ipv6 behind a dsl router with nat
Carmen Sandiego on Sunday, 21 December 2003 21:28:26
Hello ipv6-experts,
I'm running a windows xp box as the dmz-host in a natted network (192.168.0.0/24) behind a dsl-router and got problems establishing the tunnel.
In fact it doesn't ping at all and I think it must be the router's fault.
I've tried the BEFSR11 from Linksys (which does support Multicast Pass Through, IPSec Pass Through and PPTP Pass Through) and the DI-604 from Dlink.
In both cases the same result: it doesn't work.
Unfortunately I'm not able to connect the machine directly to the dsl line - but I can assume that the configuration of my client is correct since I've used the script provided by sixxs.
Do you have any ideas?
Thanks,
Gunther
Jeroen Massar on Sunday, 21 December 2003 21:33:26
1) Google and find the manual
2) DMZ Hosting on page 52
3) Enable that feature for the host that should terminate the endpoint.
Doneeeeee.... and the same for most other routers.
Carmen Sandiego on Monday, 22 December 2003 01:27:47
Hello Jeroen,
thanks a lot for your help, but the DMZ-feature is already ENABLED for the host I'm talking about. It doesn't work...
Linksys wasn't able to tell me if the router will forward GRE-packets from the internet to the dmz-host but it looks like the router doesn't forward those packets :-(
Is there another way for a tunnel from sixxs?
According to the FAQ "tinc" is what I need. Is it implemented in windows and can it already be used with sixxs?
Maybe if the connection-attempt would come from the host behind the router and the session would be established all the time tunneling would be possible. At least this works for pptp-based vpns.
Thanks for your help in advance.
Gunther
Carmen Sandiego on Monday, 22 December 2003 01:39:09
I've been able to monitor an interesting behavior:
While the heartbeat-software is running the ping to the ipv6-ip of www.sixxs.net replies "ping timed out" but when the heartbeat-client is not running it says "invalid source route specified".
I don't know the exact English message since I'm running the German version of Windows but you should know what was meant.
If my router really blocks GRE-packets (is there a tcpdump for windows?) it shouldn't make a difference if heartbeat is up or down, right?
Jeroen Massar on Monday, 22 December 2003 01:41:25
You get that message because the interface that can ping the remote side gets disabled. No source address thus "invalid source route"...
Jeroen Massar on Monday, 22 December 2003 01:39:23
Thus linksys don't know what they are selling to you ? :)
You might want to try and do a lot of tcpdumps to check if everything is configured correctly and that no errors are being returned.
Also gre == proto-47, ipv6 == proto-41
If I were you I would try and configure the device into bridge mode and let a real NAT box handle the traffic.
Carmen Sandiego on Monday, 22 December 2003 01:48:30
Hello Jeroen,
I've been using ethereal for Windows (there was no tcpdump....) and it looks like the router really is the evil guy who blocks gre and ipv6.
Now tinc is my only hope.
Do you know if I can participate in sixxs' tinc-betatest?
good night,
Gunther
Jeroen Massar on Monday, 22 December 2003 02:04:26
There is no tinc betatest as tinc is fully working.
Also see tinc.
Carmen Sandiego on Monday, 22 December 2003 01:57:05
just something I wanted to add: windump works like tcpdump for windows.
while pinging my ipv6-ip from an external host somewhere in the internet my windows-host reports a lot of arp-queries from ipv6 ips but no data-packets.
Maybe this will help the gurus?
(pD9EA29E4.dip.t-dialin.net is my dialup-ip/hostname)
01:53:14.747741 arp who-has pD9EA29E4.dip.t-dialin.net (a1:70:5:a0:0:16) tell 192.168.1.1
01:53:15.747514 arp who-has pD9EA29E4.dip.t-dialin.net (29:e4:60:0:0:0) tell 192.168.1.1
01:53:16.747580 arp who-has pD9EA29E4.dip.t-dialin.net (29:e4:60:0:0:0) tell 192.168.1.1
01:53:17.746915 arp who-has pD9EA29E4.dip.t-dialin.net (29:e4:60:0:0:0) tell 192.168.1.1
01:53:18.499164 arp who-has pD9EA29E4.dip.t-dialin.net (29:e4:60:0:0:0) tell 192.168.1.1
01:53:18.746920 arp who-has pD9EA29E4.dip.t-dialin.net (1:64:0:16:5:a0) tell 192.168.1.1
01:53:19.498980 arp who-has pD9EA29E4.dip.t-dialin.net (a1:70:5:a0:0:16) tell 192.168.1.1
01:53:19.746715 arp who-has pD9EA29E4.dip.t-dialin.net (1:64:0:16:5:a0) tell 192
Jeroen Massar on Monday, 22 December 2003 02:06:08
192.168.1.1 is your linksys router?
In that case configure your endpoint with the IP of your external box and everything should work.
When dumping use -n as hostnames don't tell a thing.
Shadow Hawkins on Thursday, 25 December 2003 10:15:39
you could try to create proto 41 packets from another host from outside.
I used hping for this and saw that my girlfriend's router (DLink DI-614+) is blocking all "unknown" protocols with "protocol unreachable" even when the host is in DMZ and is configured to forward all IP traffic to the correct host
Shadow Hawkins on Saturday, 10 January 2004 23:01:43
I am having the same problem here.
I placed my Linux computer in the DMZ (it used to be my router but now i am using an smc barricade wlan router). That Linux box is still working fine, it gives ipv6 connectivity to my WinXP clients using radvd.
Despite what SMC says on the website:
Q: Does the Barricade work with IP version 6?
A: Barricade is not compatible with IPv6. Since most hosts on the Internet only support IPv4. If you would like to access the Internet using IPv6 you will need a Ipv6 to IPv4 gateway.
As far as i know, the IPng/sixxs tunnels qualify for a 'ipv6-to-ipv4 gateway' and yet all proto-41 traffic is blocked according to tcpdump. And both the clients and the linux box can't ping the remote endpoint.
I have to contact SMC first, otherwise i have to remove the tunnel. I have this tunnel for more than 2.5 years. Would be a pity, even though i hardly used IPv6 for anything else but IRC && news.
Jeroen Massar on Saturday, 10 January 2004 23:47:41
If I were you I'd stick to the linux box as a router anyways ;)
And complain *hard* to SMC that the box doesn't do what you expect it to do.
Shadow Hawkins on Sunday, 11 January 2004 21:10:21
I was thinking about that too. But in that case i still can't provide my clients ipv6 connectivity as the SMC barricade is blocking the ipv6 traffic coming from the router (WAN interface) to the clients in the LAN.
But i think the people at SMC should provide me info on how to get it working again, as ipv6-in-ipv4 should be supported.
Jeroen Massar on Sunday, 11 January 2004 21:14:51
Could you draw an ascii setup? Do you mean that even 'switched' traffic that goes through the SMC box gets dropped when it is IPv6?
Shadow Hawkins on Sunday, 11 January 2004 22:59:54
The Barricade has a 4-port switch.
some lil ascii art, i hope it makes sense.
 -------------
| @home       |
| cable modem |
 -------------
       |
       | UTP cable to WAN interface
       |
 ---------------   UTP in port 1 of switch   ----------------------
| SMC Barricade |--------------------------| Linux box (obsolete) |
 ---------------                             ----------------------
       |
       | wireless 54mbit connection
       |
 ----------------------------
| WinXP Client (edgecrusher) |
 ----------------------------
In the Barricade's config i specified that Obsolete is in the DMZ. Obsolete gives edgecrusher an ipv6 address using radvd and ping6 to edgecrusher is possible:
root@obsolete:~# ping6 edgecrusherv6
PING edgecrusherv6(edgecrusherv6) 56 data bytes
64 bytes from edgecrusherv6: icmp_seq=1 ttl=64 time=1.62 ms
and edgecrusher can connect to obsolete (tested using 'nc6 -6 -l -p 8000' on obsolete and 'telnet 3ffe:8114:2000:440::1 8000' on edgecrusher).
But all traffic coming from the LAN (or DMZ) with destination cable modem/outside the LAN is dropped. icmpv6 requests are sent according to tcpdump, but no replies are coming back.
Jeroen Massar on Sunday, 11 January 2004 23:27:50
With this I assume you have a proto-41 tunnel from obsolete to the POP.
Indeed the SMC is broken, it should carry the proto-41 especially as you put it in the DMZ. Mind you btw that DMZ (De Militarized Zone) is a very wrong term as in that case you shouldn't be able to connect to edgecrusher at all...
Shadow Hawkins on Monday, 12 January 2004 00:24:34
With this I assume you have a proto-41 tunnel from obsolete to the POP.
that's indeed correct. I am not sure if edgecrusher can connect to ipv6 sites once the SMC is allowing proto-41 traffic. Traffic should go to obsolete first which has the tunnel installed and then back on the same interface to the SMC/cablemodem. Is this going to be a problem?
Indeed the SMC is broken, it should carry the proto-41 especially as you put it in the DMZ. Mind you btw that DMZ (De Militarized Zone) is a very wrong term as in that case you shouldn't be able to connect to edgecrusher at all...
I thought that hosts within DMZ were unable to initiate connections to hosts inside the LAN. But a simple nmap scan by obsolete showed some open ports on edgecrusher.
But hosts in a DMZ are supposed to be on a different network? I am glad SMC used a wrong term when they're talking about DMZs, otherwise i couldn't use obsolete as an IMAP-server etc ;)
Jeroen Massar on Monday, 12 January 2004 00:28:39
Is this going to be a problem?
Should not be as Obsolete is the IPv6 gateway, doesn't matter what IPv4 wants to do as you got a route over Obsolete.
If you do a traceroute now it should go to Obsolete and then into nothingness because the tunnel doesn't terminate etc...
Shadow Hawkins on Monday, 12 January 2004 12:07:23
Thanx for the fast replies ;)
If you do a traceroute now it should go to Obsolete and then into nothingness because the tunnel doesn't terminate etc...
tracert6 noc.sixxs.net
Tracing route to noc.sixxs.net [2001:838:1:1:210:dcff:fe20:7c7c]
from 3ffe:8114:2000:440:f1c2:8053:4c64:ba2b over a maximum of 30 hops:
1 3ffe:8114:2000:440::1 reports: No route to destination.
Trace complete.
A tcpdump on Obsolete while tracing shows that it's trying to noc.sixxs.net:
12:02:23.965881 3ffe:8114:2000:440:f1c2:8053:4c64:ba2b > noc.sixxs.net: icmp6: echo request [hlim 1]
So far, so good. I keep posting updates here when i get a reply from the SMC helpdesk
Shadow Hawkins on Sunday, 11 January 2004 19:50:26
Jasper,
Keep us posted please. BTW which router you use?
Shadow Hawkins on Sunday, 11 January 2004 23:00:56
I use a SMC barricade 2804WBR V2 wlan router.
Shadow Hawkins on Tuesday, 13 January 2004 19:11:40
I suggest to test your Route like this:
- download and compile hping2 on obsolete
- configure obsolete with a static IP on subnet foo
- configure your cable router for a static IP on WAN side on subnet foo,gateway is obsolete
- configure DMZ to go to edgecrusher on subnet bar
- put obsolete into the WAN port of your router
In this configuration obsolete should play the role of an outside host. Run tcpdump (or something similar on WinXP), then test basic connectivity with a ping or tcp connection (should work as the router should forward the traffic to "dmz host")
Now you can generate fake protocol 41 traffic with hping2 and check if this traffic is also forwarded to edgecrusher
My results doing such test on routers I had access to :
- D-Link DI-614+ - does not work - router blocks with protocol unreachable
- Linksys WRT54G - WORKS (I use a customized firmware here but probably works too with standard firmware)
Probably your router behaves like the D-Link DI-614+. There are 2 options
a) Complain until the firmware gets fixed. (you might complain until the end of the world if the vendor decides not to fix it)
b) Return your router and get another which is working
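The three outcomes this test can produce (proto 41 forwarded to the DMZ host, rejected with ICMP "protocol unreachable" as reported for the DI-614+, or dropped without any answer) can be read off the two captures mechanically. Added example, not part of the original posts: it assumes each capture is a list of raw IPv4 packets with the link-layer header already stripped, and all addresses and packets below are constructed samples.

```python
import socket
import struct

ICMP, IPV6_IN_IPV4, GRE = 1, 41, 47   # IPv4 protocol numbers named in the thread

def ipv4(src, dst, proto, payload=b""):
    """Build a constructed IPv4 packet (20-byte header, checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def classify(pkt):
    """Return (kind, source IPv4 address) for one captured IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("not-ipv4", None)
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return ("not-ipv4", None)
    src, proto, body = socket.inet_ntoa(pkt[12:16]), pkt[9], pkt[ihl:]
    if proto == IPV6_IN_IPV4:
        return ("6in4", src)
    if proto == GRE:
        return ("gre", src)
    # ICMP type 3 code 2 = protocol unreachable; the rejected packet's IPv4
    # header follows the 8-byte ICMP header, and its byte 9 is the protocol.
    if proto == ICMP and len(body) >= 28 and body[0] == 3 and body[1] == 2:
        if body[8 + 9] == IPV6_IN_IPV4:
            return ("proto41-unreachable", src)
    return ("other", src)

def verdict(outside_capture, dmz_capture):
    """Combine the sender-side and DMZ-host captures into one test result."""
    if any(classify(p)[0] == "6in4" for p in dmz_capture):
        return "forwarded"
    for p in outside_capture:
        kind, src = classify(p)
        if kind == "proto41-unreachable":
            return "rejected by " + src
    return "silently dropped"

# Constructed sample data (documentation addresses, not taken from the thread).
OUTSIDE, ROUTER_WAN, DMZ_HOST = "192.0.2.10", "198.51.100.1", "192.168.1.2"
probe = ipv4(OUTSIDE, ROUTER_WAN, IPV6_IN_IPV4, b"\x60" + b"\x00" * 39)
icmp_hdr = struct.pack("!BBHI", 3, 2, 0, 0)
reject = ipv4(ROUTER_WAN, OUTSIDE, ICMP, icmp_hdr + probe[:28])
forwarded = ipv4(OUTSIDE, DMZ_HOST, IPV6_IN_IPV4, probe[20:])

if __name__ == "__main__":
    print(verdict([probe, reject], []))    # router answers with protocol unreachable
    print(verdict([probe], [forwarded]))   # router passes proto 41 to the DMZ host
    print(verdict([probe], []))            # no answer and nothing arrives
```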
Shadow Hawkins on Wednesday, 14 January 2004 05:44:50
Alex
WOW, the Linksys WRT54G works?! *D
What model do you have: WRT54G v1.0, WRT54G v1.1, WRT54Gv2 or WRT54G-VPN.
Can you confirm the setup? Just want to be sure
The router config:
WAN port: static (whatever IP and subnet from ISP)
Router internal: default (ie 192.168.1.1 sub 255.255.255.0)
DMZ to v4/v6 PC
PC config:
LAN: private (ie 192.168.1.2 sub 255.255.255.0) or DHCP from router?
Gateway: internal router (192.168.1.1) or static WAN?
Where can I download the customized firmware you use?
Shadow Hawkins on Wednesday, 14 January 2004 08:22:21
I only did tests with fake ipv6 tunnel packets so far (similar to the test above). But in some days I probably can confirm that it works in a real environment. If I dare it I even might try to recompile a kernel with IPv6 and tunneling support for the router and try to get heartbeat-client running. The WRT54G is running a customized Linux system on a MIPS CPU and most of the sources are available (except things like the WLAN kernel module which is object code only)
I am using the version 1.1 of this router but they are very similar in hardware and at least the 1.1 models can run 2.x firmware
The firmware I am using is from sveasoft.com (Samadhi2 - v2.00.8.6sv), downloadable at ftp.sveasoft.com. Flashing custom firmware is at your own risk of course. It is probably not needed if you only want to forward the IPv6 tunnel (proto 41) but it gives some very nice gadgets (like an openssh shell to the router)
The setup with a static IP or subnet should work too although I cannot test it as I have a DSL dialup here with a dynamic IPv4 here.
Shadow Hawkins on Wednesday, 14 January 2004 08:30:01
There are many Broadcom hardware based WLAN access points which run linux. For example Linksys WRT54G and Buffalo WBR-G54. More information can be found at http://www.seattlewireless.net/index.cgi/LinksysWrt54g
There is also an open source firmware project http://openwrt.sf.net
Shadow Hawkins on Tuesday, 20 January 2004 14:55:28
I have used this wrt54g, without v6, and it works quite well but doesn't have a DSL modem on board.
I would like to buy an ipv6 capable router with built-in (A)DSL capabilities, as i'm thinking of switching to dsl. Does anyone have experience with the dlink dsl 604+? I found a site, which says something about ipv6 multicast, but I'm not sure if that's what I'm looking for.
http://www.nantes-wireless.org/pages/wiki/index.php/ConfigurationDuDSL604+
Is there a router which does have all these capabilities on board? The router part is mainly for backup purposes. Whenever the linux gateway drops out, I'd like to be able to set up simple NAT so other clients can still use the internet connection.
update: Also found this document http://www.luxembourg.ipv6tf.org/31_xdsl.pdf , which says in theory, every router with bridging support, supports ipv6. Can you confirm this information?
Thanks
Jeroen Massar on Tuesday, 20 January 2004 15:04:10
Of course, because a Layer 2 switch/bridge doesn't, or better said, shouldn't care about Layer 3 protocols. For multicast though a L2 device does have to snoop L3 at some times. Fortunately Ethernet simply specifies that MACs starting with 33:33: should be broadcasted to all the ports and most switches/bridges adhere to that.
Note that you should not mix up bridging with routing and switching.
Hub: Sending all packets from everyone to everyone else
Switching: Sending packets from A only to B
Routing: Sending packets from A to C (over B)
Bridging: Extending A with B
Shadow Hawkins on Tuesday, 20 January 2004 16:04:44
hmm quite confusing, as i do not have enough knowledge about routing and stuff. But as I understand, it should basically work (should ;) )
I ordered this router (dlink dsl604+), my dsl subscription starts somewhere next month, and I'll let you people know how it turns out to be.
Thanks!
Aykut
Shadow Hawkins on Monday, 09 February 2004 17:01:41
My connection details have finally arrived, I can now connect to adsl, without ipv6 though...
there's a part in my router's manual (a DSL604+ from dlink), which says it can pass through some data, but I can't find that menu in the webinterface.
--begin copy from manual--
Layer 2 Filtering
The Layer 2 Filter function of the Router can be
configured to drop a number of packets types as they are
encountered on either interface. This is especially useful
if the Router is configured to operate as a simple bridge.
The packet types that can be filtered are the following:
• ARP
• PPPoE
• IP Multicast
• IPv6 Multicast
• IP Broadcast (blocked by default)
• RARP (blocked by default)
• IPX
• NetBEUI
• Appletalk
• IEEE 802.1Q packets (blocked by default)
• Bridge Management Information
A check mark in the box indicates the packet type will
be passed. Any packet types that are not checked will be
dropped by the Router. Select the packet type you want
to allow to pass and click the OK button.
--end copy from manual--
(copy of manual in pdf format available here: http://web.tiscali.it/adslbox012/dlink/dsl604+_ug_VA3_v02_3.pdf )
I updated the firmware to the latest one, still the same thing. Enabling a DMZ doesn't work..
what can i do ? I noticed a "Bridge VC mux" mode, is that useful for me?
greetings
Aykut