Hughesnet Community

HT2000W IPv6 inbound services

pswired
Junior

I have a new installation with a HT2000W satellite modem. After the unfortunate realization that IPv4 is delivered via CGN and no inbound port forwarding is possible, I'm trying to get IPv6 working for inbound services (security cameras, etc.).

I have a Ubiquiti Edgerouter installed behind the HT2000W. The HT2000W has its firewall disabled and is properly assigning a /62 to the Edgerouter via DHCPv6-PD for assignment to its LAN. The Edgerouter has IPv6 connectivity and can initiate outbound connections properly. However, I can't ping the Edgerouter's IPv6 WAN address from the Internet. I can ping the HT2000W's LAN address from the internet. Traceroutes to the Edgerouter WAN address seem to die at the HT2000W. Taking a packet capture at the Edgerouter WAN (connected to HT2000W LAN) ethernet interface doesn't show any inbound ICMP echo when pings are being sent from the Internet.

Am I missing a firewall step on the HT2000W here to allow inbound IPv6 to the LAN?

81 REPLIES

Actually it's really CLOSE to working correctly, and the issue may be on my side...

If you set up your biz/home router (not the HW router) to DHCPv6 it obtains an ipv6 /62 prefix that it can then advertise and hand out. In fact on my sonicwall I can request a prefix via dhcpv6 and, unlike @pswired's experience, my prefix has NOT changed since day 1. The modem's public ipv6 does change however.

I can traceroute all the way to my sonicwall, and see ping packets come in, but when I hand them back to the HW Router it doesn't seem to know how to route them (or it's not advertising a route back). Note that this could be a routing issue on my sonicwall itself as my hughesnet is a backup connection and it seems to want to route the packets back out my primary interface.

If I plug directly into the HW router, and set my computer to "Automatic" instead of dhcpv6 I get the same experience as @pswired ... I can make everything work but the router is handing out a different ipv6 prefix which seems to change often.

On another note... as @pswired said it's important to web-reboot your modem after making ANY changes... Note that this is not the Administration-->Reboot button (it appears this just resets the WiFi interface)...

Screen Shot 2017-09-29 at 10.11.34 PM.png

You need to goto the "i" menu and select the Reboot button at the top of the screen.

Screen Shot 2017-09-29 at 10.13.18 PM.png

I can confirm @pswired's findings... it appears the delegated IP they are assigning each of us changes "often"... I've had one stick around for 2-3 days and other times it changes a couple of times an hour.

@Liz have there been ANY updates from the engineers on this?

Hi tracerrx,

Thanks for posting, I've not gotten any word back on this. I've pinged them for an update.

If you have a tech or billing question and need help, please start a new thread in the appropriate board. Unsolicited Private Messages may not get replies.

Slow performance? Click me!

Hi folks,

Thank you all for your patience, I was just informed that engineering has this concern on their list, it will still be a while before we can get any useful updates. Once I have any news to share, I'll post back.


Your patience and understanding are much appreciated.

@Liz Thanks for the update... For some reason they appear to be allocating ipv6 /62's dynamically instead of issuing static /64's like the rest of the industry (Comcast, Verizon, ATT, Windstream etc). It makes no sense to issue a /62 dynamically for us to hand out internally only to have it change minutes later...

I would rather have a single /128 and it be static than this dynamically assigned /62 prefix that changes on a whim. It's not like there is any shortage of ipv6's.

Hi folks, 

Thank you again for your continued patience. I received information from engineering on how to open the firewall for IPv6 inbound.


Access your Wifi Settings from the System Control Center at 192.168.0.1.

From the left menu, navigate to Advanced Setup > Firewall > IPv6.

Click the Add Rule button.

For Client address enter: ::/0

For protocol, select UDP or TCP, depending on the traffic that should be allowed through.

For port, enter the start port and destination port. For instance, to allow ssh traffic onto the site, enter 22 as start port and 23 as stop port.

