• March 28, 2024, 03:32:33 AM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Author Topic: 636L with HE tunnel broker cannot ping IPv6  (Read 16967 times)

btarantina

  • Level 1 Member
  • *
  • Posts: 7
636L with HE tunnel broker cannot ping IPv6
« on: June 23, 2015, 09:03:00 PM »

I have a DIR-636L Hardware Version 1A, Firmware 1.04
I also have a tunnel set up through Hurricane Electric
I am on an AT&T UVerse network and my UVerse gateway is configured to put my 636L in DMZ-Plus mode and my 636L has a public IPv4 address.

I configured the IPv6 tunnel settings based on HE forum posts that have verified success with similar D-Link routers (with screenshots). I have a Windows box that is getting an IPv6 address from the router, but pinging from either the Windows box or the router tools fails.

Is there some setting could be blocking outgoing IPv6 by default? I've wiped my router settings and only added the IPv6 tunnel info and it doesn't work.

What am I missing?
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: 636L with HE tunnel broker cannot ping IPv6
« Reply #1 on: June 24, 2015, 06:59:41 AM »

Link>Welcome!

  • What region are you located?

Internet Service Provider and Modem Configurations

I would presume that possibly your ISP modem maybe blocking IPv6 ping requests or somehow not allowing pings to come thru. We've known that ATT U-Verse DMZ Plus is not a full on DMZ and still limits some traffic.
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

btarantina

  • Level 1 Member
  • *
  • Posts: 7
Re: 636L with HE tunnel broker cannot ping IPv6
« Reply #2 on: June 24, 2015, 07:52:03 AM »

I am east coast US. My closest tunnel broker router is in northern Virginia.
Logged

btarantina

  • Level 1 Member
  • *
  • Posts: 7
Re: 636L with HE tunnel broker cannot ping IPv6
« Reply #3 on: June 24, 2015, 07:57:38 AM »

I found this posting a few days ago and this is exactly how I configured my UVerse router:

https://forums.att.com/t5/Third-Party-Devices/How-to-Bridge-PACE-5031-NV-to-3rd-Party-Router/td-p/3612175

It's frustrating since others messages on that thread said that they followed the exact same steps on the exact same modem and they were able to hit their HE tunnels.
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: 636L with HE tunnel broker cannot ping IPv6
« Reply #4 on: June 24, 2015, 08:08:39 AM »

What routers are they using?

Do you have WAN Ping Respond feature under Advanced/Adv Networking by chance?
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

btarantina

  • Level 1 Member
  • *
  • Posts: 7
Re: 636L with HE tunnel broker cannot ping IPv6
« Reply #5 on: June 24, 2015, 08:23:36 AM »

Yes, the 636L has that already enabled.

Do I need to enable either the "cascade router" option or the "add additional network" option on the Uverse gateway and list my 636L?
Logged

btarantina

  • Level 1 Member
  • *
  • Posts: 7
Re: 636L with HE tunnel broker cannot ping IPv6
« Reply #6 on: June 24, 2015, 08:42:00 AM »

If I go to a third-party site: 4or6.com both the ping and the traceroute (both UDP and ICMP) show that the client tunnel endpoint (listed on my tunnelbroker specs) is unreachable:

#ping6 -c 3 2001:470:7:35c::2
PING 2001:470:7:35c::2(2001:470:7:35c::2) 56 data bytes
From 2001:470:0:8c::2 icmp_seq=1 Destination unreachable: Address unreachable
From 2001:470:0:8c::2 icmp_seq=2 Destination unreachable: Address unreachable
From 2001:470:0:8c::2 icmp_seq=3 Destination unreachable: Address unreachable

--- 2001:470:7:35c::2 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2003ms



#traceroute -6  -I 2001:470:7:35c::2
traceroute to 2001:470:7:35c::2 (2001:470:7:35c::2), 30 hops max, 80 byte packets
 1  2607:f2f8:1600::1 (2607:f2f8:1600::1)  3.119 ms  3.091 ms  3.088 ms
 2  2001:504:13::1a (2001:504:13::1a)  109.272 ms  109.278 ms  109.340 ms
 3  10ge14-1.core1.den1.he.net (2001:470:0:15d::1)  29.988 ms  29.994 ms  29.993 ms
 4  10ge5-5.core1.mci3.he.net (2001:470:0:240::2)  50.782 ms  51.187 ms  51.190 ms
 5  10ge1-4.core1.ash1.he.net (2001:470:0:30b::1)  67.340 ms  67.345 ms  67.344 ms
 6  tserv1.mia1.he.net (2001:470:0:8c::2)  72.895 ms  99.842 ms  99.843 ms
 7  tserv1.mia1.he.net (2001:470:0:8c::2)  117.901 ms !H  108.974 ms !H  112.502 ms !H
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: 636L with HE tunnel broker cannot ping IPv6
« Reply #7 on: June 24, 2015, 08:47:49 AM »

I'm going to have another user review this and see if he can offer up some information and help here...
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: 636L with HE tunnel broker cannot ping IPv6
« Reply #8 on: June 24, 2015, 10:13:17 AM »

Hi,

Quote
It's frustrating since others messages on that thread said that they followed the exact same steps on the exact same modem and they were able to hit their HE tunnels.

