01-22-2011 11:40 AM
I've been trying to establish a 6in4 tunnel to Hurricane Electric since I moved my internet services to AT&T. It's all been going rather fine except for one thing: I can't find any way to get the 2Wire gateway's firewall to do port mapping on anything other than TCP and UDP. Since 6in4 tunnels set their IP header protocol number to 41, this is clearly a problem. It works just fine if I tell the gateway to set my tunneled endpoint as a DMZ system, since that will just pass all traffic, but I'd rather not do that, as I use the system to access several home services that are not DMZ-ed. Does anyone know of a way to do port forwarding on frames that aren't TCP or UDP? Alternatively, is there any update on when AT&T will be offering IPv6 addresses to residential customers as part of their internet package? That would work better than a tunnel for me in the end.
01-22-2011 12:31 PM
The only way that non-TCP/non-UDP traffic can traverse a NAT router is if the NAT helper code is part of the router's firmware. For example, the U-Verse RG can be set to allow an inbound PPTP connection, which uses TCP port 1723 and IP type 47 (GRE). The helper code built into the firmware allows inbound type 47 to the same host that the inbound TCP/1723 is going to.
The U-Verse RG contains no NAT helper code for IP type 41 (IPv6 in IPv4). Thus, there is no way to allow an inbound 6in4 tunnel with the NAT enabled.
As you have discovered, the only way to allow it is to use the DMZPlus option.
I currently have a 6in4 tunnel up to Hurricane Electric; I am routing this using my own router behind the RG (a Cisco 2811) as the DMZPlus device. I also have other inbound ports open for a web server; these are handled on the Cisco.
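An added illustration of the point discussed in the posts above, not code from any poster: TCP and UDP carry a destination port that a port-mapping rule can key on, while a protocol 41 packet carries an IPv6 header directly after the IPv4 header. It also shows the check a DMZPlus-exposed host would want: accept 6in4 only from the tunnel server. The function names are hypothetical and the addresses are constructed, taken from documentation ranges.

```python
import ipaddress
import struct

PROTO_TCP, PROTO_UDP, PROTO_IPV6 = 6, 17, 41  # IANA IP protocol numbers

def build_ipv4(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload

def classify(packet, tunnel_peer):
    """Decide how a DMZ-exposed tunnel endpoint should treat one inbound packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop: not IPv4"
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "drop: bad header length"
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    payload = packet[ihl:]
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(payload) < 4:
            return "drop: truncated"
        dport = struct.unpack("!H", payload[2:4])[0]
        return f"port-mappable: dport {dport}"
    if proto == PROTO_IPV6:
        # No port field here: the payload starts with the inner IPv6 header.
        if src != tunnel_peer:
            return "drop: 6in4 from unexpected source"
        if len(payload) < 40 or payload[0] >> 4 != 6:
            return "drop: malformed inner IPv6"
        return "accept: 6in4 from tunnel peer"
    return f"drop: protocol {proto} not expected"

# Constructed sample traffic (documentation-range addresses, assumed values).
TUNNEL_PEER, HOME = "192.0.2.1", "203.0.113.10"
INNER_V6 = b"\x60" + bytes(39)            # 40-byte IPv6 header, version nibble 6
PKT_TUNNEL = build_ipv4(TUNNEL_PEER, HOME, PROTO_IPV6, INNER_V6)
PKT_STRAY = build_ipv4("198.51.100.7", HOME, PROTO_IPV6, INNER_V6)
PKT_HTTPS = build_ipv4("198.51.100.7", HOME, PROTO_TCP,
                       struct.pack("!HH", 40000, 443) + bytes(16))
```
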
01-23-2011 5:47 AM
Yeah, I'm setting it up that way now. I really would rather have been able to pass the tunnel through the RG's firewall without having to configure the firewall there. Oh well, guess you can't have everything.
01-26-2011 3:04 PM
The easiest way for me to get the 6to4 tunneling to work without reconfiguring the router was to use SIXXS.net TIC tunnel or GOGO6.net tunnel service.
Hurricane Electric requires that they be able to ping the endhost and protocol 41 (ipv6 6to4 tunneling protocol) be opened up at the router and firewall, which the latter (protocol 41) AT&T has no clue about on the 2 wire gateway.
Hope this helps.
01-26-2011 3:28 PM
02-01-2011 4:26 PM
So, I've been trying to get an answer out of the e-chat people and telephone support people for a few days now; I'm hoping to have better luck here. Now that IANA is out of IPv4 addresses, and the RIRs are going to be out shortly, I'd like to get a clear statement from AT&T representatives regarding their plans for IPv4 address delegation and their IPv6 roadmap. I'm concerned that AT&T might decide to manage the v4 address shortage by double/triple/etc NAT-ing my one routable IPv4 address, which will break several applications I have here at home, including my work VPN and IPv6 tunnel, effectively making my internet connection useless for much of what I need it for. In short, could someone from AT&T please tell me:
1) What are AT&T's plans for providing IPv4 globally routable addresses to individual consumers? Are we guaranteed a routable v4 address at our residential gateway?
2) What is AT&T's roadmap for IPv6? When can we expect to start getting served a globally routable IPv6 prefix? How large will the prefix be?
02-01-2011 7:44 PM
AT&T is clearly lagging behind other providers in its IPv6 plans. And synonymous with that, they're not really commenting when presented with the question.
The best information we have right now is in this article from Network World. There aren't giant amounts of specifics, but clearly at least part of AT&T's plans may be carrier-wide NAT for ongoing IPv4 service.
IPv6 service is likely to be deployed using 6rd at first, which would work pretty well until the core systems are upgraded.
02-02-2011 4:01 AM
I've read that article, and while it gives some insight, it's just not sufficient in my mind. This is an issue that affects every single one of AT&T's residential customers. It's not ok for them to be taciturn about it. If they opt to deploy carrier-wide NAT on my internet service, I have several applications which will simply break. I'd be willing to look into business class service if I could get information on which service levels will offer IPv6 as well as IPv4, and generally speaking I'd like to know when I can expect IPv6 service on U-verse just for my own education. I don't think it's too much for an AT&T representative to tell their customers that. So I ask again:
1) What is AT&T's plan regarding IPv4 address management? Are U-verse customers expected to have a routable IP address at their residential gateway for the foreseeable future? How will we be informed if that changes?
2) What are AT&T's plans for IPv6 rollout? When can we expect to see IPv6 addresses offered at our homes?
- edited 05-04-2011 3:43 PM
"AT&T says it has some IPv6 services available to its enterprise customers today, and that it will be ready with a suite of IPv6 offerings for its enterprise and residential customers before market demand arrives."
Dear AT&T, this is market demand arriving. Where is our native IPV6?
I'm getting very tired of using a tunnel through another provider (HE). And maybe this ipv6 deployment will push you to fix a number of problems with the existing 2wire (now bought by Pace) RGs.
It doesn't matter to me how AT&T does it, whether it's native ipv6 throughout their network infrastructure or using 6rd. However, if they use 6rd and the ipv4 encapsulation header counts against my traffic usage with these new caps, that's not going to make me very happy. NO IPV6 BANDWIDTH TAX!
I can almost hear AT&T's response to queries about IPv6: "But it's so HARD to roll it out on a network of our size!"
First, it's not that hard to set up 6rd gateways and roll it out slowly at first to customers who specifically ask for it. Second, a company of AT&T's size is supposed to have some good network engineers, and they've had many years to prepare, knowing this transition was coming. Planning failure is not an acceptable excuse.