Netgate Discussion Forum

    Switched to AT&T fiber, IPv6 tunnel broken

      BiloxiGeek

      Recently moved from a cable modem with an IPv6 tunnel setup (he.net) that was working to AT&T fiber and now the tunnel stopped working. I've put the fiber modem (BGW320) into passthrough mode, disabled the IPv6 and its firewall.

      Using an SG2100 and it was working just fine on the cable modem to SparkLight. I've poked around in the pfSense and I don't see anything that seems to be set differently now. Is there something about this fiber modem that will block a tunnel from working? Searching the webs I do find that protocol 41 could be the cause but I'm unsure if AT&T blocks that protocol.

        Bob.Dig LAYER 8 @BiloxiGeek

        @BiloxiGeek You have to update your IPv4 with HE.

          JKnott

          Doesn't AT&T provide native IPv6? I only used a tunnel until my ISP provided it native.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

            BiloxiGeek @Bob.Dig

            @Bob.Dig I update my IPv4 through a DynDNS setup so tunnelbroker knows about my new IPv4 address.

              BiloxiGeek @JKnott

              @JKnott I'm gonna look into that but I was wanting to just keep the setup I already have but using the AT&T fiber connection which is faster especially on the upload side.

                Bob.Dig LAYER 8 @BiloxiGeek

                @BiloxiGeek And it has to be ping-able.

                  johnpoz LAYER 8 Global Moderator @BiloxiGeek

                  @BiloxiGeek and they give you a public IP, or is it CGNAT? For you to create a tunnel, you have to be able to ping the IP..

                  You are using this setup for your IP change?

                  https://forums.he.net/index.php?topic=1994.0

                  I know it's quite dated.. And I have not had to change mine in years and years - I just have the actual IP in my tunnel setup on HE.. If my IP changes I would just update it on HE..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                    BiloxiGeek @johnpoz

                    @johnpoz Yep, that's the setup I've got in place. It's been working for quite a few years for me when I was on a cable modem.

                    @Bob.Dig My SG2100 does get a public IP, it is pingable from the outside world but still get no tunnel. In the Gateways widget the tunnel just shows "Offline, Packetloss"

                      BiloxiGeek

                      Near as I can tell protocol 41 is being actively blocked somewhere upstream. Doesn't seem to be any way to get them to unblock it.

                      I may be able to get around it but it looks like I'll have to pay extra to switch to a business account and/or pay even more extra to get a static IP setup.

                      If anyone has found a way to get around that protocol 41 block I'd really like to know how they did it.

                        JKnott @BiloxiGeek

                        @BiloxiGeek said in Switched to AT&T fiber, IPv6 tunnel broken:

                        If anyone has found a way to get around that protocol 41 block I'd really like to know how they did it.

                        Why mess around with tunnels if AT&T provides IPv6? Don't forget, with tunnels, you also have a smaller MTU and more latency.

                        Have you run a packet capture to see if port 41 is actually being blocked?

                        I ran a tunnel starting in May 2010, but when my ISP started providing native IPv6, 9 years ago, I started using it and stopped using the tunnel.

                          BiloxiGeek @JKnott

                          @JKnott

                          I'm trying to find a way to get my tunnel working without paying AT&T for their native IPv6.

                          I did run a capture and saw protocol 41 packets going out but nothing came back.

                          Waiting to hear from AT&T on how much some static IPv6 address space will cost and exploring the possibility of setting a NordVPN. That should hide the protocol 41 traffic and provide the VPN protections as a bonus.

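Added example (not part of the thread or of any poster's setup): the check discussed in the two posts above, reading a packet capture and counting IPv4 protocol 41 (6in4) packets in each direction between the WAN address and the tunnel server. The capture is constructed in memory, the addresses are documentation placeholders, and all function names are illustrative.

```python
import struct
PROTO_6IN4 = 41  # IPv4 protocol number (IPv6 encapsulation), not a TCP/UDP port

def ipv4(src, dst, proto, payload=b"\x60" + b"\x00" * 39):
    """Minimal IPv4 packet for the constructed sample (checksum left at zero)."""
    pack_ip = lambda a: bytes(map(int, a.split(".")))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, pack_ip(src), pack_ip(dst)) + payload

def pcap(packets, linktype=101):
    """Classic little-endian pcap holding the given packets (LINKTYPE_RAW = 101)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, pkt in enumerate(packets):
        out += struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt
    return out

def tunnel_directions(data, wan_ip, tunnel_server):
    """Count protocol 41 packets between the two endpoints, per direction."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype not in (1, 101):
        raise ValueError("expected a little-endian classic pcap (Ethernet or raw IP)")
    counts, off = {"out": 0, "in": 0}, 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<I", data, off + 8)[0]  # captured length
        pkt = data[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if linktype == 1:  # Ethernet: strip the header, keep untagged IPv4 only
            pkt = pkt[14:] if pkt[12:14] == b"\x08\x00" else b""
        if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != PROTO_6IN4:
            continue  # byte 9 of the IPv4 header is the protocol field
        src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
        if (src, dst) == (wan_ip, tunnel_server):
            counts["out"] += 1
        elif (src, dst) == (tunnel_server, wan_ip):
            counts["in"] += 1
    return counts

def verdict(counts):
    """Turn the per-direction counts into a troubleshooting conclusion."""
    if counts["out"] and not counts["in"]:
        return "outbound only: protocol 41 replies are not reaching the WAN"
    if counts["out"] and counts["in"]:
        return "bidirectional: protocol 41 is passing"
    return "no outbound protocol 41: check the tunnel interface first"

# Constructed capture: three outbound 6in4 packets and one unrelated ICMP packet.
WAN, HE = "198.51.100.7", "203.0.113.1"  # documentation addresses, not real endpoints
SAMPLE = pcap([ipv4(WAN, HE, PROTO_6IN4)] * 3 + [ipv4(HE, WAN, 1, b"\x00" * 8)])
```

To use it on a real capture, read the file's bytes and pass the WAN IPv4 address and the tunnel server's IPv4 address in place of the placeholders.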
                            johnpoz LAYER 8 Global Moderator @BiloxiGeek

                            @BiloxiGeek said in Switched to AT&T fiber, IPv6 tunnel broken:

                            paying AT&T for their native IPv6.

                            Why would they charge you for IPv6?

                              BiloxiGeek @johnpoz

                              @johnpoz

                              Well I don't know that they will yet, waiting for an answer to an email I sent yesterday.

                              But since it's AT&T I suspect they are gonna want to charge me extra for the additional service. They actively block protocol 41 to make sure any customers can be milked for a bit more profit if they want to have something beyond the typical single dynamic IPv4 address.

                                johnpoz LAYER 8 Global Moderator @BiloxiGeek

                                @BiloxiGeek I thought back when they first rolled out ipv6 they were using 6rd and were blocking 41 because they were using it, but from a bit of googling when they switched over to native dual stack 41 was opened. I have seen multiple posts saying that you could run HE with att residential connection.

                                I don't have att to know for sure - and even if they are still blocking in some areas or everywhere it would make no sense for them to charge to use IPv6. Other than what you're after is a "static" ipv6 prefix delegation.

                                As to working with some vpn service - I doubt that would work to be honest. For starters you wouldn't be able to ping your IP you're setting the tunnel up with from the HE side, second protocol 41 is not a port I doubt it would work through a natting vpn type of service.

                                So if you put your att device into bridge mode - not sure if disable IPv6 is something you want?

                                I've put the fiber modem (BGW320) into passthrough mode, disabled the IPv6 and its firewall.

                                I would think putting it into bridge mode would disable any sort of firewalling it would do but you still might need to leave IPv6 enabled? I don't have their service or that device to play with. But I would try not disabling IPv6 on the device when you put it into bridge mode and just use it as a modem vs a gateway.

                                  marcg @BiloxiGeek

                                  @BiloxiGeek FWIW, I've had ATT Fiber with a BGW320 in Passthrough Mode for 3+ years (in Northern California). v6 with a pfSense+ router works fine, including DDNS. I use Dynu as the DDNS provider. I didn't have to pay anything extra for (dynamic) v6 prefixes.

                                  An unfortunate thing with ATT's v6 service is that it delegates /64s individually rather than in a larger block, e.g., a /61. This thread explains how to request multiple /64s. There's another explanation of the steps here.

                                  v6 is not blocked on ATT's network, at least here in my area. Even with it blocked on the BGW per the OP, it's not clear to me why that would affect the HE tunnel which is v6-over-v4 (i.e., v4 from the BGW's perspective).

                                    johnpoz LAYER 8 Global Moderator @marcg

                                    @marcg said in Switched to AT&T fiber, IPv6 tunnel broken:

                                    Passthrough Mode for 3+ years (in Northern California)

                                    Do you have anything in this device's settings saying to disable IPv6? The OP stated he disabled IPv6 in his bgw320 - just curious if that somehow could cause issue even when in bridge mode.

                                      marcg @johnpoz

                                      @johnpoz said in Switched to AT&T fiber, IPv6 tunnel broken:

                                      Do you have anything in this device's settings saying to disable IPv6? The OP stated he disabled IPv6 in his bgw320 - just curious if that somehow could cause issue even when in bridge mode.

                                      There's an option to enable/disable v6 on the BGW's LAN side, under HomeNetwork>IPv6. Mine is set to On as I want pfSense to receive RAs, DHCPv6 PDs, etc. That's the only BGW320 v6 enable/disable option I know of.

                                      pfSense is the only thing connected to the BGW in my case. If that's the same for the OP, I don't understand how that setting would affect the HE tunnel since it's v4 from the BGW perspective.

                                        johnpoz LAYER 8 Global Moderator @marcg

                                        @marcg while I agree it shouldn't have any effect - but it's possible with disable IPv6 setting on his device it blocks protocol 41?

                                        If he is unable to setup a tunnel.. I would for sure as a test not disable IPv6 on att device and see if the tunnel then comes up.

                                        On a bit of side note - personally I would still run a HE tunnel, vs native IPv6 unless I could get a delegation that doesn't change. And would allow for dns settings on that prefix - don't really need a full /48 but something like a /56 should be available.

                                        I would rather live with a slight bump in latency to have a prefix that never changes, and ability to modify PTR for this prefix. Than some prefix that is changing all the time and no ability to edit the PTRs

                                          JKnott @BiloxiGeek

                                          @BiloxiGeek said in Switched to AT&T fiber, IPv6 tunnel broken:

                                          I'm trying to find a way to get my tunnel working without paying AT&T for their native IPv6.

                                          They charge for it? Very unusual. Rogers doesn't. In fact, it's to an ISP's advantage to have customers use IPv6, because there aren't anywhere near enough IPv4 addresses to go around.

                                            JKnott @BiloxiGeek

                                            @BiloxiGeek said in Switched to AT&T fiber, IPv6 tunnel broken:

                                            But since it's AT&T I suspect they are gonna want to charge me extra for the additional service.

                                            I bet it's already available. With my ISP, I just had to enable it and it works. Configure pfSense for IPv6 and see what happens.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.