ER707-M2 IPV6 NAT and address reservation

ER707-M2 IPV6 NAT and address reservation

ER707-M2 IPV6 NAT and address reservation
ER707-M2 IPV6 NAT and address reservation
2024-06-24 15:40:25
Model: ER707-M2  
Hardware Version: V1
Firmware Version: latest

Hi team!!!

 

I have an ER707-M2 IPV6 that correctly receives a fixed IPv6 prefix from the ISP and I want to assign an IPv6 address to a server connected to one of the ports.

 

To assign the address I can enable the DHCPv6 service, however I don't see how to reserve the address then. So it happens that the address changes.

 

How can I fix this issue?

 

Then, once I assign an address to the device, I see that there are no traffic restrictions-I don't need to do NAT. Is this correct? 

 

If yes how do I limit the traffic to only port 443?

  0      
  0      
#1
Options
8 Reply
Re:ER707-M2 IPV6 NAT and address reservation
2024-06-25 02:12:52

Hi @SDVConsulting 

Thanks for posting in our business forum.

v6 does not have a DHCP reservation yet.

There is no firewall for the v6 yet. If you need to limit the traffic, you may consider the ACL.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  1  
  1  
#2
Options
Re:ER707-M2 IPV6 NAT and address reservation
2024-06-25 08:07:36

  @Clive_A Ok, now it is clear.

 

Actually I don't need the DHCPv6.

SLAAC can be used as well. Simply the device choose its own address based on its mac address and it is static.

But it seems this address can't be reached from the public network. Only local machine can access the device. 

 

So, I suppose that I need to configure something... any suggestion?  

  0  
  0  
#3
Options
Re:ER707-M2 IPV6 NAT and address reservation
2024-06-25 09:20:33

Hi @SDVConsulting 

Thanks for posting in our business forum.

SDVConsulting wrote

  @Clive_A Ok, now it is clear.

 

Actually I don't need the DHCPv6.

SLAAC can be used as well. Simply the device choose its own address based on its mac address and it is static.

But it seems this address can't be reached from the public network. Only local machine can access the device. 

 

So, I suppose that I need to configure something... any suggestion?  

Is it actually that you get a public v6 address?

What about the firewall settings on your local machine?

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  1  
  1  
#4
Options
Re:ER707-M2 IPV6 NAT and address reservation
2024-06-25 09:54:51 - last edited 2024-06-25 10:05:55

  @Clive_A 

Yes, the ISP provide me a static prefix. So I can create as much subnet as I need and assing public address to my device.

As the IPv6 address are public, I hope there are no default limitation. In contrary, I wondering how to limit, but before to limit I want to see the device to be reacheable from the public network, so I did not configured any rule on the firewall right now.

Please let me know if I'm doing something wrong.

  0  
  0  
#5
Options
Re:ER707-M2 IPV6 NAT and address reservation
2024-06-25 17:32:02 - last edited 2024-06-25 17:35:40

  @Clive_A 

Anyway, I've added a access control rule but nothing happened:

 

Policy: Allow

Service Type: All

IP Type: IPv6

Direction: All

Source: IPV6GROUP_ANY

Destination: IPV6GROUP_ANY

Effectiv time: any

States: New, Established, Related

 

 

It should mean "no firewall" ...

  0  
  0  
#6
Options
Re:ER707-M2 IPV6 NAT and address reservation
2024-07-05 15:59:42

  @SDVConsulting

 

I tried enabling IPv6 from WAN (DHCPv6) with Prefix Delegation (for LAN). That works - hosts on LAN assigned address from delegated prefix.

 

But even when adding various allow all IPv6 traffic access control policies, it appears that IPv6 routing on router (ER707-M2, with 1.2.2 Build 20240324 Rel.42799 firmware) isn't properly set up as traceroutes report address or network address unreachable at the ER707-M2 router (packets get to router but no beyond it).

 

And testing with various Internet servies that check for IPv6 connection always report no IPv6 address for the host (on the LAN).

 

Has anyone had any success in getting this to work (ideally DHCPv6 with Prefix Delegation from ISP) to allow actual communication.

 

The router works great to handle two WANs - one active, one backup. But it be nice to make use of IPv6 ... 

