
IPv6 in LAN can only reach FritzBox but not the internet


jimpd:
Sorry for the late reply

I have tested the following with IPv6:
device1 in LAN1
device2 in LAN2

device1 can ping device2
device2 can ping device1

installed a webserver on device2 and allowed port 80 in OPNsense on the WAN interface for device2
-> device1 can access website running on device2

jimpd:
Next approach

Allow incoming port 443 on the OPNsense WAN interface (which is in LAN1) with exposed host configured in the FritzBox -> OPNsense interface is reachable from remote via IPv6

Then I tried a similar setup as before from the internet (with curl)

device1 in LAN1
device2 in LAN2

device1 webserver port 80
I opened port 80 for device1 in the FritzBox
-> access to webserver on device1 from remote server via IPv6 is possible
tcpdump on port 80

--- Code: ---
13:43:46.206828 IP6 ipv6-of-device1:198d.54222 > ipv6-of-device2:e03a.http: Flags [S], seq 4161419774, win 28640, options [mss 1432,sackOK,TS val 3100947471 ecr 0,nop,wscale 7], length 0
13:43:46.206879 IP6 ipv6-of-device2:e03a.http > ipv6-of-device1:198d.54222: Flags [S.], seq 2344778224, ack 4161419775, win 64260, options [mss 1440,sackOK,TS val 457004862 ecr 3100947471,nop,wscale 7], length 0
.....
13:43:46.213160 IP6 ipv6-of-device1:198d.54222 > ipv6-of-device2:e03a.http: Flags [P.], seq 1:104, ack 1, win 224, options [nop,nop,TS val 3100947478 ecr 457004862], length 103: HTTP: GET / HTTP/1.1
......

--- End code ---

device2 webserver port 80
I opened the firewall for OPNsense (exposed host) and also allowed access to the delegated IPv6 prefixes for this device in the FritzBox
I opened port 80 in OPNsense on the WAN interface for device2
-> access to webserver on device2 from remote server via IPv6 was **not** possible

I saw the request from the remote server in my OPNsense firewall log
lan   [remote-ipv6::2]:59836 [ipv6-of-device:e03a]:80   tcp   let out anything from firewall host itself

then I tcpdump'd on device2 port 80
I saw the requests:

--- Code: ---
13:55:21.417708 IP6 remote-ipv6::2.42044 > ipv6-of-device2:e03a.80: Flags [S], seq 2674231027, win 28800, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0
13:55:21.417754 IP6 ipv6-of-device2:e03a.80 > remote-ipv6::2.42044: Flags [S.], seq 4276351807, ack 2674231028, win 64800, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0
13:55:22.442402 IP6 ipv6-of-device2:e03a.80 > remote-ipv6::2.42044: Flags [S.], seq 4276351807, ack 2674231028, win 64800, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0

--- End code ---

I wireshark'd this via http://fritz.box/html/capture.html - image1 is on eth1 - image2 on wan interface
(please ignore that image2 is ::1 instead of ::2, doesn't matter here)

also tcpdump'd on the remote server

--- Code: ---
14:18:13.265952 IP6 remote-ipv6::2.39468 > ipv6-of-device2:e03a.80: Flags [S], seq 730490927, win 28800, options [mss 1440,sackOK,TS val 2624988435 ecr 0,nop,wscale 7], length 0

--- End code ---

verbose:

--- Code: ---
14:17:36.967342 IP6 (flowlabel 0xc305c, hlim 64, next-header TCP (6) payload length: 40) remote-ipv6::2.39466 > ipv6-of-device2:e03a.80: Flags [S], cksum 0xe30d (incorrect -> 0xeca7), seq 2577571887, win 28800, options [mss 1440,sackOK,TS val 2624952138 ecr 0,nop,wscale 7], length 0

--- End code ---
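
The captures in the post above can be compared mechanically. The following Python sketch is an added example, not part of the original thread: it classifies each TCP handshake found in tcpdump text output. The name `classify` and the state labels are chosen here, and the sample lines are abridged from the posted captures (TCP options dropped).

```python
import re
from collections import defaultdict

# tcpdump text line: time, "IP6", optional verbose "(...)" header, src > dst, flags
LINE = re.compile(r"^\S+ IP6 (?:\(.*?\) )?(\S+) > (\S+): Flags \[([^\]]+)\]")

def classify(capture):
    """Map each (client, server) pair seen in tcpdump text to a handshake state."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                          # elided or non-IPv6 lines
        src, dst, flags = m.groups()
        if flags == "S":                      # SYN, client -> server
            flows[(src, dst)]["syn"] += 1
        elif flags == "S.":                   # SYN-ACK, filed under the client's flow
            flows[(dst, src)]["synack"] += 1
        elif "." in flags and "R" not in flags and (src, dst) in flows:
            flows[(src, dst)]["ack"] += 1     # ACK-bearing segment from the client
    states = {}
    for flow, n in flows.items():
        if n["ack"]:
            states[flow] = "established"
        elif n["synack"]:
            states[flow] = "synack-unacked"   # reply sent, no ACK ever came back
        else:
            states[flow] = "syn-unanswered"   # no reply visible at this capture point
    return states

# Sample input abridged from the captures posted above (TCP options dropped).
WORKING = """\
13:43:46.206828 IP6 ipv6-of-device1:198d.54222 > ipv6-of-device2:e03a.http: Flags [S], seq 4161419774, win 28640, length 0
13:43:46.206879 IP6 ipv6-of-device2:e03a.http > ipv6-of-device1:198d.54222: Flags [S.], seq 2344778224, ack 4161419775, win 64260, length 0
13:43:46.213160 IP6 ipv6-of-device1:198d.54222 > ipv6-of-device2:e03a.http: Flags [P.], seq 1:104, ack 1, win 224, length 103: HTTP: GET / HTTP/1.1
"""
DEVICE2_SIDE = """\
13:55:21.417708 IP6 remote-ipv6::2.42044 > ipv6-of-device2:e03a.80: Flags [S], seq 2674231027, win 28800, length 0
13:55:21.417754 IP6 ipv6-of-device2:e03a.80 > remote-ipv6::2.42044: Flags [S.], seq 4276351807, ack 2674231028, win 64800, length 0
13:55:22.442402 IP6 ipv6-of-device2:e03a.80 > remote-ipv6::2.42044: Flags [S.], seq 4276351807, ack 2674231028, win 64800, length 0
"""
REMOTE_SIDE = """\
14:18:13.265952 IP6 remote-ipv6::2.39468 > ipv6-of-device2:e03a.80: Flags [S], seq 730490927, win 28800, length 0
"""

if __name__ == "__main__":
    for name in ("WORKING", "DEVICE2_SIDE", "REMOTE_SIDE"):
        print(name, classify(globals()[name]))
```

On the posted captures the device2 side comes out as `synack-unacked` and the remote side as `syn-unanswered`: the SYN arrives and is answered, but the SYN-ACK never shows up in the remote server's capture.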

johnsmi:

--- Quote from: jimpd on January 03, 2020, 05:12:25 pm ---
Kindersicherung (parental controls)

--- End quote ---
This is broken in the current FritzOS


You need to disable "Kindersicherung" entirely.


I had the same problem. AVM is aware of this.

--- Quote from: AVM-Support ---
We are aware of the problem and it will be fixed in an upcoming update.

Workaround:

Switch off the parental controls (Kindersicherung) completely; this can only be done indirectly. To do so, switch off all restrictions in the parental controls, then the parental control modules are not loaded:

- Remove all restrictions in the default profile "All other devices" ("Alle anderen Geräte").
- Remove all restrictions in the guest profile "All devices in the guest network" ("Alle Geräte im Gastnetz").
- Set all devices to the default profile.

This should resolve the problem.

--- End quote ---


I removed all the stuff I don't need from my FritzBox and IPv6 runs fine.

jimpd:
This issue is probably fixed with new Fritz!OS 7.20


- **Fixed** Devices connected to a downstream router via IPv6 prefix delegation did not get an IPv6 internet connection when parental controls (Kindersicherung) were active
- **Fixed** Devices connected to a downstream router via IPv4 static routes did not get an IPv4 internet connection when parental controls (Kindersicherung) were active

https://ftp.avm.de/fritzbox/fritzbox-7590/deutschland/fritz.os/info_de.txt

I will report back once my FritzBox has received the 7.20 update too
