
johndandison

join:2001-11-22
Charlotte, NC

Router can ping IPv6 on internet, but not PCs behind it

Hi all

Hoping someone can lend me a hand. I've been fighting this all afternoon. It appears my ISP (TWC) has given me an IPv6 address that I think is public:

2606:a000:dfc0:2a:ecdc:fbb6:1687:1265

I have a Netgear SRX5308 & a Windows Server 2012 R2 running DHCP & DHCPv6. I started stateful, by having a v6 scope, then deleted the scope to run stateless.

I used a website to generate a prefix for my network, I chose fd66:a551:f279:14a7. My devices will get addresses with or without a scope in the Windows DHCPv6 server. I'm using that DHCPv6 server to set my DNS servers and domain name. Those appear to get assigned properly as well, using the Managed RA or Other RA, depending on stateful/stateless.

I've given the router an address of fd66:a551:f279:14a7::1 with a prefix length of 64.

I set up the RA on the Netgear to Other or Managed (depending on stateless/stateful with Windows DHCPv6). I set the advertised prefixes to fd66:a551:f279:14a7::/64, but can't seem to get connectivity to devices behind the firewall. DNS appears to work, because my DNS server will resolve IPv6 addresses (it's set to only look at the root hints, not my ISP), but I can't ping ipv6.google.com from PCs in my network. They can ping each other (with DNS name resolution) correctly, but nothing on the internet.

If I go into the diagnostics on the Netgear router and try to ping or trace ipv6.google.com, I get responses, so now I guess it's some sort of routing issue internal to my network, but I'm just not well versed enough in IPv6 to know.

Thanks for anything you can provide!


Cabal
Premium
join:2007-01-21
You need to set up DHCPv6-PD. Your internal network should be getting a prefix in that 2606:x range.
--
If you can't open it, you don't own it.


johndandison

join:2001-11-22
Charlotte, NC
So I tried that, but it doesn't appear my router will let me set that up from the ISP. If I set the WAN DHCPv6 to stateless, it'll let me pick PD, but then I don't get an address from TWC. If I pick stateful DHCPv6 from TWC, I don't get the option for PD, unless I'm just doing it wrong. The address the router shows is 2606:a000:dfc0:2a:ecdc:fbb6:1687:1265/64 - how many octets can I go back? Any?
--
»johndandison.com

quesix

join:2005-12-19
Cary, IL

4 edits
reply to johndandison
DHCPv6 only assigns a single address ::/128 with a ::/64 mask. DHCP-PD assignment goes on your LAN interface with a whole ::/64 block minimum. The first ::/64 of a DHCP-PD assigned ::/60, for example, may be used. Most consumer routers only care about the 1st ::/64, assigning it based on MAC address, not ::1/64 (of course using RA this isn't an issue, as hosts/servers get the address by SLAAC; the "other config flag" refers to the DHCPv6 server being used to send IPv6 DNS server info to hosts, vs. managed for addresses too). You may need to update/change firewall/router to get working DHCPv6+DHCP-PD support, which is lacking/fails in all but the newest code on consumer hardware.

The FD00::/8 addresses are not meant to be publicly routed, but for private VPNs and VLANs. To use the assigned single 2606: address and a subnet from the fd00::/8 private block you need to use NAT66/NPTv6, which, given a quick Google search, doesn't seem likely to be supported by your Netgear firewall. One user used software Sophos UTM9 and got the unexpected side-effect of working NAT66 further down in this forum (::/128 thread).

Note: an IPv6 address (QUAD-A or AAAA record) can be looked up over IPv4; an IPv6 DNS server is not required for that to work unless the DNS server hosting the domain (or the root hint servers) has no IPv4 access. I.e.: type "nslookup -type=aaaa www.google.com" from any IPv4-only host, and it will come back with the IPv6 address for google.com. Most modern web browsers will look up and try that address first, if they have an IPv6 route to the address (even if invalid), and on failure go to the IPv4 address instead.


rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105

1 recommendation

said by quesix:

you need to use NAT66/NPTv6 which given quick Google search doesn't seem likely supported by your Netgear firewall.

That's because NAT66 is evil and in nearly all cases is quite unnecessary. Figure out a way to distribute IPv6 addresses to one's LAN (whether that's radvd and SLAAC, a DHCPv6 relay and proxy NDP, or a DHCPv6 server and proxy NDP) and dispense with NATting. NAT has to be absolutely, positively the last option.
--
English is a difficult enough language to interpret correctly when its rules are followed, let alone when a writer chooses not to follow those rules.

Jeopardy! replies and randomcaps REALLY suck!


rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105

1 recommendation

reply to johndandison
said by johndandison:

If I set the WAN DHCPv6 to stateless, it'll let me pick PD, but then I don't get an address from TWC.

Right. You're not supposed to get an address, you're supposed to get a prefix and allocate an address out of that prefix. I don't know about your CMTS, but the one to which I'm attached will do both DHCPv6 for an address and DHCPv6 for PD. Of course, your router may not be that clever to try to do both simultaneously, or to allocate an address from an obtained prefix (so in that case it just distributes that prefix to the LAN and doesn't get one itself for some odd reason). Mine is a Linux system and I just told Dibbler to do both, and both it and TWC complied.

said by johndandison:

The address the router shows is 2606:a000:dfc0:2a:ecdc:fbb6:1687:1265/64 - how many octets can I go back? Any?

There's no easy way to tell. All that tells us is the network to which it's attached is a /64, and that it's globally routable. But if I had to guess, I'd say the number of octets you can "go back" is zero.
--
English is a difficult enough language to interpret correctly when its rules are followed, let alone when a writer chooses not to follow those rules.

Jeopardy! replies and randomcaps REALLY suck!
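
As an added example (not code from anyone in this thread), here is the prefix arithmetic quesix and rchandra describe, using Python's standard ipaddress module: it classifies the two addresses from the original post by scope (global vs. the fd00::/8 private block), carves a DHCPv6-PD delegation into the /64s a LAN can use, and forms the SLAAC address a host derives from its MAC. The /60 delegation and the MAC are constructed sample values (2001:db8::/32 is the documentation range), not anything TWC hands out.

```python
import ipaddress


def address_scope(addr: str) -> str:
    """Classify an IPv6 address the way the thread distinguishes them:
    'global' for 2000::/3 (routable on the public internet),
    'ula' for fc00::/7 (covers the fd00::/8 block quesix calls private),
    'link-local' for fe80::/10, otherwise 'other'."""
    a = ipaddress.IPv6Address(addr)
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "ula"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global"
    return "other"


def carve_delegated_prefix(delegated: str, new_prefix: int = 64) -> list:
    """Split a DHCPv6-PD delegation (e.g. a /60) into the /64s the LAN can use.
    A delegation shorter than a /64 cannot be carved, so that is rejected."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > new_prefix:
        raise ValueError(f"{delegated} is smaller than a /{new_prefix}")
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def eui64_address(prefix: str, mac: str) -> str:
    """Build the SLAAC address a host forms from a /64 and its MAC address
    (modified EUI-64: flip the universal/local bit, insert ff:fe in the middle)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    octets = [int(x, 16) for x in mac.replace("-", ":").split(":")]
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    octets[0] ^= 0x02  # toggle the universal/local bit of the first octet
    iid = bytes(octets[:3] + [0xFF, 0xFE] + octets[3:])
    host = int(net.network_address) | int.from_bytes(iid, "big")
    return str(ipaddress.IPv6Address(host))


if __name__ == "__main__":
    # The WAN address from the original post is global; the chosen fd66 prefix is not.
    for a in ("2606:a000:dfc0:2a:ecdc:fbb6:1687:1265", "fd66:a551:f279:14a7::1"):
        print(a, "->", address_scope(a))
    # Constructed /60 delegation: 16 usable /64s, the first one goes on the LAN.
    lans = carve_delegated_prefix("2001:db8:0:10::/60")
    print(len(lans), "subnets, first:", lans[0])
    print("SLAAC host address:", eui64_address(lans[0], "00:11:22:33:44:55"))
```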