Geekzone: technology news, blogs, forums
17 posts

Geek


Topic # 146854 31-May-2014 10:52
Not sure if this is the best place to post this but the fritz box official forum is dead..

Anyway, here's the issue.

For IPv6 web browsing to work properly, you need to have ICMPv6 Type 2 forwarded to your internal devices. ICMP Type 2 is "Packet too big". IPv6 uses this ICMP type to achieve path MTU discovery, as IPv6 packets are not allowed to fragment.

If a hop on the route or the endpoint has an MTU that's smaller than the packet, the packet is dropped and an ICMP type 2 packet is sent back to the source IP with the node's MTU size. The source then resends a packet of that size until a packet finally reaches the destination, of a size that matches the smallest MTU on the path.

Still with me? That being the case, it's important to ensure ICMP type 2 packets can get into your network, otherwise your devices will never know their outbound packets are too big and the connection will fail.

On the fritz box, you can enable IPv6 port forwarding for your IPv6 hosts based on the interface address. You find this in Internet --> Allow access --> IPv6 tab. When you add a host from the drop down or type the interface address in manually, you have an option for "Ping6", which is a bit of a misnomer because ping is just one type of many ICMP types, and this rule seems to allow all ICMP types through. (there's also a bug that means you have to save then re-enter to delete the port 80 rule)

Ok great, so we can forward ICMP type 2 through the fritz to our internal devices.

BUT, and it's a huge but, some operating systems, like Android 4.2 onwards, iOS and Linux use "privacy extensions", that is to say when you make an outbound connection, the interface address is NOT the EUI64 address that you can see in the Fritz Box IPv6 port forwarding. Furthermore, you can't manually add your privacy interface address because it changes every hour.

Therefore, your incoming ICMP type 2 packets are dropped by the fritz box, as there's no inbound rule that matches the outgoing interface address.

In Windows and Linux, turning this feature off is trivial. I think in Windows it's off by default.

You can root your Android device and turn it off, but it's a bit hacky and beyond the scope of most home users, and you certainly don't want to be doing this to every android device that comes into your network. iOS you're stuffed whatever.

The issue this causes, is that some websites don't respond or respond sporadically. In my home network, with IPv6 on, I basically can't access Facebook on any mobile devices because of this. Visit a site like http://test-ipv6.com/ and you can see the issue in the report.

Devices with Privacy extensions switched off don't suffer from this as long as you've forwarded "ping6" in the fritz box as described above.

I am certainly not the only one who's experiencing this. I expect many Snap customers with Fritz boxes will be using IPv6 without even knowing it and will be having issues with IPv6 enabled sites like Facebook.

I would be very surprised if the fritz box developers aren't aware of this issue.

When setting up IPv6 on an enterprise network, using an enterprise grade firewall you have to create a rule like "from any ip6 address, to any ip6 address, allow icmp type2" in both directions across all your interfaces.

You just can't do this in the Fritz Box.

I can't be the only one who's struck this, so I must be missing something. Help please!
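An added example, not from this thread or from AVM, that models the two firewall policies the post contrasts: a per-host "Ping6" rule keyed on the listed EUI-64 address versus a prefix-wide "allow ICMPv6 type 2" rule with the sanity checks a firewall can still apply (destination inside the LAN prefix, embedded invoking packet consistent with the outer destination, MTU not below 1280). The prefix, addresses and the rule models are constructed assumptions.

```python
import ipaddress
import struct

# Constructed sample values, not taken from the thread: a LAN /64, the EUI-64
# address the router's forwarding page would list for a host, one of that
# host's temporary (privacy extension) addresses, and a remote server.
LAN_PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")
EUI64_ADDR = ipaddress.IPv6Address("2001:db8:1234:5678:1a2b:3cff:fe4d:5e6f")
TEMP_ADDR = ipaddress.IPv6Address("2001:db8:1234:5678:9c1d:2e3f:4a5b:6c7d")
REMOTE = ipaddress.IPv6Address("2001:db8:ffff::10")
IPV6_MIN_MTU = 1280  # no IPv6 link may have a smaller MTU (RFC 8200)

def build_packet_too_big(orig_src, orig_dst, mtu):
    """ICMPv6 type 2 body as a router would send it back to orig_src: type, code,
    checksum (left 0 here), 32-bit MTU, then the start of the invoking packet
    (its 40-byte IPv6 header: version 6, payload length, next header TCP, hop limit)."""
    icmp = struct.pack("!BBHI", 2, 0, 0, mtu)
    inner = struct.pack("!IHBB", 0x60000000, 1460, 6, 64) + orig_src.packed + orig_dst.packed
    return icmp + inner

def parse_packet_too_big(payload):
    """Return (mtu, inner_src, inner_dst), or None if this is not a well-formed PTB."""
    if len(payload) < 8 + 40:
        return None
    icmp_type, code, _csum, mtu = struct.unpack("!BBHI", payload[:8])
    if icmp_type != 2 or code != 0:
        return None
    return mtu, ipaddress.IPv6Address(payload[16:32]), ipaddress.IPv6Address(payload[32:48])

def per_host_rule(outer_dst, allowed_hosts):
    """Model (assumed) of a per-host 'Ping6' forwarding rule: the inbound packet is
    only admitted if its destination is one of the addresses the user listed."""
    return outer_dst in allowed_hosts

def prefix_rule(outer_dst, payload, lan_prefix):
    """Model of the 'any to any, allow ICMPv6 type 2' rule plus sanity checks: the
    destination is inside our prefix, the embedded invoking packet really came from
    that destination, and the advertised MTU is not below the IPv6 minimum."""
    parsed = parse_packet_too_big(payload)
    if parsed is None or outer_dst not in lan_prefix:
        return False
    mtu, inner_src, _inner_dst = parsed
    return inner_src == outer_dst and mtu >= IPV6_MIN_MTU

if __name__ == "__main__":
    ptb = build_packet_too_big(TEMP_ADDR, REMOTE, 1280)
    print("per-host rule admits PTB to temp address:", per_host_rule(TEMP_ADDR, {EUI64_ADDR}))  # False
    print("prefix rule admits it:", prefix_rule(TEMP_ADDR, ptb, LAN_PREFIX))  # True
```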

BDFL - Memuneh
59180 posts

Uber Geek
+1 received by user: 10414

Administrator
Trusted
Geekzone
Subscriber

  Reply # 1056997 31-May-2014 11:15
Moved this to the LAN/Routers forum as it's not a Snap specific post, it seems.

17 posts

Geek


  Reply # 1057013 31-May-2014 11:52
I guess not, but there won't be many in NZ using a Fritz box with IPv6 who are not on Snap.

2032 posts

Uber Geek
+1 received by user: 649

Subscriber

  Reply # 1057071 31-May-2014 13:45
Thanks for this splodge.
I'm on Snap UFB using an Edge Router Lite instead of the fritz box. Haven't bothered setting up IPv6 yet due to all the threads saying it causes problems and the only fix being suggested being "turn off IPv6". Now when I get round to setting it up I know what to do to get IPv6 working properly.

17 posts

Geek


  Reply # 1057154 31-May-2014 17:09
Ok, so I have found a suitable workaround for this issue.

In the Fritz box, go Internet --> Account Information --> IPv6 tab and scroll to the bottom. Click Set MTU manually and leave it at 1280 bytes and click Apply. This now sets the MTU size of the client machines via Router Advertisement to be 1280, the smallest possible MTU, so your client devices will never create a condition that causes a packet too big ICMP message to be returned.

It's not ideal that you have to effectively break a fundamental rule of IPv6 and create unnecessary overhead with a small MTU to get IPv6 working properly on a Fritz Box, but it is what it is I guess. Snap should be setting this option for all users by default until such time as AVM release a properly IPv6 compatible firmware.
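An added example, not from this thread or from AVM, showing the mechanism the workaround relies on: the router's ICMPv6 Router Advertisement carries an MTU option (type 5) that hosts copy into their link MTU, and per RFC 4861 a host only honours a value between 1280 and the interface maximum. The RA bytes and the link-layer address are constructed.

```python
import struct

IPV6_MIN_MTU = 1280
ND_OPT_MTU = 5  # RFC 4861 option type for the MTU option
ICMPV6_ROUTER_ADVERTISEMENT = 134

def build_router_advertisement(mtu, with_sllao=True):
    """Constructed RA: 16-byte ICMPv6 header (type, code, checksum left 0, cur hop
    limit, flags, router lifetime, reachable time, retrans timer), then TLV options."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    opts = b""
    if with_sllao:
        # Source Link-Layer Address option (type 1, length 1 = 8 bytes), made-up MAC
        opts += struct.pack("!BB6s", 1, 1, bytes.fromhex("1a2b3c4d5e6f"))
    # MTU option: type 5, length 1 (8 bytes), 2 reserved bytes, 32-bit MTU
    opts += struct.pack("!BBHI", ND_OPT_MTU, 1, 0, mtu)
    return hdr + opts

def advertised_mtu(ra):
    """Walk the options after the RA header; return the MTU option value or None."""
    if len(ra) < 16 or ra[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    pos = 16
    while pos + 2 <= len(ra):
        opt_type, opt_len = ra[pos], ra[pos + 1]
        if opt_len == 0:  # RFC 4861: a zero-length option makes the whole RA invalid
            return None
        end = pos + opt_len * 8  # option length is in units of 8 bytes
        if opt_type == ND_OPT_MTU and opt_len == 1 and end <= len(ra):
            return struct.unpack("!I", ra[pos + 4:pos + 8])[0]
        pos = end
    return None

def link_mtu_after_ra(ra, interface_max_mtu=1500, current=1500):
    """RFC 4861 6.3.4: a host copies the option into LinkMTU only if the value is
    >= 1280 and <= the interface maximum; otherwise it keeps its current value."""
    mtu = advertised_mtu(ra)
    if mtu is None or mtu < IPV6_MIN_MTU or mtu > interface_max_mtu:
        return current
    return mtu

if __name__ == "__main__":
    # The Fritz!Box workaround from the thread: advertise 1280 so hosts never send larger packets
    print("link MTU after RA:", link_mtu_after_ra(build_router_advertisement(1280)))  # 1280
```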

73 posts

Master Geek
+1 received by user: 5

Subscriber

  Reply # 1057448 1-Jun-2014 11:27
Have you tried using tracepath6 (linux) to see if you can 'get away' with a larger value than the min spec you've set ?

'That VDSL Cat'
6761 posts

Uber Geek
+1 received by user: 1281

Trusted
Spark
Subscriber

  Reply # 1057453 1-Jun-2014 11:44
This is an interesting workaround indeed.

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


SCM

456 posts

Ultimate Geek
+1 received by user: 46


  Reply # 1057577 1-Jun-2014 15:11
Interesting indeed.

Just as interesting was when I went to apply this workaround. Though the MTU options were not selected, the greyed out MTU value was already 1280.

Time to hit up some sites I've been having issues with....

17 posts

Geek


  Reply # 1057661 1-Jun-2014 18:39
nickt: Have you tried using tracepath6 (linux) to see if you can 'get away' with a larger value than the min spec you've set ?

You're always going to end up finding MTUs of 1280 on the IPv6 Internet. 1280 MTU is the standard for any tunnelled IPv6 over IPv4 type setup.
