IPv6 with Pace 5268AC and cascaded router

@sbd1138

In my opinion, AT&T's IPv6 associated with the 5268ac is currently broke except for devices, not routers, directly connected to 5268ac.

I have a router which I had to move from a cascaded install to a DMZ+ install because of a change with AT&T support of cascaded routers. While I was cascading my router, IPv6 would never work. Now that I have moved my router to DMZ+, directly to internet, you would think IPv6 would work but no it does not. Yet, when I connect my MacBook Pro to the 5268ac I have IPv4 and IPv6 connections.

Yeah, that's what I was readiing about with DMZ+ and protocol 41 not being passed through.

In my case of a "standard" cascaded router configuration, I would think I could put my Asus router into Native IPv6 mode and things should just work...but I tried that, and no dice.

One thing that I could use some clarity on is what exactly adding a router as a "cascaded router" in the Pace settings actually does, specifically?  I do NOT have my Asus router added there, and aside from IPv6 everything is working fine (Asus properly has its own subnet, IPv4 internet works, etc.).  I have tried to add it there (it is available as a selectable option, I can put in its IP address and subnet mask), but it just gives me a plain "Error" with no description (and thus it's not added).

The AT&T U-verse solution was designed/priced/implemented on the basis that all that would be on your home network would be U-verse TV, U-verse telephones, PCs, tablets, and smartphones. Unfortunately for AT&T, home networks and their clients are much more sophisticated and use a larger variety of networking devices than they anticipated. The router/gateways that AT&T implemented caused home networks to break in some cases causing clients to implement LAN switches and routers. The easiest way to implement a home router in any ISP environment is to just plug an Ethernet cable into the ISP modem or router/gateway. To the ISP the home router should just appear as another home network device. The downstream home router network is considered a cascaded network and one that to a large extent is invisible to AT&T. This fact creates FUD (fear, uncertainty, and doubt) for AT&T management because they know that their field techs will get involved in home networks they are untrained to troubleshoot. Here is a good example of how complex a home, cascaded router network can get:

To add your Asus to the DMZ of the 5268ac:

1. The WAN connection on the Asus router must be configured for DHCP and have a 5268ac DHCP assigned Class-C IP address
2. On the 5268ac Settings/Firewall/Applications, Pinholes and DMZ page, option 1, insert the IP address of the Asus router and select 'choose' button
3. After that choose 'Allow all applications (DMZplus mode)' and Save

Your Asus should now take on the same IP address as the 5268ac assigned by the AT&T network.

---

@sbd1138 wrote:

 

...

One thing that I could use some clarity on is what exactly adding a router as a "cascaded router" in the Pace settings actually does, specifically?...

---

Cascaded router is intended for use when you have a public static IP block from AT&T that you want to hand to an internal router for processing.  This sets up a static route in the Pace to route all such traffic to a single router.  It is not designed to handle the normal case of just setting up a router behind the Pace.

---

@JefferMC wrote:

---

Cascaded router is intended for use when you have a public static IP block from AT&T that you want to hand to an internal router for processing.  This sets up a static route in the Pace to route all such traffic to a single router.  It is not designed to handle the normal case of just setting up a router behind the Pace.

@JefferMC @ATTDSLCare

JefferMC,

I tend to agree with you. However, AT&T killed my cascaded router a week ago by blocking traffic to it and giving me a warning message that I was using a cascaded router. I was forced to put my router in the DMZ and it had been working but right now it is experiencing connectivity issues in the DMZ so I am updating this post using a direct WiFi connection to my 5268ac. In a few minutes I will be going back to cascading at which time I will reboot the 5268ac.

The frustration that every ACE is experiencing is that no one knows the technical specs for the 5268ac. All we know is that the firmware has bugs as well as design flaws based on our and other customer experiences. Most of our recommendations involving the 5268ac are circumventions to those bugs and flaws.

So, for the purposes of clarity, I see the two options for my situation as:

1)  Set up the secondary router as DMZ+ in the Pace, and have 6rd configured in the secondary router.  The secondary router gets assigned the external/public/facing IP, and all traffic should get passed through to it.

1*)  This does not actually work properly for IPv6, because apparently protocol 41 traffic is not getting passed through.

2)  Set up the secondary router as a cascaded router off of the Pace.  Secondary router is configured for Native IPv6, and the Pace should be handling the 6rd tunneling, etc., and downstream local IPv6 assignment/management.

2*)  This does not seem to work for IPv6...no external (internet) IPv6 traffic seems to make it to the secondary router.

Is there anything further for option #2 I need to take into consideration (is it correct)?  Are there other options?

