[00:54] mnathani: install? it was already included with my weechat-plugins package, so very easy :P
[00:54] Loading was easy too: /python load /path/to/blah.py
[00:55] Aaaaand that's all it took
[00:55] I configured it a bit, set a static port number, a prefix, but otherwise nothing fancy and it worked right out of the box.
[07:45] neat. i'll give it a shot when i have a sec to mess with it. (been chatting via ssh on my eyepahd)
[09:18] *** novae has quit IRC (Ping timeout: 250 seconds)
[09:21] *** novae has joined #arpnetworks
[11:28] I am having issues with my he.net ipv6 tunnel configured on an Ubuntu box
[11:29] I can ping6 google.com, but traceroute6 to the same host results in 0.654 ms !H 0.679 ms !H 0.708 ms !H
[11:29] ipv6 forwarding is enabled
[11:30] and I can traceroute to a machine using the ubuntu box as its ipv6 router
[11:31] How can I determine if it's a firewall issue or perhaps a misconfiguration?
[11:35] hm that looks weird. do you have the full traceroute6 output? how far does it get before it stops?
[11:38] meingtsla: >> http://pastebin.com/eWmehyqH
[11:41] but ping6 works though, right? hmmm.... are you doing any udp blocking in ip6tables?
[11:43] don't think so
[11:44] ping6 does work
[11:44] root@x61:~# ping6 -n google.com
[11:44] mnathani: Just to check - disable ip6tables entirely
[11:44] PING google.com(2404:6800:4002:802::1001) 56 data bytes
[11:44] 64 bytes from 2404:6800:4002:802::1001: icmp_seq=1 ttl=50 time=346 ms
[11:44] awfully high pings though
[11:45] root@x61:~# ufw disable
[11:45] Firewall stopped and disabled on system startup
[11:46] brycec: I ran iptables -F and iptables -F -t nat
[11:46] what about ip6tables
[11:46] iptables is ipv4
[11:48] no dice
[11:49] I flushed ip6tables rules also
[11:49] this is one of the clients behind the ubuntu box >> 2001:470:1d:76e::2:2
[11:50] I can mtr to that IP
[11:50] about 70ms
[13:35] I think it might have something to do with the ubuntu box using a private IP that is not getting translated correctly through the NAT / ipv6 tunnel
[14:01] *** novae has quit IRC (Ping timeout: 245 seconds)
[14:05] What's a private IPv6 IP? link-local?
[14:06] I mean my private ipv4 ip
[14:06] *** novae has joined #arpnetworks
[14:06] the packets go out, but get lost in translation on the way back is my theory
[14:08] I must not have understood your original problem... Thought we were talking v6-v6
[14:09] he.net ipv6 tunnel
[14:09] protocol 41, 6in4
[14:10] mnathani: if I can mtr to that v6 address, then your tunnel is good
[14:10] Assuming that v6 address was on your end of the tunnel
[14:10] Then the tunnel and its v4 underpinnings are working, packets in both directions.
[14:10] that v6 was actually part of a routed /64 behind the tunnel
[14:10] not sure why the traceroute6 was not working
[14:11] As far as v6 clients behind the tunnel, they never see the tunnel packets themselves, so private IPs have no bearing. Your "LAN" for lack of a better description is pure IPv6, it's just the router that takes the pure v6 and stuffs it over a tunnel.
[14:12] (pure IPv6/dualstack)
[14:13] (That IP is still being mtr'd too, so tcpdump and you'll see the traffic from an a650 address)
[14:15] 17:15:18.163599 IP6 vps3.cobryce.com > 2001:470:1d:76e::2:2: ICMP6, echo request, seq 59572, length 64
[14:16] Yep
[14:16] 1. 2001:470:1d:76e::10:62 84.6% 14 0.3 0.3 0.3 0.3 0.0
[14:17] mtr back to you
[14:17] http://sprunge.us/OTTB (it's wide, sorry)
[14:17] http://pastebin.com/yMCrE9Gg
[14:17] mnathani: so you're dropping 85% of your packets on your first hop alone?
[14:18] down to 30% now
[14:18] but yes
[14:18] for some reason
[14:18] mnathani: so that's an mtr running on ::2:2 right?
[14:19] [root@compaq capture]# ping6 2001:470:1d:76e::10:62
[14:19] PING 2001:470:1d:76e::10:62(2001:470:1d:76e::10:62) 56 data bytes
[14:19] 64 bytes from 2001:470:1d:76e::10:62: icmp_seq=1 ttl=64 time=0.175 ms
[14:19] yes
[14:22] mnathani: So why is ::10:62 the gateway for ::2:2? Based on my inbound mtr, ::2:2 is routeable directly from ::2 (your endpoint)
[14:24] Server IPv6 Address:2001:470:1c:76e::1/64 Client IPv6 Address:2001:470:1c:76e::2/64
[14:24] Routed /64:2001:470:1d:76e::/64
[14:25] 1c vs 1d
[14:26] you mean 1d/1e?
