aerodave's profile


Sunday, January 20th, 2019 7:34 PM

Unable to access local server from outside over IPv6 behind BGW210-700

I have AT&T Fiber 1000 and a BGW210-700 acting as my router. I have an instance of OpenVPN running on a Raspberry Pi on my local network so that I can access my LAN from external networks (like using my mobile phone's data or when traveling). Everything works fine over IPv4, and I can get the server to route IPv6 inside the VPN tunnel using a delegated /64 block that the Pi requests from the BGW210.

 

However, I am unable to connect to the OpenVPN server using IPv6 as the transport (outside the tunnel).  Here's the behavior I see and things I've tried:

 

- In general, IPv6 connectivity appears normal for my LAN devices. Everyone gets an address; DNS resolves; traffic routes.

- The IPv6 server address (my Raspberry Pi's Global Unicast Address) and selected port appear unreachable from outside the network.

- If I connect to that same IPv6 address from inside my LAN, the VPN works (UDP6 transport connection, with IPv4 and IPv6 working inside the tunnel...and with new addresses assigned by the VPN server)

- I can easily connect to my VPN using IPv4 as the outside-the-tunnel transport by pointing to my router's WAN address, and the requested port is forwarded to the Pi using NAT rules I put in the router. (UDP4 transport connection, with IPv4 and IPv6 both working inside the tunnel)

- I have tried completely disabling all Advanced Firewall settings in the BGW210.

- I have tried creating a packet filter "Pass" rule to forward IPv6 packets destined for the VPN server's port, the VPN server address, a combination of both, and even all IPv6 packets regardless of destination.

- Previously, I had IPv6 outside the tunnel working when there was a Google WiFi router behind my BGW210, using IP Passthrough. At the time, I wasn't able to get IPv6 inside the tunnel because of an inability for the Pi to request a Prefix Delegation through the intermediate router, but the IPv6 transport for VPN worked as long as I told the Google WiFi to open the right port on IPv6. The BGW210 doesn't appear to have any options for explicitly opening IPv6 ports for clients, besides the packet filter options I have already tried without success.

 

In short, should I be able to access a server on my LAN from the outside using IPv6? I haven't been able to figure out how to permit it using any settings available to me. And no, I don't absolutely need to be able to do this, since IPv4 connectivity to the server is fine. But I like things that should work to, you know, actually work.

 

Any suggestions?

Accepted Solution

Official Solution

Tutor

5 years ago

Actually, I realized my mistake and I'm no longer having the problem. I was testing my connection to my VPN server from a network that didn't have IPv6 connectivity. (D'oh!) So of course the IPv6-outside-the-tunnel failed! I just got it to work easily by trying from a network that had functional IPv6.

 

For the record, all I had to do was enable a packet rule passing IPv6 traffic that matched the right protocol, destination port, and destination IP address. With that rule in place, it worked just fine even with the default firewall rules in place.

Community Support

5 years ago

Hi @aerodave,

Thanks for giving us an update. Please feel free to reach out to us. Thank you for being an AT&T customer.
Lafayette, AT&T Community Specialist

Contributor

5 years ago

I had a similar issue with my BGW210-700, but it turns out that I simply needed to turn off "Reflexive ACL" under the Advanced Firewall screen. I was led to look closer at the BGW210 itself when it was the only thing that I could ping from outside, but any IPv6 host inside could go out. Customer Support swore up and down to me that AT&T doesn't block any IPv6 traffic, yet "Reflexive ACL" is turned on by default in the 1.8.18 firmware, which essentially blocks all IPv6 traffic inbound if it isn't in direct response to an outbound connection or an allowed firewall rule, and as I have packet filtering completely turned off, well, you see where that went.
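
The two fixes reported in this thread expose different amounts of the LAN: a pass rule matching protocol, destination port and destination address opens one service on one host, while turning off Reflexive ACL with no packet filter in place admits unsolicited inbound IPv6 to every host. The sketch below is an added illustration, not code from any poster or from AT&T; it is a simplified model of a stateful filter rather than the BGW210 firmware's logic, and the 2001:db8:: addresses and ports (including UDP 1194 for the VPN) are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class PassRule:  # matches protocol, destination port and destination address
    proto: str
    dst: str
    dport: int
    def matches(self, p):
        return (p.proto == self.proto and p.dport == self.dport and
                ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))

class Gateway:
    """Simplified model: reflexive ACL plus explicit pass rules."""
    def __init__(self, reflexive_acl=True, rules=()):
        self.reflexive_acl, self.rules, self.flows = reflexive_acl, list(rules), set()
    def outbound(self, p):
        # Record the reverse tuple so replies to LAN-initiated flows are admitted.
        self.flows.add((p.proto, p.dst, p.dport, p.src, p.sport))
    def inbound(self, p):
        if not self.reflexive_acl:
            return True  # nothing filters unsolicited inbound traffic
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.flows:
            return True  # reply to an outbound connection
        return any(r.matches(p) for r in self.rules)

# Constructed sample values (documentation prefix 2001:db8::/32, assumed port 1194).
VPN = "2001:db8:1::10"
PROBES = [
    Packet("udp", "2001:db8:ffff::1", 40000, VPN, 1194),              # VPN client
    Packet("tcp", "2001:db8:ffff::1", 40001, VPN, 22),                # other port on the Pi
    Packet("tcp", "2001:db8:ffff::1", 40002, "2001:db8:1::20", 445),  # other LAN host
]

def admitted(gw):
    """Return the (dst, dport) pairs of unsolicited probes the gateway lets in."""
    return [(p.dst, p.dport) for p in PROBES if gw.inbound(p)]

if __name__ == "__main__":
    print("default       :", admitted(Gateway()))
    print("narrow rule   :", admitted(Gateway(rules=[PassRule("udp", VPN, 1194)])))
    print("reflexive off :", admitted(Gateway(reflexive_acl=False)))
```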
