Geekzone: technology news, blogs, forums




17 posts

Geek


Topic # 146854 31-May-2014 10:52

Not sure if this is the best place to post this but the fritz box official forum is dead..

Anyway, here's the issue.

For IPv6 web browsing to work properly, you need to have ICMPv6 Type 2 forwarded to your internal devices. ICMP Type 2 is "Packet too big". IPv6 uses this ICMP type to achieve path MTU discovery, as IPv6 packets are not allowed to fragment.

If a hop on the route or the endpoint has an MTU that's smaller than the packet, the packet is dropped and an ICMP type 2 packet is sent back to the source IP with the node's MTU size. The source then resends a packet of that size until a packet finally reaches the destination, of a size that matches the smallest MTU on the path.

Still with me? That being the case, it's important to ensure ICMP type 2 packets can get into your network, otherwise your devices will never know their outbound packets are too big and the connection will fail.

On the fritz box, you can enable IPv6 port forwarding for your IPv6 hosts based on the interface address. You find this in Internet --> Allow access --> IPv6 tab. When you add a host from the drop down or type the interface address in manually, you have an option for "Ping6", which is a bit of a misnomer because ping is just one type of many ICMP types, and this rule seems to allow all ICMP types through. (There's also a bug that means you have to save then re-enter to delete the port 80 rule.)

Ok great, so we can forward ICMP type 2 through the fritz to our internal devices.

BUT, and it's a huge but, some operating systems, like Android 4.2 onwards, iOS and Linux use "privacy extensions", that is to say when you make an outbound connection, the interface address is NOT the EUI64 address that you can see in the Fritz Box IPv6 port forwarding. Furthermore, you can't manually add your privacy interface address because it changes every hour.

Therefore, your incoming ICMP type 2 packets are dropped by the fritz box, as there's no inbound rule that matches the outgoing interface address.

In Windows and Linux, turning this feature off is trivial. I think in Windows it's off by default.

You can root your Android device and turn it off, but it's a bit hacky and beyond the scope of most home users, and you certainly don't want to be doing this to every android device that comes into your network. iOS you're stuffed whatever.

The issue this causes is that some websites don't respond or respond sporadically. In my home network, with IPv6 on, I basically can't access Facebook on any mobile devices because of this. Visit a site like http://test-ipv6.com/ and you can see the issue in the report.

Devices with privacy extensions switched off don't suffer from this as long as you've forwarded "ping6" in the fritz box as described above.

I am certainly not the only one who's experiencing this. I expect many Snap customers with Fritz boxes will be using IPv6 without even knowing it and will be having issues with IPv6 enabled sites like Facebook.

I would be very surprised if the fritz box developers aren't aware of this issue.

When setting up IPv6 on an enterprise network, using an enterprise grade firewall you have to create a rule like "from any ip6 address, to any ip6 address, allow icmp type2" in both directions across all your interfaces.

You just can't do this in the Fritz Box.

I can't be the only one who's struck this, so I must be missing something. Help please!

BDFL - Memuneh
60271 posts

Uber Geek
+1 received by user: 11332

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1056997 31-May-2014 11:15


17 posts

Geek


  Reply # 1057013 31-May-2014 11:52

I guess not, but there won't be many in NZ using a Fritz box with IPv6 who are not on Snap.

 
 
 
 


2575 posts

Uber Geek
+1 received by user: 946

Subscriber

  Reply # 1057071 31-May-2014 13:45

Thanks for this splodge.
I'm on Snap UFB using an Edge Router Lite instead of the fritz box. Haven't bothered setting up IPv6 yet due to all the threads saying it causes problems and the only fix being suggested being "turn off IPv6". Now when I get round to setting it up I know what to do to get IPv6 working properly.



17 posts

Geek


  Reply # 1057154 31-May-2014 17:09

Ok, so I have found a suitable workaround for this issue.

In the Fritz box, go Internet --> Account Information --> IPv6 tab and scroll to the bottom. Click Set MTU manually and leave it at 1280 bytes and click Apply. This now sets the MTU size of the client machines via Router Advertisement to be 1280, the smallest possible MTU, so your client devices will never create a condition that causes a packet too big ICMP message to be returned.

It's not ideal that you have to effectively break a fundamental rule of IPv6 and create unnecessary overhead with a small MTU to get IPv6 working properly on a Fritz Box, but it is what it is I guess. Snap should be setting this option for all users by default until such time as AVM release a properly IPv6 compatible firmware.
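
Added example, not part of the thread and not AVM's code: a small model of the path MTU discovery failure described in the first post and of the MTU 1280 workaround above. The hop MTUs, the addresses and the function names are constructed for illustration; the allow list stands in for hosts that have the "Ping6" rule.

```python
# Constructed model of IPv6 PMTUD behind a router that forwards inbound
# ICMPv6 only to allow-listed hosts. All names and addresses are hypothetical.
IPV6_MIN_MTU = 1280  # smallest MTU any IPv6 link may have

# Sample data (constructed): per-hop MTUs with one tunnelled hop at 1280.
PATH = [1500, 1480, 1280, 1500]
EUI64 = "2001:db8::211:22ff:fe33:4455"     # address listed in the router UI
PRIVACY = "2001:db8::9c1e:7a02:55d3:10f4"  # temporary address used outbound
ALLOWED = {EUI64}                          # hosts with the "Ping6" rule


def send(size, src, path, allowed):
    """Return ('delivered', None), ('too_big', mtu) or ('lost', None)."""
    for mtu in path:
        if size > mtu:
            # IPv6 routers do not fragment: drop and send Packet Too Big.
            # The home router passes that error on only for allowed hosts.
            return ("too_big", mtu) if src in allowed else ("lost", None)
    return ("delivered", None)


def connect(src, link_mtu, path=PATH, allowed=ALLOWED, max_tries=5):
    """Sender-side PMTUD: start at the link MTU, shrink on each error."""
    size = link_mtu
    for attempt in range(1, max_tries + 1):
        status, reported = send(size, src, path, allowed)
        if status == "delivered":
            return {"ok": True, "pmtu": size, "attempts": attempt}
        if status == "too_big":
            size = max(reported, IPV6_MIN_MTU)
        # 'lost': nothing comes back, so the same size is retransmitted
    return {"ok": False, "pmtu": None, "attempts": max_tries}


if __name__ == "__main__":
    print("EUI-64, MTU 1500: ", connect(EUI64, 1500))
    print("privacy, MTU 1500:", connect(PRIVACY, 1500))
    print("privacy, MTU 1280:", connect(PRIVACY, 1280))
```

The second case is the black hole: the sender never learns the path MTU and keeps retransmitting full-size packets. Adding the privacy address to the allow list models the "allow ICMP type 2 from any to any" rule mentioned for enterprise firewalls.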

81 posts

Master Geek
+1 received by user: 9

Subscriber

  Reply # 1057448 1-Jun-2014 11:27

Have you tried using tracepath6 (linux) to see if you can 'get away' with a larger value than the min spec you've set ?

'That VDSL Cat'
7745 posts

Uber Geek
+1 received by user: 1567

Trusted
Spark
Subscriber

  Reply # 1057453 1-Jun-2014 11:44

this is an interesting work around indeed..




#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


SCM

457 posts

Ultimate Geek
+1 received by user: 46


  Reply # 1057577 1-Jun-2014 15:11

Interesting indeed.

Just as interesting was when I went to apply this workaround. Though the MTU options were not selected, the greyed out MTU value was already 1280.

Time to hit up some sites I've been having issues with....





 

 




17 posts

Geek


  Reply # 1057661 1-Jun-2014 18:39

nickt: Have you tried using tracepath6 (linux) to see if you can 'get away' with a larger value than the min spec you've set ?

You're always going to end up finding MTUs of 1280 on the IPv6 Internet. 1280 MTU is the standard for any tunnelled IPv6 over IPv4 type setup.
