rand0nness • 3 Messages • Tuesday, April 23rd, 2024 5:47 AM

BGW210-700 drops all incoming 6in4 packets?

I'm trying to set up a Hurricane Electric IPv6 tunnel using an OPNsense system behind a BGW210-700 RG, but it turns out that despite disabling the packet filter and pretty much every other firewall option in the RG, it drops all incoming 6in4 (IP protocol 41) packets.  The logs list the reason as "Unknown 6in4 packet."  All other packets, including outgoing 6in4 ones, pass without issue.  Just wanted to see if anyone had more success, and if so, what kind of settings you have for the RG.  Thanks!

Accepted Solution

Community Support • 232.3K Messages • 1 month ago

Thanks for reaching us @rand0nness.

We understand your concern with regard to setting up a Hurricane Electric IPv6 tunnel using OPNsense behind a BGW210-700 RG. Let's point you in the right direction.

When setting up your AT&T gateway with your OPNsense firewall, you can set up port forwarding (NAT) to allow traffic from the Internet to reach your internal network.

You can do so by checking out our article Set up port forwarding for BGW210.

If you have any other questions, please feel free to write back.

Thank you.
David, AT&T Community Specialist.

Official Solution

Tutor • 440 Messages • 1 month ago

The above instructions from ATTHelp are close but may be missing a key piece of information.

In Step 6 of the link provided, you want to select the "IPv6 Tunnel (6 in 4)" service. 


3 Messages • 1 month ago

Thanks!  I forgot to mention that the Allocation Mode for IP Passthrough is set to Passthrough, so I cannot add the "IP Tunnel (6 in 4)" service, as the "Needed by Device" input box says "No Devices Found." When I click "Add," the error message "A required setting is empty" appears.   I am curious, though, whether this works without passthrough mode.  It would be rather strange because it means passthrough mode actually blocks packets that can be allowed in non-passthrough mode.

Community Support • 232.3K Messages • 1 month ago

Hi @rand0nness, thank you for your response.

After reviewing your concern and trying to resolve it through the Community Forums, it looks like you may need more account-specific support. To assist you best, we encourage you to review our Contact Us page (https://www.att.com/support/contact-us/) to identify what method you'd prefer to reach out for this account-level help. You can call, chat, or reach out via social media and we can review your specific issue and provide you support. We're sorry we weren't able to resolve your concern directly in the forums, but let us know if we can assist with anything else.

Thank you for contacting AT&T Community Forums.

Jasmine, AT&T Community Specialist

2 Messages • 21 days ago

I have a BGW320. I also have an OPNsense firewall. I also have problems getting Hurricane Electric 6in4 tunnel working. I have configured my OPNsense firewall to accept syslog messages from my BGW320, and I have configured my BGW320 to send firewall log messages to my OPNsense remote syslog. I have configured my HE 6in4 tunnel on my OPNsense firewall which is operating in "passthrough mode" using the BGW320 DHCP assigned public IP. For the most part, things are working, so we can eschew concerns about general misconfiguration problems.

The ATT equipment is configured by ATT or under contract by the hardware vendor Nokia to block 6in4. ATT is responsible for this.

How do I know? When I attempt to ping the IPv6 address of the HE 6in4 tunnel, the BGW320 sends me syslog messages like this:

May  4 20:42:24 L4 FIREWALL[10073]: nflog_log_fw(), action=DROP reason=POLICY-UNKNOWN-6IN4 hook=PREROUTING mark=136314880 IN=br2 OUT= MAC=00:00:00:00:00:00:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:SRC=XXX.XXX.XXX.XXX DST=XXX.XXX.XXX.XXX LEN=76 TOS=0x00 PREC=0x00 TTL=250 ID=37449 DF

action=DROP reason=POLICY-UNKNOWN-6IN4 is a clear indication of the device breaking my Internet connection by policy (iptables - Version 1.4.16.3, according to the GPL license info).

I also have the firewall disabled on my BGW320. The user interface lies about disabling the firewall. Maybe it is a bug. Maybe it is a feature. Let's just get the truth out in the open. Maybe this is just an issue of "ATT forbids" certain traffic. Maybe then we can help everyone avoid feeling like they got a bait-and-switch when they ask ATT sales if they can bridge their own firewall to the ATT fiber network.

For starters, I'd like to see a listing of the BGW320 iptables policies. Maybe step 2 we can talk about how to go about changing something to fix it.

Tutor • 440 Messages • 20 days ago

> For starters, I'd like to see a listing of the BGW320 iptables policies.

For security reasons, that will not happen.

Tutor • 440 Messages • 20 days ago

> The user interface lies about disabling the firewall.

That is only in regards to user-defined configurations of the firewall (at best).

3 Messages • 20 days ago

Apologies if I missed it somewhere, but where does AT&T disclose the existence of any firewalls other than user-defined configurations, much less how they operate?  I think that's the core issue; if AT&T simply said outright that it does not allow 6in4 tunnels in passthrough mode, that would be more understandable.  Of course, even better would be for AT&T to fix its famously broken native IPv6 implementation; then few people would need to use 6in4 tunnels in the first place.

Tutor • 440 Messages • 20 days ago

There is probably a defect in the 6rd implementation, a 6in4 tunnel, in the gateway. Before supporting native IPv6, AT&T supported 6rd.

In order to allow for users to have their own 6in4 tunnel to an end device, AT&T added a "6in4" port forwarding service in the gateway.

To reduce potential attacks they probably added a filter for 6in4 traffic, turning it off when either a user "6in4" port forwarding was defined or the 6rd tunnel was in use.

It was probably an oversight that it did not handle a user 6in4 tunnel when IP Passthru and Default was in use.


2 Messages • 16 days ago

There is an explicit IPTABLES policy implemented in the CPE which says it drops 6in4 specifically.

What else do they drop, and why?

I see it logging packet drops to IPv6 servers providing registry.npmjs.org hosting. reason=POLICY

I see it dropping FIN+ACK TCP packets to many HTTPS servers. reason=IP-INVALID

Just be 100% honest if your Internet service is nerfed and broken so people like me can avoid the trial and error before creating a second hop VPN to bypass the merely nominally competent operators.
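As an added example (not code from any poster in this thread), the following Python parses the gateway's `nflog_log_fw()` syslog format quoted earlier, tallies the DROP reasons mentioned across the thread (POLICY-UNKNOWN-6IN4, IP-INVALID, POLICY) and pulls out the 6in4 drops, so a defender feeding BGW logs into OPNsense syslog can attribute a tunnel failure to gateway policy instead of to the tunnel endpoint. The sample lines and all addresses are constructed; the redacted MAC field that runs straight into `SRC=` is preserved from the thread's line so the parser handles it.

```python
import re
from collections import Counter

# Constructed sample lines in the nflog_log_fw() format quoted in the thread.
# Addresses are documentation-range placeholders, not captured traffic.
SAMPLE_LOG = """\
May  4 20:42:24 L4 FIREWALL[10073]: nflog_log_fw(), action=DROP reason=POLICY-UNKNOWN-6IN4 hook=PREROUTING mark=136314880 IN=br2 OUT= MAC=00:00:00:00:00:00:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:SRC=192.0.2.10 DST=198.51.100.7 LEN=76 TOS=0x00 PREC=0x00 TTL=250 ID=37449 DF
May  4 20:42:25 L4 FIREWALL[10073]: nflog_log_fw(), action=DROP reason=IP-INVALID hook=PREROUTING mark=136314880 IN=br2 OUT= MAC=00:00:00:00:00:00:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:SRC=203.0.113.5 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=51234 FIN ACK
May  4 20:42:26 L4 FIREWALL[10073]: nflog_log_fw(), action=DROP reason=POLICY hook=PREROUTING mark=136314880 IN=br2 OUT= MAC=00:00:00:00:00:00:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=12 DF PROTO=TCP SPT=443 DPT=51235
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"FIREWALL\[(?P<pid>\d+)\]: nflog_log_fw\(\), (?P<rest>.*)$")
# Every field is key=value. The MAC value in the quoted line runs straight into
# "SRC=" with no space, so each value is cut at the next key, not at whitespace.
KEY_RE = re.compile(r"\b([A-Za-z]+)=")

def parse_fw_line(line):
    """Return the fields of one gateway firewall log line, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    rec = {"ts": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid")), "flags": []}
    keys = list(KEY_RE.finditer(rest))
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(rest)
        tokens = rest[k.end():end].split()
        # First token is the value; bare words after it (DF, FIN, ACK) are TCP/IP flags.
        rec[k.group(1)] = tokens[0].rstrip(":") if tokens else ""
        rec["flags"].extend(tokens[1:])
    return rec

def summarize(log_text):
    """Count DROP reasons and list protocol-41 (6in4) drops as (time, src, dst)."""
    reasons = Counter()
    six_in_four = []
    for line in log_text.splitlines():
        rec = parse_fw_line(line)
        if rec is None or rec.get("action") != "DROP":
            continue
        reasons[rec.get("reason", "?")] += 1
        if rec.get("reason") == "POLICY-UNKNOWN-6IN4":
            six_in_four.append((rec["ts"], rec.get("SRC"), rec.get("DST")))
    return reasons, six_in_four

if __name__ == "__main__":
    counts, drops = summarize(SAMPLE_LOG)
    print(dict(counts), drops, sep="\n")
```

Point it at the syslog file OPNsense writes for the gateway's remote logs; any 6in4 drop with `reason=POLICY-UNKNOWN-6IN4` confirms the gateway, not the HE endpoint or the OPNsense rules, discarded the inbound tunnel packet.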
