Fritzbox 7390 - IPv6 forwarding not allowed despite forwarded and ports open

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Fritzbox 7390 - IPv6 forwarding not allowed despite forwarded and ports open

Benoire

2878 posts

Uber Geek
+1 received by user: 681

#195462 20-Apr-2016 19:01

I'm trying to access my Owncloud server from the internet via IPv6. I'm with 2degreesbroadband now and have a static /56 ipv6. The 7390 is connected via IPv6 and all the servers on the network have an IPv6 address that is valid. I can access the owncloud login via IPV6, IPv4 or the hostname so all is good. It's been added to my DNS server too.

I've set the IPv6 forwarding up in the fritzbox, opened port 80 and 443 etc. I've also added the address to my registrar so I can do my hostname properly owncloud.domain.com for example, but when trying to ping the IPv6 address from the internet it won't work. Using the online websites that can ping for you, I get the following:

PING Owncloud server IP(Owncloud server IP) 32 data bytes
From Router IP Address icmp_seq=0 Destination unreachable: Administratively prohibited
From Router IP Address icmp_seq=1 Destination unreachable: Administratively prohibited
From Router IP Address icmp_seq=2 Destination unreachable: Administratively prohibited
From Router IP Address icmp_seq=3 Destination unreachable: Administratively prohibited

I've removed the Router IP Address from the results but that is what it shows, and it won't get past the router despite the ports being open.

Anyone else using a 7390 and port forwarding IPv6?

Cheers,

Chris

1 | 2

584 posts

Ultimate Geek
+1 received by user: 153

ID Verified

#1536923 20-Apr-2016 19:10

So your using in Fritzbox settings

- Internet

- Permit Access

- IPv6 Port Forwarding...

Dean

Benoire

2878 posts

Uber Geek
+1 received by user: 681

#1536926 20-Apr-2016 19:12

yes; IPv4 port forward works fine as that is currently being sent to my load balancers for the mail servers... Just not IPv6, its being blocked by the router for some reason by the looks of it.

Eitsop

584 posts

Ultimate Geek
+1 received by user: 153

ID Verified

#1536927 20-Apr-2016 19:13

And are you doing a ping6 or ping -6

Benoire

2878 posts

Uber Geek
+1 received by user: 681

#1536938 20-Apr-2016 19:28

from my work pc which is windows powered (and I was at work) I used ping -6, and also using various online sites such as SubnetOnline.com and their IPv6 pinger.

Eitsop

584 posts

Ultimate Geek
+1 received by user: 153

ID Verified

#1536940 20-Apr-2016 19:32

And you enabled ping echo?

Benoire

2878 posts

Uber Geek
+1 received by user: 681

#1536944 20-Apr-2016 19:37

I believe so as the Ubuntu firewall is not enabled; I presume this is the case as it doesn't appear to be getting a reply from the server at all... The port forward setting has Ping6 enabled.

HP

Shop now for HP laptops and other devices (affiliate link).

Eitsop

584 posts

Ultimate Geek
+1 received by user: 153

ID Verified

#1536949 20-Apr-2016 19:48

can you ping from internal network?

Benoire

2878 posts

Uber Geek
+1 received by user: 681

#1536998 20-Apr-2016 20:52

Yes, both IPv4, IPv6 and by hostname (FQDN). I can also access the owncloud server using the IPv6 address from the address bar of IE11; its simply accessing the server from the outside world seems to get stuck at the router.

Eitsop

584 posts

Ultimate Geek
+1 received by user: 153

ID Verified

#1537027 20-Apr-2016 21:20

Hmm.. well I just pinged my folks apple extreme from my place via ping6

I did have all ports open though.. have you opened it to all ports?

Benoire

2878 posts

Uber Geek
+1 received by user: 681

#1537029 20-Apr-2016 21:22

I've tried both options; all ports and only ports 80/443... Neither work from the outside.

How is your folks apple extreme connected to the internet? My 7390 will allow me OUT via IPv6, but its not accepting incoming connections.

fe31nz

1294 posts

Uber Geek
+1 received by user: 423

#1537043 20-Apr-2016 21:45

Pings and port forwarding are completely different things. If may be that the FritzBox is not responding to an IPv6 ping for some reason, but the IPv6 ports are likely to be open. Pings are usually done using an ICMP ECHO_REQUEST packet and expecting an ICMP ECHO_RESPONSE packet, so your firewall has to pass those ICMP packets in the appropriate directions. The rules for passing ICMP packets are completely different from the ones passing TCP packets, so to get IPv6 ping to work, you need to allow those ICMPv6 packets as well as setting up the port forwarding rules.

