orangeotto
join:2007-10-11
Winchester, MA

1 edit

1 recommendation

orangeotto

Member

[IPv6] ipv6 configuration best practices?

Long time listener, first-in-a-while caller. I've got what might be a very simple question that has many parts: I want to get IPv6 working on my one-IP static v4 BCI connection, with the ability to subnet the v6 delegation into multiple subnets behind my router/fw. What's the best/right way to do this?

My infrastructure:
Cable Modem: SMC D3G (I believe), Firmware 3.1.6.56
WAN DHCP IPv6 Address: ${WAN_V6}/64
LAN Gateway v6 Address: ${LAN_GW_V6}::1/64
LAN v6 Prefix Delegation: ${LAN_GW_V6}::/64

Firewall/Router: 1U server running OpenBSD 5.6
v4 Network: 3 internal interfaces: WIFI (DHCP), Wired (DHCP), DMZ (Static)
v4 WAN interface statically configured for WAN_v4/30, with 3 statically configured subnets, one on each interface as above.
My LAN is a mix of Linux hosts, OSX, Android and iPhones.

Questions:
* Is rtsold the right way to get the relevant IPv6 address and delegation for my FW and LAN respectively? I can see the RAs coming in on my WAN interface with tcpdump, and running 'rtsold -F $wan_if' works. I can now ping6 and traceroute6 to external v6 hosts on the internet. But what about DHCPv6? I've tried various incarnations of isc-dhcp's dhclient as well as wide-dhcpv6's dhcp6c, and all they do is send out DHCPv6 requests, but never receive a response. Is this operating as expected?

* Are any incoming connections on v6 blocked, or is it wide open? I tried ssh'ing from my desktop at work which is v6-enabled to my FW over IPv6, and saw no response on my FW, not even in PF blocks or tcpdump.

* My understanding is that with OpenBSD, if you are using dynamic configuration on one interface (WAN), accepting RAs and with forwarding enabled, you can't advertise connectivity via rtadvd on the internal addresses. Am I missing something, or is this true?

* I see that my LAN v6 delegation is a /64 in the cable modem status UI. As I understand it, this would only allow me to v6-enable one of the WIFI/Wired/DMZ subnets in my home. Correct? I read various posts about /58s and /60s coming. I'll happily sit tight if this is the case, but if I'm missing something that I could get this functionality now, I'm all ears.

MDA
Auto Negotiating
Premium Member
join:2013-09-10
Minneapolis, MN
Netgear CM600
Asus RT-AC66U B1

1 recommendation

MDA

Premium Member

I can kind of answer question 2 and mostly question 4.

Question 2: Your details of your FW are all v4, so unless you have a way to translate your v6 requests to v4 for the FW or set up v6 on your FW, you will not get a response. Don't know if entirely accurate pertaining to what you have set up in OpenBSD.

Question 4: Yes, one /64 block only allows one subnet of prefixed addresses. There are only a few routers that accept /60s (for residential) or down to /56s (depending on the size of your business), and you need that for multiple subnets. Linksys and D-Link are a couple of router brands that support it. You would need to stop using the SMC as a gateway (don't know if you can bridge that on a business connection) and use a router that supports multiple IPv6 prefixes.

NetDog
Premium Member
join:2002-03-04
Hollywood, FL

1 recommendation

NetDog to orangeotto

Premium Member

Can you do a drawing of it?
orangeotto
join:2007-10-11
Winchester, MA

1 recommendation

orangeotto

Member

(Attached image: network diagram)
Attached is a rudimentary graphic of my network. I tried to fill in as many of the IP blocks, both v4 and v6, as I could with what I've gotten working.

My questions from above remain, among others:
* Is rtsold the right way to request a v6 WAN IP and prefix delegation, or is dhcpv6 the right way to go? (The latter has not worked for me). Or is it that I have to run both?

* Is inbound IPv6 traffic filtered/port-blocked in any way?

I'm more than happy to provide tcpdump output and/or do testing (I can reboot the modem fairly easily if it helps).

MDA
Auto Negotiating
Premium Member
join:2013-09-10
Minneapolis, MN
Netgear CM600
Asus RT-AC66U B1

1 recommendation

MDA

Premium Member

said by orangeotto:

Is inbound IPv6 traffic filtered/port-blocked in any way?

If you mean to your Comcast connection from another remote connection, only the major ports like SMTP, SMB, RCP, NetBIOS, etc. are blocked for security reasons.

Anything else would be blocked by your firewall depending on how it's set up.
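
A pf.conf fragment for an OpenBSD router in the situation this thread describes, written here as an added example (not the poster's configuration): it blocks and logs all inbound IPv6 on the WAN so pflog0 shows whether a connection attempt from outside ever reaches the firewall, while still passing the ICMPv6 Neighbor Discovery and Router Advertisement traffic that rtsold needs. The interface names em0 (WAN) and em1-em3 (WIFI/Wired/DMZ) are assumptions.

```pf
# Added example PF ruleset; not the poster's own configuration.
# Interface names are assumptions: em0 = WAN (rtsold), em1-em3 = wifi/wired/dmz.
wan_if  = "em0"
lan_ifs = "{ em1 em2 em3 }"

set skip on lo

# Default deny for anything arriving on the WAN over IPv6, and log it.
# This is the check for question 2: watch the log with
#   tcpdump -n -e -ttt -i pflog0 inet6
# and try an SSH connection from outside. If nothing appears here, the
# packets were dropped upstream of this firewall, not by PF.
block in log on $wan_if inet6

# Let the router and the LAN reach out; state handles the replies.
pass out on $wan_if inet6 keep state

# Router Advertisements and Neighbor Discovery must pass, or rtsold never
# learns the WAN address and default route and ping6/traceroute6 stop working.
pass in quick on $wan_if inet6 proto icmp6 icmp6-type { routeradv, neighbrsol, neighbradv }

# ICMPv6 error messages needed for a working path (Path MTU discovery in
# particular), plus echo requests so the WAN address stays diagnosable.
pass in quick on $wan_if inet6 proto icmp6 icmp6-type { unreach, toobig, timex, paramprob, echoreq }

# Only if a DHCPv6 client (dhcp6c or dhclient) is run on the WAN: server
# replies arrive from UDP 547 to the client's UDP 546.
pass in quick on $wan_if inet6 proto udp from any port 547 to ($wan_if) port 546

# The one inbound service the poster wanted to reach: SSH to the firewall.
pass in quick on $wan_if inet6 proto tcp to ($wan_if) port 22 keep state

# Internal segments are allowed to talk IPv6 here; tighten per segment as needed.
pass in on $lan_ifs inet6 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; blocked inbound attempts then appear on pflog0 with the WAN interface name and the remote address.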

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

2 recommendations

NetFixer

Premium Member

said by MDA:

said by orangeotto:

Is inbound IPv6 traffic filtered/port-blocked in any way?

If you mean to your Comcast connection from another remote connection, only the major ports like SMTP, SMB, RCP, NetBIOS, etc. are blocked for security reasons.

Anything else would be blocked by your firewall depending on how it's set up.

Since the OP appears to be talking about a BCI account, SMTP should not be blocked (unless Comcast detects spambot activity, and then outbound port 25 is blocked). The complete official BCI port blocking list is available at: »businesshelp.comcast.com ··· nternet/ and it applies to both IPv4 and IPv6.