  #1  Untangler (Join Date: Apr 2009; Posts: 60)

    How to completely block IPv6

    Hi, I have had an ongoing problem with Untangle for a long time. I have researched in the past and have moved on for lack of time and interest, and now I am revisiting it again. I still can't find anything in the forums to answer my questions.

    My question is how to completely disable or block IPv6 in Untangle? The Untangle boxes are in router mode. I have IPv6 disabled on the interfaces. Yet, my computers still pick up IPv6 DNS servers from my ISP. This ends up causing me problems periodically because they are unresponsive. And Windows always prefers IPv6 DNS over IPv4 DNS servers.

    I have had this issue in multiple locations, and on several versions of Untangle. I'm running 13 now.

    Disabling IPv6 on the ISP provided equipment is not an option - specifically, Comcast doesn't provide any way to completely disable IPv6.

    This has to be something to do with IPv6 and how it is able to auto-configure itself, but it is foreign to me. I just can't believe my hosts are still able to pick up ISP provided DNS servers via whatever auto-configuration mechanism is built into IPv6 even sitting behind an Untangle box. It really kind of ticks me off, especially since companies like Comcast force it down your throat.

    Anybody know how to stop or block this behavior with Untangle? And, for my own curiosity and education, WHY or HOW this happens? Even a link to the relevant information would be much appreciated! Thanks.

  #2  sky-knight, Untangle Ninja (Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,228)

    If v6 is disabled, it doesn't pass. I'd be trying to figure out how you're getting v6 DNS addresses on your clients, because I've never seen that on any of my networks. Untangle in router mode pulls whatever DHCP hands it, and then passes out via DHCP the DNS IP addresses of the appropriate DNS servers. Your ISP doesn't control this process, your DHCP server responsible for your LAN does. If you were using v6, you'd be using advertisements to do this instead, and again Untangle doesn't do that.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  #3  Untangler (Join Date: Apr 2009; Posts: 60)

    Thanks for the reply. I've done quite a bit of research on this in the past, but it's been months or years now since the last time I seriously dug into it. I assure you, my system picks up IPv6 addresses that are confirmed to be the IPv6 DNS servers of my ISPs and nothing else on my network is handing that out, except for the ISP's modem on the other side of the Untangle. Mind you, this happens in more than one location and even with different ISPs.

    I thought there was a mechanism built into IPv6 that allowed it to "peek" beyond the gateway (Untangle) and see upstream information from other routers. This is what I'm assuming it is getting its info from. I also seem to remember something about the Teredo tunnel adapter doing something fancy with this when IPv6 has been blocked on the network. The Teredo adapter is present on the host I am currently sitting at and having trouble with. Matter of fact, based on the IPCONFIG output below, it looks like the Teredo interface picked up a public IPv6 address.

    I don't have a problem figuring this out and troubleshooting, but it sure seems like this has to be something obvious, and I strongly suspect it is built into some IPv6 thing I'm not familiar with, most likely revolving around the Teredo tunnel.

    Anyways, thanks for your help. I'll keep playing with it and post anything I find. I just need this to be a universal fix, not something where I have to go in and tweak a bunch of Windows machines from non-standard configs like disabling IPv6, or whatever.

    Sample IPCONFIG /ALL even after rebooting and trying release / renew:
    Windows IP Configuration

    Host Name . . . . . . . . . . . . : ****
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : ***.local

    Ethernet adapter vEthernet (External):

    Connection-specific DNS Suffix . : ***.local
    Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
    Physical Address. . . . . . . . . : 70-4D-7B-86-74-AD
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::c54e:7895:533a:5a86%5(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.1.30(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Sunday, August 13, 2017 11:03:01 PM
    Lease Expires . . . . . . . . . . : Monday, August 14, 2017 11:03:01 PM
    Default Gateway . . . . . . . . . : 192.168.1.1
    DHCP Server . . . . . . . . . . . : 192.168.1.1
    DHCPv6 IAID . . . . . . . . . . . : 259018107
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-0A-DB-AA-70-4D-7B-86-74-AD
    DNS Servers . . . . . . . . . . . : 2602:306:3bd2:1b60::1
    192.168.1.1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:2410:1f38:9c42:de49(Preferred)
    Link-local IPv6 Address . . . . . : fe80::2410:1f38:9c42:de49%2(Preferred)
    Default Gateway . . . . . . . . . : ::
    DHCPv6 IAID . . . . . . . . . . . : 134217728
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-0A-DB-AA-70-4D-7B-86-74-AD
    NetBIOS over Tcpip. . . . . . . . : Disabled

  #4  sky-knight, Untangle Ninja (Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,228)

    If you want to block Teredo, get into your firewall and make a rule that blocks anything destined to UDP 3544.

    There is no magic with v6, it's just another protocol. It's either there, or it isn't. And that tunneling interface doesn't do anything without being told to do so. Just like that v6 address in your DNS field didn't just show up, something put it there.

    Honestly, I'm curious as to how this is happening too, because again I've never seen this. Unless I turn on v6 functionality on my AD servers, all I get is v4 addresses on everything. With server 2012/2016 there are times when the servers will use v6 addresses internally, but never externally.
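
    The rule in the reply above targets Teredo's UDP service port. The 2001:0:... address that appeared on the "Teredo Tunneling Pseudo-Interface" in post #3 also says where that tunnel goes, because a Teredo address (RFC 4380) embeds the Teredo server's IPv4 address and the client's NAT-mapped IPv4 address and port. The Python below is an added example, not code from this thread, from Untangle or from Microsoft; it recognises and decodes Teredo addresses and sorts a host's IPv6 addresses the way ipconfig lists them. All values in it are constructed from RFC 5737 documentation ranges, not taken from the poster's output.

```python
import ipaddress

# Teredo (RFC 4380) tunnels IPv6 over UDP/3544 and gives the client a global
# IPv6 address under 2001:0::/32 whose bits encode the tunnel's own endpoints:
#   bits  0-31   prefix 2001:0000
#   bits 32-63   IPv4 address of the Teredo server
#   bits 64-79   flags (0x8000 = client believes it is behind a cone NAT)
#   bits 80-95   client's external UDP port, XOR 0xFFFF
#   bits 96-127  client's external IPv4 address, XOR 0xFFFFFFFF
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
TEREDO_UDP_PORT = 3544  # the port the firewall rule in this thread blocks


def is_teredo(addr: str) -> bool:
    """True if `addr` falls in the Teredo prefix."""
    return ipaddress.IPv6Address(addr) in TEREDO_PREFIX


def decode_teredo(addr: str) -> dict:
    """Recover server, flags and the client's mapped IPv4:port from a Teredo address."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    b = a.packed  # 16 bytes, network order
    flags = int.from_bytes(b[8:10], "big")
    return {
        "server": str(ipaddress.IPv4Address(b[4:8])),
        "cone_nat": bool(flags & 0x8000),
        "client_port": int.from_bytes(b[10:12], "big") ^ 0xFFFF,
        "client_ip": str(ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))),
    }


def encode_teredo(server: str, client_ip: str, client_port: int, cone_nat: bool = False) -> str:
    """Inverse of decode_teredo; used here only to build a constructed sample."""
    packed = (
        TEREDO_PREFIX.network_address.packed[:4]
        + ipaddress.IPv4Address(server).packed
        + (0x8000 if cone_nat else 0).to_bytes(2, "big")
        + (client_port ^ 0xFFFF).to_bytes(2, "big")
        + bytes(x ^ 0xFF for x in ipaddress.IPv4Address(client_ip).packed)
    )
    return str(ipaddress.IPv6Address(packed))


def classify(addrs) -> dict:
    """Sort a host's IPv6 addresses (as ipconfig lists them) into link-local,
    Teredo and other global addresses. A Teredo entry with no native global
    address means the host reaches IPv6 only through the tunnel."""
    out = {"link_local": [], "teredo": [], "global": []}
    for s in addrs:
        a = ipaddress.IPv6Address(s.split("%")[0])  # drop the Windows zone id (%5)
        if a.is_link_local:
            out["link_local"].append(str(a))
        elif a in TEREDO_PREFIX:
            out["teredo"].append(str(a))
        else:
            out["global"].append(str(a))
    return out


# Constructed sample (RFC 5737 documentation IPv4 addresses, made-up link-local):
# Teredo server 192.0.2.1, client mapped to 198.51.100.7:40000.
SAMPLE_TEREDO = encode_teredo("192.0.2.1", "198.51.100.7", 40000)
SAMPLE_HOST_ADDRS = ["fe80::1%5", SAMPLE_TEREDO]

if __name__ == "__main__":
    print(SAMPLE_TEREDO, decode_teredo(SAMPLE_TEREDO))
    print(classify(SAMPLE_HOST_ADDRS))
```

    Decoding shows which Teredo server a host registered with, which is what a UDP/3544 rule has to cover. Note that `ipconfig /release` and `/renew` act on DHCP leases and do not re-run Teredo qualification, so they are not a test of such a rule; `netsh interface teredo show state` reports the tunnel's actual state on the Windows host.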

  #5  Untangler (Join Date: Apr 2009; Posts: 60)

    Thanks for the help. I did block traffic destined to UDP port 3544 just now. I'm not sure if this is a good test, but I released and renewed my IP and I received the same results. Still a valid Teredo IPv6 Address and still an IPv6 DNS server listed on my primary interface.

    I'll keep plugging away at this. I'm able to disable IPv6 on this particular internet connection so that will help me to troubleshoot. I disabled it, and it didn't make a difference. So, I suspect the addresses might be stuck in the network interface config somehow. It's not the behavior I have always seen though, I have seen a host that has never been connected to the network before pick up the ISP's IPv6 DNS servers behind an Untangle box.

    I'm not even sure if it has anything to do with Untangle, but it's where I have noticed it. It's just time to buckle down and really solve it.

  #6  sky-knight, Untangle Ninja (Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,228)

    You have to have something on your network doing an advertisement to push that configuration out. Untangle doesn't do that by default, though I suppose if you were to hack it you could get dnsmasq to pass something.

    Time to get out the packet sniffer!
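
    The "advertisement" the reply above refers to is an ICMPv6 Router Advertisement (type 134, RFC 4861). Two things in an RA can put an IPv6 DNS server on a host even when the host has no global IPv6 address: an RDNSS option (type 25, RFC 8106) that lists servers directly, and the M or O flags that tell the host to ask DHCPv6 for its configuration. The packet sniffer step comes down to finding RAs that carry either and reading the source MAC option to see which device sent them. The Python parser below is an added example, not code from this thread or from Untangle; it decodes a constructed RA built with the 2001:db8::/32 documentation prefix and a made-up MAC, rather than a capture from the poster's network. A real capture would be fed in from a pcap or a raw socket; the parsing is the same.

```python
import ipaddress
import struct

# ICMPv6 Router Advertisement (RFC 4861) and the options that can hand a host
# its IPv6 DNS configuration (RDNSS / DNSSL, RFC 8106).
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25
OPT_DNSSL = 31


def parse_ra(payload: bytes) -> dict:
    """Decode the ICMPv6 payload of a Router Advertisement into a dict.

    `payload` starts at the ICMPv6 type byte (IPv6 header already stripped).
    The checksum is not verified here because that needs the IPv6
    pseudo-header; capture tools normally do it already.
    """
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    _hop_limit, flags, router_lifetime, _reachable, _retrans = struct.unpack(
        "!BBHII", payload[4:16])
    ra = {
        "managed_dhcpv6": bool(flags & 0x80),  # M: addresses come from DHCPv6
        "other_dhcpv6": bool(flags & 0x40),    # O: DNS and the like come from DHCPv6
        "router_lifetime": router_lifetime,    # 0 means "not a default router"
        "source_mac": None,
        "prefixes": [],
        "rdnss": [],
        "dnssl": [],
    }
    pos = 16
    while pos + 2 <= len(payload):
        otype, olen = payload[pos], payload[pos + 1] * 8  # length is in 8-octet units
        if olen == 0:
            raise ValueError("zero-length option (RFC 4861 says discard the packet)")
        body = payload[pos + 2:pos + olen]
        if len(body) != olen - 2:
            raise ValueError("truncated option")
        if otype == OPT_SOURCE_LLADDR and olen == 8:
            # Which router sent this: the MAC to look for on the switch.
            ra["source_mac"] = body[:6].hex("-")
        elif otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags, valid, _preferred = struct.unpack("!BBII", body[:10])
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "slaac": bool(pflags & 0x40),  # A flag
                                   "valid_lifetime": valid})
        elif otype == OPT_RDNSS and olen >= 24:
            lifetime = struct.unpack("!I", body[2:6])[0]
            addrs = body[6:]
            for i in range(0, len(addrs) - len(addrs) % 16, 16):
                ra["rdnss"].append({"server": str(ipaddress.IPv6Address(addrs[i:i + 16])),
                                    "lifetime": lifetime})
        elif otype == OPT_DNSSL and olen >= 16:
            names, i, labels = body[6:], 0, []
            while i < len(names):  # DNS wire-format names, zero padded
                n = names[i]
                i += 1
                if n == 0:  # end of a name, or trailing padding
                    if labels:
                        ra["dnssl"].append(".".join(labels))
                        labels = []
                    continue
                labels.append(names[i:i + n].decode("ascii"))
                i += n
        pos += olen
    return ra


def configures_dns(ra: dict) -> bool:
    """True if a host processing this RA may learn IPv6 DNS servers from it,
    directly (RDNSS) or by being sent to DHCPv6 (M or O flag)."""
    return bool(ra["rdnss"]) or ra["managed_dhcpv6"] or ra["other_dhcpv6"]


def _opt(otype: int, body: bytes) -> bytes:
    """Build one TLV option, zero-padded to a multiple of 8 octets."""
    body += b"\x00" * ((-(2 + len(body))) % 8)
    return bytes([otype, (2 + len(body)) // 8]) + body


# Constructed sample RA (documentation prefix 2001:db8::/32, made-up MAC):
# O flag set, one /64 prefix for SLAAC, one RDNSS server, one DNSSL suffix.
SAMPLE_RA = (
    struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0x40, 1800, 0, 0)
    + _opt(OPT_SOURCE_LLADDR, bytes.fromhex("025e0c000001"))
    + _opt(OPT_PREFIX_INFO, struct.pack("!BBII", 64, 0xC0, 86400, 14400) + b"\x00" * 4
           + ipaddress.IPv6Address("2001:db8:1::").packed)
    + _opt(OPT_RDNSS, b"\x00\x00" + struct.pack("!I", 3600)
           + ipaddress.IPv6Address("2001:db8:53::1").packed)
    + _opt(OPT_DNSSL, b"\x00\x00" + struct.pack("!I", 3600) + b"\x07example\x03com\x00")
)

if __name__ == "__main__":
    ra = parse_ra(SAMPLE_RA)
    print(f"RA from {ra['source_mac']}: prefixes={ra['prefixes']}")
    print(f"RDNSS={ra['rdnss']} DNSSL={ra['dnssl']} configures_dns={configures_dns(ra)}")
```

    On a LAN where nothing is meant to advertise IPv6, any RA for which `configures_dns` returns True is the device to track down; its `source_mac` is the lead. An RA with the O flag set and no RDNSS option is still relevant, because the host will then broadcast a DHCPv6 Solicit and take DNS servers from whatever answers.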
