• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Draytek router - tunnel only works in one direction

Started by JulianR.B, January 26, 2020, 05:15:28 AM


JulianR.B

I have a Draytek 2760 router and a Linux box behind it. Set up the tunnel fine (using the local private IP address instead of the public address of the router as it passes Proto 41) and have access to IPv6 land  :D

No problem pinging my local IPv6 address and the HE end of the tunnel (traceroute6 confirms that it is being routed correctly) and again have all TCP/IP access to the IPv6 world  ;D ;D

Now from a different machine someone is trying to access my tunnel (legitimately!) but can only ping the HE end of the tunnel and not the one on my Linux box. Also no TCP/IP access to services running on that machine's ports.  :(

I have set up a tunnel locally, using a second Linux box to emulate the HE end of the tunnel, as a test and can ping both ends of the tunnel from both machines.

Support guys at HE have been really helpful but we can't figure it out.

Anyone had any experience of trying to get through a Draytek from the outside world?

Thanks.

tomkep

Did you set up forwarding on your Draytek router, to DNAT and forward protocol 41 to your Linux box? Your OUTGOING traffic MAY be matched by connection tracking - hence you can see the responses. It WILL NOT work most of the time for your incoming traffic.

JulianR.B

Pretty sure Protocol 41 is being passed as I need to supply my local IP to the tunnel and using my public IP does not work. I don't know anything about DNAT, and can't find anything with Google, can you explain more?
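
The difference between connection tracking and a DNAT forward raised in the two posts above, as an added example that is not part of any post in this thread: a toy model of a NAT router handling protocol 41, which has no ports, so state is keyed on the remote address alone. The addresses, the timeout value and the `NatRouter` class are constructed for illustration and do not describe the Draytek firmware.

```python
from dataclasses import dataclass, field

PROTO_6IN4 = 41             # IPv6-in-IPv4 encapsulation; carries no port numbers
LAN_HOST = "192.168.1.20"   # constructed: Linux box behind the router
HE_SERVER = "198.51.100.1"  # constructed: tunnel server IPv4 endpoint
IDLE_TIMEOUT = 600          # seconds; assumed value, real routers differ

@dataclass
class NatRouter:
    idle_timeout: int = IDLE_TIMEOUT
    dnat: dict = field(default_factory=dict)       # proto -> LAN host (static forward)
    conntrack: dict = field(default_factory=dict)  # (proto, remote) -> (LAN host, last seen)

    def outbound(self, now, lan_host, remote, proto):
        """A LAN host sends first: the router records state for the return path."""
        self.conntrack[(proto, remote)] = (lan_host, now)

    def inbound(self, now, remote, proto):
        """WAN-side packet: return the LAN host it is delivered to, or None if dropped."""
        entry = self.conntrack.get((proto, remote))
        if entry and now - entry[1] <= self.idle_timeout:
            self.conntrack[(proto, remote)] = (entry[0], now)  # traffic refreshes state
            return entry[0]
        self.conntrack.pop((proto, remote), None)  # expired or never existed
        return self.dnat.get(proto)                # a static rule needs no prior state

def scenario(static_forward):
    """Delivery results for a reply to our own ping, then a packet after a long idle."""
    router = NatRouter()
    if static_forward:
        router.dnat[PROTO_6IN4] = LAN_HOST
    router.outbound(0, LAN_HOST, HE_SERVER, PROTO_6IN4)
    reply = router.inbound(1, HE_SERVER, PROTO_6IN4)
    late = router.inbound(1 + IDLE_TIMEOUT + 1, HE_SERVER, PROTO_6IN4)
    return reply, late

if __name__ == "__main__":
    print("conntrack only :", scenario(static_forward=False))
    print("with DNAT rule :", scenario(static_forward=True))
```

In this model the static forward delivers protocol 41 from any source, so the Linux box's own IPv6 firewall policy is what filters traffic arriving through the tunnel.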

mikma

If "Block routing connections initiated from WAN" is enabled then it probably blocks all access from the WAN. I have no idea if it's possible to write firewall rules which control the IPv6 access or if the binary on/off switch is the only available configuration.

Quote: Usually, IPv6 network sessions/traffic from WAN to LAN will be blocked by IPv6 firewall to prevent remote client accessing into the PCs on LAN in default. IPv6 - Check the box to make the packets (routed from WAN to LAN) via IPv6 being accepted by such router. It is effective only for the packets routed but not for packets translated by NAT

https://www.draytek.com.tw/ftp/Vigor2760-Delight/Manual/DrayTek_UG_Vigor2760-D_V2.1.pdf

tjeske

Nah, the Draytek shouldn't know anything about IPv6. It should just see IPv4 packets. I'm running my tunnel behind a Cisco firewall and it doesn't care about the contents of the packets to/from the tunnel-endpoint.

Could it still be a firewall issue?

JulianR.B

It's not the firewall on the Linux box as it works on a local test configuration between two local machines not going through the router. There is very little in the router firewall apart from port redirections in the NAT config. I set up the Linux box to be the DMZ and then the tunnel failed in both directions which I still find hard to explain.

Has anyone got this working on any Draytek router?

tjeske

I don't know... if the tunnel works in general and you can access IPv6 resources (are you really sure about that???), then the Draytek seems to pass proto 41 successfully. Why it doesn't work in DMZ, no idea. How did you make the Draytek forward proto 41 to your Linux box?

JulianR.B

Definitely have IPv6 access as I disabled IPv6 for the adaptor in the Linux box and have access to an IPv6 only website when the tunnel-broker is up and don't have access when it's down.

I never enabled proto 41 in the Draytek. Initially it did not work when I used my public IP address of the router but then changed to using my local IPv4 address (192.168.xxx.xxx) as it suggests in the setup guide and it all started working. So I assumed proto 41 is being passed.

tjeske

Weird. How would the Draytek know where it should pass proto 41 to?

Maybe there's some 6rd or teredo/miredo going on in your network? What's your public IPv6 address? (you can find out by visiting ip6.me)