  1. #1
    RvD
    Newbie
    Join Date
    Apr 2016
    Posts
    5

    IPv6 'passthrough'

    Hello,

    I have been using Untangle for several years now and it has always worked fine for me.

    I have the following configuration:

    Internet <--> Cable modem/router (LAN 192.168.2.1) <--> Untangle (WAN 192.168.2.10, LAN 192.168.1.1) <--> Switches, AP, computers all in 192.168.1.0/24.

    So, both the Cable modem/router and Untangle are routers.
    Untangle is in the DMZ of the Cable Modem and everything is fine, including OpenVPN on Untangle and everything.

    Now, my provider has introduced IPv6. I can choose between DHCPv6 and SLAAC.
    Untangle doesn't have an IPv6 DHCP client (nor server, I believe), so I have set up the Cable modem/router in SLAAC mode. That works fine: Untangle selects an IPv6 for the WAN interface and from Untangle I can ping the IPv6 internet just fine.

    However, I would also like for my computers to receive an IPv6-address as well. On the LAN IPv6 settings of Untangle, there's only an option for a static IPv6 address. But I cannot be sure what I need to enter there. It should just get one through SLAAC as well? All IPv6 addresses are publicly routable, so no NATv6 should be used.
    Is it possible to allow Untangle to pass-through the SLAAC (router information packets) from the cable modem/router? Or is there another way to get this all to work?
    Or is this even supported? Is it possible to get IPv6 working behind an Untangle router at all?
    When I connect a computer directly to the Cable modem/router, it gets both an IPv4 and IPv6 address just fine, whether I put the Cable modem/router in DHCPv6 or SLAAC mode.

    Thanks for any help and pointers you can give me.
    IPv6 is relatively new to me and although I have read some white papers on it, it is possible I have some facts wrong :-)

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    SLAAC and DHCPv6 are not alternatives nor exclusive. SLAAC is for link-local addresses, DHCPv6 is for public addresses.
    For me I use DHCPv6 (manually) to get my prefix, and then assign it statically to the internal interfaces as desired, and use SLAAC on external.

    Passing through SLAAC doesn't make sense; putting a link-local address on your internal network would accomplish nothing - they need public addresses.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    RvD
    Newbie
    Join Date
    Apr 2016
    Posts
    5

    Thanks for your reply.

    Then perhaps I don't quite understand what you mean.
    According to me, this is SLAAC:
    "Stateless autoconfiguration or SLAAC is that second method in which the host or router interface is assigned a 64-bit prefix, and then the last 64 bits of its address are derived by the host or router with help of EUI-64 process."

    This cannot be used at the same time as DHCPv6, since that is stateful.
    In that case, the cable modem/router assigns (and keeps track of) IPv6 addresses.
    In the case of SLAAC, the router advertises the first part of the IPv6 address, the address of the router and DNS servers and then the clients can 'make up' their own IPv6 address, starting with the (/64) prefix offered by the router. Since all IPv6 addresses are publicly routable (except for the link-local address), it makes sense to get a public IPv6 through SLAAC on the internal interface as well. It won't be strictly needed of course.

    But anyway, the real question then remains: how do I get my computers behind Untangle to pick up on the /64-prefix the cable modem/router advertises? It works fine when connected directly to the cable modem/router (obviously). When I use SLAAC, Windows shows an autoconfigured IPv6 address; when I choose the DHCPv6-server instead, Windows shows the IPv6-DHCP server information and gets an address from that.

    But it seems there is some mix-up of terms somewhere?
    SLAAC assigns a public IPv6 address to my Untangle box just fine, it can ping the IPv6 internet? So SLAAC not only assigns internal addresses? And Untangle doesn't yet have an IPv6 Client for the WAN interface?
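
Added example (not part of the thread, and not Untangle code): the EUI-64 derivation quoted in the post above, showing that one interface identifier is combined with `fe80::/64` for the link-local address and with the router-advertised /64 for the global address. The MAC address and the `2001:db8:1:2::/64` documentation prefix are constructed sample values, and the function names are hypothetical; `mac_from_address` is the audit-side check for whether an address exposes the host's MAC to remote services.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, Appendix A): insert ff:fe, invert the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # universal/local bit
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (from a Router Advertisement, or fe80::/64) with the IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_address(addr: str):
    """Return the MAC embedded in an EUI-64 address, or None if the IID is not EUI-64
    (for example a temporary or stable-opaque identifier)."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    SAMPLE_MAC = "00:11:22:33:44:55"        # constructed sample value
    ADVERTISED = "2001:db8:1:2::/64"        # documentation prefix, stands in for the ISP's /64

    print("link-local:", slaac_address("fe80::/64", SAMPLE_MAC))
    print("global:    ", slaac_address(ADVERTISED, SAMPLE_MAC))
    # The global address carries the MAC, so remote services can tell hosts apart.
    print("recovered: ", mac_from_address(str(slaac_address(ADVERTISED, SAMPLE_MAC))))
    # An address with a randomized identifier (constructed) does not.
    print("randomized:", mac_from_address("2001:db8:1:2:a4c1:9e07:5b3d:77f2"))
```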

  4. #4
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    I've never heard of ISPs getting/offering public prefixes with SLAAC.

    If your ISP does that (which I guess there is no reason it couldn't since hosts do the same thing locally) I suppose you could do the prefix delegation to your internal interface manually based on the address you get.

  5. #5
    RvD
    Newbie
    Join Date
    Apr 2016
    Posts
    5

    Thanks, yes, my ISP does provide public IPv6 addresses through SLAAC.

    I have set up an IPv6 address on the LAN interface and that causes my computer to also get an IPv6-address in the correct range.
    However, no IPv6 DNS-servers are propagated and neither is the IPv6 default gateway. So, I can ping the LAN IPv6 address of Untangle now just fine, but I cannot access the IPv6 internet. Any ideas where I might configure this in Untangle? Or should I set up IPv6 on each computer manually (static) as well?

    *Edit: manually specifying an IPv6 address and setting the gateway and DNS to the LAN IPv6-address of Untangle does not work. Untangle DNS doesn't seem to be listening on IPv6 and Untangle also doesn't route. Setting the default gateway to my cable modem also doesn't work.
    Last edited by RvD; 12-20-2018 at 05:01 PM.

  6. #6
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    Quote, originally posted by RvD:
    > Thanks, yes, my ISP does provide public IPv6 addresses through SLAAC.
    >
    > I have set up an IPv6 address on the LAN interface and that causes my computer to also get an IPv6-address in the correct range.
    > However, no IPv6 DNS-servers are propagated and neither is the IPv6 default gateway. So, I can ping the LAN IPv6 address of Untangle now just fine, but I cannot access the IPv6 internet. Any ideas where I might configure this in Untangle? Or should I set up IPv6 on each computer manually (static) as well?

    Who is your ISP?

    Can you ping Untangle's default gateway? Can Untangle ping Untangle's default gateway? What is Untangle's default gateway? What is Untangle external IP? What is Untangle's internal intf IP?

  7. #7
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,810

    What I'd really love to be able to do (and maybe I already can) is set up IPv6 "Port forward rules". I have static IPv6 addresses from my ISP I don't use. I'd like to be able to set a port forward rule to direct that traffic to a server's internal IPv4 address, without changing anything at all on the server, where the server might even have IPv6 disabled.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 15.1.0 to protect 500Mbits for ~450 residential college students and associated staff and faculty

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,541

    Quote, originally posted by jcoehoorn:
    > What I'd really love to be able to do (and maybe I already can) is set up IPv6 "Port forward rules". I have static IPv6 addresses from my ISP I don't use. I'd like to be able to set a port forward rule to direct that traffic to a server's internal IPv4 address, without changing anything at all on the server, where the server might even have IPv6 disabled.

    You do realize that the entire point of v6 is to do away with NAT, right? You're supposed to slap the v6 address on the equipment in question, and then use the firewall to control what gets to it when and how...
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #9
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,810

    Quote, originally posted by sky-knight:
    > You do realize that the entire point of v6 is to do away with NAT right?

    Yes, I do. But that's not where I'm at right now. I actually kind of like one layer of NAT on my network, where allow all outbound and deny all inbound is the default state of things, without needing any rules at all to make it so. Where I can look at logs on the internal interface and see everything going to a specific server based on a single address I can recognize. Where a device on my internal network only has one address, and therefore only counts for one license.

  10. #10
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    Quote, originally posted by jcoehoorn:
    > Yes, I do. But that's not where I'm at right now. I actually kind of like one layer of NAT on my network, where allow all outbound and deny all inbound is the default state of things, without needing any rules at all to make it so. Where I can look at logs on the internal interface and see everything going to a specific server based on a single address I can recognize. Where a device on my internal network only has one address, and therefore only counts for one license.

    What you're talking about is a 6-to-4 tunnel kind of functionality, not a "port forward". It's just semantics though - I get what you're saying and yes that makes sense.

    With IPv6 you will need to just create a policy to block all inbound, and allow all outbound sessions. In the real world I suspect we will see this as the default deployment configuration because the world is comfortable with it now. That's basically the same as NAT policy gives you implicitly, except you lose some "privacy" because external services actually get more information about the distinct hosts on your network.
    In this case instead of creating a port forward - you would punch a hole in your ingress filter.