[14:26] nevermind ^
[14:26] Anyways, my question stands, my inbound mtr hits 2001:470:1c:76e::2 and then the destination
[14:26] 2001:470:1d:76e::2:2
[14:27] There's no 2001:470:1d:76e::10:62 anywhere in the inbound mtr
[14:27] So I presume you've set that as ::2:2's gateway, hence why its outbound mtr tries to route through it (badly)
[14:28] Destination Next Hop Flags Metric Ref Use Iface
[14:28] */0 2001:470:1d:76e::10:62 UG 1 10608 0 eth0
[14:28] 10:62 is the ubuntu box terminating the tunnel
[14:29] that route is on 2:2
[14:29] So somehow inbound traffic skips that ubuntu box
[14:30] well that box has 2 ips
[14:30] it has :2001:470:1c:76e::2 on the tunnel end
[14:30] It has both ::2:2 and ::10:62?
[14:30] Oh okay
[14:31] (I meant to write ::2, not ::2:2)
[14:31] and 10:62 on the LAN end
[14:31] The same subnet on two interfaces?
[14:31] different subnets
[14:31] 470:1c vs 470:1d
[14:31] don't know why he.net chose such close /64s
[14:32] Heh, okay I can see the picture clearly now
[14:32] and fwiw I can mtr 2001:470:1d:76e::10:62 just fine too
[14:35] I am using a bridge interface for ipv6, does that change anything?
[14:38] Should be fine
[14:38] And if it were an MTU issue, small pings should still be fine
[14:38] * brycec strokes his beard
[14:41] 23411.808529fe80::21d:72ff:fe8c:c519ff02::1:ff00:1ICMPv686Neighbor Solicitation for 2001:470:1d:76e::1 from 00:1d:72:8c:c5:19
[14:42] it got kinda squished there
[14:44] http://pastebin.com/W512MDZj
[14:44] I seem to be missing a next hop
[14:44] Is x61 the ubuntu router?
[14:44] it is
[14:45] You do.
[14:46] Gotta love when stuff works (or half-works) when it doesn't seem like it should work at all...
[14:46] [root@compaq capture]# ping6 google.com
[14:46] PING google.com(pd-in-x71.1e100.net) 56 data bytes
[14:46] 64 bytes from pd-in-x71.1e100.net: icmp_seq=1 ttl=53 time=69.8 ms
[14:46] 64 bytes from pd-in-x71.1e100.net: icmp_seq=2 ttl=53 time=70.1 ms
[14:46] 64 bytes from pd-in-x71.1e100.net: icmp_seq=3 ttl=53 time=69.2 ms
[14:46] I mean how can we explain that ^
[14:47] MAGIC
[14:47] Clearly x61 put the packets on the wire, and somehow, by magic, HE slurped them up and routed them
[14:48] Oh right, MAGIC == ICMP6 router solicitation
[14:50] Your box was even doing an ND request │14:41:16 mnathani | 23411.808529fe80::21d:72ff:fe8c:c519ff02::1:ff00:1ICMPv686Neighbor Solicitation for 2001:470:1d:76e::1 from 00:1d:72:8c:c5:19
[14:50] Granted, you might think such a route would show in the kernel routing table...
[15:52] finally!!!
[15:52] root@x61:~# traceroute6 google.com
[15:52] traceroute to google.com (2800:3f0:4002:801::1007) from 2001:470:1c:76e::2, 30 hops max, 24 byte packets
[15:52] 1 mnathani-1.tunnel.tserv21.tor1.ipv6.he.net (2001:470:1c:76e::1) 13.642 ms 12.51 ms 12.374 ms
[15:52] 2 ge2-5.core1.tor1.he.net (2001:470:0:c0::1) 12.204 ms 20.327 ms 9.21 ms
[15:52] 3 2001:478:245:1::6 (2001:478:245:1::6) 10.333 ms 10.331 ms 11.015 ms
[15:52] 4 2001:4860::1:0:28 (2001:4860::1:0:28) 11.455 ms 28.471 ms 15.783 ms
[15:52] 5 2001:4860::8:0:4398 (2001:4860::8:0:4398) 23.643 ms 26.754 ms 23.326 ms
[15:52] 6 2001:4860::8:0:6375 (2001:4860::8:0:6375) 30.327 ms 30.09 ms 29.767 ms
[15:53] 7 2001:4860::1:0:9ff (2001:4860::1:0:9ff) 38.428 ms 31.84 ms 40.867 ms
[15:53] 8 2001:4860::1:0:69e7 (2001:4860::1:0:69e7) 180.457 ms 186.376 ms 178.459 ms
[15:53] 9 2001:4860::1:0:e (2001:4860::1:0:e) 208.799 ms 198.93 ms 197.848 ms
[15:53] 10 2001:4860:0:1::d8 (2001:4860:0:1::d8) 199.453 ms 196.398 ms 199.431 ms
[15:53] 11 2800:3f0:4002:801::4 (2800:3f0:4002:801::4) 197.8 ms 196.636 ms 195.845 ms
[15:53] If only I had noticed and used the provided configuration from he.net directly
[19:50] *** toeshred has quit IRC (Ping timeout: 245 seconds)
[19:55] *** toeshred has joined #arpnetworks