6to4 - can't ping 192.88.99.1?

Discussion in 'Linux Networking' started by Arno Schuring, Jun 13, 2009.

  1. Hi all,

    Once again I'm trying to get connected to the IPv6 world, but I think
    I've now hit a problem with my ISP (or further upstream). But before I
    go bugging them about it, I figured I'd ask some experts.

    So here goes... I'm trying the default 6to4 approach:
    $ ip tunnel add tun6to4 mode sit ttl 255 remote any local $WANIP6
    $ ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4

    But I can't reach any sites via IPv6. And I think it's because of this:

    [email protected]:~$ traceroute 192.88.99.1
    traceroute to 192.88.99.1 (192.88.99.1), 30 hops max, 60 byte packets
    1 gw.loos.site (172.22.21.1) 0.672 ms 1.513 ms 1.747 ms
    2 213.197.27.154 (213.197.27.154) 18.367 ms 19.254 ms 19.463 ms
    3 213.197.27.117 (213.197.27.117) 20.755 ms 21.175 ms 21.880 ms
    4 ge-0.2.0.core1.ams.bb.your.org (204.9.53.58) 22.959 ms 23.564 ms 25.655 ms
    5 * * *
    6 * * *
    [...]


    But I don't know where to go from here. The last IP address belongs to a
    small registrar in Illinois, which doesn't really make sense to me, but
    I don't know how the 192.88.99.1 anycast addresses are maintained. Would
    it make sense for me to ask my ISP to verify their routing tables?


    Thanks for any help you can give me,

    Arno
     
    Arno Schuring, Jun 13, 2009
    #1

  2. Arno Schuring

    Bit Twister Guest

    Try traceroute -I 192.88.99.1
     
    Bit Twister, Jun 14, 2009
    #2

  3. Arno Schuring

    D. Stussy Guest

    Since you can traceroute toward it, your ISP obviously is getting a route
    via BGP. Therefore, it's presumedly reachable. I can't verify if the
    "your.org" 6to4 gateway is up because 192.88.99.0/24 is an anycast network
    and my routing points to another provider's gateway.

    As your first hop is in 172.16.0.0/12, you obviously have a NAT-box or
    router on your network. Are you certain that IPv6 packets aren't hitting
    your router? They may be IPv4 packets using protocol 41 (instead of TCP or
    UDP), and some consumer devices cannot handle protocol 41 properly - or
    need a DMZ'ed box to forward them through.
     
    D. Stussy, Jun 14, 2009
    #3
  4. Hello,

    Arno Schuring wrote:
    What is $WANIP6 ?
    You skipped some steps :
    - Assign an IPv6 address within your 6to4 prefix to one of your box
    interfaces (it does not need to be the 6to4 interface).
    - Add a route to the whole 6to4 prefix 2002::/16 on the 6to4 interface.

    Actually these two steps can be merged in one operation, e.g. :

    Can you elaborate ? How did you test ? Any error messages ?
    Not necessarily. A 6to4 relay router may ignore anything but 6to4
    traffic (IPv4 protocol 41).
    Huh ? Your.org is a hosting company which is known to operate a 6to4
    relay router. This seems to be their POP in the Netherlands.

    From the private address in your first hop it appears that you may be
    using some NAT. If so, make sure that :
    - your NAT device can handle 6in4/6to4 (IPv4 protocol 41) traffic ;
    - the NAT device forwards incoming 6to4 traffic from the outside to your
    box (6to4 routing is asymmetric, so the IPv4 source address of a reply
    may be different from the IPv4 destination address of the request and
    simple masquerading won't handle this case) ;
    - you use the 6to4 prefix derived from the public IPv4 address of the
    NAT device, not from the private address of your box.
     
    Pascal Hambourg, Jun 14, 2009
    #4
  5. Hi all,

    thanks for the replies. I realize I've not been as detailed as I should
    have been, so please forgive me if I'm being too verbose now :)

    No change, even if I do this from the router:

    # traceroute -I 192.88.99.1
    traceroute to 192.88.99.1 (192.88.99.1), 30 hops max, 38 byte packets
    1 213.197.27.154 (213.197.27.154) 13.823 ms 24.154 ms 6.344 ms
    2 213.197.27.117 (213.197.27.117) 7.070 ms 6.704 ms 6.826 ms
    3 ge-0.2.0.core1.ams.bb.your.org (204.9.53.58) 7.599 ms 7.298 ms 7.050 ms
    4 * * *
    5 * * *


    Yes I know. Because I couldn't reach the 6to4 gateway via ipv4, I
    immediately jumped to the conclusion that giving the detailed IPv6
    configuration was irrelevant.

    So here is the IPv6-up script:
    # Wait until the WAN interface (vlan1) has an IPv4 address
    WANIP6=
    while [ -z "$WANIP6" ] ; do
        sleep 8
        WANIP6=$(ip -4 addr show dev vlan1 | awk '/inet/ {print $2}' | cut -d/ -f1)
    done

    # 6to4 prefix: 2002: followed by the four IPv4 octets in hex
    V6PREFIX=$(printf '2002:%02x%02x:%02x%02x' $(echo $WANIP6 | tr . ' '))
    ip tunnel add tun6to4 mode sit ttl 255 remote any local "$WANIP6"
    ip link set tun6to4 mtu 1280
    ip link set tun6to4 up
    ip addr add "$V6PREFIX:0::1/16" dev tun6to4
    ip addr add "$V6PREFIX:1::1/64" dev br0
    # Default IPv6 route via the 6to4 anycast relay
    ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding


    Side note: is there a reason why this route should be added even when I
    have a 2000::/3 route already defined?
    No errors, just timeouts:

    [email protected]:~$ ping6 -c3 www.kame.net
    PING www.kame.net(orange.kame.net) 56 data bytes

    --- www.kame.net ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 1999ms

    [email protected]:~$ traceroute6 www.kame.net
    traceroute to www.kame.net (2001:200:0:8002:203:47ff:fea5:3085), 30 hops max, 80 byte packets
    1 2002:d594:e6a3:1::1 (2002:d594:e6a3:1::1) 0.919 ms 1.003 ms 1.087 ms
    2 * * *

    - opening a browser to http://whatismyipv6.net : times out, then
    redirects to the ipv4 site which says "Your IP is 213.148.230.163"

    Hmm... that's too bad. So I have no way to confirm either the validity
    of my ISP's routes, or test the reachability of the 6to4 gateway?

    Ah. Didn't know that. I based my comment solely on the whois information:

    [email protected]:~$ whois 204.9.53.58

    OrgName: YOUR.ORG, INC.
    OrgID: YOURO
    Address: 840 W Lake St #406
    City: Roselle
    StateProv: IL
    PostalCode: 60172
    Country: US
    [...]
    See below.

    There are two boxes, to be exact. One is my modem (Emiment EM4206),
    which is configured in bridged mode so it really only should be doing
    modem-y things and not be dropping packets.

    The router is a Linksys wrt54 with DD-WRT firmware installed. I already
    know that (out-of-the-box) it has issues with IPv6 but I believe I've
    overcome them. One problem that is still present is that the default
    firmware image has no ipv6-tools (no ip6tables executable or kernel
    module, no ping6 or traceroute6) so I'm a little constrained in the
    tests I can do.

    Here's the relevant info from my configuration (on the router):

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    [ ACCEPT lines skipped ]
    DROP udp -- anywhere anywhere udp dpt:route
    ACCEPT ipv6 -- anywhere anywhere
    DROP icmp -- anywhere anywhere
    [ lines skipped ]
    DROP 0 -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT ipv6 -- anywhere anywhere
    [ lines skipped ]
    DROP 0 -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    [ empty ]

    # ip -s ad
    6: vlan1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 00:1d:7e:c6:9c:23 brd ff:ff:ff:ff:ff:ff
    inet 213.148.230.163/24 brd 213.148.230.255 scope global vlan1
    inet6 fe80::21d:7eff:fec6:9c23/64 scope link
    7: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 00:1d:7e:c6:9c:22 brd ff:ff:ff:ff:ff:ff
    inet 172.22.21.1/24 brd 172.22.21.255 scope global br0
    inet 169.254.255.1/16 brd 169.254.255.255 scope global br0:0
    inet6 2002:d594:e6a3:1::1/64 scope global
    inet6 fe80::21d:7eff:fec6:9c22/64 scope link
    9: [email protected]: <NOARP,UP> mtu 1280 qdisc noqueue
    link/sit 213.148.230.163 brd 0.0.0.0
    inet6 ::213.148.230.163/128 scope global
    inet6 2002:d594:e6a3::1/16 scope global

    # ip -s ro
    172.22.21.0/24 dev br0 proto kernel scope link src 172.22.21.1
    213.148.230.0/24 dev vlan1 proto kernel scope link src 213.148.230.163
    169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
    127.0.0.0/8 dev lo scope link
    default via 213.148.230.1 dev vlan1
    # ip -6 -s ro
    ::/96 via :: dev tun6to4 metric 256 mtu 1280 advmss 1220
    2002:d594:e6a3:1::/64 dev br0 metric 256 mtu 1500 advmss 1440
    2002::/16 dev tun6to4 metric 256 mtu 1280 advmss 1220
    2000::/3 via ::192.88.99.1 dev tun6to4 metric 1024 mtu 1280 advmss 1220
    [ fe80:: and ff00:: routes skipped ]


    # cat /tmp/radvd.conf
    interface br0 {
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvLinkMTU 1280;
    AdvSendAdvert on;
    prefix 0:0:0:1::/64 {
    AdvOnLink on;
    AdvAutonomous on;
    AdvValidLifetime 7200;
    AdvPreferredLifetime 300;
    Base6to4Interface vlan1;
    AdvRouterAddr on;
    };
    };
    # cat /proc/sys/net/ipv6/conf/all/forwarding
    1


    Many thanks for making it to the end of this mail,
    Arno
     
    Arno Schuring, Jun 14, 2009
    #5
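
Added example, not code from any poster in this thread: a shell sketch of the prefix derivation that the script in post #5 performs with printf, combined with the check from post #4 that the prefix comes from the public IPv4 address of the NAT device and not from a private one. The function names are hypothetical, and the address ranges treated as non-public are an assumption listed in the comments.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the thread).

# Succeed if $1 is a dotted quad with four octets 0-255, no leading zeros.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Succeed if $1 is in a range that cannot source 6to4 traffic on the
# Internet: 0/8, 10/8, 100.64/10, 127/8, 169.254/16, 172.16/12, 192.168/16.
is_non_public() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    case "$1" in
        0|10|127) return 0 ;;
        100) [ "$2" -ge 64 ] && [ "$2" -le 127 ] && return 0 ;;
        169) [ "$2" -eq 254 ] && return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
        192) [ "$2" -eq 168 ] && return 0 ;;
    esac
    return 1
}

# Print the 6to4 prefix (2002:WWXX:YYZZ) for IPv4 address $1.
# Exit status 2: malformed input; 3: private or otherwise non-public address.
sixto4_prefix() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 2; }
    if is_non_public "$1"; then
        echo "$1 is not public; use the NAT device's WAN address" >&2
        return 3
    fi
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    printf '2002:%02x%02x:%02x%02x\n' "$1" "$2" "$3" "$4"
}

# Succeed if IPv6 address $1 starts with the 6to4 prefix of IPv4 address $2.
# Textual match: $1 must use the zero-padded groups sixto4_prefix prints.
in_6to4_prefix() {
    want=$(sixto4_prefix "$2") || return $?
    case "$1" in "$want":*) return 0 ;; *) return 1 ;; esac
}
```

Run against the addresses in this thread, `sixto4_prefix 213.148.230.163` prints `2002:d594:e6a3` (the prefix on br0 in post #5), and `sixto4_prefix 192.88.99.1` prints `2002:c058:6301`, the relay's anycast 6to4 address.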
  6. Arno Schuring wrote:
    Yes : reach directly other 6to4 networks. By the way I tested this and
    it seems to work, so your overall 6to4 setup seems fine : if I ping your
    router's 6to4 address from my 6to4 address, I get a (direct) reply.
    However if I ping from my native IPv6 address, I get no reply.
    Note that from my experience, www.kame.net appears to be one of the few
    sites which is unfortunately not reachable using 6to4. However from the
    lack of reply at the second hop, it seems that you were correct about
    the faulty 6to4 relay or routing.
    Maybe try to ping the IPv6 anycast address of the 6to4 relay,
    2002:c058:6301::.
    Note that this rule is not necessary, as the hosts on your LAN don't use
    6in4 encapsulation.
     
    Pascal Hambourg, Jun 14, 2009
    #6
  7. Wow, that's very valuable information. Thanks for testing!
    Do you have a suggestion as to which address to use when testing IPv6
    (6to4) connectivity?
    Sadly, no luck:

    [email protected]:~$ ping6 -c3 2002:c058:6301::
    PING 2002:c058:6301::(2002:c058:6301::) 56 data bytes

    --- 2002:c058:6301:: ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2015ms


    Ah yes, that makes sense. I added it manually just to be sure I covered
    all the angles, glad to know it isn't necessary.

    Thanks for your help. I'll take this to my ISP and see if they are
    willing/able to help me out.


    Thanks to all,
    Arno
     
    Arno Schuring, Jun 14, 2009
    #7
  8. Arno Schuring wrote:
    whatismyipv6.net seems to work fine with 6to4 (when the relay works).
    See <http://www.6to4.your.org/> too. I remember that Your.org's 6to4
    relay router once had a firewall issue which was quickly solved thanks to
    a cooperation between my ISP and Your.org.
     
    Pascal Hambourg, Jun 14, 2009
    #8
  9. Arno Schuring

    Bit Twister Guest

    How odd.

    $ traceroute -I 192.88.99.1
    traceroute to 192.88.99.1 (192.88.99.1), 30 hops max, 60 byte packets
    1 gateway.home.test (192.168.1.1) 0.727 ms 0.835 ms 1.258 ms
    2 L100.DLLSTX-VFTTP-33.verizon-gni.net (71.170.124.1) 8.402 ms 9.758 ms 9.885 ms
    3 P11-1.DLLSTX-LCR-03.verizon-gni.net (130.81.58.104) 12.171 ms 12.32 12.384 ms
    4 so-5-1-0-0.DFW01-BB-RTR1.verizon-gni.net (130.81.29.180) 14.414 14.467 14.660 ms
    5 so-6-0-0-0.DFW80-PEER-RTR1-re1.verizon-gni.net (130.81.17.173) 42.159 17.202 44.187 ms
    6 gige-g2-7.core1.dal1.he.net (64.62.205.49) 39.389 ms 40.988 ms 43.220 ms
    7 10gigabitethernet5-2.core1.ash1.he.net (72.52.92.62) 53.272 47.801 49.659 ms
    8 192.88.99.1 (192.88.99.1) 54.309 ms 49.032 ms 51.196 ms
     
    Bit Twister, Jun 14, 2009
    #9
  10. Bit Twister wrote:
    What's odd ?
    So what ?
     
    Pascal Hambourg, Jun 14, 2009
    #10
  11. I want to thank you again for your help. Indeed, it took only a single
    mail to your.org to get this issue fixed.


    Incidentally, I have no issues reaching www.kame.net:

    [email protected]:~$ traceroute6 www.kame.net
    traceroute to www.kame.net (2001:200:0:8002:203:47ff:fea5:3085), 30 hops max, 80 byte packets
    1 2002:d594:e6a3:1::1 (2002:d594:e6a3:1::1) 0.412 ms 0.961 ms 1.043 ms
    2 2002:c058:6301:: (2002:c058:6301::) 28.015 ms 28.956 ms 29.902 ms
    3 stf.ge-0.0.0-33.core1.ams.bb6.your.org (2001:4978:2:410::ffff) 31.593 ms 32.498 ms 35.421 ms
    4 ams-ix.he.net (2001:7f8:1::a500:6939:1) 41.483 ms 42.298 ms 43.505 ms
    [...]
    15 orange.kame.net (2001:200:0:8002:203:47ff:fea5:3085) 285.262 ms 286.495 ms 287.664 ms


    Many thanks,
    Arno
     
    Arno Schuring, Jun 15, 2009
    #11
  12. Arno Schuring wrote:
    Good news. Did they explain what the problem was ?
    Indeed it also works for me now. So this connectivity issue with 6to4
    addresses was solved too. Another good news.
     
    Pascal Hambourg, Jun 15, 2009
    #12
  13. It's been *my* experience that www.kame.net is _the_ most reliably
    reachable site by 6to4. Getting the turtle to dance is pretty much the
    standard test that IPv6 works.
     
    Allen Kistler, Jun 15, 2009
    #13
  14. Arno Schuring

    thangecp Guest




    Hello
    Did you fix this error? I am having the same.
    Please share your solution with me.
    Thank you
     
    thangecp, Nov 13, 2014
    #14
  15. Arno Schuring

    thangecp Guest




    Hello
    Now I have an Ubuntu computer with private IPv4 192.168.12.38 (this connects to a router that has public IPv4 112.171.23.96).

    I configured 6to4 like this :
    /sbin/ip tunnel add tun6to4 mode sit remote any local 192.168.12.38
    /sbin/ip link set dev tun6to4 up
    /sbin/ip -6 addr add 2002:70ab:1760::1/16 dev tun6to4
    /sbin/ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1

    But it cannot ping6 ipv6.google.com. I saw it is the same problem as Arno's.

    Please help me.
    Thank you
    Victor
     
    thangecp, Nov 13, 2014
    #15
  16. Arno Schuring

    Jorgen Grahn Guest

    Can you ping the other endpoint, then? And what errors do you get?

    For what it's worth, I have my tunnel in /etc/network/interfaces
    instead, and it looks like this (addresses hidden for paranoia reasons):

    iface he6 inet6 v4tunnel
    address $my_ipv6_addr
    gateway $their_ipv6_addr
    netmask 64
    local $my_static_ipv4_addr
    endpoint $their_tunnel_endpoint_ipv4
    ttl 63

    Works nicely. That's on Debian Stable; I guess Ubuntu has this
    configuration as well.

    /Jorgen
     
    Jorgen Grahn, Nov 13, 2014
    #16