
[SOLVED] Tunnel stopped working on Ubiquiti EdgeRouter

Started by ivordurham, January 28, 2021, 09:06:02 AM


ivordurham

Since I originally set up our HE IPv6 tunnel (not actually used much yet), we added a second broadband service and configured our EdgeRouter X for load balancing across the two WAN ports. The second service is somewhat faster than the first, so I wanted to explore moving the HE tunnel from eth0 to eth1. Before making any changes I double-checked the tunnel from the router's CLI and found that "ping6 google.com" gets no replies. I'm assuming a ping from the CLI is router-originated traffic, so it bypasses the LAN-side rulesets and only the WAN-side `local` ruleset sees the replies. The router dashboard says the tunnel is "Connected" and shows traffic being transmitted, but nothing being received. "show interfaces tunnel tun0 brief" shows state/link as u/u. "show interfaces tunnel tun0" does show RX > 6M packets received, but that number is now static while the TX counters keep increasing. I tried "show interfaces tunnel tun0 capture" and see only outbound packets. The router uptime is "3 months 4 weeks 1 day" as I type, so incoming packets must have stopped at some point during those ~4 months. I don't know whether adding the second connection on eth1 affected the tunnel through eth0, but I believe that is the only change in the interim. I'm currently stumped. I've attached our (redacted) configuration in the hope someone can offer a hint on how to further diagnose or correct why incoming packets on the HE tunnel are not being received. Thanks in advance.
/* Firewall policy. The rulesets defined here are attached under
   "interfaces": WAN_IN / WAN_LOCAL on eth0 and eth1, IPv6-FW on tun0
   (both "in" and "local"), and the "balance" modify policy on switch0. */
firewall {
    /* NOTE(review): echo replies are enabled on every interface, and
       WAN_LOCAL rule 20 below accepts new ICMP from the WAN side, so the
       router answers pings from the Internet. Keep only if intended. */
    all-ping enable
    broadcast-ping disable
    group {
        /* RFC 1918 ranges; used by "modify balance" rule 10 to keep
           LAN-to-LAN traffic in the main routing table. */
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    /* IPv6 ruleset for the HE tunnel. Default drop: nothing inbound from
       the tunnel reaches a LAN host unless it is ICMPv6 or a reply. */
    ipv6-name IPv6-FW {
        default-action drop
        description "IPv6 Firewall"
        /* Accepts every ICMPv6 type. Neighbour Discovery and Packet Too Big
           must get through for IPv6 to work at all; narrowing this to the
           required types is an optional hardening step. */
        rule 10 {
            action accept
            log disable
            protocol icmpv6
        }
        rule 20 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    /* Kernel hardening: ignore ICMP redirects and source-routed packets. */
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    /* Martian logging is off. Turning it on is cheap and helps when chasing
       mis-routed or spoofed packets, such as the tunnel problem in this thread. */
    log-martians disable
    /* Policy routing for LAN traffic arriving on switch0. Rules 10-30 pin
       LAN-to-LAN traffic and traffic to the router's own public addresses
       to the main table; rule 70 sends everything else into load-balance
       group G. Router-originated packets (including the tunnel's own
       protocol-41 traffic) never pass through this policy -- those are
       governed by "lb-local enable" under load-balance. */
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 70 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    /* Forwarded IPv4 traffic arriving from either WAN (eth0 and eth1). */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
   ... BEGIN PORT FORWARDING RULES LIKE:
        /* NOTE(review): if these manual accepts really sit ahead of rule 110,
           an invalid-state packet aimed at a forwarded port is accepted before
           the "Drop invalid state" rule is reached. Placing rule 110 directly
           after rule 10 is the usual ordering. (port-forward auto-firewall is
           also enabled, which adds its own accepts for the forwards.) */
        rule NN {
            action accept
            description "DESCRIPTION"
            destination {
                address 192.168.1.XXX
                port YY
            }
            log disable
            protocol tcp
        }
   ... END PORT FORWARDING RULES ...
        /* NOTE(review): protocol 41 (6in4) is accepted here, in the *forward*
           ruleset, from any source. The tunnel terminates on this router
           (tun0 local-ip is eth0's address), so inbound tunnel packets are
           evaluated by WAN_LOCAL, not WAN_IN. WAN_LOCAL has no protocol-41
           rule; reception presumably relies on its rule 10 (established/
           related) matching conntrack's generic tracking of the router's own
           outbound tunnel packets. If the tunnel ever goes silent after an
           idle period, add an accept for protocol 41 to WAN_LOCAL limited to
           source 72.52.104.74, and tighten or drop this rule. */
        rule 90 {
            action accept
            description "Encapsulated IPv6 Packets"
            log disable
            protocol 41
        }
        rule 110 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* IPv4 traffic addressed to the router itself from either WAN. Default
       drop plus reply/ICMP-only accepts keeps SSH (22) and the GUI (80/443)
       unreachable from the Internet. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "ICMP to Router"
            log disable
            protocol icmp
            state {
                established enable
                invalid disable
                new enable
                related disable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        /* MSS clamp value matches the link-mtu (1420) advertised to LAN hosts
           by the switch0 router-advert. No interface-type is given, so which
           interfaces the clamp applies to is the EdgeOS default -- confirm it
           covers tun0 if PMTU problems show up over the tunnel. */
        mss-clamp {
            mss 1420
        }
    }
    receive-redirects disable
    send-redirects enable
    /* NOTE(review): reverse-path filtering is off. Strict mode would break the
       dual-WAN setup; "loose" is the usual compromise if spoofed-source
