Member

IPv6 on Spectrum with EdgeRouter and Netgear CM500 modem

I have no trouble getting IPv6 to work most of the time, but I cannot get this configuration to work. This is a Spectrum internet connection on the west coast. My usual experience is with Comcast, not Spectrum.

I have a new ER-X-SFP and new Netgear CM500 modem.

My WAN is eth0.

I've tried /64, /60, and /56 prefixes.

I've tried setting eth0 ipv6 address autoconf and eth0 ipv6 dup-addr-detect-transmits 1.

I've tried eth0 dhcpv6-pd pd 0 prefix-only.

Here's my normal configuration (I use a zone-based firewall):

interfaces ethernet eth0 {
    address dhcp
    description Internet
    dhcpv6-pd {
        pd 0 {
            interface switch0 {
                host-address ::1
                prefix-id :0
                service slaac
            }
        }
        rapid-commit enable
    }
    duplex auto
}

Firewall rules:

firewall ipv6-name wan-local-6 {
 default-action drop
 enable-default-log
 rule 1 {
     action accept
     description "Allow established/related"
     state {
         established enable
         related enable
     }
 }
 rule 2 {
     action drop
     description "Drop invalid state"
     log enable
     state {
         invalid enable
     }
 }
 rule 100 {
     action accept
     description "Allow IPv6 icmp"
     protocol ipv6-icmp
 }
 rule 150 {
     action accept
     description "Allow dhcpv6"
     destination {
         port 546
     }
     protocol udp
     source {
         port 547
     }
 }
}
firewall ipv6-name wan-lan-6 {
 default-action drop
 enable-default-log
 rule 1 {
     action accept
     description "Allow established/related"
     state {
         established enable
         related enable
     }
 }
 rule 2 {
     action drop
     description "Drop invalid state"
     log enable
     state {
         invalid enable
     }
 }
 rule 100 {
     action accept
     description "Allow IPv6 icmp"
     protocol ipv6-icmp
 }
}

firewall ipv6-name local-wan-6 {
 default-action accept
 rule 1 {
     action accept
     description "Allow established/related"
     state {
         established enable
         related enable
     }
 }
 rule 2 {
     action drop
     description "Drop invalid state"
     log enable
     state {
         invalid enable
     }
 }
 rule 100 {
     action accept
     description "Allow IPv6 icmp"
     protocol ipv6-icmp
 }
}
zone-policy {
 zone LAN {
     default-action drop
     from WAN {
         firewall {
             ipv6-name wan-lan-6
             name wan-lan
         }
     }
     from local {
         firewall {
             ipv6-name local-lan-6
             name local-lan
         }
     }
     interface switch0
 }
 zone WAN {
     default-action drop
     from LAN {
         firewall {
             ipv6-name lan-wan-6
             name lan-wan
         }
     }
     from local {
         firewall {
             ipv6-name local-wan-6
             name local-wan
         }
     }
     interface eth0
 }
 zone local {
     default-action drop
     from LAN {
         firewall {
             ipv6-name lan-local-6
             name lan-local
         }
     }
     from WAN {
         firewall {
             ipv6-name wan-local-6
             name wan-local
         }
     }
     local-zone
 }
}

This exact config definitely works on Comcast.

Any help is much appreciated!


Senior Member

And what does a packet sniff show? Are you sure IPv6 is even offered in your area?
Member

Can you provide the command to run the packet sniffer? Not sure what I'm looking for in this instance.

show dhcpv6-pd log is empty.

These are relatives, and I've set up two working ER-X-SFPs on Spectrum in the same area, although they are using different modems. I believe one is an Arris SB6190 and the other is a Spectrum-provided Cisco modem. Logging into the Netgear modem does show that the modem is "IPv6 Provisioned". The two working modems are not zone-based firewalls, although there should be no functional difference from my understanding, as the rules are the same, and this configuration works on Comcast.

Senior Member

Run up two SSH sessions. In one run:

sudo tcpdump -n -i eth0 -w /tmp/eth0_dhcpv6.pcap 'ip6 and (udp port 546 or udp port 547)'

...and in the second:

release dhcpv6-pd interface eth0
delete dhcpv6-pd duid
renew dhcpv6-pd interface eth0
Starting new daemon...

Then stop the capture and take a look through to see if there's a DHCPv6 Solicit and Reply. For example:

reading from file /tmp/filename.pcap, link-type EN10MB (Ethernet)
[snip]
13:40:59.161765 IP6 (hlim 1, next-header UDP (17) payload length: 93) fe80::f29f:c2ff:fe06:e322.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=2a95a8 (client-ID hwaddr/time type 1 time 539185258 f09fc206e327) (rapid-commit) (elapsed-time 0) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0 (IA_PD-prefix ::/56 pltime:4294967295 vltime:4294967295)))
13:40:59.162242 IP6 (class 0xe0, hlim 255, next-header UDP (17) payload length: 93) fe80::250:56ff:fe90:7634.dhcpv6-server > fe80::f29f:c2ff:fe06:e322.dhcpv6-client: [udp sum ok] dhcp6 reply (xid=2a95a8 (server-ID hwaddr type 1 005056904048) (client-ID hwaddr/time type 1 time 539185258 f09fc206e327) (rapid-commit) (IA_PD IAID:0 T1:300 T2:480 (IA_PD-prefix 2001:db8:1200:300::/56 pltime:600 vltime:1800)))
[snip]

Also check your firewall stats and make sure you're seeing hits on the appropriate rule.

show firewall ipv6-name wan-local-6 statistics
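
One way to run the Solicit/Reply check described in this post, as an added example that is not part of the original thread: the awk filter reads `tcpdump -n -v -r FILE` text and prints every Solicit xid that never received an Advertise or Reply, with how many times it was sent. The two `2a95a8` lines are shortened from the sample output above; the `7c01f3` lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# List DHCPv6 Solicit transaction IDs (xid) that got no Advertise/Reply.
# Input: text from `tcpdump -n -v -r FILE` on stdin. Output: "<xid> <solicit count>".
unanswered_solicits() {
    awk '
    function xid_of(line) {                 # hex digits that follow "xid="
        if (!match(line, /xid=[0-9a-fA-F]+/)) return ""
        return substr(line, RSTART + 4, RLENGTH - 4)
    }
    / dhcp6 solicit / {
        x = xid_of($0)
        if (x == "") next
        if (!(x in sent)) order[++n] = x    # remember first-seen order
        sent[x]++                           # retransmissions reuse the same xid
    }
    / dhcp6 (advertise|reply) / {
        x = xid_of($0)
        if (x != "") answered[x] = 1
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(order[i] in answered)) print order[i], sent[order[i]]
    }'
}

# Constructed sample: one answered exchange, then three unanswered retransmissions.
sample_capture() {
    cat <<'EOF'
13:40:59.161765 IP6 fe80::f29f:c2ff:fe06:e322.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=2a95a8 (rapid-commit) (IA_PD IAID:0 T1:0 T2:0))
13:40:59.162242 IP6 fe80::250:56ff:fe90:7634.dhcpv6-server > fe80::f29f:c2ff:fe06:e322.dhcpv6-client: [udp sum ok] dhcp6 reply (xid=2a95a8 (rapid-commit) (IA_PD IAID:0 T1:300 T2:480))
13:45:10.000000 IP6 fe80::f29f:c2ff:fe06:e322.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=7c01f3 (rapid-commit) (IA_PD IAID:0 T1:0 T2:0))
13:45:11.000000 IP6 fe80::f29f:c2ff:fe06:e322.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=7c01f3 (rapid-commit) (IA_PD IAID:0 T1:0 T2:0))
13:45:13.000000 IP6 fe80::f29f:c2ff:fe06:e322.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=7c01f3 (rapid-commit) (IA_PD IAID:0 T1:0 T2:0))
EOF
}

sample_capture | unanswered_solicits
```

Against a real capture, feed it `sudo tcpdump -n -v -r /tmp/eth0_dhcpv6.pcap` instead of the sample function.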

 

Member

I assume you mean eth0, as that is my WAN?

Firewall statistics before:

IPv6 Firewall "wan-local-6"

 Active on - 
  zone [local] from zone [WAN]

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
1     0           0           ACCEPT  Allow established/related
2     0           0           DROP    Drop invalid state
100   3168        186176      ACCEPT  Allow IPv6 icmp
150   0           0           ACCEPT  Allow dhcpv6
10000 0           0           DROP    DEFAULT ACTION

After running tcpdump:

3 packets received by filter

Firewall statistics after:

IPv6 Firewall "wan-local-6"

 Active on - 
  zone [local] from zone [WAN]

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
1     0           0           ACCEPT  Allow established/related
2     0           0           DROP    Drop invalid state
100   3435        202392      ACCEPT  Allow IPv6 icmp
150   0           0           ACCEPT  Allow dhcpv6
10000 0           0           DROP    DEFAULT ACTION

pcap file attached. There are 3 solicits and no replies.

Senior Member

@adamjb wrote:

pcap file attached. There are 3 solicits and no replies.

^^^^ Well, there is your answer. You can call and ask Spectrum what the issue is.

(Unless of course it's a firewall issue.) But I think your default rule would have jumped up if that was the case.
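
The counter comparison behind that last remark, as an added example that is not part of the original posts: it diffs two `show firewall ipv6-name wan-local-6 statistics` snapshots and reports whether DHCPv6 traffic was accepted by rule 150, whether any DROP rule counted packets, or whether nothing reached the ruleset at all. The rows are the ones posted earlier in the thread; the function names and verdict labels are made up here, and a non-zero drop delta only shows that something was dropped, not that it was DHCPv6.

```shell
#!/bin/sh
# Per-rule packet deltas between two "show firewall ... statistics" snapshots.
rule_deltas() {   # usage: rule_deltas BEFORE_FILE AFTER_FILE
    awk '
    !($1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/) { next }   # skip headers and blank lines
    NR == FNR { before[$1] = $2; next }              # first file: remember counters
    { printf "%s %d %s\n", $1, $2 - before[$1], $4 } # rule, packet delta, action
    ' "$1" "$2"
}

# Classify the outcome. Rule 150 is the "Allow dhcpv6" rule in this thread's
# config; every DROP row (invalid state, default action) counts as a drop.
dhcpv6_verdict() {
    rule_deltas "$1" "$2" | awk '
    $1 == 150    { accepted = $2 }
    $3 == "DROP" { dropped += $2 }
    END {
        if (accepted > 0)     print "accepted"
        else if (dropped > 0) print "dropped"
        else                  print "not-seen"
    }'
}

demo() {   # counters copied from the two snapshots posted in the thread
    d=$(mktemp -d) || return 1
    cat > "$d/before" <<'EOF'
1     0           0           ACCEPT  Allow established/related
2     0           0           DROP    Drop invalid state
100   3168        186176      ACCEPT  Allow IPv6 icmp
150   0           0           ACCEPT  Allow dhcpv6
10000 0           0           DROP    DEFAULT ACTION
EOF
    cat > "$d/after" <<'EOF'
1     0           0           ACCEPT  Allow established/related
2     0           0           DROP    Drop invalid state
100   3435        202392      ACCEPT  Allow IPv6 icmp
150   0           0           ACCEPT  Allow dhcpv6
10000 0           0           DROP    DEFAULT ACTION
EOF
    rule_deltas "$d/before" "$d/after"
    dhcpv6_verdict "$d/before" "$d/after"
    rm -rf "$d"
}
demo
```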

Member

I have now tested a computer plugged directly into the modem, and I do get an IPv6 address.

Senior Member

Getting an IPv6 address on a computer is a lot different than getting prefix delegation.
Member

I assume the computer is using SLAAC to get an address directly from the Spectrum gateway?

It does show that the circuit is at least partially IPv6 capable. Is it possible at least to get an IPv6 address on the router's WAN interface without PD, just for testing?

I just downgraded to 1.9.7 hf4 (from 1.10.1) and that didn't help.

Not looking forward to the Spectrum support call. Not sure how many tiers up I'm going to have to go before the tech has even heard of IPv6, and they'll probably just blame our equipment.

Senior Member

Remove the firewall rules and try again from the er. Just set ipv6 address to auto to get an address for the wan.
Member

hwnat offload seems to have been the culprit.

I disabled hwnat offload and IPv6 started working.

For further info on this hwnat offload bug with the ER-X series, see this thread, where the problem also affects Comcast users:

https://community.ubnt.com/t5/EdgeRouter/Comcast-IPv6-issues-when-hwnat-enabled-on-ER-X/td-p/1850112

Senior Member

It's a known problem with Comcast; I guess we should add Spectrum to that list.