Topic: m0n0wall on Comcast Dual Stack  (Read 2050 times)
« on: May 03, 2013, 17:23:03 »
aveiga *
Posts: 2

I'm one of the IPv6 Engineers working for Comcast.  I was able to get m0n0wall 1.8.1b538 running on a Soekris net6501-70 with our native dual-stacked environment.  I set it up with WAN in DHCP mode and LAN in DHCP-PD mode.  I got a default route (I'm assuming since we're using DHCPv6 here, it paid attention to the RA?) and everything set up and assigned correctly.  However, in order to get routing operating (actually passing packets from the LAN to the Internet) I had to put some explicit rules in the IPv6 firewall.  I'm not entirely sure of the reason as I didn't have time to go debugging, but it looks like the firewall was actively blocking everything from crossing the LAN/WAN boundary, including ICMPv6.  After putting in two rules, one for ICMPv6 and one for tcp/udp, I was able to make IPv6 connections with no issues.  I'm not going to post rules that allow free access to the world, but I also wasn't able to find any better fine-tuning in the amount of time I had to work on this.  Ideally, I'd like to present documentation to our users to allow all outbound, and all initiated inbound connections over IPv6.  Perhaps this is also something that would make for sane defaults in the IPv6 firewall rules, and I'd be willing to work with folks to determine the proper configuration.
« Reply #1 on: May 03, 2013, 18:04:29 »
Fred Grayson *****
Posts: 994

Hello and welcome to the forum.

I am a Comcast user and have been running m0n0wall in dual stack since Comcast turned up native IPv6 in my area. Prior to that I had been using a Hurricane Electric IPv6 tunnel.

The only rule I had to add to get IPv6 routing out to the internet was the following (which mirrors the default rule for IPv4):

Interface: LAN
Proto: *
Source: LAN Net
Port: *
Destination: *
Port: *
Description: Allow IPv6 from LAN to Any

If you have additional OPT interfaces, they too will require the same rule.

This rule does not allow unsolicited traffic from the WAN to LAN.

I believe it would be helpful if this rule was a default IPv6 rule for the LAN interface as it is currently for IPv4.

One ongoing unrelated problem with m0n0wall IPv6 as configured for Comcast is that the System Log is being flooded with messages related to routing advertisements arriving on the WAN interface:

rtadvd[215]: <ra_input> received RA from fe80::201:5cff:fe22:c9c1 on non-advertising interface(fxp1)

After a few of these are written to the log, they are continued with the following entry instead:

last message repeated 162 times
The m0n0wall developers are aware of this problem, and it is hoped that it will be solved soon.
--
Google is your friend and Bob's your uncle.
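The two rulesets discussed in this thread (the single "LAN net to any" rule above, and the ICMPv6 plus tcp/udp pair from the first post) behave the same way on a stateful firewall: outbound traffic from the LAN prefix creates state, replies ride that state back in, and anything unsolicited arriving on WAN hits the default deny. The following Python model is an added illustration written for this thread, not m0n0wall code; the prefix, addresses and the "LAN net" matching are constructed assumptions, and it simplifies the real packet filter to first-match rules plus a flow table.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample LAN prefix (documentation range); in practice this is the
# prefix delegated to the LAN via DHCP-PD.
LAN_NET = ipaddress.ip_network("2001:db8:1::/64")


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on: "LAN" or "WAN"
    proto: str          # "tcp", "udp" or "icmpv6"
    src: str
    dst: str
    sport: int = 0      # 0 for ICMPv6, which has no ports
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    iface: str
    proto: str          # "*" or a "/"-separated list such as "tcp/udp"
    src: str            # "LAN net" or "*"
    dst: str            # "*" only, as in the rule quoted in the post
    description: str

    def matches(self, pkt: Packet) -> bool:
        if pkt.iface != self.iface:
            return False
        if self.proto != "*" and pkt.proto not in self.proto.split("/"):
            return False
        if self.src == "LAN net" and ipaddress.ip_address(pkt.src) not in LAN_NET:
            return False
        return True


class StatefulFirewall:
    """First-match rule evaluation with a flow table: a packet that matches a
    pass rule creates state, and packets belonging to that flow (in either
    direction) pass without consulting the rules again."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def evaluate(self, pkt: Packet) -> str:
        if self._key(pkt) in self.states or self._reverse_key(pkt) in self.states:
            return "pass (existing state)"
        for rule in self.rules:
            if rule.matches(pkt):
                self.states.add(self._key(pkt))
                return f"pass ({rule.description})"
        return "block (default deny)"


# The single rule from Reply #1 and the two-rule variant from the first post.
SINGLE_RULESET = [Rule("LAN", "*", "LAN net", "*", "Allow IPv6 from LAN to Any")]
TWO_RULESET = [
    Rule("LAN", "icmpv6", "LAN net", "*", "Allow ICMPv6 from LAN"),
    Rule("LAN", "tcp/udp", "LAN net", "*", "Allow TCP/UDP from LAN"),
]

# Constructed sample addresses in the documentation prefix, not real hosts.
LAN_HOST = "2001:db8:1::10"
REMOTE = "2001:db8:ffff::80"
OUTSIDER = "2001:db8:dead::1"


def run_scenarios(rules) -> dict:
    """Feed a fixed sequence of packets through a fresh firewall and collect verdicts."""
    fw = StatefulFirewall(rules)
    return {
        "lan_to_internet": fw.evaluate(Packet("LAN", "tcp", LAN_HOST, REMOTE, 51000, 443)),
        "reply_to_lan": fw.evaluate(Packet("WAN", "tcp", REMOTE, LAN_HOST, 443, 51000)),
        "lan_ping": fw.evaluate(Packet("LAN", "icmpv6", LAN_HOST, REMOTE)),
        "unsolicited_ssh": fw.evaluate(Packet("WAN", "tcp", OUTSIDER, LAN_HOST, 40000, 22)),
        "spoofed_source": fw.evaluate(Packet("LAN", "tcp", OUTSIDER, REMOTE, 40000, 80)),
    }


if __name__ == "__main__":
    for name, rules in (("single rule", SINGLE_RULESET), ("icmpv6 + tcp/udp", TWO_RULESET)):
        print(f"--- {name} ---")
        for scenario, verdict in run_scenarios(rules).items():
            print(f"{scenario:18s} {verdict}")
```

Running the block prints the verdicts for both rulesets; the point to notice is that the reply packet arriving on WAN passes only because of the state created by the outbound packet, while the unsolicited connection to port 22 and the packet with a source address outside the LAN prefix are both dropped, which is why "Source: LAN Net" rather than "*" is the safer form of the rule.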
« Reply #2 on: May 06, 2013, 18:59:47 »
aveiga *
Posts: 2

Thanks for the info.  I'll put together a document to post to mydeviceinfo.comcast.net with that ruleset and instructions.  Hopefully it gets fixed in a future release.  The more devices working with dual-stack, the better.
« Reply #3 on: May 06, 2013, 19:01:57 »
Fred Grayson *****
Posts: 994

Yer welcome.

--
Google is your friend and Bob's your uncle.