       packets from the WAN side are a concern. */
    source-validation disable
    syn-cookies enable
}
/* Interface definitions: two WAN ports (eth0 static, eth1 DHCP), the LAN
   switch, and the 6in4 tunnel to Hurricane Electric. */
interfaces {
    /* Primary WAN with a static address. This address is also the HE tunnel
       endpoint (tun0 local-ip) and the interface the DynDNS update is bound to. */
    ethernet eth0 {
        address yyy.yyy.yyy.85/28
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    /* Second WAN, DHCP-assigned address. Moving the tunnel here (the plan in
       this thread) would require the HE endpoint to track a changing address. */
    ethernet eth1 {
        address dhcp
        description "WAN 2"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    /* LAN. Only the "balance" modify policy is attached; no filtering
       ruleset is applied to traffic entering from the LAN. */
    switch switch0 {
        address 192.168.1.1/24
        address xxxx:xxxx:1f05:xxxx::1/64
        description Local
        firewall {
            in {
                modify balance
            }
        }
        ipv6 {
            dup-addr-detect-transmits 1
            /* SLAAC for the routed /64. link-mtu 1420 matches the mss-clamp
               value under firewall options. */
            router-advert {
                cur-hop-limit 64
                link-mtu 1420
                managed-flag false
                max-interval 600
                name-server 2001:4860:4860::8888
                other-config-flag false
                prefix xxxx:xxxx:1f05:xxxx::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                /* NOTE(review): the RDNSS address here is tun0's own address
                   (xxxx:xxxx:1f04:xxxx::2), but the DNS forwarder only listens
                   on switch0 (service dns forwarding listen-on). Presumably
                   nothing answers queries on that address, leaving LAN hosts
                   with the Google resolver above; the switch0 address
                   xxxx:xxxx:1f05:xxxx::1 is the natural one to advertise. */
                radvd-options "RDNSS xxxx:xxxx:1f04:xxxx::2 {};"
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
    /* 6in4 tunnel to HE (tserv3.fmt2). local-ip is eth0's static address,
       so every encapsulated packet must leave via eth0 with that source. With
       "lb-local enable" under load-balance the router's own packets can be
       sent out eth1 instead, where masquerade rewrites the source to eth1's
       address and HE presumably never replies -- the symptom in this thread
       (TX rising, RX static). The fix at the end of the thread is a static
       route for the HE endpoint via eth0. Both directions of tunnel traffic
       are filtered by IPv6-FW (default drop). */
    tunnel tun0 {
        address xxxx:xxxx:1f04:xxxx::2/64
        description "HE IPv6 Tunnel"
        encapsulation sit
        firewall {
            in {
                ipv6-name IPv6-FW
            }
            local {
                ipv6-name IPv6-FW
            }
        }
        local-ip yyy.yyy.yyy.85
        multicast disable
        remote-ip 72.52.104.74
        ttl 255
    }
}
/* Dual-WAN load balancing across eth0 and eth1, sticky per source address.
   "lb-local enable" also distributes traffic the router itself originates,
   which is presumably what let the HE tunnel's protocol-41 packets leave via
   eth1 with the wrong source address; the fix in this thread pins the HE
   endpoint to eth0 with a static route. No route-test / health-check
   settings are visible here, so failover behaviour is the EdgeOS default --
   confirm. */
load-balance {
    group G {
        interface eth0 {
        }
        interface eth1 {
        }
        lb-local enable
        lb-local-metric-change disable
        sticky {
            dest-addr disable
            dest-port disable
            proto disable
            source-addr enable
            source-port disable
        }
    }
}
/* Port forwards apply to eth0 only (not reachable via eth1). auto-firewall
   inserts the matching WAN_IN accepts; hairpin-nat lets LAN hosts reach the
   forwarded services through eth0's public address. */
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    wan-interface eth0
}
/* Static routing: IPv4 default via eth0's gateway (.81); IPv6 default into
   the HE tunnel. The fix from this thread belongs under "static" here:
   "interface-route 72.52.104.0/24 next-hop-interface eth0", which keeps the
   router's own packets to the HE tunnel server on eth0. A /32 for the single
   remote-ip 72.52.104.74 would be the narrower choice. */
protocols {
    static {
        interface-route6 ::/0 {
            next-hop-interface tun0 {
            }
        }
        route 0.0.0.0/0 {
            next-hop yyy.yyy.yyy.81 {
            }
        }
    }
}
/* Router services: DHCP, DNS forwarding and DynDNS, web GUI, NAT, SSH. */
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                /* Clients receive both the local forwarder and 8.8.8.8, so
                   some queries may go to Google directly, bypassing the
                   local cache. Drop the second entry if that is unwanted. */
                dns-server 192.168.1.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.199
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dhcpv6-server {
    }
    dns {
        /* HE tunnel endpoint update, bound to eth0 (the tunnel's local-ip).
           NOTE(review): the HE update key is stored in cleartext here and
           shows up in config backups and in pastes of "show configuration";
           rotate it on tunnelbroker.net if it was ever exposed unredacted. */
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name tunnelTTTTTT.tunnel.tserv3.fmt2.ipv6.he.net
                    login OURHELOGIN
                    password OURHEUPDATEKEY
                    server ipv4.tunnelbroker.net
                }
            }
        }
        /* Local resolver/cache for the LAN only (listens on switch0). */
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    /* Web GUI on 80 (cleartext) and 443. WAN_LOCAL's default drop keeps it
       off both WAN ports, so exposure is LAN-only.
       NOTE(review): "older-ciphers enable" re-enables legacy TLS cipher
       suites for the GUI; disable it unless an old client actually needs it. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        ... IPv4 PORT FORWARDING RULES ...


