Can't reach some Sites ... but
Shadow Hawkins on Saturday, 21 May 2011 00:49:17
The test site test-ipv6.com shows:
"10/10 für Ihre IPv4 Stabilität und Bereitschaft, wenn Inhalte via IPv4 und IPv6 verfügbar sind
10/10 für Ihre IPv6 Stabilität und Bereitschaft, wenn Inhalte nur via IPv6 verfügbar sind"
So everything should be ok ... but I can't reach some big IPv6-Sites (google)
"Fehler: Server nicht gefunden
Der Server unter ipv6.google.com konnte nicht gefunden werden."
The router says:
Verbunden seit 21.05.2011 00:34 Uhr
Globale IPv6 Adresse der FRITZ!Box 2001:xxxx:xxxx:xxxx::2/64
Globale IPv6 Adresse bezogen über Tunneleinstellung
Gültigkeit der globalen IPv6-Adresse 4294967295 s /4294967295s
IPv6-MTU 1280
Globales IPv6-Präfix 2001:xxxx:xxxx::/48
Gültigkeit des globalen IPv6-Präfixes 4294967295 s /4294967295s
Erster IPv6 DNS-Server
Zweiter IPv6 DNS-Server
So I guess that there is no IPv6-DNS? Is this a problem of the router or something about the Tunnel?
regards
Jeroen Massar on Saturday, 21 May 2011 11:18:39
> So I guess that there is no IPv6-DNS?
There are two levels of IPv6: transport and queries
IPv6 DNS Transport, or as it is mentioned above "IPv6 DNS", means that the queries for the hostname are sent as IPv6 packets to an IPv6-enabled DNS server.
IPv6 DNS Queries means that either IPv4 or IPv6 packets are sent to a DNS server containing queries for AAAA (IPv6) records.
The setting above is the first, transport; you don't need this, as one can send IPv6 DNS queries over either an IPv4 or IPv6 transport.
Thus what you want to check is whether your DNS server properly allows AAAA queries.
If you have Windows, use Start->Run and type "nslookup" (without quotes) and then you'll get a dosbox where you can type "set q=aaaa" and then "ipv6.google.com"; the output will look somewhat like this:
Default Server: eternity.ch.unfix.org
Address: 198.18.99.41
set q=aaaa
ipv6.google.com
Server: eternity.ch.unfix.org
Address: 198.18.99.41
Non-authoritative answer:
ipv6.google.com canonical name = ipv6.l.google.com
ipv6.l.google.com AAAA IPv6 address = 2a00:1450:8005::68
As you can see my DNS server uses an IPv4 transport but the IPv6 Query works just fine. You might get back different AAAA btw as google has different regions for that.
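The transport/query distinction from the post above, as an added example that is not part of the original thread: the record type (AAAA) is a field inside the DNS message, while the address family of the socket carrying it is chosen separately. Function names are hypothetical, and the reply bytes are constructed from the names and address shown in the thread, not captured.

```python
import ipaddress
import socket
import struct

QTYPE_CNAME, QTYPE_AAAA = 5, 28  # record types; unrelated to the transport used

def build_query(name, qtype=QTYPE_AAAA, txid=0x1234):
    """Encode a one-question DNS query (recursion desired)."""
    labels = name.encode("ascii").split(b".")
    qname = b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def skip_name(msg, pos):  # returns the offset just past a possibly compressed name
    while msg[pos] & 0xC0 != 0xC0:      # a compression pointer ends the name
        if msg[pos] == 0:
            return pos + 1
        pos += 1 + msg[pos]
    return pos + 2

def aaaa_answers(msg):
    """Return the IPv6 addresses in the answer section of a response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4   # skip QTYPE and QCLASS
    found = []
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == QTYPE_AAAA and rdlen == 16:
            found.append(str(ipaddress.IPv6Address(msg[pos:pos + 16])))
        pos += rdlen
    return found

def lookup_aaaa_via_ipv4(server_v4, name, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:  # IPv4 transport
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_v4, 53))
        return aaaa_answers(s.recv(4096))

def constructed_response():
    """Constructed reply, not a capture: CNAME then AAAA, names from the thread."""
    rr = lambda ptr, t, rdata: ptr + struct.pack("!HHIH", t, 1, 300, len(rdata)) + rdata
    msg = bytearray(build_query("ipv6.google.com"))
    msg[2:8] = struct.pack("!HHH", 0x8180, 1, 2)   # response flags, 1 question, 2 answers
    msg += rr(b"\xc0\x0c", QTYPE_CNAME, b"\x04ipv6\x01l\xc0\x11")  # -> ipv6.l.google.com
    msg += rr(b"\xc0\x2d", QTYPE_AAAA, ipaddress.IPv6Address("2a00:1450:8005::68").packed)
    return bytes(msg)
```

`lookup_aaaa_via_ipv4` needs a reachable resolver; `aaaa_answers(constructed_response())` exercises the parser offline.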
Shadow Hawkins on Saturday, 21 May 2011 15:25:04
Ok!
Thx I think I can see the Problem here:
I have SonicWall-VPN-Client here on that machine! So if this is connected nslookup says:
Standardserver: w2.wedia.local
Address: 10.10.10.1
set q=aaaa
ipv6.google.com
Server: w2.wedia.local
Address: 10.10.10.1
Nicht autorisierende Antwort:
Name: ipv6.l.google.com
Address: 2a00:1450:4008:c00::93
Aliases: ipv6.google.com
wedia.local is the Server2008 where the VPN goes to! THEN I can't call google via IPv6!
If I disconnect that, nslookup says:
Standardserver: fritz.box
Address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
set q=aaaa
ipv6.google.com
Server: fritz.box
Address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
Nicht autorisierende Antwort:
Name: ipv6.l.google.com
Address: 2a00:1450:8005::63
Aliases: ipv6.google.com
THEN all the sites are coming up fine! So what can I do here to make the FritzBox the "standard" even if the VPN is up?
regards Sven
Jeroen Massar on Saturday, 21 May 2011 15:57:26
> wedia.local is the Server2008 where the VPN goes to! THEN I can't call google via IPv6!
It gives back an IPv6 address, thus actually, it should still work.
As the lookup succeeds, try, with the VPN active, to do a 'traceroute ipv6.google.com'; that should still work.
> THEN all the sites are coming up fine! So what can I do here to make the FritzBox the "standard" even if the VPN is up?
The joys of split-DNS. You won't be able to do much here, as you need the VPN version of DNS to reach the domain names that are defined on the VPN.
The solution I employ for these cases is to terminate the VPN on the router and use unbound to forward the DNS queries to the right place.
Shadow Hawkins on Saturday, 21 May 2011 18:25:33
Ok... I think I have to explain the situation better:
The Router makes the Internet-Connection (IPv4 only) AND at the Router is an internal SixXS-Client ... so the Router makes the tunnel.
All PCs get their IP-config (IPv4 and IPv6) from the router.
On my main PC is a SOFTWARE-VPN-Client. There is a virtual NIC named "SonicWALL VPN Connection"; from there only IPv4 is available!
The Problem is now that the VPN-NIC is "Standard" for nslookup if the VPN is enabled! Even if I get an IPv6 address I can't connect!
If I disable the Software VPN all is fine!
regards
Jeroen Massar on Saturday, 21 May 2011 19:51:18
I understood/stand your situation quite well; it is a very common setup.
> The Problem is now that the VPN-NIC is "Standard" for nslookup if the VPN is enabled! Even if I get an IPv6 address I can't connect!
DNS != routing
And your output showed that DNS works fine, the question is if routing has become affected.
As such, the questions become:
- What do your IPv4 and IPv6 routing tables look like before and after the VPN has been set up ("netstat -rn" and "netsh int ipv6 show routes")
- Is the IPv6 connectivity still working at all?
- Can you traceroute6 to anything, e.g. try a random: traceroute 2001:db8::1
- Does the VPN start a firewall of sorts?
- Does the VPN play with packets?
Shadow Hawkins on Saturday, 21 May 2011 22:17:26
Ok ... so let's go ;)
Is it safe to post the IPv4/IPv6-Tables? I guess they will not help if I "x" all the data? All my IP is static!
But I can show you the difference between VPN on/off via PING
Ping ipv6.google.com with VPN off:
C:\Windows\system32>ping ipv6.google.com
Ping wird ausgeführt für ipv6.l.google.com [2a00:1450:8005::68] mit 32 Bytes Daten:
Antwort von 2a00:1450:8005::68: Zeit=25ms
Antwort von 2a00:1450:8005::68: Zeit=25ms
Antwort von 2a00:1450:8005::68: Zeit=23ms
Antwort von 2a00:1450:8005::68: Zeit=24ms
Ping-Statistik für 2a00:1450:8005::68:
Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
(0% Verlust),
Ca. Zeitangaben in Millisek.:
Minimum = 23ms, Maximum = 25ms, Mittelwert = 24ms
Ping ipv6.google.com with VPN on:
C:\Windows\system32>ping ipv6.google.com
Ping-Anforderung konnte Host "ipv6.google.com" nicht finden. Überprüfen Sie den
Namen, und versuchen Sie es erneut.
As you can see PING can't find the address ... so this is a DNS-Problem and NOT Routing!
Also I can PING google while VPN is ON using the IPv6 address [2a00:1450:8005::68]... so the routing should be ok ...
regards
Jeroen Massar on Monday, 23 May 2011 10:48:49
If you can still ping the IP then indeed routing is not the issue, DNS it must be. Thus the only question then, as nslookup seems to work, is what kind of trickery your VPN software does, as it looks like it messes with DNS lookups.
One thing you could look at now is 'ipconfig /all' and see what nameservers are listed and possibly in what order they get used.