HT2000W IPv6 inbound services

New Poster

I have a new installation with a HT2000W satellite modem. After the unfortunate realization that IPv4 is delivered via CGN and no inbound port forwarding is possible, I'm trying to get IPv6 working for inbound services (security cameras, etc.).

I have a Ubiquiti Edgerouter installed behind the HT2000W. The HT2000W has its firewall disabled and is properly assigning a /62 to the Edgerouter for assignment to its LAN. The Edgerouter has IPv6 connectivity and can initiate outbound connections properly. However, I can't ping the Edgerouter's IPv6 WAN address from the Internet. I can ping the HT2000W's WAN address from the Internet. Traceroutes to the Edgerouter WAN address seem to die at the HT2000W. Taking a packet capture at the Edgerouter WAN (connected to HT2000W LAN) Ethernet interface doesn't show any inbound ICMP echo when pings are being sent from the Internet.

Am I missing a firewall step on the HT2000W here to allow inbound IPv6 to the LAN?

11 REPLIES
Instructor

Re: HT2000W IPv6 inbound services

You actually will need to enable the firewall, and forward the appropriate service under Firewall > IPv6...

As far as pinging and such, pretty sure that's dropped regardless at the modem unless you disable the Intrusion Detection settings.

Personal Machine: ECS B85H3-M | Intel i5 4460 | 16GB DDR3-1333 | eVGA 750Ti | Samsung 830 120GB - Server: ASUS M5A99FX Pro R2.0 | AMD FX8350 | 32GB DDR3-1600 ECC | Intel Quad Gigabit NIC | 2x Intel Gigabit NIC | IBM M5015 | 650w OCZ ZS PSU | eVGA LP 710 | 8x WD RE 4TB disks - http://chucksbasix.com
New Poster

Re: HT2000W IPv6 inbound services

Thanks for the reply.

I actually did try re-enabling the firewall and enabling IPv6 rules for an inbound service or two. I suppose I could have gotten the syntax wrong though, do you know if there are any documents for this feature?

I do have intrusion protection disabled - is there any other way to allow ICMPv6 (echo requests specifically) through to the LAN?

Instructor

Re: HT2000W IPv6 inbound services

I personally don't know off the top of my head...  @Liz or @Amanda might be able to get us some more information on it.

Moderator

Re: HT2000W IPv6 inbound services

Hi folks,

I sent this up to the engineers who are better equipped to answer this. I'll let you know what I find out.

Thanks,
Liz

New Poster

Re: HT2000W IPv6 inbound services

Thank you, Liz.

New Poster

Re: HT2000W IPv6 inbound services

Hi, @Liz. Anything back from engineering on this?

Moderator

Re: HT2000W IPv6 inbound services

No reply, I've pinged them back for any insight into your concern.

Thanks,
Liz

New Member

Re: HT2000W IPv6 inbound services

I also have this question. When I signed up for services they explicitly told me I would have a dynamic but ROUTABLE IPv6 address (asked twice to confirm). After my install today my router got a fdxxx (PRIVATE) IPv6 address. Called and they told me they only assign public addresses to business accounts?!

Willing to upgrade (even though the first call explicitly told me I would get a dynamic but routable IPv6), but want to make sure you're actually assigning routable IPv6's... Need a way to get back in so I can control my whole-home automation system.

New Poster

Re: HT2000W IPv6 inbound services

@tracerrx, the address you see in the HT2000W's WAN status section is just the link-local address on that interface. There is a routable block that's assigned to the HT2000W's LAN interface. If you plug a device into the LAN, it will be assigned a public routable address block via an IPv6 router advertisement. Also, you can connect a router to the HT2000W's LAN port and receive a public IPv6 block via DHCPv6's prefix delegation feature, which will allow that router to assign another routable subnet to its inside (LAN) interface(s). The HT2000W is giving a /62 to my router in this case.

HOWEVER, it appears to me that the HT2000W is filtering all inbound IPv6 connections to devices connected to the LAN network regardless of the firewall being enabled or disabled, or adding allow rules in the IPv6 section of the configuration. I can ping my HT2000W's LAN IPv6 address from the public Internet, but can't ping any of the devices connected to it. Running packet captures on those devices shows no inbound ICMPv6 at all from the host on the Internet sending the pings. So it appears that the firewall in the HT2000W is not being disabled when instructed to do so through the web UI.

Input and suggestions from a HughesNet network engineer would be very helpful!
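
Added example, not part of any post in the thread: a short Python check for the address-scope question raised above (link-local vs. "fdxx" unique-local vs. routable) that also splits a delegated /62 into the /64s a downstream router can assign. The prefix `2001:db8:0:4::/62` is a constructed stand-in from the documentation range, and the function names are this example's own.

```python
import ipaddress

# Scopes that come up in the thread (ranges from RFC 4291 and RFC 4193).
LINK_LOCAL = ipaddress.ip_network("fe80::/10")     # valid on one link only
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")    # "fdxx..." private addresses
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # routable unicast space

def classify(addr):
    """Return the scope of an IPv6 address; a zone suffix such as %eth0 is ignored."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])
    for name, net in (("link-local", LINK_LOCAL),
                      ("unique-local", UNIQUE_LOCAL),
                      ("global-unicast", GLOBAL_UNICAST)):
        if ip in net:
            return name
    return "other"

def lan_subnets(delegated):
    """Split a delegated prefix into the /64 networks a router can put on its LANs."""
    net = ipaddress.ip_network(delegated)  # raises ValueError if host bits are set
    if net.version != 6 or net.prefixlen > 64:
        raise ValueError("expected an IPv6 prefix of /64 or shorter")
    return list(net.subnets(new_prefix=64))

def owning_subnet(addr, delegated):
    """Return the /64 inside the delegation that holds addr, or None if outside it."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])
    return next((s for s in lan_subnets(delegated) if ip in s), None)

if __name__ == "__main__":
    # Constructed sample values; substitute the prefix your router was delegated.
    DELEGATED = "2001:db8:0:4::/62"
    samples = ["fe80::1%eth0", "fd12:3456:789a::1", "2001:db8:0:5::20"]
    for a in samples:
        print(f"{a:22} {classify(a):15} in delegation: {owning_subnet(a, DELEGATED)}")
    print("LAN /64s:", ", ".join(str(s) for s in lan_subnets(DELEGATED)))
```

Only addresses that classify as global-unicast and fall inside the delegated prefix are candidates for inbound reachability; each one that is reachable still needs its own allow rule on the downstream router, since no NAT hides the hosts behind it.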