=========

And just as a side note, I am not completely unsympathetic to what AT&T is going for insofar as homogenizing their equipment deployment, locking folks into AT&T equipment only (although I dislike it), etc..  And if it weren't for these IPv6 issues I would be "Ok" (not enthused, but "ok") with this setup, as round-about as it is.  However, AT&T needs to realize that while basic users may be fine with having the RG as their networking center, they absolutely have to robustly support opaque networks behind them.  For any competent business-related setup, or just security-conscious home users, expecting someone to rely on externally-provided equipment hooked up un-buffered/directly to your network, not under your control, that might have a firmware update or *anything* done to it without you knowing, will solicit hearty laughs, knee-slapping and wiping away of tears.  Having the gateway simply act as a traffic passthrough needs to work, robustly (and *almost* does).

Semi-amusingly, previous to this I was running an old ADSL setup from AT&T (Pacbell->SBC->AT&T), which had been rock-solid for 17 years (!)...perfect dumb-modem setup, literally not a single problem for eons (and IPv6 working great via 6rd for several years).  The only reason I finally upgraded was because it (and my POTS phone service) was priced to get people to migrate off it; the bill was literally 2x what I pay now, for 1/6 the speed.  Less amusing are these complications and restrictions, which are a step backwards in consumer choice and control.

Just wanted to refresh this and present my second option as a more clear/direct question:

Generally speaking (irrespective of the peculiarities/issues with the Pace RG), in a cascaded router setup, should it be the case that the internet-facing router is the one configured for 6rd tunneling, and anything connected to/cascaded from it is simply configured for Native IPv6?

The 5268ac is our router/gateway into the local AT&T infrastructure that at some point connects to the internet. Because the 5268ac broadband status shows us "6rd" this and that we have to believe that this local AT&T infrastructure is an IPv4 network at least at our locations. Even if the local AT&T infrastructure were IPv6, at one or more points from our network to our destination network, our IPv6 packet could be transported across an IPv4 network.

As far as our home network is concerned, should you be fortunate enough to have a device that speaks native IPv6 compatible with the 5268ac, then it will. The same is true of a router that is cascaded off of the 5268ac. If that router can speak IPv6 to the 5268ac and is capable of passing downstream, native IPv6 data traffic without using the NAT function then it will. However, any IPv4 data traffic would still have to use NAT. The problem today is that home routers that would be used for cascading are not real sophisticated to support IPv6 and NAT concurrently. Additionally, consider a native IPv6 home network. Have you been successful in configuring all your devices to only use IPv6?

Bottom line - AT&T presents IPv6 to you the subscriber, using 6rd to connect to the local AT&T infrastructure, for anything directly connected to their 5268ac. Will IPv6 work in your home network is dependent on the devices on your home network. Unless you have the network tools and an intimate relationship with the firmware on your devices, troubleshooting and fixing IPv6 issues is a real crap shoot.

Thanks for the reply, ApexRon.

Ultimately, I'm trying to gain an understanding of two things:

1)  How it should work (theoretically).

2)  How to get it working with this specific setup (if possible).

With regards to #1, my understanding is that the only thing that (should) need to know anything about (or be configured for) any IPv6-on-IPv4 tunneling is the outward-facing router.  As far as anything connected to it is concerned it's just a normal (native) IPv6 network.  This makes sense, since obviously you don't do any special config on a computer or the like, you just enable IPv6 and off you go.  I was not completely sure if there had to be any special consideration for a cascaded router.

With regards to #2, my own router supports IPv6 fairly robustly...in my specific case, before my U-Verse upgrade, I had been using my Asus router configured for 6rd connected directly to a plain DSL modem (AT&T, same 6rd settings), which worked fine (IPv6 websites, etc., worked).  In this new config, with my router cascaded off the Pace and set up for native IPv6, I cannot access IPv6 websites.  I am unclear if there are specific settings on the Pace or further special configuration on my Asus router I can tweak to make this work.

Ideally, if DMZ+ on the Pace 5268ac actually worked for IPv6 tunneling (actually passed through protocol 41 traffic) then it's a non-issue...it would effectively be a bridge mode and my router handles everything.

After some more forum searching, the apparent consensus is that IPv6 with a secondary router behind the Pace does not work.

1)  DMZ+ doesn't work for IPv6 6rd because the Pace doesn't pass through protocol 41 traffic.

2)  A "normal" cascaded router doesn't work because the Pace doesn't support DHCP-PD (IPv6 prefix delegation), which is the issue I believe I am currently up against.

https://forums.att.com/t5/AT-T-Internet-Equipment/5268AC-IPv6-limitations/td-p/4800413