Setting up IPv6 on a ER7172PC router?
I'm trying to setup IPv6 for the first time with this router. My first time with a TP-Link router, but experienced with others.
The ISP is also brand new (still installing fiber), so it's hard to tell where the issues are.
I setup the WAN and with DHCP, get a valid address (per the setup page); different every time, but that's expected.
There does seem to be a mac-based EUI64 address assigned as well.
I don't see a gateway being assigned, however. That seems like the first problem to attack. Can I trust the GUI? it just shows a hyphen.
I can not ping that address from here (the router is remote). (My IPv6 here works fine, for years. Not tp-link gear.)
I can't access the router configuration pages directly from here.
If I connect to a PC behind the router, test-ipv6.com reports no IPv6 connectivity from it. But I can ping the router's IPv6 address. And access the config (Omaa SDN "controller" pages.)
I have the LAN set to supply SLAAC-RDNSS from prefix delegation, whichis a bit weird sincec the ISP only gives a /64. But that should work..
Note that IPv4 works as expected. Unfortunately, behind an ISP (but not carrier grade) NAT.
Questions:
- Is there any other setting that would prevent the router itself from processing external pings/connections to its internal webserver? (IPv4 and v6)
- Is an ACL required for this? If so, how is it setup?
- I don't see anything helpful in the logs. Is there a way to turn up the logging level for debugging? Not being physically at the site, packet trace isn't a viable option.
- I got lost in the menus trying to see if I will need to setup other enabling rules for IPv6. Just the defaults are present. I see how to setup an IPv6 group (and have), but I get
- lost the the GUI for the firewall - it seems very IPv4 oriented. (I'm very familiar with iptables, so it seems like an overlay of that.)
Amy clues from those who've been here before would be appreciated...
Thanks.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @tlhackque
Thanks for posting in our business forum.
IPv6 does not have a firewall. IPv4 has. Only on WAN IP. Block ping from WAN in the firewall settings.
ACL setup is a generic question that can be answered by the User Guide. It's intuitive and you should set it up based on what you need. IPv6 is also supported on some models. Be sure you check the release note before you set it up.
Set up your log server.
System is currently focusing on the v4. v6 is gradually added over the updates.
- Copy Link
- Report Inappropriate Content
Yes, I read the (400 page) manual before posting. And did research as best I could. I tried to provide context for my questions, but perhaps that made things unclear.
I do appreciate your taking the time to reply.
Among other things:
What's intuitive to you isn't necessarily to me. I've decades of experience in the industry, but the GUI in this device keeps leading me astray. It uses a different vocabulary, and assumes a tp-link culture. It's not intuitive, but I'm learning. I'm certainly open to help with that.
I have a very simple setup. This router, and an EAP245 access point. PC, printer, voice on the LAN. That's it. No VLANs (yet) - just going for basic operation.
I can not access WAN from behind the router via IPv6. Nor ping the router from the WAN. The ISP of course thinks it's a router issue. I see the missing gateway, and suspect the ISP's DHCP is not providing a gateway address. Assuming the display is accurate.
Can I trust it? Have you, or anyone, used DHCP to get a WAN address and seen a gateway address in that space? Just that information would be very helpful.
Can I get debug-level logs displayed on the device?
I wish I could setup a log server - unfortunately, the only computes on the site are a desktop windows PC. I did setup the router to e-mail logs - the internal log has the helpful message "failed to email log to ...". No indication of WHY it failed. Sending a test-email worked, of course.
Even IF I could setup a log sever, can I specity the logging level? The 4 references to "log server" in th documentation provide no evidence that I can get the detail necessary to understand this issue. Just that there's a checkbox for "client" detail. I need the detail of the router's exchange with the ISP over the WAN. (There must be syslog for windows, though a desktop PC that gets turned off at night isn't a great choice..)
I wish I could just plug in a packet trace to the WAN - but the site is 3 hours away!
I can't tell whether the router itself (meaning the GUI, ping responses, etc) is considered part of the WAN, the LAN, or distinct from both. This particularly applies to the firewall/ACL rules.
I can not find a place to setup an IPv6 static route. The manual shows (on page 267) that there's a radio button to select IPv4 or IPv6. But the section is on managed devices. So is the router itself not a managed device? Does "switch" only apply to separate physical tp-link switches? But not the switch in the router? (Which is called a switch in the manual.)
