IPv6 tunnel down after enabling UPnP for Xbox 360
Shadow Hawkins on Wednesday, 25 January 2012 10:31:13
Before enabling UPnP I had my IPv6 tunnel working with AYIYA (via AICCU) without problems. I tried to get Xbox Live connectivity to work through my network setup, so I installed the linux-igd package and configured it to use the following configuration (as instructed at http://shorewall.net/UPnP.html) in /etc/upnpd.conf:
create_forward_rule = yes
forward_chain_name = forwardUPnP
prerouting_chain_name = UPnP
/etc/default/linux-igd:
EXTIFACE=eth0
INTIFACE=eth1
ALLOW_MULTICAST=yes
/etc/shorewall/rules:
allowinUPnP loc $FW
forwardUPnP net loc
However, this didn't work, so I created DNAT rules in /etc/shorewall/rules:
DNAT net loc:192.168.1.2 udp 88
DNAT net loc:192.168.1.2 tcp 88
DNAT net loc:192.168.1.2 udp 3074
DNAT net loc:192.168.1.2 tcp 3074
This enabled Xbox Live connectivity but disabled my IPv6 for some reason. I removed the linux-igd package with sudo aptitude purge linux-igd and restarted my server, but the IPv6 connectivity didn't come back.
I have tried resyncing clocks with sudo /etc/init.d/ntp restart and I have tried restarting aiccu with sudo /etc/init.d/aiccu restart.
sudo aiccu test outputs (with verbose true in /etc/aiccu.conf):
Tunnel Information for T2612:
POP Id : fihel01
IPv6 Local : 2001:14b8:100:2b::2/64
IPv6 Remote : 2001:14b8:100:2b::1/64
Tunnel Type : ayiya
Adminstate : enabled
Userstate : enabled
sudo aiccu version: AICCU 2007.01.15-console-linux by Jeroen Massar (installed from the Ubuntu-server repo).
Pinging the tunnel end point gives 100% packet loss:
ping6 2001:14b8:100:2b::1
PING 2001:14b8:100:2b::1(2001:14b8:100:2b::1) 56 data bytes
--- 2001:14b8:100:2b::1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4032ms
but pinging my endpoint works as expected:
ping6 2001:14b8:100:2b::2
PING 2001:14b8:100:2b::2(2001:14b8:100:2b::2) 56 data bytes
64 bytes from 2001:14b8:100:2b::2: icmp_seq=1 ttl=64 time=0.029 ms
64 bytes from 2001:14b8:100:2b::2: icmp_seq=2 ttl=64 time=0.031 ms
64 bytes from 2001:14b8:100:2b::2: icmp_seq=3 ttl=64 time=0.030 ms
64 bytes from 2001:14b8:100:2b::2: icmp_seq=4 ttl=64 time=0.036 ms
--- 2001:14b8:100:2b::2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2998ms
rtt min/avg/max/mdev = 0.029/0.031/0.036/0.006 ms
uname -a: Linux rootzero 2.6.32-38-generic #83-Ubuntu SMP Wed Jan 4 11:13:04 UTC 2012 i686 GNU/Linux
lsb_release -a:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.3 LTS
Release: 10.04
Codename: lucid
My Ubuntu machine acts as a gateway/firewall between other computers in the network. Connection from the Xbox to the internet works like this for example:
Xbox -> WLAN Access Point -> 1GB Router -> Ubuntu gateway eth1 -> Ubuntu gateway eth0 -> VDSL -> Internet
ifconfig:
eth0 Link encap:Ethernet HWaddr <censored>
inet addr:84.248.94.185 Bcast:84.248.95.255 Mask:255.255.224.0
inet6 addr: 2001:14b8:124::1/64 Scope:Global
inet6 addr: fe80::21d:60ff:fe55:cfa5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2079963 errors:0 dropped:0 overruns:0 frame:0
TX packets:2421788 errors:0 dropped:0 overruns:0 carrier:2
collisions:0 txqueuelen:1000
RX bytes:404472828 (404.4 MB) TX bytes:1054163407 (1.0 GB)
eth1 Link encap:Ethernet HWaddr <censored>
inet addr:192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::207:e9ff:fe0e:a1c6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2437274 errors:0 dropped:0 overruns:0 frame:0
TX packets:1649234 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1056698909 (1.0 GB) TX bytes:370202667 (370.2 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:11128 errors:0 dropped:0 overruns:0 frame:0
TX packets:11128 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1721859 (1.7 MB) TX bytes:1721859 (1.7 MB)
sixxs Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet6 addr: 2001:14b8:100:2b::2/64 Scope:Global
inet6 addr: fe80::14b8:100:2b:2/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1428 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:260 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:20968 (20.9 KB)
sudo route -v -n:
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
84.248.64.0 0.0.0.0 255.255.224.0 U 0 0 0 eth0
224.0.0.0 0.0.0.0 240.0.0.0 U 0 0 0 eth1
0.0.0.0 84.248.64.1 0.0.0.0 UG 100 0 0 eth0
sudo iptables -L:
Chain INPUT (policy DROP)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW,UNTRACKED
net2fw all -- anywhere anywhere
loc2fw all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
reject all -- anywhere anywhere [goto]
Chain FORWARD (policy DROP)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW,UNTRACKED
net2loc all -- anywhere anywhere
loc2net all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
reject all -- anywhere anywhere [goto]
Chain OUTPUT (policy DROP)
target prot opt source destination
fw2net all -- anywhere anywhere
fw2loc all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
reject all -- anywhere anywhere [goto]
Chain Drop (2 references)
target prot opt source destination
all -- anywhere anywhere
reject tcp -- anywhere anywhere tcp dpt:auth /* Auth */
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */
dropInvalid all -- anywhere anywhere
DROP udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpt:1900 /* UPnP */
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain Reject (5 references)
target prot opt source destination
all -- anywhere anywhere
reject tcp -- anywhere anywhere tcp dpt:auth /* Auth */
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */
dropInvalid all -- anywhere anywhere
reject udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
reject tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpt:1900 /* UPnP */
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain allowinUPnP (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:1900
ACCEPT tcp -- anywhere anywhere tcp dpt:49152
Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
DROP all -- anywhere base-address.mcast.net/4
Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
Chain dynamic (2 references)
target prot opt source destination
Chain forwardUPnP (1 references)
target prot opt source destination
Chain fw2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
reject all -- anywhere anywhere [goto]
Chain fw2net (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT ipv6 -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain loc2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
allowinUPnP !ipv6 -- anywhere anywhere
Reject all -- anywhere anywhere
reject all -- anywhere anywhere [goto]
Chain loc2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain logflags (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info ip-options prefix `Shorewall:logflags:DROP:'
DROP all -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
reject all -- anywhere anywhere
Chain net2fw (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT ipv6 -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT ipv6 -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:37567
ACCEPT tcp -- anywhere anywhere tcp dpt:37568
ACCEPT tcp -- anywhere anywhere tcp dpt:auth
ACCEPT icmp -- anywhere anywhere icmp echo-request /* Ping */
Drop all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain net2loc (1 references)
target prot opt source destination
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
forwardUPnP !ipv6 -- anywhere anywhere
ACCEPT udp -- anywhere 192.168.1.2 udp dpt:kerberos
ACCEPT tcp -- anywhere 192.168.1.2 tcp dpt:kerberos
ACCEPT udp -- anywhere 192.168.1.2 udp dpt:3074
ACCEPT tcp -- anywhere 192.168.1.2 tcp dpt:3074
Drop all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain reject (12 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
DROP all -- base-address.mcast.net/4 anywhere
DROP igmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain shorewall (0 references)
target prot opt source destination
Chain smurfs (0 references)
target prot opt source destination
RETURN all -- 0.0.0.0 anywhere
LOG all -- anywhere anywhere ADDRTYPE match src-type BROADCAST LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
LOG all -- base-address.mcast.net/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- base-address.mcast.net/4 anywhere
Chain tcpflags (2 references)
target prot opt source destination
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
PoP IPv4 traceroute (traceroute 62.78.96.38):
traceroute to 62.78.96.38 (62.78.96.38), 30 hops max, 60 byte packets
1 dsl-hkibrasgw4-fe40dc00-1.dhcp.inet.fi (80.220.64.1) 19.833 ms 19.984 ms 20.273 ms
2 hkicredger02-e-7-2.datanet.tele.fi (141.208.206.5) 20.243 ms 20.417 ms 20.386 ms
3 hkicore2-o-5-0-0-0.datanet.tele.fi (141.208.25.61) 20.558 ms 20.733 ms 20.701 ms
4 hkiasbr2-s0-0-0.datanet.tele.fi (141.208.8.14) 20.260 ms 20.229 ms 20.401 ms
5 dna.ficix2.ficix.fi (193.110.224.20) 53.187 ms 20.546 ms 20.516 ms
6 hel1-tr2.dnaip.fi (62.78.107.98) 22.882 ms lah1-tr1.dnaip.fi (62.78.107.27) 21.342 ms hel1-tr2.dnaip.fi (62.78.107.98) 22.919 ms
7 lah1-tr1.dnaip.fi (62.78.107.27) 22.884 ms lah2-er70.dnaip.fi (62.78.108.175) 22.646 ms 22.819 ms
8 lah2-er70.dnaip.fi (62.78.108.175) 22.784 ms fihel01.sixxs.net (62.78.96.38) 21.732 ms 21.925 ms
PoP IPv6 traceroute (traceroute 2001:14b8:100:2b::1):
traceroute to 2001:14b8:100:2b::1 (2001:14b8:100:2b::1), 30 hops max, 80 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
I've run out of ideas what could be wrong.
IPv6 tunnel down after enabling UPnP for Xbox 360
Jeroen Massar on Wednesday, 25 January 2012 10:42:29
sudo iptables -L:
Chain INPUT (policy DROP)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW,UNTRACKED
You might want to start with an empty firewall, as that likely shows that that is the cause of your issues.
Though first you could simply put LOG targets at specific locations to see what is being dropped.
And of course look at "iptables -v --list -n"; the -v causes verbose output and counters, which should show which rule is causing packets to be dropped. As your default policy is DROP, though, everything that does not pass will be gone.
You have a lot of state in your firewall, see the NAT / Connection tracker FAQ item for details about that.
I've run out of ideas what could be wrong.
Too many wrong firewall rules is likely the cause, and most of them do not make any sense to have; e.g. you are apparently accepting protocol 41 (ipv6) towards your host, but you are using AYIYA.
It is always very interesting to see that people firewall their network but actually do not understand what they are firewalling in the first place and thus make big gaping holes in it while being too uptight over too many other things.
Also note that there is a firewall on both IPv4 (iptables) and IPv6 (ip6tables).
Lastly, there is a handy tool mentioned in the Reporting Problems Checklist called 'tcpdump' but one can also use 'wireshark' that allows you to see which packets are going where.
Good luck in debugging your extreme firewall ;)
IPv6 tunnel down after enabling UPnP for Xbox 360
Shadow Hawkins on Wednesday, 25 January 2012 12:59:56
Yes, I tried enabling all protocol 41 traffic and disabling all UPnP forwarding for protocol 41, and that is reflected in the firewall rules. I also enabled NOTRACK for ipv6 as instructed in that NAT / Connection tracker FAQ you suggested, which is also reflected in those rules.
Changing my tunnel type from AYIYA -> 6in4 static seemed to work for my issue. Maybe I still need to dig through some of those firewall rules, though.
IPv6 tunnel down after enabling UPnP for Xbox 360
Jeroen Massar on Wednesday, 25 January 2012 13:18:28
Changing my tunnel type from AYIYA -> 6in4 static seemed to work for my issue
Because you were not allowing port 5072 anywhere in your firewall, but for some reason you had proto-41 wide open.
Still if you have the same order of rules as above it will fail when your connection goes idle, unless you put the NOTRACK at the right spot.
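A small diagnostic in the spirit of the two replies above: it lists the DROP/REJECT rules in an `iptables -v --list -n` dump whose packet counters are non-zero, and checks whether the IPv4 ingress the configured tunnel type needs (UDP 5072 for AYIYA, protocol 41 for static 6in4) is accepted while the other is left open. This is an added example, not code from the thread, SixXS or AICCU; the dump it parses is constructed, and the chain names and counters are made up.

```python
"""Check an `iptables -v --list -n` dump: list DROP/REJECT rules whose packet
counters are non-zero, and check that the IPv4 ingress the tunnel type needs
(UDP 5072 for AYIYA, IP protocol 41 for static 6in4) is actually accepted."""
import re

TUNNEL_NEEDS = {"ayiya": ("udp", "dpt:5072"), "6in4": ("41", "")}

# Constructed sample shaped like `iptables -vnL`; not the poster's real dump.
SAMPLE = """\
Chain INPUT (policy DROP 37 packets, 2960 bytes)
 pkts bytes target prot opt in   out source    destination
  900 72000 net2fw all  --  eth0 *   0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
 pkts bytes target prot opt in   out source    destination
   12   960 ACCEPT 41   --  *    *   0.0.0.0/0 0.0.0.0/0
   20  1600 ACCEPT tcp  --  *    *   0.0.0.0/0 0.0.0.0/0  tcp dpt:22
  260 20968 DROP   all  --  *    *   0.0.0.0/0 0.0.0.0/0
"""

def parse_rules(dump):
    """Yield (chain, pkts, target, prot, extra_matches) for every rule line.
    -v abbreviates large counters (1234K, 5M); those are expanded."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    chain = None
    for line in dump.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        f = line.split()
        if len(f) < 9 or not re.fullmatch(r"\d+[KMG]?", f[0]):
            continue  # column header or blank line
        pkts = int(f[0][:-1]) * mult[f[0][-1]] if f[0][-1] in mult else int(f[0])
        prot = {"ipv6": "41"}.get(f[3], f[3])  # without -n, protocol 41 prints as "ipv6"
        yield chain, pkts, f[2], prot, " ".join(f[9:])

def active_drops(dump):
    """DROP/REJECT rules that have actually matched packets (counter > 0)."""
    return [(c, t, p, n) for c, n, t, p, _ in parse_rules(dump)
            if t in ("DROP", "REJECT") and n > 0]

def tunnel_ingress(dump, tunnel_type):
    """Is the ingress this tunnel type needs accepted, and is the other
    tunnel type's ingress open even though this setup does not need it?"""
    def accepts(prot, match):
        return any(t == "ACCEPT" and p == prot and match in x
                   for _, _, t, p, x in parse_rules(dump))
    other = next(v for k, v in TUNNEL_NEEDS.items() if k != tunnel_type)
    return {"required_open": accepts(*TUNNEL_NEEDS[tunnel_type]),
            "unneeded_open": accepts(*other)}
```

On the constructed dump, tunnel_ingress(SAMPLE, "ayiya") reports port 5072 closed and protocol 41 open, which is the mismatch described above; pass the text of your own `sudo iptables -v --list -n` output instead of SAMPLE to check a real ruleset.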
IPv6 tunnel down after enabling UPnP for Xbox 360
Shadow Hawkins on Sunday, 12 February 2012 18:15:01
I don't know if my connection "went idle" now, but the tunnel end point 2001:14b8:100:2b::1 stopped responding to ping now (Destination unreachable: Address unreachable). Also, traceroute ends at my end:
traceroute6 2001:14b8:100:2b::1
traceroute to 2001:14b8:100:2b::1 (2001:14b8:100:2b::1), 30 hops max, 80 byte packets
1 cl-44.hel-01.fi.sixxs.net (2001:14b8:100:2b::2) 0.034 ms !H 0.013 ms !H 0.012 ms !H
I don't know where the NOTRACK should be, but it has been here all the time:
sudo iptables -t raw -L:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
net_notrk all -- anywhere anywhere
loc_notrk all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain loc_notrk (1 references)
target prot opt source destination
NOTRACK ipv6 -- anywhere anywhere
Chain net_notrk (1 references)
target prot opt source destination
NOTRACK ipv6 -- anywhere anywhere
IPv6 tunnel down after enabling UPnP for Xbox 360
Jeroen Massar on Monday, 13 February 2012 09:16:18
The NOTRACK is only one piece of the puzzle. If you cannot ping the remote endpoint while initiating the sending then there is something else wrong.