SixXS::Sunset 2017-06-06

No ping response from PoP
[ru] Shadow Hawkins on Monday, 29 December 2014 13:52:15
Hello! I can't set up a static 6in4 tunnel properly. At first, when I send a ping6 request from my endpoint to the PoP, it isn't responding, but local ping6 requests and regular ping are OK. I have a Zyxel Keenetic Giga 2 as DMZ host under NAT. It can't traceroute, and I am configuring it remotely, so help me please. P.S. I've disabled my tunnel until I find any ideas.
No ping response from PoP
[ch] Jeroen Massar SixXS Staff on Monday, 29 December 2014 15:17:25
> Hello! I can't set up a static 6in4 tunnel properly.

What Operating System?

> At first, when I send a ping6 request from my endpoint to the PoP, it isn't responding,

What addresses are involved, what is your running/active configuration?

> but local ping6 requests and regular ping are OK.

What do you mean with 'local ping6 requests' and what with 'regular ping'?

> I have a Zyxel Keenetic Giga 2 as DMZ host under NAT.

Proto-41 behind NAT is asking for problems. See the FAQ for the details. AYIYA exists for a reason.
No ping response from PoP
[ru] Shadow Hawkins on Monday, 29 December 2014 20:04:10
> What Operating System?

Zyxel has NDMS v2 firmware based on Linux, but unfortunately that Linux isn't editable; I can only select from vendor-approved packages, and there are not so many of them.

> What addresses are involved, what is your running/active configuration?

(config)> show running-config
! $$$ Model: ZyXEL Keenetic Giga II
! $$$ Version: 2.0
! $$$ Agent: http/ci
! $$$ Last change: Mon, 29 Dec 2014 13:49:51 GMT
! $$$ Md5 checksum: 875c8d198fd2e480cbec89f291a873e2
system
    set net.ipv4.ip_forward 1
    set net.ipv4.tcp_fin_timeout 30
    set net.ipv4.tcp_keepalive_time 120
    set net.ipv4.netfilter.ip_conntrack_tcp_timeout_established 1200
    set net.ipv4.netfilter.ip_conntrack_max 10240
    set vm.swappiness 100
    set net.ipv6.conf.all.forwarding 1
    hostname Keenetic_Giga
    clock date 29 Dec 2014 22:09:55
    clock timezone Europe/Moscow
    domainname WORKGROUP
!
ntp server 0.pool.ntp.org
ntp server 1.pool.ntp.org
ntp server 2.pool.ntp.org
ntp server 3.pool.ntp.org
known host Desktop 00:1d:7d:04:09:51
access-list _WEBADMIN_ISP
    permit icmp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    permit tcp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 port eq 23
    permit tcp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 port eq 80
    permit tcp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    permit udp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
!
isolate-private
interface Switch0
    port 4
        mode access
        access vlan 1
    !
    port 3
        mode access
        access vlan 1
    !
    port 2
        mode access
        access vlan 1
    !
    port 1
        mode access
        access vlan 1
    !
    port 0
        mode access
        access vlan 2
    !
    up
!
interface Switch0/VLAN1
    description "Home VLAN"
    security-level private
    ip dhcp client dns-routes
    ip dhcp client name-servers
    up
!
interface Switch0/VLAN2
    name ISP
    description "Broadband connection"
    mac address factory wan
    security-level public
    ip address dhcp
    ip dhcp client dns-routes
    ip dhcp client name-servers
    ip access-group _WEBADMIN_ISP in
    ip global 700
    ipv6 address auto
    ipv6 prefix auto
    ipv6 name-servers auto
    up
!
interface WifiMaster0
    country-code RU
    compatibility BGN
    up
!
interface WifiMaster0/AccessPoint0
    name AccessPoint
    description "Wi-Fi access point"
    mac access-list type none
    security-level private
    wps
    authentication wpa-psk ns3 PNJRQeLlJVUYYedT/8FerYB/
    encryption enable
    encryption wpa2
    ip dhcp client dns-routes
    ip dhcp client name-servers
    ssid Keenetic-1412
    wmm
    up
!
interface WifiMaster0/AccessPoint1
    name GuestWiFi
    description "Guest access point"
    mac access-list type none
    security-level private
    ip address 10.1.30.1 255.255.255.0
    ip dhcp client dns-routes
    ip dhcp client name-servers
    ssid Guest
    wmm
    down
!
interface WifiMaster0/AccessPoint2
    mac access-list type none
    security-level public
    ip dhcp client dns-routes
    ip dhcp client name-servers
    down
!
interface WifiMaster0/AccessPoint3
    mac access-list type none
    security-level public
    ip dhcp client dns-routes
    ip dhcp client name-servers
    down
!
interface WifiMaster0/WifiStation0
    security-level public
    encryption disable
    ip address dhcp
    ip dhcp client dns-routes
    ip dhcp client name-servers
    down
!
interface Bridge0
    name Home
    description "Home network (Wired and wireless hosts)"
    inherit Switch0/VLAN1
    include AccessPoint
    security-level private
    ip address 192.168.1.1 255.255.255.0
    ip dhcp client dns-routes
    ip dhcp client name-servers
    ipv6 address auto
    up
!
interface TunnelSixInFour0
    description tunnel
    ip remote 77.109.111.178
    ipv6 address 2a02:578:5002:1ba::2
    ipv6 prefix 2a02:578:5002:81ba::/64
    ipv6 name-servers auto
    ipv6 force-default
    up
!
ip dhcp pool _WEBADMIN
    range 192.168.1.33 192.168.1.52
    bind Home
    enable
!
ip dhcp pool _WEBADMIN_GUEST_AP
    range 10.1.30.33 10.1.30.52
    bind GuestWiFi
    enable
!
ip dhcp host 00:1d:7d:04:09:51 192.168.1.2
ip arp 192.168.1.254 ff:ff:ff:ff:ff:ff
ip arp 192.168.1.254 ff:ff:ff:ff:ff:ff
ip nat Home
ip nat GuestWiFi
ip static udp ISP 9 192.168.1.254 9 !WOL
ip static tcp ISP 3389 192.168.1.2 3389 !RDP
ipv6 subnet Default
    bind Home
    number 0
    mode slaac
    debug
!
ipv6 local-prefix default
ppe
upnp lan Home
user admin
    password md5 4b4e276668d8cb0082bf003542aa0f02
    password nt c85ae31291f201a5f816e43dc428f4c7
    tag cli
    tag http
    tag cifs
    tag printers
!
service dhcp
service dns-proxy
service cifs
service http
service telnet
service ntp-client
service upnp
cifs
    automount
    permissive
!
printer 04e8:325b
    name "Xerox Phaser 3117"
    type cifs
    port 9100
!

I get my connection from my provider through GPON. The GPON router, a D-Link DPN-r5402, has firmware customized by the provider, so most of its options are cut out. It can forward ports and route packets to a DMZ host (that is my choice), and it has NAT that I can't disable. So it is a very poor device. Here is 192.168.0.0/24 covered with unstoppable NAT. My Zyxel has the 192.168.0.2 address in that subnet. From there it successfully takes the internet connection, and, as soon as it is configured as DMZ host, every single packet. It has its own 192.168.1.0/24 subnet which is my home network, so I can use all of my Zyxel services and I almost forget my provider for such a circumcision that they made to D-Link.

> What do you mean with 'local ping6 requests' and what with 'regular ping'?

By local ping6 I mean ping to addresses like fd04:8c2d:6ab9:0:ee43:f6ff:fe04:ebc8, that Zyxel made without my permission. As far as I know, it is not a public address, so I said it is local. And interface TunnelSixInFour0 successfully responds to ping6 as 2a02:578:5002:1ba::2

> Proto-41 behind NAT is asking for problems. See the FAQ for the details. AYIYA exists for a reason.

I'm not sure I can configure AYIYA at Zyxel. There is only a 6in4 option.
No ping response from PoP
[ch] Jeroen Massar SixXS Staff on Monday, 29 December 2014 21:38:12
> Zyxel has NDMS v2 firmware based on Linux, but unfortunately that Linux isn't editable; I can only select from vendor-approved packages, and there are not so many of them.

If it contains any form of Linux then they have to comply with the GPL and provide it all... Hence, ask with a lawyer tone where the source is.

> Here is 192.168.0.0/24 covered with unstoppable NAT.

As you are behind a NAT you cannot control, your better option is to use AYIYA.

> as soon as it is configured as DMZ host, every single packet.

DMZ kind of setups typically fail at one point or another.

> By local ping6 I mean ping to addresses like fd04:8c2d:6ab9:0:ee43:f6ff:fe04:ebc8, that Zyxel made without my permission.

That is a ULA address, some providers like to turn that on. Try finding a ULA option somewhere and turn it off.

> I'm not sure I can configure AYIYA at Zyxel. There is only a 6in4 option.

There are ZyXELs out there that have an AICCU client built-in...
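
Added example, not part of the original thread and not SixXS code: it builds the two kinds of packet discussed above and shows what a port-translating NAT can key its state on. A proto-41 (6in4) packet carries no layer-4 ports, while a UDP-carried tunnel such as AYIYA does. The addresses 192.168.0.2, 77.109.111.178 and 2a02:578:5002:1ba::2 come from the thread; the PoP-side address ending in ::1, the UDP source port 40000 and the use of AYIYA's registered UDP port 5072 are assumptions, and checksums are left at zero.

```python
import ipaddress
import struct

PROTO = {6: "tcp", 17: "udp", 41: "ipv6-in-ipv4"}

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header + payload (checksum left 0; not for the wire)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def ipv6(src, dst, next_header, payload):
    """Fixed 40-byte IPv6 header + payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload

def nat_view(packet):
    """What a port-translating NAT can key its state on for this packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    view = {"proto": PROTO.get(proto, str(proto)), "src_private": src.is_private,
            "ports": None}
    if proto in (6, 17):      # TCP/UDP: source/destination ports identify the flow
        view["ports"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    elif proto == 41:         # 6in4: the next bytes are an IPv6 header, no ports
        view["inner_src"] = str(ipaddress.IPv6Address(packet[ihl + 8:ihl + 24]))
    return view

def scope(addr):
    """Classify an IPv6 address as ULA (fc00::/7), link-local or global."""
    ip = ipaddress.IPv6Address(addr)
    if ip in ipaddress.ip_network("fc00::/7"):
        return "ULA"
    return "link-local" if ip.is_link_local else "global"

# Constructed sample packets (see the assumptions listed in the lead-in).
ECHO = struct.pack("!BBHHH", 128, 0, 0, 1, 1)   # ICMPv6 echo request, checksum 0
SIXIN4 = ipv4("192.168.0.2", "77.109.111.178", 41,
              ipv6("2a02:578:5002:1ba::2", "2a02:578:5002:1ba::1", 58, ECHO))
AYIYA_LIKE = ipv4("192.168.0.2", "77.109.111.178", 17,
                  struct.pack("!HHHH", 40000, 5072, 8, 0))

if __name__ == "__main__":
    for name, pkt in (("6in4", SIXIN4), ("UDP", AYIYA_LIKE)):
        print(name, nat_view(pkt))
```

With `ports` empty, the upstream NAT has only the protocol number and the IP addresses to match returning proto-41 traffic on, which is why the tunnel depends entirely on how the DMZ feature of the provider's router handles protocol 41.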
