Forum - outside world only reachable after pinging gateway ?!?! :: SixXS

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Tuesday, 03 February 2009 18:36:25

hi, i just managed to get a working setup of my assigned subnet for my local network, for one machine at this time, actually. unfortunately after a very short time i loose the ability to reach the outside world. after pinging my sixxs ipv6 address it is working again. watch this

seaburg ~ # ping6 -I eth0 ipv6.google.com PING ipv6.google.com(2001:4860:0:1001::68) from 2001:15c0:66e4:0:2e0:81ff:feb0:83fa eth0: 56 data bytes ^C --- ipv6.google.com ping statistics --- 24 packets transmitted, 0 received, 100% packet loss, time 23048ms seaburg ~ # ping6 -I eth0 2001:15c0:65ff:204::2 PING 2001:15c0:65ff:204::2(2001:15c0:65ff:204::2) from 2001:15c0:66e4:0:2e0:81ff:feb0:83fa eth0: 56 data bytes 64 bytes from 2001:15c0:65ff:204::2: icmp_seq=1 ttl=64 time=2.57 ms 64 bytes from 2001:15c0:65ff:204::2: icmp_seq=2 ttl=64 time=0.253 ms 64 bytes from 2001:15c0:65ff:204::2: icmp_seq=3 ttl=64 time=0.280 ms 64 bytes from 2001:15c0:65ff:204::2: icmp_seq=4 ttl=64 time=0.249 ms ^C --- 2001:15c0:65ff:204::2 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3000ms rtt min/avg/max/mdev = 0.249/0.838/2.572/1.001 ms seaburg ~ # ping6 -I eth0 ipv6.google.com PING ipv6.google.com(2001:4860:0:1001::68) from 2001:15c0:66e4:0:2e0:81ff:feb0:83fa eth0: 56 data bytes 64 bytes from 2001:4860:0:1001::68: icmp_seq=1 ttl=56 time=162 ms 64 bytes from 2001:4860:0:1001::68: icmp_seq=2 ttl=56 time=212 ms 64 bytes from 2001:4860:0:1001::68: icmp_seq=3 ttl=56 time=211 ms 64 bytes from 2001:4860:0:1001::68: icmp_seq=4 ttl=56 time=199 ms ^C --- ipv6.google.com ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3004ms rtt min/avg/max/mdev = 162.145/196.504/212.460/20.452 ms seaburg ~ #

what could be causing this? thanks in advance for the help && kind regards

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Tuesday, 03 February 2009 20:15:36

What kind of tunnel do you have? If it is ayiya, do you have the heartbeat enabled?

outside world only reachable after pinging gateway ?!?!

Jeroen Massar SixXS Staff

on Tuesday, 03 February 2009 20:42:08

See the FAQ - My tunnel goes down after some idletime. My tunnelendpoint also is a NAT/Connection Tracker

64 bytes from 2001:4860:0:1001::68: icmp_seq=2 ttl=56 time=212 ms

200+ ms to Google, I wonder how your routing goes as that is a lot of latency to that wellc connected place.

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Tuesday, 03 February 2009 20:55:22

thanks for your replies. my tunnel is static. the latency to ipv6.google.com is now around 65 ms. the tunnel itself is still working, i did not state that in my initial post. only the connectivity from the local network computers is lost. i can still ping6 from my firewall. any ideas what could be causing this?

