From owner-freebsd-net@FreeBSD.ORG Sun Apr 17 14:30:45 2011
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D10E0106564A; Sun, 17 Apr 2011 14:30:45 +0000 (UTC) (envelope-from lev@FreeBSD.org)
Received: from onlyone.friendlyhosting.spb.ru (onlyone.friendlyhosting.spb.ru [IPv6:2a01:4f8:131:60a2::2]) by mx1.freebsd.org (Postfix) with ESMTP id 569708FC23; Sun, 17 Apr 2011 14:30:45 +0000 (UTC)
Received: from lion.home.serebryakov.spb.ru (89.112.15.178.pppoe.eltel.net [89.112.15.178]) (Authenticated sender: lev@serebryakov.spb.ru) by onlyone.friendlyhosting.spb.ru (Postfix) with ESMTPA id 6B2434AC42; Sun, 17 Apr 2011 18:30:43 +0400 (MSD)
Date: Sun, 17 Apr 2011 18:30:34 +0400
From: Lev Serebryakov
Organization: FreeBSD
X-Priority: 3 (Normal)
Message-ID: <1666528527.20110417183034@serebryakov.spb.ru>
To: freebsd-net@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=windows-1251
Content-Transfer-Encoding: quoted-printable
Subject: IPv6 tunnel from Hurricane Electric: very strange behavior of incoming traffic -- it works only if tcpdump is running on outer (IPv4) interface
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: lev@FreeBSD.org
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Sun, 17 Apr 2011 14:30:45 -0000

Hello, Freebsd-net.

I'm setting up an IPv6 tunnel to Hurricane Electric for the first time. I've encountered very strange behavior of incoming traffic: everything works only if tcpdump is running on the external (IPv4) interface. Here are the details.
I've created the tunnel as usual:

# ifconfig gif0 create
# ifconfig gif0 tunnel 89.112.xx.xx 64.71.xx.xx
# ifconfig gif0 inet6 2001:470:hhhh:hhhh::2 2001:470:hhhh:hhhh::1 prefixlen 128
# route -n add -inet6 default 2001:470:hhhh:hhhh::2
# ifconfig gif0 up
# route -n add -inet6 default 2001:470:hhhh:hhhh::2

I added "allowed" rules for icmpv6 input/output to my ipfw firewall. After that I could ping6 any "outside" IPv6 address -- not only the HE one, but, for example, my IPv6-enabled host at Hetzner ISP. So far, so good.

When I try to ping 2001:470:hhhh:hhhh::2 from outside, I don't get any reply. Ok, my first thought is ``I've messed up the firewall configuration''. I try

# tcpdump -ni gif0

NOTHING is coming in from outside. Complete silence. Then I try

# tcpdump -ni ng0 host 64.71.xx.xx

where "ng0" is my interface with the real external IP (my PPPoE connection to an IPv4-only ISP). This command shows 5-7 ICMPv6 Echo requests (wrapped into IPv4, of course), and AFTER that my host starts to reply! tcpdump on ng0 shows both requests and replies (tunneled), tcpdump on gif0 shows "pure" requests and replies, the "external" host (with ping6 running) sees replies too, everything works. When I stop tcpdump on ng0, it continues to work for about 4-5 minutes, and after that silence again till I run tcpdump again!

What am I doing wrong?
Here is my interface:

# ifconfig gif0
gif0: flags=8051 metric 0 mtu 1280
        tunnel inet 89.112.xx.xx --> 64.71.xx.xx
        inet6 2001:470:hhhh:hhhh::2 --> 2001:470:hhhh:hhhh::1 prefixlen 128
        nd6 options=3
        options=1

Here is my routing:

# netstat -rn -f inet6
Internet6:
Destination                  Gateway                  Flags   Netif Expire
default                      2001:470:hhhh:hhhh::2    UGS      gif0
::1                          ::1                      UH        lo0
2001:470:hhhh:hhhh::1        2001:470:hhhh:hhhh::2    UH       gif0
fe80::%lo0/64                link#8                   U         lo0
fe80::1%lo0                  link#8                   UHS       lo0
ff01::%lo0/32                fe80::1%lo0              U         lo0
ff01::%gif0/32               2001:470:hhhh:hhhh::2    U        gif0
ff02::%lo0/32                fe80::1%lo0              U         lo0
ff02::%gif0/32               2001:470:hhhh:hhhh::2    U        gif0

And here are my ipfw IPv6-related rules:

00600 0 0 allow ipv6-icmp from :: to ff02::/16
00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 0 0 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01000 3248938 2654059165 skipto 2000 ip from any to any in
01010 3225982 2652423541 skipto 3000 ip from any to any out
02000 ..... other internal and external interfaces
02040 23 9089 skipto 15000 ip6 from any to any via gif0
02999 0 0 deny ip from any to any
03000 ..... other internal and external interfaces
03040 26 2418 skipto 16000 ip6 from any to any via gif0
03999 0 0 deny ip from any to any
.....
15000 0 0 check-state
15010 0 0 allow ipv6-icmp from any to me keep-state
15020 0 0 allow ipv6-icmp from any to 2001:470:hhhh:hhhh::/64 ip6 icmp6types 1,2,3,4,128,129 keep-state
15999 0 0 skipto 30000 ip from any to any
16000 0 0 deny ip6 from not 2001:470:hhhh:hhhh::2,2001:470:hhhh:hhhh::/64 to any
16990 0 0 allow ipv6-icmp from any to any keep-state
16999 49 11507 allow ip6 from any to any keep-state
30000 0 0 allow tcp from any to me dst-port 22,80 setup keep-state
30010 20 824 allow tcp from any to me dst-port 53 setup keep-state
30020 26 1632 allow udp from any to me dst-port 53 keep-state
39000 18 1152 allow icmp from any to me keep-state
39999 22957 1526424 deny ip from any to any

-- 
// Black Lion AKA Lev Serebryakov
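The poster is debugging by reading the packet and byte counters in `ipfw show` output by hand: which rules in the gif0 `skipto` blocks were hit and how many packets reached the final deny. The following script is an added example, not code from the post or from FreeBSD; it parses that `ipfw show` line format (rule number, packets, bytes, rule body), skips the `.....` placeholder lines, and reports per-rule and per-block counters plus the `skipto` chain, so the same check can be repeated after each configuration change. The sample input is the poster's own rule dump, embedded here as a constructed string with the same masked addresses; the "dangling skipto" check assumes only that `skipto N` continues at the first rule numbered >= N.

```python
import re
from dataclasses import dataclass

# Constructed sample: the rule dump quoted in the post, with the
# quoted-printable soft line breaks undone and the addresses still masked.
SAMPLE_IPFW_SHOW = """\
00600 0 0 allow ipv6-icmp from :: to ff02::/16
00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 0 0 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01000 3248938 2654059165 skipto 2000 ip from any to any in
01010 3225982 2652423541 skipto 3000 ip from any to any out
02000 ..... other internal and external interfaces
02040 23 9089 skipto 15000 ip6 from any to any via gif0
02999 0 0 deny ip from any to any
03000 ..... other internal and external interfaces
03040 26 2418 skipto 16000 ip6 from any to any via gif0
03999 0 0 deny ip from any to any
.....
15000 0 0 check-state
15010 0 0 allow ipv6-icmp from any to me keep-state
15020 0 0 allow ipv6-icmp from any to 2001:470:hhhh:hhhh::/64 ip6 icmp6types 1,2,3,4,128,129 keep-state
15999 0 0 skipto 30000 ip from any to any
16000 0 0 deny ip6 from not 2001:470:hhhh:hhhh::2,2001:470:hhhh:hhhh::/64 to any
16990 0 0 allow ipv6-icmp from any to any keep-state
16999 49 11507 allow ip6 from any to any keep-state
30000 0 0 allow tcp from any to me dst-port 22,80 setup keep-state
30010 20 824 allow tcp from any to me dst-port 53 setup keep-state
30020 26 1632 allow udp from any to me dst-port 53 keep-state
39000 18 1152 allow icmp from any to me keep-state
39999 22957 1526424 deny ip from any to any
"""

# One `ipfw show` line: rule number, packet counter, byte counter, rule body.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")
SKIPTO_RE = re.compile(r"^skipto\s+(\d+)\b")


@dataclass
class Rule:
    number: int
    packets: int
    bytes: int
    body: str


def parse_ipfw_show(text):
    """Parse `ipfw show` output; lines without numeric counters
    (the '.....' placeholders in the post) are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m.group(1)), int(m.group(2)),
                              int(m.group(3)), m.group(4)))
    return rules


def rules_with_traffic(rules):
    """Rules whose packet counter is non-zero, in ruleset order."""
    return [r for r in rules if r.packets > 0]


def block_packets(rules, lo, hi):
    """Total packets counted by rules numbered lo..hi inclusive."""
    return sum(r.packets for r in rules if lo <= r.number <= hi)


def skipto_edges(rules):
    """(source rule, target number) for every skipto rule."""
    edges = []
    for r in rules:
        m = SKIPTO_RE.match(r.body)
        if m:
            edges.append((r.number, int(m.group(1))))
    return edges


def dangling_skipto(rules):
    """skipto targets beyond the last rule: such a jump would leave the
    ruleset and hit the kernel default, not any rule in the dump."""
    last = max((r.number for r in rules), default=0)
    return [(src, dst) for src, dst in skipto_edges(rules) if dst > last]


def report(rules):
    """Human-readable summary of the rules that actually saw traffic."""
    lines = [f"{r.number:05d} {r.packets:>8} pkts  {r.body}"
             for r in rules_with_traffic(rules)]
    return "\n".join(lines)


if __name__ == "__main__":
    rs = parse_ipfw_show(SAMPLE_IPFW_SHOW)
    print(report(rs))
    print("inbound gif0 block 15000-15999 packets:", block_packets(rs, 15000, 15999))
    print("outbound gif0 block 16000-16999 packets:", block_packets(rs, 16000, 16999))
    print("skipto chain:", skipto_edges(rs))
    print("final rule packets:", rs[-1].packets, rs[-1].body)
```

Run against the live system with `ipfw show | python3 thisscript.py`-style piping after replacing the constructed sample with `sys.stdin.read()`; comparing two snapshots taken before and after a test ping6 shows which rule absorbed the packets, which is exactly the question the post leaves open for the inbound 15000 block, whose counters are all zero while the final deny has counted 22957 packets.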