Skip to content

Instantly share code, notes, and snippets.

@bgrewell
Last active October 4, 2024 08:01
Show Gist options
  • Save bgrewell/591b5ce8809f2bbf0b3999921cecef60 to your computer and use it in GitHub Desktop.
Save bgrewell/591b5ce8809f2bbf0b3999921cecef60 to your computer and use it in GitHub Desktop.
This gist describes how to setup a hurricane electric (TunnelBroker) IPv6 tunnel on a Ubiquiti Unifi Dream Machine Pro

Setup IPv6 Tunnel on Unifi Dream Machine Pro

Enable SSH

TODO

Configure To Dream Machine Over SSH

SSH to your UDM

ssh root@<udm ip address>
<enter the password you set when prompted>

Configure the IPv6 Tunnel - You get the addresses from the Tunnel Details page on TunnelBroker

ip tunnel add he-ipv6 mode sit remote <server ipv4 address> local <client ipv4 address> ttl 255
ip link set he-ipv6 up
ip addr add <client ipv6 address> dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr

Test Connectivity from UDM

ping 2600::

Setup Address Allocation

TODO

@DJBenson
Copy link

I've managed to get this to work but how do you block inbound traffic to IPv6 devices?

By default, everything is open to the internet which is not safe.

I need to be able to block all inbound IPv6 traffic and selectively enable it for certain devices/ports.

@telnetdoogie
Copy link

telnetdoogie commented May 12, 2023

@DJBenson Glad you got it working!!

In your UDM/P/SE firewall, you should have some default "Internetv6 In" rules that allow traffic out, but only allow traffic in if it's a response to or related to the outbound traffic.

They should actually already be the default rules , so from top to bottom you'd have:

  • 'Allow Established / Related Sessions' - allows packets in which are a response to or related to outbound traffic
  • 'Drop Invalid State' - drops packets which have invalid state

And then you'll see some other default rules for "Internetv6 Local" which should look similar but are specific to traffic with a 'final destination' of the gateway itself.

These rules should be there by default.

If you're finding that your local network devices are open to the internet (by doing a port scan for example) then you would want to make sure you're running a cron job as mentioned in my writeup as well.

Because the he-ipv6 interface and tunnel aren't really "recognized" by the UDM/P/SE, none of the out-of-the-box firewall rules will apply (since it only applies them to your WAN interfaces - usually eth8 and eth9) Running the cron job will take all ipv6 rules that are applied to the actual WAN interface, and apply them to the he-ipv6 tunnel instead. Any changes made to firewall settings in the Unifi Network app, will re-write the firewall rules to the UDMP's WAN interface, and then the cron job will need to detect that and re-apply them over to the he-ipv6 interface again. The writeup I made describes how to test that firewall rules have been applied to the he-ipv6 interface correctly by running ip6tables-save | grep he-ipv6 - if that results in no output, then no firewall rules have been applied to that interface.

That was the whole reason I ended up creating the cron job, to ensure that you can create rules in the Unifi Network UI and they will be applied to the tunnel interface.

Once you've got the cron job setup, you should be able to change the rules or add new rules in the Unifi Network Firewall Rules UI (under Internetv6), and then those rules will be re-applied to the he-ipv6 interface when the cron job runs next (I run mine every minute)

(FYI I just made changes to configure-he-ipv6-chains.sh today which should work more completely on newer versions of the UDMP OS including UDMPSE)

@telnetdoogie
Copy link

...you can test ipv6 firewall blocking at ipv6scanner.com and entering your local machine's IPv6 address. All ports with the exception of the ones you've created ALLOW rules for should show as CLOSED or FILTERED

@DJBenson
Copy link

@telnetdoogie thanks for the detailed response.

I hadn’t realised that the script uses the WAN rules which explains why certain ports were open despite me seemingly not opening them. I have a port forward rule which allows ports 80 and 443 which for IPv4 is fine as it’s NAT and I control where the traffic lands but for IPv6 the ports are exposed to ALL devices it seems.

I’ll have a play with the rules and see if I can tighten them by adding IPv6 specific rules around my existing rules.

The most concerning for me was traffic being allowed from the internet to my UDM-SE.

Thanks again for this brilliant write up and your additional support.

