How to add/set route from Routed /64 to Tunnel Endpoint?

[dawkco]

Hi.  I'm running WS2008, WS2003 and Win2000 Server on a public network with no routers in my area of control.  Internet access is through a multilayer switch set up as a port blocking firewall.

I set up the IPv6 Tunnel Endpoint on my WS2008 machine, set an "Allow" rule for Protocol 41 on the switch and I am now able to ping the local and remote tunnel endpoints, as well as IPv6 sites on the Internet.

However, when I try to set an IPv6 address from the Routed /64 into my NIC on the WS2008 machine, I get no access to/from that IPv6 address.  I tried setting the tunnel endpoint as the Gateway, but I get an error message because the gateway (tunnel endpoint) and the NIC address are on different subnets.

My tunnel endpoint is 2001:470:1f04:a85::2
My Routed /64 is 2001:470:1f05:a85::/64

I'm trying to use:
2001:470:1f05:a85::6 on the WS2008 machine
2001:470:1f05:a85::7 on the Win2000 Server machine
2001:470:1f05:a85::9 on the WS2003 machine
2001:470:1f05:a85::10 on the WS2003 machine

But I don't know how to add/set a route between the two subnets to make this work.  Adding a router is not an option.  I'm sure there is probably some easy way to do this by setting static routes in some routing tables, but the Netsh documentation doesn't amplify much on what the commands really mean in practice.  Can anybody steer me in the right direction?

Thanks.

Dave

[jimb]

On the WS2008 machine you need to have a default route for IPv6 pointing through the tunnel interface, so:

netsh int ipv6 add route ::/0 <ifindex or name of tunnel inteface> 2001:470:1f04:a85::1

(but you've probably already done that if you can ping stuff on the IPv6 internet unless it's using Teredo).

Then on all other machines you'd set the default route to the WS2008 machine like so:

netsh int ipv6 add route ::/0 <ifindex or name of LAN interface> 2001:470:1f05:a85::6

This will cause the other machines to send IPv6 traffic for the internet to the WS2008 box which will route it through the tunnel.

As for setting up IPv6 forwarding and firewall rules on the 2008 box to allow it to be an IPv6 router, that's something I haven't done.  :P

[dawkco]

jimb,

Thanks, but the tunnel route was already set up correctly and that works OK.

The Problem is that the Routed /64 addresses can't reach the tunnel.  The Routed /64 addresses are on a different subnet than the tunnel endpoint and I need a way to route from the Routed /64 addresses to the tunnel (without adding a hardware router!).

BTW, I'm not running Windows Firewall, so that's not an issue.

Anybody else?!

[jimb]

jimb,

Thanks, but the tunnel route was already set up correctly and that works OK.

The Problem is that the Routed /64 addresses can't reach the tunnel.  The Routed /64 addresses are on a different subnet than the tunnel endpoint and I need a way to route from the Routed /64 addresses to the tunnel (without adding a hardware router!).

BTW, I'm not running Windows Firewall, so that's not an issue.

Anybody else?!

That WILL route the routed /64 to and through the tunnel.

Both the WS2008 box, and all the boxes on the LAN have connected routes to 2001:470:1f05:a85::/64 by virtue of the fact that they have addresses from that network configured on their LAN interfaces.  So they can talk to each other on the LAN.

The WS2008 knows how to get to the IPv6 internet by virtue of the default route whose next hop is set to the HE tunnel server on the other side of the 6in4 tunnel.

The hosts on the LAN know how to get to the IPv6 internet by virtue of the default route whose next hop is the WS2008 box.  The WS2008 box needs to be set up as a router.  To do that, it needs to have whatever it might need done to it to tell it to forward IPv6 (e.g. act as a router).  Not sure how to do THAT.  It also needs the firewall set up to allow the traffic, but since you have that turned off (inadvisable since it will make your hosts wide open to the internet) that probably doesn't matter (even though you spoke of the Windows firewall allow rule in your last message).

Try this:  ping the WS2008 box's LAN interface from the other hosts.  Can you reach them?  Now try to ping the WS2008's tunnel interface address.  Can you reach that?  Now try to ping the other side of the tunnel from one of the LAN boxes.  If you can reach that you know the WS2008 box is routing IPv6 traffic.  

If not, check logs and such, and look into whatever you need to do to tell windows to be a router, if anything is required (the equivalent net.ipv4.ip_forward = 1 on linux).  

The route commands I gave you will take care of the routing side of things though.  Any firewall or ip forwarding policy issues you'll have to figure out.

-Jim

EDIT: You also may want to make sure the ipv6 privacy stuff is turned off on at least the WS2008 router machine, since you probably don't want it changing IPv6 addresses automatically.  (netsh int ipv6 set privacy disabled)

[dawkco]

That WILL route the routed /64 to and through the tunnel.

