ER707-M2 IPV6 NAT and address reservation
Hi team!!!
I have an ER707-M2 IPV6 that correctly receives a fixed IPv6 prefix from the ISP and I want to assign an IPv6 address to a server connected to one of the ports.
To assign the address I can enable the DHCPv6 service, however I don't see how to reserve the address then. So it happens that the address changes.
How can I fix this issue?
Then, once I assign an address to the device, I see that there are no traffic restrictions-I don't need to do NAT. Is this correct?
If yes how do I limit the traffic to only port 443?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Thanks for posting in our business forum.
v6 does not have a DHCP reservation yet.
There is no firewall for the v6 yet. If you need to limit the traffic, you may consider the ACL.
- Copy Link
- Report Inappropriate Content
@Clive_A Ok, now it is clear.
Actually I don't need the DHCPv6.
SLAAC can be used as well. Simply the device choose its own address based on its mac address and it is static.
But it seems this address can't be reached from the public network. Only local machine can access the device.
So, I suppose that I need to configure something... any suggestion?
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
SDVConsulting wrote
@Clive_A Ok, now it is clear.
Actually I don't need the DHCPv6.
SLAAC can be used as well. Simply the device choose its own address based on its mac address and it is static.
But it seems this address can't be reached from the public network. Only local machine can access the device.
So, I suppose that I need to configure something... any suggestion?
Is it actually that you get a public v6 address?
What about the firewall settings on your local machine?
- Copy Link
- Report Inappropriate Content
@Clive_A
Yes, the ISP provide me a static prefix. So I can create as much subnet as I need and assing public address to my device.
As the IPv6 address are public, I hope there are no default limitation. In contrary, I wondering how to limit, but before to limit I want to see the device to be reacheable from the public network, so I did not configured any rule on the firewall right now.
Please let me know if I'm doing something wrong.
- Copy Link
- Report Inappropriate Content
@Clive_A
Anyway, I've added a access control rule but nothing happened:
Policy: Allow
Service Type: All
IP Type: IPv6
Direction: All
Source: IPV6GROUP_ANY
Destination: IPV6GROUP_ANY
Effectiv time: any
States: New, Established, Related
It should mean "no firewall" ...
- Copy Link
- Report Inappropriate Content
I tried enabling IPv6 from WAN (DHCPv6) with Prefix Delegation (for LAN). That works - hosts on LAN assigned address from delegated prefix.
But even when adding various allow all IPv6 traffic access control policies, it appears that IPv6 routing on router (ER707-M2, with 1.2.2 Build 20240324 Rel.42799 firmware) isn't properly set up as traceroutes report address or network address unreachable at the ER707-M2 router (packets get to router but no beyond it).
And testing with various Internet servies that check for IPv6 connection always report no IPv6 address for the host (on the LAN).
Has anyone had any success in getting this to work (ideally DHCPv6 with Prefix Delegation from ISP) to allow actual communication.
The router works great to handle two WANs - one active, one backup. But it be nice to make use of IPv6 ...
Thanks.
- Copy Link
- Report Inappropriate Content
My router is providing IPv6 address to my network. So any device correctly receive an IPv6 address via DHCPv6 protocol.
My ISP is providing one /64 subnet so I've assigned :1:: to my router and then I've configured DHCPv6 to assign addresses and it works.
If I browse https://whatismyipaddress.com/ I can see my pc IPv6 address.
There are two issues:
a) I can't reserve an address to a device, therefore it can be changed in time. But I can manually assign the address to the network interface on the device operating system. So this is a minor issue
b) even if IPv6 addresses are "public addresses" I did not found the way to allow the traffic incoming from the wan to reach the device.
Any firewall configuration I've tried fails.
- Copy Link
- Report Inappropriate Content
If you use SLAAC and make sure your device doesn't use privacy MAC addresses, the address should stay stable (based on MAC address). Or, as you indicate, you can also use a static address on the device instead of DHCP or SLAAC. You also want to disable temporary IPv6 addresses if the device is requesting them.
In theory, it would seem that a rule that only allows IPv6 incoming traffic to the device you want to put on the Internet should work (allow traffic to that address on the LAN from the WAN) and block anything else coming in from the WAN. It does open up all IPv6 traffic to that device, so you'd have to lock down the device itself using a firewall on that device.
It would be nice if there was a IPv6 firewall that by default allowed all out (from LAN to WAN) and blocked all in that isn't part of an outgoing request (similar to what is done for IPv4). Then, yes, adding port and IPv6 address based filtering for incoming traffic would be nice -- but the changing IPv6 addresses do make that a bit more challenging and may need to be tried to adding DHCPv6 reservations (which shouldn't be that big a deal).
I have a long background in IPv6 and implemented much of the Cisco Prime Network Registrar's DHCPv6 code and worked on many of the DHCP and DHCPv6 standards in the IETF.
In my case, my WAN port (2.5G WAN1) is set as follows:
IPV6: Enabled
Internet Connection Type: Dynamic IP (SLAAC/DHCPv6)
IPv6 Address: ...:402:3848:F6B:...:DAE7/64
Primary DNS: 2001:4860:4860::8888
Secondary DNS: 2001:4860:4860::8844
DUID: 03:03:00:01:...
Link-local Address: FE80::.../64
Advanced:
Get IPv6 Address: DHCPv6 checked
Prefix Delegation: Enable
Prefix Delegation Size: 56
DNS Address: Get dynamically from ISP checked
Primary DNS: 2001:4860:4860::8888
Secondary DNS: 2001:4860:4860::8844
My LAN is set as follows:
LAN(VLAN): 1
Assigned Type: SLAAC+Stateless DHCP
Prefix: Get from Prefix Delegation checked
IPv6 Prefix Delegation WAN: 2.5G WAN1
IPv6 Prefix ID: 1
Address Prefix: ...:2601::/64
DNS Address: Auto
Address: ...:2601:42ed:ff:...:141f/64
RA Priority: Medium
RA Valid Lifetime: 86400
RA Preferred Lifetime: 14400
My MAC (on the LAN) gets an proper IPv6 address (well, 2, one "permanent" and another "temporary").
Traceroute to the router's addresses (both on the WAN and LAN side) works.
Traceroute to an other IPv6 address returns !N in the traceroute (no route) from the ER707-M2's address. Hence, the ER707-M2 doesn't appear to route this out to the ISP's network as it should. I've tried various firewall access controls (some that prohibit, other's that allow) but no luck.
https://whatismyipaddress.com/ says no IPv6 address detected.
I do have load balancing enabled with a backup WAN which only provides IPv4 support; not sure if that might play a role in why my setup fails. I may disable that sometime soon and experiment a bit more to see if that perhaps impacts this in some way from working correctly.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 833
Replies: 8
Voters 0
No one has voted for it yet.