Skip to content

Instantly share code, notes, and snippets.

@bgrewell

bgrewell/udm-pro-he-ipv6-setup.md

Last active October 27, 2024 19:26
Show Gist options
  • Save bgrewell/591b5ce8809f2bbf0b3999921cecef60 to your computer and use it in GitHub Desktop.
Save bgrewell/591b5ce8809f2bbf0b3999921cecef60 to your computer and use it in GitHub Desktop.
Download ZIP
This gist describes how to setup a hurricane electric (TunnelBroker) IPv6 tunnel on a Ubiquiti Unifi Dream Machine Pro
Raw
udm-pro-he-ipv6-setup.md

Setup IPv6 Tunnel on Unifi Dream Machine Pro

Enable SSH

TODO

Configure To Dream Machine Over SSH

SSH to your UDM

ssh root@<udm ip address>
<enter the password you set when prompted>

Configure the IPv6 Tunnel - You get the addresses from the Tunnel Details page on TunnelBroker

ip tunnel add he-ipv6 mode sit remote <server ipv4 address> local <client ipv4 address> ttl 255
ip link set he-ipv6 up
ip addr add <client ipv6 address> dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr

Test Connectivity from UDM

ping 2600::

Setup Address Allocation

TODO

@telnetdoogie
Copy link

telnetdoogie commented May 12, 2023
edited
Loading

here's what the default firewall rules look like on a legit WAN interface (note I'm using ip6tables which ONLY shows the iptables defined for ipv6 traffic... iptables and ip6tables don't share the same entries.)

ip6tables-save | grep -i eth9
:UBIOS_WF_IFACE_ETH9 - [0:0]
-A UBIOS_WF_GROUP_1_SINGLE -m mark --mark 0x0/0x780000 -m dyn_random --prob-name "eth9-wf-group-1-single" -j MARK --set-xmark 0x380000/0x780000
-A UBIOS_WF_IFACE_ETH9 -j MARK --set-xmark 0x380000/0x780000
-A UBIOS_WF_IFACE_ETH9 -m mark ! --mark 0x0/0x780000 -j CONNMARK --save-mark --nfmask 0x780000 --ctmask 0x780000
-A UBIOS_WF_IFACE_ETH9 -j RETURN
-A UBIOS_WF_IN_WANS -i eth9 -j UBIOS_WF_IFACE_ETH9
-A UBIOS_FORWARD_IN_USER -i eth9 -m comment --comment 00000001095216663481 -j UBIOS_WAN_PF_IN_USER
-A UBIOS_FORWARD_IN_USER -i eth9 -m comment --comment 00000001095216663482 -j UBIOS_WAN_IN_USER
-A UBIOS_FORWARD_OUT_USER -o eth9 -m comment --comment 00000001095216663481 -j UBIOS_WAN_PF_OUT_USER
-A UBIOS_FORWARD_OUT_USER -o eth9 -m comment --comment 00000001095216663482 -j UBIOS_WAN_OUT_USER
-A UBIOS_FWD_IN_GEOIP_PRECHK -i eth9 -j UBIOS_IN_GEOIP
-A UBIOS_FWD_OUT_GEOIP_PRECHK -o eth9 -j UBIOS_OUT_GEOIP
-A UBIOS_INPUT_GEOIP_PRECHK -i eth9 -j UBIOS_IN_GEOIP
-A UBIOS_INPUT_USER_HOOK -i eth9 -m comment --comment 00000001095216663481 -j UBIOS_WAN_LOCAL_USER

and, without running any scripts, here's what rules are on the he-ipv6 interface when the tunnel is created:

ip6tables-save | grep -i he-ipv6

...yeah, nothing at all... so everything's wide open.

After the script is run, here's what they both look like again:

ip6tables-save | grep -i eth9

(nothing)

and for the tunnel interface:

ip6tables-save | grep -i he-ipv6
:UBIOS_WF_IFACE_HE-IPV6 - [0:0]
-A UBIOS_WF_GROUP_1_SINGLE -m mark --mark 0x0/0x780000 -m dyn_random --prob-name "he-ipv6-wf-group-1-single" -j MARK --set-xmark 0x380000/0x780000
-A UBIOS_WF_IFACE_HE-IPV6 -j MARK --set-xmark 0x380000/0x780000
-A UBIOS_WF_IFACE_HE-IPV6 -m mark ! --mark 0x0/0x780000 -j CONNMARK --save-mark --nfmask 0x780000 --ctmask 0x780000
-A UBIOS_WF_IFACE_HE-IPV6 -j RETURN
-A UBIOS_WF_IN_WANS -i he-ipv6 -j UBIOS_WF_IFACE_HE-IPV6
-A UBIOS_FORWARD_IN_USER -i he-ipv6 -m comment --comment 00000001095216663481 -j UBIOS_WAN_PF_IN_USER
-A UBIOS_FORWARD_IN_USER -i he-ipv6 -m comment --comment 00000001095216663482 -j UBIOS_WAN_IN_USER
-A UBIOS_FORWARD_OUT_USER -o he-ipv6 -m comment --comment 00000001095216663481 -j UBIOS_WAN_PF_OUT_USER
-A UBIOS_FORWARD_OUT_USER -o he-ipv6 -m comment --comment 00000001095216663482 -j UBIOS_WAN_OUT_USER
-A UBIOS_FWD_IN_GEOIP_PRECHK -i he-ipv6 -j UBIOS_IN_GEOIP
-A UBIOS_FWD_OUT_GEOIP_PRECHK -o he-ipv6 -j UBIOS_OUT_GEOIP
-A UBIOS_INPUT_GEOIP_PRECHK -i he-ipv6 -j UBIOS_IN_GEOIP
-A UBIOS_INPUT_USER_HOOK -i he-ipv6 -m comment --comment 00000001095216663481 -j UBIOS_WAN_LOCAL_USER

So they're effectively transposed (since there's no ipv6 on the default WAN interface we just 'borrow' the rules from that and shift them over.

@telnetdoogie
Copy link

So, if you want ANY firewall rules to be applied to your ipv6 tunnel, you have to do a few things: run the configure-he-ipv6-chains.sh script, AND in order to ensure the rules survive when changes are made via the user interface, setup the cron job that checks for changes and re-applies the rules.
And in order to make sure things (including the cron job) persist beyond a reboot, you'll need to use the on-boot.d scripts

Once those are all running, you can just make firewall rules and changes as you normally would in the user interface, and then wait up to 1 minute for them to be applied to the tunnel.

@DJBenson
Copy link

Yep all of that is done and seemingly working, but I've just run nmap from my vps and got this (this is the IPv6 of my UDM-SE);

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
25/tcp filtered smtp
80/tcp open http
443/tcp open ssl/https
465/tcp filtered smtps
6789/tcp open ibm-db2-admin?
7443/tcp open ssl/oracleas-https?
8080/tcp open http-proxy
8443/tcp open ssl/https-alt

None of these have been proactively opened by me.

image

@DJBenson
Copy link

DJBenson commented May 12, 2023
edited
Loading 

root@Dream-Machine-Special-Edition:/data/ipv6# ip6tables-save | grep -i eth9
:UBIOS_WF_IFACE_ETH9 - [0:0]
-A UBIOS_WF_IFACE_ETH9 -j MARK --set-xmark 0x1c0000/0x7e0000
-A UBIOS_WF_IFACE_ETH9 -m mark ! --mark 0x0/0x7e0000 -j CONNMARK --save-mark --nfmask 0x7e0000 --ctmask 0x7e0000
-A UBIOS_WF_IFACE_ETH9 -j RETURN
-A UBIOS_WF_IN_WANS -i he-ipv6 -j UBIOS_WF_IFACE_ETH9

root@Dream-Machine-Special-Edition:/data/ipv6# ip6tables-save | grep -i he-ipv6
root@Dream-Machine-Special-Edition:/data/ipv6#

Something looks wrong here.

The rules briefly show against the he-ipv6 interface but then disappear. I can force them to reappear by triggering the cronjob but then again they disappear within seconds.

root@Dream-Machine-Special-Edition:/data/cronjobs# /data/ipv6/configure-he-ipv6-chains.sh | /usr/bin/logger
root@Dream-Machine-Special-Edition:/data/cronjobs# ip6tables-save | grep -i he-ipv6
-A UBIOS_WF_PRE_JUMP -i he-ipv6 -j RETURN
-A UBIOS_FORWARD_IN_USER -i he-ipv6 -m comment --comment 00000001095216663483 -j UBIOS_WAN_IN_USER
-A UBIOS_FORWARD_OUT_USER -o he-ipv6 -m comment --comment 00000001095216663483 -j UBIOS_WAN_OUT_USER
-A UBIOS_FWD_IN_GEOIP_PRECHK -i he-ipv6 -j UBIOS_IN_GEOIP
-A UBIOS_FWD_OUT_GEOIP_PRECHK -o he-ipv6 -j UBIOS_OUT_GEOIP
-A UBIOS_INPUT_GEOIP_PRECHK -i he-ipv6 -j UBIOS_IN_GEOIP
-A UBIOS_INPUT_USER_HOOK -i he-ipv6 -m comment --comment 00000001095216663482 -j UBIOS_WAN_LOCAL_USER
root@Dream-Machine-Special-Edition:/data/ipv6# ip6tables-save | grep -i he-ipv6
root@Dream-Machine-Special-Edition:/data/ipv6#

@telnetdoogie
Copy link

Try adding a “drop all” internet v6 in rule and a “drop all” internet v6 local rule, both at the bottom, and see if that helps or changes anything
(You’ll have to wait 1 minute for the cron job to apply the rule after it’s entered)

@telnetdoogie
Copy link

telnetdoogie commented May 12, 2023
edited
Loading

Also, get the updated version of the script. I modified it tonight since I saw that 3.0 OS changed some things.

They added some uppercase definitions so I had to change the script to take care of those as well.

@telnetdoogie
Copy link

The rules will disappear anytime you change things in the UniFi interface. Not just firewall rules. It’s not EVERYTHING but many things in the UI trigger the iptables rewrite.

@telnetdoogie
Copy link

Yeah it’s odd because it appears you have no rules in iptables at all… maybe reboot too

@DJBenson
Copy link

The rules will disappear anytime you change things in the UniFi interface. Not just firewall rules. It’s not EVERYTHING but many things in the UI trigger the iptables rewrite.

I'm making no changes in the UI based on my understanding the rules may be dropped.

Thanks for your patience with this - really appreciate it. Will try the updated scripts.

@telnetdoogie
Copy link

There may be something on the SE that is updating those iptables as well that’s different from the UDMP… I’d be interested if that’s the case

@DJBenson
Copy link

DJBenson commented May 12, 2023
edited
Loading

No cigar. Updated the script, rebooted, IPv6 interface comes up (confirmed by being able to ping 2600::) but the he-ipv6 rules are blank.

EDIT: with the new script, forcing the rules to update doesn't work - the he-ipv6 interface is not updated now. Reverted to the old version and the rules are applied once again (but wiped soon after).

@DJBenson
Copy link

There may be something on the SE that is updating those iptables as well that’s different from the UDMP… I’d be interested if that’s the case

Something is definitely overwriting the rules - I just wouldn't know where to start looking for it.

In the above (sorry if I'm mansplaining) I force applied the rules, checked the he-ipv6 interface and the rules were applied and then within seconds they had gone again.

@DJBenson
Copy link

I saw these errors in the logs, not sure if they are relevant;

root@Dream-Machine-Special-Edition:/data/ipv6# ./enable-he-ipv6.sh
add tunnel "sit0" failed: No buffer space available
RTNETLINK answers: File exists
RTNETLINK answers: File exists
<14>May 12 09:56:54 enable-he-ipv6: HE-IPV6 enabled

I updated a couple of my comments above.

Do you want me to take this over to your repo to continue this discussion?

@DJBenson
Copy link

DJBenson commented May 12, 2023
edited
Loading

I think I may be onto something, I use a PPPoE connection to connect to my ISP - I was looking over all the configured interfaces and running the iptables6 command and the only one which resulted in anything like what you posted was the ppp0 interface. Could it be I need to scrape the rules from that interface rather than eth9?

Rules below for comparison;

eth9

root@Dream-Machine-Special-Edition:/data/ipv6# ip6tables-save | grep -i eth9
:UBIOS_WF_IFACE_ETH9 - [0:0]
-A UBIOS_WF_IFACE_ETH9 -j MARK --set-xmark 0x1c0000/0x7e0000
-A UBIOS_WF_IFACE_ETH9 -m mark ! --mark 0x0/0x7e0000 -j CONNMARK --save-mark --nfmask 0x7e0000 --ctmask 0x7e0000
-A UBIOS_WF_IFACE_ETH9 -j RETURN
-A UBIOS_WF_IN_WANS -i he-ipv6 -j UBIOS_WF_IFACE_ETH9

ppp0

root@Dream-Machine-Special-Edition:/data/ipv6# ip6tables-save | grep -i ppp0
-A UBIOS_WF_PRE_JUMP -i ppp0 -j RETURN
:UBIOS_WF_IFACE_PPP0 - [0:0]
-A UBIOS_FORWARD_TCPMSS -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1432
-A UBIOS_FORWARD_TCPMSS -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1432
-A UBIOS_WF_GROUP_1_SINGLE -m mark --mark 0x0/0x7e0000 -m dyn_random --prob-name "ppp0-wf-group-1-single" -j MARK --set-xmark 0x1a0000/0x7e0000
-A UBIOS_WF_IFACE_PPP0 -j MARK --set-xmark 0x1a0000/0x7e0000
-A UBIOS_WF_IFACE_PPP0 -m mark ! --mark 0x0/0x7e0000 -j CONNMARK --save-mark --nfmask 0x7e0000 --ctmask 0x7e0000
-A UBIOS_WF_IFACE_PPP0 -j RETURN
-A UBIOS_WF_IN_WANS -i ppp0 -j UBIOS_WF_IFACE_PPP0
-A UBIOS_FORWARD_IN_USER -i ppp0 -m comment --comment 00000001095216663481 -j UBIOS_WAN_PF_IN_USER
-A UBIOS_FORWARD_IN_USER -i ppp0 -m comment --comment 00000001095216663482 -j UBIOS_WAN_IN_USER
-A UBIOS_FORWARD_OUT_USER -o ppp0 -m comment --comment 00000001095216663481 -j UBIOS_WAN_PF_OUT_USER
-A UBIOS_FORWARD_OUT_USER -o ppp0 -m comment --comment 00000001095216663482 -j UBIOS_WAN_OUT_USER
-A UBIOS_FWD_IN_GEOIP_PRECHK -i ppp0 -j UBIOS_IN_GEOIP
-A UBIOS_FWD_OUT_GEOIP_PRECHK -o ppp0 -j UBIOS_OUT_GEOIP
-A UBIOS_INPUT_GEOIP_PRECHK -i ppp0 -j UBIOS_IN_GEOIP
-A UBIOS_INPUT_USER_HOOK -i ppp0 -m comment --comment 00000001095216663481 -j UBIOS_WAN_LOCAL_USER

Should have said this is the "old" version of the script - the new version doesn't correctly detect the ppp0 interface as it's prefixed with a number;

root@Dream-Machine-Special-Edition:/data/ipv6# WAN_IFACE=$(ip route get 8.8.8.8 | awk '{ printf $5 }')
root@Dream-Machine-Special-Edition:/data/ipv6# echo $WAN_IFACE
201.ppp0

@DJBenson
Copy link

It looks like something is failing causing the firewall rules to be re-applied;