... The WS2008 box needs to be set up as a router.  To do that, it needs to have whatever it might need done to it to tell it to forward IPv6 (e.g. act as a router).  Not sure how to do THAT.  It also needs the firewall set up to allow the traffic, but since you have that turned off (inadvisable since it will make your hosts wide open to the internet) that probably doesn't matter (even though you spoke of the Windows firewall allow rule in your last message).

...

If not, check logs and such, and look into whatever you need to do to tell windows to be a router, if anything is required (the equivalent net.ipv4.ip_forward = 1 on linux).  

The route commands I gave you will take care of the routing side of things though. ...

-Jim

EDIT: You also may want to make sure the ipv6 privacy stuff is turned off on at least the WS2008 router machine, since you probably don't want it changing IPv6 addresses automatically.  (netsh int ipv6 set privacy disabled)

Unfortunately, the "add route" command you recommended, which is what was used to build the tunnel in the first place, does NOT cause the Routed /64 addresses to route to and through the tunnel.  Example, if I set my NIC address to 2001:470:1f05:a85::6 (which is in the routed /64) and then try to ping either tunnel endpoint from that address, it fails, as follows:

C:\>ping -6 -S 2001:470:1f05:a85::6 2001:470:1f04:a85::1
Pinging 2001:470:1f04:a85::1 from 2001:470:1f05:a85::6 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 2001:470:1f04:a85::1:
   Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>ping -6 -S 2001:470:1f05:a85::6 2001:470:1f04:a85::2
Pinging 2001:470:1f04:a85::2 from 2001:470:1f05:a85::6 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 2001:470:1f04:a85::2:
   Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

BTW, I tried this with no gateway address on the NIC, then with the local tunnel endpoint IP as the NIC gateway address, then with the remote tunnel endpoint IP as the NIC gateway address, and then even with the NIC address as the gateway address.  None of those worked.

However, as I noted before, the tunnel does work if you access it from the "IP6Tunnel" interface itself.  Example:

C:\>ping -6 2001:470:1f04:a85::1
Pinging 2001:470:1f04:a85::1 from 2001:470:1f04:a85::2 with 32 bytes of data:
Reply from 2001:470:1f04:a85::1: time=17ms
Reply from 2001:470:1f04:a85::1: time=103ms
Reply from 2001:470:1f04:a85::1: time=122ms
Reply from 2001:470:1f04:a85::1: time=62ms

Ping statistics for 2001:470:1f04:a85::1:
   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
   Minimum = 17ms, Maximum = 122ms, Average = 76ms

The "Allow" rule I set for Protocol 41 was on the multilayer switch hardware, not Windows Firewall--as I said Windows Firewall is turned OFF.

I'm thinking that  netsh interface ipv6 set privacy only applies if you're using Autoconfigured addresses, which I'm not.  I'll try disabling privacy, but I doubt it has anything to do with it.

Obviously, my original question was and still is--How do I set up the WS2008 NIC to act as a router?  Other than that, we seem to keep repeating ourselves here.  I appreciate your effort, but could we get back to my original question, please?

[cholzhauer]

There is a flag you need to set in the "netsh int ipv6 int#" properties

I don't have a Server 2008 or vista machine in front of me, so I can't give you the exact syntax.  I know there is a flag you need to set though to tell the OS to act as a router.

Googling around for "netsh ipv6 flags" or something should help.

[dawkco]

I'm not finding anything that works.

[jimb]

Your non-working pings are probably do to the router functionality thing I mentioned earlier.  It's what cholz was talking about too.  

Googling around a bit, I think you have to turn on routing and remote access and enable routing.

These technet sections are probably worth looking at:

http://technet.microsoft.com/en-us/library/cc757719%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc781568%28WS.10%29.aspx

http://technet.microsoft.com/en-us/library/cc730711%28WS.10%29.aspx#BKMK_4

[cholzhauer]

Is this Server 2008 R2 or just Server 2008?

Back when I was with Sixxs, I tried using a Server 2008 machine to host my tunnel.  Long story short, it didn't work, and I'm trying to remember why.  It was caused by Server 2008; I can't remember if it was a bug in the Sixxs program or if it was in Server 2008.

If you can wait, tomorrow when I get to work I can poke around in netsh and let you know what I find.

[dawkco]

Your non-working pings are probably do to the router functionality thing I mentioned earlier.  It's what cholz was talking about too.  

Googling around a bit, I think you have to turn on routing and remote access and enable routing.

These technet sections are probably worth looking at:...

Yeah, that was I was thinking too.  I was about to install RRAS, but ran out of time last night.  I'll try today.  It's looks a bit involved because installing IP Routing requires installing RRAS, which requires installing NAP, and so on.  I just want the routing with the least impact otherwise (i.e., admin, side-effects, etc.).

I'll post back later...

[dawkco]

Is this Server 2008 R2 or just Server 2008?

Back when I was with Sixxs, I tried using a Server 2008 machine to host my tunnel.  Long story short, it didn't work, and I'm trying to remember why.  It was caused by Server 2008; I can't remember if it was a bug in the Sixxs program or if it was in Server 2008.