I use tcptraceroute6 from one of my Linux boxes to check if a TCP port is open. That uses TCP SYN packets to the specified port, so it works on just that port, and does not involve pings. To test your firewall, you can try using similar tools from sites like this:

http://www.subnetonline.com

Unfortunately, there seems to be no comparable tool to tcptraceroute6 available for Windows. There is an IPv4 one (tracetcp).

You can also use ncat (netcat) if you just want to do a just port ping rather than a trace. There are Windows versions of ncat that do IPv6, but virus checkers often object to installing ncat as it can be used for various attacks on sites. I have forgotten the ncat command for this, but I am sure there is a web page out there that can tell you.

Dyson

Shop now for Dyson appliances (affiliate link).

Benoire

2878 posts

Uber Geek
+1 received by user: 681

#1537046 20-Apr-2016 21:52

fe31nz:

Pings and port forwarding are completely different things. If may be that the FritzBox is not responding to an IPv6 ping for some reason, but the IPv6 ports are likely to be open. Pings are usually done using an ICMP ECHO_REQUEST packet and expecting an ICMP ECHO_RESPONSE packet, so your firewall has to pass those ICMP packets in the appropriate directions. The rules for passing ICMP packets are completely different from the ones passing TCP packets, so to get IPv6 ping to work, you need to allow those ICMPv6 packets as well as setting up the port forwarding rules.

I use tcptraceroute6 from one of my Linux boxes to check if a TCP port is open. That uses TCP SYN packets to the specified port, so it works on just that port, and does not involve pings. To test your firewall, you can try using similar tools from sites like this:

http://www.subnetonline.com

Unfortunately, there seems to be no comparable tool to tcptraceroute6 available for Windows. There is an IPv4 one (tracetcp).

You can also use ncat (netcat) if you just want to do a just port ping rather than a trace. There are Windows versions of ncat that do IPv6, but virus checkers often object to installing ncat as it can be used for various attacks on sites. I have forgotten the ncat command for this, but I am sure there is a web page out there that can tell you.

I've been using that site; its how I got the details of the ping being blocked by the router. If I use the port scanner on the site and scan for 443 on the IP it states its not connected, which seems to correlate with the fact that the router is blocking the port forward.

fe31nz

1294 posts

Uber Geek
+1 received by user: 423

#1537057 20-Apr-2016 22:11

Just to confirm the basics, you do have access to external IPv6 sites working? So "ping -6 google.com" and "tracert -6 google.com" from Windows both work and when you go to http://www.facebook.com it is still working? The Facebook site returns long IPv6 packets, so it is an excellent site to use to check that IPv6 is fully operational and that MTU discovery is working. If it gives you partial pages or nothing at all, then you likely have MTU problems.

Benoire

2878 posts

Uber Geek
+1 received by user: 681

#1537061 20-Apr-2016 22:15

Yes, IPv6 is setup and working fine from my connection; Geekzone displays the IPv6 logo beside the site name too. They also work from the Ubuntu installation serving owncloud. As before I can also access owncloud using the IPv6 address internally.

fe31nz

1294 posts

Uber Geek
+1 received by user: 423

#1537093 20-Apr-2016 22:45

The next step might be to confirm that the FritzBox is where the problem is. If you go to this hidden page on your FritzBox:

http://<your_fritzbox_address>/support.lua

and click on "Packet traces", that gives you a web page that allows you to capture the traffic from the various network interfaces of the FritzBox. You need to capture the packets from the "Internet connection" and the "lan" ports at the same time while you try using the tools from SubnetOnline to access your ports. Make sure that you do not have much other traffic going through the FritzBox or it will have problems sending the packet captures to your web browser due to overloading of the Ethernet connection. Once you have the captures, you can use Wireshark (http://www.wireshark.org) to read the packet captures and see what IPv6 traffic is happening. If you can see the incoming IPv6 TCP SYN packets for ports 80 and 443 in the Internet Connection packets, but not on the LAN port, then that is proof that the FritzBox is the problem.

I have a 7390 myself, but I only use it for VOIP - it is hidden away inside my network behind my Ubiquiti ERLite routers. So I can not test whether it really does IPv6 port forwarding properly.

1 | 2