
IPv6 question

And something for @nospamever before I forget and he hits the issue - UPnP doesn't work in double NAT in Asuswrt-Merlin 386.7_2 firmware. It sees the private WAN IP and terminates the connection. Works fine in 386.5_2 though.
Insecure UPnP probably does (on the second NAT router). I still wouldn't use it though. Probably best not to. Don't need clients randomly opening ports.
 
Hey, we finally agree on something - IPV6 currently provides no real benefit (except for users in countries where IPv6 is the only thing available or who are behind CGNAT) and since people are so used to having a hide NAT (which provides a pretty good basic layer of security), simply switching it on for no reason other than "I can" is not the route to take. Not that a hide NAT should be your only layer of security, especially if you have UPNP enabled, but it is a good "if all else fails" measure.

I believe some game consoles are more reliant on IPV6 than average computers, but my understanding is they will use 6 in 4 tunnels if needed. So there may be a benefit to going native on those, not sure. My last game console was the original Nintendo.

I work with corporate firewalls every day and even with millions of available registered IPs (yes we're the a-holes who are hoarding all the IPv4 addresses) NAT/PAT is still standard operating procedure. Security isn't the only reason but it is one of them.

There are ISPs that are IPV6 first - TMobile Home Internet is one of them, and IPV4 is handled, well, not very well with their 464XLAT mechanism which breaks all sorts of end-to-end things...

I've been a major proponent of IPV6 with my experience in the mobile space, both as a handset supplier as well as in the Operator core (I'm ex-ATT).

Back in '08, I was in Philadelphia when the IETF turned off IPV4, just to see what the status was at the time... ArsTechnica has a great article in their back archives that discusses this...

People are using IPV6 every day - and it's transparent to them - here in the US, all the major wireless providers are IPV6 first. If you have a 4G/5G handset that supports VoLTE, yep, that's IPV6, even for WiFi calling as that handset sets up a L2TP/IPSec tunnel back to the IMS core, and that tunnel is IPv6, even if you are IPv4 only on your LAN...
 
> Don't need clients randomly opening ports.

Agree, but only if you know what needs port forwarding. Gamers may have issues with manual Port Forwarding. It's there for convenience. The same applies to using ISP router DMZ for the second router WAN IP. Not the best, but makes things much easier.

> even if you are IPv4 only on your LAN...

What happens upstream doesn't matter. IPv4 only on LAN is good. Not very exciting to see missing IPv6 modules and kernel errors in Asuswrt logs with IPv6 enabled. The problem here is not the technology, but how it is supported on a $50 hardware home router.
 
> Not very exciting to see missing IPv6 modules and kernel errors in Asuswrt logs with IPv6 enabled. The problem here is not the technology, but how it is supported on a $50 hardware home router.

In the newer HND drops from Broadcom, I have to assume that IPV6 is fully supported - it's the merge with the rest of the AsusWRT code where things have challenges, and some of this is third party...

That $50 travel router - OpenWRT has great IPV6 support...
 
> In the newer HND drops from Broadcom, I have to assume that IPV6 is fully supported - it's the merge with the rest of the AsusWRT code where things have challenges, and some of this is third party...
>
> That $50 travel router - OpenWRT has great IPV6 support...

One thing I like with the openwrt scene is the new nftables fw4 support. Seems it is inet family protocol agnostic unless you specify a specific family protocol.
 
> There are ISPs that are IPV6 first - TMobile Home Internet is one of them, and IPV4 is handled, well, not very well with their 464XLAT mechanism which breaks all sorts of end-to-end things...
>
> I've been a major proponent of IPV6 with my experience in the mobile space, both as a handset supplier as well as in the Operator core (I'm ex-ATT).
>
> Back in '08, I was in Philadelphia when the IETF turned off IPV4, just to see what the status was at the time... ArsTechnica has a great article in their back archives that discusses this...
>
> People are using IPV6 every day - and it's transparent to them - here in the US, all the major wireless providers are IPV6 first. If you have a 4G/5G handset that supports VoLTE, yep, that's IPV6, even for WiFi calling as that handset sets up a L2TP/IPSec tunnel back to the IMS core, and that tunnel is IPv6, even if you are IPv4 only on your LAN...

I thought t-mo home internet used CGNAT for v4 but not very familiar with their setup (other than it can be problematic).

VoLTE being IPv6 is totally different ballgame, that is a private network that connects to their own servers, they control everything end to end, much easier to implement and maintain v6 in that scenario.

Pretty sure when I did a speed test last my mobile data (T-Mobile) showed an IPv4 IP, whether they're doing some translation on that, I don't know, my VPN etc. does work through their hotspot but I rarely use that.

Nothing wrong with V6, the issue is that the average user that has spent decades on a hide NAT based setup, and the basic layer of security it provides, doesn't understand the implications and major differences of going with V6. Having the "passthrough" option in the router should at least bring up a warning message.

When I ran V6 at home it was through a Cisco router and Juniper firewall, was not taking any chances. With these basic home routers, I don't trust it, nor do I have any need for it. If anything, I've run into problems with it, I recall troubleshooting an issue with my mom's email where it was intermittently erroring out, turns out her router had v6 enabled by default and Comcast's v6 email servers (or something in the v6 path, assuming they were the same servers) just weren't reliable. Disabling V6 fixed it for good.
 
I've never seen this happening. Doesn't sound like client, but router issue. Most likely the one the client is connected to.

Many many years ago VPN clients (Nortel specifically) didn't like it. I'm sure there are still some applications out there that could have a problem but it is rare these days.

If a gaming console or camera is relying on UPnP that can be an issue too. I see in another post you said it is related to the latest code but I've seen other setups (non Asus, non Merlin) where it would never make it to the second router. I know there was a time when UPnP would never traverse dual router/dual NAT, maybe newer versions have improved that?
 
> maybe newer versions have improved that?

It has to be working properly on both routers or at least the last one with all ports open for it upstream. I agree with @sfx2000 too many puzzle parts create issues. I've seen many home routers with broken features in firmware. Current Asuswrt is not an exception. Asus is mostly fixing what sells more routers. AiMesh is the most important. The rest is good enough. Very few home users will notice bugs anyway.
 
> IPv4 NAT was never a firewall...

I said basic layer of security. "If all else fails". By the strictest definition, it is a firewall, it blocks unknown incoming traffic.
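To make the two points above concrete (the fw4/nftables post earlier in the thread, and the "it blocks unknown incoming traffic" point here), the following is an added example written for this thread, not code from any poster, from OpenWrt or from fw4. It is a deliberately minimal dual-stack nftables ruleset in the shape fw4 produces: one `inet`-family table whose filter chains apply to IPv4 and IPv6 alike, plus an IPv4-only `nat` table. The interface names `br-lan` (LAN bridge) and `wan` are assumptions for the example. The thing that blocks unsolicited inbound traffic is the `ct state established,related accept` rule in front of a `policy drop`; the masquerade rule only rewrites addresses and contributes nothing to that property, which is why the same default-deny carries over to IPv6 with no translation at all.

```nft
#!/usr/sbin/nft -f
# Added example, not fw4's generated output.
# Assumed interface names: "br-lan" (LAN bridge) and "wan" (upstream).
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept

        # Replies to connections the router itself opened, in either family.
        ct state established,related accept
        ct state invalid drop

        # ICMP is needed for both families. ICMPv6 also carries neighbor
        # discovery and router advertisements, so dropping it breaks IPv6
        # on the LAN side even though "nothing is listening".
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # Router services (DHCP, DNS, web UI, SSH) reachable from the LAN only.
        iifname "br-lan" accept

        # DHCPv6 replies from the ISP arrive from the server's link-local
        # address, not the multicast address the solicit went to, so conntrack
        # does not pair them; they need an explicit rule (UDP 546 = client).
        iifname "wan" udp dport 546 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Only traffic that a LAN host initiated, or is related to it, may
        # cross from WAN to LAN. This is the "basic layer" the thread is
        # talking about, and it is a conntrack rule, not a NAT rule.
        ct state established,related accept
        ct state invalid drop

        # Minimum ICMPv6 that path MTU discovery and diagnostics need to
        # reach LAN hosts; everything else ICMPv6 is still dropped here.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request
        } accept

        # LAN to WAN is open for both families; WAN to LAN falls through to
        # the drop policy unless a port forward is added above this line.
        iifname "br-lan" oifname "wan" accept
    }
}

# Address translation exists only for IPv4. Deleting this table leaves the
# filtering above exactly as effective; IPv4 clients would just lose
# connectivity because their private source addresses are not routable.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan" masquerade
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`. A quick check of the property being discussed is to watch `nft list chain inet filter forward` counters while a host on the WAN side tries to reach a LAN host's global IPv6 address: the packets never match the established/related rule and are dropped by the chain policy, the same outcome a NATed IPv4 host gets, without any address being hidden. Any router-side "passthrough" or bridge mode that takes the WAN-to-LAN path out of this forward chain removes that protection for every device behind it, which is the case the warning-message suggestion above is about.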
 
I also prefer my LAN devices behind NAT and one gateway to Internet with single public IPv4 address. It works perfectly. I also would like to know the IP addresses of my LAN devices. I know my laptop is 192.168.50.12 because I can easily remember it, but have no clue what hides behind 2001:0db8:85a3:0000:0000:8a2e:0370:7334 and how many other IPv6 addresses the same device has, as an example. I called IPv6 a Big Mac protocol because this is exactly what it is - multi layered sandwich with questionable quality ingredients, all put together in an attempt to improve the taste.

Not a developer...
 
> I also prefer my LAN devices behind NAT and one gateway to Internet with single public IPv4 address. It works perfectly. I also would like to know the IP addresses of my LAN devices. I know my laptop is 192.168.50.12 because I can easily remember it, but have no clue what hides behind 2001:0db8:85a3:0000:0000:8a2e:0370:7334 and how many other IPv6 addresses the same device has, as an example. I called IPv6 a Big Mac protocol because this is exactly what it is - multi layered sandwich with questionable quality ingredients, all put together in an attempt to improve the taste.
>
> Not a developer...

You can sort of fudge it by using something like 2001::1 but sort of defeating the purpose (plus you'll likely get a /48 or /64 not a /16). Hostnames, dynamic DNS, etc all become much more critical under IPv6 (and since ISPs so far don't want to give you a static block like they're supposed to, and won't let you update their DNS, it is already broken).
 
> You can sort of fudge it

The other resemblance of Big Mac is the difference in advertising picture and what you actually get. Free ketchup, mustard and mayonnaise make you feel better though.
 
> The other resemblance of Big Mac is the difference in advertising picture and what you actually get. Free ketchup, mustard and mayonnaise make you feel better though.

My company (service provider) has been IPv6 enabled for a decade and we offer it all the time to our customers who have private IPs. Not a single one has opted for it. It will be a long time before it gets used for anything other than management IPs or closed networks like LTE. Afraid we're going to be seeing more and more CGNAT and various other flavors of translation. Heck I won't be surprised even when people start going IPv6 if they want to do NAT66 just to keep things similar to what they have now.
 
> Not a single one has opted for it.

Most residential customers don't know what an IP is. If you don't ship your devices with IPv6 enabled by default, very few will bother to change the settings. Half of the networks around my place have SSID BELLxxx and Rogersxxxxx. The technician comes and installs "Internet", shows it working with YouTube. Some prefer connecting to the 2.4GHz band because it reaches that far bedroom. They promptly pay for Gigabit service every month.
 
> Most residential customers don't know what an IP is. If you don't ship your devices with IPv6 enabled by default, very few will bother to change the settings. Half of the networks around my place have SSID BELLxxx and Rogersxxxxx. The technician comes and installs "Internet", shows it working with YouTube. Some prefer connecting to the 2.4GHz band because it reaches that far bedroom. They promptly pay for Gigabit service every month.

I take it you're in Canada? Those are two of the carriers we use up there (commercial point to point lines not home internet, though that line is becoming blurred these days, a lot of the infra is shared).

Here, Comcast ships all their stuff v6 enabled. That caused issues for my mom's email and had to disable it. Not sure if Verizon (the other big one in my area) does or not since I don't use their hardware and they only just recently enabled v6 here. Comcast is using native v6 for STB and modem management, have been for a long time, that's why they were one of the first to deploy v6, so they could recover a lot of v4 for customer use.

Comcast also enables every one of their routers with a special "Xfinity" guest network that any of their customers can use, and it uses your bandwidth (but at least it doesn't count toward your data cap). First thing I disable when I set someone up. That's how they can advertise "tens of thousands of hotspots" or whatever number they claim. They are awful. Another good reason not to pay them $15 a month for their junk router. With their mobile service the phone will jump on to any of their routers in range that are broadcasting that SSID for data (they initially tried having it do that for wifi calling by default, preferring it over the mobile network to save them money, but had many issues with that).

I'm also amazed how many people fall for the gigabit plan. Verizon offers it for like $20 more than the default 300 meg plan and people just take it. Comcast is now offering multi-gig in some areas. These people are probably using under 100 meg most of the time, and when they go above it, they wouldn't have noticed that it took a little longer to download a big file anyway.

I hate cable companies.
 