@telnetdoogie
Copy link

telnetdoogie commented May 12, 2023

It doesn't do anything at all with ipv4 rules, those stay intact... you have to have separate rules on the UDM line for ipv6 and ipv4.
The script I have basically takes any ipv6-internet rules that are applied to your default WAN and applies them to the newly created interface. All ipv4 stuff is untouched.

By just adding the he-ipv6 interface / tunnel, you're creating a network tunnel on the unifi router that the unifi software knows nothing about, so no iptables are applied at all... it's just flapping in the wind. So you're correct in that JUST setting up the tunnel means there is no firewall in place at all for the ipv6 traffic coming into your network from that tunnel. Every ipv6 address on the network is exposed, wide open.

...Hence the creation of the script that applies rules to the new interface.

What the script does:

export ip6tables (specifically the ipv6 firewall rules) that have been applied to your actual WAN interface
modify the export to replace references to the WAN interface with references to the he-ipv6 interface
imports / restores the rules using the replacements

so it basically just 'switches out' your WAN interface's ipv6 rules to the he-ipv6 interface. (including forwards, blocks etc)

Then the reason there's a cron job to check every minute and re-apply if things have changed, is because when you go into the unifi user interface and make a change, the network application basically re-creates the firewall rules again... to the regular interface. So if the cron job detects that that has happened, it re-applies again to the tunnel.

It's a little hacky, but it works and allows you to still use the user interface to make rules that will apply to the tunnel. No need to mess with iptables or janky rules on the command-line. It also means that geo-ip blocking, forward etc will be applied to the tunnel.

@DJBenson
Copy link

mmm ok, then I need to work out why by default some ports are open.

@telnetdoogie
Copy link

telnetdoogie commented May 12, 2023

here's what the default firewall rules look like on a legit WAN interface (note I'm using ip6tables which ONLY shows the iptables defined for ipv6 traffic... iptables and ip6tables don't share the same entries.)

ip6tables-save | grep -i eth9
:UBIOS_WF_IFACE_ETH9 - [0:0]
-A UBIOS_WF_GROUP_1_SINGLE -m mark --mark 0x0/0x780000 -m dyn_random --prob-name "eth9-wf-group-1-single" -j MARK --set-xmark 0x380000/0x780000
-A UBIOS_WF_IFACE_ETH9 -j MARK --set-xmark 0x380000/0x780000
-A UBIOS_WF_IFACE_ETH9 -m mark ! --mark 0x0/0x780000 -j CONNMARK --save-mark --nfmask 0x780000 --ctmask 0x780000
-A UBIOS_WF_IFACE_ETH9 -j RETURN
-A UBIOS_WF_IN_WANS -i eth9 -j UBIOS_WF_IFACE_ETH9
-A UBIOS_FORWARD_IN_USER -i eth9 -m comment --comment 00000001095216663481 -j UBIOS_WAN_PF_IN_USER
-A UBIOS_FORWARD_IN_USER -i eth9 -m comment --comment 00000001095216663482 -j UBIOS_WAN_IN_USER
-A UBIOS_FORWARD_OUT_USER -o eth9 -m comment --comment 00000001095216663481 -j UBIOS_WAN_PF_OUT_USER
-A UBIOS_FORWARD_OUT_USER -o eth9 -m comment --comment 00000001095216663482 -j UBIOS_WAN_OUT_USER
-A UBIOS_FWD_IN_GEOIP_PRECHK -i eth9 -j UBIOS_IN_GEOIP
-A UBIOS_FWD_OUT_GEOIP_PRECHK -o eth9 -j UBIOS_OUT_GEOIP
-A UBIOS_INPUT_GEOIP_PRECHK -i eth9 -j UBIOS_IN_GEOIP
-A UBIOS_INPUT_USER_HOOK -i eth9 -m comment --comment 00000001095216663481 -j UBIOS_WAN_LOCAL_USER

and, without running any scripts, here's what rules are on the he-ipv6 interface when the tunnel is created:

ip6tables-save | grep -i he-ipv6

...yeah, nothing at all... so everything's wide open.

