Emerging Member
Posts: 82
Registered: ‎07-18-2016
Kudos: 33
Solutions: 3

Re: Comcast IPv6 issues when hwnat enabled on ER-X


2.0 beta1 is out boys get to testing!

 

edit: new hwnat does not appear to support ipv6 so don't get excited when it works :(

New Member
Posts: 2
Registered: ‎11-08-2018

Re: Comcast IPv6 issues when hwnat enabled on ER-X

When I follow https://community.ubnt.com/t5/EdgeRouter/IPv6-Newbie/m-p/1397506/highlight/true#M85411 IPv6 works great; however, as soon as I add some port-forwarding rules IPv6 stops working.

 

Where can we download the 2.0 beta?

 

Established Member
Posts: 1,843
Registered: ‎03-02-2016
Kudos: 447
Solutions: 142

Re: Comcast IPv6 issues when hwnat enabled on ER-X

 

@jlim0930 wrote:

When I follow https://community.ubnt.com/t5/EdgeRouter/IPv6-Newbie/m-p/1397506/highlight/true#M85411 IPv6 works great; however, as soon as I add some port-forwarding rules IPv6 stops working.

 

Where can we download the 2.0 beta?

 


You have to go to your profile settings first and check the box to enable beta access. Then you can go to the beta forum.

New Member
Posts: 2
Registered: ‎11-08-2018

Re: Comcast IPv6 issues when hwnat enabled on ER-X

thank you!

 

New Member
Posts: 6
Registered: ‎04-15-2018
Kudos: 5

Re: Comcast IPv6 issues when hwnat enabled on ER-X

Upgraded to 2.0.0 beta 1 a week ago, rebooted, and have had no issues with losing my IPv6 settings or any other for that matter. Going to keep beta 1 for now even though 2 is out since I want to observe it at least another week.

Member
Posts: 227
Registered: ‎04-22-2018
Kudos: 26
Solutions: 2

Re: Comcast IPv6 issues when hwnat enabled on ER-X

 


@beastie29a wrote:

Upgraded to 2.0.0 beta 1 a week ago, rebooted, and have had no issues with losing my IPv6 settings or any other for that matter. Going to keep beta 1 for now even though 2 is out since I want to observe it at least another week.


 

They are already testing 2.0.0 beta 2 FYI


AP AC LITE
UAP nanoHD (x2)
Edgerouter 4
New Member
Posts: 6
Registered: ‎04-15-2018
Kudos: 5

Re: Comcast IPv6 issues when hwnat enabled on ER-X

Nice, yeah I've flashed my router with beta 2 a few days ago and it's been working fine, still have not lost my IPv6 settings.
New Member
Posts: 9
Registered: ‎02-27-2016
Kudos: 2

Re: Comcast IPv6 issues when hwnat enabled on ER-X


Hi folks, I've got IPv6 problems (I get address assignments to the PCs but I can't route). I'm not sure if it's related to this thread so before I open a new thread I thought I'd post here. I'm not sure how to reach the beta and I'd like to avoid it at the moment.

 

Edit: While watching the logs I noticed an ssh request come from 2607:f1c0:1000:002e:5810:196f:0b1e:e820 to one of my inside boxes (2601:...:xxyy). I checked it via ssh from one of my boxes on my lan and I can reach the 2607:... address (???). This suggests some IPv6 is working but also that there is no firewall. My browsers cannot pass the connectivity test at test-ipv6.com so I don't know what is going on at this time.

 

Edit 2: Yup, me again, perhaps the firewall is fine:

[WANv6_IN-default-D]IN=eth0 OUT=eth1 MAC=..:..:..:..:..:..:..:..:..:..:..:..:..:.. src=2607:f1c0:1000:002e:5810:196f:0b1e:e820 DST=2601:....:....:....:....:....:....:xxyy LEN=132 TC=32 HOPLIMIT=49 FLOWLBL=0 PROTO=TCP SPT=22 DPT=43683 WINDOW=447 RES=0x00 ACK PSH URGP=0 

After checking all my logs I see no attempt at login so I think I can safely assume that the packets were dropped.

 

I've now turned off the IPv6 offloading and I can now use IPv6. I also had to reboot some of the servers. I am now able to ping, traceroute and run ssh to IPv6 addresses.

 

Thanks

 

ISP: Comcast

Version: v1.10.8
HW model: EdgeRouter Lite 3-Port

 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group IPV4BOGONS {
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 192.168.0.0/16
            network 203.0.113.0/24
            network 224.0.0.0/4
            network 240.0.0.0/4
        }
    }
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow ICMPv6"
            protocol icmpv6
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_IN {
        default-action accept
        rule 1 {
            action drop
            description "drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "Inbound WAN to (W)LAN"
        rule 10 {
            action accept
            description "allow estabished"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "drop invalid"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "To router from WAN"
        rule 10 {
            action accept
            description "allow established"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "drop invalid"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "allow icmp"
            protocol icmp
        }
        rule 80 {
            action drop
            description "drop bogon source"
            source {
                group {
                    network-group IPV4BOGONS
                }
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description "Internet (Eth0)"
        dhcpv6-pd {
            pd 0 {
                interface eth1 {
                    host-address ::1
                    prefix-id ::2
                    service slaac
                }
                prefix-length 60
            }
            prefix-only
            rapid-commit enable
        }
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.24.252/22
        description "Bridge Home LAN"
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
        }
        ipv6 {
            address {
                autoconf
                eui64 2001:db8::1/64
            }
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag true
                max-interval 600
                other-config-flag false
                prefix ::/64 {
                    autonomous-flag true
                    on-link-flag true
                    preferred-lifetime 14400
                    valid-lifetime 86400
                }
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        speed auto
        vrrp {
            vrrp-group 100 {
                advertise-interval 1
                description "VRRP for internet access"
                preempt true
                priority 100
                virtual-address 192.168.24.254/22
            }
        }
    }
    ethernet eth2 {
        description "Bridge Home LAN"
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
    tunnel tun0 {
        address 10.255.255.1/30
        encapsulation ipip
        local-ip 192.168.24.252
        multicast disable
        remote-ip 192.168.24.253
        ttl 255
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat disable
    lan-interface eth1
    rule 1 {
        description "SSH to 1"
        forward-to {
            address 192.168.24.1
            port 22
        }
        original-port 10001
        protocol tcp
    }
    rule 2 {
        description "SSH to 2"
        forward-to {
            address 192.168.24.2
            port 22
        }
        original-port 10002
        protocol tcp
    }
    rule 3 {
        description "SSH to 3"
        forward-to {
            address 192.168.24.3
            port 22
        }
        original-port 10003
        protocol tcp
    }
    wan-interface eth0
}
protocols {
    rip {
        default-information {
        }
        network 192.168.24.0/22
        passive-interface eth0
        redistribute {
            static {
            }
        }
    }
    static {
        interface-route 192.169.100.1/32 {
            next-hop-interface eth0 {
                description "Please leave this here as an example but not needed for the modem"
            }
        }
        route 192.168.128.0/24 {
            next-hop 192.168.24.2 {
            }
        }
    }
}
service {
    dns {
        forwarding {
            cache-size 1000
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description WAN_MASQ
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    snmp {
        community write {
            authorization rw
        }
        community read {
            authorization ro
        }
        contact Budhatigger
        listen-address 192.168.24.252 {
            port 161
        }
        listen-address 192.168.24.254 {
            port 161
        }
        location "Network Rack"
        trap-target 192.168.24.2 {
        }
    }
    ssh {
        listen-address 192.168.24.252
        listen-address 192.168.24.254
        port 22
        protocol-version v2
    }
    ubnt-discover {
        disable
    }
}
system {
    config-management {
        commit-revisions 20
    }
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    domain-name comcast.net
    host-name Router
    ipv6 {
        neighbor {
            base-reachable-time 30
            stale-time 60
            table-size 16384
        }
    }
    name-server 208.67.222.222
    name-server 208.67.222.221
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 192.168.24.1 {
            prefer
        }
        server 192.168.24.2 {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding enable
        }
    }
    package {
        repository squeeze {
            components "main contrib non-free"
            distribution squeeze
            password ""
            url http://http.us.debian.org/debian
            username ""
        }
        repository squeeze-security {
            components main
            distribution squeeze/updates
            password ""
            url http://security.debian.org
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
        host 192.168.24.2 {
            facility all {
                level notice
            }
        }
    }
    time-zone America/New_York
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.8.5142440.181120.1645 */
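
An added example (not part of the original post, and not Ubiquiti code) that decodes a firewall log line of the kind quoted above: the `[ruleset-rule-action]` prefix gives the verdict, and the ports and TCP flags show whether the packet opens a connection or is a reply from a remote service. The sample line is constructed with documentation-range addresses; `parse_fw_log` and `classify_tcp` are hypothetical helper names.

```python
import re

# EdgeOS/Vyatta log prefix: [<ruleset>-<rule number or "default">-<A|D|R>]
PREFIX = re.compile(r"\[(?P<ruleset>[^\]]+)-(?P<rule>[^-\]]+)-(?P<action>[ADR])\]")
ACTIONS = {"A": "accept", "D": "drop", "R": "reject"}
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}

# Constructed sample modelled on the line in the post; addresses are from the
# 2001:db8::/32 documentation range and the MAC is made up.
SAMPLE = ("[WANv6_IN-default-D]IN=eth0 OUT=eth1 MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:86:dd "
          "SRC=2001:db8:a::22 DST=2001:db8:b::10 LEN=132 TC=32 HOPLIMIT=49 "
          "FLOWLBL=0 PROTO=TCP SPT=22 DPT=43683 WINDOW=447 RES=0x00 ACK PSH URGP=0")

def parse_fw_log(line):
    """Split an EdgeOS firewall log line into verdict, key=value fields and TCP flags."""
    m = PREFIX.search(line)
    if m is None:
        raise ValueError("no [ruleset-rule-action] prefix in line")
    rest = line[m.end():]
    # Upper-case the keys so hand-edited lines (e.g. "src=") still parse.
    fields = {k.upper(): v for k, v in re.findall(r"(\w+)=(\S*)", rest)}
    return {
        "ruleset": m["ruleset"],
        "rule": m["rule"],
        "action": ACTIONS[m["action"]],
        "fields": fields,
        "flags": TCP_FLAGS.intersection(rest.split()),
    }

def classify_tcp(event):
    """Heuristic: is this a new inbound connection or a reply from a remote service?"""
    f, flags = event["fields"], event["flags"]
    if f.get("PROTO") != "TCP":
        return "not-tcp"
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"      # first packet of a handshake
    spt, dpt = int(f["SPT"]), int(f["DPT"])
    if "ACK" in flags and spt < 1024 <= dpt:
        return "reply-from-remote-service"   # e.g. SPT=22 to a high port
    return "other-mid-stream"

if __name__ == "__main__":
    ev = parse_fw_log(SAMPLE)
    print(ev["ruleset"], ev["rule"], ev["action"], classify_tcp(ev))
```

For a line shaped like the one in the post, this reports a drop by the default action of WANv6_IN and classifies the segment as a reply from a remote port 22 rather than a new inbound connection, which would carry SYN and DPT=22.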

 

 
