I have a new installation with a HT2000W satellite modem. After the unfortunate realization that IPv4 is delivered via CGN and no inbound port forwarding is possible, I'm trying to get IPv6 working for inbound services (security cameras, etc.).
I have a Ubiquiti Edgerouter installed behind the HT2000W. The HT2000W has its firewall disabled and is properly assigning a /62 to the Edgerouter via DHCPv6-PD for assignment to its LAN. The Edgerouter has IPv6 connectivity and can initiate outbound connections properly. However, I can't ping the Edgerouter's IPv6 WAN address from the Internet. I can ping the HT2000W's LAN address from the internet. Traceroutes to the Edgerouter WAN address seem to die at the HT2000W. Taking a packet capture at the Edgerouter WAN (connected to HT2000W LAN) ethernet interface doesn't show any inbound ICMP echo when pings are being sent from the Internet.
Am I missing a firewall step on the HT2000W here to allow inbound IPv6 to the LAN?
You actually will need to enable the firewall, and forward the appropriate service under Firewall > IPv6...
As far as pinging and such, pretty sure that's dropped regardless at the modem unless you disable the Intrusion Detection settings.
Thanks for the reply.
I actually did try re-enabling the firewall and enabling IPv6 rules for an inbound service or two. I suppose I could have gotten the syntax wrong though, do you know if there are any documents for this feature?
I do have intrusion protection disabled. Is there any other way to allow ICMPv6 (echo requests specifically) through to the LAN?
I sent this up to the engineers who are better equipped to answer this. I'll let you know what I find out.
No reply, I've pinged them back for any insight into your concern.
I also have this question. When I signed up for services they explicitly told me I would have a dynamic but ROUTABLE IPv6 address (asked twice to confirm). After my install today my router got a fdxxx (PRIVATE) IPv6 address. Called and they told me they only assign public addresses to business accounts?!
Willing to upgrade (even though the first call explicitly told me I would get a dynamic but routable IPv6), but want to make sure you're actually assigning routable IPv6s... Need a way to get back in so I can control my whole-home automation system.
@tracerrx, the address you see in the HT2000W's WAN status section is just the link-local address on that interface. There is a routable block that's assigned to the HT2000W's LAN interface. If you plug a device into the LAN, it will be assigned a public routable address block via an IPv6 router advertisement. Also, you can connect a router to the HT2000W's LAN port and receive a public IPv6 block via DHCPv6's prefix delegation feature, which will allow that router to assign another routable subnet to its inside (LAN) interface(s). The HT2000W is giving a /62 to my router in this case.
HOWEVER, it appears to me that the HT2000W is filtering all inbound IPv6 connections to devices connected to the LAN network regardless of the firewall being enabled or disabled, or adding allow rules in the IPv6 section of the configuration. I can ping my HT2000W's LAN IPv6 address from the public Internet, but can't ping any of the devices connected to it. Running packet captures on those devices shows no inbound ICMPv6 at all from the host on the Internet sending the pings. So it appears that the firewall in the HT2000W is not being disabled when instructed to do so through the web UI.
Input and suggestions from a Hughesnet network engineer would be very helpful!
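The address types and the /62 delegation discussed in this thread can be checked with a short script. This is an added example, not part of the original posts: the function names are hypothetical, and the sample addresses are constructed from the IPv6 documentation prefix 2001:db8::/32, not taken from any real HughesNet assignment.

```python
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")        # unique local (fc.. / fd..)
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def classify(addr: str) -> str:
    """Return the scope of an IPv6 address as shown in a router status page."""
    # Strip a zone id ("%eth0") or prefix length ("/64") if present.
    ip = ipaddress.IPv6Address(addr.split("%")[0].split("/")[0])
    if ip.is_link_local:                       # fe80::/10, never routed
        return "link-local"
    if ip in ULA:                              # private, not Internet-routable
        return "unique-local"
    if ip in GLOBAL_UNICAST:                   # publicly routable space
        return "global-unicast"
    return "other"


def lan_subnets(delegated: str) -> list[str]:
    """List the /64 LAN subnets available inside a DHCPv6-PD delegation."""
    net = ipaddress.IPv6Network(delegated)     # raises if host bits are set
    return [str(s) for s in net.subnets(new_prefix=64)]


def in_delegation(host: str, delegated: str) -> bool:
    """True if a host address falls inside the delegated prefix, i.e. inbound
    traffic to it must traverse the modem's IPv6 filter before the router."""
    return ipaddress.IPv6Address(host) in ipaddress.IPv6Network(delegated)


if __name__ == "__main__":
    # Constructed sample values (documentation prefix).
    for a in ("fe80::1%eth0", "fd12:3456:789a::1", "2001:db8:0:4::10"):
        print(f"{a:22} {classify(a)}")
    print(lan_subnets("2001:db8:0:4::/62"))
    print(in_delegation("2001:db8:0:6::25", "2001:db8:0:4::/62"))
```

A /62 yields four /64 networks, so a downstream router can number up to four LAN segments from the delegation.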