Ticket ID: SIXXS #6340290 Ticket Status: User PoP: fihel01 - DNA Oy (Helsinki)
IPv6 tunnel down after enabling UPnP for Xbox 360
Sorry for the broken first post.
Before enabling UPnP I had my IPv6 tunnel working with AYIYA (via AICCU) without problems. I tried to get Xbox Live connectivity to work through my network setup, so I installed the linux-igd package and configured it to use the following configuration (as instructed at http://shorewall.net/UPnP.html) in /etc/upnpd.conf:
create_forward_rule = yes
forward_chain_name = forwardUPnP
prerouting_chain_name = UPnP
/etc/default/linux-igd:
EXTIFACE=eth0
INTIFACE=eth1
ALLOW_MULTICAST=yes
/etc/shorewall/rules:
allowinUPnP loc $FW
forwardUPnP net loc
However, this didn't work, so I created DNAT rules in /etc/shorewall/rules:
DNAT net loc:192.168.1.2 udp 88
DNAT net loc:192.168.1.2 tcp 88
DNAT net loc:192.168.1.2 udp 3074
DNAT net loc:192.168.1.2 tcp 3074
This enabled Xbox Live connectivity but disabled my IPv6 for some reason. I removed the linux-igd package with sudo aptitude purge linux-igd and restarted my server, but the IPv6 connectivity didn't come back.
I have tried resynching clocks with sudo /etc/init.d/ntp restart and I have tried to restart aiccu with sudo /etc/init.d/aiccu restart.
sudo aiccu test outputs (with verbose true in /etc/aiccu.conf):
Tunnel Information for T2612:
POP Id : fihel01
IPv6 Local : 2001:14b8:100:2b::2/64
IPv6 Remote : 2001:14b8:100:2b::1/64
Tunnel Type : ayiya
Adminstate : enabled
Userstate : enabled
sudo aiccu version: AICCU 2007.01.15-console-linux by Jeroen Massar (installed from the Ubuntu-server repo).
Pinging to the tunnel end point gives 100% packet loss:
ping6 2001:14b8:100:2b::1
PING 2001:14b8:100:2b::1(2001:14b8:100:2b::1) 56 data bytes
--- 2001:14b8:100:2b::1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4032ms
but pinging my endpoint works as expected:
ping6 2001:14b8:100:2b::2
PING 2001:14b8:100:2b::2(2001:14b8:100:2b::2) 56 data bytes
64 bytes from 2001:14b8:100:2b::2: icmp_seq=1 ttl=64 time=0.029 ms
64 bytes from 2001:14b8:100:2b::2: icmp_seq=2 ttl=64 time=0.031 ms
64 bytes from 2001:14b8:100:2b::2: icmp_seq=3 ttl=64 time=0.030 ms
64 bytes from 2001:14b8:100:2b::2: icmp_seq=4 ttl=64 time=0.036 ms
--- 2001:14b8:100:2b::2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2998ms
rtt min/avg/max/mdev = 0.029/0.031/0.036/0.006 ms
uname -a:
Linux rootzero 2.6.32-38-generic #83-Ubuntu SMP Wed Jan 4 11:13:04 UTC 2012 i686 GNU/Linux
lsb_release -a:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.3 LTS
Release: 10.04
Codename: lucid
My Ubuntu machine acts as a gateway/firewall between other computers in the network. Connection from the Xbox to the internet works like this for example:
Xbox -> WLAN Access Point -> 1GB Router -> Ubuntu gateway eth1 -> Ubuntu gateway eth0 -> VDSL -> Internet
ifconfig:
eth0 Link encap:Ethernet HWaddr <censored>
inet addr:84.248.94.185 Bcast:84.248.95.255 Mask:255.255.224.0
inet6 addr: 2001:14b8:124::1/64 Scope:Global
inet6 addr: fe80::21d:60ff:fe55:cfa5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2079963 errors:0 dropped:0 overruns:0 frame:0
TX packets:2421788 errors:0 dropped:0 overruns:0 carrier:2
collisions:0 txqueuelen:1000
RX bytes:404472828 (404.4 MB) TX bytes:1054163407 (1.0 GB)
eth1 Link encap:Ethernet HWaddr <censored>
inet addr:192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::207:e9ff:fe0e:a1c6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2437274 errors:0 dropped:0 overruns:0 frame:0
TX packets:1649234 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1056698909 (1.0 GB) TX bytes:370202667 (370.2 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:11128 errors:0 dropped:0 overruns:0 frame:0
TX packets:11128 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1721859 (1.7 MB) TX bytes:1721859 (1.7 MB)
sixxs Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet6 addr: 2001:14b8:100:2b::2/64 Scope:Global
inet6 addr: fe80::14b8:100:2b:2/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1428 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:260 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:20968 (20.9 KB)
sudo route -v -n:
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
84.248.64.0 0.0.0.0 255.255.224.0 U 0 0 0 eth0
224.0.0.0 0.0.0.0 240.0.0.0 U 0 0 0 eth1
0.0.0.0 84.248.64.1 0.0.0.0 UG 100 0 0 eth0
sudo iptables -L:
Chain INPUT (policy DROP)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW,UNTRACKED
net2fw all -- anywhere anywhere
loc2fw all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
reject all -- anywhere anywhere [goto]
Chain FORWARD (policy DROP)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW,UNTRACKED
net2loc all -- anywhere anywhere
loc2net all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
reject all -- anywhere anywhere [goto]
Chain OUTPUT (policy DROP)
target prot opt source destination
fw2net all -- anywhere anywhere
fw2loc all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
reject all -- anywhere anywhere [goto]
Chain Drop (2 references)
target prot opt source destination
all -- anywhere anywhere
reject tcp -- anywhere anywhere tcp dpt:auth /* Auth */
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */
dropInvalid all -- anywhere anywhere
DROP udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpt:1900 /* UPnP */
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain Reject (5 references)
target prot opt source destination
all -- anywhere anywhere
reject tcp -- anywhere anywhere tcp dpt:auth /* Auth */
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */
dropInvalid all -- anywhere anywhere
reject udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
reject tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpt:1900 /* UPnP */
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain allowinUPnP (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:1900
ACCEPT tcp -- anywhere anywhere tcp dpt:49152
Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
DROP all -- anywhere base-address.mcast.net/4
Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
Chain dynamic (2 references)
target prot opt source destination
Chain forwardUPnP (1 references)
target prot opt source destination
Chain fw2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
reject all -- anywhere anywhere [goto]
Chain fw2net (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT ipv6 -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain loc2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
allowinUPnP !ipv6 -- anywhere anywhere
Reject all -- anywhere anywhere
reject all -- anywhere anywhere [goto]
Chain loc2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain logflags (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info ip-options prefix `Shorewall:logflags:DROP:'
DROP all -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
reject all -- anywhere anywhere
Chain net2fw (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT ipv6 -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT ipv6 -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:37567
ACCEPT tcp -- anywhere anywhere tcp dpt:37568
ACCEPT tcp -- anywhere anywhere tcp dpt:auth
ACCEPT icmp -- anywhere anywhere icmp echo-request /* Ping */
Drop all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain net2loc (1 references)
target prot opt source destination
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
forwardUPnP !ipv6 -- anywhere anywhere
ACCEPT udp -- anywhere 192.168.1.2 udp dpt:kerberos
ACCEPT tcp -- anywhere 192.168.1.2 tcp dpt:kerberos
ACCEPT udp -- anywhere 192.168.1.2 udp dpt:3074
ACCEPT tcp -- anywhere 192.168.1.2 tcp dpt:3074
Drop all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain reject (12 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
DROP all -- base-address.mcast.net/4 anywhere
DROP igmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain shorewall (0 references)
target prot opt source destination
Chain smurfs (0 references)
target prot opt source destination
RETURN all -- 0.0.0.0 anywhere
LOG all -- anywhere anywhere ADDRTYPE match src-type BROADCAST LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
LOG all -- base-address.mcast.net/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- base-address.mcast.net/4 anywhere
Chain tcpflags (2 references)
target prot opt source destination
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
PoP IPv4 traceroute traceroute 62.78.96.38:
traceroute to 62.78.96.38 (62.78.96.38), 30 hops max, 60 byte packets
1 dsl-hkibrasgw4-fe40dc00-1.dhcp.inet.fi (80.220.64.1) 19.833 ms 19.984 ms 20.273 ms
2 hkicredger02-e-7-2.datanet.tele.fi (141.208.206.5) 20.243 ms 20.417 ms 20.386 ms
3 hkicore2-o-5-0-0-0.datanet.tele.fi (141.208.25.61) 20.558 ms 20.733 ms 20.701 ms
4 hkiasbr2-s0-0-0.datanet.tele.fi (141.208.8.14) 20.260 ms 20.229 ms 20.401 ms
5 dna.ficix2.ficix.fi (193.110.224.20) 53.187 ms 20.546 ms 20.516 ms
6 hel1-tr2.dnaip.fi (62.78.107.98) 22.882 ms lah1-tr1.dnaip.fi (62.78.107.27) 21.342 ms hel1-tr2.dnaip.fi (62.78.107.98) 22.919 ms
7 lah1-tr1.dnaip.fi (62.78.107.27) 22.884 ms lah2-er70.dnaip.fi (62.78.108.175) 22.646 ms 22.819 ms
8 lah2-er70.dnaip.fi (62.78.108.175) 22.784 ms fihel01.sixxs.net (62.78.96.38) 21.732 ms 21.925 ms
PoP IPv6 traceroute traceroute 2001:14b8:100:2b::1:
traceroute to 2001:14b8:100:2b::1 (2001:14b8:100:2b::1), 30 hops max, 80 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
I've run out of ideas what could be wrong.
IPv6 tunnel down after enabling UPnP for Xbox 360
The ticket system is not a helpdesk. One can use the forums if you require assistance in configuring your system though.
State change: user
The state of this ticket has been changed to user
IPv6 tunnel down after enabling UPnP for Xbox 360
Changing tunnel type from AYIYA -> 6in4 static tunnel worked for my issue.
IPv6 tunnel down after enabling UPnP for Xbox 360
Which makes perfect sense as your firewall rule does not allow AYIYA anywhere to be passed.
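
A check of the kind the last reply points at, as an added example that is not part of the original ticket: it scans `iptables -L` output for explicit ACCEPT rules for IP protocol 41 (6in4, listed as `ipv6`) and for AYIYA over UDP. The port 5072 (AYIYA's default), the function names and the sample excerpt are assumptions made for this example.

```python
import re

AYIYA_PORT = "5072"  # assumption: AYIYA's default UDP port, not stated in the thread

# Constructed sample in `iptables -L` format, modelled on two chains from the ticket.
SAMPLE = """\
Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT ipv6 -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT ipv6 -- anywhere anywhere
DROP all -- anywhere anywhere
"""

def parse_chains(listing):
    """Map chain name -> [(target, proto, match_text), ...]."""
    chains, current = {}, None
    for line in listing.splitlines():
        parts = line.split()
        if parts[:1] == ["Chain"] and len(parts) > 1:
            current = chains.setdefault(parts[1], [])
        elif current is not None and "--" in parts[1:3]:
            i = parts.index("--", 1)              # position of the "opt" column
            target = parts[0] if i == 2 else ""   # some rules print a blank target
            current.append((target, parts[i - 1], " ".join(parts[i + 3:])))
    return chains

def tunnel_rules(listing):
    """Per chain, report explicit ACCEPT rules for each tunnel encapsulation."""
    report = {}
    for chain, rules in parse_chains(listing).items():
        seen = {"6in4": False, "ayiya": False, "catch_all": False}
        for target, proto, match in rules:
            if target != "ACCEPT":
                continue
            if proto in ("ipv6", "41"):           # IP protocol 41 carries 6in4
                seen["6in4"] = True
            elif proto in ("udp", "17") and re.search(
                    r"\b[sd]pt:(?:%s|ayiya)\b" % AYIYA_PORT, match):
                seen["ayiya"] = True              # AYIYA runs over UDP
            elif proto in ("all", "0") and not match:
                seen["catch_all"] = True          # -L hides interface matches
        report[chain] = seen
    return report

if __name__ == "__main__":
    print(tunnel_rules(SAMPLE))
```

A `catch_all` hit or a RELATED,ESTABLISHED rule can still pass tunnel traffic, and plain `-L` output omits interface matches, so confirm any result against `iptables -L -n -v`.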