Geekzone: technology news, blogs, forums




17 posts

Geek


Topic # 146854 31-May-2014 10:52

Not sure if this is the best place to post this but the fritz box official forum is dead..

Anyway, here's the issue.

For IPv6 web browsing to work properly, you need to have ICMPv6 Type 2 forwarded to your internal devices. ICMP Type 2 is "Packet too big". IPv6 uses this ICMP type to achieve path MTU discovery, as IPv6 packets are not allowed to fragment.

If a hop on the route or the endpoint has an MTU that's smaller than the packet, the packet is dropped and an ICMP type 2 packet is sent back to the source IP with the node's MTU size. The source then resends a packet of that size until a packet finally reaches the destination, of a size that matches the smallest MTU on the path.

Still with me? That being the case, it's important to ensure ICMP type 2 packets can get into your network, otherwise your devices will never know their outbound packets are too big and the connection will fail.

On the fritz box, you can enable IPv6 port forwarding for your IPv6 hosts based on the interface address. You find this in Internet --> Allow access --> IPv6 tab. When you add a host from the drop down or type the interface address in manually, you have an option for "Ping6", which is a bit of a misnomer because ping is just one type of many ICMP types, and this rule seems to allow all ICMP types through. (there's also a bug that means you have to save then re-enter to delete the port 80 rule)

Ok great, so we can forward ICMP type 2 through the fritz to our internal devices.

BUT, and it's a huge but, some operating systems, like Android 4.2 onwards, iOS and Linux use "privacy extensions", that is to say when you make an outbound connection, the interface address is NOT the EUI64 address that you can see in the Fritz Box IPv6 port forwarding. Furthermore, you can't manually add your privacy interface address because it changes every hour.

Therefore, your incoming ICMP type 2 packets are dropped by the fritz box, as there's no inbound rule that matches the outgoing interface address.

In Windows and Linux, turning this feature off is trivial. I think in Windows it's off by default.

You can root your Android device and turn it off, but it's a bit hacky and beyond the scope of most home users, and you certainly don't want to be doing this to every android device that comes into your network. iOS you're stuffed whatever.

The issue this causes is that some websites don't respond or respond sporadically. In my home network, with IPv6 on, I basically can't access Facebook on any mobile devices because of this. Visit a site like http://test-ipv6.com/ and you can see the issue in the report.

Devices with Privacy extensions switched off don't suffer from this as long as you've forwarded "ping6" in the fritz box as described above.

I am certainly not the only one who's experiencing this. I expect many Snap customers with Fritz boxes will be using IPv6 without even knowing it and will be having issues with IPv6 enabled sites like Facebook.

I would be very surprised if the fritz box developers aren't aware of this issue.

When setting up IPv6 on an enterprise network, using an enterprise grade firewall you have to create a rule like "from any ip6 address, to any ip6 address, allow icmp type2" in both directions across all your interfaces.

You just can't do this in the Fritz Box.

I can't be the only one who's struck this, so I must be missing something. Help please!

BDFL - Memuneh
58919 posts

Uber Geek
+1 received by user: 10292

Administrator
Trusted
Geekzone
Subscriber

  Reply # 1056997 31-May-2014 11:15

Moved this to the LAN/Routers forum as it's not a Snap specific post, it seems.







17 posts

Geek


  Reply # 1057013 31-May-2014 11:52

I guess not, but there won't be many in NZ using a Fritz box with IPv6 who are not on Snap.

 
 
 
 


1905 posts

Uber Geek
+1 received by user: 602

Subscriber

  Reply # 1057071 31-May-2014 13:45

Thanks for this splodge.
I'm on Snap UFB using an Edge Router Lite instead of the fritz box. Haven't bothered setting up IPv6 yet due to all the threads saying it causes problems and the only fix being suggested being "turn off IPv6". Now when I get round to setting it up I know what to do to get IPv6 working properly.



17 posts

Geek


  Reply # 1057154 31-May-2014 17:09

Ok, so I have found a suitable workaround for this issue.

In the Fritz box, go Internet --> Account Information --> IPv6 tab and scroll to the bottom. Click Set MTU manually and leave it at 1280 bytes and click Apply. This now sets the MTU size of the client machines via Router Advertisement to be 1280, the smallest possible MTU, so your client devices will never create a condition that causes a packet too big ICMP message to be returned.

It's not ideal that you have to effectively break a fundamental rule of IPv6 and create unnecessary overhead with a small MTU to get IPv6 working properly on a Fritz Box, but it is what it is I guess. Snap should be setting this option for all users by default until such time as AVM release a properly IPv6 compatible firmware.
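An added illustration, not part of any post in this thread: a small Python model of the path MTU discovery failure described in the first post and of the 1280-byte workaround above. The per-host filter models the behaviour as the posts describe it; the prefix, MAC address, temporary address and path MTUs are constructed sample values, and all function names are hypothetical.

```python
import ipaddress

PACKET_TOO_BIG = 2      # ICMPv6 type 2
IPV6_MIN_MTU = 1280     # smallest MTU every IPv6 link must support

def eui64_iid(mac):
    """Modified EUI-64 interface ID for a MAC address, as a 64-bit int."""
    b = bytes(int(x, 16) for x in mac.split(":"))
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def iid(addr):
    """Low 64 bits (interface ID) of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & (2**64 - 1)

def per_host_rule(allowed_iids):
    """Inbound ICMPv6 allowed only to configured interface IDs (as the post describes)."""
    return lambda dst, icmp_type: iid(dst) in allowed_iids

def any_to_any_type2(dst, icmp_type):
    """'from any, to any, allow ICMPv6 type 2', the enterprise-style rule."""
    return icmp_type == PACKET_TOO_BIG

def send(src, size, path_mtus, inbound_ok):
    """Path MTU discovery from src. Returns (outcome, final_size, attempts)."""
    attempts = 0
    while True:
        attempts += 1
        hop_mtu = next((m for m in path_mtus if m < size), None)
        if hop_mtu is None:
            return ("delivered", size, attempts)
        # That hop drops the packet and reports its MTU in a Packet Too Big.
        if not inbound_ok(src, PACKET_TOO_BIG):
            return ("blackholed", size, attempts)  # sender never learns the MTU
        size = hop_mtu

# Constructed sample data: documentation prefix, made-up MAC, path and addresses.
PATH = [1500, 1480, 1280]
STABLE = "2001:db8:1:1:211:22ff:fe33:4455"    # EUI-64 address of 00:11:22:33:44:55
PRIVACY = "2001:db8:1:1:5c3a:9e01:77b2:4d10"  # temporary (privacy extension) address
HOST_RULE = per_host_rule({eui64_iid("00:11:22:33:44:55")})

def scenarios():
    return {
        "stable address, per-host rule": send(STABLE, 1500, PATH, HOST_RULE),
        "privacy address, per-host rule": send(PRIVACY, 1500, PATH, HOST_RULE),
        "privacy address, any-to-any type 2": send(PRIVACY, 1500, PATH, any_to_any_type2),
        "privacy address, RA MTU 1280": send(PRIVACY, IPV6_MIN_MTU, PATH, HOST_RULE),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Only the second scenario fails: the Packet Too Big is addressed to an interface ID the per-host rule does not list, so the sender keeps its 1500-byte size and the connection stalls.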

71 posts

Master Geek
+1 received by user: 5

Subscriber

  Reply # 1057448 1-Jun-2014 11:27

Have you tried using tracepath6 (linux) to see if you can 'get away' with a larger value than the min spec you've set ?

'That VDSL Cat'
6513 posts

Uber Geek
+1 received by user: 1242

Trusted
Spark
Subscriber

  Reply # 1057453 1-Jun-2014 11:44

this is an interesting work around indeed..




#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


SCM

456 posts

Ultimate Geek
+1 received by user: 46


  Reply # 1057577 1-Jun-2014 15:11

Interesting indeed.

Just as interesting was when I went to apply this workaround. Though the MTU options were not selected, the greyed out MTU value was already 1280.

Time to hit up some sites I've been having issues with....





 

 




17 posts

Geek


  Reply # 1057661 1-Jun-2014 18:39

nickt: Have you tried using tracepath6 (linux) to see if you can 'get away' with a larger value than the min spec you've set ?

You're always going to end up finding MTUs of 1280 on the IPv6 Internet. 1280 MTU is the standard for any tunnelled IPv6 over IPv4 type setup.
