ping working, HTTP (etc.) SYN packet not answered on 6in4 tunnel
Shadow Hawkins on Monday, 27 December 2010 23:57:22
ping working, HTTP (etc.) SYN packet not answered on 6in4 tunnel
Shadow Hawkins on Wednesday, 29 December 2010 15:35:10
Your ip6tables output is not very clear, as it does not show from which interface the traffic is being accepted. In/out is different than source/destination. Please add '-v' to the command and you will see the rules more clearly.
1) First guess: traffic is being accepted from the wrong interface, and the incoming traffic from the 6in4 tunnel gets pushed to the default DROP rule.
2) Is your box acting as endpoint without routing? Or is it supposed to act as router for your home network? If it is a router, then the key chain is FORWARD, not INPUT. (Based on your networks, I guess it is a router.)
Please find below the ip6tables output from my OpenWrt box with a static 6in4 tunnel. It routes the IPv6 traffic just nicely.
You can find the ip6tables rules and reasoning for each rule here:
https://www.sixxs.net/forum/?msg=setup-3135937
Basically, IPv6 ICMP traffic is accepted from everywhere, but regarding the normal forward traffic: everything from LAN is forwarded, but from tunnel only the RELATED,ESTABLISHED traffic is forwarded. Additionally, some ports are then explicitly forwarded for certain applications.
root@OpenWrt:~# ip6tables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2171 187K ACCEPT ipv6-icmp any any anywhere anywhere
0 0 ACCEPT all lo any anywhere anywhere
0 0 ACCEPT all br-lan any anywhere anywhere
0 0 DROP all any any anywhere anywhere rt type:0
0 0 ACCEPT all any any fe80::/10 anywhere
0 0 ACCEPT all any any ff00::/8 anywhere
0 0 DROP tcp any any anywhere anywhere tcp dpts:1:1024
0 0 DROP udp any any anywhere anywhere udp dpts:1:1024
0 0 LOG all any any anywhere anywhere LOG level warning
Chain FORWARD (policy DROP 16 packets, 1280 bytes)
pkts bytes target prot opt in out source destination
1204 83243 ACCEPT ipv6-icmp any any anywhere anywhere
0 0 DROP all any any anywhere anywhere rt type:0
6280 1464K ACCEPT all br-lan any anywhere anywhere
5766 3492K ACCEPT all any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp any any anywhere anywhere tcp dpt:18622
0 0 ACCEPT udp any any anywhere anywhere udp dpt:18622
6 504 ACCEPT tcp any any anywhere anywhere tcp dpt:49001
2383 367K ACCEPT udp any any anywhere anywhere udp dpt:49001
16 1280 LOG all any any anywhere anywhere LOG level warning
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4688 489K ACCEPT ipv6-icmp any any anywhere anywhere
0 0 ACCEPT all any lo anywhere anywhere
0 0 ACCEPT all any 6in4-sixxs anywhere anywhere
0 0 ACCEPT all any br-lan anywhere anywhere
0 0 DROP all any any anywhere anywhere rt type:0
0 0 ACCEPT all any any fe80::/10 anywhere
0 0 ACCEPT all any any ff00::/8 anywhere
0 0 LOG all any any anywhere anywhere LOG level warning
root@OpenWrt:~#
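The first-match logic behind that listing can be checked offline. The following is an added example, not part of the original post: it parses a constructed sample modelled on the FORWARD chain above and reports which rule decides a given packet. The helper names are hypothetical, the `opt` column is assumed empty as in the listing, and only the in/out, protocol, state, dpt and rt matches are modelled.

```python
import re

# Constructed sample in `ip6tables -L -v` layout, modelled on the FORWARD chain above.
LISTING = """\
Chain FORWARD (policy DROP 16 packets, 1280 bytes)
 pkts bytes target prot opt in out source destination
 1204 83243 ACCEPT ipv6-icmp any any anywhere anywhere
    0     0 DROP all any any anywhere anywhere rt type:0
 6280 1464K ACCEPT all br-lan any anywhere anywhere
 5766 3492K ACCEPT all any any anywhere anywhere state RELATED,ESTABLISHED
    6   504 ACCEPT tcp any any anywhere anywhere tcp dpt:49001
   16  1280 LOG all any any anywhere anywhere LOG level warning
"""

def parse(listing):
    """Return {chain: {"policy": str|None, "rules": [...]}}; source/destination are ignored."""
    chains, cur = {}, None
    for line in listing.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "Chain":
            m = re.search(r"policy (\w+)", line)   # user-defined chains have no policy
            cur = chains[f[1]] = {"policy": m.group(1) if m else None, "rules": []}
        elif f[0] != "pkts" and cur is not None:
            cur["rules"].append({"target": f[2], "prot": f[3], "in": f[4],
                                 "out": f[5], "extra": " ".join(f[8:])})
    return chains

def matches(rule, pkt):
    if rule["prot"] not in ("all", pkt["prot"]):
        return False
    if rule["in"] not in ("any", pkt["in"]) or rule["out"] not in ("any", pkt["out"]):
        return False
    if "rt type:" in rule["extra"]:    # packets modelled here carry no routing header
        return False
    m = re.search(r"state (\S+)", rule["extra"])
    if m and pkt["state"] not in m.group(1).split(","):
        return False
    m = re.search(r"dpt:(\d+)", rule["extra"])
    return not (m and pkt.get("dport") != int(m.group(1)))

def verdict(chain, pkt):
    """Return (target, 1-based rule number), or (policy, None) if no rule decides."""
    for n, rule in enumerate(chain["rules"], 1):
        if rule["target"] != "LOG" and matches(rule, pkt):   # LOG does not end traversal
            return rule["target"], n
    return chain["policy"], None

if __name__ == "__main__":
    fwd = parse(LISTING)["FORWARD"]
    syn = {"prot": "tcp", "in": "6in4-sixxs", "out": "br-lan", "state": "NEW", "dport": 80}
    print(verdict(fwd, syn))           # unsolicited SYN arriving from the tunnel
```
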
ping working, HTTP (etc.) SYN packet not answered on 6in4 tunnel
Shadow Hawkins on Tuesday, 28 December 2010 15:18:56
I've added ip6tables -L -v output below.
Re. 1) I see no packets being dropped or rejected.
Re. 2) Currently I've only configured my router as an endpoint. Do I need to configure my assigned subnet to test IPv6 connections from the router?
I tried setting all three chains (INPUT, FORWARD, OUTPUT) to ACCEPT, but still no response.
mro@spider:~$ sudo /sbin/ip6tables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all lo any anywhere anywhere
742 71804 ACCEPT ipv6-icmp any any anywhere anywhere
0 0 ACCEPT all any any anywhere anywhere state RELATED,ESTABLISHED
0 0 DROP all any any anywhere anywhere state INVALID
0 0 in-new all any any anywhere anywhere state NEW
0 0 LOG all any any anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[INPUT6]: '
0 0 REJECT all any any anywhere anywhere reject-with icmp6-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all any any anywhere anywhere reject-with icmp6-port-unreachable
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
626 65260 ACCEPT all any any anywhere anywhere
Chain in-new (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp any any anywhere anywhere tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
ping working, HTTP (etc.) SYN packet not answered on 6in4 tunnel
Shadow Hawkins on Tuesday, 28 December 2010 14:59:08
Try assigning an address to your eth0 interface
ping working, HTTP (etc.) SYN packet not answered on 6in4 tunnel
Shadow Hawkins on Wednesday, 29 December 2010 00:20:34
Do you mean I should assign an IPv6 address (from my subnet) to my public-facing interface? As there's no direct IPv6 (only IPv4 encapsulated) traffic there I don't see how that would help. But please enlighten me.
BTW, here's the unanswered HTTP SYN packet captured on my public interface:
90.184.225.194 > 90.185.0.134: IP6 (hlim 64, next-header TCP (6) payload length: 40) 2a02:980:1000:e::2.48792 > 2a00:1450:8003::93.80: Flags [S], cksum 0x0619 (correct), seq 246666467, win 3660, options [mss 1220,sackOK,TS val 43683066 ecr 0,nop,wscale 6], length 0
That seems correct to me. IPv4 public IF -> PoP, IPv6 source -> destination.
ping working, HTTP (etc.) SYN packet not answered on 6in4 tunnel
Shadow Hawkins on Wednesday, 29 December 2010 09:54:30
I'm having the same problem with ping and traceroute working but everything else failing on my tunnel. And I'm also on dkcph02 (Fullrate) - perhaps it's a problem with the POP?
I've opened a ticket on the issue.
(Thanks to Hannu Nyman for pointing out that we're not alone in experiencing this issue)
ping working, HTTP (etc.) SYN packet not answered on 6in4 tunnel
Shadow Hawkins on Friday, 21 January 2011 12:51:11
Morten, this was fixed again. Indeed it was an error on the POP's side: https://www.sixxs.net/tickets/?msg=tickets-3286513
My tunnel has been working fine the last couple of days.
You should probably check your routing. Also, running tcpdump/wireshark on your external interface can help you a lot.
ping working, HTTP (etc.) SYN packet not answered on 6in4 tunnel
Shadow Hawkins on Friday, 21 January 2011 15:15:50
Yes, thank you. It's indeed working again, just switched from my HE tunnel back to SixXS.