IPV6 seems to be blocking certain sites



  • Been running 2 WAN connections; an IP4 to my ISP in Canada and IPV6 - HE Tunnel.  Everything seems to be working properly but some web sites/services fail when we access them.

    What seems to be happening is if I try to go to netflix my tablet cannot stream the movie.  If I turn off the IPV6 it works

    If I go to the US Comcast WEB site (client when we are in the US) for example they seem to want to use the IPV6 WAN interface but fail to connect.

    It looks like the outgoing connection is going over IP4 instead of the IPV6 Interface.

    Not certain what is causing the problem.  Any help would be appreciated.

    Thanks
    cjb



  • Netflix blocks the Tunnelbroker exit points, as you saw with your tablet experience.

    I believe you have at least two options for Netflix with Tunnelbroker active

    • deny your clients access to a big chunk of Amazon IPV6 space, forcing a fallback to IPV4 (note that this may affect more than Netflix)

    • force your clients to jump through some DNS hoops and filter out AAAA responses with BIND, ensuring IPV4 access


  • LAYER 8 Global Moderator

    "Any help would be appreciated."

    Don't use ipv6 on the devices you want to use for netflix ;)  Would be the easy simple solution..



  • We are using a floating rule to block access to the netflix ipv6 addresses. That way you can keep your ipv6 working, except to accommodate this silly policy of netflix.


  • LAYER 8 Global Moderator

    Not really a silly policy from their point of view and geographic restrictions now is it ;)  You can create a tunnel to any HE location.. So it's simple enough to make it look like your IP is from NA when you're really in EU.. Just like a vpn.. So if their goal is to block people circumventing geographic restrictions then yeah they would need to block them.

    Until they could work out something with HE that users of their tunnel endpoints are in the same region, etc.

    Or they block the whole geo restrictions altogether..  Which is the silly part if you ask me..  User in NA should have access to same video library as person in EU and vice versa if you ask me..  Which should be the complete library..



  • I suppose one thing that could be done is to create local DNS records for Netflix, that contain only their IPv4 addresses.  That way the computer will not see any AAAA records and try IPv6.  Of course the real solution is for the ISP to get off their butt and provide IPv6.  IPv6 is where the world is moving to and faster than many realize.  For example, my ISP provides me with a /56 prefix and my cell phone (same company) is IPv6 only and has to use 464XLAT for IPv4.
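The AAAA-filtering workaround suggested in the replies above, sketched as an added example that is not code from the thread, BIND or pfSense: a resolver-side filter that turns AAAA responses for selected zones into an empty NOERROR answer, so dual-stack clients fall back to IPv4 for those names only. The zone list, function names and sample packets are assumptions constructed for illustration.

```python
import struct

AAAA = 28  # DNS RR type number for IPv6 address records

def read_qname(msg, off=12):
    """Decode the (uncompressed) question name; return (name, next offset)."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        if n > 63:
            raise ValueError("compressed or invalid label in question")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    return ".".join(labels), off + 1

def filter_aaaa(msg, zones):
    """Rewrite an AAAA response for a name under `zones` as NOERROR/NODATA."""
    ident, flags, qd, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qd != 1:
        return msg
    name, off = read_qname(msg)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    in_zone = any(name == z or name.endswith("." + z) for z in zones)
    if qtype != AAAA or not in_zone:
        return msg  # A lookups and unrelated names pass through untouched
    # Keep header and question, drop every record after it. This also drops
    # an EDNS OPT record, which a production filter would carry over.
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    return header + msg[12:off + 4]

def sample_response(name, qtype, rdata):
    """Constructed test packet: one question plus one answer for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", qtype, 1)
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(rdata)) + rdata
    return header + question + answer

if __name__ == "__main__":
    zones = ["netflix.com"]  # assumed list; real streaming hostnames may differ
    v6 = sample_response("www.netflix.com", AAAA, bytes.fromhex("20010db8" + "00" * 11 + "01"))
    v4 = sample_response("www.netflix.com", 1, bytes([192, 0, 2, 1]))
    print(len(v6), "->", len(filter_aaaa(v6, zones)))  # answer stripped
    print(filter_aaaa(v4, zones) == v4)                # A record untouched
```

Matching on zone suffix rather than stripping every AAAA record keeps IPv6 working for all other destinations, which is the trade-off the replies above are weighing.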


  • LAYER 8 Global Moderator

    "faster than many realize."

    This may be true ;)  But still a long way away that IPv4 is not primary.. My cell company also stopped handing out ipv4 to the phone.. (T-Mobile)

    To be honest not a big fan of that.. I had to fire up ipv6 vpn so I could still vpn home when only on cell..



  • Does your cell phone not provide IPv4 via 464XLAT or other transition mechanism?  I don't see any problem with having to set up an IPv6, as that's the way the future is going.  You were just encouraged to make that change sooner rather than later.  Regardless, you would have had to do it at some point.  With iPhones, Apple is requiring apps on the app store to support IPv6.

    One thing I find REALLY annoying are those who refuse to move from IPv4.  They seem to think hacks like NAT are normal, despite the problems it causes.  I was also doing some VoIP work at a company that just moved to a new office.  The ISP was providing IPv6, but their IT guy just blocked it.  Absolute stupidity.  Anyone working with networks, at a professional level, but cannot/will not work with IPv6 is incompetent.  Get with the program guys.

    Incidentally, any current Cisco CCNA should be familiar with IPv6.  It's been on the test for years.


  • LAYER 8 Global Moderator

    I don't have a problem with them going with IPv6 - but that they removed it to me seems a bit early is all.. But yeah pushing forward is the way.. Pretty sure I will be retired before it's mainstream though ;)  I would love to be able to use it more.. Just no push for it at work yet..



  • ^^^^
    Nothing to stop you from pushing, particularly if you're their IT guy.



  • @johnpoz:

    Not really a silly policy from their point of view and geographic restrictions now is it ;)  You can create a tunnel to any HE location.. So it's simple enough to make it look like your IP is from NA when you're really in EU.. Just like a vpn.. So if their goal is to block people circumventing geographic restrictions then yeah they would need to block them.

    Until they could work out something with HE that users of their tunnel endpoints are in the same region, etc.

    Or they block the whole geo restrictions altogether..  Which is the silly part if you ask me..  User in NA should have access to same video library as person in EU and vice versa if you ask me..  Which should be the complete library..

    I suppose you could argue that a tunnel changes your location, but I think for most people, a tunnel is a way to get ipv6 when the isp doesn't support it. I think most people use a vpn for changing their location and on top of that, you get additional privacy.


  • LAYER 8 Global Moderator

    Dude I have been PUSHING for many years..  The problem is I work for a tier 1 telecom subsidiary, the service branch..  And if the customers don't ask, then they don't do ;)

    Believe me if I was working at my old enterprise sort of job, would have been on ipv6 years ago there.. Where I had some input to overall direction for the enterprise.  Current position is more a fire fighter to why something is not working that I rarely had any say on the design of..  Or on some projects just the banana bender - make this happen.  Shit I have been complaining for years as well if you're not going to use IPv6 then you shouldn't leave it unconfigured on the images you're deploying..  Which finally got some traction when I showed them the % of traffic that is noise when 400 machines on just 1 segment with the default windows setup produces related to ipv6 when you leave it default out of the box.  Now multiply that by all the other segments with 1000's of more machines and producing a bunch of noise your switches have to handle for no reason at all..

    As of late I am no longer in the DC side of things other than when problem to fix, and more wan, etc. So even less input to what they do in the data centers.. I can see their point though - until such time they have a customer that needs/wants ipv6 there is little need to fire it up in a data center that is all rfc1918 space other than the edge.. And when you have a /16 of public space to work with and using a very very small % of that ipv6 doesn't really scream required..

    I have been playing with ipv6 for many many years.. Got my free sage tshirt back jan of 2011 from HE ;)  I have been pushing for it, have had ipv6 on my network for years!!


  • Moderator



  • have had ipv6 on my network for years!!

    I first got IPv6 on my home network in May 2010 via 6in4 tunnel.  My ISP finally started offering it last April.

    BTW, I first heard of IPv6 in the April 1995 issue of Byte magazine.



  • @johnpoz:

    Dude I have been PUSHING for many years..  The problem is I work for a tier 1 telecom subsidiary, the service branch..  And if the customers don't ask, then they don't do ;)

    Believe me if I was working at my old enterprise sort of job, would have been on ipv6 years ago there.. Where I had some input to overall direction for the enterprise.  Current position is more a fire fighter to why something is not working that I rarely had any say on the design of..  Or on some projects just the banana bender - make this happen.  Shit I have been complaining for years as well if you're not going to use IPv6 then you shouldn't leave it unconfigured on the images you're deploying..  Which finally got some traction when I showed them the % of traffic that is noise when 400 machines on just 1 segment with the default windows setup produces related to ipv6 when you leave it default out of the box.  Now multiply that by all the other segments with 1000's of more machines and producing a bunch of noise your switches have to handle for no reason at all..

    As of late I am no longer in the DC side of things other than when problem to fix, and more wan, etc. So even less input to what they do in the data centers.. I can see their point though - until such time they have a customer that needs/wants ipv6 there is little need to fire it up in a data center that is all rfc1918 space other than the edge.. And when you have a /16 of public space to work with and using a very very small % of that ipv6 doesn't really scream required..

    I have been playing with ipv6 for many many years.. Got my free sage tshirt back jan of 2011 from HE ;)  I have been pushing for it, have had ipv6 on my network for years!!

    We've had ipv6 since around 2012. It's amazing how much traffic will be carried over ipv6 if you have it available. I don't watch it closely now that I'm using pfsense, but when I was using sophos utm it emailed me a report every month. Some months it was 80-90%. And that was using a hurricane electric tunnel, which I will continue to use until pfsense 2.4 is released (hopefully with the RA fix). At that point, I'll switch to native dual stack. The latency and bandwidth of ipv4 and ipv6 are the same, if not better for ipv6.