Anyhow, there is no such button on the router. You can also see that on the emulator (though it's not current). The page on the actual device matches the image on P. 97. S I guess this IPv6-supporting router doesn't let me add a static IPv6 route? That seems a very basic omission.
The release notes for the latest frimware are not very helpful. "Fixed some known security vulnerabilities." Doesn't even list the ER7212PC as a supported device, even though the firmware is on it's download page. The previous version says "Improve comapatibility with " (a switch I don't have). The one before that does list a lot of changes...
Attack defense - it's not clear whether it applies to both IPv4 and IPv6. It's also not clear whether it applies to the router itself, or only to devices behind it.
Assuming both, []block ping from WAN is NOT checked. The router does not respond to pings from the WAN.
I could go provide even more detail, but it sounds like (a) the router's support for IPv6 is very limited and (b) I'm pretty much on my own to figure out what's happening.
This is disappointing. I certainly expected reasonably mature IPv6 support to be present in a router that claims to support it. Or by now, any router.
- Copy Link
- Report Inappropriate Content
Hi @tlhackque
Thanks for posting in our business forum.
tlhackque wrote
Yes, I read the (400 page) manual before posting. And did research as best I could. I tried to provide context for my questions, but perhaps that made things unclear.
I do appreciate your taking the time to reply.
Among other things:
What's intuitive to you isn't necessarily to me. I've decades of experience in the industry, but the GUI in this device keeps leading me astray. It uses a different vocabulary, and assumes a tp-link culture. It's not intuitive, but I'm learning. I'm certainly open to help with that.
I have a very simple setup. This router, and an EAP245 access point. PC, printer, voice on the LAN. That's it. No VLANs (yet) - just going for basic operation.
I can not access WAN from behind the router via IPv6. Nor ping the router from the WAN. The ISP of course thinks it's a router issue. I see the missing gateway, and suspect the ISP's DHCP is not providing a gateway address. Assuming the display is accurate.
Can I trust it? Have you, or anyone, used DHCP to get a WAN address and seen a gateway address in that space? Just that information would be very helpful.
Can I get debug-level logs displayed on the device?
I wish I could setup a log server - unfortunately, the only computes on the site are a desktop windows PC. I did setup the router to e-mail logs - the internal log has the helpful message "failed to email log to ...". No indication of WHY it failed. Sending a test-email worked, of course.
Even IF I could setup a log sever, can I specity the logging level? The 4 references to "log server" in th documentation provide no evidence that I can get the detail necessary to understand this issue. Just that there's a checkbox for "client" detail. I need the detail of the router's exchange with the ISP over the WAN. (There must be syslog for windows, though a desktop PC that gets turned off at night isn't a great choice..)
I wish I could just plug in a packet trace to the WAN - but the site is 3 hours away!
I can't tell whether the router itself (meaning the GUI, ping responses, etc) is considered part of the WAN, the LAN, or distinct from both. This particularly applies to the firewall/ACL rules.
I can not find a place to setup an IPv6 static route. The manual shows (on page 267) that there's a radio button to select IPv4 or IPv6. But the section is on managed devices. So is the router itself not a managed device? Does "switch" only apply to separate physical tp-link switches? But not the switch in the router? (Which is called a switch in the manual.)
Anyhow, there is no such button on the router. You can also see that on the emulator (though it's not current). The page on the actual device matches the image on P. 97. S I guess this IPv6-supporting router doesn't let me add a static IPv6 route? That seems a very basic omission.
The release notes for the latest frimware are not very helpful. "Fixed some known security vulnerabilities." Doesn't even list the ER7212PC as a supported device, even though the firmware is on it's download page. The previous version says "Improve comapatibility with " (a switch I don't have). The one before that does list a lot of changes...
Attack defense - it's not clear whether it applies to both IPv4 and IPv6. It's also not clear whether it applies to the router itself, or only to devices behind it.
Assuming both, []block ping from WAN is NOT checked. The router does not respond to pings from the WAN.
I could go provide even more detail, but it sounds like (a) the router's support for IPv6 is very limited and (b) I'm pretty much on my own to figure out what's happening.
This is disappointing. I certainly expected reasonably mature IPv6 support to be present in a router that claims to support it. Or by now, any router.
The gateway should show up.
