SixXS::Sunset 2017-06-06

Need help
[fr] Carmen Sandiego on Tuesday, 19 August 2003 09:45:58
Hi, I have received an email from the tunnel robot informing me that my tunnel to IPng has not been replying to pings for a period of time. My firewall accepts everything from my POP (212.19.192.219). A friend has tested pinging (ping6) my IPv6 address (3ffe:8114:1000::595) and that works. Any idea? :?
Need help
[de] Shadow Hawkins on Saturday, 31 July 2010 09:46:55
...This is a pretty old thread, but it is the one linked from the corresponding FAQ entry, so I guess it must be the right one...

I have a Linux router (Debian 5 with standard 2.6 kernel). This router uses PPPoE to connect to the internet and uses NAT to connect my LAN to it, too. A few days ago I started connecting my LAN to IPv6, so I requested a static SixXS tunnel. My PoP is Netcologne in Germany (Netcologne is also my DSL ISP). The tunnel is working fine, but after some time it is no longer reachable from outside. As soon as I generate IPv6 traffic from the inside, the tunnel is working correctly again. So I guess this is exactly the problem explained in this FAQ item and this linked forum thread: https://www.sixxs.net/faq/connectivity/?faq=conntracking

But both solutions mentioned in the FAQ don't work for me. When I do

    iptables -t raw -A PREROUTING --proto 41 -j NOTRACK

then the IPv6 tunnel is not working at all any longer. Not from inside and not from outside. And the other solution, excluding ipv6 stuff from the MASQUERADING rule, doesn't have any effect. The tunnel still stops working after some idle time. Is there still no working solution after 7 years?

My current workaround is a cronjob like this:

    * * * * * root fping6 SOME-IPV6-HOST -q -p 15000 -c 3 > /dev/null

Replace SOME-IPV6-HOST with the IP of an IPv6 host on the internet. I ping my own server hosted by Hetzner in Germany (which has a native IPv6 connection). I think the IP of the tunnel endpoint should work, too. This cronjob sends a ping every 15 seconds. I tried 60 seconds (so on each cron run it simply sends one ping) but this was not enough.
Need help
[de] Shadow Hawkins on Saturday, 31 July 2010 15:04:51
Ah, I found the problem. At least NOTRACK can now be used. Let's see if this also solves the idle problem. My error was that my firewall was NOT allowing proto 41. So the only reason why the tunnel was working at all was the rule to allow incoming established connections. And this no longer works when ipv6 traffic is excluded from connection tracking. So I added these two:

    iptables -I INPUT -j ACCEPT -i ppp+ -p ipv6 -s TUNNEL_ENDPOINT_IPV4
    iptables -t raw -A PREROUTING --proto 41 -j NOTRACK

I removed the ping-cronjob-workaround and I hope that the tunnel will now be stable even after some idle time.
Need help
[nl] Shadow Hawkins on Tuesday, 19 August 2003 11:09:56
Did your POP's pings make it before? E.g. check the "last alive" for your tunnel. If so, are you doing NAT/connection tracking? That is a known obstacle, see elsewhere on this forum. Good luck
Need help
[fr] Carmen Sandiego on Tuesday, 19 August 2003 11:23:36
Yeah, my POP pinged before; my last alive is 2003-08-16 13:33:59 ... I have made no changes on my network or to my iptables rules ...
Need help
[nl] Shadow Hawkins on Tuesday, 19 August 2003 11:39:28
But if you use NAT/conn track, your firewall remembers the connection and allows it. When it forgets it, the pings get dropped. If you use NAT/conn track, read elsewhere on this forum...
P.S. Maybe time to make a FAQ about this, quite some people have this problem...
P.P.S. https://noc.sixxs.net/forum/?msg=setup-25261
Need help
[fr] Carmen Sandiego on Tuesday, 19 August 2003 12:23:37
This is a paste of my iptables rules:

    ACCEPT ipv6 -- anywhere anywhere
    ACCEPT ipv6-icmp-- anywhere 62.212.X.X
    ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 2/min burst 5

and I have just added this:

    ACCEPT all -- tunnelserver.ipng.nl 62.212.x.x
Need help
[nl] Shadow Hawkins on Tuesday, 19 August 2003 13:12:05
To prevent ipv6 from being masqueraded, which seems to be the problem, I also added -t !41 to my -j MASQ statement; since then I've had no problems. Something like:

    IPTABLES -t nat -A POSTROUTING --proto ! 41 -o $EXTIF -j MASQUERADE

Dirkjan
P.S. Not sure whether this is the official or correct solution, but it works for me
Need help
[ch] Jeroen Massar SixXS Staff on Tuesday, 19 August 2003 13:19:50
That is indeed the correct solution, as then the packets for proto 41 are not being tracked. Note that for security reasons you might better be NATing only a certain prefix (eg -s 10.0.0.0/8) and over a certain interface, that is, only your internal one(s).
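The three points made in this thread (an explicit ACCEPT for protocol 41 once it is NOTRACKed, protocol 41 excluded from MASQUERADE, NAT limited to a source prefix and an outbound interface) can be checked against a saved ruleset. This is an added example, not part of any post: the function names, finding codes and both sample rulesets are constructed, 192.0.2.1 stands in for TUNNEL_ENDPOINT_IPV4, and it assumes iptables-save style input.

```shell
# Audit iptables-save text on stdin; prints one finding per line, nothing if clean.
audit_tunnel_rules() {
  awk '
    # IP protocol 41 (IPv6-in-IPv4) may be shown as "41" or "ipv6" (assumption).
    function p41(l)     { return l ~ /(^| )-p (41|ipv6)( |$)/ }
    function not_p41(l) { return l ~ /! -p (41|ipv6)( |$)/ }
    /^\*/ { table = substr($0, 2); next }
    table == "raw" && p41($0) && !not_p41($0) && /-j NOTRACK|--notrack/ { notrack = 1 }
    table == "filter" && /^-A INPUT / && p41($0) && !not_p41($0) && /-j ACCEPT/ { accept41 = 1 }
    table == "nat" && /^-A POSTROUTING / && /-j MASQUERADE/ {
      if ($0 !~ / -s /) print "MASQ_NO_SOURCE_PREFIX"
      if ($0 !~ / -o /) print "MASQ_NO_OUT_INTERFACE"
      if (!not_p41($0)) print "MASQ_DOES_NOT_EXCLUDE_PROTO41"
    }
    # Untracked packets never match an ESTABLISHED rule, so they need their own ACCEPT.
    END { if (notrack && !accept41) print "NOTRACK_WITHOUT_EXPLICIT_ACCEPT" }
  '
}

# Constructed sample: NOTRACK added while INPUT only admits tracked traffic.
ruleset_broken() { cat <<'EOF'
*raw
-A PREROUTING -p ipv6 -j NOTRACK
COMMIT
*nat
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
# Constructed sample: the same ruleset with the thread's advice applied.
ruleset_fixed() { cat <<'EOF'
*raw
-A PREROUTING -p ipv6 -j NOTRACK
COMMIT
*nat
-A POSTROUTING -s 10.0.0.0/8 ! -p ipv6 -o ppp0 -j MASQUERADE
COMMIT
*filter
-A INPUT -s 192.0.2.1/32 -i ppp+ -p ipv6 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Stand-alone run: report the findings for the broken sample.
ruleset_broken | audit_tunnel_rules
```

On a live router the input would come from `iptables-save | audit_tunnel_rules` instead of the sample functions.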
Need help
[fr] Carmen Sandiego on Tuesday, 19 August 2003 17:10:00
Thx for your help. I have one question: "IPTABLES -t nat -A POSTROUTING --proto ! 41 -o $EXTIF -j MASQUERADE" Is $EXTIF my ppp0 or my eth0? 41 <-- What is it? Thx
Need help
[nl] Shadow Hawkins on Tuesday, 19 August 2003 17:28:13
Okay, 41 is the protocol number for ipv6 (the ! means everything but) and $EXTIF is your network interface to the outside world, so for dial-up ppp0, or for cable/dsl/lan that would be eth0. If you don't fully understand this rule, please read some docs and/or howtos to brush up your iptables knowledge. As mentioned by Jeroen Massar above, you should also include the -s option.
Need help
[fr] Carmen Sandiego on Tuesday, 19 August 2003 17:35:18
Thx. For the moment, to test this rule, I have added this:

    iptables -t nat -A POSTROUTING --proto ! 41 -o ppp0 -j MASQUERADE

I'll wait and see whether my POP can ping my IP correctly :r
Need help
[fr] Carmen Sandiego on Tuesday, 19 August 2003 22:46:15
My POP can't ping my IP, so I tried pinging my IPv6 address from a friend's box, and that works:

    debian:~# ping6 3ffe:8114:1000::595
    PING 3ffe:8114:1000::595(3ffe:8114:1000::595) 56 data bytes
    64 bytes from 3ffe:8114:1000::595: icmp_seq=2 ttl=56 time=369 ms
    64 bytes from 3ffe:8114:1000::595: icmp_seq=3 ttl=56 time=374 ms
    64 bytes from 3ffe:8114:1000::595: icmp_seq=4 ttl=56 time=360 ms
    64 bytes from 3ffe:8114:1000::595: icmp_seq=5 ttl=56 time=364 ms

So I don't understand why my POP can't ping my IPv6. Anyone have an idea? :? :?
