  1. #1 Untangler (Join Date: Jun 2018; Location: Pacific Northwest; Posts: 52)

    IPv6 Troubleshooting help

    Hi everyone,
    I'm having a spot of trouble trying to get IPv6 working. Yesterday, I replaced our cable modem with a Netgear CM1100 (DOCSIS 3.1, supports IPv6), with Comcast as our ISP. After a wonderful 15 minute conversation with their Robot Phone guardian, the kind representative got everything activated and working (or so I thought).

    Topology:
    CM1100 (gateway) --> External interface (Untangle v14.1.1) --> Internal interface --> Netgear GC728X switch

    The external interface is pulling a Class A IPv4 address from the CM1100 (73.x.x.x/23), but the status for the IPv6 address is completely greyed out. I verified that IPv6 configuration is set to Auto (SLAAC/RA) for the external interface. Are there any other steps I'm missing?

    Thanks in advance,
    Ben

  2. #2 Untangler

    Update: Disconnected Untangle and plugged my laptop (Windows 10, MSFT insider latest build) directly into the CM1100 (using the same port), and power-cycled the CM1100. Laptop pulled an IPv6 address (2001::x) along with a class A IPv4 address.

    Edit: From the Comcast forum, I'm told they use DHCPv6/Native IPv6/Stateless/PD/RA, and also require ICMPv6 be allowed. Since Untangle supports SLAAC/RA, shouldn't it work?

    Thought:
    Could I take the IPv6 address the laptop pulled, and use that as a static address on the external interface?
    Last edited by Synical; 03-08-2019 at 02:27 PM. Reason: Additional info on Comcast IPv6
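
    The ICMPv6 requirement quoted from the Comcast forum is the usual sticking point when a stateful firewall sits on the external interface: Neighbor Discovery and DHCPv6 replies do not look like "answers to requested traffic" to a connection tracker. As an added example (not Untangle's rule set and not code from the thread), the script below shows the minimum a plain Linux router's ip6tables policy has to admit on the WAN side for SLAAC/RA, DHCPv6 and path-MTU discovery to work, next to the "drop unsolicited inbound, allow LAN out" baseline. The interface names eth0/eth1 and the DRY_RUN switch are assumptions; by default it only prints the commands.

```shell
#!/bin/sh
# Added example (not Untangle's rule set): the minimum an IPv6 firewall on a
# plain Linux router must admit on the WAN side for SLAAC/RA, DHCPv6 and
# PMTUD to work, plus the baseline "drop unsolicited inbound, allow LAN out".
# Interface names and the DRY_RUN switch are assumptions for this example.
WAN="${WAN:-eth0}"          # external interface, learns its address from the ISP
LAN="${LAN:-eth1}"          # internal interface
DRY_RUN="${DRY_RUN:-1}"     # 1 = print the commands, 0 = apply them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Baseline: nothing unsolicited reaches the router or the LAN from the WAN;
# replies to traffic the router or LAN hosts started are allowed back in.
ipv6_base_rules() {
    run ip6tables -P INPUT DROP
    run ip6tables -P FORWARD DROP
    run ip6tables -P OUTPUT ACCEPT
    run ip6tables -A INPUT -i lo -j ACCEPT
    run ip6tables -A INPUT -i "$LAN" -j ACCEPT
    run ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run ip6tables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
}

# ICMPv6 is not optional: Neighbor Discovery (types 133-136) is how the WAN
# interface learns its prefix and next hop, and Packet Too Big (type 2) is
# how path-MTU discovery works. Dropping these is the classic "IPv6 almost
# works" failure.
ipv6_icmp_rules() {
    # 1 dest-unreach, 2 packet-too-big, 3 time-exceeded, 4 parameter-problem,
    # 128/129 echo request/reply, 133 RS, 134 RA, 135 NS, 136 NA
    for t in 1 2 3 4 128 129 133 134 135 136; do
        run ip6tables -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done
    # Forwarded LAN flows need the error messages and PMTUD too.
    for t in 1 2 3 4 128 129; do
        run ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done
}

# DHCPv6 replies come unicast from the server's link-local address to client
# port 546; the client's Solicit went to multicast ff02::1:2, so conntrack
# does not pair the two and an explicit rule is needed.
ipv6_dhcpv6_client_rules() {
    run ip6tables -A INPUT -i "$WAN" -p udp -s fe80::/10 --sport 547 --dport 546 -j ACCEPT
}

ipv6_base_rules
ipv6_icmp_rules
ipv6_dhcpv6_client_rules
```

    Run it as-is to review the rules, then with DRY_RUN=0 as root to apply them on a generic Linux router. Untangle generates its own iptables rules from its configuration, so on that appliance the point is to express this policy in its rule editor rather than to run the script on the box.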

  3. #3 Untangler

    Found the [NGFW-5946] bug (jira.untangle.com/projects/NGFW/issues/NGFW-5946?filter=allopenissues) while I was digging around. When I SSH'd in and did an ifconfig for the external interface, it's showing a link local (fe80::x) address. When I run the test-ipv6.com though, it still shows I have no IPv6 address.

    I also tried disconnecting Untangle and cloning the MAC address for the internal interface with the laptop. I used that public address (2001:558::x) to try what @dmorris mentions in this thread (forums.untangle.com/networking/41378-ipv6-passthrough.html), to no avail. Specifically, I stuck with the link local address on the external, used the public IP obtained from the laptop with the cloned MAC on the internal, with no luck. I verified my desktop pulled an IPv6 address with the same prefix, but still failed the test-ipv6.com test.

    Anyone else got an idea I could try?

  4. #4 Untangler

    Update 2: So, I've continued looking around and reading whatever I can find on various forums. It looks as though Untangle is IPv6 "aware," but has some issues. This reply has some of what I've found - it's not any sort of criticism, more for organizing things so I can find them easier in the future.

    * The link local (fe80::4822) address I mentioned in my initial post probably came from dhclient, which requests dhcp6.name-servers, domain-search, fqdn, and sntp-servers (/etc/dhcp/dhclient.conf).

    * Untangle uses radvd for IPv6 router advertisements. In my distro (14.1.1) the radvd version is 2.15, and the radvd.conf file is blank. Version 2.15 released in September of 2016, before IETF finally ratified IPv6 in July of 2017 (it had been a draft spec since 1998).

    * Packet forwarding for IPv6 appears to be disabled (to allow SLAAC?) in sysctl.conf (commented out).

    * Untangle appears to auto-generate dnsmasq.conf, so I'm assuming the only way to change it is through the console (Config -> Advanced -> DNS and DHCP). It lists interfaces for 'DNS' and 'eth1' only. The dnsmasq version is 2.76 (current version is 2.80) - version 2.77 adds --bogus-priv for IPv6, while version 2.78 addresses several DNS, IPv6, and DHCPv6 security errors (CVE-2017-14491 through CVE-2017-14496). I haven't had a chance to run a scan for the DNS heap overflow or DoS vulnerabilities outlined in those CVEs to see if they made it into the 14.1.1 distro.

    * One blog I saw opines that dnsmasq handles IPv6 better than radvd, but he used an additional package (wide-dhcpv6-client) to obtain IPv6 address and subnet information from his provider (hveem.no/using-dnsmasq-for-dhcpv6). That guide also requires dnsmasq version of at least 2.77, since the --bogus-priv switch is used. I also like how he suggests some minimum IPv6 firewall settings (block all WAN IPv6 traffic except answers for requested traffic, allow LAN clients access to WAN).

    * I've made no changes via CLI - don't want to risk "breaking" something until I've got a better handle on it.

    I'm going to reach out to Comcast to see if they'll tell me what my prefix delegation is - I'm assuming it will be a /64, is anyone familiar with Comcast that could confirm/deny that? Hopefully that will help if I get around to working on any sort of fix in my lab. The stuff we get done during the football offseason......
    Last edited by Synical; 03-10-2019 at 01:33 PM. Reason: Updated to add dnsmasq info
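
    The findings above (only a link-local address on the external interface, IPv6 forwarding disabled, radvd unconfigured) are exactly what a quick state check should surface, and they hide one Linux rule that trips people up when they do turn forwarding on: the kernel ignores router advertisements on an interface with forwarding=1 unless that interface's accept_ra is set to 2. Note also that an fe80:: address is generated by the kernel itself and says nothing about whether SLAAC or dhclient succeeded. As an added example, not part of the post and not Untangle's code, the shell functions below classify the addresses that `ip -6 addr` reports, test whether the WAN interface ever obtained a global address, and give a verdict on the forwarding/accept_ra pair. The interface name and the sample `ip -6 addr` output are constructed for the example.

```shell
#!/bin/sh
# Added example (not Untangle's code): state checks for the three things a
# Linux router needs before SLAAC on the WAN side can work. The interface
# name and the sample `ip -6 addr` output are constructed for illustration.

# Scope of an IPv6 address from its prefix (RFC 4291 / RFC 4193). Expects the
# lowercase form that `ip` prints.
ipv6_scope() {
    case "$1" in
        ::1)          echo loopback ;;
        fe[89ab]?:*)  echo link-local ;;    # fe80::/10, assigned by the kernel, no DHCP involved
        f[cd]??:*)    echo unique-local ;;  # fc00::/7, e.g. the fd9e:: range used on the LAN
        [23]*)        echo global ;;        # 2000::/3, what the WAN interface must obtain
        *)            echo other ;;
    esac
}

# Reads `ip -6 addr show dev <if>` output on stdin; succeeds only if the
# interface holds a global-scope address. A link-local address alone means
# SLAAC/DHCPv6 never completed.
has_global_addr() {
    awk '$1 == "inet6" { split($2, a, "/"); if (a[1] ~ /^[23]/) found = 1 }
         END { exit found ? 0 : 1 }'
}

# The quirk behind "forwarding is disabled (to allow SLAAC?)": once
# net.ipv6.conf.<if>.forwarding=1 the kernel ignores RAs on that interface
# unless net.ipv6.conf.<if>.accept_ra=2.  $1 = forwarding, $2 = accept_ra.
ra_verdict() {
    case "$1:$2" in
        *:0)    echo "no-slaac: accept_ra=0, router advertisements are dropped" ;;
        0:[12]) echo "host-only: RAs accepted, but forwarding=0 so the LAN is not routed" ;;
        1:2)    echo "router-ok: forwarding=1 and accept_ra=2, RAs still honoured" ;;
        1:1)    echo "router-broken: forwarding=1 with accept_ra=1, RAs silently ignored" ;;
        *)      echo "unknown: forwarding=$1 accept_ra=$2" ;;
    esac
}

# Constructed sample mirroring the thread: only a link-local address on the WAN.
WAN_ADDR_SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fe80::4822/64 scope link
       valid_lft forever preferred_lft forever'

if printf '%s\n' "$WAN_ADDR_SAMPLE" | has_global_addr; then
    echo "WAN: global address present"
else
    echo "WAN: link-local only, SLAAC/DHCPv6 did not complete"
fi
echo "RA: $(ra_verdict 0 1)"

# On a live box, replace the sample with the real state:
#   ip -6 addr show dev eth0 | has_global_addr
#   ra_verdict "$(sysctl -n net.ipv6.conf.eth0.forwarding)" \
#              "$(sysctl -n net.ipv6.conf.eth0.accept_ra)"
```

    The practical consequence for a router: uncomment forwarding in sysctl.conf and, on the external interface only, set accept_ra=2 at the same time; otherwise the WAN address that was coming in via RA disappears at the next lease and the symptom looks like the one in this thread.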

  5. #5 Untangler

    Quote Originally Posted by Synical:
        I'm going to reach out to Comcast to see if they'll tell me what my prefix delegation is - I'm assuming it will be a /64, is anyone familiar with Comcast that could confirm/deny that? Hopefully that will help if I get around to working on any sort of fix in my lab. The stuff we get done during the football offseason......
    After a couple days of dealing with phone support (worse than useless, and don't get me started on their stupid robot support guardian!), I finally got in touch with someone via online chat yesterday evening. They elevated it to someone on their "Advanced Technical Resolution Team" who understood what I was asking for. All he could see on his end though, was that the modem is pulling a single dynamic IPv6 address. That actually makes more sense to me than a /64 PD - most businesses won't need 2^64 addresses, let alone a consumer account like ours.

    One interesting note from my mucking around: with only a link local address on the external interface and a private local range on the internal (fd9e:x:x:x::/64), a ping -6 to www.google.com from eth1 (internal) actually resolved the IPv6 address (of course the ping failed, but I digress).

    Apologies for not editing the above post, but apparently there's a time limit or number of edits allowed.
