
configuring speedstream 4200 to be a lan router

Started by crobertp, June 26, 2009, 09:55:55 AM


crobertp

this adsl modem has a built-in dhcp server
and does auto login on my isp

thus the modem cable is connected to a 40 port switch instead of to a pc.

in turn each lan pc has a cable to the switch box

this setup is working well on ipv4 ...
via dhcp each pc gets a different ip, e.g. 192.168.254.1 ... 192.168.254.2 and on and on ...
the adsl modem (gateway) has an ip 192.168.254.254
and a public ipv4, e.g. 189.24.143.137

*however this setup is not working with ipv6

e.g. my pc is running windows xp sp3
C:\>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 2:

       Connection-specific DNS Suffix  . : cp3
       IP Address. . . . . . . . . . . . : 192.168.254.1
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       IP Address. . . . . . . . . . . . : fe80::20c:6eff:fe03:e29%4
       Default Gateway . . . . . . . . . : 192.168.254.254

Ethernet adapter aiccu:

       Media State . . . . . . . . . . . : Media disconnected

Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Connection-specific DNS Suffix  . :
       IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%6
       Default Gateway . . . . . . . . . :

Tunnel adapter Automatic Tunneling Pseudo-Interface:

       Connection-specific DNS Suffix  . : cp3
       IP Address. . . . . . . . . . . . : fe80::5efe:192.168.254.1%2
       Default Gateway . . . . . . . . . : ::209.51.161.58

C:\>

C:\>ping ipv6.google.com

Pinging ipv6.l.google.com [2001:4860:0:2001::68] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 2001:4860:0:2001::68:
   Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>



any clues on getting ipv6 working on my pc?

ps: i did this on my pc

ipv6 install
ipv6 rtu ::/0 2/::209.51.161.58 pub
ipv6 adu 2/2001:470:4:c4::2


thanks

jimb

The firewall on your speedstream needs to be configured to pass 6in4 traffic (IP protocol 41), and static destination NAT it to your windows box.

crobertp

#2
Still doesn't work

I did this ...

ipv6 uninstall

then C:\>netsh interface ipv6 install
Ok.
and then
C:\>netsh interface ipv6 show teredo
Teredo Parameters
---------------------------------------------
Type                    : default
Server Name             : default
Client Refresh Interval : default
Client Port             : default
State                   : offline
Error                   : none


C:\>#netsh interface ipv6 add v6v4tunnel IP6Tunnel 189.24.143.137 216.66.22.2
'#netsh' is not recognized as an internal or external command,
operable program or batch file.

C:\>netsh interface ipv6 add v6v4tunnel IP6Tunnel 192.168.254.1 216.66.22.2
Ok.


C:\>netsh interface ipv6 add address IP6Tunnel 2001:470:7:ff::2
Ok.


C:\>netsh interface ipv6 add route ::/0 IP6Tunnel 2001:470:7:ff::1
Ok.


C:\>ping ipv6.google.com

Pinging ipv6.l.google.com [2001:4860:0:2001::68] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 2001:4860:0:2001::68:
   Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>ping ipv6.google.com

Pinging ipv6.l.google.com [2001:4860:0:2001::68] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 2001:4860:0:2001::68:
   Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>




my windows box at ip 192.168.254.1 is running DMZ with windows firewall off
Firewall DMZ Configuration

Current DMZ Status: Enabled
Current DMZ Host IP Address: 192.168.254.1


current speedstream firewall
Inbound IP Filter Rules

Rule No. | Status | Access | Protocol | Source Interface | Source Address | Source Mask | Source Port Op | Destination Interface | Destination Address | Destination Mask | Destination Port Op | Log | Enable/Disable | Delete
2202 | P,E,N | permit | TCP | any | any | any | any | any | 192.168.254.1 | host | = 23 | no | Protected | Protected
2204 | E | permit | GRE | any | any | any | N/A | any | any | any | N/A | no | |
2206 | E | deny | TCP | any | any | any | any | any | 127.0.0.1 | host | = 53 | no | |
2206 | E | permit | 50 | any | any | any | N/A | any | any | any | N/A | no | |
2207 | E | permit | 41 | any | any | any | N/A | any | any | any | N/A | no | |
2208 | E,S | permit | UDP | any | any | any | any | any | 127.0.0.1 | host | = 53 | no | |
2210 | E | deny | UDP | any | any | any | any | any | 127.0.0.1 | host | = 53 | no | |
2212 | P,E,N | permit | UDP | any | any | any | any | any | 192.168.254.1 | host | = 4627 | no | Protected | Protected
2214 | E,N | permit | UDP | any | any | any | any | any | 192.168.254.1 | host | = 4371 | no | |
2216 | P,E,N | permit | UDP | any | any | any | any | any | 192.168.254.1 | host | = 3990 | no | Protected | Protected
2220 | P,E,N | permit | UDP | any | any | any | any | any | 192.168.254.1 | host | = 3614 | no | Protected | Protected



I am running DMZ with firewall off, thus I should receive ALL traffic that does not belong to another user
however still not working ...

any recommendations?

Thanks

jimb

#3
Try baby steps.  Can you ping the other side of the tunnel with v6?  Try to ping 2001:470:7:ff::1 .

If the DMZ functionality forwards all unsolicited traffic to your windows box, then it should be working, although I don't know speedstreams.  Does it have a firewall log?  Can you tell if it's dropping the traffic or not?

EDIT:  It looks like it has options for logging.  Turn on some logging rules.  Have it log dropped packets so you know what it's dropping.

If you're sure it's configured right and should be passing IP 41 traffic to your inside box, then perhaps your ISP is dropping IP proto 41.  In that case, your only real choice is to try Teredo.

Also, you may want to RTFM:  http://service.sympatico.ca/img_gallery/SpeedStream4200_EN.pdf

If you are "turning off" the firewall, you are turning off NAT.

crobertp

the other side is not pingable

C:\>ping 2001:470:7:ff::1

Pinging 2001:470:7:ff::1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 2001:470:7:ff::1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>ping 2001:470:7:ff::2

Pinging 2001:470:7:ff::2 with 32 bytes of data:

Reply from 2001:470:7:ff::2: time<1ms
Reply from 2001:470:7:ff::2: time<1ms
Reply from 2001:470:7:ff::2: time<1ms
Reply from 2001:470:7:ff::2: time<1ms

Ping statistics for 2001:470:7:ff::2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>


speedstream firewall log
Firewall Log

0000-00-00 246:15:18     E |Firewall             |D:19:0 TCP 70.37.129.165:80 -> 192.168.254.3:55293  len=852  id=43708  DF=1 MF=0  byte-off=0

0000-00-00 246:15:37     E |Firewall             |D:19:0 TCP 70.37.129.165:80 -> 192.168.254.3:55293  len=852  id=10155  DF=1 MF=0  byte-off=0

0000-00-00 246:16:13     E |Firewall             |D:19:0 TCP 70.37.129.165:80 -> 192.168.254.3:55293  len=852  id=55913  DF=1 MF=0  byte-off=0

0000-00-00 246:17:16     E |Firewall             |D:19:0 TCP 70.37.129.165:80 -> 192.168.254.3:55293  len=852  id=54611  DF=1 MF=0  byte-off=0

0000-00-00 246:18:20     E |Firewall             |D:19:0 TCP 70.37.129.165:80 -> 192.168.254.3:55293  len=852  id=44098  DF=1 MF=0  byte-off=0

0000-00-00 246:19:24     E |Firewall             |D:19:0 TCP 70.37.129.165:80 -> 192.168.254.3:55293  len=852  id=35091  DF=1 MF=0  byte-off=0

0000-00-00 257:21:44     E |Attack Detected      |TCP packet fragmented - 92.72.194.77:33120 -> 189.24.143.137:563  len=40  id=0



btw: if instead of using he-ipv6 I set up the teredo client,
then all ipv6 things work,
however I cannot run an ipv6 web server on my pc,
because then my ipv6 ip keeps changing.

thanks


jimb

Take a look at the edits in my last message.

Basically, what you need to get that speedstream to do is:


  1.  Match any incoming traffic from the internet: source IP == HE tunnel server, dest IP == your public IP, IP protocol == 41, ACTION:  NAT that destination address to 192.168.254.1
  2.  Put rules in the firewall (filtering) for any incoming traffic from the internet matching:  source IP == HE tunnel server, dest IP == 192.168.254.1 (presuming that filtering is done after NAT), ACTION:  permit, log = yes

However one gets a speedstream to do that, that's what you need to do.

You may also want to put a deny-all rule at the bottom of your rule list which logs, just so you can see what traffic your firewall is dropping, unless it logs dropped traffic automatically.

If worse comes to worse, and you can't get the speedstream to do a simple NAT like that, you may want to see if you have the option of simply bridging all your traffic through the speedstream, and using another more capable router/firewall behind it.

Also, do you realize that if your IP changes, you'll need to reconfigure your tunnel w/ HE every time?

It may be better to use some sort of DynDNS (if there's one out there that does v6) and use Teredo or 6to4 for your IPv6 servers.
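
The two-step inbound handling described in the last reply (destination NAT for IP protocol 41, then a logged permit with a logging deny-all underneath), modeled as an added Python example; it is not part of the thread and is not Speedstream configuration syntax. The function names are hypothetical, and treating 216.66.22.2 as the HE tunnel server is an assumption taken from the poster's netsh v6v4tunnel command.

```python
import socket
import struct

# Values taken from the thread; treating 216.66.22.2 as the HE tunnel server is an
# assumption based on the poster's netsh v6v4tunnel command.
HE_SERVER = "216.66.22.2"
PUBLIC_IP = "189.24.143.137"
LAN_HOST = "192.168.254.1"
PROTO_6IN4 = 41  # IPv6 encapsulated in IPv4

def ipv4_header(src, dst, proto, payload_len=40):
    """Constructed sample: minimal 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse(header):
    """Return (src, dst, proto) from a raw IPv4 header."""
    return (socket.inet_ntoa(header[12:16]), socket.inet_ntoa(header[16:20]),
            header[9])

def dnat(src, dst, proto):
    """Step 1: translate only protocol 41 from the tunnel server to the public IP."""
    if (src, dst, proto) == (HE_SERVER, PUBLIC_IP, PROTO_6IN4):
        return src, LAN_HOST, proto
    return src, dst, proto

def filter_after_nat(src, dst, proto, log):
    """Step 2: permit and log the translated flow; the last rule denies and logs."""
    if (src, dst, proto) == (HE_SERVER, LAN_HOST, PROTO_6IN4):
        log.append(("permit", src, dst, proto))
        return True
    log.append(("deny", src, dst, proto))
    return False

def inbound(header, log):
    """Run one inbound packet through NAT, then the filter (hypothetical pipeline)."""
    src, dst, proto = dnat(*parse(header))
    return filter_after_nat(src, dst, proto, log)

if __name__ == "__main__":
    log = []
    # Constructed packets: the tunnel server, an unrelated source, and TCP.
    for src, proto in [(HE_SERVER, 41), ("198.51.100.7", 41), (HE_SERVER, 6)]:
        inbound(ipv4_header(src, PUBLIC_IP, proto), log)
    for entry in log:
        print(entry)
```

Compared with rule 2207 in the posted table (permit 41, any source, any destination, log = no), this model only admits protocol 41 from the tunnel server and records every decision, which is what makes a silent drop visible.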