
Problem getting tunnel to work on FreeBSD 7.2

Started by cholzhauer, October 01, 2009, 12:39:29 PM


cholzhauer

Not sure what I'm missing, maybe another pair of eyes will help?

ifconfig gif0 create
ifconfig gif0 192.168.102.191 209.51.181.2
ifconfig gif0 inet6 2001:470:1f10:2aa::2 2001:470:1f10:2aa::1 prefixlen 128
route add -inet6 default 2001:470:1f10:2aa::1
ifconfig gif0 up

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:c0:7d:ce
        inet6 fe80::20c:29ff:fec0:7dce%em0 prefixlen 64 scopeid 0x1
        inet 192.168.102.191 netmask 0xfffffe00 broadcast 192.168.103.255
        inet6 2001:470:c27d:2aa::3 prefixlen 64
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active

gif0: flags=8011<UP,POINTOPOINT,MULTICAST> metric 0 mtu 1280
        inet 192.168.102.191 --> 209.51.181.2 netmask 0xff000000
        inet6 fe80::20c:29ff:fec0:7dce%gif0 prefixlen 64 scopeid 0x4
        inet6 2001:470:1f10:2aa::2 --> 2001:470:1f10:2aa::1 prefixlen 128

(Passing all IP traffic through the firewall to that NAT address)



Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0 =>
default                           2001:470:1f10:2aa::1          UGS        gif0
::1                               ::1                           UHL         lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
2001:470:1f10:2aa::1              link#4                        UHL        gif0
2001:470:1f10:2aa::2              link#4                        UHL         lo0
2001:470:c27d:2aa::/64            link#1                        UC          em0
2001:470:c27d:2aa::3              00:0c:29:c0:7d:ce             UHL         lo0

kriteknetworks

Having not described the problem, hard to say, could you elaborate?

cholzhauer

Whoops, sorry.

This is what I get when I try to ping something.

[carl@venus ~]$ ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:470:1f10:2aa::2 --> 2001:4860:b002::68
ping6: sendmsg: Network is down
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
ping6: sendmsg: Network is down
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
ping6: sendmsg: Network is down
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
^C
--- ipv6.l.google.com ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss


broquea

Is your IPv4 endpoint up to date? I can ping it from the tunnelbroker.net machine, not the tserv (guessing an ICMP allow filter). Is ICMPv6 blocked? I ask since the tserv cannot ping6 your side of the tunnel.

cholzhauer

No firewall of any sort. You won't be able to ping6 the address because I can't get the tunnel online.

broquea

Quote from: cholzhauer on October 01, 2009, 06:46:20 PM
No firewall of any sort. You won't be able to ping6 the address because I can't get the tunnel online.

So no firewall, but NAT, so does the NAT pass proto 41?

cholzhauer

I'm passing all IP traffic to the NAT IP address. I would assume that would include protocol 41?

Is tcp/41 the same thing?

I've also tried using the outside IP to create the tunnel, but that hasn't worked either.

broquea

Quote from: cholzhauer on October 01, 2009, 07:45:49 PM
I'm passing all IP traffic to the NAT IP address. I would assume that would include protocol 41?

Is tcp/41 the same thing?

I've also tried using the outside IP to create the tunnel, but that hasn't worked either.

No, protocol 41 is not a TCP/UDP port. Whatever NAT/firewall stuff you are using needs to pass protocol 41 to hosts behind it. Make sure protocols are being passed. Also, since you are NAT/firewalled, you can't specify the WAN IP when behind that. You could do it if it was being created on the machine with that IP configured on it.
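
The distinction drawn in this reply, as an added example that is not part of the original thread: a 6in4 tunnel packet carries IP protocol number 41 and has no port field at all, so a rule written for TCP port 41 never matches it. The two sample packets are constructed here (addresses taken from the thread), and the `permits_*` predicates are hypothetical stand-ins for the two ways a filter rule could be written.

```python
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_IPV6 = 6, 17, 41  # IANA IP protocol numbers

def ipv4(src, dst, proto, payload):
    """Prepend a minimal 20-byte IPv4 header (checksum left 0 for this demo)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def describe(pkt):
    """Return (ip_protocol, dst_port); dst_port is None when there are no ports."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):   # only these carry port numbers
        return proto, struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return proto, None

def inner_ipv6(pkt):
    """For a protocol 41 packet, return the inner IPv6 (src, dst), else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_IPV6 or len(pkt) < ihl + 40 or pkt[ihl] >> 4 != 6:
        return None
    return (str(ipaddress.IPv6Address(pkt[ihl + 8:ihl + 24])),
            str(ipaddress.IPv6Address(pkt[ihl + 24:ihl + 40])))

# Two ways a filter rule could be written, modelled as predicates (hypothetical).
def permits_tcp_port_41(pkt):
    return describe(pkt) == (IPPROTO_TCP, 41)

def permits_ip_proto_41(pkt):
    return describe(pkt)[0] == IPPROTO_IPV6

# Constructed sample packets (addresses taken from the thread).
_v6 = struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,
                  ipaddress.IPv6Address("2001:470:1f10:2aa::2").packed,
                  ipaddress.IPv6Address("2001:470:1f10:2aa::1").packed)
TUNNEL_PKT = ipv4("192.168.102.191", "209.51.181.2", IPPROTO_IPV6, _v6)
_tcp = struct.pack("!HHIIBBHHH", 50000, 41, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
TCP41_PKT = ipv4("192.168.102.191", "209.51.181.2", IPPROTO_TCP, _tcp)

if __name__ == "__main__":
    for name, pkt in (("6in4", TUNNEL_PKT), ("tcp/41", TCP41_PKT)):
        print(name, describe(pkt), inner_ipv6(pkt),
              permits_tcp_port_41(pkt), permits_ip_proto_41(pkt))
```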

cholzhauer

I'm passing all IP traffic to 12.199.185.10; there isn't any traffic that's being blocked.

access-list outside_acl extended permit ip any host 12.199.185.10

jimb

Quote from: cholzhauer on October 02, 2009, 05:10:27 AM
I'm passing all IP traffic to 12.199.185.10; there isn't any traffic that's being blocked.

access-list outside_acl extended permit ip any host 12.199.185.10

Are you reserving an entire IP and static NATing the whole thing to your inside BSD router?  With IOS I think this is the only way to do it.  Also, if you are doing that, might as well hang the BSD router on the outside network.  :P

cholzhauer

Quote: Are you reserving an entire IP and static NATing the whole thing to your inside BSD router?

Yep, the entire address is reserved for the machine.  It's not really IOS based, but it's close enough.

jimb

Quote from: cholzhauer on October 03, 2009, 06:52:38 AM
Quote: Are you reserving an entire IP and static NATing the whole thing to your inside BSD router?

Yep, the entire address is reserved for the machine.  It's not really IOS based, but it's close enough.

Hm.  Well if you can't get that firewall, whatever it is, to do what you want, you could always take that IP out of the NAT, put it on a 2nd interface (presuming it has one) of the BSD box and hang it on the outside with a restrictive PF set up which only allows pings and proto 41.  Then you wouldn't have to worry about NAT or the firewall at all.

cholzhauer

I managed to get everything working, but now I'm unable to provide access for the rest of my subnet.

I am trying to use an IPv6 range assigned from SixXS with this HE tunnel endpoint... would that be the source of my problems?

If not...

I have set the default route in my firewall to point to my router
ipv6 route Outside ::/0 2001:4978:1d8:d000:20e:cff:feda:59db

Here is /etc/rc.conf

ipv6_network_interfaces="em0 lo0 gif1"
ipv6_gateway_enable="YES"
ipv6_defaultrouter="2001:470:1f10:2aa::1"
ipv6_ifconfig_em0="2001:4978:1d8:d000::9"
ipv6_prefix_em0="2001:4978:1d8:d000"
gif_interfaces="gif1"
gifconfig_gif1="12.199.185.10 209.51.181.2"
ipv6_ifconfig_gif1="2001:470:1f10:2aa::2/64"


Routing table from freebsd router:

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0 =>
default                           2001:470:1f10:2aa::1          UGS        gif1
::1                               ::1                           UHL         lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
2001:470:1f10:2aa::/64            link#5                        UC         gif1
2001:470:1f10:2aa::1              link#5                        UHLW       gif1
2001:470:1f10:2aa::2              link#5                        UHL         lo0
2001:4978:1d8:c000::/64           2001:4978:1d8:d000:21d:a2ff:feaf:2ffd UGS         em0
2001:4978:1d8:d000::              00:0e:0c:da:59:db             UHL         lo0 =>
2001:4978:1d8:d000::/64           link#2                        UC          em0
2001:4978:1d8:d000::9             00:0e:0c:da:59:db             UHL         lo0
2001:4978:1d8:d000::10            00:1c:25:20:d2:be             UHLW        em0
2001:4978:1d8:d000:20e:cff:feda:59db 00:0e:0c:da:59:db             UHL         lo0
2001:4978:1d8:d000:21d:a2ff:feaf:2ffd 00:1d:a2:af:2f:ff             UHLW        em0
2001:4978:1d8:e000::/64           2001:4978:1d8:d000:21d:a2ff:feaf:2ffd UGS         em0
2001:4978:1d8:f000::/64           2001:4978:1d8:d000:21d:a2ff:feaf:2ffd UGS         em0


IPv6 access from the freebsd router works fine.

Thanks

broquea

Quote from: cholzhauer on October 13, 2009, 09:51:51 AM
I managed to get everything working, but now I'm unable to provide access for the rest of my subnet.

I am trying to use an IPv6 range assigned from SixXS with this HE tunnel endpoint... would that be the source of my problems?

Totally your problem. Use SixXS address space with SixXS tunnels; don't mix the two. If you use our tunnel, use the statically routed /64 subnet we allocate when your tunnel is created.
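
One way to check a configuration for the mix-up described in this reply, as an added example that is not part of the original thread: it parses the `rc.conf` lines posted above and reports every non-tunnel interface whose IPv6 network lies outside the /64 the broker routes to the tunnel. The function names are hypothetical, and `ROUTED_PREFIX` is an assumption: the thread never states the routed /64, so the value is inferred from the `em0` address in the first post.

```python
import ipaddress
import re

# rc.conf lines copied from the post earlier in the thread.
RC_CONF = '''
ipv6_network_interfaces="em0 lo0 gif1"
ipv6_gateway_enable="YES"
ipv6_defaultrouter="2001:470:1f10:2aa::1"
ipv6_ifconfig_em0="2001:4978:1d8:d000::9"
ipv6_prefix_em0="2001:4978:1d8:d000"
gif_interfaces="gif1"
gifconfig_gif1="12.199.185.10 209.51.181.2"
ipv6_ifconfig_gif1="2001:470:1f10:2aa::2/64"
'''

# Assumption: routed /64 inferred from em0's address in the first post.
ROUTED_PREFIX = "2001:470:c27d:2aa::/64"

ENTRY = re.compile(r'^ipv6_(ifconfig|prefix)_(\w+)="([^"]+)"', re.M)

def interface_networks(rc_conf):
    """Map interface name -> set of IPv6 networks configured in rc.conf."""
    nets = {}
    for kind, ifname, value in ENTRY.findall(rc_conf):
        token = value.split()[0]
        if kind == "prefix":            # ipv6_prefix_* holds the first 64 bits
            token += "::/64"
        elif "/" not in token:          # bare address: treat as a /64 host
            token += "/64"
        nets.setdefault(ifname, set()).add(
            ipaddress.ip_network(token, strict=False))
    return nets

def unrouted_lan_prefixes(rc_conf, routed_prefix):
    """Return (interface, network) pairs the broker will not route back."""
    routed = ipaddress.ip_network(routed_prefix)
    bad = []
    for ifname, nets in sorted(interface_networks(rc_conf).items()):
        if ifname.startswith("gif"):    # tunnel point-to-point link, not LAN
            continue
        bad += [(ifname, str(n)) for n in sorted(nets)
                if not n.subnet_of(routed)]
    return bad

if __name__ == "__main__":
    print(unrouted_lan_prefixes(RC_CONF, ROUTED_PREFIX))
```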