After the script is run, here's what they both look like again:

ip6tables-save | grep -i eth9

(nothing)

and for the tunnel interface:

ip6tables-save | grep -i he-ipv6
:UBIOS_WF_IFACE_HE-IPV6 - [0:0]
-A UBIOS_WF_GROUP_1_SINGLE -m mark --mark 0x0/0x780000 -m dyn_random --prob-name "he-ipv6-wf-group-1-single" -j MARK --set-xmark 0x380000/0x780000
-A UBIOS_WF_IFACE_HE-IPV6 -j MARK --set-xmark 0x380000/0x780000
-A UBIOS_WF_IFACE_HE-IPV6 -m mark ! --mark 0x0/0x780000 -j CONNMARK --save-mark --nfmask 0x780000 --ctmask 0x780000
-A UBIOS_WF_IFACE_HE-IPV6 -j RETURN
-A UBIOS_WF_IN_WANS -i he-ipv6 -j UBIOS_WF_IFACE_HE-IPV6
-A UBIOS_FORWARD_IN_USER -i he-ipv6 -m comment --comment 00000001095216663481 -j UBIOS_WAN_PF_IN_USER
-A UBIOS_FORWARD_IN_USER -i he-ipv6 -m comment --comment 00000001095216663482 -j UBIOS_WAN_IN_USER
-A UBIOS_FORWARD_OUT_USER -o he-ipv6 -m comment --comment 00000001095216663481 -j UBIOS_WAN_PF_OUT_USER
-A UBIOS_FORWARD_OUT_USER -o he-ipv6 -m comment --comment 00000001095216663482 -j UBIOS_WAN_OUT_USER
-A UBIOS_FWD_IN_GEOIP_PRECHK -i he-ipv6 -j UBIOS_IN_GEOIP
-A UBIOS_FWD_OUT_GEOIP_PRECHK -o he-ipv6 -j UBIOS_OUT_GEOIP
-A UBIOS_INPUT_GEOIP_PRECHK -i he-ipv6 -j UBIOS_IN_GEOIP
-A UBIOS_INPUT_USER_HOOK -i he-ipv6 -m comment --comment 00000001095216663481 -j UBIOS_WAN_LOCAL_USER

So they're effectively transposed (since there's no ipv6 on the default WAN interface we just 'borrow' the rules from that and shift them over.

@telnetdoogie
Copy link

So, if you want ANY firewall rules to be applied to your ipv6 tunnel, you have to do a few things: run the configure-he-ipv6-chains.sh script, AND in order to ensure the rules survive when changes are made via the user interface, setup the cron job that checks for changes and re-applies the rules.
And in order to make sure things (including the cron job) persist beyond a reboot, you'll need to use the on-boot.d scripts

Once those are all running, you can just make firewall rules and changes as you normally would in the user interface, and then wait up to 1 minute for them to be applied to the tunnel.

@DJBenson
Copy link

Yep all of that is done and seemingly working, but I've just run nmap from my vps and got this (this is the IPv6 of my UDM-SE);

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
25/tcp filtered smtp
80/tcp open http
443/tcp open ssl/https
465/tcp filtered smtps
6789/tcp open ibm-db2-admin?
7443/tcp open ssl/oracleas-https?
8080/tcp open http-proxy
8443/tcp open ssl/https-alt

None of these have been proactively opened by me.

image

@DJBenson
Copy link

DJBenson commented May 12, 2023

root@Dream-Machine-Special-Edition:/data/ipv6# ip6tables-save | grep -i eth9
:UBIOS_WF_IFACE_ETH9 - [0:0]
-A UBIOS_WF_IFACE_ETH9 -j MARK --set-xmark 0x1c0000/0x7e0000
-A UBIOS_WF_IFACE_ETH9 -m mark ! --mark 0x0/0x7e0000 -j CONNMARK --save-mark --nfmask 0x7e0000 --ctmask 0x7e0000
-A UBIOS_WF_IFACE_ETH9 -j RETURN
-A UBIOS_WF_IN_WANS -i he-ipv6 -j UBIOS_WF_IFACE_ETH9
root@Dream-Machine-Special-Edition:/data/ipv6# ip6tables-save | grep -i he-ipv6
root@Dream-Machine-Special-Edition:/data/ipv6#

Something looks wrong here.

