Debian, 6rd tunnel, and connection troubles

Posted by Chris B on Server Fault
Published on 2012-06-28T01:34:35Z

Long story short, I am having issues with IPv6 using a 6rd tunnel with my ISP, Charter Business. They offer a 6rd tunnel that I think I have properly set up, but the server doesn’t reply to every IPv6 request. When the server has the network interfaces idle with no traffic for about 10 minutes, IPv6 stops accepting inbound connections. To re-allow it, I must go into the server and make it do an outbound IPv6 connection (normally a ping) to start it back up. What’s weird, though, is that if I run iptraf when it’s not working, it still shows an inbound IPv6 packet… the server is just not replying, and I can’t figure out why. Also, if I try to access my server over IPv6 from a house about 1 mile away on the same ISP, it is never able to connect. It always times out, but again iptraf shows an IPv6 inbound packet. Again, it just does not reply. To test if my server is accessible through IPv6 I always have to use my VZW 4G phone (they use IPv6) or ipv6proxy dot net.

Here is all of the configuration information my ISP gives on their tunnel server:

6rd Prefix = 2602:100::/32
Border Relay Address = 68.114.165.1
6rd prefix length = 32
IPv4 mask length = 0

Here is my /etc/network/interfaces for ipv6 (used x's to block real addresses)

auto charterv6
iface charterv6 inet6 v4tunnel
        address 2602:100:189f:xxxx::1
        netmask 32
        ttl 64
        gateway ::68.114.165.1
        endpoint 68.114.165.1
        local 24.159.218.xxx
        up ip link set mtu 1280 dev charterv6

Here is my iptables config:

*filter
:INPUT DROP [0:0]
:fail2ban-ssh - [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:hold - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-ssh
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,465,110,995,143,993,587,465,22
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:5910 -j ACCEPT
-A fail2ban-ssh -j RETURN
-A INPUT -p icmp -j ACCEPT
COMMIT

And last, here is my ip6tables firewall config:

*filter
:INPUT DROP [1653:339023]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [60141:13757903]
:hold - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,25,465,110,995,143,993,587,465,22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:5910 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
COMMIT

So, summary:

1. iptraf always shows IPv6 traffic, so it’s always making it to the server.

2. The server stops replying on IPv6 after no traffic for a while (10 minutes-ish) until an outbound connection is made, then the process repeats.

3. The server is NEVER accessible via the same ISP (yet iptraf still shows the IPv6 request).

Notes: When I try to access it from the same ISP from across town, even with iptables and ip6tables allowing ALL inbound traffic, this is what iptraf shows.

IPv6 (92 bytes) from 97.92.18.xxx to 24.159.218.xxx on eth0
ICMP dest unrch (port) (120 bytes) from 24.159.218.xxx to 97.92.18.xxx on eth1

It’s strange, like it’s trying to forward to the LAN? (eth1 is LAN, eth0 is WAN), even with the IPv6 address being set in the hosts file to the server’s domain name. With iptables set up normally with the above configurations it only says this:

IPv6 (100 bytes) from 97.92.18.xxx to 24.159.218.xxx on eth0

I’m REALLY stuck on this, and any help would be GREATLY appreciated.
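
6rd carries IPv6 inside IPv4 protocol 41 (RFC 5969), so each tunnel packet is judged by the IPv4 INPUT chain before ip6tables ever sees the inner IPv6 packet. The following added example (not part of the original post) is a simplified first-match evaluator run over the INPUT-related lines of the posted IPv4 ruleset; the test packets are constructed, and only the match types used in that ruleset are modelled.

```python
# INPUT-related lines of the IPv4 ruleset posted in the question (ASCII dashes restored).
RULESET = """\
:INPUT DROP [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-ssh
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,465,110,995,143,993,587,465,22
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:5910 -j ACCEPT
-A fail2ban-ssh -j RETURN
-A INPUT -p icmp -j ACCEPT
"""

def parse(ruleset):
    policy, chains = {}, {}
    for line in ruleset.splitlines():
        tok = line.split()
        if line.startswith(":"):            # chain declaration with its policy
            policy[tok[0][1:]] = tok[1]
        elif line.startswith("-A"):         # every option in these rules takes one value
            chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return policy, chains

def matches(rule, pkt):
    for opt, field in (("-p", "proto"), ("-i", "iface")):
        if opt in rule and rule[opt] != pkt[field]:
            return False
    if "--state" in rule and pkt["state"] not in rule["--state"].split(","):
        return False
    spec = rule.get("--dport") or rule.get("--dports")
    ranges = [p.partition(":") for p in spec.split(",")] if spec else []
    return not spec or any(int(lo) <= pkt.get("dport", -1) <= int(hi or lo) for lo, _, hi in ranges)

def verdict(policy, chains, pkt, chain="INPUT"):
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            target = rule["-j"]
            if target == "RETURN":          # leave this chain, caller continues
                break
            result = target if target in ("ACCEPT", "DROP") else verdict(policy, chains, pkt, target)
            if result:
                return result
    return policy.get(chain) if policy.get(chain) != "-" else None

if __name__ == "__main__":
    tunnel = {"proto": "41", "iface": "eth0"}   # constructed 6rd packet arriving on the WAN side
    for state in ("NEW", "ESTABLISHED"):
        print(state, verdict(*parse(RULESET), {**tunnel, "state": state}))
```

Appending a rule such as `-A INPUT -p 41 -j ACCEPT` (a hypothetical addition, not from the post) to `RULESET` changes the `NEW` verdict to ACCEPT; the decapsulated IPv6 traffic is still filtered by ip6tables.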
