IPv6 tunnel using HE.net not working - no packets received

Hi there,

since my Internet Provider does not do IPv6 while using their shitty wifi router in bridge mode, I tried to use an IPv6 tunnel as described here.

Problem is, it doesn't work.

I can't get it to receive any packets:

So even from the router directly, IPv6 doesn't work (can't ping):

PING openwrt.org (2a03:b0c0:3:d0::1af1:1): 56 data bytes

--- openwrt.org ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

EDIT: /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
#     list network 'WAN6' 

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

#added ipv6 tunnel test
config rule
        option name      'Allow-protocol-41'
        option src       'wan'
        option proto     '41'
        option target    'ACCEPT'

config rule
        option name      'Allow-protocol-59'
        option src       'wan'
        option proto     '59'
        option target    'ACCEPT'
        option extra     '-m length --length 40'

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64' #EDIT 60-65
        option ip6class 'wan6' #ADDED
        option ifname 'eth1'


config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option proto '6in4'
        option username 'xxx'
        option peeraddr '216.66.80.30'
        option tunnelid '623404'
        option password 'xxx'
        option ip6addr '2001:470:1f0a:2f7::2/64'
        option mtu '1424'
        list ip6prefix '2001:470:1f0b:2f9::/64'

# config route6
#         option interface 'wan6'
#         option target '::/0'

So... where should I troubleshoot next?
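An added check, not part of the original post: the Allow-protocol-41 rule above accepts IP protocol 41 from any host in the wan zone, although the tunnel's only peer is the peeraddr 216.66.80.30. This shell function lists protocol 41 ACCEPT rules in a UCI firewall file that are not limited to that peer with src_ip; the function names and the second sample rule are constructed for the example.

```shell
#!/bin/sh
# Added example: list ACCEPT rules for IP protocol 41 (6in4) in a UCI firewall
# config read from stdin whose src_ip is not the tunnel peer given as $1.
audit_proto41() {
    awk -v peer="$1" '
        function report() {
            if (inrule && proto == "41" && target == "ACCEPT" && srcip != peer)
                printf "%s: src_ip=%s\n", name, (srcip == "" ? "any" : srcip)
            inrule = 0; name = ""; proto = ""; target = ""; srcip = ""
        }
        /^[ \t]*#/ { next }                      # skip comment lines
        $1 == "config" { report(); inrule = ($2 == "rule"); next }
        $1 == "option" && inrule {
            v = $3
            gsub("[^A-Za-z0-9_.:/-]", "", v)     # drop the quotes around the value
            if ($2 == "name") name = v
            else if ($2 == "proto") proto = v
            else if ($2 == "target") target = v
            else if ($2 == "src_ip") srcip = v
        }
        END { report() }
    '
}

# First rule copied from the post; second rule is a constructed variant that
# is limited to the tunnel server with src_ip.
sample_firewall() {
    cat <<'EOF'
config rule
        option name      'Allow-protocol-41'
        option src       'wan'
        option proto     '41'
        option target    'ACCEPT'

config rule
        option name      'Allow-6in4-from-peer'
        option src       'wan'
        option src_ip    '216.66.80.30'
        option proto     '41'
        option target    'ACCEPT'
EOF
}

# Run on the sample with the peeraddr from /etc/config/network.
sample_firewall | audit_proto41 216.66.80.30
```

On a router the input would be /etc/config/firewall; rule names containing spaces are not handled by this simple field-based parser.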

firewall and 6in4 (network) config should be the only relevant files, my he.net tunnel (with a routed /48 prefix) is fine.


Thx, I added network & firewall config files above...

I do not have a "route6" config section, and it works for me.

What are the messages on the logs, when you restart the interface?


Have you checked the system log? Does the he.net 6in4 login succeed?

I haven't used 6in4 for a while, but the route6 seems extraneous to me.

Your firewall contains a reference to a non-existent WAN6, I think.


deleted route6 and removed WAN6

did a restart of wan6:

Fri Mar 12 14:53:24 2021 daemon.notice netifd: Interface 'wan6' is now down
Fri Mar 12 14:53:24 2021 daemon.notice netifd: Interface 'wan6' is setting up now
Fri Mar 12 14:53:24 2021 daemon.info dnsmasq[1993]: read /etc/hosts - 4 addresses
Fri Mar 12 14:53:24 2021 daemon.info dnsmasq[1993]: read /tmp/hosts/odhcpd - 0 addresses
Fri Mar 12 14:53:24 2021 daemon.info dnsmasq[1993]: read /tmp/hosts/dhcp.cfg01411c - 1 addresses
Fri Mar 12 14:53:24 2021 daemon.info dnsmasq-dhcp[1993]: read /etc/ethers - 0 addresses
Fri Mar 12 14:53:25 2021 daemon.notice netifd: Interface 'wan6' is now up
Fri Mar 12 14:53:25 2021 daemon.notice netifd: tunnel '6in4-wan6' link is up
Fri Mar 12 14:53:25 2021 daemon.info dnsmasq[1993]: read /etc/hosts - 4 addresses
Fri Mar 12 14:53:25 2021 daemon.info dnsmasq[1993]: read /tmp/hosts/odhcpd - 1 addresses
Fri Mar 12 14:53:25 2021 daemon.info dnsmasq[1993]: read /tmp/hosts/dhcp.cfg01411c - 1 addresses
Fri Mar 12 14:53:25 2021 daemon.info dnsmasq-dhcp[1993]: read /etc/ethers - 0 addresses
Fri Mar 12 14:53:25 2021 user.notice firewall: Reloading firewall due to ifup of wan6 (6in4-wan6)
Fri Mar 12 14:53:27 2021 user.notice 6in4-wan6: update 1/3: nochg 31.17.164.XXX
Fri Mar 12 14:53:27 2021 user.notice 6in4-wan6: updated

@TheLord, welcome to the community!

Is it working?

If not, try to add/change on LAN:

        option ip6assign '64'
        option ip6class 'wan6'

Thanks a lot!

Sadly no - I tried and added this too. No change... still no RX packets on WAN6.

BTW: I also updated the config files in the first post accordingly.

Are the routes ok?

Do you allow HE to ping the IPv4 WAN interface?

See the "*Two important notes" section here: https://ipv6.he.net/certification/faq.php

Yes, I tried it from my phone as well...

  • Please confirm that 6in4 and luci-proto-ipv6 are installed
  • At this point, I'd suggest manually sending a tunnel update via the HTTP/S API and seeing if it works
    • I've previously used the DDNS to update if I had an issue with the 6in4 update

But this leads me to believe that it worked...

yes, both are installed:

root@OpenWrt:~# opkg list | grep 6in4
6in4 - 25-1
root@OpenWrt:~# opkg list | grep ipv6
luci-proto-ipv6 - git-21.069.16534-310f532-1

I also updated this manually via the link:

nochg 31.17.164.XXX

  • I would advise running a ping/trace to one of your IPv6 addresses and check if you see any Protocol 41 packets on WAN by running this simultaneously:

tcpdump -vvn -i eth0.2 proto 41 and dst host 31.17.164.xxx

(To be clear, this 31.17.164.xxx IP is what you see on your WAN interface, correct?)

  • Also, I would try doing a ping6 from the OpenWrt router

I tried this (I think). While running one session with tcpdump:

root@OpenWrt:~# tcpdump -vvn -i eth0 proto 41
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:44:45.054871 IP (tos 0x0, ttl 64, id 7049, offset 0, flags [DF], proto IPv6 (41), length 124)
    31.17.164.XXX > 216.66.80.30: IP6 (flowlabel 0xb7a57, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:470:1f0b:2f9::1 > 2a03:b0c0:3:d0::1af1:1: [icmp6 sum ok] ICMP6, echo request, seq 0
15:44:46.056063 IP (tos 0x0, ttl 64, id 7112, offset 0, flags [DF], proto IPv6 (41), length 124)
    31.17.164.XXX > 216.66.80.30: IP6 (flowlabel 0xb7a57, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:470:1f0b:2f9::1 > 2a03:b0c0:3:d0::1af1:1: [icmp6 sum ok] ICMP6, echo request, seq 1
15:44:47.056399 IP (tos 0x0, ttl 64, id 7168, offset 0, flags [DF], proto IPv6 (41), length 124)
    31.17.164.XXX > 216.66.80.30: IP6 (flowlabel 0xb7a57, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:470:1f0b:2f9::1 > 2a03:b0c0:3:d0::1af1:1: [icmp6 sum ok] ICMP6, echo request, seq 2
15:44:48.056720 IP (tos 0x0, ttl 64, id 7238, offset 0, flags [DF], proto IPv6 (41), length 124)
    31.17.164.XXX > 216.66.80.30: IP6 (flowlabel 0xb7a57, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:470:1f0b:2f9::1 > 2a03:b0c0:3:d0::1af1:1: [icmp6 sum ok] ICMP6, echo request, seq 3
15:44:49.057033 IP (tos 0x0, ttl 64, id 7315, offset 0, flags [DF], proto IPv6 (41), length 124)
    31.17.164.XXX > 216.66.80.30: IP6 (flowlabel 0xb7a57, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:470:1f0b:2f9::1 > 2a03:b0c0:3:d0::1af1:1: [icmp6 sum ok] ICMP6, echo request, seq 4

and simultaneously ping6 various IPs directly from OpenWrt

PING openwrt.org (2a03:b0c0:3:d0::1af1:1): 56 data bytes

--- openwrt.org ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

You can see the packets here... but it seems there is no answer.

what I tried also is:

  • deactivating the firewall temporarily -> no result, can't receive any IPv6 packets (sending works)
  • resetting and starting from scratch -> no result, can't receive any IPv6 packets (sending works)

There is something "odd": the guide talks about modifying wan6, which my router doesn't have - so I created it. Can it be that there is some config I have to create as well?
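As an added example (not part of any post in this thread), this shell helper counts protocol 41 packets per direction in tcpdump -n output such as the capture above, where only router-to-tunnel-server packets appear. The WAN address 192.0.2.10 in the sample is a constructed placeholder for the masked 31.17.164.XXX, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: classify 6in4 (IP protocol 41) traffic by direction from
# `tcpdump -n` text on stdin. tcpdump sees inbound packets before the
# firewall does, so rx=0 means no replies reached the WAN interface at all.
# Usage: tcpdump -vvn -i eth0 proto 41 | proto41_directions WAN_IP SERVER_IP
proto41_directions() {
    awk -v wan="$1" -v srv="$2" '
        {
            # With -v the outer IPv4 pair is on the indented continuation
            # line, without -v it follows the timestamp: scan for "A > B:".
            for (i = 1; i + 2 <= NF; i++) {
                if ($(i + 1) != ">") continue
                dst = $(i + 2); sub(/:$/, "", dst)
                if ($i == wan && dst == srv) { tx++; break }
                if ($i == srv && dst == wan) { rx++; break }
            }
        }
        END {
            if (tx && !rx)      v = "one-way-outbound"
            else if (tx && rx)  v = "bidirectional"
            else if (rx)        v = "inbound-only"
            else                v = "no-proto41-seen"
            printf "tx=%d rx=%d verdict=%s\n", tx, rx, v
        }
    '
}

# Constructed sample modelled on the capture in the post (WAN IP replaced).
sample_capture() {
    cat <<'EOF'
15:44:45.054871 IP (tos 0x0, ttl 64, id 7049, offset 0, flags [DF], proto IPv6 (41), length 124)
    192.0.2.10 > 216.66.80.30: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:470:1f0b:2f9::1 > 2a03:b0c0:3:d0::1af1:1: [icmp6 sum ok] ICMP6, echo request, seq 0
15:44:46.056063 IP (tos 0x0, ttl 64, id 7112, offset 0, flags [DF], proto IPv6 (41), length 124)
    192.0.2.10 > 216.66.80.30: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:470:1f0b:2f9::1 > 2a03:b0c0:3:d0::1af1:1: [icmp6 sum ok] ICMP6, echo request, seq 1
15:44:47.056399 IP (tos 0x0, ttl 64, id 7168, offset 0, flags [DF], proto IPv6 (41), length 124)
    192.0.2.10 > 216.66.80.30: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:470:1f0b:2f9::1 > 2a03:b0c0:3:d0::1af1:1: [icmp6 sum ok] ICMP6, echo request, seq 2
EOF
}

sample_capture | proto41_directions 192.0.2.10 216.66.80.30
```

The capture must not be filtered to one direction (no "dst host" or "src host" in the tcpdump expression), otherwise the other counter is always zero.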

Ummmm...

  • We don't even see inbound traffic, no need to test firewall at this time

Hurricane calls it henet in their instructions - the name doesn't matter (the correct config does). wan6 on most default configs is a DHCPv6 client attached to @wan anyways; most people just edit it in the case of no ISP-based IPv6 connectivity, such as yours.

If after running tcpdump as requested we see nothing:

  • We'll need to verify if your ISP blocks IP Protocol No. 41

EDIT: I did a traceroute6 to you, it stops at your tunnel server

  • Can you ping the tunnel server IP ping 216.66.80.30?

C:\Users\TheLord>ping 2001:470:1f0b:2f9::1

Ping wird ausgeführt für 2001:470:1f0b:2f9::1 mit 32 Bytes Daten:
Antwort von 2001:470:1f0b:2f9::1: Zeit<1ms
Antwort von 2001:470:1f0b:2f9::1: Zeit<1ms

Ping-Statistik für 2001:470:1f0b:2f9::1:
    Pakete: Gesendet = 2, Empfangen = 2, Verloren = 0
    (0% Verlust),

root@OpenWrt:~# ping 216.66.80.30
PING 216.66.80.30 (216.66.80.30): 56 data bytes
64 bytes from 216.66.80.30: seq=0 ttl=58 time=34.601 ms
64 bytes from 216.66.80.30: seq=1 ttl=58 time=24.500 ms

I can't find anything - Don't think so. ISP is Vodafone Cable Germany with my fancy modem in bridge mode => IPv4 only

???

You ran this from a neighbor's connection or your mobile device, correct?

Again:

Please test from a different location.

  • We need to verify this for certain
  • We also need to verify your HE settings on the Tunnelbroker site
    • Verify you can set the IP on the Tunnelbroker page and have success - this will indicate Tunnelbroker succeeded in pinging.

BTW, if you are behind CGNAT, 6in4 won't work. Do you see the same 31.17.xxx.xxx IP from the LuCI interface?


Sorry. Now from "outside"

C:\Users\TheLord>ping 2001:470:1f0b:2f9::1

Ping wird ausgeführt für 2001:470:1f0b:2f9::1 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.

Ping-Statistik für 2001:470:1f0b:2f9::1:
    Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4
    (100% Verlust),