The rules briefly show against the he-ipv6 interface but then disappear. I can force them to reappear by triggering the cronjob but then again they disappear within seconds.

root@Dream-Machine-Special-Edition:/data/cronjobs# /data/ipv6/configure-he-ipv6-chains.sh | /usr/bin/logger
root@Dream-Machine-Special-Edition:/data/cronjobs# ip6tables-save | grep -i he-ipv6
-A UBIOS_WF_PRE_JUMP -i he-ipv6 -j RETURN
-A UBIOS_FORWARD_IN_USER -i he-ipv6 -m comment --comment 00000001095216663483 -j UBIOS_WAN_IN_USER
-A UBIOS_FORWARD_OUT_USER -o he-ipv6 -m comment --comment 00000001095216663483 -j UBIOS_WAN_OUT_USER
-A UBIOS_FWD_IN_GEOIP_PRECHK -i he-ipv6 -j UBIOS_IN_GEOIP
-A UBIOS_FWD_OUT_GEOIP_PRECHK -o he-ipv6 -j UBIOS_OUT_GEOIP
-A UBIOS_INPUT_GEOIP_PRECHK -i he-ipv6 -j UBIOS_IN_GEOIP
-A UBIOS_INPUT_USER_HOOK -i he-ipv6 -m comment --comment 00000001095216663482 -j UBIOS_WAN_LOCAL_USER
root@Dream-Machine-Special-Edition:/data/ipv6# ip6tables-save | grep -i he-ipv6
root@Dream-Machine-Special-Edition:/data/ipv6#

@telnetdoogie
Copy link

Try adding a “drop all” internet v6 in rule and a “drop all” internet v6 local rule, both at the bottom, and see if that helps or changes anything
(You’ll have to wait 1 minute for the cron job to apply the rule after it’s entered)

@telnetdoogie
Copy link

telnetdoogie commented May 12, 2023

Also, get the updated version of the script. I modified it tonight since I saw that 3.0 OS changed some things.

They added some uppercase definitions so I had to change the script to take care of those as well.

@telnetdoogie
Copy link

The rules will disappear anytime you change things in the UniFi interface. Not just firewall rules. It’s not EVERYTHING but many things in the UI trigger the iptables rewrite.

@telnetdoogie
Copy link

Yeah it’s odd because it appears you have no rules in iptables at all… maybe reboot too

@DJBenson
Copy link

The rules will disappear anytime you change things in the UniFi interface. Not just firewall rules. It’s not EVERYTHING but many things in the UI trigger the iptables rewrite.

I'm making no changes in the UI based on my understanding the rules may be dropped.

Thanks for your patience with this - really appreciate it. Will try the updated scripts.

@telnetdoogie
Copy link

There may be something on the SE that is updating those iptables as well that’s different from the UDMP… I’d be interested if that’s the case

@DJBenson
Copy link

DJBenson commented May 12, 2023

No cigar. Updated the script, rebooted, IPv6 interface comes up (confirmed by being able to ping 2600::) but the he-ipv6 rules are blank.

EDIT: with the new script, forcing the rules to update doesn't work - the he-ipv6 interface is not updated now. Reverted to the old version and the rules are applied once again (but wiped soon after).

@DJBenson
Copy link

There may be something on the SE that is updating those iptables as well that’s different from the UDMP… I’d be interested if that’s the case

Something is definitely overwriting the rules - I just wouldn't know where to start looking for it.

In the above (sorry if I'm mansplaining) I force applied the rules, checked the he-ipv6 interface and the rules were applied and then within seconds they had gone again.

@DJBenson
Copy link

I saw these errors in the logs, not sure if they are relevant;

root@Dream-Machine-Special-Edition:/data/ipv6# ./enable-he-ipv6.sh
add tunnel "sit0" failed: No buffer space available
RTNETLINK answers: File exists
RTNETLINK answers: File exists
<14>May 12 09:56:54 enable-he-ipv6: HE-IPV6 enabled

I updated a couple of my comments above.

Do you want me to take this over to your repo to continue this discussion?

@DJBenson
Copy link

DJBenson commented May 12, 2023

I think I may be onto something, I use a PPPoE connection to connect to my ISP - I was looking over all the configured interfaces and running the iptables6 command and the only one which resulted in anything like what you posted was the ppp0 interface. Could it be I need to scrape the rules from that interface rather than eth9?