The reason why it does not work, you should first examine how your WAN IPv6 works. What connection type that is.
The log I am talking about is this. This is the log server for detailed device/system running.
You cannot specify the log level. It should contain all levels. In the standalone mode, you can.
There is no firewall for IPv6.
For both WAN and LAN.
If it does not for the ping from WAN, is your WAN IP a public one? Show me the screenshot of the WAN IPv4 address. Mosaic the last two parts.
For the business product line, no product is perfectly fitting v6 yet. If v6 is necessary for your network, you can return it in time. We are still adding the main features for v4. v6 will be the future considerations. It is not our top priority at this moment.
Update:
How did you test your IPv6? Verification steps? You should try the IPv6 check websites and make sure you don't have any VPN or proxy enabled during the tests.
- Copy Link
- Report Inappropriate Content
Thanks for the information. Here are answeres to your questions and the results of a couple of hours of experimenting (using remote hands & eyes):
I knew what was meant by log server. I've found a trivial Perl script that will capture syslog on windows, and ... unfortuneately, it shows that the router provides no information.
The listener does not filter anything, and all it got was one line (the first is a test from a PC, the second is the only line from the router):
20240429220953 192.168.90.4 65473 Notice local0 Apr 29 10:09:53 PM LivingRoom2 WinSyslog: This is a SyslogTest
20240429221235 192.168.90.1 58422 Informational local3 0 0 -04-30T02:12:30.987Z AvH_Castle_Router - - - Master Administrator TheAdmin enabled advanced features.
The important thing here is that this does show that the router is talking to the syslog server. The bad thing is that it isn't saying anything about the IPv6 connection dropping, or starting. And not the details of what configuration data it's getting from the ISP's DHCPv6 server. I would be happy to install firmware that logs this information...
What I did while it ran was to disconnect the IPv6 connection (using the router's connection panel), then reconnect. We got a new address, but nothing in syslog.
IPv4 is behind a carrier NAT. I don't expect ping to work for IPv4. That's why IPv6 is important; I need to get a VPN/remote support tunnel up.
IPv6 is a public, dynamic address, and should be reachable. It gets the address from DHCPv6 on the WAN side. I believe the missing gateway is the issue. I don't know if the ISP isn't providing one. Or if the router is not accepting it.
There is no proxy or VPN involved. I checked IPv6 several ways:
- test-ipv6.com fails to detect it.
- ipv6.google.com won't connect via browser, nor will it ping.
- My own websites (obviously, not located where this router is) run IPv6; pinging the tp-link router's address fails.
- My systems can't be reached.
The ISP has not provided the gateway address for testing, so I can't try pinging it. (It isn't mumble::1 - I tried that.)
Below are the settings and status panels from the router. Note that the gateway address for IPv6 is blank, still.
Any further clues or advice would be appreciated.
- Copy Link
- Report Inappropriate Content
Also, this is the LAN configuration for IPv6. YOu can see that we do get a delegated prefix.
I am wondering on the WAN side if I really can believe the GUI's blank gateway, since in the IPv6 case it ought to be coming from the RA message vs. directly from DHCP (as in IPv4)...
In any case, don't know what to do next unless we can get some more information out of the router...
I was able to reboot the router with syslogd running; there was no useful technical information. There must be a way to get debug-level messages sent to a remote syslog.
What little was logged is below the screen capture. Doesn't even mention IPv6 - or the IPv4 dhcp success, or the reboot....
20240430210425 192.168.90.1 56813 Informational local0 0 0 -05-01T01:04:19.335Z AvH_Castle_Router - - - [ap:Castle_Ceiling_AP:9C-53-22-CA-5D-66] was connected.
20240430210425 192.168.90.1 56813 Informational local0 0 0 -05-01T01:04:23.087Z AvH_Castle_Router - - - [osg:Castle_Router:78-8C-B5-02-61-CC] was connected.
20240430210427 192.168.90.1 56813 Informational local0 0 0 -05-01T00:57:59.000Z AvH_Castle_Router - - - The LAN IP address/mask of [ap:Castle_Ceiling_AP:9C-53-22-CA-5D-66] were changed to 192.168.90.2/255.255.255.0.
20240430210513 192.168.90.1 56813 Informational local0 0 0 -01-01T05:00:15.000Z AvH_Castle_Router - - - The LAN(LAN) IP address/mask of <null> were changed to 192.168.90.1/255.255.255.0.