        /* Masquerade on both WANs. Anything routed out eth1 -- including
           router-originated packets when lb-local is enabled -- gets eth1's
           DHCP address as source, which is presumably why tunnel packets
           sent that way are ignored by HE. */
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    /* SSH is reachable only from the LAN given WAN_LOCAL's default drop.
       Key-only authentication is not configured here (password login stays
       enabled); worth considering. */
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
/* System settings: conntrack sizing, admin account, resolvers, NTP,
   hardware offload, logging, traffic analysis. */
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            /* "loose enable" lets conntrack adopt TCP flows whose handshake
               it never saw. Convenient across WAN failover, but it slightly
               weakens the established/related accepts in the firewall. */
            loose enable
            max-retrans 3
        }
    }
    host-name TheCatHouse
    /* Single admin-level account; the password hash is redacted in this paste. */
    login {
        user admin {
            authentication {
                encrypted-password ENCRYPTEDPASSWORD
            }
            level admin
        }
    }
    /* Upstream resolvers for the router and the DNS forwarder: plaintext
       DNS to Google over whichever WAN the load balancer picks. */
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    /* NOTE(review): with hwnat offload on, some forwarded flows bypass the
       software path and may not appear in interface captures; temporarily
       disable offload when a "capture" looks incomplete -- confirm against
       the EdgeOS release notes for this version. */
    offload {
        hwnat enable
        ipsec disable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Los_Angeles
    /* DPI gathers per-host application statistics for the GUI and costs CPU
       on the ER-X; disable if the traffic-analysis view is not used. */
    traffic-analysis {
        dpi enable
        export enable
    }
}




/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.11.5274269.200221.1028 */

ivordurham

The cause was the load-balancing configuration. With `lb-local enable`, the router's own outbound traffic is load-balanced too, so the encapsulated protocol-41 packets for the tunnel could be sent out eth1 and masqueraded to eth1's address — which is not the endpoint registered with HE, so the tunnel server never answered them (which matches TX rising while RX stayed static). The solution was to add a static route so the HE tunnel server is always reached via the interface that holds the registered public IP address (eth0):
set protocols static interface-route 72.52.104.0/24 next-hop-interface eth0
A /32 for the tunnel's remote-ip (72.52.104.74) would be narrower than the /24 and should work just as well. Note that with either route the tunnel will not fail over to eth1 if eth0 goes down, which is unavoidable while the tunnel endpoint is eth0's address. It is also worth checking afterwards that the DynDNS client for the tunnel (bound to eth0) still reports eth0's address to tunnelbroker.net, since its updates travel the same load-balanced path.