Rules below for comparison;

eth9

root@Dream-Machine-Special-Edition:/data/ipv6# ip6tables-save | grep -i eth9
:UBIOS_WF_IFACE_ETH9 - [0:0]
-A UBIOS_WF_IFACE_ETH9 -j MARK --set-xmark 0x1c0000/0x7e0000
-A UBIOS_WF_IFACE_ETH9 -m mark ! --mark 0x0/0x7e0000 -j CONNMARK --save-mark --nfmask 0x7e0000 --ctmask 0x7e0000
-A UBIOS_WF_IFACE_ETH9 -j RETURN
-A UBIOS_WF_IN_WANS -i he-ipv6 -j UBIOS_WF_IFACE_ETH9

ppp0

root@Dream-Machine-Special-Edition:/data/ipv6# ip6tables-save | grep -i ppp0
-A UBIOS_WF_PRE_JUMP -i ppp0 -j RETURN
:UBIOS_WF_IFACE_PPP0 - [0:0]
-A UBIOS_FORWARD_TCPMSS -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1432
-A UBIOS_FORWARD_TCPMSS -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1432
-A UBIOS_WF_GROUP_1_SINGLE -m mark --mark 0x0/0x7e0000 -m dyn_random --prob-name "ppp0-wf-group-1-single" -j MARK --set-xmark 0x1a0000/0x7e0000
-A UBIOS_WF_IFACE_PPP0 -j MARK --set-xmark 0x1a0000/0x7e0000
-A UBIOS_WF_IFACE_PPP0 -m mark ! --mark 0x0/0x7e0000 -j CONNMARK --save-mark --nfmask 0x7e0000 --ctmask 0x7e0000
-A UBIOS_WF_IFACE_PPP0 -j RETURN
-A UBIOS_WF_IN_WANS -i ppp0 -j UBIOS_WF_IFACE_PPP0
-A UBIOS_FORWARD_IN_USER -i ppp0 -m comment --comment 00000001095216663481 -j UBIOS_WAN_PF_IN_USER
-A UBIOS_FORWARD_IN_USER -i ppp0 -m comment --comment 00000001095216663482 -j UBIOS_WAN_IN_USER
-A UBIOS_FORWARD_OUT_USER -o ppp0 -m comment --comment 00000001095216663481 -j UBIOS_WAN_PF_OUT_USER
-A UBIOS_FORWARD_OUT_USER -o ppp0 -m comment --comment 00000001095216663482 -j UBIOS_WAN_OUT_USER
-A UBIOS_FWD_IN_GEOIP_PRECHK -i ppp0 -j UBIOS_IN_GEOIP
-A UBIOS_FWD_OUT_GEOIP_PRECHK -o ppp0 -j UBIOS_OUT_GEOIP
-A UBIOS_INPUT_GEOIP_PRECHK -i ppp0 -j UBIOS_IN_GEOIP
-A UBIOS_INPUT_USER_HOOK -i ppp0 -m comment --comment 00000001095216663481 -j UBIOS_WAN_LOCAL_USER

Should have said this is the "old" version of the script - the new version doesn't correctly detect the ppp0 interface as it's prefixed with a number;

root@Dream-Machine-Special-Edition:/data/ipv6# WAN_IFACE=$(ip route get 8.8.8.8 | awk '{ printf $5 }')
root@Dream-Machine-Special-Edition:/data/ipv6# echo $WAN_IFACE
201.ppp0

@DJBenson
Copy link

It looks like something is failing causing the firewall rules to be re-applied;

