SixXS::Sunset 2017-06-06

Problems with 6in4 static tunnel (Endpoint is behind a NAT)
[gb] Shadow Hawkins on Saturday, 16 October 2010 20:08:59
I've a strange problem with my static tunnel - outbound ipv6 connectivity is working fine, but the PoP can't ping my endpoint for some reason. My ipv6 endpoint is behind a home router (Thomson TG585v7) and I've set it up to forward 6in4 packets (using information described at http://www.tunnelbroker.net/forums/index.php?topic=633.0). The endpoint itself is running Debian Linux 2.6.32-5-sparc64, has both iptables and ip6tables setup and has full outgoing ipv6 connectivity - applications and traceroutes both work. Outgoing ping to PoP works:
PING gblon02.sixxs.net(gblon02.sixxs.net) 56 data bytes
64 bytes from gblon02.sixxs.net: icmp_seq=1 ttl=64 time=33.1 ms
64 bytes from gblon02.sixxs.net: icmp_seq=2 ttl=64 time=36.2 ms
64 bytes from gblon02.sixxs.net: icmp_seq=3 ttl=64 time=38.8 ms
64 bytes from gblon02.sixxs.net: icmp_seq=4 ttl=64 time=36.9 ms
^C
--- gblon02.sixxs.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 33.185/36.315/38.863/2.054 ms

PING 77.75.104.126 (77.75.104.126) 56(84) bytes of data.
64 bytes from 77.75.104.126: icmp_req=1 ttl=58 time=39.2 ms
64 bytes from 77.75.104.126: icmp_req=2 ttl=58 time=35.0 ms
64 bytes from 77.75.104.126: icmp_req=3 ttl=58 time=35.2 ms
64 bytes from 77.75.104.126: icmp_req=4 ttl=58 time=47.1 ms
^C
--- 77.75.104.126 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 35.045/39.164/47.186/4.928 ms
The iptables lines which are likely to be relevant are:
iptables -A INPUT -s 77.75.104.126 -p 41 -j ACCEPT
and
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ifconfig output:
eth0      Link encap:Ethernet HWaddr 00:03:ba:13:0c:71
          inet addr:192.168.1.200 Bcast:192.168.1.255 Mask:255.255.255.0
          inet6 addr: 2a01:348:254::1/64 Scope:Global
          inet6 addr: fe80::203:baff:fe13:c71/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:2234824 errors:0 dropped:0 overruns:0 frame:0
          TX packets:355 errors:1949494 dropped:0 overruns:0 carrier:1949494
          collisions:0 txqueuelen:1000
          RX bytes:688703450 (656.7 MiB) TX bytes:107850 (105.3 KiB)
          Interrupt:9

sixxs     Link encap:IPv6-in-IPv4
          inet6 addr: 2a01:348:6:3b0::2/64 Scope:Global
          inet6 addr: fe80::c0a8:1c8/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MTU:1280 Metric:1
          RX packets:51 errors:0 dropped:0 overruns:0 frame:0
          TX packets:61 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6968 (6.8 KiB) TX bytes:5985 (5.8 KiB)
Routing table:
2a01:348:6:3b0::/64 via :: dev sixxs proto kernel metric 256 mtu 1280 advmss 1220 hoplimit 0
2a01:348:254::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 via :: dev sixxs proto kernel metric 256 mtu 1280 advmss 1220 hoplimit 0
default via 2a01:348:6:3b0::1 dev sixxs metric 1024 mtu 1280 advmss 1220 hoplimit 0
The system is also running radvd to route my subnet to other hosts. As far as I can tell, the 6in4 tunnel worked fine and responded to pings from the PoP until this morning, when it stopped responding. I'm unsure what has gone wrong. So far I've tried an ifdown/ifup on the tunnel interface and resetting the ipv6 nat rule on the router.
[ch] Jeroen Massar SixXS Staff on Saturday, 16 October 2010 20:18:44
Are you sure that your NAT box is properly forwarding packets, also when there were no packets from the inside (your network) to the outside (the PoP)? No ICMPv4 or other packets are coming back from your endpoint. Is your IPv4 address truly static, did it not change by now? How did you configure your tunnel? Why not use AYIYA instead which solves the whole NAT issue?
[gb] Shadow Hawkins on Saturday, 16 October 2010 21:54:45
Are you sure that your NAT box is properly forwarding packets, also when there were no packets from the inside (your network) to the outside (the PoP)?
As far as I can tell, outgoing ipv6 is working. I tried pinging the endpoint just now, from an external host, and got a response:
PING 2a01:348:6:3b0::2: 56 data bytes
64 bytes from cl-945.lon-02.gb.sixxs.net (2a01:348:6:3b0::2): icmp_seq=0. time=77.3 ms
64 bytes from cl-945.lon-02.gb.sixxs.net (2a01:348:6:3b0::2): icmp_seq=1. time=76.3 ms
64 bytes from cl-945.lon-02.gb.sixxs.net (2a01:348:6:3b0::2): icmp_seq=2. time=77.0 ms
64 bytes from cl-945.lon-02.gb.sixxs.net (2a01:348:6:3b0::2): icmp_seq=3. time=75.4 ms
64 bytes from cl-945.lon-02.gb.sixxs.net (2a01:348:6:3b0::2): icmp_seq=4. time=84.7 ms
----2a01:348:6:3b0::2 PING Statistics----
5 packets transmitted, 5 packets received, 0% packet loss
round-trip (ms) min/avg/max/stddev = 75.4/78.1/84.7/3.8
Is your IPv4 address truly static, did it not change by now?
The NAT box itself has a static ipv4 address.
How did you configure your tunnel?
I put the following lines in /etc/network/interfaces:
auto sixxs
iface sixxs inet6 v4tunnel
    address 2a01:348:6:3b0::2
    netmask 64
    endpoint 77.75.104.126
    ttl 64
    up ip link set mtu 1280 dev sixxs
    up ip route add default via 2a01:348:6:3b0::1 dev sixxs
Why not use AYIYA instead which solves the whole NAT issue?
I was using AYIYA at first, but decided to switch to a static tunnel (mainly to gain additional ISK quicker).
[ch] Jeroen Massar SixXS Staff on Saturday, 16 October 2010 23:46:36
I am fairly sure you are hitting a time out in the connection tracker / state tables of either your Linux box or your NAT box, at least that is what it looks like from the outside. (See the FAQ, or in short: when you don't use it from the inside, the outside can't get in, when you do use it from the inside, there is state thus the outside can send packets to the inside...)
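The state-table behaviour described above can be checked from a packet capture taken on the endpoint. This is an added example, not part of the original thread: the function names and the sample capture (including the external prober 2001:db8::1) are constructed, and the input is assumed to be the text output of tcpdump -tt -n for protocol 41.

```shell
#!/bin/sh
# Added example (not from the thread). Capture on the endpoint's LAN side with
#   tcpdump -tt -n -i eth0 ip proto 41 > capture.txt
# then run: proto41_idle_report <PoP IPv4> <endpoint LAN IPv4> < capture.txt

# Constructed sample: an outside host probes after 20s, 45s and 55s of
# silence and is answered each time. Later probes never reach the endpoint,
# so nothing is captured until local traffic resumes 300s later.
sample_capture() {
    cat <<'EOF'
1287259200.000000 IP 192.168.1.200 > 77.75.104.126: IP6 2a01:348:6:3b0::2 > 2a01:348:6:3b0::1: ICMP6, echo request, seq 1, length 64
1287259200.000000 IP 77.75.104.126 > 192.168.1.200: IP6 2a01:348:6:3b0::1 > 2a01:348:6:3b0::2: ICMP6, echo reply, seq 1, length 64
1287259220.000000 IP 77.75.104.126 > 192.168.1.200: IP6 2001:db8::1 > 2a01:348:6:3b0::2: ICMP6, echo request, seq 1, length 64
1287259220.000000 IP 192.168.1.200 > 77.75.104.126: IP6 2a01:348:6:3b0::2 > 2001:db8::1: ICMP6, echo reply, seq 1, length 64
1287259265.000000 IP 77.75.104.126 > 192.168.1.200: IP6 2001:db8::1 > 2a01:348:6:3b0::2: ICMP6, echo request, seq 2, length 64
1287259265.000000 IP 192.168.1.200 > 77.75.104.126: IP6 2a01:348:6:3b0::2 > 2001:db8::1: ICMP6, echo reply, seq 2, length 64
1287259320.000000 IP 77.75.104.126 > 192.168.1.200: IP6 2001:db8::1 > 2a01:348:6:3b0::2: ICMP6, echo request, seq 3, length 64
1287259320.000000 IP 192.168.1.200 > 77.75.104.126: IP6 2a01:348:6:3b0::2 > 2001:db8::1: ICMP6, echo reply, seq 3, length 64
1287259620.000000 IP 192.168.1.200 > 77.75.104.126: IP6 2a01:348:6:3b0::2 > 2a01:348:6:3b0::1: ICMP6, echo request, seq 2, length 64
1287259620.000000 IP 77.75.104.126 > 192.168.1.200: IP6 2a01:348:6:3b0::1 > 2a01:348:6:3b0::2: ICMP6, echo reply, seq 2, length 64
EOF
}

# Prints two figures, in whole seconds:
#   max_inbound_idle_age  longest outbound silence after which an inbound
#                         packet still arrived (mapping lives at least this long)
#   max_outbound_gap      longest silence between two outbound tunnel packets
proto41_idle_report() {
    awk -v pop="$1" -v me="$2" '
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            if (src == me && dst == pop) {            # outbound: refreshes NAT state
                if (seen && $1 - last_out > max_gap) max_gap = $1 - last_out
                last_out = $1; seen = 1
            } else if (src == pop && dst == me && seen) {   # inbound that got through
                if ($1 - last_out > max_age) max_age = $1 - last_out
            }
        }
        END { printf "max_inbound_idle_age=%d max_outbound_gap=%d\n", max_age, max_gap }
    '
}

sample_capture | proto41_idle_report 77.75.104.126 192.168.1.200
```

If probes were being sent throughout a long outbound gap and none were captured, the mapping expired somewhere after max_inbound_idle_age; a keep-alive has to fire more often than that figure.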
[de] Shadow Hawkins on Wednesday, 12 January 2011 15:21:42
You can simply ping6 your PoP's IPv6 every minute; that should keep your NAT's firewall open.
#!/bin/bash
# Set POPs_IPv6 to the IPv6 address of your PoP before running.
while [ 0 -eq 0 ]
do
    ping6 -c 1 "$POPs_IPv6"
    sleep 60
done
Of course with this method, you won't be able to offer any service to the outside world, so I guess the best way is to open your NAT's firewall for protocol 41 and forward it to your endpoint.
Best regards,
Friedrich
[gb] Shadow Hawkins on Wednesday, 02 March 2011 16:22:48
I also run a tunnel endpoint behind a TG585v7. The TG585 sets up a NAT session when there's outgoing proto 41 packets, which appears to stay active for around a minute or so. But
nat mapadd intf=Internet type=nat outside_addr=<wan_ipv4> inside_addr=<lan_ipv4> protocol=6to4 mode=inbound
doesn't seem to create the static nat mapping it should. I also tried unbinding the IP6to4 "helper" - it was something like
connection unbind application=IP6TO4 port=0
- but this didn't help either. Should anyone else come across this thread who has managed to make a TG585 remember to forward protocol 41, I'd appreciate knowing how... :-) Meanwhile, Friedrich's suggestion is keeping my tunnel open.
Jon
[ch] Jeroen Massar SixXS Staff on Wednesday, 02 March 2011 16:22:06
Or you could just use AYIYA which does not need anything special in the NAT box nor does it need to have the tunnel pinged every minute as the included heartbeat already solves that.

Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker