Insane Toad0 (Member), join:2008-10-16, Hartselle, AL

IPv6 and my current configuration discussion....

My equipment: NVG589 and Netgear WNDR4500 (NVG589 ip pass through set up / WNDR4500 handles routing)

First of all I know that ATT current IPv6 can be a headache and I am no expert about it either. When I got on the power tier months ago some things with IPv6 did not function right on my network, so I just totally disabled it on both the modem and router. I did not want to take the time to mess with it.

Yesterday I decided to dive into it to see what I could get. I turned IPv6 back on for the 589 and then set the 4500 IPv6 to auto detect. It pulled an IPv6 address and some other info. Then I hit the web to run some of the tests. Just like months ago, IPv6 websites time out but anything having to do with "Is your ISP ready" passed the tests. I know that most likely means that my network side is not correct with settings.

I started playing around with individual IPv6 settings in the router, such as 6to4, manual, DHCP, and auto config. Still, being no expert, not everything would work right. Well.... my router has an IPv6 mode that is simply called Pass-through. I enabled it, but when enabled it just says that it is enabled and there is no other info displayed. No IPv6 addresses or anything.

But........ this allows everything to work. All IPv6 internet tests pass with all devices on my network (computers, phones, Xboxes.....). All devices show having both IPv4 and IPv6 addresses on the IPv6 test site. Comcast speedtest now performs both IPv4 and IPv6 speedtests.

Now to my concern..... I don't know what the pass-through is actually doing and if it is safe. I know there are concerns with IPv6 and firewalling as it does not work the same as NAT for IPv4 (again no expert). The only info that Netgear gives as to the pass-through mode is this:

In pass-through mode, the router works as a Layer 2 Ethernet switch with two ports (LAN and WAN Ethernet ports) for IPv6 packets. The router does not process any IPv6 header packets.

I hope this all makes sense to everyone. I just need some input as to whether to use it this way or not. I don't have to have IPv6. Sometimes I just like learning new things.

Thanks!!

NormanS (MVM), join:2001-02-14, San Jose, CA

said by Insane Toad0:

My equipment: NVG589 and Netgear WNDR4500 (NVG589 ip pass through set up / WNDR4500 handles routing)

... I don't know what the pass-through is actually doing and if it is safe. I know there are concerns with IPv6 and firewalling as it does not work the same as NAT for IPv4 (again no expert). The only info that Netgear gives as to the pass-through mode is this:

In pass-through mode, the router works as a Layer 2 Ethernet switch with two ports (LAN and WAN Ethernet ports) for IPv6 packets. The router does not process any IPv6 header packets.

I hope this all makes sense to everyone. I just need some input as to whether to use it this way or not. I don't have to have IPv6. Sometimes I just like learning new things.

First, NAT is not a firewall. It is an IP address sharing scheme, required to mitigate the insufficient quantity of IPv4 IP addresses, and pretty much unnecessary for IPv6 IP addresses.

Firewall for IPv6 would be, as with IPv4, stateful. It could be implemented in software on the computer, or in firmware on the router. Many will flash third party firmware on the router, something like Tomato, which has a configurable firewall. I have an ASUS RT-AC66U for which ASUS has released a firmware version which now includes an IPv6 firewall.

IPv6 firewall.

Insane Toad0 (Member)

I don't understand all the technical side of things. I do know from some research that ATT uses 6rd for IPv6. There is no actual 6rd IPv6 mode on the WNDR4500. I just enabled the pass-through mode to see what would happen and now all the IPv6 tests from the test sites pass and I can access IPv6-only websites. My computers also get IPv6 addresses, and my Xbox Ones don't show on the console to have IPv6 addresses, but online tests show IPv6 addresses.

I have seen many people try to get IPv6 working and having all these settings to configure. I can do it with one change and it works (never heard of it being done this way either). I'm just curious as to how it is actually working and is it actually working safely.

ortizdr (Member), join:2014-01-15, North Richland Hills, TX

I would think without a firewall protecting you that you are vulnerable. Now the question is, how many hackers are on ipv6?

mackey (Premium Member), join:2007-08-20, to Insane Toad0

Since the Netgear is in IPv6 pass-through mode you can consider it as not existing at all. This means the NVG589 is your IPv6 firewall assuming you have not shut that feature off.

/M

Insane Toad0 (Member)

said by mackey:

Since the Netgear is in IPv6 pass-through mode you can consider it as not existing at all. This means the NVG589 is your IPv6 firewall assuming you have not shut that feature off.

Thanks for the input. There is nothing listed in the 589 settings specific to a firewall for just IPv6. Do you know exactly what the 589 has in the firewall settings to turn on the SPI firewall? Though turning it on may mess with the IP passthrough to my router. But I'll try any experiment to see what happens.

ortizdr (Member)

I believe it's called IPv6 ACL.

rolande (MVM), join:2002-05-24, Dallas, TX, to ortizdr

said by ortizdr:

I would think without a firewall protecting you that you are vulnerable. Now the question is, how many hackers are on ipv6?

The answer is pretty much all of them. IPv6 is the easiest back door into most people's systems if they have not implemented appropriate security controls. I would not risk enabling IPv6 on anything until I had a properly configured stateful firewall in front of it.

rolande (MVM), to Insane Toad0

said by Insane Toad0:

Well.... my router has an IPv6 mode that is simply called Pass-through. I enabled it, but when enabled it just says that it is enabled and there is no other info displayed. No IPv6 addresses or anything.

Pass-through is simply Ethernet bridging/switching. Your router is not routing or participating in IPv6. It is just forwarding the IPv6 packets along to a device that is aware of and participating in IPv6 routing (your RG).

said by Insane Toad0:

Now to my concern..... I don't know what the pass-through is actually doing and if it is safe. I know there are concerns with IPv6 and firewalling as it does not work the same as NAT for IPv4 (again no expert). The only info that Netgear gives as to the pass-through mode is this:

In pass-through mode, the router works as a Layer 2 Ethernet switch with two ports (LAN and WAN Ethernet ports) for IPv6 packets. The router does not process any IPv6 header packets.

From the perspective of your Netgear it is safe. The assumption, though, is that your AT&T-provided RG is providing actual IPv6 firewall security for your home network, or not. My understanding is that the IPv6 security control on the RG is very limited. AT&T has forced their hardware vendors (Pace and Motorola) to revisit the entire security stack for IPv6. I have not heard the latest status on the IPv6 rollout, but it was on hold for some time due to this very issue. There were stability problems and security problems discovered that were too big not to respond to. At this point, you cannot delegate or participate in IPv6 routing with your own router behind the AT&T RG. So you are stuck with whatever AT&T is providing for security, unless you really want to NAT your IPv6 traffic and run your own firewall/router. (ewwwww!!) The alternative is to manage an IPv6 software firewall on each of your internal clients, which I don't have the time or patience for.

For now, I've decided to disable it completely until things improve with the firmware on the RG. I'm really hoping they start providing IPv6 delegation or "DMZ" config options soon. They are handing you an entire /60 of address space via the 6rd tunnel. That is 16 unique /64 networks to do with as you please. Today you can only use a single /64 out of the 16 assigned because of the current firmware limitations. A simple delegation feature would be nice to let you route the other 15 networks behind your own router.

Kett2000 (Premium Member), join:2002-04-23, Lilburn, GA

It appears AT&T has started testing prefix delegation with U-Verse (at least in my area).

My router shows that it has been assigned a /64 prefix via DHCP-PD.

rolande (MVM)


said by Kett2000:

It appears AT&T has started testing prefix delegation with U-Verse (at least in my area).

My router shows that it has been assigned a /64 prefix via DHCP-PD.

I don't think that it is doing what you think it is doing. It is showing the same global /64 prefix that is showing on your RG. You've just enabled the DHCP process on your router and it has automatically discovered the same assigned prefix through neighbor discovery. That is not prefix delegation. At least not based on what is showing on the config console. If it was selecting one of the other 15 prefixes from the global prefix range and you could ping6 from a host behind your router to the RG on its locally assigned network interface, then I would believe it.
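Added example, not from the thread: a Python check of the distinction rolande draws here (same /64 learned via neighbor discovery versus a different /64 out of the delegated /60), plus the /60 = 16 x /64 arithmetic from the earlier post. All addresses are constructed from the 2001:db8::/32 documentation range and only mirror the ...:c5f0 / ...:c5ff pattern seen later in the thread.

```python
"""Checks for whether a downstream router really got a DHCP-PD prefix.

Constructed sample data: RG on 2001:db8:0:f0::/64, downstream router on
2001:db8:0:ff::/64, i.e. the same shape as the thread's c5f0/c5ff pair.
"""
import ipaddress

PD_BLOCK_LEN = 60   # AT&T hands each subscriber a /60 (per the thread)
LAN_LEN = 64        # every LAN segment gets one /64

# Constructed traceroute hops from a host behind the router: router, RG, ISP.
SAMPLE_HOPS = [
    "2001:db8:0:ff:b2fa:ebff:fe7c:4de0",   # downstream router's LAN address
    "2001:db8:0:f0::1",                     # RG's LAN address
    "2001:db8:1:1510::5",                   # first ISP hop, outside the /60
]


def enumerate_lans(delegated: str):
    """All /64 networks carved out of the delegated block (16 for a /60)."""
    block = ipaddress.IPv6Network(delegated, strict=True)
    return list(block.subnets(new_prefix=LAN_LEN))


def home_block(rg_prefix: str) -> ipaddress.IPv6Network:
    """Widen the RG's /64 to the enclosing /60, the block AT&T delegated."""
    return ipaddress.IPv6Network(rg_prefix).supernet(new_prefix=PD_BLOCK_LEN)


def delegation_status(rg_prefix: str, router_prefix: str) -> str:
    """Classify what the downstream router's console is showing.

    'same-prefix' : the RG's own /64, learned via neighbor discovery, not PD
    'delegated'   : a different /64 inside the same /60, i.e. real DHCP-PD
    'foreign'     : outside the /60 entirely; something else is going on
    """
    rg = ipaddress.IPv6Network(rg_prefix)
    rt = ipaddress.IPv6Network(router_prefix)
    if rt == rg:
        return "same-prefix"
    if rt.subnet_of(home_block(rg_prefix)):
        return "delegated"
    return "foreign"


def distinct_home_lans_on_path(rg_prefix: str, hops) -> int:
    """Count distinct /64s among the leading hops that lie inside the home /60.

    A value of 2 is the evidence rolande asks for: the host's router and the RG
    answer from two different /64s of the same delegated block.
    """
    block = home_block(rg_prefix)
    seen = []
    for hop in hops:
        addr = ipaddress.IPv6Address(hop)
        if addr not in block:
            break                       # left the home block; stop counting
        lan = ipaddress.IPv6Network((addr, LAN_LEN), strict=False)
        if lan not in seen:
            seen.append(lan)
    return len(seen)


if __name__ == "__main__":
    print(len(enumerate_lans("2001:db8:0:f0::/60")), "usable /64 networks")
    print(delegation_status("2001:db8:0:f0::/64", "2001:db8:0:ff::/64"))
    print(distinct_home_lans_on_path("2001:db8:0:f0::/64", SAMPLE_HOPS))
```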

Kett2000 (Premium Member), to Insane Toad0

said by rolande:

said by Kett2000:

It appears AT&T has started testing prefix delegation with U-Verse (at least in my area).

My router shows that it has been assigned a /64 prefix via DHCP-PD.

I don't think that it is doing what you think it is doing. It is showing the same global /64 prefix that is showing on your RG. You've just enabled the DHCP process on your router and it has automatically discovered the same assigned prefix through neighbor discovery. That is not prefix delegation. At least not based on what is showing on the config console. If it was selecting one of the other 15 prefixes from the global prefix range and you could ping6 from a host behind your router to the RG on its locally assigned network interface, then I would believe it.

Is this what you are looking for?

Note on the previous pictures I tried to mask as much of the IPv6 address as possible to prevent someone from identifying my exact prefix. It seems that masking too much information can cause confusion.

mackey (Premium Member)


Yup, you're rockin' the DHCP-PD! The NVG589 has ...:c5f0::/64 for locally connected clients and the RV082 pulled ...:c5ff::/64 for redistribution.

/M

Kett2000 (Premium Member)


said by mackey:

Yup, you're rockin' the DHCP-PD! The NVG589 has ...:c5f0::/64 for locally connected clients and the RV082 pulled ...:c5ff::/64 for redistribution.

/M

Great news! Thank you for confirming that the RV082 is working with DHCP-PD.

Insane Toad0 (Member)


Thanks for all the input everybody. It is appreciated!!

rolande (MVM), to Kett2000

Not sure how I missed the update to this thread. I must have been asleep when I clicked through. That is great news! I assume you are able to ping6 ipv6.google.com as well and actually browse to content via IPv6? Now you've piqued my curiosity and I'm probably going to be burning untold time getting my IPv6 config back operational on my Cisco 3825. I've never configured a functional DHCP-PD setup on Cisco IOS. I'm hoping it is brain-dead easy without a million options. I'll post back my results.

Kett2000 (Premium Member)


Yes, I am able to ping6 ipv6.google.com and browse the web via IPv6 as well. My PC at the moment is down so I'm not able to access it remotely to post some results, but I'll fire up the computer when I get home and post the results here.

What is the model of the Cisco network device that you are using for your U-Verse setup?

rolande (MVM)


said by Kett2000:

What is the model of the Cisco network device that you are using for your U-Verse setup?

I have a Cisco 3825 sitting behind my NVG589 in IP Passthrough mode along with a few other toys.


rolande

2 recommendations

rolande

MVM,

Okay, I just played around with the IOS configuration on my router and discovered that the NVG589 will only delegate a single /64 out of the /60 range to one downstream DHCP-PD client. I have 3 VLAN interfaces behind my router and I really wanted to assign a separate /64 to each interface. I'm not seeing a way to do that, at this point. I tried using the 'ipv6 dhcp client pd hint' feature to request (prefix)8::/61 but it appears the NVG589 ignores that option and hands out what it wants to.

But, the good news is that I did get DHCP-PD working and I am getting the f::/64 subnet delegated and I am able to assign it to one of my interfaces. That is definitely a big step forward. I may finally be able to use IPv6 behind my router after months and months of waiting for a fix.

rolande (MVM)


And it works... Hallelujah!
quote:
r961-1#ping www.google.com
Translating "www.google.com"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2607:F8B0:4000:803::1014, timeout is 2 seconds:
Packet sent with a source address of xxxx:xxx:xxxx:xxxF::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms


Kett2000 (Premium Member), to rolande

That's an impressive setup and congrats on getting IPv6 working behind your router!

I was able to ping6 ipv6.google.com before, but just trying it now all ICMP packets appear to be dropped after hop 3...

|---------------------------------------------------------------------------------- --------|
| WinMTR statistics |
| Host - % | Sent | Recv | Best | Avrg | Wrst | Last |
|------------------------------------------------|------|------|------|------|------|------|
| 2602:306:3687:c5ff:b2fa:ebff:fe7c:4de0 - 0 | 4 | 4 | 0 | 0 | 2 | 0 |
| 2602:306:3687:c5f0::1 - 0 | 4 | 4 | 1 | 1 | 1 | 1 |
| 2602:300:c533:1510::5 - 0 | 4 | 4 | 21 | 21 | 21 | 21 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
| Request timed out. - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
|________________________________________________|______|______|______|______|______|______|
WinMTR v1.00 GPLv2 (original by Appnor MSP - Fully Managed Hosting & Cloud Provider)

Here's a screenshot though showing I am able to browse content over IPv6 (shown above).

rolande (MVM)


said by Kett2000:

That's an impressive setup!

Thanks! It is a continual work in progress. I need to move all my stuff over to my Gig PoE switch and get my second access point installed to improve my wireless signal coverage, not to mention a new wireless access point that has 5GHz 802.11n support. My problem is that things just work, so I tend to let it go and ignore it.

At least I got my Macbook working...
quote:
macbook:~ user$ ping6 ipv6.google.com
PING6(56=40+8+8 bytes) xxxx:xxx:xxxx:xxxf:7ca5:edf1:d6a1:b8d0 --> 2607:f8b0:4000:803::1007
16 bytes from 2607:f8b0:4000:803::1007, icmp_seq=0 hlim=55 time=22.564 ms
16 bytes from 2607:f8b0:4000:803::1007, icmp_seq=1 hlim=55 time=23.486 ms
16 bytes from 2607:f8b0:4000:803::1007, icmp_seq=2 hlim=55 time=23.470 ms
16 bytes from 2607:f8b0:4000:803::1007, icmp_seq=3 hlim=55 time=23.254 ms
16 bytes from 2607:f8b0:4000:803::1007, icmp_seq=4 hlim=55 time=23.209 ms
^C
--- ipv6.l.google.com ping6 statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 22.564/23.197/23.486/0.335 ms

macbook:~ user$ traceroute6 -I ipv6.google.com
traceroute6 to ipv6.l.google.com (2607:f8b0:4000:803::1003) from xxxx:xxx:xxxx:xxxf:7ca5:edf1:d6a1:b8d0, 64 hops max, 16 byte packets
1 xxxx:xxx:xxxx:xxxf::1 0.733 ms 0.635 ms 0.609 ms
2 xxxx:xxx:xxxx:xxx0::1 1.763 ms 1.800 ms 1.463 ms
3 2602:300:c533:1510::2 21.138 ms * 20.853 ms
4 dlstx405me3.ipv6.att.net 22.706 ms 22.091 ms 21.663 ms
5 * * *
6 2001:4860::1:0:dd7 23.739 ms 22.892 ms 22.612 ms
7 2001:4860:0:1::22f 22.233 ms 23.235 ms 22.697 ms
8 dfw06s27-in-x03.1e100.net 22.272 ms 22.212 ms 22.236 ms

Kett2000 (Premium Member)


Here's the ping6 and traceroute to google.com. Kaspersky Antivirus was blocking it for some reason, and I had to uninstall it to get ping6 and traceroute to work over IPv6.

C:\Users\kettan.BIVEK>ping google.com -n 50000

Pinging google.com [2607:f8b0:4002:c01::65] with 32 bytes of data:
Reply from 2607:f8b0:4002:c01::65: time=83ms
Reply from 2607:f8b0:4002:c01::65: time=84ms
Reply from 2607:f8b0:4002:c01::65: time=84ms
Reply from 2607:f8b0:4002:c01::65: time=84ms
Reply from 2607:f8b0:4002:c01::65: time=83ms
Reply from 2607:f8b0:4002:c01::65: time=84ms
Reply from 2607:f8b0:4002:c01::65: time=83ms
Reply from 2607:f8b0:4002:c01::65: time=84ms
Reply from 2607:f8b0:4002:c01::65: time=84ms
Reply from 2607:f8b0:4002:c01::65: time=83ms
Reply from 2607:f8b0:4002:c01::65: time=83ms
Reply from 2607:f8b0:4002:c01::65: time=82ms

Ping statistics for 2607:f8b0:4002:c01::65:
Packets: Sent = 12, Received = 12, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 82ms, Maximum = 84ms, Average = 83ms

|---------------------------------------------------------------------------------- --------|
| WinMTR statistics |
| Host - % | Sent | Recv | Best | Avrg | Wrst | Last |
|------------------------------------------------|------|------|------|------|------|------|
| 2602:306:3687:c5ff:b2fa:ebff:fe7c:4de0 - 0 | 9 | 9 | 0 | 0 | 0 | 0 |
| 2602:306:3687:c5f0::1 - 0 | 9 | 9 | 0 | 0 | 1 | 0 |
| 2602:300:c533:1510::5 - 0 | 9 | 9 | 20 | 21 | 22 | 21 |
| sj2ca405me3.ipv6.att.net - 0 | 9 | 9 | 23 | 74 | 130 | 101 |
| Request timed out. - 100 | 2 | 0 | 0 | 0 | 0 | 0 |
| 2001:4860::1:0:7ea - 0 | 8 | 8 | 25 | 27 | 39 | 25 |
| 2001:4860::8:0:2cb6 - 0 | 8 | 8 | 25 | 26 | 36 | 36 |
| 2001:4860::8:0:3426 - 0 | 8 | 8 | 71 | 72 | 74 | 72 |
| 2001:4860::8:0:2c9d - 0 | 8 | 8 | 65 | 65 | 68 | 66 |
| 2001:4860::8:0:52bb - 0 | 8 | 8 | 83 | 83 | 84 | 83 |
| 2001:4860::2:0:a7 - 0 | 8 | 8 | 83 | 83 | 84 | 83 |
| Request timed out. - 100 | 2 | 0 | 0 | 0 | 0 | 0 |
| yh-in-x65.1e100.net - 0 | 8 | 8 | 82 | 83 | 84 | 83 |
|________________________________________________|______|______|______|______|______|______|
WinMTR v1.00 GPLv2 (original by Appnor MSP - Fully Managed Hosting & Cloud Provider)