• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Problem with tunnel on Centos.

Started by lynxus, August 12, 2009, 04:32:20 AM

lynxus

Hi guys,
I've got my tunnel.
And have run this config:
ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.80.26
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:470:1f08:b3::2/64
route -A inet6 add ::/0 dev sit1

--
Output from ifconfig.

eth0      Link encap:Ethernet  HWaddr 00:19:99:56:C0:53 
          inet addr:217.174.254.30  Bcast:217.174.255.255  Mask:255.255.252.0
          inet6 addr: fe80::219:99ff:fe56:c053/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:536035 errors:0 dropped:0 overruns:0 frame:0
          TX packets:296733 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:58459953 (55.7 MiB)  TX bytes:147989333 (141.1 MiB)
          Memory:fc400000-fc420000

eth0:0    Link encap:Ethernet  HWaddr 00:19:99:56:C0:53 
          inet addr:217.174.254.115  Bcast:217.174.255.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:fc400000-fc420000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:833 errors:0 dropped:0 overruns:0 frame:0
          TX packets:833 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1488999 (1.4 MiB)  TX bytes:1488999 (1.4 MiB)

sit0      Link encap:IPv6-in-IPv4 
          inet6 addr: ::217.174.254.115/96 Scope:Compat
          inet6 addr: ::127.0.0.1/96 Scope:Unknown
          inet6 addr: ::217.174.254.30/96 Scope:Compat
          UP RUNNING NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

sit1      Link encap:IPv6-in-IPv4 
          inet6 addr: 2001:470:1f08:b3::2/64 Scope:Global
          inet6 addr: fe80::d9ae:fe73/64 Scope:Link
          inet6 addr: fe80::d9ae:fe1e/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:4592 (4.4 KiB)



I can't ping your end:

[root@server217-174-254-30 html]# ping6 2001:470:1f08:b3::1
PING 2001:470:1f08:b3::1(2001:470:1f08:b3::1) 56 data bytes

--- 2001:470:1f08:b3::1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms



Any ideas?

I've lowered the firewall but still nothing.

Thanks
G

kriteknetworks

I took this from the #ipv6 channel on freenode irc:

manual defaultroute broken in RHEL/CentOS 5.[012], use  2000::/3

lynxus

OK erm?
What?
lol.

not sure what you mean?

jimb

Perhaps the tunnel is binding to both IPv4 addresses?  Try forcing it to bind to one of the two.

Not sure how you do that using ifconfig, but with iproute (which you should be able to install) you can specify the IPv4 local end of the tunnel.

jimb

Quote from: lynxus on August 12, 2009, 04:58:36 AM
OK erm?
What?
lol.

not sure what you mean?
He means that instead of using ::/0 as your default route, use 2000::/3:  route -A inet6 add 2000::/3 dev sit1
(remove the ::/0 route too:  route -A inet6 del ::/0)

lynxus

Ah right.

Ok.

Tried that, still nothing :(

Any other thoughts?

jimb

I also noticed that there are zero RX packets.  So make sure that your firewall isn't blocking.  Make realllly sure.  Check both iptables, and ip6tables.  :P

Also verify that you gave HE the correct IPv4 address for your tunnel endpoint, and that you're using the correct one of theirs.

lynxus

Ok,

I just noticed ip6tables was on, so I just turned it off. - No avail.
I've double-checked the details:

   Server IPv4 address:    216.66.80.26
   Server IPv6 address:    2001:470:1f08:b3::1/64
   Client IPv4 address:    217.174.254.30
   Client IPv6 address:    2001:470:1f08:b3::2/64
   Anycasted IPv6 Caching Nameserver:   2001:470:20::2
   Anycasted IPv4 Caching Nameserver:   74.82.42.42
   Routed /48:    2001:470:93e5::/48
   Routed /64:    2001:470:1f09:b3::/64
   RDNS Delegation NS1:    none
   RDNS Delegation NS2:    none
   RDNS Delegation NS3:    none
   ASN:    none
   Registration Date:    Wed, Aug 12, 2009



Any thoughts on what my setup config should actually be?
I've evidently balled something up lol

jimb

Do this:

tcpdump -n -i eth0 proto 41

Then try to do an ipv6 ping.  Watch the 6in4 traffic.

Check to see which IPv4 address that the tunnel is trying to use.  It should be using 217.174.254.30.  If it's not, and it's using 217.174.254.115 instead, then there's your problem.  Force it to use 217.174.254.30.  I think you might be able to do it by using "ifconfig sit0 inet6 del ::217.174.254.115/96", but I'm not sure.  I always use the "iproute" commands instead of ifconfig for this sort of thing, because the tunnel setup, etc is much easier to use.

lynxus

Gah, still no luck.

I've tried the iproute way but nada:

iptables and ip6tables are both off.
Any thoughts anyone?

[root@server217-174-254-30 ~]# modprobe ipv6
[root@server217-174-254-30 ~]# ip tunnel add he-ipv6 mode sit remote 216.66.80.26 local 217.174.254.30 ttl 255
[root@server217-174-254-30 ~]# ip link set he-ipv6 up
[root@server217-174-254-30 ~]# ip addr add 2001:470:1f08:b3::2/64 dev he-ipv6
[root@server217-174-254-30 ~]# ip route add ::/0 dev he-ipv6
[root@server217-174-254-30 ~]# ip -f inet6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 100
    inet6 fe80::219:99ff:fe56:c053/64 scope link
       valid_lft forever preferred_lft forever
5: he-ipv6@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480
    inet6 2001:470:1f08:b3::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::d9ae:fe1e/128 scope link
       valid_lft forever preferred_lft forever
[root@server217-174-254-30 ~]#
[root@server217-174-254-30 ~]#
[root@server217-174-254-30 ~]# ping6 2001:470:1f08:b3::2
PING 2001:470:1f08:b3::2(2001:470:1f08:b3::2) 56 data bytes
64 bytes from 2001:470:1f08:b3::2: icmp_seq=0 ttl=64 time=0.027 ms
64 bytes from 2001:470:1f08:b3::2: icmp_seq=1 ttl=64 time=0.026 ms

--- 2001:470:1f08:b3::2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.026/0.026/0.027/0.005 ms, pipe 2
[root@server217-174-254-30 ~]# ping6 2001:470:1f08:b3::1
PING 2001:470:1f08:b3::1(2001:470:1f08:b3::1) 56 data bytes

--- 2001:470:1f08:b3::1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

[root@server217-174-254-30 ~]#



[root@server217-174-254-30 ~]# service ip6tables stop
[root@server217-174-254-30 ~]# ping6 2001:470:1f08:b3::1
PING 2001:470:1f08:b3::1(2001:470:1f08:b3::1) 56 data bytes

--- 2001:470:1f08:b3::1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

[root@server217-174-254-30 ~]# service iptables stop
[root@server217-174-254-30 ~]# ping6 2001:470:1f08:b3::1
PING 2001:470:1f08:b3::1(2001:470:1f08:b3::1) 56 data bytes

--- 2001:470:1f08:b3::1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

[root@server217-174-254-30 ~]#

broquea

FYI: tunnel appears configured correctly for your 217.174.254.30 IP address, however we cannot ping either your IPv4 address or IPv6. I'd guess that either the machine is offline, or filtering ICMP/ICMPv6.

lynxus

Just turned the firewalls back on.

It could* ping them when I set up the tunnel, so I would assume your end is fine.

Must be something here causing it.

Changed firewall rule to allow icmp

jimb

Perhaps there's another firewall on the way to the internet?  Your ISP/hosting company blocking proto 41?

lynxus

It could be possible, however I don't think there is, as it's just a dedicated 10meg feed.

Is there any way to verify this?

jimb

Quote from: lynxus on October 14, 2009, 02:23:14 PM
It could be possible, however I don't think there is, as it's just a dedicated 10meg feed.

Is there any way to verify this?

Ask the host?  You could also sniff on the interface with tcpdump or something (see my above message).  If you don't see return IPv4 proto 41 traffic it either means the outbound or inbound is being blocked.  

EDIT: Also, presuming you haven't checked already, you may want to see if the host offers native IPv6?
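
Added example, not part of any post in this thread: a small shell function that reads the text output of the "tcpdump -n -i eth0 proto 41" check suggested above and reports whether the tunnel is sending from the wrong local IPv4 address or getting no protocol 41 replies back. The function name, the result labels and the sample capture lines are constructed for illustration, and the line layout assumed is that of current tcpdump -n output.

```sh
#!/bin/sh
# Added example: classify `tcpdump -n -i eth0 proto 41` text output.
# Usage: check_6in4 EXPECTED_LOCAL_V4 TUNNEL_SERVER_V4 < capture.txt
check_6in4() {
    awk -v want="$1" -v server="$2" '
    $2 == "IP" && $4 == ">" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        if (dst == server) {            # encapsulated packet leaving this host
            out++
            if (src != want) { wrong++; bad = src }
        } else if (src == server) {     # encapsulated packet coming back
            inb++
        }
    }
    END {
        if (out == 0)       print "NO_OUTBOUND"         # tunnel sends nothing
        else if (wrong > 0) print "WRONG_SOURCE " bad   # bound to the other IPv4
        else if (inb == 0)  print "NO_REPLY"            # proto 41 dropped out or in
        else                print "OK"
    }'
}

# Constructed captures (not taken from the thread), using the thread addresses.
sample_wrong_source() {
    cat <<'EOF'
12:00:01.000001 IP 217.174.254.115 > 216.66.80.26: IP6 2001:470:1f08:b3::2 > 2001:470:1f08:b3::1: ICMP6, echo request, seq 0, length 64
12:00:02.000001 IP 217.174.254.115 > 216.66.80.26: IP6 2001:470:1f08:b3::2 > 2001:470:1f08:b3::1: ICMP6, echo request, seq 1, length 64
EOF
}
sample_no_reply() {
    cat <<'EOF'
12:00:01.000001 IP 217.174.254.30 > 216.66.80.26: IP6 2001:470:1f08:b3::2 > 2001:470:1f08:b3::1: ICMP6, echo request, seq 0, length 64
12:00:02.000001 IP 217.174.254.30 > 216.66.80.26: IP6 2001:470:1f08:b3::2 > 2001:470:1f08:b3::1: ICMP6, echo request, seq 1, length 64
EOF
}
sample_ok() {
    cat <<'EOF'
12:00:01.000001 IP 217.174.254.30 > 216.66.80.26: IP6 2001:470:1f08:b3::2 > 2001:470:1f08:b3::1: ICMP6, echo request, seq 0, length 64
12:00:01.020001 IP 216.66.80.26 > 217.174.254.30: IP6 2001:470:1f08:b3::1 > 2001:470:1f08:b3::2: ICMP6, echo reply, seq 0, length 64
EOF
}

for s in sample_wrong_source sample_no_reply sample_ok; do
    printf '%s: %s\n' "$s" "$($s | check_6in4 217.174.254.30 216.66.80.26)"
done
```

A NO_REPLY result cannot tell whether the outbound or the inbound direction is filtered; that still needs a capture on the far side or an answer from the hosting provider.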