Hurricane Electric's IPv6 Tunnel Broker Forums

Advanced search  

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Author Topic: netgear fvs318  (Read 4623 times)

copycats

  • Newbie
  • *
  • Posts: 3
netgear fvs318
« on: October 08, 2009, 08:10:19 PM »

Hey, can anyone tell me yes or no  ??? is it possible to connect to Hurricane Electric from behind a netgear fvs318v3 router? Before you flame, really did spend lots of time looking through this forum, and anywhere else I could think of. My ifconfig output looks just like many who have this working, and don't know how to tell if the router passes protocol 41.
Thanks in advance for your two (three) letters! :) :(
Logged

jimb

  • Hero Member
  • *****
  • Posts: 805
  • ^^^ Warped picture
Re: netgear fvs318
« Reply #1 on: October 08, 2009, 09:10:13 PM »

For your specific router, it looks like it does not allow arbitrary transport proto forwarding, and only allows TCP or UDP ports.  So you must either use the DMZ functionality (make your 6in4 router IP the DMZ), or rely on inside initiated 6in4 traffic opening a hole to the tunnel server in your firewall's connection table.

If you opt for the DMZ functionality, make sure you secure your 6in4 router, as any unsolicited/unmapped traffic will automatically be forwarded to it.  

If you rely on the connection table, you should determine the TTL of the connection table entries on your firewall(perhaps by trial and error), and set up a cron job or something similar on the 6in4 router to do an IPv6 ping at some interval just short of that TTL.  So for instance, if the TTL is about 5 minutes, set up a cron job or ping with an interval of say, 4 minutes 55 seconds.  That way it will keep the hole open.

Whichever you do, make sure you checkmark the "Respond to Ping on Internet WAN Port" item on the rules page.

The easiest way to determine whether the firewall is forwarding the traffic properly is to just do a tcpdump and look for 6in4 traffic between your 6in4 router and the tunnel server (going in both directions).  Something like "tcpdump -i eth0 -n proto 41".  If you don't see 6in4 traffic coming from the tserv destined for your router, it means your firewall is blocking it.

Also, make sure you are using the PRIVATE IPv4 address of your 6in4 router as the IPv4 tunnel source address on the 6in4 router, and not your public IP.

It might be possible that your firewall just plain refuses to forward proto 41.  In that case, see if there's a new firmware version fixing this problem, or complain to Netgear about it, or get a new firewall.  :P
« Last Edit: October 08, 2009, 09:12:42 PM by jimb »
Logged

copycats

  • Newbie
  • *
  • Posts: 3
Re: netgear fvs318
« Reply #2 on: October 08, 2009, 10:35:07 PM »

Thank you for the speedy and informative reply.
Already tried most of what you advised, will get the rest done in the morning.
Firmware on the router is the latest (unless they updated while typing this reply)(odds?).

Again, many thanks. ;D
Logged

copycats

  • Newbie
  • *
  • Posts: 3
Re: netgear fvs318
« Reply #3 on: October 09, 2009, 10:09:11 PM »

Well, here is the update.
Started up wireshark, filtered to only see packets addressed to the Hurricane Electric side v4 address of 72.52.104.74. "ping" with that address shows up in wireshark and the netgear router logs. "ping6" shows up in wireshark (they are actually reading the encap packets for the address) and the netgear router is a black hole for logging. Big fat blank (not considering the normal network traffic here). And yes, that was with DMZ enabled for the host that was pinging.  >:( >:( >:( And yes, respond to ping on the WAN side has been enabled for months, and still is.
Looks like a dead issue, thanks again for your help!
Logged