2023-05-12T11:59:17+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:18+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:19+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:21+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:22+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:24+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:25+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:27+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:28+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:30+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:31+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:33+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:34+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:36+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:37+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:38+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:40+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:42+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:43+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:45+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:46+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:47+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:49+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Trying to migrate config due to inconsistency (invalid config .versionDetail: must be between 9 and 9: .interfaces) to resolve following issue: invalid config: configuration syntax is invalid: IDSIPSSignaturesMode must be an object: .services.idsIps.signatures
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Starting config .versionFormat 'v2' migration for /tmp/udapi-fastapply-82b6_d6fc_82b7_c253.cfg.tmp
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/filter from 1 to 2
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/filter from 2 to 3
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/mangle from 1 to 2
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/mangle from 2 to 3
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/mangle from 3 to 4
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/nat from 1 to 2
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/nat from 2 to 3
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/pbr from 1 to 2
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/pbr from 2 to 3
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.firewall/pbr from 3 to 4
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.interfaces from 8 to 9
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.qos/ip from 1 to 2
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.routes/ospf from 2 to 3
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.routes/ospf/areas from 2 to 3
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.services/ddns from 1 to 2
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.services/dnsForwarder from 2 to 3
2023-05-12T11:59:51+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.services/idsIps from 1 to 2
2023-05-12T11:59:52+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.services/igmpSnooping from 1 to 2
2023-05-12T11:59:52+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.services/l2tpServer from 1 to 2
2023-05-12T11:59:52+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.services/wanFailover from 4 to 5
2023-05-12T11:59:52+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.system from 1 to 2
2023-05-12T11:59:52+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.system from 2 to 3
2023-05-12T11:59:52+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.system from 3 to 4
2023-05-12T11:59:52+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/ipsec/site-to-site from 1 to 2
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/ipsec/site-to-site from 2 to 3
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/openvpn/peers from 1 to 2
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/openvpn/peers from 2 to 3
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/openvpn/peers from 3 to 4
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.qos from 1 to 2
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/openvpn/raws from 2 to 3
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/wireguard/clients from 0 to 1
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/wireguard/clients from 1 to 2
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/wireguard/site-to-sites from 1 to 2
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/wireguard/site-to-sites from 2 to 3
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.vpn/wireguard/servers from 1 to 2
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.services/dohProxy from 0 to 1
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.services/stunnel from 0 to 1
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrating config .versionDetail.routes/access-lists from 0 to 1
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Finished config .versionFormat 'v2' migration of /tmp/udapi-fastapply-82b6_d6fc_82b7_c253.cfg.tmp
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: config-migrate-helper: Migrated config is valid
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service: vvv Apply new configuration
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                    [interfaces]: configuring
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                 [routes/static]: disabling
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                   [routes/ospf]: disabling
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                   [peripherals]: disabling
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                        [system]: configuring
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 245 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 246 nexthops for route ::/0 dev he-ipv6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *      [services/radius-profiles]: configuring
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                      [services]: configuring
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-redirector-service:         +(services):    Keep running service redirector
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-arp-inspection-service:     +(services):    Keep stopped service arpInspection
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-dhcp-server-service:        +(services):    Keep running service dhcpServers-net_IoT_br100_192-168-100-0-24
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-dhcp-server-service:        +(services):    Keep running service dhcpServers-net_Security_br101_192-168-101-0-24
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-dhcp-server-service:        +(services):    Keep running service dhcpServers-net_Guest_br102_192-168-102-0-24
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-dhcp-server-service:        +(services):    Keep running service dhcpServers-net_Management_br103_192-168-103-0-24
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-dhcp-server-service:        +(services):    Keep running service dhcpServers-net_Default_br0_192-168-1-0-24
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-dhcp-server-service:        +(services):    Keep running service dhcpServers-net_Default_br0_192-168-1-0-24_IPV6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-dhcp-server-service:        +(services):    Keep running service dhcpServers-net_Management_br103_192-168-103-0-24_IPV6
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-dns-forwarder-service:      +(services):    Keep running service dnsForwarder
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-dpi-service:                +(services): Restart running service dpi
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-geoip-filtering-service:    +(services):    Keep running service geoipFiltering
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-ids-ips-service:            +(services):    Keep running service idsIps
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-igmp-snooping-snoopd:       +(services):    Keep running service igmpSnooping
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-l2tp-server:                +(services):    Keep running service l2tpServer
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-lldp:                       +(services):    Keep running service lldp
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-mdns-service:               +(services):    Keep running service mdns
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-ntp-client-timesyncd:       +(services):    Keep running service ntpClient
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-radius-server-service:      +(services):    Keep running service radiusServer
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-system-log-syslog-ng:       +(services):    Keep stopped service systemLog
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-unifi-network:              +(services):    Keep running service unifiNetwork
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-utm-service:                +(services):    Keep running service utm
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-wan-failover:               +(services):    Keep running service wanFailover
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: svc-wifiman:                    +(services):    Keep running service wifiman
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                 [firewall/sets]: configuring
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                  [firewall/nat]: configuring
2023-05-12T11:59:53+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *               [firewall/filter]: configuring
2023-05-12T11:59:54+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *               [firewall/mangle]: configuring
2023-05-12T11:59:54+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                           [qos]: configuring
2023-05-12T11:59:54+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *                         [vlans]: disabling
2023-05-12T11:59:54+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *        [bridge-firewall/broute]: configuring
2023-05-12T11:59:54+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service:  *           [bridge-firewall/nat]: configuring
2023-05-12T11:59:54+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: service: ^^^ Apply new configuration done
2023-05-12T11:59:54+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: process: Got process exit event for process redirector
2023-05-12T11:59:55+01:00 Dream-Machine-Special-Edition ubios-udapi-server[1333]: netlink: Multipath routes not supported, got 246 nexthops for route ::/0 dev he-ipv6

