Loss.
Shadow Hawkins on Wednesday, 18 October 2006 10:25:29
Hello, I've just set up an IPv6 tunnel from a Linksys router and all looks fine. I had a few problems with NAT, but that's all fixed now and my tunnel looks stable. The problem is: why am I showing over 50% loss on the website? Sometimes it's near 70% loss. When I try to ping the PoP via IPv6 I get 14~20ms and 0% loss, so why is it reporting loss from the PoP to me?
Am I being very silly and forgetting something?
Hope you can help.
Loss.
Shadow Hawkins on Wednesday, 18 October 2006 11:14:07
I have the same problem.
Last Alive 2006-10-18 11:08:40
Last Dead 2006-10-17 20:08:52
State Heartbeat (automatically enabled on the fly)
The text is showing that I'm alive, but the graphs are showing 75% loss and peaks in my ping. Sometimes 0ms and 100% loss, sometimes 40ms and 75% loss.
Is there something not working?
Loss.
Shadow Hawkins on Wednesday, 18 October 2006 16:01:00
Ah, I have allowed ICMP into my router and added it to my QoS setup so it gets priority. This seems to have helped a lot. I'm still getting around 50-80ms ping times from PoP to me, but from me to PoP it is only 14~20ms... Oh well, that's just crazy. Might look into it more another time.
Loss.
Carmen Sandiego on Wednesday, 18 October 2006 19:15:14
What happens when you ping6 something for a couple of hours? If this is the same as I'm experiencing, the ping traffic will reduce the measured packet loss to 0% or thereabouts.
Loss.
Shadow Hawkins on Thursday, 19 October 2006 14:31:39
Hmm OK, I now run a ping6 to www.ipv6.org in a screen session and, oh wonder, the graphs of SixXS are correct now....
Loss.
Jeroen Massar on Thursday, 19 October 2006 18:09:24
You could also have read the FAQ which describes exactly this problem. No state in your NAT/conntracking thing, no packets coming in anymore.
Loss.
Carmen Sandiego on Thursday, 19 October 2006 18:51:53
In my case, that FAQ doesn't apply. The FAQ describes how to set up a Linux or BSD router, while I have a hardware router (Linksys WRT54G). The tunnel endpoint is set up as the DMZ host, which would disable any connection tracking.
Loss.
Jeroen Massar on Thursday, 19 October 2006 19:05:47
A Linksys WRT54G runs Linux (or, on newer ones, VxWorks); both, though, have the problem of keeping state. Note that it is not a router but a NAT box.
Solution: configure that NAT box or remove it from your network setup.
The second option is mostly not done. The first option is easy though, upgrading it to dd-wrt or openwrt will allow you to fix this as then you have access to the Linux running inside it.
Another solution that will work: using AYIYA, as that has a built-in heartbeat mechanism that causes the state to be updated and thus kept.
> The tunnel endpoint is set up as the DMZ host, which would disable any connection tracking.
It should but it doesn't. When the box is acting as a NAT it will track *everything* unless specifically told not to do that.
And of course, above all, the best solution: upgrade the Linksys to dd-wrt or openwrt and terminate the IPv6 tunnel on the router (now it becomes a router as it will route IPv6; for IPv4 it is still only a silly NAT box).
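Added example, not part of the thread: a toy model of the state-expiry effect described above, showing why the PoP's probes are lost on an idle tunnel while regular outbound traffic (a heartbeat or a long-running ping6) keeps them flowing. The timeout, probe schedule and usage pattern are constructed assumptions, not SixXS or Linksys values.

```python
# Toy model of the NAT box's state entry for the proto-41 tunnel.
# All timings below are constructed for illustration.

STATE_TIMEOUT = 600  # assumed idle timeout in seconds; real boxes differ


def probe_loss(outbound_times, probe_times, timeout=STATE_TIMEOUT):
    """Fraction of inbound PoP probes dropped because the state had expired."""
    events = sorted([(t, "out") for t in outbound_times] +
                    [(t, "probe") for t in probe_times])
    last_refresh = None  # last time the mapping was created or refreshed
    lost = total = 0
    for t, kind in events:
        if kind == "out":
            last_refresh = t      # outbound packet creates/refreshes state
            continue
        total += 1
        if last_refresh is not None and t - last_refresh <= timeout:
            last_refresh = t      # probe passes; the echo reply refreshes state
        else:
            lost += 1             # no state: the NAT drops the inbound packet
    return lost / total if total else 0.0


HOURS = 4
# PoP latency probe every 15 minutes (constructed schedule)
probes = list(range(300, HOURS * 3600, 900))
# Tunnel used for about two minutes at the top of each hour, otherwise idle
occasional = [s + d for s in range(0, HOURS * 3600, 3600)
              for d in range(0, 120, 10)]
# Same usage plus one keepalive packet every 60 s
# (a long-running ping6 sends far more often than this)
keepalive = occasional + list(range(0, HOURS * 3600, 60))

if __name__ == "__main__":
    print(f"idle tunnel:    {probe_loss(occasional, probes):.0%} probe loss")
    print(f"with keepalive: {probe_loss(keepalive, probes):.0%} probe loss")
```

Pings sent from the tunnel endpoint itself always create fresh state before the reply returns, which is why the user's own view shows 0% loss in either case.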
Loss.
Shadow Hawkins on Monday, 06 November 2006 13:59:00
I'm very sorry, but I still have problems... :(
My firewall rules look like this (OpenWrt box):
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
## CLEAR TABLES
for T in filter nat; do
  iptables -t $T -F
  iptables -t $T -X
done
iptables -N input_rule
iptables -N output_rule
iptables -N forwarding_rule
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
### INPUT
### (connections with the router as destination)
# base case
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
iptables -A INPUT -p 41 -i $WAN -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A INPUT -j input_rule
# allow
iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
iptables -A INPUT -p gre -j ACCEPT # allow GRE
# reject (what to do with anything not allowed earlier)
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
### OUTPUT
### (connections with the router as source)
# base case
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A OUTPUT -j output_rule
# allow
iptables -A OUTPUT -j ACCEPT #allow everything out
# reject (what to do with anything not allowed earlier)
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
### FORWARDING
### (connections routed through the router)
# base case
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A FORWARD -j forwarding_rule
# allow
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
# reject (what to do with anything not allowed earlier)
# uses the default -P DROP
### MASQ
iptables -t nat -A PREROUTING -j prerouting_rule
iptables -t nat -A POSTROUTING -j postrouting_rule
iptables -t nat -A POSTROUTING --protocol \! 41 -o $WAN -j MASQUERADE