SOLVED: IPv6 Tunnel from HE and need Open Ports for Web Server

Discussion in 'Tomato Firmware' started by tc23emp, Apr 17, 2019.

  1. tc23emp

    tc23emp New Member Member

    EDIT: I feel like something is failing intermittently because it was working (reachable on multiple tests) for a little then stopped, and I don't think I changed anything even though I was in the admin web interface for the router.

    I am on FreshTomato 2019-1 on AC-68U (TM-AC1900) connecting fine to a Hurricane Electric 6in4 static tunnel. I can get 19/20 on ipv6-test website (with the 1 short for no PTR record). However, the IPv6 firewall seems to be an issue.

    I need port 80 and 443 to be open, and I am not sure why they're not. I am not sure what default routes are supposed to look like or maybe the firewall has a weird rule (by default on my setup). Yet, clearing all rules on ip6tables (ACCEPT all) doesn't help. I have a Debian machine with a IPv6 SLAAC address that I want to be reachable. I think this is supposed to be globally reachable even though it's inside my /64 with the router in front. I have this machine's MAC set to receive a static IPv4 address, and the IPv6 address seems to remain the same as well. I was using an addresss given by DHCPv6, but I turned that off. It has a link-local IPv6, which I don't think is usable even if only in the firewall settings. From inside the LAN, the web server is reachable over IPv6, so the router seems to be blocking access from outside.

    I may gotten a `curl -6` request to work maybe 1 time on a fluke, so it seems like the router firewall failed that one time or I happened to be changing something at the time, but I am not sure what it was. Most or all IPv6 website testers on web say its not reachable over IPv6.

    My router is pingable over IPv6. I can also reach SSH or the admin web interface (using alternate port) if I turn on remote access options.

    I can't post a link, and I may be changing my IPv6 while I try to fix this, but you can piece together the following for the URL. Host: tacden. TLD: net.

    I tried to post route and firewall output, but the site thought it had a link. The output will still show the IP 2001:470:1f06:ae3::9062:f334 but I am trying to make 2001:470:1f06:ae3::22 work. Look for pastefs pid/112369 if it helps. Any guidance will be appreciated.
     
    Last edited: Apr 17, 2019
  2. Sean B.

    Sean B. Network Guru Member

    You're using 6in4, meaning IPv6 encapsulated in IPv4. I believe you need to set the correct ( IPv4 ) iptables rules to allow forwarding for protocol 41, as well as enable "respond to ping" in the GUI.
     
    tc23emp likes this.
  3. tc23emp

    tc23emp New Member Member

    I discovered that if I connect to the router via SSH then ping6 my debian server, it opens a route / firewall hole temporarily for external machines to also use. So, for about 10 seconds, I can connect to the debian server completely over 80, 443, and ping / icmp from the outside world. I am not sure what to make of that.

    BTW, I tried the following, but it didn't get it going.
    For prot 41, WANPREROUTING and wanin rules I found on the tomato usb forum.
     
  4. snowman58

    snowman58 Network Newbie Member

  5. Sean B.

    Sean B. Network Guru Member

    I'm not sure exactly what you did in reference to "cleared all" ip6tables rules, but to allow all IPv6 traffic through to LAN clients for testing purposes you would use:

    Code:
    ip6tables -t filter -I FORWARD 1 -j ACCEPT
    Is the 6in4 IPv4 endpoint the vlan2, or a tun interface? And does it have a global IPv6 address ( IE: not just fe80: ) ?
     
    Last edited: Apr 18, 2019 at 3:41 PM
  6. tc23emp

    tc23emp New Member Member

    I used the router Port Forwarding -> Basic IPv6 page to add wanin (linked in the FILTER chain) rules which opened ports 80 and 443.

    I tried the rule:
    ip6tables -t filter -I FORWARD 1 -p tcp -d 2001:470:1f06:b08::2a46 --dport 80 -j ACCEPT
    and seperately:
    ip6tables -t filter -I FORWARD 1 -j ACCEPT

    They do help in the same way my wanin rules are needed for making ports like 80 and 443 open on the router IPv6 firewall, however I still need to `ping6 2001:470:1f06:b08::2a46` (for my debian machine) from the router on an SSH shell to make it temporarily reachable when traffic is hitting the router from the outside world.

    So, I guess I am missing some route from my router to my IPv6 machines. I used this guide to configure things through the interface:
    https://www.linksysinfo.org/index.php?threads/setting-up-ipv6-for-he-tunnelbroker.35297/ . So, I have a v6in4 interface, but I am not sure how it's linked up to br0, vlan1, or vlan2. I have my routes posted on https://www.pastefs.com/pid/112369

    I have the two checkboxes for IPv6 announcing set to off. This, is my dnsmasq custom config set via router interface.
    Code:
    port=0
    cache-size=0
    enable-ra
    dhcp-range=tag:br0,::100,::ffff,constructor:br0,64,1440m
    dhcp-option=tag:br0,option6:dns-server,fe80::221:ccff:fe67:e952
    
    I tried other configurations, but it didn't help. The DNS server is the debian machine, but I don't think that's relevant.

    Tunnelbroker says 2001:470:1f07:b08:: is my Routed Prefix. My Router LAN address is 2001:470:1f06:b08::1 and my Tunnel Client
    2001:470:1f06:b08::2 . I guess the bolded parts are supposed to be different.
     
    Last edited: Apr 18, 2019 at 10:27 PM
  7. snowman58

    snowman58 Network Newbie Member

    According to that your router LAN address is 2001:470:1f07:b08::1 NOT 2001:470:1f06:b08::1 , Yes they are supposed to be different.
     
    tc23emp likes this.
  8. tc23emp

    tc23emp New Member Member

    Thanks, snowman. I think everything is reachable now. I was unsure of which LAN address to use earlier, and I thought I had tried multiple ways including letting it be set to default (2001:470:1f07:b08::1). However, maybe something else wasn't fully configured at the time.
     
    snowman58 likes this.
  9. snowman58

    snowman58 Network Newbie Member

    Yes ping MUST be enabled, protocol 41 does not need to be forwarded because the tunnel is on the WAN interface.
     
  10. Sean B.

    Sean B. Network Guru Member

    Ah, that is what I was unsure of and asked in my next post. As I use native IPv6 rather than tunneling I wasn't sure if it was landing at the WAN interface itself or a tun interface created for it.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice