• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Problems getting tunnel to work behind NAT router

Started by jonmoore, April 03, 2009, 09:48:13 AM


jonmoore

I've got two machines.  One of them is connected directly to our ATT router and has a public IP address.  I set up a tunnel on this machine, and everything works well.  So, I'm assuming the next issue is with me and not with ATT, etc.

The other computer I have is on our local network.  The only device between this one and the "big internet" is a Cisco 1811.  I have full access via some NAT statements on the Cisco router.  The computer is running Ubuntu Linux 8.10 and I set up the tunnel using the commands on tunnelbroker.net:

modprobe ipv6
ip tunnel add he-ipv6 mode sit remote 209.51.161.14 local 70.159.118.70 ttl 255
ip link set he-ipv6 up
ip addr add 2001:470:1f06:1fd::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr


I can ping the IPv4 address of the remote end, but not the IPv6 address.

I read often about needing to allow protocol 41 on some devices to accomplish this, so I do have an ACL of permit protocol 41 any any on the ingress ACL of our router.

Obviously, I'm doing something wrong here.  Any help would be awesome.

broquea

Is that ubuntu machine configured with the 70.159.118.70 IP?

jonmoore

Quote from: broquea on April 03, 2009, 09:53:40 AM
Is that ubuntu machine configured with the 70.159.118.70 IP?

I probably should have made that more clear.  Or just left the first part out. 

70.159.118.70 is the Cisco 1811 router.  The Ubuntu is on the other side of that router with a private IPv4 address (currently: 192.168.0.71).

broquea

Ok then, on that first line, change from using the Cisco's IP, to that 192.168 IP

so tear down the interface, and rerun the updated commands
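
The mismatch pointed out in the reply above (the tunnel's "local" set to the router's public IP instead of an address the host itself owns) can be checked mechanically. This is an added example, not part of the original thread: the function names and verdict strings are made up for illustration, and the host address list is constructed from the addresses quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): verify a sit tunnel's "local" endpoint.

# Pull the local endpoint out of one line of `ip tunnel show` output, e.g.
#   he-ipv6: ipv6/ip remote 209.51.161.14 local 192.168.0.71 ttl 255
sit_local() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "local") { print $(i + 1); exit } }'
}

# Succeeds if $1 is an RFC 1918 private IPv4 address.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# check_sit_local TUNNEL_LINE "ADDR1 ADDR2 ..."
# Prints one verdict:
#   mismatch       local endpoint is not an address this host owns
#   ok-behind-nat  endpoint is the host's private address; the NAT router
#                  must still pass IP protocol 41 to and from this host
#   ok-public      endpoint is a public address configured on the host
#   unspecified    no usable "local" value ("any" or missing)
check_sit_local() {
    ep=$(sit_local "$1")
    if [ -z "$ep" ] || [ "$ep" = "any" ]; then echo unspecified; return 2; fi
    for addr in $2; do
        if [ "$addr" = "$ep" ]; then
            if is_rfc1918 "$addr"; then echo ok-behind-nat; else echo ok-public; fi
            return 0
        fi
    done
    echo mismatch
    return 1
}

# Constructed sample: addresses on the Ubuntu host from the thread.
HOST_ADDRS="127.0.0.1 192.168.0.71"
# On a live host (assumes iproute2):
#   HOST_ADDRS=$(ip -4 -o addr show | awk '{ split($4, a, "/"); print a[1] }')
#   ip tunnel show he-ipv6

for line in \
    "he-ipv6: ipv6/ip remote 209.51.161.14 local 70.159.118.70 ttl 255" \
    "he-ipv6: ipv6/ip remote 209.51.161.14 local 192.168.0.71 ttl 255"
do
    printf '%s -> %s\n' "$line" "$(check_sit_local "$line" "$HOST_ADDRS" || true)"
done
```

A verdict of ok-behind-nat only confirms the host side; as the rest of the thread shows, the device doing NAT can still be what stops the protocol 41 traffic.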

jonmoore

Created new tunnel as directed

ip tunnel add he-ipv6 mode sit remote 209.51.161.14 local 192.168.0.71 ttl 255


Using ping6 I get this:

jonmoore@blank:~$ ping6 -c3 2001:470:1f06:1fd::1
PING 2001:470:1f06:1fd::1(2001:470:1f06:1fd::1) 56 data bytes
From 2001:470:1f06:1fd::2 icmp_seq=1 Destination unreachable: Address unreachable
From 2001:470:1f06:1fd::2 icmp_seq=2 Destination unreachable: Address unreachable
From 2001:470:1f06:1fd::2 icmp_seq=3 Destination unreachable: Address unreachable

--- 2001:470:1f06:1fd::1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2013ms


Showing the link

12: he-ipv6@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
    link/sit 192.168.0.71 peer 209.51.161.14

broquea

And the tunnel-server has the tunnel configured, but also cannot ping6 your side. Might still be something in between that is causing this, but unsure what that would be. But I've verified that our side is configured correctly for your tunnel.

jonmoore

If I take out the 1811 and just connect direct, everything works.  So it's obviously something with the 1811 causing issues.

Are there any specific configurations that I need on the router in order to allow this type of action to happen?

bbrother

Hi there,

Instead of opening a new topic, I'm replying in this thread about my issue. I have the same problem as the guy who started the topic.
I have added a tunnel through the website, with my endpoint set to 82.170.193.94, which is the actual internet address my ISP gave me.

I've watched the video tutorial which added a v6 tunnel by simply copying and pasting. I tried the same, but I get nothing back.

I also tried some tips which were suggested in this thread, but the farthest I get is this:

debian:~# ping6 ipv6.google.com
PING ipv6.google.com(fx-in-x68.google.com) 56 data bytes
From bbrother-1-pt.tunnel.tserv11.ams1.ipv6.he.net icmp_seq=1 Destination unreachable: Address unreachable
From bbrother-1-pt.tunnel.tserv11.ams1.ipv6.he.net icmp_seq=2 Destination unreachable: Address unreachable
From bbrother-1-pt.tunnel.tserv11.ams1.ipv6.he.net icmp_seq=3 Destination unreachable: Address unreachable
From bbrother-1-pt.tunnel.tserv11.ams1.ipv6.he.net icmp_seq=4 Destination unreachable: Address unreachable


Thing I noticed is that the HE website shows; bbrother-1.tunnel.tserv11.ams1.ipv6.he.net, it seems different?

I had XS4ALL's (Dutch ISP) IPv6 tunnel working when I was a customer there.
I moved to a new ISP and added HE's tunnel to the same computer, but it's not working ;(

Any suggestions are greatly appreciated.

thanks :)
I just

broquea

Tunnel wasn't 100% configured, just did it by hand. However still cannot ping6 your side. Your IPv4 endpoint does respond tho. Maybe an ip6tables rule? unhappy default route?

bbrother

No, it is working now ;)

The Debian box was shutdown after v6 not working.
Just configured it, and now it works :)

PING ipv6.google.com(fx-in-x68.google.com) 56 data bytes
64 bytes from fx-in-x68.google.com: icmp_seq=1 ttl=58 time=105 ms
64 bytes from fx-in-x68.google.com: icmp_seq=2 ttl=58 time=110 ms


many thanks!