Switched to AT&T fiber, IPv6 tunnel broken
-
I'm trying to find a way to get my tunnel working without paying AT&T for their native IPv6.
I did run a capture and saw protocol 41 packets going out but nothing came back.
Waiting to hear from AT&T on how much some static IPv6 address space will cost and exploring the possibility of setting up NordVPN. That should hide the protocol 41 traffic and provide the VPN protections as a bonus.
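The "protocol 41 going out but nothing coming back" observation above is the whole diagnosis in one line. As an added example (not code from the thread or from pfSense), the script below decodes raw IPv4 frames, picks out IP protocol 41 (6in4), reads the inner IPv6 header, and tallies packets by direction against the two tunnel endpoints. The WAN address, broker address and the packets themselves are constructed placeholders; a real capture would be fed in after stripping the link-layer header.

```python
# Added example, not from the forum thread: decode IP-protocol-41 (6in4)
# packets from a raw capture and tally them by direction against the tunnel
# endpoints. Addresses and packets below are constructed for the demo.
import struct
import ipaddress

PROTO_6IN4 = 41   # IPv6-in-IPv4 encapsulation (RFC 4213)
PROTO_TCP = 6

def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_ipv6(src, dst, next_header=58, payload=b""):
    """Minimal 40-byte IPv6 header + payload (next header 58 = ICMPv6)."""
    hdr = struct.pack("!IHBB16s16s",
                      0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload

def parse_6in4(packet):
    """Return (outer_src, outer_dst, inner_src, inner_dst) for a 6in4 packet,
    or None when the packet is not IPv4 protocol 41, is truncated, or does
    not carry an IPv6 header inside."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_6IN4 or len(packet) < ihl + 40:
        return None
    inner = packet[ihl:ihl + 40]
    if inner[0] >> 4 != 6:
        return None
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])),
            str(ipaddress.IPv6Address(inner[8:24])),
            str(ipaddress.IPv6Address(inner[24:40])))

def tally_tunnel(packets, local_v4, broker_v4):
    """Count 6in4 packets between the local WAN address and the broker."""
    counts = {"outbound": 0, "inbound": 0, "other": 0}
    for pkt in packets:
        parsed = parse_6in4(pkt)
        if parsed is None:
            continue          # not 6in4 (ordinary TCP/UDP etc.), ignore
        osrc, odst = parsed[0], parsed[1]
        if (osrc, odst) == (local_v4, broker_v4):
            counts["outbound"] += 1
        elif (osrc, odst) == (broker_v4, local_v4):
            counts["inbound"] += 1
        else:
            counts["other"] += 1
    return counts

def diagnose(counts):
    """Summarise the tally the way you would read it off a tcpdump."""
    if counts["outbound"] and not counts["inbound"]:
        # Packets leave but nothing returns: dropped upstream, or the broker
        # still has the previous client IPv4 on file.
        return "one-way"
    if counts["outbound"] and counts["inbound"]:
        return "healthy"
    return "no-traffic"

# Constructed sample capture: pfSense WAN 192.0.2.10 (placeholder), tunnel
# server 198.51.100.1 (placeholder), two ICMPv6 echoes out, one unrelated
# TCP packet, and nothing back from the broker.
LOCAL_V4, BROKER_V4 = "192.0.2.10", "198.51.100.1"
SAMPLE_CAPTURE = [
    build_ipv4(LOCAL_V4, BROKER_V4, PROTO_6IN4,
               build_ipv6("2001:db8:1::2", "2001:db8:1::1",
                          payload=b"\x80\x00" + b"\x00" * 6)),
    build_ipv4(LOCAL_V4, "203.0.113.5", PROTO_TCP, b"\x00" * 20),
    build_ipv4(LOCAL_V4, BROKER_V4, PROTO_6IN4,
               build_ipv6("2001:db8:1::2", "2001:db8::1")),
]

if __name__ == "__main__":
    counts = tally_tunnel(SAMPLE_CAPTURE, LOCAL_V4, BROKER_V4)
    print(counts, diagnose(counts))
```

On a real capture, `other` counting up is itself a clue: 6in4 to or from an address that is neither endpoint usually means the broker still has an old client IPv4 configured, or the passthrough device is rewriting the source address.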
-
@BiloxiGeek said in Switched to AT&T fiber, IPv6 tunnel broken:
paying AT&T for their native IPv6.
Why would they charge you for IPv6?
-
Well I don't know that they will yet, waiting for an answer to an email I sent yesterday.
But since it's AT&T I suspect they are gonna want to charge me extra for the additional service. They actively block protocol 41 to make sure any customers can be milked for a bit more profit if they want to have something beyond the typical single dynamic IPv4 address.
-
@BiloxiGeek I thought that back when they first rolled out IPv6 they were using 6rd and were blocking 41 because they were using it, but from a bit of googling, when they switched over to native dual stack, 41 was opened. I have seen multiple posts saying that you could run HE with an AT&T residential connection.
I don't have AT&T to know for sure - and even if they are still blocking in some areas or everywhere, it would make no sense for them to charge to use IPv6. Other than if what you're after is a "static" IPv6 prefix delegation.
As to working with some VPN service - I doubt that would work to be honest. For starters you wouldn't be able to ping the IP you're setting the tunnel up with from the HE side; second, protocol 41 is not a port, so I doubt it would work through a NATing VPN type of service.
So if you put your AT&T device into bridge mode - not sure if disabling IPv6 is something you want?
I've put the fiber modem (BGW320) into passthrough mode, disabled the IPv6 and its firewall.
I would think putting it into bridge mode would disable any sort of firewalling it would do, but you still might need to leave IPv6 enabled? I don't have their service or that device to play with. But I would try not disabling IPv6 on the device when you put it into bridge mode and just use it as a modem vs a gateway.
-
@BiloxiGeek FWIW, I've had ATT Fiber with a BGW320 in Passthrough Mode for 3+ years (in Northern California). v6 with a pfSense+ router works fine, including DDNS. I use Dynu as the DDNS provider. I didn't have to pay anything extra for (dynamic) v6 prefixes.
An unfortunate thing with ATT's v6 service is that it delegates /64s individually rather than in a larger block, e.g., a /61. This thread explains how to request multiple /64s. There's another explanation of the steps here.
v6 (protocol 41) is not blocked on ATT's network, at least here in my area. Even with it blocked on the BGW per the OP, it's not clear to me why that would affect the HE tunnel which is v6-over-v4 (i.e., v4 from the BGW's perspective).
-
@marcg said in Switched to AT&T fiber, IPv6 tunnel broken:
Passthrough Mode for 3+ years (in Northern California)
Do you have anything in this device's settings saying to disable IPv6? The OP stated he disabled IPv6 in his BGW320 - just curious if that somehow could cause an issue even when in bridge mode.
-
@johnpoz said in Switched to AT&T fiber, IPv6 tunnel broken:
Do you have anything in this device's settings saying to disable IPv6? The OP stated he disabled IPv6 in his BGW320 - just curious if that somehow could cause an issue even when in bridge mode.
There's an option to enable/disable v6 on the BGW's LAN side, under HomeNetwork>IPv6. Mine is set to On as I want pfSense to receive RAs, DHCPv6 PDs, etc. That's the only BGW320 v6 enable/disable option I know of.
pfSense is the only thing connected to the BGW in my case. If that's the same for the OP, I don't understand how that setting would affect the HE tunnel since it's v4 from the BGW perspective.
-
@marcg while I agree it shouldn't have any effect - but is it possible that with the disable IPv6 setting on his device it blocks protocol 41?
If he is unable to set up a tunnel, I would for sure, as a test, not disable IPv6 on the AT&T device and see if the tunnel then comes up.
On a bit of a side note - personally I would still run a HE tunnel vs native IPv6 unless I could get a delegation that doesn't change, and that would allow for DNS settings on that prefix - don't really need a full /48 but something like a /56 should be available.
I would rather live with a slight bump in latency to have a prefix that never changes, and the ability to modify PTRs for this prefix, than some prefix that is changing all the time with no ability to edit the PTRs.
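The PTR control the post values is easy to show concretely. As an added example (not from the thread, not HE or pfSense code), the block below takes a delegated prefix and a host list and produces the matching `ip6.arpa` reverse zone: it derives the zone apex for a /48 or /56, converts each address to its relative owner name, and refuses addresses outside the delegation. The prefix, hostnames and nameserver are constructed placeholders from the documentation ranges.

```python
# Added example, not from the forum thread: generate the ip6.arpa reverse
# zone for a delegated IPv6 prefix. Prefix, hosts and NS are placeholders.
import ipaddress

def reverse_zone_apex(prefix):
    """Zone name for a prefix whose length is a whole number of nibbles,
    e.g. 2001:db8:1::/48 -> '1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa'."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 for a clean ip6.arpa cut")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def ptr_records(prefix, hosts):
    """Return (owner, target) pairs relative to the zone apex for each
    (address, hostname). Addresses outside the delegation are rejected so a
    typo cannot silently produce a record the zone would never answer for."""
    net = ipaddress.IPv6Network(prefix)
    apex = reverse_zone_apex(prefix)
    records = []
    for addr, name in hosts:
        ip = ipaddress.IPv6Address(addr)
        if ip not in net:
            raise ValueError(f"{addr} is not inside {prefix}")
        full = ip.reverse_pointer            # all 32 nibbles + '.ip6.arpa'
        owner = full[: -len(apex) - 1]       # strip '.<apex>' -> relative name
        records.append((owner, name.rstrip(".") + "."))
    return records

def render_zone(prefix, hosts, ns="ns1.example.net.", serial=1):
    """Render a minimal zone file skeleton (SOA timers are placeholders)."""
    apex = reverse_zone_apex(prefix)
    lines = [
        f"$ORIGIN {apex}.",
        f"@ IN SOA {ns} hostmaster.example.net. ({serial} 3600 900 1209600 3600)",
        f"@ IN NS {ns}",
    ]
    for owner, target in ptr_records(prefix, hosts):
        lines.append(f"{owner} IN PTR {target}")
    return "\n".join(lines)

# Constructed sample: a /48 from the broker and two hosts inside it.
SAMPLE_PREFIX = "2001:db8:1::/48"
SAMPLE_HOSTS = [
    ("2001:db8:1::2", "router.example.net"),
    ("2001:db8:1:10::25", "mail.example.net"),
]

if __name__ == "__main__":
    print(render_zone(SAMPLE_PREFIX, SAMPLE_HOSTS))
```

Keeping the apex computation separate from the records makes the same code work when the delegation is a /56 or /64 instead of a /48; only the number of nibbles in the apex changes.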
-
@BiloxiGeek said in Switched to AT&T fiber, IPv6 tunnel broken:
I'm trying to find a way to get my tunnel working without paying AT&T for their native IPv6.
They charge for it? Very unusual. Rogers doesn't. In fact, it's to an ISP's advantage to have customers use IPv6, because there aren't anywhere near enough IPv4 addresses to go around.
-
@BiloxiGeek said in Switched to AT&T fiber, IPv6 tunnel broken:
But since it's AT&T I suspect they are gonna want to charge me extra for the additional service.
I bet it's already available. With my ISP, I just had to enable it and it works. Configure pfSense for IPv6 and see what happens.
-
@johnpoz said in Switched to AT&T fiber, IPv6 tunnel broken:
I thought back when they first rolled out ipv6 they were using 6rd and were blocking 41 because they were using it
My ISP was offering 6to4 and 6rd before going native. I had no problem using 6in4, back then. There should have been no conflict with protocol 41.
-
@johnpoz said in Switched to AT&T fiber, IPv6 tunnel broken:
I would think putting it into bridge mode would disable any sort of firewalling
Given the firewall in those modems, is that a bad thing?
Since this is a pfSense forum, I expect people here will be running pfSense for their firewall.
-
@JKnott said in Switched to AT&T fiber, IPv6 tunnel broken:
There should have been no conflict with protocol 41.
I agree - just what I read some places, doesn't mean it's true. Some thread somewhere stated that AT&T was blocking protocol 41 for anything other than their network, and when they moved to dual stack vs 6rd for their IPv6 rollout they removed the 41 block.
I am leaning towards the disable IPv6 setting in his AT&T device, to be honest, since if you are using the device as passthru and wanted to disable IPv6, blocking protocol 41 would be a way to stop a connected client from creating a tunnel and using IPv6 that way, etc.
-
Is there a difference between bridge mode and passthrough? I've set passthrough already and didn't get the tunnel up. If there's a separate bridge mode I'm more than willing to give it a try but I've not seen that setting anywhere in the BGW320 config.
And I too would prefer to deal with any latency issues in order to keep the 6in4 tunnel with the known and expected addresses.
-
@BiloxiGeek that might be what it's called on that device, can you enable IPv6 and leave it passthru?
-
@johnpoz There's no true bridge mode on the BGW320 AFAIK. IP Passthrough is bridge-like, but is NAT under the hood. With Passthrough enabled and v6 disabled on the BGW LAN side, I could see how that might prevent ATT's native v6 from working. Disabling v6 might prevent the Passthrough v6 NAT states from being created.
@BiloxiGeek, if you haven't already done so, suggest that the BGW's Passthrough Mode be configured as DHCPS-Fixed with the pfSense WAN MAC entered as the Passthrough Fixed MAC Address. If there's ever more than one device on the BGW's LAN side -- wired or wireless -- at boot time, the DHCPS-Dynamic option will cause the BGW to pick whichever device it sees first as the passthrough client, not necessarily pfSense (probably not what you want).
-
@marcg said in Switched to AT&T fiber, IPv6 tunnel broken:
Disabling v6 might prevent the Passthrough v6 NAT states from being created.
Concur - I do believe that is his problem. I don't think those devices do a true bridge, more like a NAT with a DMZ host sort of thing.
-
@johnpoz said in Switched to AT&T fiber, IPv6 tunnel broken:
I don't think those devices do a true bridge, more like a NAT with a DMZ host sort of thing.
It's similar, but different. In Passthrough mode, pfSense gets the public v4 IP of the BGW. For v6, the pfSense gets a routeable IP via DHCP for its WAN IP, and any delegated prefixes that it requests. pfSense thinks that it's directly on the WAN with routeable addresses and prefixes.
The BGW then 1:1 NATs every flow to/from pfSense, keeping the same source/destination address/port on both sides of the NAT. There's a snippet from the BGW's NAT table below. The x's are to obscure my routeable addresses and prefixes.
Guessing one reason they don't do a true bridge is to enable the BGW to NAT+route in parallel for its non-Passthrough LAN-side clients (none in my case).
-
@marcg well that is good, then it should work for the OP.