one solution given, and like the other poster at the bottom of the page that solution did not work for me.
http://answers.microsoft.com/en-us/windows/forum/windows_8-networking/ipv4-no-internet-access-but-ipv6-connectivity-is/55c47fc7-b493-4ed9-bc92-5b6bb5589740?tab=question&status=AllReplies#tabs

I am out of ideas.  I think I will just have to accept that I can do one or the other, but not both.  It will be interesting to see if my professor, using the walkthrough I'm providing, will have the same issues, or if it's some weird combination of factors with my equipment and provider here.

mattwilson9090

It sounds to me as if there is some sort of problem with the computer itself. Not knowing the full history of what you've done it's hard to point to.

One way you can test whether this a computer or network issue is to try another device that's IPv6 capable. Another Windows, *nix, or Mac machine would do. A mobile device such as a tablet or smatphone could, but I don't always trust how they handle IPv6. Alternatively, if you have a hard drive that isn't being used, temporarily swap it for the drive in your computer and do a quick and dirty install of Windows 7 or later and see how a clean install of Windows in your network connects to IPv4 and IPv6. If DHCv4 and RA (router advertisement) for SLAA on your computer are configured properly and there are no other network issues, then at most you might just need to configure the "new" Windows computer with IPv6 DNS addresses.
Matt Wilson