
A few (related ?) problems with HE/tunnelbroker.net

Started by cowboy, September 17, 2009, 06:37:42 PM


cowboy

First I want to say thanks, I've had a tunnel for quite some time, and went stagnant during an ISP switch -- I've just recently really gotten everything going (now waiting on IPv6 glue records for my domain... then, sage, here I come) :)

Anyway, I tried to send this all in a mail to ipv6@he.net and was met with an epic fail:
n8I1KA0c025717: to=<ipv6@he.net>, ctladdr=<cowboy@....> (2000/2000), delay=00:05:11, xdelay=00:05:10, mailer=esmtp, pri=123492, relay=he.net. [IPv6:2001:470:0:76::2], dsn=4.0.0, stat=Deferred: 403 User mailbox unable to accept mail

That mail is now in deferred status, so if the problem gets fixed, you can ignore the rest of this :)

Assuming you'll see this, before the problem is fixed, I'll repeat it here:

Subject: Administratively prohibited - tunnel misconfiguration, or actually blocked ?

Endpoint:   2001:470:1F03:2a7::1/64
My side:    2001:470:1F03:2a7::2/64
Routed /48: 2001:470:a897::/48

All addresses in that routed range (i.e. 2001:470:a897:200:216:ceff:fe6e:56f2/64)
are receiving ICMP type 1 (Unreachable) code 1 (Administratively prohibited) from 2001:470:1F03:2a7::1/64
when trying to telnet to irc.ipv6.freenode.net:

$ telnet  irc.ipv6.freenode.net  6667
Trying 2001:6b0:5:1688::10...
Trying 2001:6b0:e:2018::172...
Trying 2001:1418:13:1::25...
Trying 2001:19f0:feee::dead:beef:cafe...
telnet: Unable to connect to remote host: Permission denied

But other things are working:
ping6 irc.ipv6.freenode.net
PING irc.ipv6.freenode.net(denis.it.su.se) 56 data bytes
64 bytes from denis.it.su.se: icmp_seq=1 ttl=49 time=206 ms
64 bytes from denis.it.su.se: icmp_seq=2 ttl=49 time=197 ms
64 bytes from denis.it.su.se: icmp_seq=3 ttl=49 time=196 ms
64 bytes from denis.it.su.se: icmp_seq=4 ttl=49 time=198 ms
^C
--- irc.ipv6.freenode.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 196.696/199.607/206.458/4.023 ms

traceroute6 irc.ipv6.freenode.net
traceroute to irc.ipv6.freenode.net (2001:6b0:5:1688::10), 30 hops max, 80 byte packets
 1  2001:470:a897:200::2 (2001:470:a897:200::2)  20.362 ms  28.854 ms  33.836 ms
 2  cowboy.tunnel.tserv2.fmt.ipv6.he.net (2001:470:1f03:2a7::1)  150.172 ms  15.555 ms  150.939 ms
 3  v702.core1.fmt1.he.net (2001:470:0:1f::1)  160.324 ms  162.951 ms  164.074 ms
 4  10gigabitethernet1-1.core1.pao1.he.net (2001:470:0:2e::2)  151.172 ms  168.41 ms  171.579 ms
 5  10gigabitethernet1-1.core1.lax1.he.net (2001:470:0:34::2)  184.130 ms  191.09 ms  194.669 ms
 6  10gigabitethernet4-3.core1.nyc4.he.net (2001:470:0:10e::2)  225.352 ms  206891 ms  199.609 ms
 7  10gigabitethernet1-2.core1.lon1.he.net (2001:470:0:3e::2)  272.905 ms  202.79 ms  215.233 ms
 8  2001:7f8:4::a2b:1 (2001:7f8:4::a2b:1)  214.229 ms  214.588 ms  285.572 ms
 9  dk-ore.nordu.net (2001:948:0:f00b::1)  291.764 ms  294.024 ms  288.587 ms
10  se-fre.nordu.net (2001:948:0:f03f::1)  288.984 ms  277.994 ms  285.273 ms
11  c1sth-so-6-0-0.sunet.se (2001:948:0:f051::2)  284.169 ms  255.835 ms  258.79 ms
12  a1sth-su.sunet.se (2001:6b0:dead:beef:2::222)  259.465 ms  230.460 ms  279.50 ms
13  giga-su2-gw-ge2-2.su.se (2001:6b0:5:3::1)  270.846 ms  275.921 ms  311.303 ms
14  ipv6-gw-fa0-0.su.se (2001:6b0:5:5::2)  311.430 ms  314.961 ms  322.888 ms
15  shall6-gw1.it.su.se (2001:6b0:5:ffb::2)  323.997 ms  345.737 ms  346.780 ms
16  denis.it.su.se (2001:6b0:5:1688::10)  400.534 ms  439.063 ms  477.019 ms

SMTP was flowing both directions in ipv6 (at least to lizst.debian.org), but seems to have stopped on 2009.09.15

However http to tunnelbroker.net, he.net, ipv6.google.com, etc is all working fine.

I've tried switching my default route (linux) to using just the device (he-ipv6), and using the endpoint + device, to no avail.

Am I likely doing something wrong, or is there something else at play ?

Thanks,
--
Rick
--
Rick Nelson

cowboy

One thing I did notice in the mail log was that he.net apparently tries caller-verification - and I prohibit EXPN and VRFY
unless one is authenticated (or on the private network).

Standard (& old school) security.
--
Rick Nelson

jimb

Hrm.  My /48 can get to ipv6.chat.us.freenode.net just fine.

You may want to check to see if it's not your firewall.  I've seen firewalls do that sort of thing before (fake ICMP responses when blocking) when the policy prohibits them from connecting to some site.  Stuff like websense mostly, IIRC.

cowboy

Thanks, I've heard from another US HE user that they also can make it through fine.

My firewall is straight Linux iptables/ip6tables, and I'm able to get freenode.net via ipv4 just fine.

It certainly never hurts to take another gander at the mess of scripts that create the firewall, however :)

--
rick
--
Rick Nelson

jimb

Yeh I have the same setup.  Linux/iptables/ip6tables.  No scripts though.  I just do it by hand and use ip6tables-save, etc.  May wanna check logs too to make sure it's not dropping, etc.  Scripts could be doing anything really.  :P

EDIT: You may also want to do a tcpdump on the ipv6 interface and make sure the ICMP messages are coming from the HE side of your tunnel.  If so maybe it's some ACL on their side, or something like that.
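The check jimb describes (capture on the tunnel interface, confirm the ICMPv6 "administratively prohibited" really comes from the far side of the tunnel) can be automated once you have the raw packets. The script below is an example added to this thread, not code posted by any participant: it decodes an ICMPv6 Destination Unreachable message, reports who sent it, which code it carries, and which original destination and TCP port triggered it, and flags whether the sender is the tunnel endpoint from cowboy's first post (2001:470:1F03:2a7::1). Assumptions: the input is the bare IPv6 packet with no link-layer header, the sample packet is constructed here with a zero ICMPv6 checksum that the decoder does not verify, and the port/address values in the sample are taken from the thread. The same code 1 is what a local ip6tables rule of the form `REJECT --reject-with icmp6-adm-prohibited` produces, so the sender address is what separates "my firewall" from "their ACL".

```python
"""Decode ICMPv6 Destination Unreachable replies from raw IPv6 packets.

Example added to this thread, not code from any participant. Assumes the
packet is captured on the tunnel interface without a link-layer header;
the sample packet is constructed below with a zero ICMPv6 checksum that
this decoder does not verify.
"""
import ipaddress
import struct

ICMPV6 = 58               # IPv6 next-header value for ICMPv6
TCP = 6
DEST_UNREACHABLE = 1      # ICMPv6 type 1 (RFC 4443 section 3.1)
UNREACHABLE_CODES = {
    0: "no route to destination",
    1: "communication with destination administratively prohibited",
    2: "beyond scope of source address",
    3: "address unreachable",
    4: "port unreachable",
    5: "source address failed ingress/egress policy",
    6: "reject route to destination",
}

TUNNEL_ENDPOINT = "2001:470:1F03:2a7::1"   # HE side of the tunnel, from the first post


def parse_ipv6_header(data):
    """Return the fields of a fixed 40-byte IPv6 header, or raise ValueError."""
    if len(data) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", data[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {
        "src": ipaddress.IPv6Address(data[8:24]),
        "dst": ipaddress.IPv6Address(data[24:40]),
        "next_header": next_header,
        "payload_len": payload_len,
        "hop_limit": hop_limit,
    }


def decode_unreachable(packet, tunnel_endpoint=TUNNEL_ENDPOINT):
    """Describe an ICMPv6 Destination Unreachable packet, or return None.

    The result says who sent the error, which unreachable code it carries,
    which original flow triggered it (destination and TCP port when the
    quoted header is TCP), and whether the sender is the far tunnel endpoint
    rather than something on the local side.
    """
    outer = parse_ipv6_header(packet)
    if outer["next_header"] != ICMPV6 or len(packet) < 48:
        return None
    icmp_type, code, _checksum = struct.unpack("!BBH", packet[40:44])
    if icmp_type != DEST_UNREACHABLE:
        return None
    # Bytes 44..48 are unused; the quoted invoking packet starts at offset 48.
    invoking = packet[48:]
    inner = parse_ipv6_header(invoking)
    result = {
        "sender": outer["src"],
        "code": code,
        "reason": UNREACHABLE_CODES.get(code, "unknown code"),
        "original_src": inner["src"],
        "original_dst": inner["dst"],
        "dst_port": None,
        "from_tunnel_endpoint": outer["src"] == ipaddress.IPv6Address(tunnel_endpoint),
    }
    if inner["next_header"] == TCP and len(invoking) >= 44:
        _sport, dport = struct.unpack("!HH", invoking[40:44])
        result["dst_port"] = dport
    return result


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """Build a fixed IPv6 header (used only to construct the sample packet)."""
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def build_sample_packet():
    """Constructed sample: the tunnel endpoint rejecting a TCP SYN to port 6667."""
    host = "2001:470:a897:200:216:ceff:fe6e:56f2"   # routed-/48 host from the first post
    irc = "2001:6b0:5:1688::10"                     # first irc.ipv6.freenode.net address tried
    # Minimal 20-byte TCP SYN: sport 40000, dport 6667, seq 1, ack 0, offset 5, flags SYN.
    tcp_syn = struct.pack("!HHIIBBHHH", 40000, 6667, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    invoking = ipv6_header(host, irc, TCP, len(tcp_syn)) + tcp_syn
    icmp = struct.pack("!BBHI", DEST_UNREACHABLE, 1, 0, 0) + invoking  # checksum left at 0
    return ipv6_header(TUNNEL_ENDPOINT, host, ICMPV6, len(icmp), hop_limit=63) + icmp


if __name__ == "__main__":
    info = decode_unreachable(build_sample_packet())
    print(f"{info['sender']} says: {info['reason']} (code {info['code']})")
    print(f"blocked flow: {info['original_src']} -> [{info['original_dst']}]:{info['dst_port']}")
    print("sent by tunnel endpoint:", info["from_tunnel_endpoint"])
```

Feed it real packets by reading them from a pcap written with `tcpdump -i he-ipv6 -w file 'icmp6'` and stripping the link-layer header for the capture's link type; on a tunnel interface that header is typically absent or a short raw-IP pseudo-header. If `from_tunnel_endpoint` is False and the sender is one of your own addresses, the rejection is local policy; if it is the endpoint, the block is upstream, which is what this thread turned out to be.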

broquea

You have an ancient tunnel on a tunnel-server that blocked IRC pre-2007, and these days is only used for BGP tunnels (although we didn't nuke people off of them completely, that would have been rude/mean).

I've just removed that IRC filter, so please retest.

cowboy

I've already used wireshark (old name tripwire) to verify that the icmp response was coming from the upstream endpoint.

I do need to cleanup my scripts, I started with a script per interface (for forwarding/masq), and one per service (smtp, irc, http...) With a config file per host (so the scripts were the same).

It'd certainly be a faster startup to just use save/restore, but less general (all my config files/scripts are in SVN, and cfengine is used to push/pull state to the various machines) -- overkill for my network size, but that's what I do (not to mention that I use the same setup at work).

--
Rick
--
Rick Nelson

cowboy

Quote from: broquea on September 17, 2009, 07:55:35 PM
You have an ancient tunnel on a tunnel-server that blocked IRC pre-2007, and these days is only used for BGP tunnels (although we didn't nuke people off of them completely, that would have been rude/mean).

Hrm, does that mean I should be pestering my DNS provider (as soon as they get the glue records done) to update them to a new /48 ?

Quote from: broquea on September 17, 2009, 07:55:35 PM
I've just removed that IRC filter, so please retest.

Aha... I'm not going insane (well, not because of this at any rate) :)

Indeed, I'm now connected just fine...  but should I be contemplating moving to a new tunnel ?  I'd like to wait until they get one round of .org glue records figured out before throwing them a new range, but it isn't that big a deal.

Thanks for fixing this, you guys rock !
--
Rick Nelson

jimb

LOL.  So it was an ACL on the HE side.  Heh.  Had no idea they blocked IRC back in the day.  Not surprising though, since it's often associated with hax0rz, etc (botnet control, hacker hangouts, etc).

BTW, Wireshark was called Ethereal before.  Tripwire is a whole 'nother thing (tracks changes to your system, etc).

cowboy

Quote from: jimb on September 17, 2009, 08:19:12 PM
BTW, Wireshark was called Ethereal before.  Tripwire is a whole 'nother thing (tracks changes to your system, etc).

Sigh, /me puts the bottle back in the cupboard, I've obviously had enough for one day,  I don't know how I managed to screw that up, I've been running both for (maybe too) many years :)
--
Rick Nelson

jimb