They didn't say it was a HE tunnel, they only mentioned "IPv6 tunnels". And there are tunnel types encapsulating IPv6 using UDP/IP (e.g. Teredo, TSP (Freenet6) or AYIYA (SixXS)), while HE tunnels directly encapsulate IPv6 inside IPv4 (proto-41). And maybe your Uverse gateway blocks proto-41 packets. In addition the public IPv4 address you use for the WAN interface of your DIR router must not change (e.g. after a new Internet connection setup) and be the one you registered with HE for use as your local IPv4 tunnel endpoint address.

A second issue may be the IPv6 firewall on your DIR-636L: If it is disabled, all IPv6 traffic is blocked. If you enable it you have to explicitely configure a rule that allows all IPv6 traffic out from your LAN to WAN.

Hence try the following configuration of your IPv6 firewall:

Switch the IPv6 firewall on by selecting "Turn IPv6 Filtering ON and ALLOW rules listed". Then specify the following single rule:

  • Check the checkbox for the first rule
  • Name that rule whatever your like, e.g. AllowAllOut
  • Schedule: Always
  • Source Interface: LAN
  • Source IP Address Range: either ::/0 or ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff or :: (denoting "any"), depends on what it expects and accepts
  • Protocol: Any
  • Dest Interface: WAN
  • Dest IP Address Range: either ::/0 or ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff or :: (denoting "any"), depends on what it expects and accepts
  • Port Range: not changeable, if Protocol=Any was selected

Optionally you may "Enable IPv6 Simple Security".

Quote
If I go to a third-party site: 4or6.com both the ping and the traceroute (both UDP and ICMP) show that the client tunnel endpoint (listed on my tunnelbroker specs) is unreachable:

If I do a ping6 or traceroute6 from my site I get the same result. I get an ICMPv6 type 1 (=destination unreachable), code 3 (address unreachable) sent back to me from 2001:470:0:8c::2 (tserv1.mia1.he.net). This indicates that tserv1 does not know how to route to your address 2001:470:7:35c::2, probably because no 6in4 tunnel exists. Are you sure, the global IPv4 address assigned to your DIR's WAN interface is the same as the one you registered at HE?

PT
« Last Edit: June 24, 2015, 12:00:44 PM by PacketTracer »
Logged

btarantina

  • Level 1 Member
  • *
  • Posts: 7
Re: 636L with HE tunnel broker cannot ping IPv6
« Reply #9 on: June 24, 2015, 01:33:38 PM »

I verified my HE tunnel settings and the IPv4 endpoint addresses match and my IPv4 address is static.

My IPv6 firewall was indeed off and I followed your instructions and added the rule... no change...

I am in the process of contacting SixXS to see about setting up a different type of tunnel... I only have options for 6in4, 6to4 and 6rd...hopefully one of the other ones will succeed.
Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: 636L with HE tunnel broker cannot ping IPv6
« Reply #10 on: June 24, 2015, 02:33:33 PM »

You can use 6to4 ad hoc without any provider support! And since it also uses proto-41 encapsulation, it would be a good test if your Uverse gateway blocks proto-41 packets. But you will depend on freely usable 6to4 relays reachable via the well known anycast address 192.88.99.1. And this is the reason why 6to4 is known to be not the best solution (just a bit better than Teredo as a last resort) and why using the 6to4 anycast address was deprecated recently (RFC7526). 6rd is derived from 6to4 with the difference that the 6to4 relay is operated by your ISP (hence he must support it) and is reachable via some ip address specific to your ISP (and which must be entered to the 6rd configuration of your router).

With SixXS a "6in4-static" tunnel is the only choice supported by your DIR router.  But it only works if you have a static global IPv4 address assigned to your router's WAN interface. And you luckily have one! Hence for you the following is informational only about the other tunnel types available via SixXS.

If your global WAN IPv4 address changes periodically (as is a bad practice with many ISPs here in Germany, who disconnect their customers once a day and assign new addresses after a reconnect), with SixXS you would have to use a "6in4-heartbeat" tunnel. But this only works if your router supports the heartbeat protocol, unfortunately D-LINK routers don't.

If your global WAN IP address is not static and your router doesn't support heartbeat protocol, as a last resort you could use an AYIYA tunnel which terminates at a client behind your NAT router. Hence only this client can use IPv6. Or you use some second router (e.g. this inexpensive one) operated with OpenWRT which terminates the AYIYA tunnel and, being configured as an IPv6 router with an ip6tables firewall, provides IPv6 for the LAN (see here). This was a working solution for me some time ago when I used a D-LINK router without an integrated IPv6 firewall.

With SixXS you must be careful to request the correct tunnel type from the very beginning (in your case: 6in4-static). Changing tunnel type later costs some virtual money called "ISK" and you only can do the change if you have a high enough ISK level. Otherwise you have to "earn" ISK up to the needed amount by running the tunnel with the wrong tunnel type for some weeks.   
« Last Edit: June 24, 2015, 03:23:45 PM by PacketTracer »
Logged

btarantina

  • Level 1 Member
  • *
  • Posts: 7
Re: 636L with HE tunnel broker cannot ping IPv6
« Reply #11 on: June 29, 2015, 12:52:29 PM »

Negative. Uverse blocks all IPv6 coming out of the gateway. I'm considering waiting a couple of months until my service contract is up and switching providers.
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: 636L with HE tunnel broker cannot ping IPv6
« Reply #12 on: July 22, 2015, 10:45:46 AM »

Ant status on this?  ???
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.