

gerick

join:2001-01-17
San Antonio, TX
kudos:1

Anybody get IPv6 with router cascaded under DMZPlus working?

Any solution to this yet?

2Wire 3800HGV-B with 6.11.1.29-plus.tm firmware.
3800 lan is in 192.168.0.x subnet.
IPv6 enabled.

Netgear R7000 in DMZPlus of 3800.
R7000 wan port gets public IP.
R7000 lan in 172.16.0.x subnet.


maartena
Elmo
Premium
join:2002-05-10
Orange, CA
kudos:3
said by gerick:

Any solution to this yet?

2Wire 3800HGV-B with 6.11.1.29-plus.tm firmware.
3800 lan is in 192.168.0.x subnet.
IPv6 enabled.

Netgear R7000 in DMZPlus of 3800.
R7000 wan port gets public IP.
R7000 lan in 172.16.0.x subnet.

From what I understand IPv6 cannot be used with DMZPlus and your own router, only when connected directly to the gateway. For IPv6 to work, there should be some sort of a true bridge mode in the gateway. There is no NATting on IPv6, and DMZPlus is a form of NAT as I understand it.

If it is the wireless portion of the gateway you want to replace, you could compromise by disabling the wireless on the gateway, let the gateway handle all the routing, and use a "dumb" access point for your wireless. You should be able to use IPv6 then.

I wouldn't worry about it too much though.... there really isn't much on the internet you need IPv6 for at the moment. My TWC modem has IPv6 and my router picks it up no problem, I test as IPv6, can do IPv6 tests and whatnot.... but when I started looking into what it is I can do with IPv6 (as in IPv6 only sites) I came up with a very very meager amount, just a few websites.... most of which had IPv4 alternatives.

FYI: IPv6 packets are larger in size. Speed tests repeatedly show that IPv6 is about 3-5% slower than IPv4. Not truly a big deal of course, and many IPv6 routers/modems/networks still need to be optimized. But at this moment IPv6 is "cool to have" but still pretty useless overall. At least, I can't think of any host that I NEED IPv6 for.
--
"I reject your reality and substitute my own!"


gerick

join:2001-01-17
San Antonio, TX
kudos:1
said by maartena:

But at this moment IPv6 is "cool to have" but still pretty useless overall. At least, I can't think of any host that I NEED IPv6 for.

I don't really have a need for IPv6. I just thought it would be cool to have.

Maybe someone will find a way to get it working.


rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:6
Reviews:
·AT&T U-Verse
·ViaTalk
reply to gerick
Are you wanting to use the provided AT&T IPv6 connectivity or are you trying to connect your own IPv6 tunnel from behind your router? If your Netgear can support DHCP-PD, you should be able to enable IPv6 using the IPv6 capability that AT&T includes on their RG. If you are wanting to establish your own IPv6 tunnel, I am not aware whether anyone has gotten this working in DMZ+ mode with the 3800. I saw a post the other night related to the NVG589 that indicated another security feature had to be disabled for the IPv6 tunnel to work.
--
Scott, CCIE #14618 Routing & Switching
»rolande.wordpress.com/


dahan

join:2000-10-25
Leander, TX

1 edit
said by rolande:

If your Netgear can support DHCP-PD, you should be able to enable IPv6 using the IPv6 capability that AT&T includes on their RG.

Has anyone gotten that to work on a 3800? It's not working for me. Possibly related: there's a "DHCPv6 Enabled" checkbox on RG's IPv6 configuration page, but the checkbox is disabled and can't be checked. Other people mentioned the same issue in the thread about the 6.11 firmware; e.g., »Re: New Firmware:6.11.1.29-enh.tm

BTW, if proper DHCP-PD doesn't work on the 3800, perhaps there are some hacks that might work? »priv.nu/projects/ndppd/ sounds like a possibility, but I haven't had a chance to look into the details.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to gerick
I have not tried that. I doubt that it would work.

DMZPlus is IPv4 based. I don't think your router will be assigned an IPv6 block.

Have you tried running your Netgear as a cascaded router (not DMZPlus)? I would guess that is more likely to work, though no guarantees there, either.
--
AT&T Uverse; 2Wire 3800-HGV router; openSuSE 13.1; KDE 4.11.5; firefox 30.0


gerick

join:2001-01-17
San Antonio, TX
kudos:1
said by nwrickert:

Have you tried running your Netgear as a cascaded router (not DMZPlus)?

I have not tried that. Do you mean having the Netgear get its WAN IP from the RG DHCP (192.x.x.x) and keeping the LAN IP as 172.x.x.x? Double-NATting.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
said by gerick:

Do you mean having the Netgear get its WAN IP from the RG DHCP (192.x.x.x) and keeping the LAN IP as 172.x.x.x? Double-NATting.

Yes. Give that a try.
--
AT&T Uverse; 2Wire 3800-HGV router; openSuSE 13.1; KDE 4.11.5; firefox 30.0


maartena
Elmo
Premium
join:2002-05-10
Orange, CA
kudos:3
said by nwrickert:

said by gerick:

Do you mean having the Netgear get its WAN IP from the RG DHCP (192.x.x.x) and keeping the LAN IP as 172.x.x.x? Double-NATting.

Yes. Give that a try.

That has nothing to do with IPv6 however. IPv6 will automatically award an internal and an external IP address to a host, and will be protected by a firewall of course. There is no more NAT, no more separating networks in the way we have done for decades with IPv4. It's quite a different way of configuring things. You can still have separate networks, but the networks will just receive IPv6 addresses in the same range.

It's a dry read, but this document has some info on it:

»tools.ietf.org/html/draft-ietf-v ··· oices-01
--
"I reject your reality and substitute my own!"


rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:6
Reviews:
·AT&T U-Verse
·ViaTalk
reply to nwrickert
said by nwrickert:

DMZPlus is IPv4 based. I don't think your router will be assigned an IPv6 block.

It isn't about the DMZ+ feature assigning the IPv6 address block. It can't because like you said it is only designed for IPv4. The point is having your router in DMZ+ mode for IPv4 while simultaneously being able to delegate one of the 16 IPv6 /64 netblocks from the RG to your router for internal use. I am able to do it with my NVG589 and my Cisco 3825 running in IP Passthrough mode which is equivalent to DMZ+ on the 2Wire units. I configured my router to use DHCP-PD on the outside interface and the RG assigned me a /64 prefix that I've assigned to one of my internal networks.

I saw someone post recently that they were able to get their own IPv6 tunnel working when their router was in DMZ+ mode. There was supposedly a security setting they had to disable on the RG for it to work.
--
Scott, CCIE #14618 Routing & Switching
»rolande.wordpress.com/


gerick

join:2001-01-17
San Antonio, TX
kudos:1
said by rolande:

...having your router in DMZ+ mode for IPv4 while simultaneously being able to delegate one of the 16 IPv6 /64 netblocks from the RG to your router for internal use....

I configured my router to use DHCP-PD on the outside interface and the RG assigned me a /64 prefix that I've assigned to one of my internal networks....

I don't see anything about DHCP-PD on my router, but it is supposed to support ipv6.

Options that I do see dealing with ipv6 are: PPPoE, DHCP, or fixed.
Choosing DHCP shows Router’s IPv6 Address on WAN as "Not Available".

There are also options for "IPv6 6to4 Tunnel" and "IPv6 Pass Through".

[I wish the 3800 had a working bridge mode.]


rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:6
Reviews:
·AT&T U-Verse
·ViaTalk
DHCP-PD is a component of DHCPv6. You first have to get an IPv6 address assigned to your router's outside interface. You should set the outside WAN interface of your router to do IPv6 SLAAC or auto-addressing (EUI-64). The router should automatically pick a unique IPv6 address on the same subnet the RG is using. At that point, the router should have live connectivity to the IPv6 Internet. Then you configure your router to use DHCPv6 to obtain a prefix delegation from the AT&T RG that you can assign to your inside LAN interface.

The RG is assigned a /60 IPv6 netblock from AT&T. The first /64 netblock is assigned to the local RG LAN. The other 15 /64 netblocks are there for the taking. There is no option on the RG, at this point, to statically assign them. But, if you can figure out how to get your router to make the DHCPv6 request, it should delegate a /64 netblock to your router.
--
Scott, CCIE #14618 Routing & Switching
»rolande.wordpress.com/


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to rolande
said by rolande:

It isn't about the DMZ+ feature assigning the IPv6 address block. It can't because like you said it is only designed for IPv4.

I expect it has to do with whether the router announcements that are used for IPv6, are passed to the DMZPlus computer. And that's a question of how the RG is programmed. My experience with a 3800 is such that I do not expect it to work.
--
AT&T Uverse; 2Wire 3800-HGV router; openSuSE 13.1; KDE 4.11.5; firefox 30.0


rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105
reply to rolande
said by rolande:

You first have to get an IPv6 address assigned to your router's outside interface.

Link local will suffice though. And that doesn't require anything "special," just the DAD part of NDP. All the delegating router needs is an address to which to route packets destined for the delegated network prefix. As long as there is no service on the router which would need better than link local connectivity, that'll do. It can then take a delegated prefix and start advertising on the LAN, or dole out addresses via DHCPv6.

Just saying...
--
English is a difficult enough language to interpret correctly when its rules are followed, let alone when a writer chooses not to follow those rules.

Jeopardy! replies and randomcaps REALLY suck!


rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105
reply to gerick
As some others have pointed out, DMZ+ is nominally an IPv4 thing. IPv6 frames do not even have the same frame type (0x86DD) as IPv4 (0x0800), so one layer up than DMZ+, really.

You might also consider asking in the IPv6 forum as well.
--
English is a difficult enough language to interpret correctly when its rules are followed, let alone when a writer chooses not to follow those rules.

Jeopardy! replies and randomcaps REALLY suck!

Cerlyn
Premium
join:2009-07-30

3 edits

1 recommendation

reply to gerick
3801HGV System Info

3801HGV Disabled IPv6 LAN Status
  

OpenWRT 6rd LAN/external setup
I have this working with a 3801 in DMZ mode in Florida and OpenWRT with 6rd running only on the DMZ-exposed OpenWRT router. But I am starting to think that my success is an exception given everyone else seems to have problems.

The OpenWRT router has radvd enabled. I manually gave the LAN network on the router an IPv6 address mostly matching my external :1 IPv6 address but ending with :2 and a /64 subnet. This was done to enable client IPv6 autoconfiguration.

A more user-friendly router may not require the above paragraph to be done.

The 6rd relay is 12.83.49.81 with an IPv6 prefix of 2602:300:: and an IPv6 prefix length of 28. This would have to be set up on your Netgear router presuming it supports 6rd (and also presuming IPv6 is disabled on your 3800 VDSL modem).

I would recommend testing IPv6 works from your nested router before claiming it does not work from your internal LAN. While setting things up I was able to get my router to do IPv6 pings over 6rd rather quickly; but getting IPv6 properly routed to the LAN segment took some time to figure out.
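
Added example, not part of the post above or of any poster's configuration: how the 6rd prefix 2602:300::/28 quoted above and a WAN IPv4 address combine into the /60 (sixteen /64 netblocks) described earlier in the thread, and how the IPv4 address can be read back out of any address in that range. It assumes the RFC 5969 layout with all 32 IPv4 bits embedded; the function names and the sample IPv4 address are constructed for illustration.

```python
import ipaddress

# Value quoted in the post above.
SIXRD_PREFIX = "2602:300::/28"
# Assumption: all 32 bits of the WAN IPv4 address are embedded
# (6rd IPv4MaskLen = 0), which gives 28 + 32 = the /60 mentioned in the thread.
V4_BITS = 32
# Constructed sample from the 203.0.113.0/24 documentation range.
SAMPLE_WAN_IPV4 = "203.0.113.7"


def delegated_prefix(wan_ipv4, sixrd_prefix=SIXRD_PREFIX):
    """Return the 6rd delegated prefix for a WAN IPv4 address."""
    prefix = ipaddress.IPv6Network(sixrd_prefix)
    length = prefix.prefixlen + V4_BITS
    if length > 64:
        raise ValueError("no room left for a /64 LAN subnet")
    v4 = int(ipaddress.IPv4Address(wan_ipv4))
    # The IPv4 bits sit directly after the 6rd prefix bits.
    base = int(prefix.network_address) | (v4 << (128 - length))
    return ipaddress.IPv6Network((base, length))


def lan_subnets(wan_ipv4, sixrd_prefix=SIXRD_PREFIX):
    """List every /64 inside the delegated prefix (16 of them for a /60)."""
    return list(delegated_prefix(wan_ipv4, sixrd_prefix).subnets(new_prefix=64))


def embedded_ipv4(ipv6_addr, sixrd_prefix=SIXRD_PREFIX):
    """Recover the WAN IPv4 address from a 6rd address, or None if outside the prefix.

    Useful when correlating IPv6 and IPv4 entries in your own logs: every
    host address under the delegated prefix carries the public IPv4 in it.
    """
    prefix = ipaddress.IPv6Network(sixrd_prefix)
    addr = ipaddress.IPv6Address(ipv6_addr)
    if addr not in prefix:
        return None
    shift = 128 - prefix.prefixlen - V4_BITS
    return ipaddress.IPv4Address((int(addr) >> shift) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("delegated:", delegated_prefix(SAMPLE_WAN_IPV4))
    for net in lan_subnets(SAMPLE_WAN_IPV4):
        print("  ", net)
    print("embedded:", embedded_ipv4("2602:30c:b007:1072::1"))
```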


rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105

1 recommendation

6rd is tunnelling over IPv4. It's like 6to4, but is generally operated by your ISP (as opposed to whoever wants to take the anycast traffic of 6to4). That's why it works with your IPv4 mechanisms. It's also why you get 2602:300:: addresses instead of 2002:: addresses.

The OP is attempting to set up native access instead of tunnelled.
--
English is a difficult enough language to interpret correctly when its rules are followed, let alone when a writer chooses not to follow those rules.

Jeopardy! replies and randomcaps REALLY suck!


dahan

join:2000-10-25
Leander, TX

1 recommendation

said by rchandra:

The OP is attempting to set up native access instead of tunnelled.

U-verse doesn't have native IPv6 yet... what was added in the 6.11 firmware was the ability for the RG to be the tunnel endpoint--note that the IP address on the RG is still a 2602:300:: one.

I don't know whether the OP cares whether the RG is the endpoint or his own router, but I personally don't--I just want to have IPv6 again (while keeping my own router for IPv4 stuff). That's interesting that Cerlyn was able to get it working with his router and a 3801... neither 6rd nor 6in4 to tunnelbroker.net worked for me with a 3800, using config files that were working prior to the 6.9 firmware.


rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105

1 recommendation

Oh, right...missed that (address thing). I apologize.


gerick

join:2001-01-17
San Antonio, TX
kudos:1

1 recommendation

reply to gerick
OK. I guess the RG does not pass any IPv6 addresses to the DMZ.

Removed the Netgear router from the DMZ, giving it a 192.x.x.x address.

First attempt, had Netgear router IPv6 set to DHCP. The clients were getting ip addresses that started with 'fe' (local addresses?).

Then I changed the Netgear IPv6 setting to Pass-through. Now the clients are getting ip addresses that start with 2602:304:b0ld:xxxx.

Anytime the router is in the DMZ, it never gets an IPv6 address assigned to its outside interface (WAN port). I guess the 3800 is incapable of having an IPv6 address assigned to the DMZ.


rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:6
Reviews:
·AT&T U-Verse
·ViaTalk

1 recommendation

said by gerick:

Anytime the router is in the DMZ, it never gets an IPv6 address assigned to its outside interface (WAN port). I guess the 3800 is incapable of having an IPv6 address assigned to the DMZ.

That should not be the case. It may be a limitation with how IPv6 is configured on your router.

I have my router in IP Passthrough mode behind my NVG589 and it has the public IPv4 address assigned from the RG. I also have it configured for IPv6 auto-addressing using EUI-64. I then configured my router for DHCP-PD and I am delegated one of the /64 netblocks which I've assigned to one of my internal networks.

Does IPv6 Pass-Through on your router not work when your router is configured on the 3800 for DMZ+ mode? I am using a Cisco router which gives me all of the manual configuration flexibility. Your router seems to only give you a few drop down options for IPv6 configuration. I'm not sure why an IPv4 configuration would have any impact on how IPv6 operates.

Maybe the 3800 does have some strange limitation that it won't assign the IPv4 address and an IPv6 /64 netblock to the same MAC address. But, I would not think that would be the case.

Based on what you posted, it appears that IPv6 Pass-Through does work, as you are getting a publicly delegated range from AT&T assigned.
--
Scott, CCIE #14618 Routing & Switching
»rolande.wordpress.com/


rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105

1 recommendation

Maybe the RG is just bridging any frames it doesn't understand, such as the IPv6 Ethertype? Just guessing.


dahan

join:2000-10-25
Leander, TX

1 recommendation

reply to gerick
said by gerick:

OK. I guess the RG does not pass any IPv6 addresses to the DMZ.

My 3800 will do NDP/SLAAC with the DMZ machine--it gets both a public IPv4 address, and a public IPv6 address. However, I haven't gotten the 3800 to answer any DHCPv6 solicit requests.


gerick

join:2001-01-17
San Antonio, TX
kudos:1

1 recommendation

reply to gerick
said by gerick:

I guess the RG does not pass any IPv6 addresses to the DMZ.

CORRECTION.
I am getting an IPv6 address (on most clients) while the Netgear R7000 is in the DMZ. My Nexus 7 would get an IPv4 and IPv6 if connected to the 5GHz band, and only get an IPv4 if connected to the 2.4GHz band. (Bug with the R7000 or Nexus 7?).

So it does work to have your router in the DMZ and have it pass IPv6 addresses to its devices.

Another question. Since my router (R7000) is in the DMZ of the RG, I have disabled all of the RG's firewall options. This puts the responsibility of the firewall on the R7000's SPI firewall. BUT, in IPv6 Pass-Through mode, the router works as a Layer 2 Ethernet switch with two ports (LAN and WAN Ethernet ports) for IPv6 packets. The router does not process any IPv6 header packets.

Does this mean that there is no Stateful Packet Inspection Firewall of IPv6 packets? Am I vulnerable if using IPv6 since I am getting a public address on each PC?


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

2 recommendations

said by gerick:

Does this mean that there is no Stateful Packet Inspection Firewall of IPv6 packets? Am I vulnerable if using IPv6 since I am getting a public address on each PC?

Yes, this is a concern. However, I am not in panic mode about it. And here's why:

(1) I would have to be specifically targeted. Many attacks against IPv4 systems are using random attack targets. The IPv6 address space is so large, that won't work. So we really only need to concern ourselves with specific targeting.

(2) At least for most client machines, your IPv6 address changes every day. If you are using Windows, it gives your system two IPv6 addresses with global scope. One permanent, while the other is temporary. Your outbound connections all use the temporary address. So the trace of your IPv6 address that you leave in logs of sites that you connect to, will all be temporary. That makes specific targeting harder. I'll note that some Linux machines might only use a permanent address. I'm not sure about Macs. And, of course, the permanent address of servers will be known, since that is what they will advertise. But this is reasonable protection for client-only machines.

(3) Most system software has its own firewall, so having a firewall in your router/gateway might not be important. Microsoft added a firewall to Windows XP -- I think that was in SP1. Before that time, there were break-ins to campus computers running Windows (and directly on the Internet). Since that time, almost all break-ins have depended on social engineering, which bypasses a firewall anyway. So experience at least suggests that there is not a huge potential problem.

At least that's how I see it.

As IPv6 becomes more common, we will probably see a market develop for routers with good firewall capabilities.
--
AT&T Uverse; 2Wire 3800-HGV router; openSuSE 13.1; KDE 4.11.5; firefox 30.0
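
Added example, not written by any poster in this thread: a check you can run over the addresses your own LAN clients report, separating the 'fe' link-local addresses from global ones and flagging global addresses whose interface ID is a modified EUI-64 (the auto-addressing mode mentioned earlier in the thread), since those carry the MAC address and stay the same over time. The function names and all sample addresses are constructed.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    # Modified EUI-64 inserts ff:fe between the two halves of the MAC.
    if b[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip applied to the first MAC byte.
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def classify(addr):
    """Return (scope, interface-ID kind, embedded MAC or None)."""
    ip = ipaddress.IPv6Address(addr)
    if ip in LINK_LOCAL:
        scope = "link-local"      # never routed past the local link
    elif ip in GLOBAL_UNICAST:
        scope = "global"          # reachable unless something filters it
    else:
        scope = "other"
    mac = eui64_mac(addr)
    # "opaque" only means no MAC is visible; the ID may be a temporary
    # address or a stable randomized one, which cannot be told apart here.
    return scope, ("eui64" if mac else "opaque"), mac


def stable_global(addrs):
    """Global addresses that expose a MAC-derived, unchanging interface ID."""
    return [a for a in addrs if classify(a)[:2] == ("global", "eui64")]


# Constructed sample: one host's three addresses under a made-up /64.
SAMPLE = [
    "fe80::211:22ff:fe33:4455",
    "2602:30c:b007:1070:211:22ff:fe33:4455",
    "2602:30c:b007:1070:a1b2:c3d4:e5f6:1789",
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a, classify(a))
    print("stable global:", stable_global(SAMPLE))
```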


rolande
Certifiable
Premium,Mod
join:2002-05-24
Dallas, TX
kudos:6
Reviews:
·AT&T U-Verse
·ViaTalk

2 recommendations

said by nwrickert:

I'm not sure about Macs.

Macs have a global and a temp address as well. The assumption is that they use them in a similar manner.

The RGs do have IPv6 security filters in place by default. Coincidentally, that was the primary instigator of the pause in IPv6 rollouts that occurred this past year. AT&T demanded the vendors fix all of the known security gaps and order of operations problems/bugs that were afflicting IPv6 on the RGs. There were a number of ugly issues. Now, that is not to say that the RG has a robust IPv6 firewall in place. But, they do have a considerable amount of control and they are providing fundamental protection.
--
Scott, CCIE #14618 Routing & Switching
»rolande.wordpress.com/