Tutor

12 Messages

Mon, Aug 18, 2014 7:57 PM

Advanced HOWTO: AT&T "native" IP6 with full /60 subnet.

The NVG589 modem automatically connects to the AT&T 6rd tunnel gateway to provide "native" IP6 for customers when IP6 is enabled.  Each static public IP provides the AT&T customer with a /60 subnet via the 6rd protocol.  The tunnel has near native performance because the gateway is provided by AT&T, and is (hopefully) close to the end user.

There are major limitations with this service. 

1) the NVG589 only supports 1 /64 subnet locally
2) it ignores IP6 RA (Router Advertisement) packets
3) it has no provision for manual static routes

Taken together, this means that you can't actually fully use your /60 subnet from ATT-6RD. 

Fortunately, the NVG589 supports IP Passthrough, including protocol 41, so you can use another fully IP6 capable router/firewall behind the NVG589.   In our case, we used a Linux server running RedHat derived CentOS-6.

1) set the NVG589 to IP Passthrough using dynamic DHCP option, select your router/server MAC as the target.
2) disable IPv6 on the NVG589 - this requires a reboot


On the Linux gateway:
1) configure the WAN interface (connected to your DMZ or NVG589) for BOOTPROTO=dhcp
2) ifup WAN interface and verify that IP4 is now working with that interface having your public IP (e.g. ping 8.8.8.8)
3) create a sit1 interface:

/etc/sysconfig/network-scripts/ifcfg-sit1

-----------------------------------------------------

DEVICE=sit1
IPV6INIT=yes
IPV6_MTU=1480
# The original post had a bare "yes" here with its key name lost; ONBOOT is an assumption.
# ONBOOT=yes
# For static tunnels
# Magic (anycast) AT&T 6rd border gateway
IPV6TUNNELIPV4=12.83.49.81
# Our public IP
IPV6TUNNELIPV4LOCAL=108.xxx.xxx.xxx
# AT&T 6rd prefix of 2602:300::/28 + our public IP4 in hex * 16 (i.e. add hex '0')
IPV6ADDR=2602:306:cxxx:xxx0::1/60
---------------------------------------------------------------


/etc/sysconfig/network-scripts/route6-sit1

--------------------------------------------------------

2000::/3 dev sit1

--------------------------------------------------------


4) ifup sit1
5) ping6 google.com !
6) you should have system-config-firewall installed, which defaults to allowing all outgoing, but no incoming connections.   Further configuration of ip6tables, additional interfaces, routing, etc, are beyond the scope of this HOWTO.
7) rDNS is handled by AT&T nameservers, and always returns NXDOMAIN currently.  Keep bugging AT&T to support rDNS via delegation.  They could avoid developing a config webapp by always delegating to a fixed address with the customer's 6rd address space (e.g. the ::1 address).  Any "unrouteable" or "not listening" response is converted to NXDOMAIN and cached (as would be the case for most customers).

Responses

m00dawg

Teacher

17 Messages

5 years ago

I thought I might add in my experience here that the delegation issue still persists. I am using a RouterBoard for my router behind the NVG589 and, in order to make things work, I have to set it up as a DHCP Client of the NVG589. This hands out a /64, though one that is NOT listed in the IPv6 Delegated LAN Prefix section. It's all a bit wonky but a big bummer as having multiple /64 subnets would have been nice as I've been having trouble getting some hosts (looking at you OS X) working using DHCPv6 on the LAN side so I can carve up the single /64 into multiple subnets. Hoping ATT fixes this but given this HOWTO is a year old...guessing we have a bit of a wait still.

Tutor

12 Messages

5 years ago

Call AT&T tech support, and ask them how to set up rDNS for IP6.  Register your "vote" for simple delegation.  I still recommend delegating to a fixed IP within the 6RD space.  Maybe not ::1 (as that may be taken by a router or something).  How about xx:xx:xx:xx:A11::1 ?

Tutor

12 Messages

5 years ago


@m00dawg wrote:

I am using a RouterBoard for my router behind the NVG589 and, in order to make things work, I have to set it up as a DHCP Client of the NVG589. This hands out a /64, though one that is NOT listed in the IPv6 Delegated LAN Prefix section.

Can't you set up your "RouterBoard" to use a 6in4 tunnel?  Then you can set the NVG589 to IP passthrough as instructed above, and your RouterBoard becomes your IP6 gateway.   It should be able to provide RA, and possibly even DHCP6.  (Note that DHCP6 is optional with IP6.  RA is all you need to get an address.)

 

m00dawg

Teacher

17 Messages

5 years ago

Yeah I'm trying the passthrough method but so far no luck. It sees the ATT gateway and looks to be attempting to route through the tunnel, but without success. I'm going to keep playing around with it though.

 

Do you know, ATT still blocks Protocol 41 outside of its network yeah? So I can't use, say, Tunnelbroker (they provide /48's if you really want to go nuts)?

 

DHCPv6 vs SLAAC is another issue, of which I have opinions about but don't relate so much here. I basically don't like that SLAAC requires /64's, which if I can get my /60 up and running is less of an issue. DHCPv6 does not have that requirement, however, I haven't been able to make everything (looking at you OS X) play nice with it. Ultimately though I only need 2, maybe 3, IPv6 subnets so a /60 would do just fine. More gripes about SLAAC are more philosophical.

m00dawg

Teacher

17 Messages

5 years ago

Whelp, I tried both using ATT's 6rd and Tunnelbroker via my RouterBoard and neither worked. I think the former failed due to RouterBoard not yet supporting 6rd (it supports 6to4) and the latter because ATT is obnoxiously blocking protocol 41 still.

Tutor

12 Messages

5 years ago

6rd *is* 6to4.  Configure your router board for 6to4 like I instructed.  The modem needs to be in passthrough for protocol 41 as instructed (with IPv6 disabled on the modem as instructed).   If you fail to disable IPv6 (via 6rd) on the modem, it will *eat* protocol 41.  Your router board is configured for 6to4.  The only role "6rd" plays is constructing the IPv6 prefix as instructed.

6rd is just 6to4 with gateway supplied by the ISP, and the prefix constructed from the IP4.


@m00dawg wrote:

Whelp, I tried both using ATT's 6rd and Tunnelbroker via my RouterBoard and neither worked. I think the former failed due to RouterBoard not yet supporting 6rd (it supports 6to4) and the latter because ATT is obnoxiously blocking protocol 41 still.


 

m00dawg

Teacher

17 Messages

5 years ago

Yep already had the modem in passthrough with my IPv4 static assignments setup directly on my RouterBoard. I disabled IPv6 on the modem followed by a reboot. I did do some packet captures, though haven't yet run it through Wireshark, and I could see protocol 41 going out and, likewise, traffic going out the 6in4 tunnel, but never any responses. I thought 6rd vs 6in4 might be an issue since some folks on the MikroTik (RouterBoard) forums were complaining about 6rd support. You do have to configure things in sort of an odd way when setting up the default gateway, which makes me wonder if there's something going on there. I should have dumped my config before I reverted, so I can certainly attempt it again and post the config and results.

Tutor

12 Messages

5 years ago

You should ping6 the IP6 of your router board from outside.

Tutor

12 Messages

5 years ago


@m00dawg wrote:

Yep already had the modem in passthrough with my IPv4 static assignments setup directly on my RouterBoard.


Just noticed this: You actually have to use IP4 DHCP (not static assignments) on your RouterBoard (as instructed).  The modem wants to see the DHCP exchange - otherwise it blocks stuff.  Be sure to configure your RouterBoard MAC for the passthrough on the modem.

You can use static IP6 assignments, since you are the primary IP6 router as the tunnel endpoint.

m00dawg

Teacher

17 Messages

5 years ago

Yeah sorry that was unclear on my part. It IS using DHCP for IPv4 so the ATT router is handing off my /29 to my RouterBoard. Also good idea pinging the IPv6 range from the outside, although if I get a reply, I'm not sure what that tells me? On the router, I'd either get a timeout or no route to host depending on how I tried to setup the gateway.

Tutor

12 Messages

5 years ago

So if your RouterBoard is handling the /29, you must have a WAN IP on your interface facing the modem.  Suppose that WAN interface has IP 123.45.67.89, then that is 0x7b2d4359 in hex, and your IP6 subnet is 2602:307:b2d4:3590::/60.  (Substitute your actual WAN IP.)
Your IP6 tunnel interface needs to be 2602:307:b2d4:3590::1/60.  You can assign another global IP6 to your LAN interface.   The remote tunnel IP4 is always 12.83.49.81, that is a magic AT&T anycast IP.  Your local tunnel IP4 is 123.45.67.89.

Since you have an IP4 /29, you can set up an additional IP6 /60 on every usable static IP (6 additional subnets).  In my case, I had only a single static IP (why pay for additional IP4s when IP6/60 provides more IPs than I'll ever need?), so it is *possible* that 6RD does not work with your WAN IP.  You may need to set up the tunnel on the IP4 from the /29 assigned to your router board.  Or vice versa, maybe the 6RD only works with your WAN IP.

Note that your RouterBoard may block incoming proto 41 by default in the firewall.  You will need to allow proto 41 in both directions.   You probably want to allow incoming ping6 and maybe ssh as well.
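
The prefix arithmetic from the post above, as an added example that is not part of the thread: it derives the /60 from a WAN IPv4 address, builds the ::1 tunnel address, lists the sixteen /64s, and recovers the IPv4 address embedded in a 6rd address. The 2602:300::/28 prefix and the sample IP 123.45.67.89 come from the thread; the function names are illustrative.

```python
import ipaddress

# AT&T 6rd domain prefix as given in the thread.
ATT_6RD_PREFIX = ipaddress.IPv6Network("2602:300::/28")


def sixrd_delegated_prefix(wan_ipv4, domain=ATT_6RD_PREFIX):
    """Append all 32 bits of the WAN IPv4 address to the 6rd domain prefix."""
    v4 = int(ipaddress.IPv4Address(wan_ipv4))
    plen = domain.prefixlen + 32          # 28 + 32 = 60 for this domain
    if plen > 64:
        raise ValueError("no room left for a /64 LAN subnet")
    base = int(domain.network_address) | (v4 << (128 - plen))
    return ipaddress.IPv6Network((base, plen))


def tunnel_address(wan_ipv4):
    """Address for the tunnel interface: host ::1 in the delegated prefix."""
    net = sixrd_delegated_prefix(wan_ipv4)
    return ipaddress.IPv6Interface((int(net.network_address) + 1, net.prefixlen))


def lan_subnets(wan_ipv4):
    """The /64s available for LAN segments (16 of them in a /60)."""
    return list(sixrd_delegated_prefix(wan_ipv4).subnets(new_prefix=64))


def embedded_ipv4(ipv6_addr, domain=ATT_6RD_PREFIX):
    """Recover the IPv4 tunnel endpoint encoded in a 6rd address."""
    addr = ipaddress.IPv6Address(ipv6_addr)
    if addr not in domain:
        raise ValueError(f"{addr} is outside the 6rd domain {domain}")
    shift = 128 - (domain.prefixlen + 32)
    return ipaddress.IPv4Address((int(addr) >> shift) & 0xFFFFFFFF)


if __name__ == "__main__":
    wan = "123.45.67.89"                  # sample WAN IP used in the thread
    print("delegated prefix:", sixrd_delegated_prefix(wan))
    print("tunnel address  :", tunnel_address(wan))
    for net in lan_subnets(wan):
        print("LAN /64         :", net)
    # Constructed host address inside the sample /60.
    print("embedded IPv4   :", embedded_ipv4("2602:307:b2d4:359a::42"))
```

`embedded_ipv4` also makes visible that every address in the /60 discloses the subscriber's public IPv4 address to any peer or log reader.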

m00dawg

Teacher

17 Messages

5 years ago

My word it was a struggle but I finally got it working. The RouterBoard Wiki doc being incorrect for setting up the 6rd gateway was the ultimate problem. Here is my working config using one of my static IPs from my /28 IPv4 block as the basis for the 6rd address:

[router] /interface 6to4> print
Flags: X - disabled, R - running 
 # N MTU ACTUAL-MTU LOCAL-ADDRESS REMOTE-ADDRESS KEEPALIVE 
 0 R 6 1480 1480 [redacted].58 12.83.49.81 

[router] /ipv6 address> print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
 # ADDRESS FROM-... INTERFACE ADV
 0 G fde7:[redacted]::1/64 LAN Bridge yes
 1 G 2602:301:[redacted]a0::1/60 6rd no 
 2 G 2602:301:[redacted]a1::1/64 LAN Bridge yes
 3 DL fe80::[redacted]:991b/64 LAN Bridge no 
 4 DL fe80::[redacted]:9912/64 Port 1 - WAN no 
 5 DL fe80::[redacted]:dd3a/64 6rd no 

[router] /ipv6 route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable 
 # DST-ADDRESS GATEWAY DISTANCE
 0 A S 2000::/3 6rd 1
 1 ADC 2602:301:[redacted]a0::/60 6rd 0
 2 ADC 2602:301:[redacted]a1::/64 LAN Bridge 0
 3 ADC fde7:[redacted]::/64 LAN Bridge 0

The wiki docs called for configuring the route using the following:

ipv6 route add dst-address=2000::/3 gateway=::12.83.49.81%6rd

This did not work for me. Instead, I did this:

ipv6 route add dst-address=2000::/3 gateway=6rd

Hopefully that'll save folks a lot of heartache and pain. Next up for me to try is using more than 1 subnet from the /60 but for now I'm just happy I have a hopefully stable IPv6 deployment now.

Tutor

12 Messages

4 years ago

Corrections from the field:

o It should be DHCPS-fixed to a single IP.  

o Using DHCPS-dynamic also works, but now the router is natting packets, and you need to use the private IP it assigns you in ifcfg-sit1 (which might change).

o At some point, your router will get a hard reset - and you won't remember how to make it work again.  Write down the instructions!

janthony6

Tutor

10 Messages

3 years ago

Anybody know how to configure this via the 6to4 settings in DDWRT?

Tutor

12 Messages

3 years ago

You don't.  Configure DDWRT for 6in4, using the ip6 prefix and gateway described above.  AT&T uses 6rd, which is 6in4 with the AT&T gateway as the "tunnel broker".