• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

How to add/set route from Routed /64 to Tunnel Endpoint?

Started by dawkco, April 03, 2010, 04:22:28 PM


dawkco

Quote from: dawkco on April 10, 2010, 10:47:59 AM

So, is there a wget for Windows?  I'd like to do this test myself.


I have ActivePerl installed, maybe there's an implementation of something like wget in there...
Dave W Kelly
DAWKCo(tm) Software

jimb

Quote from: dawkco on April 10, 2010, 10:47:59 AM
Quote from: jimb on April 10, 2010, 04:13:43 AM
Quote from: dawkco on April 10, 2010, 02:56:13 AM
Quote from: jimb on April 10, 2010, 12:51:16 AM
While it's true that the packets are routed out of the tunnel interface, the source address isn't changed.

Sounds good, but it's not what I was seeing.
Well, I can prove it...

Try it yourself.

Ah, Ok I see it now--in fact, I was logging into the forum to correct myself.  I misinterpreted the meaning of how the Prefix Policy table was implemented.

Still, an important feature of the prefix policy is the administrative override of default policies, which Windows doesn't seem to allow for.  Example:  assuming that my web browser used an unspecified address for its outbound connection, the OS should have preferred my routed /64 address as the source address when I had the following prefix policy table entries:

Precedence  Label  Prefix
----------  -----  ----------
...
       40      1  ::/0
       40      1  2001:470:1f05:a85::/64
... etc.

In other words, for any destination address, select the routed /64 address as the source address.  But it didn't work.

So, is there a wget for Windows?  I'd like to do this test myself.

That prefixpolicy thing would only work if the IPv6s in question were on the same interface.  In RFC3484, the outbound interface address overrides the prefix-policy table when using an unspecified source address.  Although, I've tried it on Linux and it still didn't work even when I had two IPv6 publics on one interface and adjusted the "ip addrlabel" table.  But I think this is because of the Linux implementation of it.  I think under Linux you must use /etc/gai.conf for outbound source stuff 'cause of the way it's implemented.

Googling for "windows wget" gets me a few choices.  I'm not sure which ones support IPv6 or not.  I know the one in Cygwin does, for Cygwin versions > 1.7.

You could also easily write a Perl script to demonstrate it.  Just connect to something after filling the desired IPv6 source address in and check the destination for which IPv6 is connecting.

Unfortunately many of the common built-in Windows utilities like ping, telnet, etc., don't allow one to specify a source address to use.

dawkco

Quote from: jimb on April 10, 2010, 05:28:40 PM
Googling for "windows wget" gets me a few choices.  I'm not sure which ones support IPv6 or not.  I know the one in Cygwin does, for Cygwin versions > 1.7.

You could also easily write a Perl script to demonstrate it.  Just connect to something after filling the desired IPv6 source address in and check the destination for which IPv6 is connecting.

Unfortunately many of the common built-in Windows utilities like ping, telnet, etc., don't allow one to specify a source address to use.

The WGet for Windows available from here is IPv6 capable:
http://gnuwin32.sourceforge.net/packages/wget.htm

This page has links to all the GNUWin32 packages:
http://gnuwin32.sourceforge.net/packages.html

I returned my IPv6 settings to the original tunnel/gateway configuration, and using WGet I was able to verify that the remotely detected IPv6 source address of a connect was the local IPv6 address that was specifically bound to for the connection by WGet.  OK.

BTW, the ping app on WS2003 and WS2008 has a -S option that allows specification of a source address for the ping (only valid for IPv6).  The thing that threw me off was that whenever I pinged a remote address without specifying the source address, it would always automatically select the tunnel local endpoint IPv6 address.  Of course, now I know why--the Default Address Selection Algorithm and the Default Prefix Policy--and, well, I've learned a lot more than that in the process of figuring it out.

Now, I'm just tinkering with the Windows Firewall to close up a few remaining holes...
Dave W Kelly
DAWKCo(tm) Software

jimb

Ah it's nice they added that option.  XP definitely doesn't have it.

Glad to see you got it going.  I've never set up windows to be a router before, now I guess I have some idea how to do it if I ever need to.  :P

kzyhlm

So guys, did you find out what to do to make W2008 ping from that router /64 address except removing that local IPv6 endpoint address from IP6Tunnel??
On Windows 7 you just need to enable RRAS and it will automatically work <LOL>

dawkco

Quote from: kzyhlm on January 25, 2011, 03:19:10 PM
So guys, did you find out what to do to make W2008 ping from that router /64 address except removing that local IPv6 endpoint address from IP6Tunnel??
On Windows 7 you just need to enable RRAS and it will automatically work <LOL>

@kzyhlm,

Yes, buried down there somewhere was the fact that binding your outbound connection to a specific address seems to work OK.  (See the stuff about WGet.)

I also found that enabling RRAS was required on WS2003 and WS2008 in order to get IPv6 routing from machines on the LAN to the tunnel interface (without any hardware router).

However, that doesn't change the fact that outbound connections that are not specifically bound to a routed /64 address will appear to be coming from the tunnel endpoint address.  This is also true on Win7 (I have it too).

I'm hoping it won't be a big deal.  Most service daemons have an option to bind to specific addresses if needed, and as jimb noted, we usually don't care which address our client software uses (e.g., web browser, etc.).  When you're hosting multiple domains that require different IPs (for SSL/TLS enabled services), it becomes an important issue.  We're still in testing mode right now, but things seem to be working OK so far.
Dave W Kelly
DAWKCo(tm) Software

kleroen

After some experimenting I believe I found a solution to the problem.

Instead of removing your endpoint IP from the tunnel, get it marked as deprecated by setting the preferred lifetime to 0 secs


netsh interface ipv6 set address IP6Tunnel <client endpoint IP> preferredlifetime=0s


The address will still be completely reachable, but any other address assigned elsewhere will be preferred over it.
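
Why deprecating the tunnel endpoint works where the prefix policy entry did not, shown as an added example (not code from any poster in this thread): a reduced model of the RFC 3484 section 5 source address rules, where Rule 3 (avoid deprecated) is evaluated before Rule 5 (prefer outgoing interface) and Rule 6 (matching label). The addresses are constructed from the 2001:db8::/32 documentation prefix, the interface names are placeholders, and the candidate set is assumed to span both interfaces because forwarding is enabled on them.

```python
import ipaddress
from dataclasses import dataclass, replace

# RFC 3484 default policy table as (prefix, label); precedence is unused for source selection.
DEFAULT_POLICY = [("::1/128", 0), ("::/0", 1), ("2002::/16", 2),
                  ("::/96", 3), ("::ffff:0:0/96", 4)]

@dataclass(frozen=True)
class Candidate:
    addr: str
    iface: str
    deprecated: bool = False   # preferred lifetime expired (preferredlifetime=0s)

def label(addr, policy):
    """Label of the longest policy prefix containing addr."""
    ip = ipaddress.IPv6Address(addr)
    nets = [(ipaddress.IPv6Network(p), lbl) for p, lbl in policy]
    return max((n.prefixlen, lbl) for n, lbl in nets if ip in n)[1]

def common_prefix_len(a, b):
    diff = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - diff.bit_length()

def select_source(dest, out_iface, candidates, policy=DEFAULT_POLICY):
    """Apply RFC 3484 section 5 rules 1, 3, 5, 6, 8 in order (tuple comparison).
    Rules 2, 4, 7 are skipped: all sample addresses are global, non-mobile, non-temporary."""
    def rank(c):
        return (c.addr == dest,                                 # Rule 1: same address
                not c.deprecated,                               # Rule 3: avoid deprecated
                c.iface == out_iface,                           # Rule 5: outgoing interface
                label(c.addr, policy) == label(dest, policy),   # Rule 6: matching label
                common_prefix_len(c.addr, dest))                # Rule 8: longest prefix
    return max(candidates, key=rank).addr

# Constructed sample addresses (documentation prefix 2001:db8::/32), not from the thread.
TUNNEL = Candidate("2001:db8:1f04:a85::2", "IP6Tunnel")   # client tunnel endpoint
ROUTED = Candidate("2001:db8:1f05:a85::1", "LAN")         # address from the routed /64
DEST = "2001:db8:ffff::80"

def demo():
    default = select_source(DEST, "IP6Tunnel", [TUNNEL, ROUTED])
    # Extra policy row for the routed /64, as tried earlier in the thread: Rule 5 still decides.
    policy = DEFAULT_POLICY + [("2001:db8:1f05:a85::/64", 1)]
    with_policy = select_source(DEST, "IP6Tunnel", [TUNNEL, ROUTED], policy)
    # Tunnel endpoint deprecated: Rule 3 is evaluated before Rule 5.
    deprecated = select_source(DEST, "IP6Tunnel", [replace(TUNNEL, deprecated=True), ROUTED])
    return default, with_policy, deprecated

if __name__ == "__main__":
    print(demo())
```

This models the RFC text only; an operating system's implementation may differ in which addresses it admits to the candidate set.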

smrtguy


dawkco

Quote from: kleroen on February 07, 2011, 05:29:28 PM

After some experimenting I believe I found a solution to the problem.  Instead of removing your endpoint IP from the tunnel, get it marked as deprecated by setting the preferred lifetime to 0 secs


netsh interface ipv6 set address IP6Tunnel <client endpoint IP> preferredlifetime=0s


The address will still be completely reachable, but any other address assigned elsewhere will be preferred over it.


kleroen, that is brilliant!

After re-reading the relevant RFC's:

http://www.rfc-editor.org/rfc/rfc3484.txt
http://www.rfc-editor.org/rfc/rfc2462.txt
http://www.rfc-editor.org/rfc/rfc3315.txt

specifically searching for the keywords:  deprecated, lifetime, preferred, valid; it now seems obvious--I am convinced that you have found the correct solution.  In fact, I have also deprecated the link-local address assigned to the tunnel interface (just for good measure).

Everything is now working as I originally thought it should.  Thank You!

Dave W Kelly
DAWKCo(tm) Software

dawkco

Quote from: smrtguy on February 07, 2011, 11:48:53 PM

Hi!
How do I configure IPv6?


smrtguy,

First, enable the RRAS (Routing and Remote Access Service) and make sure it's started (running).  You don't have to configure anything in RRAS, but make sure the service itself is set to Automatic startup mode.

Next, use the 'netsh' program to do the following.

Notes:  in the commands below, replace the items in <angle_brackets> with the correct values--don't include the angle brackets in the commands.  The following commands are compatible with Vista/Server 2008 and Win 7; the commands for XP/Server 2003 are a bit different (get help with 'netsh int /?' or 'netsh int ipv6 /?', etc.).

Your Host to HE IPv6-in-IPv4 Tunnel Interface Setup:


netsh int teredo set state disabled
netsh int ipv6 6to4 set state disabled
netsh int ipv6 isatap set state disabled
netsh int ipv6 add v6v4tunnel "IPv6 Tunnel" <your_tun_endpt_ipv4_addr> <he_tun_endpt_ipv4_addr>
netsh int ipv6 add address "IPv6 Tunnel" <your_tun_endpt_ipv6_addr> preferredlifetime=0s
netsh int ipv6 add route ::/0 "IPv6 Tunnel" <he_tun_endpt_ipv6_addr> publish=yes
netsh int ipv6 set interface "IPv6 Tunnel" forwarding=enabled nud=enabled routerdiscovery=enabled


Your Host IPv6 NIC Setup:


netsh int ipv6 add address "Local Area Connection" <your_/64_ipv6_addr>
netsh int ipv6 set interface "Local Area Connection" forwarding=enabled nud=enabled routerdiscovery=enabled
netsh int ipv6 add dnsserver "Local Area Connection" <dns_server1_ipv6_addr>
netsh int ipv6 add dnsserver "Local Area Connection" <dns_server2_ipv6_addr> 2



That's about it.  You should then be able to ping the HE tunnel endpoint IPv6 address and any other remote IPv6 address (that allows pings).  For example:


ping -6 <some_remote_IPv6_addr>


If that works, you're good to go on the IPv6 Internet.
Dave W Kelly
DAWKCo(tm) Software

cholzhauer


Sandertjuhh

Hi there,

I'm trying to get my IPv6 tunnel to work over my network.... I'm almost done but I'm missing only one thing (going outside my network with IPv6).
Both PCs are Windows 7 systems.

First I've enabled RRAS on my "server".

I got my tunnel working on my "server" system with the commands dawkco posted above. I could ping around the world of IPv6.
But when I try to surf to "http://ipv6.whatismyv6.com/" or "http://ipv6.google.com" I get a 404 error. But I could ping those hosts, so the tunnel is working.

I tried to give my server an IPv6 IP with the following commands:

netsh int ipv6 add address "LAN verbinding" 2001:470:1f14:132f::5
netsh int ipv6 set interface "LAN verbinding" forwarding=enabled nud=enabled routerdiscovery=enabled
"LAN verbinding" is Dutch for "Local Area Connection"

And see, now I can surf around the world too! The site http://ipv6.whatismyv6.com/ tells me my IPv6 is 2001:470:1f14:132f::5 and that's correct!

So my job on the server is done I guess?

I tried my other Windows 7 system and put these commands in there:

netsh int ipv6 add address "Draadloze netwerkverbinding" 2001:470:1f14:132f::6
netsh int ipv6 set interface "Draadloze netwerkverbinding" forwarding=enabled nud=enabled routerdiscovery=enabled
"Draadloze netwerkverbinding" is Dutch for "Wireless network connection"



When I try to ping 2001:470:1f14:132f::5 I get the following results:
Reply from 2001:470:1f14:132f::55: tijd=564 ms
Reply from 2001:470:1f14:132f::5: tijd=1 ms
Reply from 2001:470:1f14:132f::5: tijd=1 ms
Reply from 2001:470:1f14:132f::5: tijd=4 ms

So my internal connection is working.

When I try to ping the host-end-point IP from my tunnel: 2001:470:1f14:132f::2

I get "Destination Unreachable" 4 times.

So I can't get out of my network with IPv6.

I'm hoping someone can help me out to fix IPv6 for my local network. What did I do wrong?

These are my IPv6 routes:
[edit]
C:\Users\Sandertjuhh>netsh int ipv6 show route

Public.  Type      Met  Voorvoegsel               Idx  Naam gateway/interface
-------  --------  ---  ------------------------  ---  ------------------------
Nee      Handmatig 256  ::1/128                     1  Loopback Pseudo-Interface
1
Nee      Handmatig 256  2001:470:1f14:132f::/64    12  Draadloze netwerkverbinding
Nee      Handmatig 256  2001:470:1f14:132f::6/128   12  Draadloze netwerkverbinding
Nee      Handmatig 256  fe80::/64                  14  Bluetooth-netwerkverbinding
Nee      Handmatig 256  fe80::/64                  12  Draadloze netwerkverbinding
Nee      Handmatig 256  fe80::/64                  11  LAN-verbinding
Nee      Handmatig 256  fe80::25e3:b5f5:a977:6aad/128   14  Bluetooth-netwerkverbinding
Nee      Handmatig 256  fe80::415b:1088:4741:91dc/128   11  LAN-verbinding
Nee      Handmatig 256  fe80::f9bb:941e:531:e179/128   12  Draadloze netwerkverbinding
Nee      Handmatig 256  ff00::/8                    1  Loopback Pseudo-Interface
1
Nee      Handmatig 256  ff00::/8                   14  Bluetooth-netwerkverbinding
Nee      Handmatig 256  ff00::/8                   12  Draadloze netwerkverbinding
Nee      Handmatig 256  ff00::/8                   11  LAN-verbinding
[/edit]
Handmatig is Dutch for Manual

[edit2]
On request my IPv6 Range is: 2001:470:1f14:132f/64
[/edit2]

cholzhauer

Unblock your IP address; I have no idea what addresses you're using and can't help.

Sandertjuhh


cholzhauer

Can you ping the ::1 address of your tunnel?  If yes, your tunnel is up.  If no, tunnel is not up.

If yes, what does the routing table look like on one of the hosts that isn't working?