IPv6 Native with Telstra, Australia
-
@derelict said in IPv6 Native with Telstra, Australia:
Glad you got it working.
I don't know. It depends on what they are testing. There's a little ? on the right of each line. Maybe that says what they are looking for. You have to pass whatever that is. Probably ICMPv6 echo requests.
I assume for hostname they expect you to have DNS. If they do then make it so to pass that test.
I looked into it more deeply and it is simply that they can't reach my local laptop internally in my lan for ICMP ping. I am happy that they can't do that - I have no intention of opening that up :).
On another note, when you read the wiki, you'll see something interesting in the system tuneables page.
What is interesting is that the switch that we're turning back on here to get this working - net.inet6.icmp6.nd6_onlink_ns_rfc4861 - seems to be related to a vulnerability from 2008, and turning this switch on is effectively re-enabling functionality that was changed to fix the problem!
https://www.freebsd.org/security/advisories/FreeBSD-SA-08:10.nd6.asc
Not sure what this means yet, but seems low-ish risk limited to ability to spoof packets on local link with ISP.
Am interested if you have a view on this.
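Added example, not part of the original post and not FreeBSD or pfSense code: a simplified Python model of the source check that net.inet6.icmp6.nd6_onlink_ns_rfc4861 toggles, the behaviour changed by FreeBSD-SA-08:10.nd6. The function names, the reduced on-link test and the 2001:db8:: sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data using documentation/link-local space; none of these
# addresses come from the thread.
WAN_ONLINK_PREFIXES = ["2001:db8:100::/64"]
SAMPLE_NS_SOURCES = [
    "fe80::1",            # link-local router address
    "2001:db8:100::1",    # global address inside the WAN on-link prefix
    "2001:db8:ffff::1",   # global address outside every on-link prefix
    "::",                 # duplicate address detection probe
]


def is_neighbor(src, onlink_prefixes):
    """Simplified on-link test: link-local, or inside a configured on-link prefix."""
    addr = ipaddress.IPv6Address(src)
    if addr.is_link_local:
        return True
    return any(addr in ipaddress.IPv6Network(p) for p in onlink_prefixes)


def accept_ns(src, onlink_prefixes, nd6_onlink_ns_rfc4861):
    """Return (accepted, reason) for a Neighbor Solicitation from src."""
    if ipaddress.IPv6Address(src).is_unspecified:
        return True, "DAD probe, not subject to the on-link source check"
    if is_neighbor(src, onlink_prefixes):
        return True, "source is on-link"
    if nd6_onlink_ns_rfc4861:
        return True, "off-link source accepted (RFC 4861 behaviour)"
    return False, "dropped: NS from non-neighbor"


def sources_depending_on_tunable(sources, onlink_prefixes):
    """Sources accepted only when the tunable is 1: the exposure it adds."""
    return [
        s for s in sources
        if accept_ns(s, onlink_prefixes, 1)[0]
        and not accept_ns(s, onlink_prefixes, 0)[0]
    ]


if __name__ == "__main__":
    for src in SAMPLE_NS_SOURCES:
        for mode in (0, 1):
            ok, why = accept_ns(src, WAN_ONLINK_PREFIXES, mode)
            print(f"tunable={mode} src={src:<18} accepted={ok} ({why})")
    print("only with tunable=1:",
          sources_depending_on_tunable(SAMPLE_NS_SOURCES, WAN_ONLINK_PREFIXES))
```

Running the same comparison over the NS source addresses seen in a WAN packet capture shows which solicitations are only answered because the tunable is set.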
-
@dugeem said in IPv6 Native with Telstra, Australia:
@Larrikin Well done.
For reference can you please post a capture of successful pfSense IPv6 initialisation on Telstra?
I'm torn on that. The problem with that is that it will publicly give away all my MAC addressing and IP addressing - not something I really want to do. I am all for sharing as much as I can, but on this one I am a bit nervous of giving away my personal IP and MAC details.
-
@randomaustralian said in IPv6 Native with Telstra, Australia:
next step now is to see if i can get it working myself.
You should be fine - just follow the wiki. If you run into any issues, just WHIM me on whirlpool and I'll help.
-
So I followed your guide and the only thing that was different to my existing settings was the system tunable lines of steps 19 and 20.
I do get IPv6 internally routable addresses like last time but I still can't seem to pass any traffic, which has been my standing problem for a while now.
Edit:
I'd like to add I am receiving IPv6 traffic because I never have had snort report an alert with an IPv6 address. I don't know how to or what a WHIM is on whirlpool.
-
@randomaustralian said in IPv6 Native with Telstra, Australia:
So I followed your guide and the only thing that was different to my existing settings was the system tunable lines of steps 19 and 20.
I do get IPv6 internally routable addresses like last time but I still can't seem to pass any traffic, which has been my standing problem for a while now.
Double check steps 1 to 6.
Show screen shots of System, Routing, Gateways and your firewall ruleset on the LAN.
-
@randomaustralian said in IPv6 Native with Telstra, Australia:
Edit:
I'd like to add I am receiving IPv6 traffic because I never have had snort report an alert with an IPv6 address. I don't know how to or what a WHIM is on whirlpool.
That's fine. Just direct msg me here instead. I frequent both forums. I'm sure we'll get you working. I'm willing to bet it's an old setting you've forgotten about when you've played with this that you've assumed aligns with the how-to guide, but probably doesn't. We'll find it, and fix it :)
-
@larrikin Actually I'm confident your settings are working fine. I can ping IPv6 addresses from my desktop.
In fact, I tried to ping Cloudflare's IPv6 DNS server 2606:4700:4700::1111 and realized I had not re-added Cloudflare's IPv6 DNS addresses back into my pfSense configuration.
Addresses re-added. Rebooted. http://ipv6-test.com/ reports I have a working IPv6 stack.
-
@randomaustralian said in IPv6 Native with Telstra, Australia:
@larrikin Actually I'm confident your settings are working fine. I can ping IPv6 addresses from my desktop.
In fact, I tried to ping Cloudflare's IPv6 DNS server 2606:4700:4700::1111 and realized I had not re-added Cloudflare's IPv6 DNS addresses back into my pfSense configuration.
Addresses re-added. Rebooted. http://ipv6-test.com/ reports I have a working IPv6 stack.
Yep - you are good. It's working. You may not have rebooted before after making the tunable changes which is key for this to work. There you go. Enjoy IPv6!
-
@randomaustralian said in IPv6 Native with Telstra, Australia:
I was considering paying for a Netgate support subscription to get the results I was after.
With an uncooperative ISP who needs special sauce there is probably not a lot we could have done. Paying a local consultant who is familiar with Telstra would have probably been a better bet.
-
@derelict Well, now I can potentially be that private consultant.
-
@derelict said in IPv6 Native with Telstra, Australia:
@randomaustralian said in IPv6 Native with Telstra, Australia:
I was considering paying for a Netgate support subscription to get the results I was after.
With an uncooperative ISP who needs special sauce there is probably not a lot we could have done. Paying a local consultant who is familiar with Telstra would have probably been a better bet.
Or not paying anyone and relying on the community working as a team to get this sorted :)
-
What I have experienced with Telstra is they are very anal about consumers using Telstra's supplied gear.
They refuse to support your internet connection if you don't use their gear. I have to keep their supplied gateway handy in case I have an outage and then confirm the outage exists on their router too before calling them or they won't support me. :\
-
@derelict said in IPv6 Native with Telstra, Australia:
@randomaustralian said in IPv6 Native with Telstra, Australia:
I was considering paying for a Netgate support subscription to get the results I was after.
With an uncooperative ISP who needs special sauce there is probably not a lot we could have done. Paying a local consultant who is familiar with Telstra would have probably been a better bet.
I think that's a little unfair. Telstra wasn't uncooperative, and the theory I posted above turned out to be accurate. The system tuneables changes address the ICMPv6 flow neighbor solicit. And part of my theory was built on information supplied by Telstra and the other part built on packet captures. Telstra didn't need to give me that information, but the guy did. It's just that I didn't pay enough attention to it at the time and I (amongst others) got hung up on one UDP packet rather than looking at the bigger picture.
-
@larrikin For you perhaps. Sounds like you have a special friend that is not what everyone's experience is.
-
Telstra chose to be different and refuse to document that difference.
-
@derelict said in IPv6 Native with Telstra, Australia:
@larrikin For you perhaps. Sounds like you have a special friend that is not what everyone's experience is.
Well, again, to defend Telstra... I simply posted a problem once I was having in a public forum. A back of house Telstra person personally reached out to me in a private chat message providing his work email address and fixed the issue. He gave me his mobile number and we also spoke on the phone.
He also asked not to be named publicly at the time for that, he was just happy to resolve it. That's how he became my contact. Because of his initiative.
Reading his posts, I'm not the only one he has helped.
-
If you search this forum for net.inet6.icmp6.nd6_onlink_ns_rfc4861 you will find this thread. No other ISP in the world is known to require that default be changed.
-
@derelict the problem with Telstra in my experience has always been that there's two sides to their company - there's some great people there who are extremely knowledgeable on the business side as @Larrikin proves through his contact (and I've got similar contacts at Telstra too).
But the Consumer side of Telstra and especially the Level 1 Support are more than often terrible and to @randomaustralian's point as soon as you tell them you're not using the supplied Gateway, at that point they are completely off-script and completely useless.
-
@derelict said in IPv6 Native with Telstra, Australia:
Telstra chose to be different and refuse to document that difference.
Different to what? My issue with IPv6 is that it's incredibly complex compared to IPv4, and there are many ways to implement it and still be compliant to the standard.
I agree it would be nice for Telstra to document how they run IPv6, but they have made a commercial decision that if you sign up with them, you use their router. Everything that has been done has been unofficial. If we don't like it, then we find another ISP. I'm not arguing that Telstra is right in their approach, it's just the decision they have taken.
They are by far the largest ISP in Australia - they own the market. And that means most people are standard "mums and dads" who just want an end to end service supported - so Telstra can support the router as well given that they control it.
Anyhow, I guess in summary, in part I agree with you in that I'd like them to publish this information, but the moment they do, they are creating a rod for their own back for then getting sucked into supporting third party routers which goes against the grain of the company's position.
I also keep coming back to IPv6 is a very complex beast. Even if they did publish more info on it, each vendor has different ways to configure it, so what then?
-
That is true for all ISPs. It is particularly problematic when an ISP chooses to deploy something that requires special treatment and is silent about what that special treatment is.