10-18-2017 11:34 AM
nvg589 6in4 tunnels broken again on firmware 9.2.2h0d88
I just got my update to 9.2.2h0d88 on 10/17/17. I initially had the corrupt database issue upon inspection, so I thought this was the issue with slow connectivity. After wiping the 589 with a full reset and re-configuring, the issue still existed. This issue was around 3-10 seconds of normal throughput followed by a 1-3 second "hang" (numerous pings returned over 1000ms). This was evidenced by running ping through to a known good destination "220.127.116.11" and to the device address itself "192.168.1.254" with these consistent results. Additionally, the interface on the 589 also would hang between clicks at the same time the ping times would fluctuate. For some reason I decided to shut down the 6in4 tunnel I had going to HE, and like magic pings were back to normal. So extensive testing revealed that this is the issue. This was working prior to the upgrade, and I have had to move the tunnel off to another connection. ESP header forwarding and ESP ALG have both been enabled as usual. What has changed, and will there be a workaround?
10-19-2017 11:59 AM
We are sorry about the issues you are having with your services. We will be glad to help. To assist further, we need to gather more information. If you could please send us a private message by clicking here.
-Thor, AT&T Community Specialist
10-21-2017 3:27 PM
No update... I sent a PM to the staff. I moved my tunnel to a different ISP connection. I know that is not an option for most. Are you using a 589 also? I am curious if this problem exists across other CPEs.
10-21-2017 4:35 PM
10-24-2017 1:36 PM
I'm having the same issue as described by jasonbegley. My connectivity is completely broken when 6rd is enabled and restored immediately when it's disabled. It fails with AT&T 6rd and HE.net Tunnelbroker GIF. Help?
10-26-2017 5:56 AM
Thank you for reaching out to us! We would love to research your case for you and discover a resolution.
I did notice you have sent us a private message. We appreciate this and I will respond within the private message.
Please look forward to my response. Thanks!
Adam, AT&T Community Specialist
10-31-2017 6:11 PM
I dug into this and I've been able to verify the new firmware is explicitly blocking 6rd connections. I enabled syslog in the gateway and was able to get the iptables log directly from it. This is the syslog when pfSense tries to bring up the 6rd:
Nov 1 00:13:00 192.168.1.1 1 2017-10-31T20:13:00-04:00 dsldevice/<modemSn> - - - L4: action=DROP reason=POLICY-UNKNOWN-6IN4 hook=PREROUTING mark=134217728 IN=br2 OUT= MAC=00:00:00:00:00:00:00:1a:f0:2b:fb:da:08:00 src=18.104.22.168 DST=99.10.x.x LEN=68 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF
This is also logged in the GUI logs in the gateway itself:
No. Date/Time SourceIP DestinationIP Proto Reason
156 2017-10-31T20:14:00-04:00 22.214.171.124 99.10.x.x n/a Unknown 6in4 packet
I was able to mitigate the ping delays, however (as previously reported and experienced), by setting my pfSense router to a static WAN IPv4 address and changing the gateway to Manual Passthrough Mode.
Modem GUI >Firewall >IP Passthrough >Passthrough Mode >Manual
I'll be honest, this stinks. Over 20% of the Internet is IPv6 (see https://www.google.com/intl/en/ipv6/statistics.html) so I'm expecting a pretty quick fix to a simple iptables error (I assume) or a 20% decrease in my monthly rate as I can no longer access 20% of the servers I'm paying AT&T to route to.
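Once the gateway's syslog is being collected as described in the post above, the drop records can be tallied per tunnel source to see how often and over what time window the firewall rejects 6in4 traffic. This is an added example, not part of the original post and not AT&T or pfSense tooling; the sample lines, addresses, SERIAL and the EXAMPLE-OTHER reason are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records modelled on the syslog line quoted in the post.
# Addresses are documentation ranges; SERIAL and EXAMPLE-OTHER are placeholders.
def _line(ts, msg):
    return f"Nov 1 00:13:00 192.168.1.1 1 {ts} dsldevice/SERIAL - - - {msg}"

def _drop(reason, src):
    return (f"L4: action=DROP reason={reason} hook=PREROUTING IN=br2 OUT= "
            f"src={src} DST=203.0.113.5 LEN=68 TTL=58 ID=0 DF")

SAMPLE_LOG = "\n".join([
    _line("2017-10-31T20:13:00-04:00", _drop("POLICY-UNKNOWN-6IN4", "192.0.2.10")),
    _line("2017-10-31T20:13:30-04:00", _drop("EXAMPLE-OTHER", "198.51.100.7")),
    _line("2017-10-31T20:14:00-04:00", _drop("POLICY-UNKNOWN-6IN4", "192.0.2.10")),
    _line("2017-10-31T20:14:05-04:00", "sys: constructed non-firewall message"),
    _line("2017-10-31T20:15:00-04:00", _drop("POLICY-UNKNOWN-6IN4", "198.51.100.99")),
])

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # the value may be empty, as in "OUT= "
TS_RE = re.compile(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d[+-]\d\d:\d\d")

def parse_l4(line):
    """Return the key=value fields of an 'L4:' firewall record, or None."""
    head, sep, body = line.partition(" L4: ")
    if not sep:
        return None
    # Keys arrive in mixed case (src= but DST=), so normalise to lower case.
    rec = {k.lower(): v for k, v in FIELD_RE.findall(body)}
    ts = TS_RE.search(head)
    rec["time"] = datetime.fromisoformat(ts.group()) if ts else None
    return rec

def summarize_6in4_drops(log_text, reason="POLICY-UNKNOWN-6IN4"):
    """Per source address: number of matching drops, first and last time seen."""
    out = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_l4(line)
        if not rec or rec.get("action") != "DROP" or rec.get("reason") != reason:
            continue
        s = out[rec.get("src", "unknown")]
        s["count"] += 1
        t = rec["time"]
        if t is not None:
            s["first"] = t if s["first"] is None else min(s["first"], t)
            s["last"] = t if s["last"] is None else max(s["last"], t)
    return dict(out)
```

Comparing the first and last timestamps for the tunnel endpoint against the ping-hang windows shows whether the drops line up with the latency spikes.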
11-11-2017 2:40 PM
Still at "tier 1" so I don't see this getting fixed anytime soon. They have been provided an RCA and steps to reproduce.