Hughesnet Community

HT2000W IPv6 inbound services

pswired
Junior

HT2000W IPv6 inbound services

I have a new installation with a HT2000W satellite modem. After the unfortunate realization that IPv4 is delivered via CGN and no inbound port forwarding is possible, I'm trying to get IPv6 working for inbound services (security cameras, etc.).

 

I have a Ubiquiti Edgerouter installed behind the HT2000W. The HT2000W has its firewall disabled and is properly assigning a /62 to the Edgerouter via DHCPv6-PD for assignment to its LAN. The Edgerouter has IPv6 connectivity and can initiate outbound connections properly. However, I can't ping the Edgerouter's IPv6 WAN address from the Internet. I can ping the HT2000W's LAN address from the internet. Traceroutes to the Edgerouter WAN address seem to die at the HT2000W. Taking a packet capture at the Edgerouter WAN (connected to HT2000W LAN) ethernet interface doesn't show any inbound ICMP echo when pings are being sent from the Internet.

 

Am I missing a firewall step on the HT2000W here to allow inbound IPv6 to the LAN?

81 REPLIES

Good morning pswired,

 

Thank you for your update and sharing the steps you took to re-enable functionality. I sent your notes back to the engineers so they have it for reference.

 

 


@pswired Can you post a screenshot of the firewall rule you're using on the HW?

Here's a bad screenshot - hopefully this helps. (Capture.JPG)

Yup... got the exact same rule... No Dice... 

Are you able to take a packet capture from your sonicwall's WAN interface to see if your inbound connection attempts are reaching the Sonicwall?

Yup.. Looks like it's receiving and replying... Maybe Hughes is filtering icmpv6 out?

 

Screen Shot 2017-09-26 at 9.53.01 PM.png

Interesting. When I was having problems, the ICMPv6 pings would not even make it in past the HT2000W. I think there must be something else going on here. Do you have a laptop or something you could plug directly into the HT2000W and disable the firewall completely on? What are you using to test from (ping origin)? I have been using the Level3 looking glass here:

 

http://lookingglass.level3.net/

 

Using the Atlanta, GA site. It seems that not all of the sites are actually IPv6 enabled. 

 

One note: ICMPv6 is a core part of IPv6 functionality, so network operators can't get away with blocking it wholesale like they could with IPv4. 

Also maybe open up remote admin on your sonicwall and try to make an http/s connection via IPv6. But don't leave it open for long since your IP is posted above 🙂

Yup agree... Will check.. In the meantime

  1. On your HW check HOME-->Info-->LAN I can PING that ipv6 address : )
  2. Also check ADVANCED-->FIREWALL-->INTRUSION and uncheck "Discard Ping To WAN Interface"

This will allow you to ping your HW modem (I'm using Pingdom to alert for connection issues).  

 

I have no idea how "static" this ipv6 address is....

 

It is not static at all, or at least hasn't been the past few days. Sometimes it lasts a couple days, other times a few hours and they assign a new prefix. Really annoying and not the way IPv6 is supposed to work. I'm still sorting out some sort of dynamic DNS solution to do the updates automatically.

I have a Pingdom monitor set up on it, will let you know if it changes... but note this is just the ipv6 of the HW modem, which is a totally separate prefix than what I get from dhcpv6 (which hits the sonic, sonic sends reply to HW router and then dies before routing back to origin)

Ok, some more testing today both with and without the Sonicwall.  From the sonicwall packet captures you can clearly see the packets accepted from HW modem --> Sonic responds but gets an ipv6 neighborhood error (i.e. doesn't know how to route the response packets... )

 

So then I connected my macbook directly to the ethernet port on the HW, disabled all WiFi and IPv4 in total on my macbook, and guess what?!  The Macbook also couldn't resolve anything from the HW (not even the HW itself via ipv6).  So it looks like the problem is within the HW itself, either not supporting a full ipv6 stack, or the ipv6 stack is misconfigured, or the ipv6 stack is configured for inbound only.  You can't even hit Google's ipv6 DNS.

 

Screen Shot 2017-09-27 at 6.39.58 PM.jpg

Can you post all your HT2000W configuration settings? I am able to ping, traceroute, etc. both inbound and outbound on mine.

 

FWIW, I'm on the San Diego IP gateway.

Which settings?  Just IPv6 pages? 

 

Are you using MacOS/Windows/Linux ip stack?  BTW, I'm on East Coast, no idea which gateway.

 

Sending you a PM with my contact info, maybe easier that way and we can post solution to board if we find one.

All posters, I am very interested in the outcome and solution to the issues described above.  Ultimately what I'm trying to do is connect a Hikvision security camera DVR so I can monitor the cameras remotely via cell phone.  I'm new to HughesNet (in fact business account being installed today at our church in Texas), but eager to learn.   

Here's how to get it to work:

 

Go to your HT2000W setup page and, under advanced settings, in the firewall section:

-Enable the firewall

-Disable DMZ

-Disable both intrusion detection checkboxes

-In IPv6 rules, add a rule with "::" as the client address (no quotes), TCP, start port 1, end port 1.

-REBOOT THE ROUTER USING THE WEB UI OPTION, then don't change any more firewall settings

 

Your Hikvision DVR (assuming it's moderately recent) will pick up an IPv6 address and will be accessible from the Internet if your device has IPv6 connectivity. You can see what the address of your DVR is by going to the network settings page in the web interface. It's also worth mentioning that any other IPv6 capable devices on your network will also receive publicly accessible Internet addresses, so be sure they have proper local firewalling, etc.

 

I am noticing my IPv6 prefix change quite frequently, which is somewhat useless for remote access. But YMMV on that.
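The post above notes that every IPv6-capable device on the LAN becomes publicly addressable once the HT2000W passes inbound traffic. As an added example (not part of the original post), this sketch audits a Linux host for TCP listeners that would be reachable that way by parsing the `/proc/net/tcp6` layout. It assumes a little-endian machine; the sample table, addresses and ports are constructed.

```python
import ipaddress
import os

# Constructed sample in /proc/net/tcp6 layout (not captured from a real host).
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A
   2: 000080FE000000000000000001000000:0035 00000000000000000000000000000000:0000 0A
   3: B80D0120010000000000000010000000:1F40 00000000000000000000000000000000:0000 0A
   4: B80D0120010000000000000010000000:C350 B80D0120020000000000000001000000:01BB 01
"""

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # publicly routable range
TCP_LISTEN = 0x0A                                  # kernel state code for LISTEN


def decode_addr(hex32):
    """Decode the kernel's address field: four 32-bit words, each printed
    in host byte order (assumed little-endian here)."""
    raw = b"".join(bytes.fromhex(hex32[i:i + 8])[::-1] for i in range(0, 32, 8))
    return ipaddress.IPv6Address(raw)


def exposed_listeners(table_text):
    """Return (address, port) for listeners reachable over global IPv6:
    sockets bound to the wildcard '::' or to a global unicast address.
    Loopback, link-local and non-listening sockets are skipped."""
    found = []
    for line in table_text.splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        addr = decode_addr(addr_hex)
        if addr.is_unspecified or addr in GLOBAL_UNICAST:
            found.append((str(addr), int(port_hex, 16)))
    return found


if __name__ == "__main__":
    # Use the live table on Linux, otherwise fall back to the constructed sample.
    path = "/proc/net/tcp6"
    text = open(path).read() if os.path.exists(path) else SAMPLE_TCP6
    for addr, port in exposed_listeners(text):
        print(f"reachable if not firewalled: [{addr}]:{port}")
```

Anything it lists needs either a host firewall rule or a bind address restricted to loopback or link-local before the modem's inbound rule is enabled.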

BirdDog
Assistant Professor

"I am noticing my IPv6 prefix change quite frequently, which is somewhat useless for remote access. But YMMV on that."

 

Sounds like they need to lock prefixes on the system once they are established, give the user the option to lock or release it. Not an IPv6 user yet but seems they should start implementing more control on the user/client side. All I know is IPv6 was supposed to allow much more control and direct Internet addressing access for the average customer.

C0RR0SIVE
Associate Professor
BirdDog
Assistant Professor


@C0RR0SIVE wrote:

Sadly with how these units work, I don't think the gateways will tolerate it very well...


Sadly, seems like another unfulfilled promise. Maybe not so much a promise but sure remember many old posts by long time posters and official reps that IPv6 would result in reliable static IP direct connection over satellite. No? Am I really getting that senile?

 

Would think some dedicated servers on the gateway side would be able to handle it and only a few millisecond delay on an already high latency system. Maybe they don't feel the investment on return is worth it.

C0RR0SIVE
Associate Professor

I never said it, I just said that IPv6 is the only way to remotely connect to these terminals.  Static IPv6 won't be coming any time soon.

BirdDog
Assistant Professor


@C0RR0SIVE wrote:

I never said it, I just said that IPv6 is the only way to remotely connect to these terminals.  Static IPv6 won't be coming any time soon.


Guess I am senile then because I sure remember everyone talking up what a savior IPv6 would be for satellite, especially on Gen 5. I'll shut up now. Sometimes good to rock the boat IMO, how we progress.