If you can wait, tomorrow when I get to work I can poke around in netsh and let you know what I find.

I'm on Server 2008 Standard.  The tunnel is fine--it's just getting the Routed/64 to work that's a problem.  If I only had one machine, I could just use the tunnel endpoint and be done, but I have two Name Servers and a Web/Mail Server that I want to start hosting via IPv6 also, so I need the Routed /64.  And, I'd like to start taking the IPv6 Cert. exams.  Adding another hardware router is just impractical in my setup.

BTW, the tunnel was constructed with the following:
netsh interface teredo set state disabled
netsh interface ipv6 add v6v4tunnel IP6Tunnel 65.168.232.6 72.52.104.74
netsh interface ipv6 add address IP6Tunnel 2001:470:1f04:a85::2
netsh interface ipv6 add route ::/0 IP6Tunnel 2001:470:1f04:a85::1

I set the NIC address as follows:
netsh interface ipv6 add address interface="Local Area Connection" address=2001:470:1f05:a85::6
netsh interface ipv6 set interface interface="Local Area Connection" forwarding=enabled advertise=enabled nud=enabled routerdiscovery=enabled

Note:  I originally, tried routerdiscovery=disabled along with the following route table entries, which didn't work either.  Also, I updated the system registry value IPEnableRouter to (DWORD)1 at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

I tried adding the following route table entries, one at a time--I deleted non-working route table entries as I went--none worked:

netsh interface ipv6 add route prefix=::/0 interface="Local Area Connection" nexthop=2001:470:1f04:a85::1 publish=yes

netsh interface ipv6 add route prefix=::/0 interface="Local Area Connection" nexthop=2001:470:1f04:a85::2 publish=yes

netsh interface ipv6 add route prefix=::/0 interface="Local Area Connection" nexthop=2001:470:1f05:a85::6 publish=yes

netsh interface ipv6 add route prefix=2001:470:1f05:a85::/64 interface="Local Area Connection" nexthop=2001:470:1f04:a85::1 publish=yes

netsh interface ipv6 add route prefix=2001:470:1f05:a85::/64 interface="Local Area Connection" nexthop=2001:470:1f04:a85::2 publish=yes

And, I tried using no default gateway entry at all.  Since nothing worked, I just disabled IPv6 on the NIC for now.  The tunnel still works and I currently have the following IPv6 route table:

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       Manual    256  ::/0                       15  2001:470:1f04:a85::1
No       Manual    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       Manual    256  2001:470:1f04:a85::2/128   15  IP6Tunnel
No       Manual    256  fe80::/64                  15  IP6Tunnel
No       Manual    256  fe80::200:5efe:65.168.232.6/128   16  Local Area Connection* 8
No       Manual    256  fe80::4571:e519:fffa:2d7f/128   15  IP6Tunnel
No       Manual    256  ff00::/8                    1  Loopback Pseudo-Interface 1
No       Manual    256  ff00::/8                   15  IP6Tunnel

My next move is to try installing RRAS.  I've had bad experiences with RRAS in the past (on Win2K and WS2003), so I'm not expecting a miracle...wish me luck.

[jimb]

I think the routing service is needed just for Windows to route packets from one interface to another.  Perhaps it does this by sending it off to a service.  I don't know enough about windows internal architecture to know for sure.

On linux, IP routing is built into the proto stack in the kernel, but needs to be enabled for security reasons by essentially flipping a bit.

I'm not sure why you would have added some of those routes.

The only default routes you need is the default pointing to the other side of the tunnel on the box which the tunnel lives on (your IPv6 router), and then default routes on the other boxes pointing to the tunnel box.

If you are in a VM environment, might be easier to load up linux or BSD or something and make that your IPv6 router.  :P

[dawkco]

I think the routing service is needed just for Windows to route packets from one interface to another.  Perhaps it does this by sending it off to a service.  ...

On linux, IP routing is built into the proto stack in the kernel, but needs to be enabled for security reasons by essentially flipping a bit.

I'm not sure why you would have added some of those routes.

The only default routes you need is the default pointing to the other side of the tunnel on the box which the tunnel lives on (your IPv6 router), and then default routes on the other boxes pointing to the tunnel box.

If you are in a VM environment, might be easier to load up linux or BSD or something and make that your IPv6 router.  :P

I was just trying things to see if I could get it to work.  Now I'll try RRAS.  I guess I just leave the WS2008 NIC Default Gateway setting blank...(?)

I'm not running in VM environment now, so that would be a bigger hassle (I think).

[jimb]

Yes.  The WS2008 box is your Ipv6 router, and the route to the IPv6 internet is via the tunnel interface, so the only default route you need on that box is via the tunnel interface.  There should be no default route pointing through the LAN NIC since the way "out" is via the 6in4 tunnel virtual NIC.

[dawkco]

Do me a favor--see if you can successfully ping the following address:

2001:470:1f05:a85::6

Thanks.