@telnetdoogie
Copy link

Yeah let's open an issue, if you don't mind posting your logs etc here

@RoxyBoxxy
Copy link

Does anybody have any wired issues using this?, everytime i use it some websites load and some just dont connect like if i enable this and put ipv6 on my pc tunnelbroker.com will not load but some websites do get a ipv6 connection, i have tried lowering the ttl and mtu but still same issue, doing a ping -6 google.com loses some packets also

@telnetdoogie
Copy link

telnetdoogie commented Jun 5, 2023
edited
Loading

Does anybody have any wired issues using this?

You doing any load balancing?

To narrow things down I'd start with the ping packet loss... are you perhaps having an issue with connectivity to tunnelbroker?
ipv6 aside for now, do you have any packet loss on ipv4?

Try PacketLossTest.com - I usually run the "1080P Game Stream" approximation to really exercise things.

You could also test and look for [ipv4] packet loss between your router and the HE <server ipv4 address> in your config.

@RoxyBoxxy
Copy link

RoxyBoxxy commented Jun 5, 2023
edited
Loading

Does anybody have any wired issues using this?

You doing any load balancing?

To narrow things down I'd start with the ping packet loss... are you perhaps having an issue with connectivity to tunnelbroker? ipv6 aside for now, do you have any packet loss on ipv4?

Try PacketLossTest.com - I usually run the "1080P Game Stream" approximation to really exercise things.

I dont do any load balancing this is my ping from my udm, i have 0% packet loss on ipv4

PING google.com(lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e)) 56 data bytes
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=1 ttl=120 time=14.4 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=2 ttl=120 time=14.5 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=3 ttl=120 time=58.2 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=4 ttl=120 time=14.4 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=5 ttl=120 time=14.7 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=6 ttl=120 time=14.4 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=7 ttl=120 time=14.2 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=8 ttl=120 time=14.3 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=9 ttl=120 time=14.3 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=10 ttl=120 time=14.3 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=12 ttl=120 time=14.3 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=13 ttl=120 time=14.6 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=14 ttl=120 time=58.7 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=15 ttl=120 time=14.6 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=16 ttl=120 time=14.4 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=17 ttl=120 time=88.2 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=18 ttl=120 time=14.6 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=19 ttl=120 time=14.0 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=20 ttl=120 time=14.4 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=21 ttl=120 time=14.5 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=22 ttl=120 time=14.3 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=23 ttl=120 time=13.9 ms
64 bytes from lhr25s33-in-x0e.1e100.net (2a00:1450:4009:81f::200e): icmp_seq=24 ttl=120 time=15.0 ms
^C
--- google.com ping statistics ---
24 packets transmitted, 23 received, 4.16667% packet loss, time 23035ms
rtt min/avg/max/mdev = 13.914/21.442/88.213/18.864 ms

@telnetdoogie
Copy link

@RoxyBoxxy which tunnel server are you currently using?

@RoxyBoxxy
Copy link

UK London 216.66.88.98

@RoxyBoxxy
Copy link

RoxyBoxxy commented Jun 6, 2023
edited
Loading

Okay so i found a fix, this is what i did

Set the he-ipv6 mtu to 1422

ip link set mtu 1422 dev he-ipv6

Delete the route to br0

ip route del <HE IPv6 client address>/64 dev br0

Then re added it using this

ip route add <HE IPv6 client address>/64 dev br0 mtu 1280

http://test-ipv6.com/index.html.en_US gives me 10/10

for some reason the udm set a route with a metric of 256 but the default for the default is 1024 so large packets failed

This is before

<HE IPv6 client address>/64 dev br0 proto kernel metric 256 pref medium
default dev he-ipv6 metric 1024 mtu 1422 pref medium

@telnetdoogie
Copy link

Glad you got that figured out and thanks for sharing!! Are you using pppoe for your WAN?

@RoxyBoxxy
Copy link

Yes i am using ppp0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment