Cannot establish a working IPv6 setup (he.net 6in4 & CGNAT)

I cannot get 6in4 working to Hurricane Electric's TunnelBroker. Using OpenWrt 21.02.1 on a D-Link DIR-878 router.

I see WAN6 with the expected IPv6 and IPv6-PD addresses, but I don't see the Tx or Rx counters change from zero.

I used @trendy's commands to get this diagnostic info below. Thoughts? Thanks.

root@D-Link-DIR-878:~# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.*
/tmp/resolv.* /tmp/resolv.*/*
{
	"kernel": "5.4.154",
	"hostname": "D-Link-DIR-878",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "D-Link DIR-878 A1",
	"board_name": "dlink,dir-878-a1",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.1",
		"revision": "r16325-88151b8303",
		"target": "ramips/mt7621",
		"description": "OpenWrt 21.02.1 r16325-88151b8303"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd12:3c88:e7bc::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.253.1'
	option gateway '192.168.1.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option proto '6in4'
	option ipaddr 'my-public-ip-address'
	option peeraddr '209.51.161.14'
	option ip6addr '2001:470:1f06:f1::2/64'
	list ip6prefix '2001:470:1f07:f1::/64'
	list ip6prefix '2001:470:8c46::/48'
	option tunnelid '######'
	option username 'my-name'
	option password 'abcdef123456'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '192.168.253.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1504 state UP qlen 1000
    inet6 fe80::76da:daff:fe6d:4e71/64 scope link
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::76da:daff:fe6d:4e74/64 scope link
       valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:470:8c46::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 2001:470:1f07:f1::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fd12:3c88:e7bc::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::76da:daff:fe6d:4e71/64 scope link
       valid_lft forever preferred_lft forever
22: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::76da:daff:fe6d:4e72/64 scope link
       valid_lft forever preferred_lft forever
23: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::76da:daff:fe6d:4e73/64 scope link
       valid_lft forever preferred_lft forever
24: 6in4-wan6@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 state UNKNOWN qlen 1000
    inet6 2001:470:1f06:f1::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::c637:efba/64 scope link
       valid_lft forever preferred_lft forever
27: ifb4wan: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 32
    inet6 fe80::6079:6fff:fe4b:de9/64 scope link
       valid_lft forever preferred_lft forever
default from 2001:470:1f06:f1::/64 dev 6in4-wan6  metric 1024
default from 2001:470:1f07:f1::/64 dev 6in4-wan6  metric 1024
default from 2001:470:8c46::/48 dev 6in4-wan6  metric 1024
2001:470:1f06:f1::/64 dev 6in4-wan6  metric 256
2001:470:1f07:f1::/64 dev br-lan  metric 256  expires 2755sec
2001:470:1f07:f1::/64 dev br-lan  metric 1024
unreachable 2001:470:1f07:f1::/64 dev lo  metric 2147483647
2001:470:8c46::/64 dev br-lan  metric 1024
2001:470:8c46::/60 dev br-lan  metric 256  expires 2755sec
unreachable 2001:470:8c46::/48 dev lo  metric 2147483647
fd12:3c88:e7bc::/64 dev br-lan  metric 1024
unreachable fd12:3c88:e7bc::/48 dev lo  metric 2147483647
fe80::/64 dev eth0  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev wlan0  metric 256
fe80::/64 dev wan  metric 256
fe80::/64 dev wlan1  metric 256
fe80::/64 dev 6in4-wan6  metric 256
fe80::/64 dev ifb4wan  metric 256
local ::1 dev lo table local  metric 0
anycast 2001:470:1f06:f1:: dev 6in4-wan6 table local  metric 0
local 2001:470:1f06:f1::2 dev 6in4-wan6 table local  metric 0
anycast 2001:470:1f07:f1:: dev br-lan table local  metric 0
local 2001:470:1f07:f1::1 dev br-lan table local  metric 0
anycast 2001:470:8c46:: dev br-lan table local  metric 0
local 2001:470:8c46::1 dev br-lan table local  metric 0
anycast fd12:3c88:e7bc:: dev br-lan table local  metric 0
local fd12:3c88:e7bc::1 dev br-lan table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev wlan0 table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev wan table local  metric 0
anycast fe80:: dev 6in4-wan6 table local  metric 0
anycast fe80:: dev wlan1 table local  metric 0
anycast fe80:: dev ifb4wan table local  metric 0
local fe80::c637:efba dev 6in4-wan6 table local  metric 0
local fe80::6079:6fff:fe4b:de9 dev ifb4wan table local  metric 0
local fe80::76da:daff:fe6d:4e71 dev eth0 table local  metric 0
local fe80::76da:daff:fe6d:4e71 dev br-lan table local  metric 0
local fe80::76da:daff:fe6d:4e72 dev wlan0 table local  metric 0
local fe80::76da:daff:fe6d:4e73 dev wlan1 table local  metric 0
local fe80::76da:daff:fe6d:4e74 dev wan table local  metric 0
multicast ff00::/8 dev eth0 table local  metric 256
multicast ff00::/8 dev br-lan table local  metric 256
multicast ff00::/8 dev wlan0 table local  metric 256
multicast ff00::/8 dev wan table local  metric 256
multicast ff00::/8 dev wlan1 table local  metric 256
multicast ff00::/8 dev 6in4-wan6 table local  metric 256
multicast ff00::/8 dev ifb4wan table local  metric 256
0:	from all lookup local
32766:	from all lookup main
4200000000:	from 2001:470:1f07:f1::1/64 iif br-lan lookup unspec unreachable
4200000000:	from 2001:470:8c46::1/60 iif br-lan lookup unspec unreachable
4200000001:	from all iif lo lookup unspec 12
4200000007:	from all iif wan lookup unspec 12
4200000015:	from all iif br-lan lookup unspec 12
4200000024:	from all iif 6in4-wan6 lookup unspec 12
lrwxrwxrwx    1 root     root            16 Oct 24 09:01 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root             0 Nov 13 02:32 /tmp/resolv.conf
-rw-r--r--    1 root     root             0 Nov 13 02:32 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root             0 Nov 13 02:32 resolv.conf.auto
==> /etc/resolv.conf <==