20240430210513 192.168.90.1 56813 Informational local0 0 0 -05-01T00:55:20.000Z AvH_Castle_Router - - - The LAN(LAN) IP address/mask of [osg:Castle_Router:78-8C-B5-02-61-CC] were changed to 192.168.90.1/255.255.255.0.
- Copy Link
- Report Inappropriate Content
I have been experimenting with a couple of Cisco routers, since I may have to replace the tp-link router with one - at least temporarily.
Making some assumptions about what the ISP is doing, I can reproduce the symptoms when the client (simulating the tp-link router) does not install a default route from the RA messages. Perhaps the tp-link firmware is omitting this step. You would not notice this omission if testing with the server and client on the same LAN did not include off-LAN tests.
This seems likely: When I can get one, a packet trace will confirm. If no RAs, the ISP needs to fix. If there are, it's definitely a tp-link problem.
The ISP tells me that they do have routers successfully supporting IPv6. It's possible that those routers automatically install default routes to the source of the RA messages, or are configured to do so. (Or that the ISP installs default routes over the wire, in which case they could suppress the RA messages.)
FWIW: in the Cisco router, the default is not to install a default route. (Probably because with multiple WAN links, it is not clear which one(s) are gateways. In any case to prevent operational mistakes, a router is forbidden to send RAs until manually configured.)
In the Cisco routers, the "default" keyword (for "install default-route") is required with "ipv6 address autoconfig default".
Background:
- Routers announce their presence on a LAN with "advertisement" messages, which can also cary dhcp-like options.
- Unlike DHCPv4, DHCPv6 doesn't deliver routes. Either they are supplied administratively, or (usually) from router advertisement messages.
- DHCPV6 does not provide a default router/gateway address.
- A RA with non-zero lifetime indicates a router that is willing to be the default router for a link.
- Suppressing RAs is an option in several scenarios:
- when the configuration is static
- to prevent information leakage
- to limit overhead
- Copy Link
- Report Inappropriate Content
Hi @tlhackque
tlhackque wrote
I have been experimenting with a couple of Cisco routers, since I may have to replace the tp-link router with one - at least temporarily.
Making some assumptions about what the ISP is doing, I can reproduce the symptoms when the client (simulating the tp-link router) does not install a default route from the RA messages. Perhaps the tp-link firmware is omitting this step. You would not notice this omission if testing with the server and client on the same LAN did not include off-LAN tests.
This seems likely: When I can get one, a packet trace will confirm. If no RAs, the ISP needs to fix. If there are, it's definitely a tp-link problem.
The ISP tells me that they do have routers successfully supporting IPv6. It's possible that those routers automatically install default routes to the source of the RA messages, or are configured to do so. (Or that the ISP installs default routes over the wire, in which case they could suppress the RA messages.)
FWIW: in the Cisco router, the default is not to install a default route. (Probably because with multiple WAN links, it is not clear which one(s) are gateways. In any case to prevent operational mistakes, a router is forbidden to send RAs until manually configured.)
In the Cisco routers, the "default" keyword (for "install default-route") is required with "ipv6 address autoconfig default".
Background:
- Routers announce their presence on a LAN with "advertisement" messages, which can also cary dhcp-like options.
- Unlike DHCPv4, DHCPv6 doesn't deliver routes. Either they are supplied administratively, or (usually) from router advertisement messages.
- DHCPV6 does not provide a default router/gateway address.
- A RA with non-zero lifetime indicates a router that is willing to be the default router for a link.
- Suppressing RAs is an option in several scenarios:
- when the configuration is static
- to prevent information leakage
- to limit overhead
Since my ISP supports IPv6. It assigns the following parameters so I did not set it manaully. For the connection, you should configure based on what ISP suggests. If I set the PD incorrectly, it will not work properly.
- Copy Link
- Report Inappropriate Content
Of course I use the ISP's setting - which is DHCPv6. They explicitly do not support SLAAC.
Are we talking about the same tp-link router? Your screenshot has very different contents (compare with mine in reply #5). Selecting anything under "dynamic IP" does not give a display with as much information as yours.
My router is ER7172PC, with the latest (last week's) firmware. If the same router, are you running pre-release firmware?
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 558
Replies: 8
Voters 0
No one has voted for it yet.