Tutor

 • 

10 Messages

Sat, Mar 11, 2017 11:46 PM

IPv6 with Pace 5268AC and cascaded router

I have just upgraded from an older (AT&T) standard ADSL service to ADSL2+, and am not exactly sure how to get IPv6 working in my current configuration.

 

My old setup was simple:  ASUS RT-AC66U -> plain DSL modem.  The ASUS handled the PPPoE sign in, etc., and was configured for using IPv6 using 6rd (the same settings that the new Pace uses, as it turns out).

 

In my new setup, due to there being no true bridge mode on the Pace 5268AC gateway, I have my ASUS router simply cascaded from the Pace (just a simple ASUS WAN port -> Pace LAN, not DMZ'd, nothing else hooked into the Pace, Pace wireless shut off).  This is working fine *except* for IPv6.  I am unsure how I should have my ASUS router's IPv6 configured.  I am admittedly a little hazy on how 6rd tunneling should work across routers.  Unsurprisingly, leaving my ASUS router configured with the same 6rd settings (identical to the Pace settings) does not work.  I've searched around a bit and I am left with the impression that there may be issues with the Pace and its IPv6 6rd handling that prevent this from working (people who are trying this are typically using DMZ, but it seems to me this "should" be possible with a standard cascaded router setup).

 

So, the question becomes:  What should be the proper way to configure a cascaded router configuration to get IPv6 working with 6rd?  But more to the point, how do I get this working with my *specific* setup (this "interesting" Pace gateway)?  The two answers might not be the same.
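The 6rd address mapping behind the question above, as an added example that is not part of the original post: under RFC 5969 a router builds its IPv6 prefix from the 6rd prefix plus its own WAN IPv4 address, so the same 6rd settings give a different prefix on a router whose WAN address is a private LAN address. The 6rd prefix and all addresses below are constructed documentation values, not AT&T's settings, and the function names are hypothetical.

```python
import ipaddress

# RFC 1918 ranges, tested explicitly: ipaddress' own is_private flag is also
# true for the documentation ranges used as sample data below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sixrd_delegated_prefix(sixrd_prefix, ce_ipv4, ipv4_mask_len=0):
    """RFC 5969: 6rd prefix followed by the low (32 - mask_len) bits of the CE IPv4."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    v4_bits = 32 - ipv4_mask_len
    plen = net.prefixlen + v4_bits
    # Simplification in this example: require the result to leave a /64 or shorter.
    if not 0 <= ipv4_mask_len <= 32 or plen > 64:
        raise ValueError("6rd prefix plus embedded IPv4 bits must fit in 64 bits")
    embedded = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << v4_bits) - 1)
    base = int(net.network_address) | (embedded << (128 - plen))
    return ipaddress.IPv6Network((base, plen))


def check_inner_router_6rd(sixrd_prefix, gateway_wan_ipv4, router_wan_ipv4):
    """Compare the prefix the inner router derives with the one mapped to the line."""
    routed = sixrd_delegated_prefix(sixrd_prefix, gateway_wan_ipv4)
    derived = sixrd_delegated_prefix(sixrd_prefix, router_wan_ipv4)
    behind_nat = any(ipaddress.ip_address(router_wan_ipv4) in n for n in RFC1918)
    return {
        "routed_to_line": str(routed),      # what the border relay sends to this line
        "derived_by_router": str(derived),  # what the inner router configures
        "router_wan_is_rfc1918": behind_nat,
        "prefix_matches": derived == routed,
    }


# Constructed sample values (documentation ranges).
SIXRD_PREFIX = "2001:db8::/32"
GATEWAY_WAN = "203.0.113.25"
# Cascaded: the inner router's WAN address is a LAN address handed out by the gateway.
CASCADED = check_inner_router_6rd(SIXRD_PREFIX, GATEWAY_WAN, "192.168.1.64")
# DMZ+: the inner router is given the gateway's public address.
DMZPLUS = check_inner_router_6rd(SIXRD_PREFIX, GATEWAY_WAN, GATEWAY_WAN)

if __name__ == "__main__":
    for name, result in (("cascaded", CASCADED), ("dmz+", DMZPLUS)):
        print(name, result)
```

In the cascaded case the derived prefix differs from the routed one, and the router's IPv6-in-IPv4 packets (IP protocol 41) would also have to cross the gateway's NAT. In the DMZ+ case the prefixes match, which leaves protocol 41 handling at the gateway as the remaining variable.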

Responses

ApexRon

Professor

 • 

2.2K Messages

3 years ago

@sbd1138

In my opinion, AT&T's IPv6 associated with the 5268ac is currently broken except for devices, not routers, directly connected to 5268ac.

 

I have a router which I had to move from a cascaded install to a DMZ+ install because of a change with AT&T support of cascaded routers. While I was cascading my router, IPv6 would never work. Now that I have moved my router to DMZ+, directly to internet, you would think IPv6 would work but no it does not. Yet, when I connect my MacBook Pro to the 5268ac I have IPv4 and IPv6 connections.

 

 

_____________________________________________________

Tutor

 • 

10 Messages

3 years ago

Yeah, that's what I was reading about with DMZ+ and protocol 41 not being passed through.

 

In my case of a "standard" cascaded router configuration, I would think I could put my Asus router into Native IPv6 mode and things should just work...but I tried that, and no dice.

 

One thing that I could use some clarity on is what exactly adding a router as a "cascaded router" in the Pace settings actually does, specifically?  I do NOT have my Asus router added there, and aside from IPv6 everything is working fine (Asus properly has its own subnet, IPv4 internet works, etc.).  I have tried to add it there (it is available as a selectable option, I can put in its IP address and subnet mask), but it just gives me a plain "Error" with no description (and thus it's not added).

ApexRon

Professor

 • 

2.2K Messages

3 years ago

The AT&T U-verse solution was designed/priced/implemented on the basis that all that would be on your home network would be U-verse TV, U-verse telephones, PCs, tablets, and smartphones. Unfortunately for AT&T, home networks and their clients are much more sophisticated and use a larger variety of networking devices than they anticipated. The router/gateways that AT&T implemented caused home networks to break in some cases causing clients to implement LAN switches and routers. The easiest way to implement a home router in any ISP environment is to just plug an Ethernet cable into the ISP modem or router/gateway. To the ISP the home router should just appear as another home network device. The downstream home router network is considered a cascaded network and one that to a large extent is invisible to AT&T. This fact creates FUD (fear, uncertainty, and doubt) for AT&T management because they know that their field techs will get involved in home networks they are untrained to troubleshoot. Here is a good example of how complex a home, cascaded router network can get:

[Image: blp1P.jpg]

To add your Asus to the DMZ of the 5268ac:

  1. The WAN connection on the Asus router must be configured for DHCP and have a 5268ac DHCP assigned Class-C IP address
  2. On the 5268ac Settings/Firewall/Applications, Pinholes and DMZ page, option 1, insert the IP address of the Asus router and select 'choose' button
  3. After that choose 'Allow all applications (DMZplus mode)' and Save

Your Asus should now take on the same IP address as the 5268ac assigned by the AT&T network.

_____________________________________________________
JefferMC

ACE - Expert

 • 

17K Messages

3 years ago


@sbd1138 wrote:

 

...

One thing that I could use some clarity on is what exactly adding a router as a "cascaded router" in the Pace settings actually does, specifically?...


Cascaded router is intended for use when you have a public static IP block from AT&T that you want to hand to an internal router for processing.  This sets up a static route in the Pace to route all such traffic to a single router.  It is not designed to handle the normal case of just setting up a router behind the Pace.

 

Award for Community Excellence 2019 Achiever*
*I am not an AT&T employee, and the views and opinions expressed on this forum are purely my own. Any product claim, statistic, quote, or other representation about a product or service should be verified with the manufacturer, provider, or party.
ApexRon

Professor

 • 

2.2K Messages

3 years ago


@JefferMC wrote:

Cascaded router is intended for use when you have a public static IP block from AT&T that you want to hand to an internal router for processing.  This sets up a static route in the Pace to route all such traffic to a single router.  It is not designed to handle the normal case of just setting up a router behind the Pace.

@JefferMC @ATTDSLCare

JefferMC,

I tend to agree with you. However, AT&T killed my cascaded router a week ago by blocking traffic to it and giving me a warning message that I was using a cascaded router. I was forced to put my router in the DMZ and it had been working but right now it is experiencing connectivity issues in the DMZ so I am updating this post using a direct WiFi connection to my 5268ac. In a few minutes I will be going back to cascading at which time I will reboot the 5268ac.

 

The frustration that every ACE is experiencing is that no one knows the technical specs for the 5268ac. All we know is that the firmware has bugs as well as design flaws based on our and other customer experiences. Most of our recommendations involving the 5268ac are circumventions to those bugs and flaws.

 

_____________________________________________________

Tutor

 • 

10 Messages

3 years ago

So, for the purposes of clarity, I see the two options for my situation as:

1)  Set up the secondary router as DMZ+ in the Pace, and have 6rd configured in the secondary router.  The secondary router gets assigned the external/public/facing IP, and all traffic should get passed through to it.

 

1*)  This does not actually work properly for IPv6, because apparently protocol 41 traffic is not getting passed through.

2)  Set up the secondary router as a cascaded router off of the Pace.  Secondary router is configured for Native IPv6, and the Pace should be handling the 6rd tunneling, etc., and downstream local IPv6 assignment/management.

 

2*)  This does not seem to work for IPv6...no external (internet) IPv6 traffic seems to make it to the secondary router.

Is there anything further for option #2 I need to take into consideration (is it correct)?  Are there other options?

=========

And just as a side note, I am not completely unsympathetic to what AT&T is going for insofar as homogenizing their equipment deployment, locking folks into AT&T equipment only (although I dislike it), etc..  And if it weren't for these IPv6 issues I would be "Ok" (not enthused, but "ok") with this setup, as round-about as it is.  However, AT&T needs to realize that while basic users may be fine with having the RG as their networking center, they absolutely have to robustly support opaque networks behind them.  For any competent business-related setup, or just security-conscious home users, expecting someone to rely on externally-provided equipment hooked up un-buffered/directly to your network, not under your control, that might have a firmware update or *anything* done to it without you knowing, will solicit hearty laughs, knee-slapping and wiping away of tears.  Having the gateway simply act as a traffic passthrough needs to work, robustly (and *almost* does).

Semi-amusingly, previous to this I was running an old ADSL setup from AT&T (Pacbell->SBC->AT&T), which had been rock-solid for 17 years (!)...perfect dumb-modem setup, literally not a single problem for eons (and IPv6 working great via 6rd for several years).  The only reason I finally upgraded was because it (and my POTS phone service) was priced to get people to migrate off it; the bill was literally 2x what I pay now, for 1/6 the speed.  Less amusing are these complications and restrictions, which are a step backwards in consumer choice and control.

Tutor

 • 

10 Messages

3 years ago

Just wanted to refresh this and present my second option as a more clear/direct question:

 

Generally speaking (irrespective of the peculiarities/issues with the Pace RG), in a cascaded router setup, should it be the case that the internet-facing router is the one configured for 6rd tunneling, and anything connected to/cascaded from it is simply configured for Native IPv6?

ApexRon

Professor

 • 

2.2K Messages

3 years ago

The 5268ac is our router/gateway into the local AT&T infrastructure that at some point connects to the internet. Because the 5268ac broadband status shows us "6rd" this and that we have to believe that this local AT&T infrastructure is an IPv4 network at least at our locations. Even if the local AT&T infrastructure were IPv6, at one or more points from our network to our destination network, our IPv6 packet could be transported across an IPv4 network.

 

As far as our home network is concerned, should you be fortunate enough to have a device that speaks native IPv6 compatible with the 5268ac, then it will. The same is true of a router that is cascaded off of the 5268ac. If that router can speak IPv6 to the 5268ac and is capable of passing downstream, native IPv6 data traffic without using the NAT function then it will. However, any IPv4 data traffic would still have to use NAT. The problem today is that home routers that would be used for cascading are not real sophisticated to support IPv6 and NAT concurrently. Additionally, consider a native IPv6 home network. Have you been successful in configuring all your devices to only use IPv6?

 

Bottom line - AT&T presents IPv6 to you the subscriber, using 6rd to connect to the local AT&T infrastructure, for anything directly connected to their 5268ac. Whether IPv6 will work in your home network depends on the devices on your home network. Unless you have the network tools and an intimate relationship with the firmware on your devices, troubleshooting and fixing IPv6 issues is a real crap shoot.

_____________________________________________________

Tutor

 • 

10 Messages

3 years ago

Thanks for the reply, ApexRon.

 

Ultimately, I'm trying to gain an understanding of two things:

1)  How it should work (theoretically).

2)  How to get it working with this specific setup (if possible).

 

With regards to #1, my understanding is that the only thing that (should) need to know anything about (or be configured for) any IPv6-on-IPv4 tunneling is the outward-facing router.  As far as anything connected to it is concerned it's just a normal (native) IPv6 network.  This makes sense, since obviously you don't do any special config on a computer or the like, you just enable IPv6 and off you go.  I was not completely sure if there had to be any special consideration for a cascaded router.

 

With regards to #2, my own router supports IPv6 fairly robustly...in my specific case, before my U-Verse upgrade, I had been using my Asus router configured for 6rd connected directly to a plain DSL modem (AT&T, same 6rd settings), which worked fine (IPv6 websites, etc., worked).  In this new config, with my router cascaded off the Pace and set up for native IPv6, I cannot access IPv6 websites.  I am unclear if there are specific settings on the Pace or further special configuration on my Asus router I can tweak to make this work.

 

Ideally, if DMZ+ on the Pace 5268ac actually worked for IPv6 tunneling (actually passed through protocol 41 traffic) then it's a non-issue...it would effectively be a bridge mode and my router handles everything.

Tutor

 • 

10 Messages

3 years ago

After some more forum searching, the apparent consensus is that IPv6 with a secondary router behind the Pace does not work.

 

1)  DMZ+ doesn't work for IPv6 6rd because the Pace doesn't pass through protocol 41 traffic.

2)  A "normal" cascaded router doesn't work because the Pace doesn't support DHCP-PD (IPv6 prefix delegation), which is the issue I believe I am currently up against.

 

https://forums.att.com/t5/AT-T-Internet-Equipment/5268AC-IPv6-limitations/td-p/4800413

Tutor

 • 

6 Messages

3 years ago

I have a cascaded router setup using a block of static IPv4 addresses. No matter what I try, there is simply NO WAY to use IPv6, even though the firewall I have (PFSense) is perfectly capable of supporting it and routing it properly. AT&T needs to make changes to their network design for IPv6 to work. Instead of tunneling using 6rd, they need to set up native IPv6, and additionally they need to add proper routing support to their gateways.

 

Until then, you will have to decide how much of a deal breaker IPv6 is for you. It's not a dealbreaker for me, I can do everything on the internet by using IPv4 so far, so I decided having my gigabit speeds is more important. There is a reason why AT&T techs are typically staying silent when a sentence contains "ipv6" and "my own router", because it's not going to work, period.

 

 

Basically what it comes down to is choosing between using your OWN router or having IPv6. Choose, you can't have both. 😞

Tutor

 • 

10 Messages

3 years ago

Yep, that's the conclusion/decision point I've reached as well.  I actually have to support IPv6 in some engineering (programming) projects I'm involved with, so it's a little worse than "wouldn't it be nifty to run IPv6?".  That said, it's not the end of the world to just plug into the Pace when needed to test internet-facing IPv6, but it is a massive pain-in-the-wan-port.

 

It does seem these issues are all specific to the Pace 5268AC, meaning that it seems that a firmware tweak for protocol 41 pass through would solve the DMZ+ issue.  I suppose adding DHCP-PD support for the cascaded router scenario is more involved.

 

I've inferred from other threads that there may be slightly older hardware that AT&T has that does not have these issues (some with a true bridge mode, others that DMZ+ actually fully works on, etc.).  If I can sort out which ones people have had success with perhaps I'll try to get my Pace swapped out for something more robust.

Tutor

 • 

4 Messages

3 years ago

@sbd1138 said:

1)  DMZ+ doesn't work for IPv6 6rd because the Pace doesn't pass through protocol 41 traffic.

2)  A "normal" cascaded router doesn't work because the Pace doesn't support DHCP-PD (IPv6 prefix delegation), which is the issue I believe I am currently up against.

https://forums.att.com/t5/AT-T-Internet-Equipment/5268AC-IPv6-limitations/td-p/4800413

Since I'm being quoted there, let me set the record at least a bit straighter: DHCP-PD does work correctly with the 5268 (though it'll only delegate a single /64 downstream, and you may need to adjust your pd-request hint to match that), it just didn't seem to want to play nicely at first so I assumed the worst.

The remaining problem that I have is that there's no way (that I've found, anyway) to disable stateful inbound ipv6 filtering.  V6 clients work fine, but I can't ssh in or reach any other services remotely.

Tutor

 • 

10 Messages

3 years ago

Thanks for the additional info @ermuller,

 

That is somewhat encouraging that you've had some measure of success getting things working.  If it's not too much trouble, do you mind going over your setup (things you had to tweak on the Pace, things you had to tweak on your router)?  I'd be interested to hear how your setup might differ from my description above for "how it theoretically should work".

 

On my end there isn't a firmware interface option for my ASUS ac66u for tweaking the DHCP-PD pre-request hint, but from what I've been reading 64 seems to be the default.

Tutor

 • 

3 Messages

3 years ago

In case others find this thread and want to know the general configuration behind the 5268AC (I spent a couple hours figuring it out)...

 

This is not in a cascaded router configuration, but a DMZ+ configuration so the public IP is shared with the PFSense router

 

On PFSense (latest stable version in the 2.3 train)

WAN Interface:

DHCPv6

Request only an IPv6 prefix (checked)

DHCPv6 Prefix Delegation size: 64

Send IPv6 prefix hint (checked)

Block Bogon Networks (unchecked)

 

LAN Interface:

DHCPv6: Tracking

IPv6 Interface: WAN

IPv6 Prefix: 0

 

I'm not sure if you need to have bogon networks unchecked, it is good practice to block your LAN address space on your wan interface...

 

The KEY Item for me once I had this general configuration was firewall rules (SMH).  Make sure that IPv6 ICMP is permitted to/from the WAN interface AND you have a rule for DHCPv6 (aka UDP 546).  It will look like the below...you can obviously customize it as you like for more specificity:

IPv6 UDP source: any:546 dest: any:any

IPv6 UDP source: any:any dest: any:546

 

This actually permits the DHCP request and the "ICMP" traffic needed to make this happen. 
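A comparison of the broad WAN rules in the post above with a narrower variant, as an added example that is not part of the original post and is not pfSense rule syntax. The packet model, rule functions and sample packets are constructed for illustration, and the narrower rule assumes the upstream DHCPv6 server answers from and to link-local addresses, as an on-link gateway normally does.

```python
import ipaddress
from collections import namedtuple

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
# ICMPv6 types the WAN side needs inbound: errors 1-4 (Packet Too Big is 2) and
# neighbor discovery (router advert 134, neighbor solicit 135, neighbor advert 136).
ICMP6_NEEDED = {1, 2, 3, 4, 134, 135, 136}

# Minimal packet model (hypothetical, just enough fields for the two rule sets).
Pkt = namedtuple("Pkt", "label proto src dst dport icmp_type", defaults=(None, None))


def broad_rules(p):
    """The post's rules as written: any ICMPv6, and any UDP to port 546."""
    return p.proto == "icmp6" or (p.proto == "udp" and p.dport == 546)


def scoped_rules(p):
    """Narrower variant: listed ICMPv6 types only, DHCPv6 only between link-local peers."""
    if p.proto == "icmp6":
        return p.icmp_type in ICMP6_NEEDED
    on_link = all(ipaddress.ip_address(a) in LINK_LOCAL for a in (p.src, p.dst))
    return p.proto == "udp" and p.dport == 546 and on_link


# Constructed inbound packets on the WAN interface (documentation addresses).
INBOUND = [
    Pkt("router advertisement", "icmp6", "fe80::1", "ff02::1", icmp_type=134),
    Pkt("packet too big", "icmp6", "2001:db8:ffff::1", "2001:db8:cb00:7119::2",
        icmp_type=2),
    Pkt("dhcpv6 reply from gateway", "udp", "fe80::1", "fe80::2", dport=546),
    Pkt("node information query", "icmp6", "2001:db8:ffff::9",
        "2001:db8:cb00:7119::2", icmp_type=139),
    Pkt("off-link udp to 546", "udp", "2001:db8:ffff::10",
        "2001:db8:cb00:7119::2", dport=546),
]


def admitted(rule, packets=INBOUND):
    """Labels of the sample packets a rule set lets in."""
    return [p.label for p in packets if rule(p)]


if __name__ == "__main__":
    print("broad :", admitted(broad_rules))
    print("scoped:", admitted(scoped_rules))
```

If the upstream server replies from a global address, drop the source test in `scoped_rules` and keep the destination-port and destination-address checks.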