ahuemer@seaburg ~ % ping6 -c3 ipv6.google.com PING ipv6.google.com(2001:4860:0:1001::68) 56 data bytes --- ipv6.google.com ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 2014ms ahuemer@seaburg ~ % ssh wall ping6 -c 3 ipv6.google.com PING ipv6.google.com(2001:4860:0:1001::68) 56 data bytes 64 bytes from 2001:4860:0:1001::68: icmp_seq=1 ttl=57 time=70.8 ms 64 bytes from 2001:4860:0:1001::68: icmp_seq=2 ttl=57 time=68.4 ms 64 bytes from 2001:4860:0:1001::68: icmp_seq=3 ttl=57 time=67.0 ms --- ipv6.google.com ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 67.037/68.777/70.848/1.573 ms ahuemer@seaburg ~ % ping6 -c3 ipv6.google.com PING ipv6.google.com(2001:4860:0:1001::68) 56 data bytes --- ipv6.google.com ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 2009ms ahuemer@seaburg ~ % ping6 -c3 2001:15c0:65ff:204::2 PING 2001:15c0:65ff:204::2(2001:15c0:65ff:204::2) 56 data bytes 64 bytes from 2001:15c0:65ff:204::2: icmp_seq=1 ttl=64 time=2.57 ms 64 bytes from 2001:15c0:65ff:204::2: icmp_seq=2 ttl=64 time=0.230 ms 64 bytes from 2001:15c0:65ff:204::2: icmp_seq=3 ttl=64 time=0.190 ms --- 2001:15c0:65ff:204::2 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2003ms rtt min/avg/max/mdev = 0.190/0.997/2.572/1.113 ms ahuemer@seaburg ~ % ping6 -c3 ipv6.google.com PING ipv6.google.com(2001:4860:0:1001::68) 56 data bytes 64 bytes from 2001:4860:0:1001::68: icmp_seq=1 ttl=56 time=70.3 ms 64 bytes from 2001:4860:0:1001::68: icmp_seq=2 ttl=56 time=62.4 ms 64 bytes from 2001:4860:0:1001::68: icmp_seq=3 ttl=56 time=65.0 ms --- ipv6.google.com ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 62.468/65.950/70.331/3.285 ms ahuemer@seaburg ~ %

seaburg is my workstation, wall is my firewall. 2001:15c0:65ff:204::2 is the address of the sixxs interface on my firewall.

outside world only reachable after pinging gateway ?!?!

Jeroen Massar SixXS Staff

on Tuesday, 03 February 2009 21:04:52

The connection tracking portion of your 'firewall', as when it doesn't find any packets going in/outbound anymore for a while it will loose the connection entry in its tracking tables and start blocking packets, until you send a packet outbound as then there is a valid entry in the table again. See the FAQ item.

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Tuesday, 03 February 2009 21:51:17

thanks for your reply. i checked the FAQ. unfortunately i did not find anything that helped me. which item are referring to? thanks.

outside world only reachable after pinging gateway ?!?!

Jeroen Massar SixXS Staff

on Tuesday, 03 February 2009 21:53:08

From the message above: See the FAQ - My tunnel goes down after some idletime. My tunnelendpoint also is a NAT/Connection Tracker

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Wednesday, 04 February 2009 12:54:12

i went through this FAQ entry and found out that the first way

iptables -t nat -A POSTROUTING --proto ! 41 -o [Your IPv4 Interface] -j MASQUERADE

works for me. the second way

iptables -t raw -A PREROUTING --proto 41 -j NOTRACK

does NOT, although i have NOTRACK support. now i wonder why this could be the case. any ideas? my existing iptables setup is nothing uncommon. i can post the obfuscated rules if that's necessary.

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Wednesday, 04 February 2009 13:05:30

ok, my last post was too early. it does actually NOT work with the first rule. without pinging the outside ipv6 address i loose connectivity. what's wrong here?

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Wednesday, 04 February 2009 19:59:36

Can you post your iptables and ip6tables rules?

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Wednesday, 04 February 2009 22:26:07

