
Help with 6in4 tunnel to NAT'ed Win7 via IPCop (linux based) router.

Started by neils58, March 01, 2010, 06:46:04 AM


neils58

As in the subject, I am trying to connect my Windows 7 laptop (internal IPv4 192.168.1.117) over my IPv6 tunnel, and I have a NATting IPCop router in the way.
On the windows machine I have run the following:
netsh interface ipv6 add v6v4tunnel IP6Tunnel 192.168.1.117 216.66.80.26
netsh interface ipv6 add address IP6Tunnel 2001:470:1f08:88a::2
netsh interface ipv6 add route ::/0 IP6Tunnel 2001:470:1f08:88a::1
netsh interface ipv6 set route 2001:470:1f08:88a::2/64 IP6Tunnel metric=4


On the IPCop machine I couldn't see a handy option in the web interface for forwarding protocol 41, and Google wasn't particularly helpful, but I ssh'd in and ran the following:

# iptables -t filter -A INPUT -p ipv6 -s 0/0 -d 0/0 -j ACCEPT
# iptables -t filter -A OUTPUT -p ipv6 -s 0/0 -d 0/0 -j ACCEPT
# iptables -t filter -A FORWARD -p ipv6 -s 0/0 -d 192.168.1.117/24 -j ACCEPT


What have I missed? I can ping the IPv4 address of the tunnel server (216.66.80.26) OK, so connectivity that way is fine, and I can ping the local 2001:470:1f08:88a::2 address, but I can't ping 2001:470:1f08:88a::1 or any IPv6 Internet hosts.


Laptop IPConfig, route table etc:
C:\Users\Neil>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Zarf-Delta
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : localdomain

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : ****************
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : localdomain
   Description . . . . . . . . . . . : Broadcom NetLink (TM) Fast Ethernet
   Physical Address. . . . . . . . . : ************
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::fca4:b97f:c18:ea4e%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.117(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 27 February 2010 21:14:41
   Lease Expires . . . . . . . . . . : 01 March 2010 15:32:18
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DHCPv6 IAID . . . . . . . . . . . : 234890158
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-0E-F2-96-00-23-AE-07-1C-84

   DNS Servers . . . . . . . . . . . : 192.168.1.254
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain
   Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
   Physical Address. . . . . . . . . : *****************
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.localdomain:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{34FF5EFB-A21D-4BDA-AC4E-72C27AC731D6}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter IP6Tunnel:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Direct Point-to-point Adapater
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\Neil>route print
===========================================================================
Interface List
16...00 1f 3a d7 43 16 ......Bluetooth Device (Personal Area Network)
11...00 23 ae 07 1c 84 ......Broadcom NetLink (TM) Fast Ethernet
13...00 1d e0 3a 71 89 ......Intel(R) Wireless WiFi Link 4965AGN
  1...........................Software Loopback Interface 1
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
27...00 00 00 00 00 00 00 e0 Microsoft Direct Point-to-point Adapater
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.117     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.117    276
    192.168.1.117  255.255.255.255         On-link     192.168.1.117    276
    192.168.1.255  255.255.255.255         On-link     192.168.1.117    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.117    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.117    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
11    276 fe80::/64                On-link
11    276 fe80::fca4:b97f:c18:ea4e/128
                                    On-link
  1    306 ff00::/8                 On-link
11    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
If Metric Network Destination      Gateway
  0 4294967295 ::/0                     2001:470:1f08:88a::1
  0      4 2001:470:1f08:88a::/64   On-link
===========================================================================

C:\Users\Neil>ping -6 ipv6.google.com

Pinging ipv6.l.google.com [2a00:1450:8006::6a] with 32 bytes of data:
General failure.
General failure.
General failure.
General failure.

Ping statistics for 2a00:1450:8006::6a:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\Neil>



IPCop iptables -L
root@ipcop:~ # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
BADTCP     all  --  anywhere             anywhere
ACCOUNT_INPUT  all  --  anywhere             anywhere
CUSTOMINPUT  all  --  anywhere             anywhere
FW_ADMIN   all  --  anywhere             anywhere
FW_INPUT   all  --  anywhere             anywhere
FW_IPCOP   all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
DROP       all  --  127.0.0.0/8          anywhere            state NEW
DROP       all  --  anywhere             127.0.0.0/8         state NEW
REDINPUT   all  --  anywhere             anywhere
FW_XTACCESS  all  --  anywhere             anywhere            state NEW
FW_LOG     all  --  anywhere             anywhere
ACCEPT     ipv6 --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
BADTCP     all  --  anywhere             anywhere
ACCOUNT_FORWARD_IN  all  --  anywhere             anywhere
ACCOUNT_FORWARD_OUT  all  --  anywhere             anywhere
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
CUSTOMFORWARD  all  --  anywhere             anywhere
FW_FORWARD  all  --  anywhere             anywhere
FW_IPCOP_FORWARD  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
DROP       all  --  127.0.0.0/8          anywhere            state NEW
DROP       all  --  anywhere             127.0.0.0/8         state NEW
PORTFWACCESS  all  --  anywhere             anywhere            state NEW
FW_LOG     all  --  anywhere             anywhere
ACCEPT     ipv6 --  anywhere             Zarf-Delta

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCOUNT_OUTPUT  all  --  anywhere             anywhere
CUSTOMOUTPUT  all  --  anywhere             anywhere
ACCEPT     ipv6 --  anywhere             anywhere

Chain ACCOUNT_FORWARD_IN (1 references)
target     prot opt source               destination

Chain ACCOUNT_FORWARD_OUT (1 references)
target     prot opt source               destination

Chain ACCOUNT_INPUT (1 references)
target     prot opt source               destination

Chain ACCOUNT_OUTPUT (1 references)
target     prot opt source               destination

Chain BADTCP (2 references)
target     prot opt source               destination
PSCAN      tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PSCAN      tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PSCAN      tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
PSCAN      tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
PSCAN      tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
NEWNOTSYN  tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW

Chain CUSTOMFORWARD (1 references)
target     prot opt source               destination

Chain CUSTOMINPUT (1 references)
target     prot opt source               destination

Chain CUSTOMOUTPUT (1 references)
target     prot opt source               destination

Chain FW_ADMIN (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:oa-system
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds

Chain FW_DMZHOLES (0 references)
target     prot opt source               destination

Chain FW_FORWARD (1 references)
target     prot opt source               destination

Chain FW_INPUT (1 references)
target     prot opt source               destination

Chain FW_IPCOP (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http-alt
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request

Chain FW_IPCOP_FORWARD (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain FW_LOG (2 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning prefix `RED DROP '
DROP       all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level warning prefix `GREEN REJECT '
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       all  --  anywhere             anywhere

Chain FW_XTACCESS (1 references)
target     prot opt source               destination

Chain NEWNOTSYN (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `NEW not SYN? '
DROP       all  --  anywhere             anywhere

Chain PORTFWACCESS (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.1.102       tcp dpt:12443
ACCEPT     udp  --  anywhere             192.168.1.102       udp dpt:12443

Chain PSCAN (5 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `TCP Scan? '
LOG        udp  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `UDP Scan? '
LOG        icmp --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `ICMP Scan? '
LOG        all  -f  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `FRAG Scan? '
DROP       all  --  anywhere             anywhere

Chain REDINPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:bootps dpt:bootpc
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc

Chain WIRELESSFORWARD (0 references)
target     prot opt source               destination

Chain WIRELESSINPUT (0 references)
target     prot opt source               destination


neils58

Never mind, cleaned house and started again, this time using netsh interface ipv6 add v6v4tunnel interface=IP6Tunnel 192.168.1.117 216.66.80.26 because I'm on 64-bit.

C:\Users\Neil>ping -6 ipv6.google.com

Pinging ipv6.l.google.com [2a00:1450:8006::63] with 32 bytes of data:
Reply from 2a00:1450:8006::63: time=61ms
Reply from 2a00:1450:8006::63: time=63ms
Reply from 2a00:1450:8006::63: time=83ms
Reply from 2a00:1450:8006::63: time=62ms

Ping statistics for 2a00:1450:8006::63:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 61ms, Maximum = 83ms, Average = 67ms

C:\Users\Neil>


:D

jimb

BTW, you shouldn't need the INPUT or OUTPUT chain rules on the iptables firewall.

All you need is a NAT rule for proto 41 traffic (iptables --append PREROUTING --table nat --destination <outside IP>  --proto 41 --jump DNAT --to-destination <inside IP>), and a rule in the FORWARD chain allowing the traffic to the NATed IP (as you had in your OP).

May I suggest, however, that you simply terminate your 6in4 tunnel to the Linux router instead of the Windows box?  That way you wouldn't even need to deal with NAT, and you could use your routed /64 IPv6 on the inside for any machine you want on your LAN, and even automate address assignment by using radvd or DHCPv6.  Just make sure you set up ip6tables so your IPv6 enabled boxen aren't wide open.
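The protocol-41 DNAT plus FORWARD rules jimb describes, written out as a small POSIX shell script. This is an added example, not jimb's or IPCop's own code: the outside address 203.0.113.10 is a placeholder, the inside host and tunnel server are the ones from the original post, and, unlike the any-to-any rules in the OP, the source is narrowed to the HE tunnel server so the router does not accept encapsulated IPv6 from arbitrary hosts.

```shell
#!/bin/sh
# Added example (not from the thread): pass 6in4 (IP protocol 41) through a
# NATting Linux router to one inside host, as suggested above.
# Assumed values: OUTSIDE_IP is a placeholder for the router's public address.
OUTSIDE_IP="${OUTSIDE_IP:-203.0.113.10}"          # placeholder public address
INSIDE_IP="${INSIDE_IP:-192.168.1.117}"           # the laptop from the OP
TUNNEL_SERVER="${TUNNEL_SERVER:-216.66.80.26}"    # HE tunnel server from the OP
IPT="${IPT:-iptables}"

# Emit the rules as text first so they can be reviewed before being applied.
# Rule 1: rewrite inbound protocol 41 from the tunnel server to the inside host.
# Rules 2-3: let the forwarded protocol 41 traffic cross the FORWARD chain in
# both directions, restricted to the tunnel server as the only outside peer.
proto41_rules() {
    cat <<EOF
$IPT -t nat -A PREROUTING -d $OUTSIDE_IP -s $TUNNEL_SERVER -p 41 -j DNAT --to-destination $INSIDE_IP
$IPT -A FORWARD -s $TUNNEL_SERVER -d $INSIDE_IP -p 41 -j ACCEPT
$IPT -A FORWARD -s $INSIDE_IP -d $TUNNEL_SERVER -p 41 -j ACCEPT
EOF
}

# Number of rules generated (used as a quick sanity check).
proto41_rule_count() {
    proto41_rules | wc -l | tr -d ' '
}

# Returns 0 only if no generated rule is open to any source (0/0 or anywhere).
proto41_rules_are_scoped() {
    if proto41_rules | grep -q -- '-s 0/0\|-s anywhere'; then
        return 1
    fi
    return 0
}

# Print the rules by default; apply them only when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    proto41_rules | sh -e
else
    proto41_rules
fi
```

Run it without arguments to review the rules, then with `--apply` on the router; the outbound direction still relies on the router's existing masquerading of the inside host towards the tunnel server.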

montaj0211

access-list Split_Tunnel_List standard permit 10.0.1.0 255.255.255.0
group-policy hillvalleyvpn attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Split_Tunnel_List
tunnel-group hillvalleyvpn general-attributes
  default-group-policy hillvalleyvpn

Mierdin

Quote from: jimb on March 01, 2010, 01:10:21 PM
May I suggest, however, that you simply terminate your 6in4 tunnel to the Linux router instead of the Windows box?  That way you wouldn't even need to deal with NAT, and you could use your routed /64 IPv6 on the inside for any machine you want on your LAN, and even automate address assignment by using radvd or DHCPv6.  Just make sure you set up ip6tables so your IPv6 enabled boxen aren't wide open.

I agree - this seems to be the best way to go. I wouldn't normally be opposed to terminating the tunnel to a router so that there's no additional hardware needed, since the same results are produced, but I bricked (not permanently) a few routers by doing that with DD-WRT.