2023-05-12T11:59:17+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:18+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:19+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:21+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:22+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:24+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:25+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:27+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:28+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:30+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:31+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:33+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:34+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:36+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:37+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:38+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:40+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:42+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:43+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:45+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:46+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:47+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:49+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Trying to migrate config due to inconsistency (invalid config .versionDetail: must be between 9 and 9: .interfaces) to resolve following issue: invalid config: configuration syntax is invalid: IDSIPSSignaturesMode must be an object: .services.idsIps.signatures
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Starting config .versionFormat 'v2' migration for /tmp/udapi-fastapply-82b6_d6fc_82b7_c253.cfg.tmp
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/filter from 1 to 2
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/filter from 2 to 3
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/mangle from 1 to 2
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/mangle from 2 to 3
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/mangle from 3 to 4
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/nat from 1 to 2
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/nat from 2 to 3
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/pbr from 1 to 2
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/pbr from 2 to 3
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/pbr from 3 to 4
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.interfaces from 8 to 9
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.qos/ip from 1 to 2
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.routes/ospf from 2 to 3
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.routes/ospf/areas from 2 to 3
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.services/ddns from 1 to 2
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.services/dnsForwarder from 2 to 3
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.services/idsIps from 1 to 2
2023-05-12T11:59:52+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.services/igmpSnooping from 1 to 2
2023-05-12T11:59:52+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.services/l2tpServer from 1 to 2
2023-05-12T11:59:52+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.services/wanFailover from 4 to 5
2023-05-12T11:59:52+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.system from 1 to 2
2023-05-12T11:59:52+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.system from 2 to 3
2023-05-12T11:59:52+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.system from 3 to 4
2023-05-12T11:59:52+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/ipsec/site-to-site from 1 to 2
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/ipsec/site-to-site from 2 to 3
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/openvpn/peers from 1 to 2
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/openvpn/peers from 2 to 3
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/openvpn/peers from 3 to 4
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.qos from 1 to 2
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/openvpn/raws from 2 to 3
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/wireguard/clients from 0 to 1
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/wireguard/clients from 1 to 2
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/wireguard/site-to-sites from 1 to 2
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/wireguard/site-to-sites from 2 to 3
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/wireguard/servers from 1 to 2
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.services/dohProxy from 0 to 1
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.services/stunnel from 0 to 1
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.routes/access-lists from 0 to 1
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Finished config .versionFormat 'v2' migration of /tmp/udapi-fastapply-82b6_d6fc_82b7_c253.cfg.tmp
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrated config is valid
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service: vvv Apply new configuration
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                    [interfaces]: configuring
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                 [routes/static]: disabling
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                   [routes/ospf]: disabling
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                   [peripherals]: disabling
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                        [system]: configuring
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 246 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *      [services/radius-profiles]: configuring
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                      [services]: configuring
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-redirector-service:         +(services):    Keep running service redirector
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-arp-inspection-service:     +(services):    Keep stopped service arpInspection
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-dhcp-server-service:        +(services):    Keep running service dhcpServers-net_IoT_br100_192-168-100-0-24
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-dhcp-server-service:        +(services):    Keep running service dhcpServers-net_Security_br101_192-168-101-0-24
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-dhcp-server-service:        +(services):    Keep running service dhcpServers-net_Guest_br102_192-168-102-0-24
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-dhcp-server-service:        +(services):    Keep running service dhcpServers-net_Management_br103_192-168-103-0-24
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-dhcp-server-service:        +(services):    Keep running service dhcpServers-net_Default_br0_192-168-1-0-24
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-dhcp-server-service:        +(services):    Keep running service dhcpServers-net_Default_br0_192-168-1-0-24_IPV6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-dhcp-server-service:        +(services):    Keep running service dhcpServers-net_Management_br103_192-168-103-0-24_IPV6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-dns-forwarder-service:      +(services):    Keep running service dnsForwarder
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-dpi-service:                +(services): Restart running service dpi
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-geoip-filtering-service:    +(services):    Keep running service geoipFiltering
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-ids-ips-service:            +(services):    Keep running service idsIps
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-igmp-snooping-snoopd:       +(services):    Keep running service igmpSnooping
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-l2tp-server:                +(services):    Keep running service l2tpServer
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-lldp:                       +(services):    Keep running service lldp
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-mdns-service:               +(services):    Keep running service mdns
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-ntp-client-timesyncd:       +(services):    Keep running service ntpClient
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-radius-server-service:      +(services):    Keep running service radiusServer
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-system-log-syslog-ng:       +(services):    Keep stopped service systemLog
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-unifi-network:              +(services):    Keep running service unifiNetwork
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-utm-service:                +(services):    Keep running service utm
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-wan-failover:               +(services):    Keep running service wanFailover
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-wifiman:                    +(services):    Keep running service wifiman
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                 [firewall/sets]: configuring
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                  [firewall/nat]: configuring
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *               [firewall/filter]: configuring
2023-05-12T11:59:54+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *               [firewall/mangle]: configuring
2023-05-12T11:59:54+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                           [qos]: configuring
2023-05-12T11:59:54+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                         [vlans]: disabling
2023-05-12T11:59:54+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *        [bridge-firewall/broute]: configuring
2023-05-12T11:59:54+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *           [bridge-firewall/nat]: configuring
2023-05-12T11:59:54+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service: ^^^ Apply new configuration done
2023-05-12T11:59:54+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: process: Got process exit event for process redirector
2023-05-12T11:59:55+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 246 nexthops for route ::/0 dev he-ipv6

