Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: Draytek router - tunnel only works in one direction  (Read 1633 times)

JulianR.B

  • Newbie
  • *
  • Posts: 6
Draytek router - tunnel only works in one direction
« on: January 26, 2020, 05:15:28 AM »

I have a Draytek 2760 router and a Linux box behind it. Set up the tunnel fine (using the local private IP address instead of the public address of the router as it passes Proto 41) and have access to IPv6 land  :D

No problem pinging my local IPv6 address and the HE end of the tunnel (traceroute6 confirms that it is being routed correctly) and again have all TCP/IP access to the IPv6 world  ;D ;D

Now from a different machine someone is trying to access my tunnel (legitimately!) but can only ping the HE end of the tunnel and not the one on my Linux box. Also no TCP/IP access to services running on that machine's ports.  :(

I have set up a tunnel locally, using a second Linux box to emulate the HE end of the tunnel, as a test and can ping both ends of the tunnel from both machines.

Support guys at HE have been really helpful but we can't figure it out.

Anyone had any experience of trying to get through a Draytek from the outside world?

Thanks.

tomkep

  • Newbie
  • *
  • Posts: 7
Re: Draytek router - tunnel only works in one direction
« Reply #1 on: January 29, 2020, 11:39:50 AM »

Did you set your Draytek router forwarding - to DNAT and forward protocol 41 to your Linux box? Your OUTGOING traffic MAY be matched by connection tracking - hence you can see the responses. It WILL NOT work most of the time for your incoming traffic.

JulianR.B

  • Newbie
  • *
  • Posts: 6
Re: Draytek router - tunnel only works in one direction
« Reply #2 on: January 29, 2020, 04:33:41 PM »

Pretty sure Protocol 41 is being passed as I need to supply my local IP to the tunnel and using my public IP does not work. I don't know anything about DNAT, and can't find anything with Google, can you explain more?

mikma

  • Newbie
  • *
  • Posts: 3
Re: Draytek router - tunnel only works in one direction
« Reply #3 on: February 02, 2020, 10:36:23 AM »

If "Block routing connections initiated from WAN" is enabled then it probably blocks all access from the WAN. I have no idea if it's possible to write firewall rules which control the IPv6 access or if the binary on/off switch is the only available configuration.

Quote
Usually, IPv6 network sessions/traffic from WAN to LAN will be blocked by IPv6 firewall to prevent remote client accessing into the PCs on LAN in default.
IPv6 - Check the box to make the packets (routed from WAN to LAN) via IPv6 being accepted by such router. It is effective only for the packets routed but not for packets translated by NAT

https://www.draytek.com.tw/ftp/Vigor2760-Delight/Manual/DrayTek_UG_Vigor2760-D_V2.1.pdf

tjeske

  • Full Member
  • ***
  • Posts: 105
Re: Draytek router - tunnel only works in one direction
« Reply #4 on: February 02, 2020, 03:23:32 PM »

Nah, the Draytek shouldn't know anything about IPv6. It should just see IPv4 packets. I'm running my tunnel behind a Cisco firewall and it doesn't care about the contents of the packets to/from the tunnel-endpoint.

Could it still be a firewall issue?

JulianR.B

  • Newbie
  • *
  • Posts: 6
Re: Draytek router - tunnel only works in one direction
« Reply #5 on: February 02, 2020, 07:06:51 PM »

It's not the firewall on the Linux box as it works on a local test configuration between two local machines not going through the router. There is very little in the router firewall apart from port redirections in the NAT config. I set up the Linux box to be the DMZ and then the tunnel failed in both directions which I still find hard to explain.

Has anyone got this working on any Draytek router?

tjeske

  • Full Member
  • ***
  • Posts: 105
Re: Draytek router - tunnel only works in one direction
« Reply #6 on: February 05, 2020, 09:49:05 AM »

I don't know...if the tunnel works in general and you can access IPv6 resources (are you really sure about that???), then the Draytek seems to pass proto 41 successfully. Why it doesn't work in DMZ, no idea. How did you make the Draytek forward proto 41 to your Linux box?

JulianR.B

  • Newbie
  • *
  • Posts: 6
Re: Draytek router - tunnel only works in one direction
« Reply #7 on: February 05, 2020, 10:07:28 AM »

Definitely have IPv6 access as I disabled IPv6 for the adaptor in the Linux box and have access to an IPv6 only website when the tunnel-broker is up and don't have access when it's down.

I never enabled proto 41 in the Draytek. Initially it did not work when I used my public IP address of the router but then changed to using my local IPv4 address (192.168.xxx.xxx) as it suggests in the setup guide and it all started working. So I assumed proto 41 is being passed.

tjeske

  • Full Member
  • ***
  • Posts: 105
Re: Draytek router - tunnel only works in one direction
« Reply #8 on: February 10, 2020, 06:59:27 PM »

Weird. How would the Draytek know where it should pass proto 41 to?

Maybe there's some 6rd or teredo/miredo going on in your network? What's your public IPv6 address? (you can find out by visiting ip6.me)
Logged
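The open question in this thread is whether inbound protocol 41 packets actually reach the Linux box, so the following is an added example (not code from any poster or from Hurricane Electric) that parses a raw IPv4 packet, as captured on the Linux box's LAN interface, and reports the outer IPv4 header an IPv4-only NAT sees alongside the inner IPv6 header it does not. The function names and the sample packet are assumptions: the packet is constructed from documentation addresses plus a made-up 192.168.1.10 LAN address.

```python
import ipaddress
import struct

PROTO_6IN4 = 41      # IPv4 protocol number for encapsulated IPv6 (6in4)
NH_ICMPV6 = 58       # IPv6 Next Header value for ICMPv6
ICMPV6_TYPES = {128: "echo-request", 129: "echo-reply"}

def parse_6in4(frame: bytes) -> dict:
    """Parse a raw IPv4 packet and, if it is protocol 41, the inner IPv6 header."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4            # outer header length in bytes
    if ihl < 20 or len(frame) < ihl:
        raise ValueError("bad IPv4 header length")
    info = {
        "outer_src": str(ipaddress.IPv4Address(frame[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(frame[16:20])),
        "outer_proto": frame[9],
        "is_6in4": frame[9] == PROTO_6IN4,
    }
    if not info["is_6in4"]:
        return info                         # ordinary IPv4 traffic, nothing tunnelled
    inner = frame[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol 41 payload is not a complete IPv6 header")
    info["inner_src"] = str(ipaddress.IPv6Address(inner[8:24]))
    info["inner_dst"] = str(ipaddress.IPv6Address(inner[24:40]))
    info["inner_next_header"] = inner[6]
    if inner[6] == NH_ICMPV6 and len(inner) > 40:
        info["icmpv6"] = ICMPV6_TYPES.get(inner[40], f"type {inner[40]}")
    return info

def build_sample() -> bytes:
    """Constructed sample: an inbound ICMPv6 echo request inside a 6in4 packet."""
    icmp = struct.pack("!BBHHH", 128, 0, 0, 1, 1)   # echo request, checksum left 0
    v6 = struct.pack("!IHBB", 6 << 28, len(icmp), NH_ICMPV6, 64)
    v6 += ipaddress.IPv6Address("2001:db8:aaaa::1").packed   # remote host (made up)
    v6 += ipaddress.IPv6Address("2001:db8:bbbb::2").packed   # tunnel client (made up)
    total = 20 + len(v6) + len(icmp)
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, PROTO_6IN4, 0,
                     ipaddress.IPv4Address("198.51.100.1").packed,   # tunnel server
                     ipaddress.IPv4Address("192.168.1.10").packed)   # Linux box
    return v4 + v6 + icmp

if __name__ == "__main__":
    print(parse_6in4(build_sample()))
```

If a capture taken while the remote host pings shows no protocol 41 packet with an inner echo-request, the packets are being dropped before they reach the Linux box; if they do appear, the drop is on the Linux box or on the reply path.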