
Gork
Ou812ic
join:2001-10-06
Bountiful, UT

1 edit

1 recommendation

Gork

Member

Dynamically assigned static DHCPv6 suffixes from ZyWALL

I realize this is a long post. My actual questions start at paragraph 5; the first 3 after this are included for historical/explanation information.

I've been learning a lot over the past two weeks while trying to get IPv6 working on my network hooked to the Internet via Comcast. I can access IPv6 sites, and I have figured out how to allow my Web server to be accessible to other Web users outside my network. I am currently starting to look into the possibility of using »www.duiadns.net/ to set up DDNS for my web server via IPv6. I'd have to run their client on my Linux box since it doesn't appear the USG20W will use any DDNS hosts which currently provide IPv6 DDNS services. (I don't like that - would much rather have the router handle DDNS directly.)

I've learned that the most difficult thing to get over when trying to learn IPv6 is to toss out the complicated world of IPv4 as opposed to trying to compare the two. For instance, I get a 64 bit prefix delegation from Comcast. For my home that's all I need. Far more than I need. Though the prefix delegation CAN CHANGE, thus upsetting the ability for outsiders to be able to connect to my servers, that doesn't happen often. Even so, I don't need to try to "subnet" this "IPv6 prefix" but just need to accept it. Hopefully I'll find a DDNS solution which will address a possible situation where the IPv6 prefix changes, and hopefully eventually this solution will be built directly into my router.

So, using a 64 bit prefix delegation from Comcast means I need to come up with a 64 bit suffix (aka interface identifier) for each network device on my network I want to be accessible outside my LAN. The 64 bit prefix and 64 bit suffix together make up the 128 bit IPv6 address. Once I got the USG to properly pass on the prefix and learned how my specific devices come up with their own suffixes I felt I finally had a good basic understanding of the system. For example, by default the OS on my main computer, Windows 8.1, creates a suffix randomly. Once created (and if I understand what I'm learning correctly,) it is permanent for all intents and purposes. Once appended to the prefix obtained from Comcast via prefix delegation it makes up the main IPv6 address for the computer which is Internet routable and thus can be used to connect to a server on my LAN from the Internet.

So, every IPv6 capable networked device on my network will have an Internet routable IPv6 address. (I realize I haven't hit upon link local, Windows Temporary IPv6 addresses, gateway IPv6 addresses and the fact that IPv6 interfaces can utilize multiple IPv6 addresses at once but I understand the basics of these things. I think.) But there are a few problems I'm having with IPv6 behind the USG which bother me.

First, what if I don't want some basically random suffix for my IPv6 devices but don't want to statically assign IPv6 suffixes to all my network devices? I can't find a way for the USG to use DHCPv6 to assign suffixes. Is it supposed to be able to do this? It'd be nice to have addresses such as ::0.0.0.10 instead of ::feab:102e:2c2b:192e to be able to organize my network as I please. I've tried changing things in the settings screens but nothing changes on my Win8.1 (for instance) machine. I'm not sure if the USG isn't working, if I'm not implementing the settings properly or if I need to change something in my OS because it's automatically creating random suffixes instead of asking the router for a suffix as I'd like it to do. Maybe Win8.1 won't even allow me to do this? Either automatic or static - no other choice?

My second issue has to do with what seems to be a design implementation with the IPv6 system. If I have a web server and a NAS with a web interface and am using prefix delegation, both will be assigned a globally routable IPv6 address. In order to allow Web users to connect to my Web server I just open http service in the USG's firewall. But since I can't specify a specific IPv6 address in the firewall rule wouldn't opening up port 80 allow Internet users to connect to both my Web Server and the Web interface of my NAS? Or can I control what network addresses on my LAN Web surfers have access to by creating an IPv6 network address object...

I've found testing very difficult because nobody I know outside my network is using IPv6 right now, including my employer.

EDIT:
I was able to create a firewall rule which allowed HTTP traffic to the IPv6 address of my Web server through. HOWEVER, I was forced to specify both the prefix and suffix of the IPv6 address. So, if my ISP changed my prefix delegation I see no way the USG's firewall would let traffic through to the newly assigned IPv6 address of my Web server without me manually going in and adjusting the firewall rule.

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

1 recommendation

Brano

MVM

said by Gork:

For example, by default the OS on my main computer, Windows 8.1, creates a suffix randomly.

It's seemingly random, but it's not. The address is SLAAC in EUI-64 format generated from MAC address, see example here: »supportforums.cisco.com/ ··· -address

See also this, several good points in there:
»www.rmv6tf.org/wp-conten ··· sing.pdf

As for the prefix changing issue, there's currently no good solution, but a zone-based firewall should do the trick to some extent.

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

4 edits

1 recommendation

Gork

Member

I'm going to confuse all common sense and share that I have read on several sites, including official MS sites, that Win7/8 doesn't use (by default?) EUI-64. In addition to the random suffix (interface identifier) in the "Temporary IPv6 Address" which changes every few days, Windows also assigns a random suffix to the prefix obtained from the ISP which stays the same once created. I looked into this because I noticed the suffix of the IPv6 address containing the prefix from Comcast did not match my MAC address as per the EUI-64 specification. Linux, however, uses EUI-64 to create the suffix. (I've read it does, but haven't checked myself.)

One quick non-official example from »www.networkworld.com/art ··· ort.html
quote:
Windows 7 doesn't use the EUI-64 technique by default when forming its interface identifier.
Even so, one would think this randomization would have to be built on some seed(s), but I haven't found what it might be.

Thanks for verifying that I properly understand the problem with the prefix changing issue. It SEEMS it shouldn't be difficult for ZyXEL to implement a solution. What if they allowed the DHCPv6 request object in firewall rules? Then you could specify the prefix with the object and the suffix statically using a static IPv6 suffix on the server. (Or possibly even IPv6 capable DDNS if the router were capable of objectifying and using such a service.) It makes me wonder if Cisco or any other vendors have yet implemented solutions for this issue.

Hopefully someone will be able to chime in about whether or not they've been able to have their ZyXEL device assign static suffixes to network devices via DHCPv6. Everything I'm reading seems to indicate it should work (even on Win8 specifically) if the router works properly and is set up properly. I'm just not sure if I'm using the settings correctly, if the router isn't working properly or if I misunderstand the interface and it's not even designed to use DHCPv6 in this manner.

I kind of feel like IPv6 wasn't very well thought through before implementation. Or perhaps nobody could imagine that ISPs wouldn't want to simply offer static addressing to their customers. It seems to me that most problems wouldn't even exist if we all received static IP addressing from the ISPs, and this makes me wonder if IPv6 was initially designed with the assumption in mind that they would. I can't think of any reason ISPs shouldn't assign static blocks to every customer, other than greediness. I guess privacy might be a concern as well, maybe?

Btw, thanks for the links. The second one is especially chock-full of easy to understand information. I see it doesn't say anything about Win7/8 not using EUI-64 though. Understanding DUID would have been a lot easier for me had I come across that site before the many others I ran across...

Note: I've updated this post WAY too many times. I'll stop editing it now.
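
Added example (not part of the thread): a Python check of whether an address's interface identifier is the Modified EUI-64 form of a MAC, which is the comparison described in the post above. An EUI-64 suffix exposes the MAC in every global address, so the check is also a quick privacy audit. The MAC and the 2001:db8:: prefix are constructed sample values; the feab:102e:2c2b:192e suffix is the one quoted in the first post.

```python
import ipaddress
from typing import Optional

IID_MASK = (1 << 64) - 1  # low 64 bits of the address: the interface identifier


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit of the first octet and insert ff:fe
    # between the vendor half and the device half of the MAC.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def mac_from_eui64(address: str) -> Optional[str]:
    """Return the MAC embedded in an EUI-64 style suffix, or None if there is none."""
    iid = (int(ipaddress.IPv6Address(address)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify_iid(address: str, mac: Optional[str] = None) -> str:
    """Rough classification of how the low 64 bits of an address were chosen."""
    iid = int(ipaddress.IPv6Address(address)) & IID_MASK
    if mac_from_eui64(address) is not None:
        if mac is not None and iid == eui64_iid(mac):
            return "eui64-of-this-mac"
        return "eui64-shaped"
    if iid < 0x10000:
        return "low-numbered"   # typical of manual or DHCPv6 assignment
    return "opaque"             # random, stable-private, or DHCPv6


if __name__ == "__main__":
    nic = "00:1a:2b:3c:4d:5e"  # constructed MAC
    for addr in ("2001:db8:1:2:21a:2bff:fe3c:4d5e",
                 "2001:db8:1:2:feab:102e:2c2b:192e",
                 "2001:db8:1:2::80"):
        print(addr, classify_iid(addr, nic), mac_from_eui64(addr))
```
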
JPedroT
Premium Member
join:2005-02-18

1 recommendation

JPedroT

Premium Member

The problem as you mention, is that ISPs are stuck in an IPv4 mindset and do not give you a permanent prefix. Which is no problem, since IPv6 got enough addresses for everybody, supposedly.

So when the ISP broke one of the key things for IPv6 deployment, vendors need to scramble to catch up.
But it's not a big issue, it can easily be done, as soon as somebody writes up a feature spec and champions it through the systems.

As for random IPv6 addresses, that is covered by the privacy extensions and then it will create random ip addresses for SLAAC.
For DHCPv6 you will still have to do the MAC/DUID IP binding as with IPv4 DHCP.

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

4 edits

1 recommendation

Gork

Member

JPedroT; Thanks for the confirmation - between your and Brano's info it sounds like I pretty much understood after my two weeks of research then. One thing I want to clarify, just because I'm not sure from your verbiage if you understood what I was saying, is that Win7/8 apparently does NOT configure their suffix using EUI-64. MS uses a different (supposedly random) method as opposed to using the MAC and adding the FF FE in. (This is in addition to the "Temporary IPv6 Address" and the "Link-local IPv6 Address.") I found that odd and interesting...

Oh how I can see that the original vanilla IPv6 specification was set up to work so simply and ISPs (possibly other types of companies too) have complicated things... And as I've indicated before, I think the fact ISPs won't assign a static prefix is ridiculous.

So the only question I still have is if the ZyXEL device is SUPPOSED to allow for IPv6 suffix assignments to network devices as it now stands and it isn't working properly (or I don't know what I'm doing,) or if ZyXEL is still in "scrambling mode" and hasn't implemented this yet. The 20W's web interface has IPv6 options on the LAN side, to include an area called DHCPv6 Lease Options where you can enter an IPv6 Lease Object (wherein you can enter an interface's DUID and an IPv6 PREFIX). Perhaps these options are not doing what I assume they should be doing.

And I'm still finding that my Win8.1 machine drops its IPv6 address from time to time. (I haven't figured out if it's time-based, or happens when the computer sleeps or what.) The IPv6 addresses are repopulated when I toggle the WAN option on the router to have the ISP assign an IPv6 address to the WAN interface. (I'm still not sure if toggling a different option in the router would cause the same results.) This seems like a bug in the router to me.
JPedroT
Premium Member
join:2005-02-18

1 recommendation

JPedroT

Premium Member

Privacy extension is used by default on Windows

»andatche.com/blog/2012/0 ··· windows/

As for losing the IPv6 address, it probably comes down to lifetime settings for host/router addresses. This might have defaults in the device or reuse the values that are given to the WAN port.

Also if the WAN port loses its IPv6 address for some reason, then the address assignments on LAN will be affected too. For instance a router lifetime value gets set to 0 etc. One issue might be a too low value on some timers etc.
Do a packet trace to see all of the flags and values in RA and DHCPv6.

As for ZyWALL supporting suffixes on the firewall rules etc, no idea, we got a static /48 in the office where I got a ZyWALL.
And at home I got a static /60, so never had to poke around with it.

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

1 recommendation

Gork

Member

/jealous

Good page which describes well what I've been trying to say.

The address on the computer is lost; running ipconfig shows only the link-local IPv6 address when this happens. I would think there should be something in place for the computer to renew a lease if that's what the problem is. I haven't checked to see what happens with the address assigned to the WAN port of the router, that port is assigned a /128 IPv6 address with a different prefix than what network devices on the LAN are assigned. But even when I don't have an address assigned to the WAN interface the prefix is forwarded to my computer, it comes up with its suffix and it passes IPv6 connection tests.

So I just tried running a packet capture but here's where the water starts muddying up for me. I used Wireshark while the IPv6 connection was up but could only see advertisement type traffic. (Neighbor solicitation/advertisement, solicit/advertise XID) Do I need to look into that traffic further to find what I'm looking for? I don't see anything that might be related to flags and values in RA. I don't think. And I don't see anything that appears to be a router advertisement. I do have the "enable router advertisement" option checked in the web interface of the USG, but I don't really understand the settings I've entered into that section. (sigh)
Gork

1 recommendation

Gork

Member

I finally found a router advertisement. Is this the part of it I should be looking in for the information you suggested? (I changed addresses, but same=same). I see very large valid lifetime numbers...

Internet Control Message Protocol v6
    Type: Router Advertisement (134)
    Code: 0
    Checksum: 0xa18e [correct]
    Cur hop limit: 64
    Flags: 0x80
    Router lifetime (s): 1800
    Reachable time (ms): 0
    Retrans timer (ms): 0
    ICMPv6 Option (Prefix information : 1234:1234:1234:1234::1/64)
        Type: Prefix information (3)
        Length: 4 (32 bytes)
        Prefix Length: 64
        Flag: 0xe0
        Valid Lifetime: 2592000
        Preferred Lifetime: 604800
        Reserved
        Prefix: 1234:1234:1234:1234::1 (1234:1234:1234:1234::1)
    ICMPv6 Option (Prefix information : 1234:1234:1234:1234::/64)
        Type: Prefix information (3)
        Length: 4 (32 bytes)
        Prefix Length: 64
        Flag: 0xc0
        Valid Lifetime: 4294967295 (Infinity)
        Preferred Lifetime: 4294967295 (Infinity)
        Reserved
        Prefix: 1234:1234:1234:1234:: (1234:1234:1234:1234::)
    ICMPv6 Option (MTU : 1480)
        Type: MTU (5)
        Length: 1 (8 bytes)
        Reserved
        MTU: 1480
    ICMPv6 Option (Source link-layer address : 01:52: ** etc1 **)
        Type: Source link-layer address (1)
        Length: 1 (8 bytes)
        Link-layer address: 01:52: **etc1 ** (01:52: ** etc1 **)
 

After a "Solicit XID" message I found the following DHCPV6 "Advertise XID" msg:

DHCPv6
    Message type: Advertise (2)
    Transaction ID: 0x27e531
    Client Identifier
        Option: Client Identifier (1)
        Length: 14
        Value: ** mask bee74 **
        DUID: ** mask bee74 **
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: Nov 15, 2013 17:54:32.000000000 Mountain Standard Time
        Link-layer address: e0:cb: ** etc 1 **
    Server Identifier
        Option: Server Identifier (2)
        Length: 10
        Value: ** mask f06a **
        DUID: ** mask f06a **
        DUID Type: link-layer address (3)
        Hardware type: Ethernet (1)
        Link-layer address: 02:67: ** etc 2 **
    Status code
        Option: Status code (13)
        Length: 2
        Value: 0002
        Status Code: NoAddrAvail (2)
 

Is this where I should be looking as well? Does that "NoAddrAvail" mean either the USG is borked or I have something set up incorrectly?

Should I really be running this trace when the IPv6 address disappears, though...
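
Added example (not from the thread or from ZyXEL): a parser for the Router Advertisement fields shown in the capture above, reporting which address sources the RA tells hosts to use and whether any lifetime is zero. The packet bytes are constructed to mirror the capture's flag and lifetime values, with a documentation prefix substituted and the checksum left at 0.

```python
import ipaddress
import struct

INFINITE = 0xFFFFFFFF  # lifetime value Wireshark prints as "Infinity"


def prefix_option(prefix: str, flags: int, valid: int, preferred: int) -> bytes:
    """Build a 32-byte Prefix Information option (type 3) for the sample packet."""
    return struct.pack("!BBBBIII16s", 3, 4, 64, flags, valid, preferred, 0,
                       ipaddress.IPv6Address(prefix).packed)


# Constructed sample: RA header, two prefix options, one MTU option.
SAMPLE_RA = (
    struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x80, 1800, 0, 0)
    + prefix_option("2001:db8:1234:1234::1", 0xE0, 2592000, 604800)
    + prefix_option("2001:db8:1234:1234::", 0xC0, INFINITE, INFINITE)
    + struct.pack("!BBHI", 5, 1, 0, 1480)
)


def parse_ra(pkt: bytes) -> dict:
    """Parse the ICMPv6 RA header plus Prefix Information and MTU options."""
    if len(pkt) < 16 or pkt[0] != 134:
        raise ValueError("not an ICMPv6 Router Advertisement")
    _hop_limit, flags, router_lifetime = struct.unpack_from("!BBH", pkt, 4)
    ra = {
        "managed": bool(flags & 0x80),   # M: addresses available via DHCPv6
        "other": bool(flags & 0x40),     # O: other settings (DNS) via DHCPv6
        "router_lifetime": router_lifetime,
        "mtu": None,
        "prefixes": [],
    }
    offset = 16
    while offset < len(pkt):
        if offset + 2 > len(pkt):
            raise ValueError("truncated option header")
        opt_type, opt_len = pkt[offset], pkt[offset + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or offset + opt_len > len(pkt):
            raise ValueError("malformed option length")
        body = pkt[offset:offset + opt_len]
        if opt_type == 3 and opt_len == 32:
            plen, pflags, valid, preferred = struct.unpack_from("!BBII", body, 2)
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[16:32])}/{plen}",
                "on_link": bool(pflags & 0x80),         # L
                "autonomous": bool(pflags & 0x40),      # A: hosts may run SLAAC
                "router_address": bool(pflags & 0x20),  # R: field holds router's address
                "valid": valid,
                "preferred": preferred,
            })
        elif opt_type == 5 and opt_len == 8:
            ra["mtu"] = struct.unpack_from("!I", body, 4)[0]
        offset += opt_len
    return ra


def summarize(ra: dict) -> dict:
    """Which address sources the RA enables, and any zero lifetimes it carries."""
    sources, problems = set(), []
    if ra["managed"]:
        sources.add("dhcpv6")
    if ra["router_lifetime"] == 0:
        problems.append("router lifetime is 0")
    for p in ra["prefixes"]:
        if p["autonomous"]:
            sources.add("slaac")
        if p["valid"] == 0 or p["preferred"] == 0:
            problems.append(f"zero lifetime on {p['prefix']}")
    return {"address_sources": sorted(sources), "problems": problems}


if __name__ == "__main__":
    print(summarize(parse_ra(SAMPLE_RA)))
```

With the capture's values both the M flag and the A flag are set, so a host is told to use SLAAC and DHCPv6 side by side.
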
JPedroT
Premium Member
join:2005-02-18

1 recommendation

JPedroT

Premium Member

How many devices do you have on your LAN that request a DHCPv6 lease? And how big is your DHCPv6 scope?

But yes, the server can/will not assign an address to the client, why, well that is unclear

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

1 recommendation

Gork

Member

I receive a /64 from Comcast. This is just me dabbling at home, and I've only tried to play around with IPv6 on four machines. One is just my phone, one is my main PC and the other two are my WinXP "server" on which I run a VM for my web server on Ubuntu. I have maybe five other network devices which may or may not be set up to receive IPv6 addresses - I've not checked them or cared about them at this point. So the short of it, no more than 10 devices on my LAN at the most would be requesting a DHCPv6 lease.

I can't even tell how big my DHCPv6 scope is. It is either not an option the USG allows me to set or I don't understand the web based interface well enough to set it up properly.

Thanks for verifying that I was reading the results correctly from the packet sniff.

I've attached a screenshot with the IPv6 settings for the bridged interface I'm using. It should be obvious that I don't know what I'm doing, but I've tried so many different settings and I haven't been able to use the USG as a DHCPv6 server on this interface for my LAN at all.


JPedroT
Premium Member
join:2005-02-18

JPedroT

Premium Member

You are confusing me a bit here now.

You mentioned a bridged interface, what is bridged, LAN and WAN interface or LAN and WLAN or something else entirely?

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

Gork

Member

I've bridged LAN to WLAN - the GUI interface is the same as if I were using only LAN, so no difference there.
JPedroT
Premium Member
join:2005-02-18

2 recommendations

JPedroT

Premium Member

You are supposed to use Prefix Delegation on your ZyWALL DHCPv6 server. PD is to delegate a prefix to another router that will use that prefix for its LAN.

Create an object of type address pool and assign that object to the DHCPv6 server on the correct interface. This object should be an address pool inside your delegated prefix. For example, if your prefix is 2001:DB8::/64 then you create a pool that says 2001:DB8::100 to 2001:DB8::200 for instance.

You probably should create a couple DNS Server objects also and add those as well.

Now this creates an issue with your prefix changing again, so let's try the following (which I have not).
Start address : 0:0:0:0:0:8000::100
End address : 0:0:0:0:0:8000::200

Make sure RA is enabled and tells your LAN what the prefix is.

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

1 edit

Gork

Member

Makes sense what you're saying about using "address pool" instead of PD. I tried it and there is good news and bad news. My computer properly obtains an IPv6 address from within the entered address pool. That's the good news. The bad news is using the zeros didn't work and the computer will be assigned whatever I put in the address pool. aaaa:bbbb:cccc::100 works splendidly, for instance. But of course that is outside the PD from my ISP... If I properly enter the prefix delegated to me followed by whatever suffixes I want for the address pool everything is peachy. But as you say, this creates an issue if my prefix changes again.

Since I'm assigned a /64 I tried using:
Start address - 0:0:0:0:8000::100
End address - 0:0:0:0:8000::200

This assigns me:
IPv6 Address. . . . . . . . . . . : ::8000:0:0:100

Isn't that just lovely? Just exactly as I told it to. heh

I did try creating a couple of DNS Server objects before and couldn't get that working. So in order to concentrate on the DHCPv6 addressing I statically entered the IPv6 DNS addresses into my computer while I test.

I'll post my current settings in the GUI for the interface on my LAN side. With these settings my computer is properly assigned ::0:0:0:100


JPedroT
Premium Member
join:2005-02-18

1 recommendation

JPedroT

Premium Member

Then you should contact ZyXEL, I do not have a setup to experiment with

Since my ZyWALL is in production and dishing out PD to about 12 other routers in my lab etc

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

2 edits

1 recommendation

Gork

Member

Alright, thank you - doesn't look like you see anything wrong with what I'm trying to do then so it appears to be a flaw in ZyXEL's implementation. (I'm not sure I'll call them - they make me SO angry...)

I also see nothing built into the GUI to allow me to set up a static DHCPv6 table either.

EDIT:
And with your help I have DNSv6 addresses being assigned through DHCPv6 as well. I just needed a push in the right direction for that one - and to KNOW that it actually works. If I KNOW there's a way to do it because someone else has told me they're doing it I can usually figure it out.
Gork

1 edit

1 recommendation

Gork to JPedroT

Member

to JPedroT
Figured out how to set up a DHCPv6 table! (For stateful DHCPv6.) It suffers from the same problem with the address pool method you mentioned above though. That is, if the Prefix Delegation from the ISP changes it creates an issue.

1) Create a DHCPv6 address lease using the DUID of the computer you want assigned the static IPv6 address via DHCPv6. Reference this object to the proper interface. (ie LAN1)

2) Check the IPv6 interface page to ensure this object is listed under DHCPv6 Lease Options.

(In Windows the command line command IPCONFIG /ALL will give you the DUID of the machine's network interface.)

EDIT:
I CAN'T FOR THE LIFE OF ME FIGURE OUT HOW TO GET THE DUID IN UBUNTU. Ugh.
Kirby Smith
join:2001-01-26
Derry, NH

1 recommendation

Kirby Smith to Gork

Member

to Gork
So, what could be used is a NAT capability from the WAN assigned IPv6 address to the LAN DHCP static assigned IPv6 addresses. I realize this is anathema to the IPv6 community, but I seem to recall seeing an RFC on the subject.

Aha! Found RFC 5902 and RFC 6296 as potentially topical. Of course, existence of an RFC does not mean that someone incorporated its ideas into router software.

kirby
JPedroT
Premium Member
join:2005-02-18

1 recommendation

JPedroT

Premium Member

You know that every time somebody says IPv6 needs NAT an Angel and a cat and child and probably one each of everything that is cute and cuddly DIES A HORRIBLE DEATH!!!!!


Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

Brano

MVM

LMAO!

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

1 recommendation

Gork to JPedroT

Member

to JPedroT
The more I learn the more I tend to agree that a very capable and simple IPv6 is needlessly being turned into another monster.
JPedroT
Premium Member
join:2005-02-18

1 recommendation

JPedroT to Gork

Premium Member

to Gork
The dumb thing is the ISP, you got the DUID of the router, so it's NO problem to give out the same PD to the same router for the lifetime of the router.
And if the customer changes router, then fine, it's a bit more hassle to update all firewall rules etc, but it's something you most likely won't do more than once a year.

So the proper fix, is not to change the PD prefixes every month etc.
JPedroT

JPedroT to Gork

Premium Member

to Gork
said by Gork:

EDIT:
I CAN'T FOR THE LIFE OF ME FIGURE OUT HOW TO GET THE DUID IN UBUNTU. Ugh.

jpt@jpt-acer2:/$ cat /etc/dhcp/dhclient.conf | grep dhcp-client-identifier

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

1 recommendation

Gork

Member

Yeah, I have to agree it IS dumb for the ISPs to muddle this all up. If they can give a static range to business class customers, they can do it for everyone. And even with PD the ranges handed out are supposed to only change very infrequently. Well, if that's the case why make them change EVER?

Sadly the only DUID in that file is an example line behind a REM (#). So either a DUID hasn't been created on my Ubuntu machine or it's hiding somewhere else. And I've looked at a lot of places after several hours of Google searches. So I'm currently looking into how I might CREATE one, assuming it hasn't been done yet.
Gork

4 edits

1 recommendation

Gork

Member

EDIT 1/18/2015:
Please see my post below to correct an error in this post... (»Re: Dynamically assigned static DHCPv6 suffixes from ZyWALL)

Ok, FINALLY found the DUID for the Ubuntu VM. The only way I was able to find it was from a packet trace. I found a DHCPv6 "Confirm XID" packet which contained a DUID. However, this DUID was too long. There was a "Link-layer address" below it which was the proper length and in the end that is the DUID I used in the router to dynamically assign the IPv6 suffix I wanted to the Ubuntu VM.

I ran into a lot of snags on the way and wish I could post them here to help others - but there were just too many and my head's all abuzz. (I'll try...) The most confusing thing is that I did not find the DUID in ANY .lease or .conf file in Ubuntu. At some point AFTER I ran DHCLIENT -6 -v -r eth0 and DHCLIENT -6 -v commands to try to release my old DHCPv6 lease (it didn't work properly btw) /var/lib/dhcp/dhclient6.leases was created where only dhclient.leases existed before. It had a single line in it to define the default-duid number, but it wasn't a readable number. (Its format is like "\001\034KR\" etc.)

Ubuntu kept pulling ::0:0:0:101/128 from the DHCPv6 lease I created in the router earlier (using the address pool as described above) and even when I inputted an address object into the router based on the DUID I obtained from the packet sniff it kept assigning ::0:0:0:101/128 instead of the DHCPv6 static address of ::0:0:0:80/128 I put into the router. (I assumed for way too long that I was using an incorrect DUID.) I tried to get Ubuntu to release the :101 lease to see if it'd pull the :80 lease, but DHCLIENT just kept hanging.

I finally found the :101 address at /var/lib/NetworkManager/dhclient6-*-eth0.lease (the * indicates a lot of numbers/letters,) but that file should not have been in use, only /var/lib/NetworkManager/dhclient6-eth0.conf. BAH!

One last thing to try. I removed the DHCPv6 address pool object from the router, leaving the address object ::0:0:0:80/128 in place. I released the IPv6 lease from eth0 (as noted above) and renewed it. Voila! Ubuntu took on ::0:0:0:80/128 as assigned by the router. (It still has :101/128 assigned as well, and if I put the address pool back into the router I'm afraid it'll never lose that address. But that is a continuing saga.)

After going through these steps more info was magically added to /var/lib/dhcp/dhclient6.leases which included "option dhcp6.client-id" followed by the DUID I had initially found via a packet sniff. Crazy, but there you have it. This hasn't been a very user-friendly experience. I'm afraid IPv6, at least when used with prefix delegation from the ISP and DHCPv6, is NOT ready for primetime yet.

Now, other than any problems I'll run into when trying to reactivate the address pool object in the router, the only problem is what happens if the prefix delegation from my ISP changes? It doesn't appear the USG can handle that, and unless someone else shares knowledge it probably comes down to contacting ZyXEL as JPedroT suggested. My guess is the router is just simply not capable of handling such an occurrence in its current firmware state. It'd be nice if we could use DHCPv6 Prefix Delegation Request objects within DHCPv6 lease objects in order to define the IPv6 prefix or something else so we didn't have to literally define the IPv6 prefix... Or something that works similarly!

Oh yes, and there's still the problem of trying to figure out why (at least) my Win8.1 computer loses its IP address and the router doesn't renew it unless I toggle some setting in the router to "wake it up" or something. Yuck.

AND the issue where you can't use a specific IPv6 address, or object, to pass connections through the USG's firewall to a specific computer instead of to all computers on the interface... Another ZyXEL fault it would appear.

AND the issue I brought up in my other thread where no IPv6 DDNS client is included in the router's firmware. (Yeah, can't totally blame ZyXEL for this one. But wouldn't it be wonderful if they got »www.duiadns.net/ working natively in the router?!)

The next hurdle will be trying to figure out why my WinXP-32 machine doesn't have a DUID and how to change that so the router can give it a static IP via DHCPv6 as well if that's even possible, I mean, since WinXP is dead and all. (This is the machine my Ubuntu VM runs on, and WinXP itself runs a few server programs which need to be accessible from the Internet.) None of this is important right now, but it sure has been a good learning experience.

Here's a graphic of the part of the packet trace I was talking about:


Gork

1 recommendation

Gork

Member

said by Gork:

you can't use a specific IPv6 address, or object, to pass connections through the USG's firewall to a specific computer instead of to all computers on the interface

Figured out that you CAN do this by creating an IPv6 Address Object, duh! BUT with the same caveat that you can't use an object for the prefix so if the ISP changes the prefix delegation you're hosed until you go in and manually update...
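
Added example (not ZyXEL's behaviour and not code from the thread): how a firewall destination pinned to a full address goes stale when the delegated /64 changes, next to a match on the low 64 bits only, which survives the change and still exposes just the one host. Rule names, addresses and the suffix-match rule type are hypothetical; the thread reports that the USG only accepts the full address.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits: the interface identifier ("suffix")

# Constructed rule table: rule name -> destination address allowed from the WAN.
RULES = {
    "web-http": "2001:db8:1:1::80",   # written while the old prefix was delegated
    "nas-admin": "2001:db8:2:2::30",  # already written against the new prefix
}


def rebase(address: str, delegated_prefix: str) -> ipaddress.IPv6Address:
    """Keep the suffix of `address` and swap in the currently delegated /64."""
    net = ipaddress.IPv6Network(delegated_prefix)
    if net.prefixlen != 64:
        raise ValueError("this example only handles a /64 on the LAN")
    iid = int(ipaddress.IPv6Address(address)) & IID_MASK
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def stale_rules(rules: dict, delegated_prefix: str) -> dict:
    """Rules whose destination is outside the delegated prefix, with the fix."""
    net = ipaddress.IPv6Network(delegated_prefix)
    fixes = {}
    for name, dst in rules.items():
        if ipaddress.IPv6Address(dst) not in net:
            # The rule silently stops matching: the server is unreachable
            # until the object is rewritten with the new prefix.
            fixes[name] = str(rebase(dst, delegated_prefix))
    return fixes


def suffix_rule_allows(dst: str, allowed_suffix: str) -> bool:
    """Prefix-independent rule: compare only the low 64 bits of the destination."""
    dst_iid = int(ipaddress.IPv6Address(dst)) & IID_MASK
    want_iid = int(ipaddress.IPv6Address(allowed_suffix)) & IID_MASK
    return dst_iid == want_iid


if __name__ == "__main__":
    new_prefix = "2001:db8:2:2::/64"
    print(stale_rules(RULES, new_prefix))
    # The suffix-only lease from the address pool test, placed in a real prefix:
    print(rebase("::8000:0:0:100", new_prefix))
    # The web server matches under any prefix; the NAS on the same LAN never does.
    print(suffix_rule_allows("2001:db8:2:2::80", "::80"),
          suffix_rule_allows("2001:db8:2:2::30", "::80"))
```
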
JPedroT
Premium Member
join:2005-02-18

2 edits

1 recommendation

JPedroT to Gork

Premium Member

to Gork
Not that it helps you, but I got what you want to do in regards to changing prefixes, working with the VMG8924, actually I did not do anything.

It was the default setup for the device, but for some reason it only works with Windows and not OS X which is my main OS at home.

On my vmg the dhcp pool was already set to

0:0:0:0::2 to 0:0:0:0::ffff

which made no sense at first sight, then I tried to insert the full 16 quads address and it said that was wrong. And since I use a /64 on the LAN it made no sense with 5 quads for the pool. Logically, to me at least, it should have been 4 quads for the prefix and 4 for the suffix.

Then my slow brain thought, hmmm, what if my /60 assignment is the reason for the 5 quads. Fire up Wireshark, nothing really makes sense from the packet trace.
I see that RA M and O flags are set, since I want to run a stateful setup ie dhcp does most of the work and RA should just say that, hence M and O being set to on.

Okay, OS X does things differently than Windows and ZyXEL are a very Windows-centric shop.
Find a laptop with Windows and fire it up, lo and behold it works. I get the ::2 address from the prefix I have assigned to my LAN.

So the three questions I have now are

1. Why does it not work with OS X?
2. Does it work with Linux?
3. Can we do the same setup with a ZyWALL?

Just a note to self really
»en.wikipedia.org/wiki/Co ··· _systems

//Edit

OS X 10.10 ie Yosemite works, I upgraded my mac from 10.9 to 10.10 and now it works the same way the Windows 7 laptop did.

But according to the Wikipedia link (caveat emptor) it is supposed to work with Lion and up, ie 10.7 and newer.

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

1 recommendation

Gork

Member

Since I get a /64 from the ISP and don't subnet it further I should use 0:0:0:0::30 for a single address. When I do that Win8.1 tells me the parameter is incorrect and it gets no IPv6 address assigned.

With Ubuntu, IFCONFIG shows the address assigned as simply ::80/64. However, when I use an IPv6 web proxy to try to connect using prefix::80 it does connect.

I suppose the router is designed to send the packet on even though the FULL address isn't assigned to the interface on the computer. Linux allows the address to be assigned without the prefix and my guess is that Windows and OSX both balk at it since it's not a good IPv6 address so it breaks the system. Honestly, I feel the router SHOULD assign the full prefix:suffix to the computer, but I don't know what the protocol is.
Gork

2 edits

1 recommendation

Gork

Member

This is to document an error in my post above, »Re: Dynamically assigned static DHCPv6 suffixes from ZyWALL , and to provide some additional information.

Above I mentioned that I was able to discover a DUID via a packet sniff which allowed my router to assign my Ubuntu VM an IP address via DHCPv6. I indicated the DUID in the packet was too long, but there was a shortened version of it called the Link-layer address. I posted a screen shot. This address actually did NOT work. I had confused two different packets somehow.

So to explain what I believe actually IS happening after running a few more packet traces... During boot Ubuntu sends a request using the longer DUID. The web interface of the USG only allows 14 pairs of numbers for a DUID (11:22 would be two pairs, for example) but this DUID is 18 pairs long. So I can't use this longer DUID in order to assign an IPv6 address using an address object in the router.

After Ubuntu boots up, when I run DHCLIENT to assign an IPv6 address to my Ethernet interface Ubuntu sends a completely different DUID for whatever reason, and this one is only 14 pairs long. So the router properly assigns the address using the address object and the shorter DUID. It appears the specifications for DUIDs indicate the DUID can be longer than 14 pairs.

So far the best I can figure out is a workaround to have the computer manually run DHCLIENT at boot time:

DHCPv6 not automatically assigning a "static" IPv6 address at boot
sudo dhclient -6 -v eth0 - Running this command after boot would do it, or per:
»askubuntu.com/questions/ ··· ery-boot
Add this same command to /etc/rc.local before the exit 0 statement
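
Added example (not from the thread): decoding a DHCPv6 DUID from the escaped default-duid line in dhclient6.leases into the colon-separated pairs a lease object expects, and checking it against the 14-pair field limit reported above. The lease line is constructed, and the escaping rule (three-digit octal for non-printable bytes, a backslash before a quote or backslash) is an assumption about dhclient's output. An 18-pair DUID has the length of a DUID-UUID (RFC 6355), though the thread does not show which type Ubuntu sent at boot.

```python
import re
from datetime import datetime, timedelta, timezone

DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # time base of DUID-LLT
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}
OCTAL = re.compile(r"[0-3][0-7]{2}")

# Constructed sample of a lease-file line (not taken from the thread).
SAMPLE_LEASE_LINE = r'default-duid "\000\001\000\001\034KR!\002\000^\020\2530";'


def unescape_dhclient(quoted: str) -> bytes:
    """Turn the escaped string between the quotes back into raw DUID bytes."""
    out = bytearray()
    i = 0
    while i < len(quoted):
        if quoted[i] != "\\":
            out.append(ord(quoted[i]))      # printable byte written literally
            i += 1
            continue
        octal = OCTAL.match(quoted, i + 1)
        if octal:
            out.append(int(octal.group(), 8))
            i += 4
        elif i + 1 < len(quoted):
            out.append(ord(quoted[i + 1]))  # escaped quote or backslash
            i += 2
        else:
            raise ValueError("value ends in a dangling backslash (truncated?)")
    return bytes(out)


def duid_from_lease_line(line: str) -> bytes:
    match = re.search(r'default-duid\s+"(.*)"\s*;', line)
    if not match:
        raise ValueError("no default-duid statement on this line")
    return unescape_dhclient(match.group(1))


def pairs(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_duid(raw: bytes) -> dict:
    """Split a DUID into its type and, where defined, its embedded fields."""
    if len(raw) < 3:
        raise ValueError("too short to be a DUID")
    kind = int.from_bytes(raw[:2], "big")
    info = {"type": DUID_TYPES.get(kind, f"unknown({kind})"),
            "pairs": len(raw), "hex": pairs(raw)}
    if kind == 1 and len(raw) > 8:      # type, hardware type, time, link-layer address
        info["created"] = DUID_EPOCH + timedelta(seconds=int.from_bytes(raw[4:8], "big"))
        info["link_layer"] = pairs(raw[8:])
    elif kind == 3 and len(raw) > 4:    # type, hardware type, link-layer address
        info["link_layer"] = pairs(raw[4:])
    elif kind == 4 and len(raw) == 18:  # type plus a 128-bit UUID
        info["uuid"] = raw[2:].hex()
    return info


def fits_field(raw: bytes, max_pairs: int = 14) -> bool:
    """True if the whole DUID fits a field limited to max_pairs byte pairs."""
    return len(raw) <= max_pairs


if __name__ == "__main__":
    duid = duid_from_lease_line(SAMPLE_LEASE_LINE)
    print(decode_duid(duid), fits_field(duid))
```

The value to enter in a lease object is the full `hex` string; `link_layer` is only the trailing part of it.
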
JPedroT
Premium Member
join:2005-02-18

1 edit

1 recommendation

JPedroT to Gork

Premium Member

to Gork
said by Gork:

Since I get a /64 from the ISP and don't subnet it further I should use 0:0:0:0::30 for a single address. When I do that Win8.1 tells me the parameter is incorrect and it gets no IPv6 address assigned.

If the ZyWALL supports the same stuff as the VMG, then it should be 0:0:0::30 and assuming I have understood this correctly.