Heartbeat Tunnel trouble (Client PC and Fritz!Box)
Shadow Hawkins on Monday, 03 March 2014 12:20:34
Hi all!
I want to use a Fritz!Box 7330 with a Heartbeat-Tunnel.
The setup in my Box seems to work. It connects to the tunnel, assigns an IPv6 address (mysubnet:2) and no further error messages occur. But the current state of my tunnel still is "down". It also seems that my box does not really get that IPv6 address. If I test my IP, I only see an IPv4 address, no IPv6 address.
I also tested it with an external PC (Win7) with a different ISP as a client. I installed AICCU, stored the used information in the aiccu.conf file and started the tunnel. I did all necessary steps according to wiki / faq / help entries.
AICCU actually starts, the console shows no errors but this strange message:
Heartbeat tunnel still has a local ipv4 adress of 'heartbeat'
....and it seems to "start" the tunnel. But I still see "Tunnel State down" and I don't get an ipv6 address. So, I guess the problem is not in my fritz!box because my PC has the same issue.
Is it possible that my ISP blocks proto-41 and I have to use an AYIYA tunnel? Did I miss something in my config? Is there a way to "find out", that my ISP blocks proto-41?
PS: I first used my tunnel as AYIYA and it worked on my external Win7 PC. I changed the tunnel type to heartbeat to use it with my fritzbox (now -5 ISK thx to this...and can't get the tunnel up... deadend...yay...?)
Heartbeat Tunnel trouble (Client PC and Fritz!Box)
Jeroen Massar on Monday, 03 March 2014 12:40:02
> But the current state of my tunnel still is "down".
Depends what claims it is down, if you mean the SixXS website, then it is dependent on your endpoint pinging, see the FAQ for the details.
> If I test my IP, I only see an IPv4 address, no IPv6 address.
How do you "test your IP"?
See IPv6Check for a check for a host behind your Fritz!Box, which does require you have a subnet configured.
> AICCU actually starts, the console shows no errors but this strange message: Heartbeat tunnel still has a local ipv4 adress of 'heartbeat' But I still see "Tunnel State down" and I don't get an ipv6 address.
Did you run it as an administrator? Also, heartbeat tunnels do not work (easily) behind NAT.
> Is it possible that my ISP blocks proto-41 and I have to use an AYIYA tunnel?
There is a possibility, but it is low. AYIYA tunnels btw won't work on Fritz!Box which only supports heartbeat.
> Did I miss something in my config?
Did you configure a subnet in the Fritz!Box so that your other computers get an IPv6 address?
> Is there a way to "find out", that my ISP blocks proto-41?
There are ways, but they are not always 100%, also it is harder to do as your Fritz!Box is likely acting as a NAT and intercepting those packets too.
> (now -5 ISK thx to this...and can't get the tunnel up... deadend...yay...?)
Why would that be a deadend?
Heartbeat Tunnel trouble (Client PC and Fritz!Box)
Shadow Hawkins on Monday, 03 March 2014 13:41:50
Currently, I do some tests with my win 7 client pc, I don't have physical access to my fritzbox atm.
> Depends what claims it is down, if you mean the SixXS website, then it is dependent on your endpoint pinging, see the FAQ for the details.
I used "Live Tunnel Status on the PoP" from the sixxs page. It shows "down" after connecting with the aiccu client. I can ping and traceroute the POP ipv4 address and my own, but every ipv6 ping (e.g. ping ipv6.google.com) fails.
> How do you "test your IP"?
http://www.wieistmeineip.com and http://test-ipv6.com/
If I list up my interfaces with "ipconfig" I only see "fe80:...." IPv6 addresses, which are not equal to the tunnel's v6 subnet addresses.
> That happens when no heartbeat went out yet, should be harmless most of the time.
Ah! Good to know.
> Did you run it as an administrator? Also, heartbeat tunnels do not work (easily) behind NAT.
Yes, I run aiccu as admin. My current win 7 client PC is directly connected to a DSL modem and I connect with PPPoE. MAYBE that is one problem->ISP nat, I don't have one.
> There is a possibility, but it is low. AYIYA tunnels btw won't work on Fritz!Box which only supports heartbeat.
Yes, I figured out that standard Fritz!OS only supports Heartbeat tunnels.
And...that's why I was wondering....I had no problem with AYIYA on this Win 7 client PC. Only that Heartbeat tunnel won't "go up".
> Did you configure a subnet in the Fritz!Box so that your other computers get an IPv6 address?
No, I set up IPv4 / v6 port forwarding rules to a VPN server within the LAN. I only need remote access to that fritz!Box. I want to use a secured VPN to access my other lan components. Thanks to my ISP nat madness, I can't access my Fritz!Box from the outside. That's why I hope that a sixxs tunnel will grant a remote access on my box. The Setup is basically this:
LAN (clients + VPN Server) ------> Fritz!Box (with forwarding rules to VPN server) -------> CableModem -------> ISP
The forwarding rules on the box and firewall rules on my server work, as soon as you access the box and choose the correct port, you end on the VPN server. It only works from my intranet or within the private subnet area of the ISP. As soon as you want to access that box from outside (not within ISP's subnet, Intranet) it does not work.
> your Fritz!Box is likely acting as a NAT and intercepting those packets too.
Ok, good to know.
> Why would that be a deadend?
Because I can't get my Heartbeat tunnel up to earn ISK's.
For testing purposes I also disabled all firewall rules on my current client PC and did a reconnect and aiccu restart. My tunnel is still down.
Heartbeat Tunnel trouble (Client PC and Fritz!Box)
Jeroen Massar on Monday, 03 March 2014 14:54:38
> Currently, I do some tests with my win 7 client pc, I don't have physical access to my fritzbox atm.
These are completely different things: different clients, different network connections.
> If I list up my interfaces with "ipconfig" I only see "fe80:...." IPv6 addresses, which are not equal to the tunnel's v6 subnet addresses.
Which shows that nothing is configured, hence why it does not work.
> My current win 7 client PC is directly connected to a DSL modem and I connect with PPPoE. MAYBE that is one problem->ISP nat, I don't have one.
What do you not have, NAT or something else?
> I had no problem with AYIYA on this Win 7 client PC.
AYIYA is meant to work behind NAT and uses completely different ports and tunneling technique than heartbeat.
> Only that Heartbeat tunnel won't "go up".
That can be caused by a lot of things.
> No, I set up IPv4 / v6 port forwarding rules to a VPN server within the LAN.
What kind of rules, and why? There is no need to bother with these kind of things in IPv6, every host can have its own address.
> Thanks to my ISP nat madness, I can't access my Fritz!Box from the outside.
Who is your ISP and what kind of "nat madness" are you referring to?
> The Setup is basically this: LAN (clients + VPN Server) ------> Fritz!Box (with forwarding rules to VPN server) -------> CableModem -------> ISP
Is that IPv4 or IPv6, what kind of forwarding rules are you using? What is the setup of your ISP etc?
>> Why would that be a deadend?
> Because I can't get my Heartbeat tunnel up to earn ISK's.
Dynamic tunnels (AYIYA and heartbeat) generate credits every two weeks when they are active. See the FAQ for more details.
> For testing purposes I also disabled all firewall rules on my current client PC and did a reconnect and aiccu restart. My tunnel is still down.
As you do not have any IPv6 addresses, that is not strange, as then it will not work.
Heartbeat Tunnel trouble (Client PC and Fritz!Box)
Shadow Hawkins on Monday, 03 March 2014 17:07:38
> These are completely different things: different clients, different network connections.
I was hoping to find some reasons why that tunnel does not work. IMHO: if it works on my client, it may work on the fritzbox too. I want to find out if the tunnel setup / options are correct.
> What do you not have, NAT or something else?
No I don't have a nat here but I'm pretty sure my ISP uses NAT.
> What kind of rules, and why? There is no need to bother with these kind of things in IPv6, every host can have its own address.
Yes, indeed but I don't want accessible v6 addresses on my Network components. I want to reach my Box only. Rest should be done with VPN. At least I have this solution in mind.
So....I want VPN tunnel inside the 6to4 tunnel. I don't know if this is possible.
> Is that IPv4 or IPv6, what kind of forwarding rules are you using? What is the setup of your ISP etc?
The LAN itself works on IPv4. An own v6 could be possible.
Now I have a different behaviour. I uninstalled the TAP drivers. Now my aiccu console starts and assigns an IPv6 address (mysubnet:2).
If I run traceroute / ping the tunnel start point and endpoint (mysubnet:1, mysubnet:2) it works. I also can send ping -6 requests and they are solved.
But, after ~ 30 seconds, I can't send those requests anymore (traceroute to tunnel start point, ping -6 to any address). It looks like the tunnel went up after I request my connection and went down after a few seconds. I also lose the assigned v6 address after a few moments.
Heartbeat Tunnel trouble (Client PC and Fritz!Box)
Jeroen Massar on Monday, 03 March 2014 17:38:00
>> What do you not have, NAT or something else?
> No I don't have a nat here but I'm pretty sure my ISP uses NAT.
If your ISP uses NAT then for sure proto-41 based tunnels (static & heartbeat) will not work, as the ISP's NAT will never know where to send proto-41 packets to.
>> What kind of rules, and why? There is no need to bother with these kind of things in IPv6, every host can have its own address.
> Yes, indeed but I don't want accessible v6 addresses on my Network components. I want to reach my Box only. Rest should be done with VPN. At least I have this solution in mind.
> So....I want VPN tunnel inside the 6to4 tunnel. I don't know if this is possible.
You really want IPv4-VPN inside IPv6 inside IPv4, and then the latter is likely IPv4 in IPv6, this as most ISPs doing IPv4 NAT do IPv6 deployments along with DSLITE?
Sounds like a big layering and overhead issue to me.
You might want to consider the fact that IPv4 is old and gone and that if you do something you should be doing it with IPv6...
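A rough pre-check for the NAT condition described in the reply above, as an added example that is not part of the thread or of AICCU: it compares the IPv4 address on the WAN interface with the address a remote service reports. Function names and sample addresses are assumptions, and a clean result does not prove that the ISP passes protocol 41.

```python
import ipaddress

# Ranges whose presence on the WAN interface means an upstream device translates addresses.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared space (carrier-grade NAT)


def classify_wan(wan_addr):
    """Classify the IPv4 address configured on the WAN/PPPoE interface."""
    ip = ipaddress.IPv4Address(wan_addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast:
        return "unusable"
    return "public"


def proto41_possible(wan_addr, seen_addr):
    """Heuristic: True only when no address translation is visible on the path.

    wan_addr  -- address on the WAN interface of the tunnel endpoint
    seen_addr -- source address a remote service reports for this host
    """
    if classify_wan(wan_addr) != "public":
        return False
    return ipaddress.IPv4Address(wan_addr) == ipaddress.IPv4Address(seen_addr)


def suggest_tunnel(wan_addr, seen_addr, supports_ayiya):
    """Pick a tunnel type using the rules stated in the thread."""
    if proto41_possible(wan_addr, seen_addr):
        return "heartbeat"   # proto-41 endpoint with no NAT in sight
    if supports_ayiya:
        return "ayiya"       # meant to work behind NAT
    return "none"            # heartbeat-only device behind NAT


if __name__ == "__main__":
    # Constructed samples; RFC 5737 documentation ranges stand in for public addresses.
    samples = [
        ("203.0.113.7", "203.0.113.7", True),     # PC on PPPoE with a public address
        ("100.64.12.34", "198.51.100.9", True),   # PC behind carrier-grade NAT
        ("100.64.12.34", "198.51.100.9", False),  # heartbeat-only router behind CGNAT
    ]
    for wan, seen, ayiya in samples:
        print(wan, seen, classify_wan(wan), suggest_tunnel(wan, seen, ayiya))
```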
Heartbeat Tunnel trouble (Client PC and Fritz!Box)
Shadow Hawkins on Thursday, 06 March 2014 09:54:48
> If your ISP uses NAT then for sure proto-41 based tunnels (static & heartbeat) will not work, as the ISP's NAT will never know where to send proto-41 packets to.
I changed my tunnel back to AYIYA. It works now. I also did a huge reconfig on my Fritzbox, IPv6 works now, also within my lan. I only need to test my OpenVPN stuff.
Now the plan is:
OpenvpnServer + LAN (IPv6) --- Fritz!Box (IPv6) --- Internet --- mobile Client (ayiya tunnel + OpenVPN tunnel)
Now....on the client side.... is it possible to have an ayiya tunnel which carries a vpn tunnel to my server? The problem is, I can only access my fritzbox + its forwarding rules to the OpenVPN server if my client has a valid ipv6 address, that's why I need to use the tunnel.
In the meanwhile, another client problem occurred: I'm blocked from the tic server (too many queries). The problem is: I'm still in the setup phase of my config. The multi tap install for my openvpn client (1 for the tunnel, 1 for openvpn) led to tap device losses for aiccu and I needed reconnects...
Heartbeat Tunnel trouble (Client PC and Fritz!Box)
Shadow Hawkins on Thursday, 06 March 2014 09:55:53
PS: how long does it take to get "unblocked" again?
Heartbeat Tunnel trouble (Client PC and Fritz!Box)
Jeroen Massar on Thursday, 06 March 2014 10:15:41
> Now the plan is:
> OpenvpnServer + LAN (IPv6) --- Fritz!Box (IPv6) --- Internet --- mobile Client (ayiya tunnel + OpenVPN tunnel)
Why bother with OpenVPN if you have static addresses?
> In the meanwhile, another client problem occured: I'm blocked from the tic server (too many queries).
You did not notice the warnings from the TIC server?
See the FAQ for details about this.
Heartbeat Tunnel trouble (Client PC and Fritz!Box)
Shadow Hawkins on Thursday, 06 March 2014 10:50:24
> Why bother with OpenVPN if you have static addresses?
I want to encrypt my data transfer into my lan. There is project data etc. stored. That's why.
> You did not notice the warnings from the TIC server?
I noticed and read the faq's. But sadly, during that "try and error" config I needed some reconnect. Now....how long does it take to get unblocked again?
Heartbeat Tunnel trouble (Client PC and Fritz!Box)
Jeroen Massar on Thursday, 06 March 2014 11:08:43
>> Why bother with OpenVPN if you have static addresses?
> I want to encrypt my data transfer into my lan. There is project data etc. stored. That's why.
IPSEC and/or TLS are great ways to solve that. Note that IPSEC would make everything transparent.
>> You did not notice the warnings from the TIC server?
> I noticed and read the faq's. But sadly, during that "try and error" config I needed some reconnect.
If you noticed and read the FAQ you would know.
Heartbeat Tunnel trouble (Client PC and Fritz!Box)
Shadow Hawkins on Thursday, 06 March 2014 12:09:21
> IPSEC and/or TLS are great ways to solve that. Note that IPSEC would make everything transparent.
Yep, this comes with openvpn. I also have older ipv4 only parts in my network. Therefore, I need to run it in parallel. ATM that vpn solution seems to work.
> If you noticed and read the FAQ you would know.
TIC faq says: "the block will be extended for a longer period of time"
and "we have configured a ratelimit"
It would be interesting to know about that "ratelimit" and "period of time"...
Heartbeat Tunnel trouble (Client PC and Fritz!Box)
Jeroen Massar on Thursday, 06 March 2014 13:15:39
> It would be interesting to know about that "ratelimit" and "period of time"...
We do not divulge what our detection method is, this as then people will just try to circumvent them.
Do actually read the FAQ, restarts are not needed, ever.