@telnetdoogie
Copy link

Yeah let's open an issue, if you don't mind posting your logs etc here

@RoxyBoxxy
Copy link

Does anybody have any wired issues using this?, everytime i use it some websites load and some just dont connect like if i enable this and put ipv6 on my pc tunnelbroker.com will not load but some websites do get a ipv6 connection, i have tried lowering the ttl and mtu but still same issue, doing a ping -6 google.com loses some packets also

@telnetdoogie
Copy link

telnetdoogie commented Jun 5, 2023

Does anybody have any wired issues using this?

You doing any load balancing?

To narrow things down I'd start with the ping packet loss... are you perhaps having an issue with connectivity to tunnelbroker?
ipv6 aside for now, do you have any packet loss on ipv4?

Try PacketLossTest.com - I usually run the "1080P Game Stream" approximation to really exercise things.

You could also test and look for [ipv4] packet loss between your router and the HE <server ipv4 address> in your config.

@RoxyBoxxy
Copy link

RoxyBoxxy commented Jun 5, 2023

Does anybody have any wired issues using this?

You doing any load balancing?

To narrow things down I'd start with the ping packet loss... are you perhaps having an issue with connectivity to tunnelbroker? ipv6 aside for now, do you have any packet loss on ipv4?

Try PacketLossTest.com - I usually run the "1080P Game Stream" approximation to really exercise things.

I dont do any load balancing this is my ping from my udm, i have 0% packet loss on ipv4

PING google.com(lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e)) 56 data bytes
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=1 ttl=120 time=14.4 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=2 ttl=120 time=14.5 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=3 ttl=120 time=58.2 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=4 ttl=120 time=14.4 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=5 ttl=120 time=14.7 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=6 ttl=120 time=14.4 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=7 ttl=120 time=14.2 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=8 ttl=120 time=14.3 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=9 ttl=120 time=14.3 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=10 ttl=120 time=14.3 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=12 ttl=120 time=14.3 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=13 ttl=120 time=14.6 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=14 ttl=120 time=58.7 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=15 ttl=120 time=14.6 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=16 ttl=120 time=14.4 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=17 ttl=120 time=88.2 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=18 ttl=120 time=14.6 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=19 ttl=120 time=14.0 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=20 ttl=120 time=14.4 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=21 ttl=120 time=14.5 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=22 ttl=120 time=14.3 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=23 ttl=120 time=13.9 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=24 ttl=120 time=15.0 ms
^C
--- google.com ping statistics ---
24 packets transmitted, 23 received, 4.16667% packet loss, time 23035ms
rtt min/avg/max/mdev = 13.914/21.442/88.213/18.864 ms

@telnetdoogie
Copy link

@RoxyBoxxy which tunnel server are you currently using?

@RoxyBoxxy
Copy link

UK London 216.66.88.98

@RoxyBoxxy
Copy link

RoxyBoxxy commented Jun 6, 2023

Okay so i found a fix, this is what i did

Set the he-ipv6 mtu to 1422

ip link set mtu 1422 dev he-ipv6

Delete the route to br0

ip route del <HE IPv6 client address>/64 dev br0

Then re added it using this

ip route add <HE IPv6 client address>/64 dev br0 mtu 1280

http://test-ipv6.com/index.html.en_US gives me 10/10

for some reason the udm set a route with a metric of 256 but the default for the default is 1024 so large packets failed

This is before

<HE IPv6 client address>/64 dev br0 proto kernel metric 256 pref medium
default dev he-ipv6 metric 1024 mtu 1422 pref medium

@telnetdoogie
Copy link

Glad you got that figured out and thanks for sharing!! Are you using pppoe for your WAN?

@RoxyBoxxy
Copy link

Yes i am using ppp0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment