Netgate Discussion Forum

IPv6 Native with Telstra, Australia

IPv6
  • L
    Larrikin @Derelict
    last edited by Mar 2, 2019, 2:21 PM

    @derelict When you read the wiki, you'll see something interesting in the system tuneables page.

    What is interesting is that the switch that we're turning back on here to get this working - net.inet6.icmp6.nd6_onlink_ns_rfc4861 - seems to be related to a vulnerability from 2008, and turning this switch on is effectively re-enabling functionality that was changed to fix the problem!

    https://www.freebsd.org/security/advisories/FreeBSD-SA-08:10.nd6.asc

    Not sure what this means yet, but seems low-ish risk limited to ability to spoof packets on local link with ISP. Be interested if you have a view on this.

    1 Reply Last reply Reply Quote 0
    • L
      Larrikin @Derelict
      last edited by Mar 2, 2019, 3:06 PM

      @derelict Quick question - I am guessing there are a couple of firewall rules I need to put in place to deal with the filtered result as per this? Would you mind letting me know what they are?

      Thanks.


      G 1 Reply Last reply Mar 2, 2019, 6:26 PM Reply Quote 0
      • D
        Derelict LAYER 8 Netgate
        last edited by Mar 2, 2019, 4:32 PM

        Glad you got it working.

        I don't know. It depends on what they are testing. There's a little ? on the right of each line. Maybe that says what they are looking for.

        You have to pass whatever that is. Probably ICMPv6 echo requests.

        I assume for hostname they expect you to have DNS. If they do then make it so to pass that test.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        L 1 Reply Last reply Mar 2, 2019, 11:31 PM Reply Quote 0
        • G
          Gertjan @Larrikin
          last edited by Gertjan Mar 2, 2019, 6:31 PM Mar 2, 2019, 6:26 PM

          @larrikin said in IPv6 Native with Telstra, Australia:

          Quick question -

          Quick answer.

          Glad it finally worked for you.

          edit :

          Forget about the hostname, except if you want your LAN device to be 'seen' on the Internet.
          My only motivation to make that one 'ok' was to have a 20/20 (stupid reason, I know).

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          1 Reply Last reply Reply Quote 0
          • D
            dugeem
            last edited by Mar 2, 2019, 10:40 PM

            @Larrikin Well done.

            For reference can you please post a capture of successful pfSense IPv6 initialisation on Telstra?

            L 1 Reply Last reply Mar 2, 2019, 11:32 PM Reply Quote 0
            • R
              randomaustralian
              last edited by Mar 2, 2019, 10:43 PM

              I got pointed here asking the exact same question on Netgate last night. I have been at this on and off for like 2 years and i'd always give up after a week or so.

              @Larrikin i am impressed you got such a good contact from Telstra, every time i have asked them for this information they refuse to give me any help as it is "unsupported" and when i have said i will support it myself I just need the configuration information they just flat out refused to give it to me or more recently told me to sign up for Telstra Platinum and even they told me there is no point in subscribing because they aren't allowed to give me that information.

              I was considering paying for a Netgate support subscription to get the results i was after.

              thank you guys for the hard work you have put into this and releasing the information to the public.

              next step now is to see if i can get it working myself.

              2 x UP board, 4GB RAM + 64 GB eMMC w/ vesa case (http://up-shop.org/)
              1x UP^2 Pentium Quad Core, 8GB RAM, 128GB eMMC w/ vesa case (pfSense)
              1x UP Core Plus E3950, 8GB RAM, 64GB EMMC+ Net Plus i210-IT
              1x Dell Power Edge R510
              2x Dell Power Edge R610

              L D 2 Replies Last reply Mar 2, 2019, 11:53 PM Reply Quote 0
              • L
                Larrikin @Derelict
                last edited by Mar 2, 2019, 11:31 PM

                @derelict said in IPv6 Native with Telstra, Australia:

                Glad you got it working.

                I don't know. It depends on what they are testing. There's a little ? on the right of each line. Maybe that says what they are looking for.

                You have to pass whatever that is. Probably ICMPv6 echo requests.

                I assume for hostname they expect you to have DNS. If they do then make it so to pass that test.

                I looked into it more deeply and it is simply that they can't reach my local laptop internally in my lan for ICMP ping. I am happy that they can't do that - I have no intention of opening that up :).

                On another note, when you read the wiki, you'll see something interesting in the system tuneables page.

                What is interesting is that the switch that we're turning back on here to get this working - net.inet6.icmp6.nd6_onlink_ns_rfc4861 - seems to be related to a vulnerability from 2008, and turning this switch on is effectively re-enabling functionality that was changed to fix the problem!

                https://www.freebsd.org/security/advisories/FreeBSD-SA-08:10.nd6.asc

                Not sure what this means yet, but seems low-ish risk limited to ability to spoof packets on local link with ISP.

                Am interested if you have a view on this.

                1 Reply Last reply Reply Quote 0
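An added example, not part of the thread or of pfSense/FreeBSD code: a small Python model for auditing which Neighbor Solicitation (NS) sources seen on the WAN are only accepted because net.inet6.icmp6.nd6_onlink_ns_rfc4861 is set to 1. It assumes the tunable's effect is to accept NS whose source address is not covered by any prefix configured on the receiving interface; the function names, prefixes and addresses are constructed for illustration.

```python
import ipaddress

def classify_ns_source(src, onlink_prefixes, rfc4861_tunable):
    """Model the NS source check; returns (verdict, reason).

    onlink_prefixes: prefixes configured on the receiving interface
    rfc4861_tunable: value of net.inet6.icmp6.nd6_onlink_ns_rfc4861
    """
    addr = ipaddress.IPv6Address(src)
    if addr.is_unspecified:
        # Duplicate Address Detection probes use :: as source and are
        # not subject to the on-link source check.
        return ("accept", "DAD probe (unspecified source)")
    nets = [ipaddress.IPv6Network(p) for p in onlink_prefixes]
    if any(addr in net for net in nets):
        return ("accept", "source is on-link")
    if rfc4861_tunable:
        return ("accept", "off-link source, accepted only with tunable=1")
    return ("drop", "off-link source, dropped with tunable=0")

def exposed_sources(observed, onlink_prefixes):
    """NS sources whose verdict flips from drop to accept with the tunable.

    These are the senders to review: ideally only the ISP gateway.
    """
    flipped = set()
    for src in observed:
        off, _ = classify_ns_source(src, onlink_prefixes, False)
        on, _ = classify_ns_source(src, onlink_prefixes, True)
        if off == "drop" and on == "accept":
            flipped.add(ipaddress.IPv6Address(src))
    return [str(a) for a in sorted(flipped)]

# Constructed sample data (documentation prefix 2001:db8::/32).
WAN_PREFIXES = ["fe80::/64", "2001:db8:100::/64"]
OBSERVED_NS_SOURCES = [
    "::",                 # DAD probe
    "fe80::1",            # link-local neighbour
    "2001:db8:100::1",    # global address inside the WAN prefix
    "2001:db8:ffff::1",   # global address outside every WAN prefix
    "2001:db8:ffff::1",   # repeated solicitation from the same sender
]

if __name__ == "__main__":
    for src in OBSERVED_NS_SOURCES:
        print(src, classify_ns_source(src, WAN_PREFIXES, True))
    print("relies on tunable:", exposed_sources(OBSERVED_NS_SOURCES, WAN_PREFIXES))
```

Fed with NS source addresses taken from a WAN packet capture, the output of exposed_sources is the list of senders to compare against the ISP gateway's address.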
                • L
                  Larrikin @dugeem
                  last edited by Larrikin Mar 3, 2019, 12:30 AM Mar 2, 2019, 11:32 PM

                  @dugeem said in IPv6 Native with Telstra, Australia:

                  @Larrikin Well done.

                  For reference can you please post a capture of successful pfSense IPv6 initialisation on Telstra?

                  I'm torn on that. The problem is that it will publicly give away all my MAC addressing and IP addressing - not something I really want to do. I am all for sharing as much as I can, but on this one I am a bit nervous about giving away my personal IP and MAC details.

                  1 Reply Last reply Reply Quote 0
                  • L
                    Larrikin @randomaustralian
                    last edited by Mar 2, 2019, 11:53 PM

                    @randomaustralian said in IPv6 Native with Telstra, Australia:

                    next step now is to see if i can get it working myself.

                    You should be fine - just follow the wiki. If you run into any issues, just WHIM me on whirlpool and I'll help.

                    1 Reply Last reply Reply Quote 0
                    • R
                      randomaustralian
                      last edited by randomaustralian Mar 3, 2019, 12:03 AM Mar 2, 2019, 11:59 PM

                      so i followed your guide and the only thing that was different to my existing settings was the system tunable lines of steps 19 and 20.

                      i do get IPv6 internally routable addresses like last time but i still can't seem to pass any traffic which has been my standing problem for a while now.

                      Edit:

                      i'd like to add i am receiving IPv6 traffic because i never have had snort report an alert with an IPv6 address. i don't know how to or what a WHIM is on whirlpool.

                      L 2 Replies Last reply Mar 3, 2019, 12:04 AM Reply Quote 0
                      • L
                        Larrikin @randomaustralian
                        last edited by Mar 3, 2019, 12:04 AM

                        @randomaustralian said in IPv6 Native with Telstra, Australia:

                        so i followed your guide and the only thing that was different to my existing settings was the system tunable lines of steps 19 and 20.

                        i do get IPv6 internally routable addresses like last time but i still can't seem to pass any traffic which has been my standing problem for a while now.

                        Double check steps 1 to 6.

                        Show screen shots of System, Routing, Gateways and your firewall ruleset on the LAN.

                        R 1 Reply Last reply Mar 3, 2019, 12:33 AM Reply Quote 0
                        • L
                          Larrikin @randomaustralian
                          last edited by Mar 3, 2019, 12:32 AM

                          @randomaustralian said in IPv6 Native with Telstra, Australia:

                          Edit:

                          i'd like to add i am receiving IPv6 traffic because i never have had snort report an alert with an IPv6 address. i don't know how to or what a WHIM is on whirlpool.

                          That's fine. Just direct msg me here instead. I frequent both forums. I'm sure we'll get you working. I'm willing to bet it's an old setting you've forgotten about when you've played with this that you've assumed aligns with the how to guide, but probably doesn't. We'll find it, and fix it :)

                          1 Reply Last reply Reply Quote 0
                          • R
                            randomaustralian @Larrikin
                            last edited by randomaustralian Mar 3, 2019, 12:34 AM Mar 3, 2019, 12:33 AM

                            @larrikin Actually i'm confident your settings are working fine. I can ping IPv6 addresses from my desktop.

                            In fact. I tried to ping Cloudflare's IPv6 DNS server 2606:4700:4700::1111 and realized i had not re-added Cloudflare's IPv6 DNS addresses back into my pfSense configuration.

                            Addresses re-added. Rebooted. http://ipv6-test.com/ reports i have a working IPv6 stack.


                            L 1 Reply Last reply Mar 3, 2019, 12:34 AM Reply Quote 0
                            • L
                              Larrikin @randomaustralian
                              last edited by Larrikin Mar 3, 2019, 12:34 AM Mar 3, 2019, 12:34 AM

                              @randomaustralian said in IPv6 Native with Telstra, Australia:

                              @larrikin Actually i'm confident your settings are working fine. I can ping IPv6 addresses from my desktop.

                              In fact. I tried to ping Cloudflare's IPv6 DNS server 2606:4700:4700::1111 and realized i had not re-added Cloudflare's IPv6 DNS addresses back into my pfSense configuration.

                              Addresses re-added. Rebooted. http://ipv6-test.com/ reports i have a working IPv6 stack.

                              Yep - you are good. It's working. You may not have rebooted before after making the tunable changes which is key for this to work. There you go. Enjoy IPv6!

                              1 Reply Last reply Reply Quote 0
                              • D
                                Derelict LAYER 8 Netgate @randomaustralian
                                last edited by Mar 3, 2019, 12:35 AM

                                @randomaustralian said in IPv6 Native with Telstra, Australia:

                                I was considering paying for a Netgate support subscription to get the results i was after.

                                With an uncooperative ISP who needs special sauce there is probably not a lot we could have done. Paying a local consultant who is familiar with Telstra would have probably been a better bet.

                                R L 3 Replies Last reply Mar 3, 2019, 12:36 AM Reply Quote 0
                                • R
                                  randomaustralian @Derelict
                                  last edited by Mar 3, 2019, 12:36 AM

                                  @derelict Well now i can potentially be that private consultant.

                                  1 Reply Last reply Reply Quote 0
                                  • L
                                    Larrikin @Derelict
                                    last edited by Mar 3, 2019, 12:36 AM

                                    @derelict said in IPv6 Native with Telstra, Australia:

                                    @randomaustralian said in IPv6 Native with Telstra, Australia:

                                    I was considering paying for a Netgate support subscription to get the results i was after.

                                    With an uncooperative ISP who needs special sauce there is probably not a lot we could have done. Paying a local consultant who is familiar with Telstra would have probably been a better bet.

                                    Or not paying anyone and relying on the community working as a team to get this sorted :)

                                    R 1 Reply Last reply Mar 3, 2019, 12:40 AM Reply Quote 0
                                    • R
                                      randomaustralian @Larrikin
                                      last edited by Mar 3, 2019, 12:40 AM

                                      @larrikin

                                      what i have experienced with Telstra is they are very anal about consumers using Telstra's supplied gear.

                                      They refuse to support your internet connection if you don't use their gear. I have to keep their supplied gateway handy in case i have an outage and then confirm the outage exists on their router too before calling them or they won't support me. :\

                                      1 Reply Last reply Reply Quote 0
                                      • L
                                        Larrikin @Derelict
                                        last edited by Larrikin Mar 3, 2019, 12:40 AM Mar 3, 2019, 12:40 AM

                                        @derelict said in IPv6 Native with Telstra, Australia:

                                        @randomaustralian said in IPv6 Native with Telstra, Australia:

                                        I was considering paying for a Netgate support subscription to get the results i was after.

                                        With an uncooperative ISP who needs special sauce there is probably not a lot we could have done. Paying a local consultant who is familiar with Telstra would have probably been a better bet.

                                        I think that's a little unfair. Telstra wasn't uncooperative, and the theory I posted above turned out to be accurate. The system tuneables changes address the ICMPv6 flow neighbor solicit. And part of my theory was built on information supplied by Telstra and the other part built on packet captures. Telstra didn't need to give me that information, but the guy did. It's just that I didn't pay enough attention to it at the time and I (amongst others) got hung up on one UDP packet rather than looking at the bigger picture.

                                        D 1 Reply Last reply Mar 3, 2019, 12:41 AM Reply Quote 0
                                        • D
                                          Derelict LAYER 8 Netgate @Larrikin
                                          last edited by Mar 3, 2019, 12:41 AM

                                          @larrikin For you perhaps. Sounds like you have a special friend that is not what everyone's experience is.

                                          L 1 Reply Last reply Mar 3, 2019, 12:43 AM Reply Quote 0
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.