==> /tmp/resolv.conf <==

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
root@D-Link-DIR-878:~#

I think that you should remove the /64 prefix. As you have a /48 that can be properly delegated, it makes no sense to also define the undelegatable small /64 prefix.

Allow protocol 41 in firewall, as suggested in

PS. Does the system log show a successful handshake with he.net?

If the handshake / connection update with he.net goes ok, you will see something like this:
(I have named the interface as "henet" instead of "wan6")

root@router1:~# ifup henet

root@router1:~# logread | grep 6in4
Sat Nov 13 09:39:08 2021 daemon.notice netifd: tunnel '6in4-henet' link is up
Sat Nov 13 09:39:08 2021 user.notice firewall: Reloading firewall due to ifup of henet (6in4-henet)
Sat Nov 13 09:39:09 2021 user.notice nlbwmon: Reloading nlbwmon due to ifup of henet (6in4-henet)
Sat Nov 13 09:39:10 2021 user.notice 6in4-henet: update 1/3: nochg 87.92.xxx.xxx
Sat Nov 13 09:39:10 2021 user.notice 6in4-henet: updated
root@router1:~# ifconfig
6in4-henet Link encap:IPv6-in-IPv4
          inet6 addr: fe80::575c:b8eb/64 Scope:Link
          inet6 addr: 2001:470:27:95d::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1424  Metric:1
          RX packets:94 errors:0 dropped:0 overruns:0 frame:0
          TX packets:110 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:259106 (253.0 KiB)  TX bytes:20235 (19.7 KiB)

Additional note: with a normal IPv4 upstream connection, you do not usually need to define your "public IP" here.

Not working (that is, ping6 ipv6.google.com does not ever respond, either from the router or my laptop). But many new clues:

  1. The big one. I should have mentioned that I have a Calix fiber optical network termination (ONT) that uses CGNAT. I read elsewhere that this means 6in4 just won't work. True? Does that sink this ship? :slight_smile:
  2. That said, I do get an acknowledgement from the he.net server:
    logread | grep 6in4
    Sat Nov 13 07:33:43 2021 daemon.notice netifd: tunnel '6in4-wan6' link is up
    Sat Nov 13 07:33:48 2021 daemon.notice netifd: tunnel '6in4-wan6' link is down
    Sat Nov 13 07:33:48 2021 user.notice 6in4-wan6: update 1/3: timeout
    Sat Nov 13 07:33:49 2021 daemon.notice netifd: tunnel '6in4-wan6' link is up
    Sat Nov 13 07:33:50 2021 user.notice firewall: Reloading firewall due to ifup of wan6 (6in4-wan6)
    Sat Nov 13 07:33:54 2021 user.notice 6in4-wan6: update 1/3: Failed to send request: Operation not permitted
    Sat Nov 13 07:33:58 2021 user.notice 6in4-wan6: update 2/3: Failed to send request: Operation not permitted
    Sat Nov 13 07:44:39 2021 user.notice 6in4-wan6: update 2/3: nochg 198.X.X.X
    Sat Nov 13 07:44:39 2021 user.notice 6in4-wan6: updated
    Sat Nov 13 07:44:43 2021 user.notice 6in4-wan6: update 3/3: nochg 198.X.X.X
    Sat Nov 13 07:44:43 2021 user.notice 6in4-wan6: updated
    
  3. ifconfig shows the expected address, but no traffic...
     6in4-wan6 Link encap:IPv6-in-IPv4
           inet6 addr: 2001:XXX:XXXX:f1::2/64 Scope:Global
           inet6 addr: fe80::c0a8:fd01/64 Scope:Link
           UP POINTOPOINT RUNNING NOARP  MTU:1280  Metric:1
           RX packets:4 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1418 errors:14 dropped:0 overruns:0 carrier:12
           collisions:0 txqueuelen:1000
           RX bytes:320 (320.0 B)  TX bytes:109478 (106.9 KiB)
    
  4. I did not change from the default 21.02 firewall rules. Would I need a rule to let protocol 41 in?

I think so (and said so, above).

Otherwise the incoming packets may be blocked, as they are unexpected and were not initiated from inside (i.e. not RELATED,ESTABLISHED).

Not quite sure.
It sounds like CGNAT would block the incoming 6in4 traffic, as you cannot get a port-forward (or equivalent mapping) created.

The first contact likely succeeds because the conversation was initiated by you. But once that times out and the connection state is dropped, the ISP's routing does not know what to do with the next incoming unsolicited packet.


6in4 requires a public IP, so this is not an option for clients behind CGNAT.
You can deploy IPv6 over VPN from a VPS for about $5/month.


Yeah. I think that puts the final nail in the coffin. I cannot ping my external IPv4 address; it is likely shared with multiple other customers of my ISP.

So, the answer is "No 6in4 for people on CGNAT". Thanks for all the troubleshooting techniques!

PS My next note will be to my ISP, asking them to think about providing native IPv6...

