Netgate Discussion Forum

    IPv6 can not connect to IPv6

    14 Posts 4 Posters 1.4k Views
    • M
      mhank

      Dear all,
      Complete newbie here

      Been using pfsense for some years, but really starting to go deeper into it :-)

      A problem has arisen

      We have several users in the US that options an IPv6 on their mobile phones.
      When they try to connect to our mail servers or SIP servers, they can not connect. Actually I do not even see the tries in the log.

      Help me out :-)

      If an IPv6 contacts a server, using an IPv4 behind a pfsense firewall, that would work - or am I wrong?

      • DerelictD
        Derelict LAYER 8 Netgate @mhank

        @mhank I don't know of any US Cell carriers that are IPv6-only. It would be up to the carrier to provide something like dual stack or some other way for an IPv6 host to access the IPv4 internet like perhaps MAP-T.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • M
          mhank @Derelict

          @derelict Thank you for your reply
          I was surprised myself, we are a Telecom Operator (or an MVNO in several countries), and I have not seen it before.
          I had my CTO contact his counterpart in T-Mobile, and he confirmed that in some cases, it is indeed the case with IPv6 only

          • DerelictD
            Derelict LAYER 8 Netgate @mhank

            @mhank If your server is on IPv4 and they are, indeed, on IPv6-only with no transition mechanism in place, about all you can do is implement IPv6 on your servers.

            • JKnottJ
              JKnott @mhank

              @mhank

              Normally, IPv6 is preferred to IPv4. However, there may be issues with the carrier. I'm on Rogers in Canada, which does IPv6 very well, but Bell Canada has a poor IPv6 implementation. Have the user try test-ipv6.com. On Rogers I get 10/10, but with a work phone on Bell, it was only 1/10, IIRC.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              • JKnottJ
                JKnott @Derelict

                @derelict

                I don't know about U.S. carriers, but Rogers, in Canada, uses 464XLAT, which converts IPv4 to IPv6 and back. I expect some U.S. carriers would do similar.

                • DerelictD
                  Derelict LAYER 8 Netgate @JKnott

                  @jknott "with no transition mechanism in place"

                  • JKnottJ
                    JKnott @Derelict

                    @derelict

                    Are there such carriers? Seems to me that would cut people off from a large chunk of the Internet.

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @mhank

                      @mhank said in IPv6 can not connect to IPv6:

                      We have several users in the US that options an IPv6 on their mobile phones.

                      T-Mobile is IPv6 only here in the Chicagoland region.. But they clearly have a method in place for the IPv6 only phone to get to IPv4 addresses..

                      As mentioned already with no method to do that - these users would not be able to access most of the internet. Because while sure IPv6 is making progress and the future.. There are some serious major players on the internet that do not have IPv6 access to their services.

                      I know t-mobile is ipv6 only - because can see it on my phone.. And well this info from back in 2014 when they started the move..

                      https://www.internetsociety.org/resources/deploy360/2014/case-study-t-mobile-us-goes-ipv6-only-using-464xlat/

                      My phone while out and about on cell only can for sure connect to IPv4 only - since I can get to my plex server and per notification of new IP being used for a client I get that they are connecting via IPv4 even though my IPv6 only phone is making the connection.


                      NetRange:       172.32.0.0 - 172.63.255.255
                      CIDR:           172.32.0.0/11
                      NetName:        TMO9
                      OriginAS:       AS21928
                      Organization:   T-Mobile USA, Inc. (TMOBI)
                      

                      I can not be sure about other Carriers in the US, but I would have to assume that many of them are doing only IPv6 - there are just so many freaking phones..

                      I would look to troubleshooting why they can not actually make whatever connection - but I find highly unlikely that any mobile phone carrier would only be doing IPv6 at this time. Without a method for that device to talk to IPv4 addresses. It is just not a viable solution at this time. There is too much of the planet that does not yet have IPv6..

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      • JKnottJ
                        JKnott @johnpoz

                        @johnpoz

                        It appears T-Mobile is doing the same as Rogers. My phone gets an IPv4 address 192.0.0.4, which, IIRC, is within the reserved addresses for 464XLAT.

                        Also, what type of phone is having this issue? I believe iPhones handle this differently from Android.

                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator @JKnott

                          @jknott I don't see how make of the phone should matter. Because if a carrier rolled out some IPv6 network. And you could not get to IPv4 if you used phone maker X.. That carrier wouldn't be in business very long.

                          I would look more to these protocols they mention mail and sip.. It's quite possible the translation the carrier is doing for IPv6 to IPv4 does not support the protocol they are doing, or they on purpose block it, etc. Especially to say another country..

                          I would test something simple like can this phone user access a website you're hosting on http or https?

                          • JKnottJ
                            JKnott @johnpoz

                            @johnpoz

                            One other issue is whether a VPN is used. Some VPNs won't work through NAT.

                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator @JKnott

                              @jknott I vpn into my pfsense over their translation setup just fine.. Not saying that couldn't be an issue..

                              But he specifically called out mail and sip, and made no mention of vpn - and says they are not even seeing connection attempt.

                              But I am curious to know how they knew what IPv4 address to look for - because they sure wouldn't see an IPv6 address trying to talk to their IPv4 address.

                              What I would suggest they do is have these phone users access something simple like a website they host..

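Added example, not part of any post in this thread: a Python sketch of the address logic discussed above, showing which source addresses an IPv4-only server can actually expect in its logs when a 464XLAT phone connects. The carrier range is the one from the whois output quoted earlier; the log layout and sample lines are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# 192.0.0.0/29 is reserved for 464XLAT/DS-Lite host addresses (RFC 7335).
CLAT_RANGE = ipaddress.ip_network("192.0.0.0/29")
# 64:ff9b::/96 is the NAT64 well-known prefix (RFC 6052).
NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")
# Carrier range copied from the whois output quoted in the thread.
CARRIER_POOL = ipaddress.ip_network("172.32.0.0/11")

def classify(addr):
    """Return (kind, embedded_ipv4_or_None) for one address string."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        if ip in NAT64_WKP:
            # The low 32 bits of a /96 NAT64 address carry the IPv4 target.
            return "nat64-wkp", str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF))
        return "native-ipv6", None
    if ip in CLAT_RANGE:
        return "clat-local", None      # local to the phone's CLAT interface
    if ip in CARRIER_POOL:
        return "carrier-pool", None    # what an IPv4-only server would log
    return "other-ipv4", None

# Constructed sample, simplified "action src dst dport" (not pfSense filterlog).
SAMPLE_LOG = """\
pass 172.58.10.20 203.0.113.10 443
block 172.58.10.20 203.0.113.10 5060
block 172.56.1.2 203.0.113.10 25
pass 198.51.100.7 203.0.113.10 25
block 172.64.0.1 203.0.113.10 5060
truncated line
"""

def carrier_hits(log_text):
    """Count (dport, action) pairs whose source is in the carrier pool."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue                   # skip malformed entries
        action, src, _dst, dport = parts
        try:
            kind, _ = classify(src)
        except ValueError:
            continue                   # source field is not an IP address
        if kind == "carrier-pool":
            hits[(int(dport), action)] += 1
    return hits
```

Filtering the firewall log by the carrier's translated IPv4 range, rather than by the phone's IPv6 address, separates "blocked at the firewall" from "never arrived" for the mail and SIP ports.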
                              • JKnottJ
                                JKnott @johnpoz

                                @johnpoz said in IPv6 can not connect to IPv6:

                                I vpn into my pfsense over their translation setup just fine.. Not saying that couldn't be an issue..

                                NAT breaks IPSec authentication headers. Other VPNs, such as OpenVPN, use plain UDP that passes through NAT. Also, WiFi calling uses IPSec in UDP for the same reason.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.