 

Thanks.

 

 

 

  0  
  0  
#7
Options
Re:ER707-M2 IPV6 NAT and address reservation
2024-07-06 12:35:48

  @BVolz 

 

My router is providing IPv6 address to my network. So any device correctly receive an IPv6 address via DHCPv6 protocol.

 

My ISP is providing one /64 subnet so I've assigned :1:: to my router and then I've configured DHCPv6 to assign addresses and it works.

If I browse https://whatismyipaddress.com/ I can see my pc IPv6 address.

There are two issues:
a) I can't reserve an address to a device, therefore it can be changed in time. But I can manually assign the address to the network interface on the device operating system. So this is a minor issue

b) even if IPv6 addresses are "public addresses" I did not found the way to allow the traffic incoming from the wan to reach the device. 

Any firewall configuration I've tried fails.

  0  
  0  
#8
Options
Re:ER707-M2 IPV6 NAT and address reservation
2024-07-06 15:35:36

  @SDVConsulting 

If you use SLAAC and make sure your device doesn't use privacy MAC addresses, the address should stay stable (based on MAC address). Or, as you indicate, you can also use a static address on the device instead of DHCP or SLAAC. You also want to disable temporary IPv6 addresses if the device is requesting them.

 

In theory, it would seem that a rule that only allows IPv6 incoming traffic to the device you want to put on the Internet should work (allow traffic to that address on the LAN from the WAN) and block anything else coming in from the WAN. It does open up all IPv6 traffic to that device, so you'd have to lock down the device itself using a firewall on that device.

 

It would be nice if there was a IPv6 firewall that by default allowed all out (from LAN to WAN) and blocked all in that isn't part of an outgoing request (similar to what is done for IPv4). Then, yes, adding port and IPv6 address based filtering for incoming traffic would be nice -- but the changing IPv6 addresses do make that a bit more challenging and may need to be tried to adding DHCPv6 reservations (which shouldn't be that big a deal).

 

I have a long background in IPv6 and implemented much of the Cisco Prime Network Registrar's DHCPv6 code and worked on many of the DHCP and DHCPv6 standards in the IETF.

 

 

In my case, my WAN port (2.5G WAN1) is set as follows:

 

IPV6: Enabled

 

Internet Connection Type: Dynamic IP (SLAAC/DHCPv6)

IPv6 Address: ...:402:3848:F6B:...:DAE7/64

Primary DNS: 2001:4860:4860::8888

Secondary DNS: 2001:4860:4860::8844

DUID: 03:03:00:01:...

Link-local Address: FE80::.../64

 

Advanced:

Get IPv6 Address: DHCPv6 checked

Prefix Delegation: Enable

Prefix Delegation Size: 56

DNS Address: Get dynamically from ISP checked

Primary DNS: 2001:4860:4860::8888

Secondary DNS: 2001:4860:4860::8844

 

My LAN is set as follows:

 

LAN(VLAN): 1

Assigned Type: SLAAC+Stateless DHCP

Prefix: Get from Prefix Delegation checked

IPv6 Prefix Delegation WAN: 2.5G WAN1

IPv6 Prefix ID: 1

Address Prefix: ...:2601::/64

DNS Address: Auto

Address: ...:2601:42ed:ff:...:141f/64

RA Priority: Medium

RA Valid Lifetime: 86400

RA Preferred Lifetime: 14400

 

My MAC (on the LAN) gets an proper IPv6 address (well, 2, one "permanent" and another "temporary").

 

Traceroute to the router's addresses (both on the WAN and LAN side) works.

 

Traceroute to an other IPv6 address returns !N in the traceroute (no route) from the ER707-M2's address. Hence, the ER707-M2 doesn't appear to route this out to the ISP's network as it should. I've tried various firewall access controls (some that prohibit, other's that allow) but no luck.

 

https://whatismyipaddress.com/ says no IPv6 address detected.

 

I do have load balancing enabled with a backup WAN which only provides IPv4 support; not sure if that might play a role in why my setup fails. I may disable that sometime soon and experiment a bit more to see if that perhaps impacts this in some way from working correctly.

  0  
  0  
#9
Options

Information

Helpful: 0

Views: 856

Replies: 8

Related Articles