Enter as many rules as required for the inbound needs.

ipv6.png

Engineering is still working on getting more information out on inbound IPv6 usage, including setting up DDNS, but no ETA on when that will be completed.


Please let me know if this helps.

C0RR0SIVE
Associate Professor

@Liz

We understand how to open the firewall, but thank you : )


The problem is the dynamically assigned ipv6 prefixes (they shouldn't be dynamic per ipv6 conventions, which is why there is very limited support for DDNS in ipv6). It sounds like maybe your engineers understand this and are working on a fix (fingers crossed).

Hi,

Yes, engineering is still working on allowing inbound IPv6 pings, this will be addressed in a future update. No ETA, but it's on our roadmap.


Liz, to be clear, there are two issues here:


- The HT2000W inbound IPv6 firewall implementation is buggy and requires the above posted workaround to disable the firewall entirely. Using the firewall as intended does not seem to be possible. The inability to ping downstream devices is a symptom of this problem.

- The IPv6 prefix assigned to a downstream device via DHCP-PD is dynamic and indeed changes often. This is undesirable because it prevents IP-based firewall rules from being implemented for downstream devices and prevents remote access to those devices.

Thanks for the clarification, I'll pass this up.


Hi pswired,


Got a quick turnaround from engineering on your concerns:
Regarding your first point about the firewall being buggy, this will be escalated to our modem team.

Regarding the IPv6 prefix assignments, that is how our modems operate and is unlikely to change anytime soon.

In reference to tracerrx's concern with routable IPv6 addresses, a user always gets a public IPv6 prefix as long as it's associated with an IP gateway. If the user isn't seeing this public IPv6 prefix and it's associated with a gateway, then we'd troubleshoot.


@Liz If the situation of having dynamic IPv6 prefixes is not expected to change anytime soon, then HughesNet sales and support staff should be trained to tell customers and prospects that using remote access devices such as security camera systems is not possible with the service offering. CGN prevents it on IPv4 and dynamic addressing prevents it via IPv6. That's very unfortunate since this seems to be requested quite often here in the forums.

@Liz

I concur with @pswired, I was specifically told by sales that we would receive routable static IPv6 addresses.

C0RR0SIVE
Associate Professor

@tracerrx and @pswired


Are you residential subscribers or business subscribers? Sales agents are not to say that IPv6 is static on these systems; static isn't offered normally by Hughesnet.

Good morning folks,

Thank you for your input, I think this is a topic worth bringing up to management. I'll send it up, thank you for your feedback!


@C0RR0SIVE I am a residential subscriber. I personally was never promised static IPv6 addresses (or any IPv6 at all, for that matter) during the sales process, but it appears that others have been. Regardless, every other ISP that I'm aware of in the US provides static IPv6 prefixes to its fixed customers. This is a central design feature of IPv6, evidenced by the lack of wide support for IPv6 dynamic DNS and Hughesnet's own IPv6 firewall design in its HT2000W router. The firewall rules must be built with the end device's IPv6 address, so if those addresses are dynamic, the user would need to reconfigure their firewall rules every few days.

@C0RR0SIVE I'm also a residential subscriber, but offered to become a business subscriber if it would make a difference (after our discovery that these ipv6 delegates aren't static). I was told it works the same way for business subscribers, and the only way to have a static ipv4 or ipv6 address is to be a legacy business customer.

Just a quick update for anyone looking for answers to this in the future.


Until HughesNet addresses their very strange implementation of ipv6, I have reverted to using a raspberry pi plugged directly into the hughesnet modem to perform DDNS via DYNv6. Anything you want to access remotely (besides the pi) will need to be configured to use stateless ipv6 (making your mac address public). You then would need to alter the DYNv6 update script on the pi (they supply a nice one on their website) to glue together the /51 assigned by hughes to the stateless address on your device... or you can just use the pi to route/redirect ports instead. I believe @pswired has done something similar using his own script. If anyone needs step by step for the raspberry pi let me know.

Note that this effectively puts the pi open to the world, and you should take measures to secure it against such.

@Liz

Any update from the "Engineers" regarding this issue?