Hurricane Electric's IPv6 Tunnel Broker Forums

Advanced search  

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Author Topic: Problems getting tunnel to work behind NAT router  (Read 9076 times)

jonmoore

  • Newbie
  • *
  • Posts: 4
Problems getting tunnel to work behind NAT router
« on: April 03, 2009, 09:48:13 AM »

I've got two machines.  One of which is connected directly to our ATT router and has a public IP address.  I setup a tunnel on this machine, and everything works well.  So, I'm assuming the next issue is with me and not with ATT, etc.

The other computer I have, is on our local network.  The only device between this one and the "big internet" is a Cisco 1811.  I have full access via some nat statements on the Cisco router.  The computer is running Ubuntu Linux 8.10 and I setup the tunnel using the commands on tunnelbroker.net
Code: [Select]
modprobe ipv6
ip tunnel add he-ipv6 mode sit remote 209.51.161.14 local 70.159.118.70 ttl 255
ip link set he-ipv6 up
ip addr add 2001:470:1f06:1fd::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr

I can ping the IPv4 address of the remote end, but not the IPv6 address.

I read often about needing to allow protocol 41 on some devices to acomplish this, so I do have an ACL of permit protocol 41 any any on the ingress ACL of our router.

Obviously, I'm doing something wrong here.  Any help would be awesome.
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1722
Re: Problems getting tunnel to work behind NAT router
« Reply #1 on: April 03, 2009, 09:53:40 AM »

Is that ubuntu machine configured with the 70.159.118.70 IP?
Logged

jonmoore

  • Newbie
  • *
  • Posts: 4
Re: Problems getting tunnel to work behind NAT router
« Reply #2 on: April 03, 2009, 09:59:15 AM »

Is that ubuntu machine configured with the 70.159.118.70 IP?

I probably should have made that more clear.  Or just left the first part out. 

70.159.118.70 is the Cisco 1811 router.  The Ubuntu is on the other side of that router with a private IPv4 address (currently: 192.168.0.71).
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1722
Re: Problems getting tunnel to work behind NAT router
« Reply #3 on: April 03, 2009, 10:02:44 AM »

Ok then, on that first line, change from using the Cisco's IP, to that 192.168 IP

so tear down the interface, and rerun the updated commands
Logged

jonmoore

  • Newbie
  • *
  • Posts: 4
Re: Problems getting tunnel to work behind NAT router
« Reply #4 on: April 03, 2009, 10:19:27 AM »

Created new tunnel as directed
Code: [Select]
ip tunnel add he-ipv6 mode sit remote 209.51.161.14 local 192.168.0.71 ttl 255

Using ping6 I get this:
Code: [Select]
jonmoore@blank:~$ ping6 -c3 2001:470:1f06:1fd::1
PING 2001:470:1f06:1fd::1(2001:470:1f06:1fd::1) 56 data bytes
From 2001:470:1f06:1fd::2 icmp_seq=1 Destination unreachable: Address unreachable
From 2001:470:1f06:1fd::2 icmp_seq=2 Destination unreachable: Address unreachable
From 2001:470:1f06:1fd::2 icmp_seq=3 Destination unreachable: Address unreachable

--- 2001:470:1f06:1fd::1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2013ms

Showing the link
Code: [Select]
12: he-ipv6@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
    link/sit 192.168.0.71 peer 209.51.161.14
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1722
Re: Problems getting tunnel to work behind NAT router
« Reply #5 on: April 03, 2009, 10:42:37 AM »

And the tunnel-server has the tunnel configured, but also cannot ping6 your side. Might still be something inbetween that is causing this, but unsure what that would be. But I've verified that our side is configured correctly for your tunnel.
Logged

jonmoore

  • Newbie
  • *
  • Posts: 4
Re: Problems getting tunnel to work behind NAT router
« Reply #6 on: April 03, 2009, 10:52:25 AM »

If I take out the 1811 and just connect direct, everything works.  So it's obviously something with the 1811 causing issues.

Are there any specific configurations that I need on the router in order to allow this type of action to happen?
Logged

bbrother

  • Newbie
  • *
  • Posts: 2
Re: Problems getting tunnel to work behind NAT router
« Reply #7 on: May 03, 2009, 01:40:49 PM »

Hi there,

Instead of opening a new topic, I reply on this threat about my issue. I have the same problem as the guy who started the topic.
I have added a tunnel thru the website, with my endpoint set to 82.170.193.94, which is my actual internet address my ISP gave me.

Ive watched the video tutorial which added a v6 tunnel by simply copy and paste. I tried the same, but I get nothing back.

I also tried some tips which were suggested in this thread, but my the most far i get is this:

debian:~# ping6 ipv6.google.com
PING ipv6.google.com(fx-in-x68.google.com) 56 data bytes
From bbrother-1-pt.tunnel.tserv11.ams1.ipv6.he.net icmp_seq=1 Destination unreachable: Address unreachable
From bbrother-1-pt.tunnel.tserv11.ams1.ipv6.he.net icmp_seq=2 Destination unreachable: Address unreachable
From bbrother-1-pt.tunnel.tserv11.ams1.ipv6.he.net icmp_seq=3 Destination unreachable: Address unreachable
From bbrother-1-pt.tunnel.tserv11.ams1.ipv6.he.net icmp_seq=4 Destination unreachable: Address unreachable


Thing I noticed is that the HE website shows; bbrother-1.tunnel.tserv11.ams1.ipv6.he.net, it seems different?

I had XS4ALL's (dutch ISP) IPv6 tunnel working when I was a customer there.
I moved to a new ISP and added HE's tunnel to the same computer, but its not working ;(

Any suggestions are greatly appreciated.

thanks :)
I just
« Last Edit: May 03, 2009, 01:42:40 PM by bbrother »
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1722
Re: Problems getting tunnel to work behind NAT router
« Reply #8 on: May 03, 2009, 01:48:21 PM »

Tunnel wasn't 100% configured, just did it by hand. However still cannot ping6 your side. Your IPv4 endpoint does respond tho. Maybe an ip6tables rule? unhappy default route?
Logged

bbrother

  • Newbie
  • *
  • Posts: 2
Re: Problems getting tunnel to work behind NAT router
« Reply #9 on: May 07, 2009, 08:46:33 AM »

No, it is working now ;)

The Debian box was shutdown after v6 not working.
Just configured it, and now it works :)

PING ipv6.google.com(fx-in-x68.google.com) 56 data bytes
64 bytes from fx-in-x68.google.com: icmp_seq=1 ttl=58 time=105 ms
64 bytes from fx-in-x68.google.com: icmp_seq=2 ttl=58 time=110 ms


many thanks!
Logged