
gerick
join:2001-01-17
San Antonio, TX
Google Wifi
Obihai OBi200

1 recommendation

gerick

Member

Re: Anybody get IPv6 with router cascaded under DMZPlus working?

OK. I guess the RG does not pass any IPv6 addresses to the DMZ.

Removed the Netgear router from the DMZ, giving it a 192.x.x.x address.

First attempt, had Netgear router IPv6 set to DHCP. The clients were getting IP addresses that started with 'fe' (local addresses?).

Then I changed the Netgear IPv6 setting to Pass-through. Now the clients are getting IP addresses that start with 2602:304:b0ld:xxxx.

Anytime the router is in the DMZ, it never gets an IPv6 address assigned to its outside interface (WAN port). I guess the 3800 is incapable of having an IPv6 address assigned to the DMZ.

rolande
Certifiable
MVM,
join:2002-05-24
Dallas, TX
ARRIS BGW210-700
Cisco Meraki MR42

1 recommendation

rolande

MVM,

said by gerick:

Anytime the router is in the DMZ, it never gets an IPv6 address assigned to its outside interface (WAN port). I guess the 3800 is incapable of having an IPv6 address assigned to the DMZ.

That should not be the case. It may be a limitation with how IPv6 is configured on your router.

I have my router in IP Passthrough mode behind my NVG589 and it has the public IPv4 address assigned from the RG. I also have it configured for IPv6 auto-addressing using EUI-64. I then configured my router for DHCP-PD and I am delegated one of the /64 netblocks which I've assigned to one of my internal networks.

Does IPv6 Pass-Through on your router not work when your router is configured on the 3800 for DMZ+ mode? I am using a Cisco router which gives me all of the manual configuration flexibility. Your router seems to only give you a few drop-down options for IPv6 configuration. I'm not sure why an IPv4 configuration would have any impact on how IPv6 operates.

Maybe the 3800 does have some strange limitation that it won't assign the IPv4 address and an IPv6 /64 netblock to the same MAC address. But, I would not think that would be the case.

Based on what you posted, it appears that IPv6 Pass-Through does work, as you are getting a publicly delegated range from AT&T assigned.

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105

1 recommendation

rchandra

Premium Member

Maybe the RG is just bridging any frames it doesn't understand, such as the IPv6 Ethertype? Just guessing.

dahan
join:2000-10-25
Leander, TX

1 recommendation

dahan to gerick

Member

to gerick
said by gerick:

OK. I guess the RG does not pass any IPv6 addresses to the DMZ.

My 3800 will do NDP/SLAAC with the DMZ machine--it gets both a public IPv4 address, and a public IPv6 address. However, I haven't gotten the 3800 to answer any DHCPv6 solicit requests.

gerick
join:2001-01-17
San Antonio, TX
Google Wifi
Obihai OBi200

1 recommendation

gerick

Member

said by gerick:

I guess the RG does not pass any IPv6 addresses to the DMZ.

CORRECTION.
I am getting an IPv6 address (on most clients) while the Netgear R7000 is in the DMZ. My Nexus 7 would get an IPv4 and IPv6 if connected to the 5GHz band, and only get an IPv4 if connected to the 2.4GHz band. (Bug with the R7000 or Nexus 7?).

So it does work to have your router in the DMZ and have it pass IPv6 addresses to its devices.

Another question. Since my router (R7000) is in the DMZ of the RG, I have disabled all of the RG's firewall options. This puts the responsibility of the firewall on the R7000's SPI firewall. BUT, in IPv6 Pass-Through mode, the router works as a Layer 2 Ethernet switch with two ports (LAN and WAN Ethernet ports) for IPv6 packets. The router does not process any IPv6 header packets.

Does this mean that there is no Stateful Packet Inspection Firewall of IPv6 packets? Am I vulnerable if using IPv6 since I am getting a public address on each PC?

nwrickert
Mod
join:2004-09-04
Geneva, IL

2 recommendations

nwrickert

Mod

said by gerick:

Does this mean that there is no Stateful Packet Inspection Firewall of IPv6 packets? Am I vulnerable if using IPv6 since I am getting a public address on each PC?

Yes, this is a concern. However, I am not in panic mode about it. And here's why:

(1) I would have to be specifically targeted. Many attacks against IPv4 systems are using random attack targets. The IPv6 address space is so large that won't work. So we really only need to concern ourselves with specific targeting.

(2) At least for most client machines, your IPv6 address changes every day. If you are using Windows, it gives your system two IPv6 addresses with global scope. One permanent, while the other is temporary. Your outbound connections all use the temporary address. So the trace of your IPv6 address that you leave in logs of sites that you connect to, will all be temporary. That makes specific targeting harder. I'll note that some Linux machines might only use a permanent address. I'm not sure about Macs. And, of course, the permanent address of servers will be known, since that is what they will advertise. But this is reasonable protection for client-only machines.

(3) Most system software has its own firewall, so having a firewall in your router/gateway might not be important. Microsoft added a firewall to Windows XP -- I think that was in SP1. Before that time, there were break-ins to campus computers running Windows (and directly on the Internet). Since that time, almost all break-ins have depended on social engineering, which bypasses a firewall anyway. So experience at least suggests that there is not a huge potential problem.

At least that's how I see it.

As IPv6 becomes more common, we will probably see a market develop for routers with good firewall capabilities.
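
Added example (not part of any post in this thread): a small Python classifier for the address types discussed above, separating link-local `fe80::` addresses from global ones and detecting EUI-64 interface IDs, which are stable and expose the interface's MAC, unlike temporary addresses. The sample addresses are constructed and use the 2001:db8::/32 documentation prefix; the function names are this example's own.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def scope(addr):
    """Coarse scope of an IPv6 address."""
    if addr in LINK_LOCAL:
        return "link-local"      # never routed past the local segment
    if addr in ULA:
        return "unique-local"
    if addr in GLOBAL_UNICAST:
        return "global"          # reachable from the Internet unless filtered
    return "other"


def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None."""
    iid = addr.packed[8:]                      # low 64 bits = interface ID
    if iid[3:5] != b"\xff\xfe":                # EUI-64 inserts ff:fe mid-MAC
        return None                            # (a random ID could match by chance)
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)


def classify(text):
    """Summarise what an address reveals: scope, /64 prefix, embedded MAC."""
    addr = ipaddress.IPv6Address(text)
    mac = eui64_mac(addr)
    return {
        "address": str(addr),
        "scope": scope(addr),
        "prefix64": str(ipaddress.IPv6Network(f"{addr}/64", strict=False)),
        "iid_type": "eui-64 (stable)" if mac else "opaque (random/temporary/manual)",
        "mac": mac,
    }


# Constructed sample addresses (documentation prefix, made-up MAC).
SAMPLES = [
    "fe80::211:22ff:fe33:4455",              # link-local, EUI-64
    "2001:db8:b01d:1:211:22ff:fe33:4455",    # global, EUI-64
    "2001:db8:b01d:1:9c3e:51a7:44d0:7be2",   # global, randomized interface ID
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

Running it against the addresses a host actually holds shows which ones are global and therefore depend on the host's own firewall when the router only bridges IPv6.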

rolande
Certifiable
MVM,
join:2002-05-24
Dallas, TX
ARRIS BGW210-700
Cisco Meraki MR42

2 recommendations

rolande

MVM,

said by nwrickert:

I'm not sure about Macs.

Macs have a global and a temp address as well. The assumption is that they use them in a similar manner.

The RGs do have IPv6 security filters in place by default. Coincidentally, that was the primary instigator of the pause in IPv6 rollouts that occurred this past year. AT&T demanded the vendors fix all of the known security gaps and order of operations problems/bugs that were afflicting IPv6 on the RGs. There were a number of ugly issues. Now, that is not to say that the RG has a robust IPv6 firewall in place. But, they do have a considerable amount of control and they are providing fundamental protection.