# iptables -t filter -nL Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6889 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5900 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5800 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5500:5519 state NEW ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4665 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4672 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:12413 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2234 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 state NEW ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3389 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5902 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5901 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:222 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:70 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 state NEW ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 state NEW ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:69 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1099 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2000 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4080 state NEW ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW ACCEPT all -- 192.168.0.0/24 0.0.0.0/0 state INVALID,NEW Chain FORWARD (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6889 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5900 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5800 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5500:5519 state NEW ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4665 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4672 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:12413 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2234 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 state NEW ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3389 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5902 state NEW ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5901 state NEW ACCEPT all -- 192.168.0.0/24 0.0.0.0/0 state INVALID,NEW Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT all -- 192.168.0.0/24 0.0.0.0/0 state INVALID,NEW ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW ACCEPT all -- 192.168.0.1 0.0.0.0/0 state INVALID,NEW ACCEPT all -- 172.17.118.95 0.0.0.0/0 state INVALID,NEW ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW # iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpts:6881:6889 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpts:6881:6889 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:4662 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:4662 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:5900 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:5900 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:5800 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:5800 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpts:5500:5519 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpts:5500:5519 to:192.168.0.2 DNAT udp -- 0.0.0.0/0 83.65.26.208 udp dpt:4665 to:192.168.0.2 DNAT udp -- 0.0.0.0/0 192.168.0.1 udp dpt:4665 to:192.168.0.2 DNAT udp -- 0.0.0.0/0 83.65.26.208 udp dpt:4672 to:192.168.0.2 DNAT udp -- 0.0.0.0/0 192.168.0.1 udp dpt:4672 to:192.168.0.2 DNAT udp -- 0.0.0.0/0 83.65.26.208 udp dpt:12413 to:192.168.0.2 DNAT udp -- 0.0.0.0/0 192.168.0.1 udp dpt:12413 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:2234 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:2234 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:3389 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:3389 to:192.168.0.2 DNAT udp -- 0.0.0.0/0 83.65.26.208 udp dpt:3389 to:192.168.0.2 DNAT udp -- 0.0.0.0/0 192.168.0.1 udp dpt:3389 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:5902 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:5902 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:5901 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:5901 to:192.168.0.2 Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpts:6881:6889 to:192.168.0.1 SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:4662 to:192.168.0.1 SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:5900 to:192.168.0.1 SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:5800 to:192.168.0.1 SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpts:5500:5519 to:192.168.0.1 SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:2234 to:192.168.0.1 SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:3389 to:192.168.0.1 SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:5902 to:192.168.0.1 SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:5901 to:192.168.0.1 MASQUERADE !41 -- 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) target prot opt source destination # iptables -t mangle -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination MARK icmp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff MARK !tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff Chain OUTPUT (policy ACCEPT) target prot opt source destination MARK icmp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff MARK !tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff Chain POSTROUTING (policy ACCEPT) target prot opt source destination # iptables -t raw -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination #

i do not have ip6tables right now. thanks for your time.

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Wednesday, 04 February 2009 23:49:49

Nice set of rules you have there. Try adding: iptables -A INPUT -i <wan.interface> -p ipv6 -s <your sixxs ipv4 endpoint>/32 -j ACCEPT to your INPUT chain.

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Thursday, 05 February 2009 10:55:57

thanks for your reply, but this does not work either. in case my sixxs ipv4 endpoint is my outside ipv4 address from the ISP.

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Friday, 06 February 2009 06:51:58

hi all, i'm intrested in this thread too. i habe the same problem. - i can ping6 my gateway from internal network - i can ping6 from my gateway to ipv6.google.com - but i CAN'T ping6 to google through my gateway unless i pinged my gateway i'm using radvd to publish my subnet through the internal interface. this works fine i think... but the hosts take the link-local address of my gateway as the default route and not my ipv6-subnet address of the internal interface of my gateway. anybody knows this is correct? when i reach office i will try out the 2 iptables rules reg. conntrack and will let you know. cheers, chris

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Friday, 06 February 2009 08:30:33

With the sixxs ipv4 endpoint I meant the address from the other side of the tunnel, not your own. But maybe you should also take a look at the radvd config that was posted by Christoph.

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Friday, 06 February 2009 10:10:03

i am sorry, but i still don't get which address you mean. you were talking about a ipv4 address, but in the next post of the tunnel endpoint address on the sixxs side, but this is an ipv6 address. please, take the time and describe further which address we are talking about. i tried that radvd config with my subnet prefix. nothing changed so far.

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Friday, 06 February 2009 12:21:15

hi, ipv4-pings should not be your problem. i think if you would drop icmp's from the ipv4-entpoint at sixxs you should not be able to ping6 ipv6.google.com from your gateway. changes of radvd.conf will take a while... (radvd-)default life-time of dynamic v6-addresses is 30 days. well you will *not* have to wait for 30 days to see any changes. but this might take some hours. ich changed my config (without effect) yesterday at about 16.00 CET. tomorrow morning (7.00 CET) everything works fine... i located this problem *only* with dynamic configuration. fix-configured hosts did not loose connection. cheers, chris

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Friday, 06 February 2009 08:08:38

i was al little bit too fast with my post... sorry for that. works for me now. the last thing i changed was radvd yesterdy in the evening. radvd-config before changes was simple like that:

interface eth0 { AdvSendAdvert on; prefix acdc:beef:dad:dead::/64 { AdvOnLink on; AdvAutonomous on; }; };

now it is:

interface eth0 { IgnoreIfMissing on; AdvDefaultLifetime 3600; AdvDefaultPreference high; AdvSendAdvert on; prefix acdc:beef:dad:dead::/64 { AdvOnLink on; AdvAutonomous on; AdvRouterAddr on; AdvValidLifetime 3600; AdvPreferredLifetime 3600; }; };

and tomorrow morning everything works fine. all systems i tested are able to ping6 google and get response without pinging the gateway before. so for me it was radvd-misconfiguration. i have no(!) ipv6-related rules in my v4-firewall expect allowing pings to my v4-address from the other tunnel endpoint... cheers chris

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Saturday, 07 February 2009 02:27:09

it still does not work for me. i am running the same radvd configuration as suggested. my iptables rules are already here in the thread. what else can i do?

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Sunday, 08 February 2009 20:20:37

hey just wanted to let you know that you're not alone and i have had this exact same problem on one of my machines for the last couple weeks, and it has driven me crazy. my problem is slightly different from yours (making it less serious) as the machine that is having problems is actually 3 hops from the sixxs tunnel, and can't get out anywhere until pinging its gateway (the box 2 hops from the tunnel). it has really puzzled me as it used to work fine, and broke about the same time i used the gui to configure the ip address of the interface (Using CentOS 5.2). i usually edit the files by hand, so i don't know if configuring the ip using the gui changed anything else. it would seem like a nat issue, but i have another (almost) identically configured machine in the same place on the network that does not have this issue. i just read this thread, so i haven't had a chance to try the thing mentioned here. i'm hoping some of the things mentioned will fix it.

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Monday, 09 February 2009 16:09:33

Are you using realtek network cards? Apparently there is a bug in the driver that causes it to ignore multicast traffic (i.e. your router trying to get the MAC address of the system you are on). It works fine if you have just done a ping since your router would know your MAC address. One description here

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Monday, 09 February 2009 21:05:20

thanks for your thoughts. no, i am using a intel 80003ES2LAN on the client, and a adaptec ANA620xx/ANA69011A on the server.

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Tuesday, 10 February 2009 16:14:21

that's weird, it seems your problem is so similar, but i wouldn't expect it with those brands. i ran tcpdump on both interfaces and noticed that the "neighbor solicitation" messages were being sent by the firewall were not being received at all by some machines. am i correct that your firewall is also not able to ping the computer on your internal network, until that computer has pinged your firewall? one method i used to fix the problem, though not the best method possible, was to add a permanent entry in the neighbor table of the firewall. now the firewall no longer needs to send the "neighbor solicitation" requests (that my network card driver on the internal machine was ignoring) to get the other computer's mac address. for example... box with problem has IP 2001:db8:108::2, and mac aa:bb:cc:11:22:33 so on my firewall i ran the command: ip neighbor change to 2001:db8:108::2 dev eth1 lladdr aa:bb:cc:11:22:33 nud permanent now the machine on the internal network (2001:db8:108::2) is able to access remote sites without first pinging its gateway.

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Tuesday, 10 February 2009 21:14:00

the situation is even getting worse. i had to reboot my firewall and now i cannot reach even the ipv6 interfaces of my firewall. i don't get it. here is some info: iptables rules:

# iptables -t mangle -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination MARK icmp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff MARK !tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff Chain OUTPUT (policy ACCEPT) target prot opt source destination MARK icmp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff MARK !tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0xffffffff MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff MARK tcp -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x3/0xffffffff Chain POSTROUTING (policy ACCEPT) target prot opt source destination #

# iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpts:6881:6889 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpts:6881:6889 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:4662 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:4662 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:5900 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:5900 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:5800 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:5800 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpts:5500:5519 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpts:5500:5519 to:192.168.0.2 DNAT udp -- 0.0.0.0/0 83.65.26.208 udp dpt:4665 to:192.168.0.2 DNAT udp -- 0.0.0.0/0 192.168.0.1 udp dpt:4665 to:192.168.0.2 DNAT udp -- 0.0.0.0/0 83.65.26.208 udp dpt:4672 to:192.168.0.2 DNAT udp -- 0.0.0.0/0 192.168.0.1 udp dpt:4672 to:192.168.0.2 DNAT udp -- 0.0.0.0/0 83.65.26.208 udp dpt:12413 to:192.168.0.2 DNAT udp -- 0.0.0.0/0 192.168.0.1 udp dpt:12413 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:2234 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:2234 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:3389 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:3389 to:192.168.0.2 DNAT udp -- 0.0.0.0/0 83.65.26.208 udp dpt:3389 to:192.168.0.2 DNAT udp -- 0.0.0.0/0 192.168.0.1 udp dpt:3389 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:5902 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:5902 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 83.65.26.208 tcp dpt:5901 to:192.168.0.2 DNAT tcp -- 0.0.0.0/0 192.168.0.1 tcp dpt:5901 to:192.168.0.2 Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpts:6881:6889 to:192.168.0.1 SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:4662 to:192.168.0.1 SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:5900 to:192.168.0.1 SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:5800 to:192.168.0.1 SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpts:5500:5519 to:192.168.0.1 SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:2234 to:192.168.0.1 SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:3389 to:192.168.0.1 SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:5902 to:192.168.0.1 SNAT tcp -- 192.168.0.0/24 192.168.0.2 tcp dpt:5901 to:192.168.0.1 MASQUERADE !41 -- 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) target prot opt source destination #

# iptables -t raw -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination #

# ip6tables -t filter -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination #

ip6tables rules:

# ip6tables -t mangle -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination #

# ip6tables -t raw -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination #

ipv4 routes on firewall:

# route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 172.25.46.23 * 255.255.255.255 UH 0 0 0 ppp0 10.0.0.138 172.17.118.1 255.255.255.255 UGH 0 0 0 eth0 10.0.0.138 172.17.118.1 255.255.255.254 UG 2 0 0 eth0 192.168.0.0 * 255.255.255.0 U 0 0 0 eth1 172.17.118.0 * 255.255.255.0 U 2 0 0 eth0 loopback wall.home 255.0.0.0 UG 0 0 0 lo default 172.25.46.23 0.0.0.0 UG 0 0 0 ppp0 default 172.17.118.1 0.0.0.0 UG 2 0 0 eth0 #

ipv6 routes on firewall:

# route -6 Kernel IPv6 routing table Destination Next Hop Flag Met Ref Use If ::/96 :: Un 256 0 0 sixxs 2001:15c0:65ff:204::/64 :: U 256 0 1 sixxs 2001:15c0:66e4::1/128 :: U 256 0 0 eth1 fe80::/64 :: U 256 0 0 eth0 fe80::/64 :: U 256 0 0 eth1 fe80::/64 :: U 256 0 0 sixxs ::/0 2001:15c0:65ff:204::1 UG 1024 0 5317 sixxs ::/0 :: !n -1 1 5439 lo ::1/128 :: Un 0 3 20 lo ::83.65.26.208/128 :: Un 0 1 0 lo ::127.0.0.1/128 :: Un 0 1 0 lo ::172.17.118.95/128 :: Un 0 1 0 lo ::192.168.0.1/128 :: Un 0 1 0 lo 2001:15c0:65ff:204::2/128 :: Un 0 1 595 lo 2001:15c0:66e4::1/128 :: Un 0 1 0 lo fe80::200:d1ff:feed:daf9/128 :: Un 0 1 0 lo fe80::200:d1ff:feed:dafa/128 :: Un 0 1 38 lo ff00::/8 :: U 256 0 0 eth0 ff00::/8 :: U 256 0 0 eth1 ff00::/8 :: U 256 0 0 sixxs ::/0 :: !n -1 1 5439 lo #

ip's on firewall:

# ip addr show 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:00:d1:ed:da:f9 brd ff:ff:ff:ff:ff:ff inet 172.17.118.95/24 brd 172.17.118.255 scope global eth0 inet6 fe80::200:d1ff:feed:daf9/64 scope link valid_lft forever preferred_lft forever 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:00:d1:ed:da:fa brd ff:ff:ff:ff:ff:ff inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1 inet6 2001:15c0:66e4::1/128 scope global valid_lft forever preferred_lft forever inet6 fe80::200:d1ff:feed:dafa/64 scope link valid_lft forever preferred_lft forever 4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000 link/ether 00:00:d1:ed:da:fb brd ff:ff:ff:ff:ff:ff 5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000 link/ether 00:00:d1:ed:da:fc brd ff:ff:ff:ff:ff:ff 6: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN link/ether ae:05:f8:c6:24:03 brd ff:ff:ff:ff:ff:ff 7: teql0: <NOARP> mtu 1500 qdisc noop state DOWN qlen 100 link/void 8: sit0: <NOARP> mtu 1480 qdisc noop state DOWN link/sit 0.0.0.0 brd 0.0.0.0 9: ip6tnl0: <NOARP> mtu 1460 qdisc noop state DOWN link/tunnel6 :: brd :: 10: wmaster0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000 link/ieee802.11 00:04:e2:80:ee:66 brd ff:ff:ff:ff:ff:ff 11: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000 link/ether 00:04:e2:80:ee:66 brd ff:ff:ff:ff:ff:ff 12: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 3 link/ppp inet 83.65.26.208 peer 172.25.46.23/32 scope global ppp0 13: sixxs: <NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN link/sit 0.0.0.0 brd 0.0.0.0 inet6 2001:15c0:65ff:204::2/64 scope global valid_lft forever preferred_lft forever inet6 ::83.65.26.208/96 scope global valid_lft forever preferred_lft forever inet6 ::192.168.0.1/96 scope global valid_lft forever preferred_lft forever inet6 ::172.17.118.95/96 scope global valid_lft forever preferred_lft forever inet6 ::127.0.0.1/96 scope host valid_lft forever preferred_lft forever #

ip's on client:

ipv4 routes on the client:

# route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.0.0 * 255.255.255.0 U 2 0 0 eth0 192.168.206.0 * 255.255.255.0 U 0 0 0 vmnet8 loopback seaburg.home 255.0.0.0 UG 0 0 0 lo default wall 0.0.0.0 UG 2 0 0 eth0 #

ipv6 routes on client:

# route -6 Kernel IPv6 routing table Destination Next Hop Flag Met Ref Use If ::1/128 :: Un 0 3 25 lo 2001:15c0:66e4:0:2e0:81ff:feb0:83fa/128 :: Un 0 1 0 lo 2001:15c0:66e4::/64 :: UAe 256 0 0 eth0 fe80::250:56ff:fec0:8/128 :: Un 0 1 0 lo fe80::2e0:81ff:feb0:83fa/128 :: Un 0 1 0 lo fe80::/64 :: U 256 0 0 vmnet8 fe80::/64 :: U 256 0 0 eth0 ff00::/8 :: U 256 0 0 vmnet8 ff00::/8 :: U 256 0 0 eth0 ::/0 fe80::200:d1ff:feed:dafa UGDAe 1024 0 7 eth0 ::/0 :: !n -1 1 22 lo #

pinging on the client:

