IPv6 tunnel from Hurricane Electric: very strange behavior of incoming traffic -- it works only if tcpdump is running on outer (IPv4) interface
Lev Serebryakov
lev at FreeBSD.org
Sun Apr 17 14:30:45 UTC 2011
Hello, Freebsd-net.
I'm setting up an IPv6 tunnel to Hurricane Electric for the first time.
I've encountered very strange behavior of incoming traffic: everything
works only if tcpdump is running on the external (IPv4) interface.
Here are the details.
I've created the tunnel as usual:
# ifconfig gif0 create
# ifconfig gif0 tunnel 89.112.xx.xx 64.71.xx.xx
# ifconfig gif0 inet6 2001:470:hhhh:hhhh::2 2001:470:hhhh:hhhh::1 prefixlen 128
# route -n add -inet6 default 2001:470:hhhh:hhhh::2
# ifconfig gif0 up
# route -n add -inet6 default 2001:470:hhhh:hhhh::2
Added "allow" rules for ICMPv6 input/output to my ipfw firewall.
After that I could ping6 any "outside" IPv6 address -- not only the HE
one but, for example, my IPv6-enabled host at the Hetzner ISP. So far, so
good.
When I try to ping 2001:470:hhhh:hhhh::2 from outside, I don't
get any reply. OK, my first thought is "I've messed up the firewall
configuration". I try
# tcpdump -ni gif0
NOTHING is coming in from outside. Complete silence.
Then I try
# tcpdump -ni ng0 host 64.71.xx.xx
where "ng0" is my interface with the real external IP (my PPPoE
connection to an IPv4-only ISP).
This command shows 5-7 ICMPv6 Echo requests (wrapped in IPv4, of
course), and AFTER that my host starts to reply! tcpdump on ng0 shows
both requests and replies (tunneled), tcpdump on gif0 shows "pure"
requests and replies, the "external" host (with ping6 running) sees the
replies too; everything works.
When I stop tcpdump on ng0, it continues to work for about 4-5
minutes, and after that silence again until I run tcpdump again!
What am I doing wrong?
Here is my interface:
# ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet 89.112.xx.xx --> 64.71.xx.xx
inet6 2001:470:hhhh:hhhh::2 --> 2001:470:hhhh:hhhh::1 prefixlen 128
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
options=1<ACCEPT_REV_ETHIP_VER>
Here is my routing:
# netstat -rn -f inet6
Internet6:
Destination Gateway Flags Netif Expire
default 2001:470:hhhh:hhhh::2 UGS gif0
::1 ::1 UH lo0
2001:470:hhhh:hhhh::1 2001:470:hhhh:hhhh::2 UH gif0
fe80::%lo0/64 link#8 U lo0
fe80::1%lo0 link#8 UHS lo0
ff01::%lo0/32 fe80::1%lo0 U lo0
ff01::%gif0/32 2001:470:hhhh:hhhh::2 U gif0
ff02::%lo0/32 fe80::1%lo0 U lo0
ff02::%gif0/32 2001:470:hhhh:hhhh::2 U gif0
And here are my ipfw IPv6-related rules:
00600 0 0 allow ipv6-icmp from :: to ff02::/16
00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 0 0 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01000 3248938 2654059165 skipto 2000 ip from any to any in
01010 3225982 2652423541 skipto 3000 ip from any to any out
02000 ..... other internal and external interfaces
02040 23 9089 skipto 15000 ip6 from any to any via gif0
02999 0 0 deny ip from any to any
03000 ..... other internal and external interfaces
03040 26 2418 skipto 16000 ip6 from any to any via gif0
03999 0 0 deny ip from any to any
.....
15000 0 0 check-state
15010 0 0 allow ipv6-icmp from any to me keep-state
15020 0 0 allow ipv6-icmp from any to 2001:470:hhhh:hhhh::/64 ip6 icmp6types 1,2,3,4,128,129 keep-state
15999 0 0 skipto 30000 ip from any to any
16000 0 0 deny ip6 from not 2001:470:hhhh:hhhh::2,2001:470:hhhh:hhhh::/64 to any
16990 0 0 allow ipv6-icmp from any to any keep-state
16999 49 11507 allow ip6 from any to any keep-state
30000 0 0 allow tcp from any to me dst-port 22,80 setup keep-state
30010 20 824 allow tcp from any to me dst-port 53 setup keep-state
30020 26 1632 allow udp from any to me dst-port 53 keep-state
39000 18 1152 allow icmp from any to me keep-state
39999 22957 1526424 deny ip from any to any
--
// Black Lion AKA Lev Serebryakov <lev at FreeBSD.org>
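The post's tcpdump traces show the same ICMPv6 echo twice: once on ng0 as an IPv4 packet carrying IPv6 (protocol 41, the 6in4 encapsulation gif uses), and once on gif0 as the bare IPv6 packet. The following is an added example, not code from the post or from FreeBSD, that builds such a 6in4 frame, decapsulates it, and applies the two checks a receiving tunnel endpoint and the rule at 15020 would apply: the outer IPv4 source and destination must be the configured tunnel endpoints (otherwise anyone on the IPv4 Internet could inject IPv6 packets into the tunnel), and the inner ICMPv6 type must be one the firewall admits. The endpoint addresses and IPv6 prefixes are assumed values standing in for the masked ones in the post, and the permitted-type set is a simplification of the poster's ruleset (it takes only rule 15020's list).

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41    # IPv6 carried directly inside IPv4 (6in4, RFC 4213)
IPPROTO_ICMPV6 = 58

# Assumed tunnel endpoints and prefixes; the post masks the real ones.
LOCAL_V4 = ipaddress.IPv4Address("89.112.0.2")
REMOTE_V4 = ipaddress.IPv4Address("64.71.0.1")
LOCAL_V6 = ipaddress.IPv6Address("2001:db8:1:1::2")
REMOTE_V6 = ipaddress.IPv6Address("2001:db8:1:1::1")
# Simplification: the ICMPv6 types listed in ipfw rule 15020 of the post.
ALLOWED_ICMP6_TYPES = {1, 2, 3, 4, 128, 129}


def _csum16(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data (pads odd length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      64, proto, 0, src.packed, dst.packed)
    return hdr[:10] + struct.pack("!H", _csum16(hdr)) + hdr[12:]


def ipv6_header(src, dst, next_hdr, payload_len):
    """40-byte IPv6 header: version 6, hop limit 64."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_hdr, 64,
                       src.packed, dst.packed)


def build_icmp6(src6, dst6, icmp_type, ident, seq, data):
    """IPv6 packet carrying an ICMPv6 echo-shaped message with a valid checksum."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data
    pseudo = (src6.packed + dst6.packed + struct.pack("!I", len(body))
              + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6]))
    body = body[:2] + struct.pack("!H", _csum16(pseudo + body)) + body[4:]
    return ipv6_header(src6, dst6, IPPROTO_ICMPV6, len(body)) + body


def build_6in4(outer_src, outer_dst, inner6):
    """What tcpdump on ng0 sees: the IPv6 packet wrapped in an IPv4 proto-41 header."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPV6, len(inner6)) + inner6


def check_inbound(frame, local_v4=LOCAL_V4, remote_v4=REMOTE_V4,
                  allowed=ALLOWED_ICMP6_TYPES):
    """Decapsulate a 6in4 frame and return a (verdict, reason) tuple."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return ("drop", "not IPv4")
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != IPPROTO_IPV6:
        return ("drop", "outer protocol %d is not 41 (6in4)" % frame[9])
    osrc = ipaddress.IPv4Address(frame[12:16])
    odst = ipaddress.IPv4Address(frame[16:20])
    # The gif endpoint check: only the configured peer may feed this tunnel.
    if osrc != remote_v4 or odst != local_v4:
        return ("drop", "outer endpoints %s->%s do not match tunnel" % (osrc, odst))
    inner = frame[ihl:total_len]          # what tcpdump on gif0 would show
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return ("drop", "inner packet is not IPv6")
    plen, nxt = struct.unpack("!HB", inner[4:7])
    isrc = ipaddress.IPv6Address(inner[8:24])
    idst = ipaddress.IPv6Address(inner[24:40])
    if nxt != IPPROTO_ICMPV6:
        return ("accept", "inner next header %d, %s -> %s" % (nxt, isrc, idst))
    icmp = inner[40:40 + plen]
    pseudo = (isrc.packed + idst.packed + struct.pack("!I", len(icmp))
              + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6]))
    if _csum16(pseudo + icmp) != 0:       # sum including the field must be all-ones
        return ("drop", "bad ICMPv6 checksum")
    if icmp[0] not in allowed:
        return ("drop", "icmp6 type %d not permitted inbound" % icmp[0])
    return ("accept", "icmp6 type %d from %s" % (icmp[0], isrc))


if __name__ == "__main__":
    echo = build_icmp6(REMOTE_V6, LOCAL_V6, 128, 1, 1, b"ping")
    print(check_inbound(build_6in4(REMOTE_V4, LOCAL_V4, echo)))
    print(check_inbound(build_6in4(ipaddress.IPv4Address("198.51.100.7"), LOCAL_V4, echo)))
```

The outer-endpoint check is the one that matters for security: a 6in4 tunnel has no authentication, so the IPv4 source of the encapsulating packet is the only thing tying a packet to the peer, and a tunnel that skipped it would accept IPv6 traffic from any IPv4 host that could reach the endpoint.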