# ping6 -I eth0 -c3 fe80::200:d1ff:feed:dafa PING fe80::200:d1ff:feed:dafa(fe80::200:d1ff:feed:dafa) from fe80::2e0:81ff:feb0:83fa eth0: 56 data bytes 64 bytes from fe80::200:d1ff:feed:dafa: icmp_seq=1 ttl=64 time=0.343 ms 64 bytes from fe80::200:d1ff:feed:dafa: icmp_seq=2 ttl=64 time=0.236 ms 64 bytes from fe80::200:d1ff:feed:dafa: icmp_seq=3 ttl=64 time=0.277 ms --- fe80::200:d1ff:feed:dafa ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2005ms rtt min/avg/max/mdev = 0.236/0.285/0.343/0.046 ms # ping6 -I eth0 -c3 2001:15c0:65ff:204::2 PING 2001:15c0:65ff:204::2(2001:15c0:65ff:204::2) from 2001:15c0:66e4:0:2e0:81ff:feb0:83fa eth0: 56 data bytes --- 2001:15c0:65ff:204::2 ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 2015ms # ping6 -I eth0 -c3 fe80::200:d1ff:feed:daf9 PING fe80::200:d1ff:feed:daf9(fe80::200:d1ff:feed:daf9) from fe80::2e0:81ff:feb0:83fa eth0: 56 data bytes From fe80::2e0:81ff:feb0:83fa icmp_seq=1 Destination unreachable: Address unreachable From fe80::2e0:81ff:feb0:83fa icmp_seq=2 Destination unreachable: Address unreachable From fe80::2e0:81ff:feb0:83fa icmp_seq=3 Destination unreachable: Address unreachable --- fe80::200:d1ff:feed:daf9 ping statistics --- 3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2016ms # ping6 -I eth0 -c3 ipv6.google.com PING ipv6.google.com(2001:4860:0:1001::68) from 2001:15c0:66e4:0:2e0:81ff:feb0:83fa eth0: 56 data bytes --- ipv6.google.com ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 2015ms #

what the hell prevents my from enjoying the pleasures of ipv6?

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Tuesday, 10 February 2009 22:18:57

inet6 2001:15c0:66e4::1/128 scope global

Well at least one problem is that the IP on eth1 on the firewall is in a /128 subnet instead of /64, so that is preventing it from communicating with the public IP on the client. I'm not sure why that would cause this line to fail:

# ping6 -I eth0 -c3 fe80::200:d1ff:feed:daf9

But that would cause your ping to ipv6.google.com to fail since there is no route back to the client...

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Tuesday, 10 February 2009 22:30:22

of course the reason you can't ping fe80::200:d1ff:feed:daf9 from the client is because that is a link local ip address, and it is not forwarded by the firewall. eth0 on the client can ping eth1 on the firewall, but not eth0

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Thursday, 12 February 2009 00:08:55

wow. that seems to have done the trick!!! it was my fault that the address of eth1 hat a mask of 128. since i set it to 64 everything seems to work. i do not even need to have one of the rules described in the faq. can that be possible?

outside world only reachable after pinging gateway ?!?!

Shadow Hawkins on Thursday, 12 February 2009 00:35:36

i'm not certain, as i've never set up a tunnel behind nat before. from the iptables rules you posted before, it looks like you already added one of those rules....

MASQUERADE !41 -- 0.0.0.0/0 0.0.0.0/0

that rule is only needed for the endpoint of the tunnel (that is the only time proto 41 packets are used, the rest are normal ipv6 packets) even then, it could work for a while before it stops working. i recall recently reading a post from someone whose tunnel worked for months without that type of rule, and then suddenly stopped.

Please note Posting is only allowed when you are logged in.