External access via IPv6

mrcross

Hello all. New to IPv6 so be gentle.
I have a new fibre connection (City Fibre, reseller is Toob). It uses CG-NAT so DDNS on IPv4 is not possible. Router is ASUS ZenWiFi AX Hybrid.
I also have a site in France which uses a 4G router (Soyealink/Huawei B535-333). This router has limited capabilities but is necessary for the 4G connection. I have an ASUS RT-AC66U hanging off one of its LAN ports. Again the ISP uses CG-NAT and in any case the ASUS is behind the Soyealink/Huawei so DDNS on IPv4 is also not possible.
Ultimately I'd like to set up a VPN between the ASUS routers but for the time being it would be good if I could access the routers remotely. Both networks are IPv6 enabled.
The ASUS DDNS shows the IP of the UK router as (deleted) and if I enter http://[(deleted)] into Firefox, sure enough it displays the router's login page. However it ONLY does this from within its own network. It does not work from outside. From outside https is required so the URL should in theory be https://[(deleted)]:8443. Again this works fine from within the network but fails from outside.
If I try from outside my own network neither of these URLs work. Router Advertisement is enabled on IPv6 and "Enable Web access from WAN" is turned on. That requires https so the second URL should work but does not.

If I try a tracert -6 to the IP from outside my own network it fails to "Transmit error: code 1231", and if I try a ping it fails to "transmit failed. General failure".

The router's IPv6 page shows the "LAN IPv6 Address" as (deleted) but http://[(deleted)] goes nowhere.

Can anyone tell me where I'm going wrong?

many thanks, Mike
 
Unfortunately access to the devices behind a CGNAT is not possible.
Depending how they are implementing the NAT, you may be able to establish a VPN tunnel. But don't be surprised if it will not work. CGNAT is a b..t!
 
The ISPs may be filtering inbound connections on IPv6, which is common these days because of botnets.

Most of the vendor DDNS clients are IPv4 only (I haven't seen one that does IPv6, but I'm sure they exist).

Have you considered something like TailScale or ZeroTier?
 
NOIP will work with IPv6 (AAAA) but whether it'll get around CGNAT is an unknown to me.
 
Unfortunately access to the devices behind a CGNAT is not possible.
Depending how they are implementing the NAT, you may be able to establish a VPN tunnel. But don't be surprised if it will not work. CGNAT is a b..t!

That's why they're trying to use v6 to set up a VPN. CGNAT only applies to v4.
 
The ISPs may be filtering inbound connections on IPv6, which is common these days because of botnets.

If they really do - this eliminates one of the possible IPv6 use cases.

Asuswrt has an IPv6-enabled DDNS client, but it was buggy for a very long time. Not sure if it works now.
 
Did you open the IPv6 firewall for the target addresses? By default your entire IPv6 subnet is blocked, for security reasons.
 
If they really do - this eliminates one of the possible IPv6 use cases.

For Fixed Wireless Access (LTE/5G), most of the wireless operators filter all incoming traffic by default on consumer accounts, which is a pain - whether IPv4 (NAT'ed or not) or IPv6.

It really does come down to asking the provider if they allow incoming traffic (and if they filter certain ports or not) over IPv4 and/or IPv6. It'll be faster than trying to experiment to see what works or not...

We do have 4G fallback for the office on both ATT and Verizon with static IPs and non-filtered access for IPv4/IPv6 - but those are special business accounts, and trust me, they're spendy as h*ll, I know as I used to have to pay that bill every month - but that's the cost of keeping things up if there is a fiber outage (we have fiber into the building).
 
Did you open the IPv6 firewall for the target addresses? By default your entire IPv6 subnet is blocked, for security reasons.

Even the router GUI if WAN access is enabled?
 
Even the router GUI if WAN access is enabled?
I don't remember if enabling WAN Access on the Administration page will also open it to IPv6 or only IPv4. But to access anything on the LAN you definitely need to configure the firewall for it.
 
I don't remember if enabling WAN Access on the Administration page will also open it to IPv6 or only IPv4. But to access anything on the LAN you definitely need to configure the firewall for it.

Yup agreed, just figured since OP wasn't even able to ping the router WAN something else was at play. But maybe that is a default setting that can't be changed.

@mrcross try putting something on a machine behind the router and open the firewall, even if just for ping, see if that works.
 
Yup agreed, just figured since OP wasn't even able to ping the router WAN something else was at play. But maybe that is a default setting that can't be changed.
It depends what address he's pinging, but by default ICMPv6 ECHO is allowed through the firewall, due to IPv6 requirements.
 
It depends what address he's pinging, but by default ICMPv6 ECHO is allowed through the firewall, due to IPv6 requirements.

But potentially blocked to WAN interface IP (may or may not be affected by the "allow ping" setting)?

Only way to know is to try pinging something behind the router. Ideally with tcpdump running to see if it ever even hits the WAN.

If none of that works, need to use the router as a client and connect to an external server so you're initiating the connection. But in OP's case sounds like the remote site is CGNAT only with no v6, in which case, need some sort of service in the middle where both sites act as the client.
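Added example (not part of any post in this thread): a small Python probe that separates the outcomes the replies above distinguish, namely a target address that is not globally routable, no IPv6 route to the target, a silent drop by an ISP filter or the router's IPv6 firewall, and a host that answers. The function names are hypothetical, port 8443 is the one from the first post, and the addresses are constructed samples.

```python
import errno
import ipaddress
import socket

def address_scope(addr: str) -> str:
    """Classify an IPv6 literal by how far it can be routed."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop any zone id
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"      # fe80::/10, valid on the local link only
    if ip in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"    # ULA, not routed on the Internet
    if ip in ipaddress.IPv6Network("2000::/3"):
        return "global"
    return "other"

def classify_failure(exc: OSError) -> str:
    """Map a connect() error to where the attempt most likely died."""
    if isinstance(exc, socket.timeout) or exc.errno == errno.ETIMEDOUT:
        return "filtered"             # no answer: packets silently dropped
    if isinstance(exc, ConnectionRefusedError):
        return "reached-port-closed"  # host answered, nothing listening
    if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
        # Either the probing machine has no IPv6 path at all, or a router
        # on the way returned an ICMPv6 "unreachable" message.
        return "no-route"
    return "unknown"

def probe(addr: str, port: int = 8443, timeout: float = 5.0) -> str:
    """Try a TCP connect over IPv6 and name the result."""
    scope = address_scope(addr)
    if scope != "global":
        return f"not-routable ({scope})"  # no point testing from outside
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify_failure(exc)

if __name__ == "__main__":
    # Constructed sample: a link-local address is rejected before any
    # packet is sent, so this runs offline.
    print(probe("fe80::1"))
```

Run it from a network outside the one being tested; a "no-route" result there points at the probing machine's own IPv6 connectivity before anything about the target can be concluded.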
 
But potentially blocked to WAN interface IP (may or may not be affected by the "allow ping" setting)?
The web option to block WAN PINGs only affects IPv4. IPv6 stays allowed due to RFC requirements. So if he's pinging the router's WAN IP and he gets no response, his ISP must be blocking it, or he has a second router in front which blocks all IPv6 traffic regardless of RFC requirements (not every router follows RFC 4890 as closely as Asus).
 
The web option to block WAN PINGs only affects IPv4. IPv6 stays allowed due to RFC requirements. So if he's pinging the router's WAN IP and he gets no response, his ISP must be blocking it, or he has a second router in front which blocks all IPv6 traffic regardless of RFC requirements (not every router follows RFC 4890 as closely as Asus).

I know a lot of ICMP is required, is echo specifically though?

But that is a good point, @mrcross is there any ISP device other than ONT/Fiber bridge in the path?
 
I know a lot of ICMP is required, is echo specifically though?
Yes, it's used as part of node discovery. Might not be as critical on the WAN side, but it is on the LAN side.
 
Yes, it's used as part of node discovery. Might not be as critical on the WAN side, but it is on the LAN side.

Eh, I guess with IPv6 that line sort of doesn't exist anymore when it comes to routing and addressing etc. I know PMTUD type discovery must be allowed end to end, wasn't sure if node discovery was in the same boat. I do know one of the biggest issues with v6 adoption is the refusal to allow ICMP through, even though ICMPv6 is pretty different and is supposed to address those concerns. Sounds like this particular ISP may be one of the ones breaking the rules.

Stop probing my nodes.
 
Wow! Many thanks for your responses, which are much appreciated.
Unfortunately access to the devices behind a CGNAT is not possible.
Depending how they are implementing the NAT, you may be able to establish a VPN tunnel. But don't be surprised if it will not work. CGNAT is a b..t!
I understand that. My thought was that if I could access the UK router using IPv6 then I might be able to use it as a VPN server with the French site as client. My primary goal (not achieved so far) has been simply to access the UK router via the WAN to show that access is possible. The weird thing is that in France I have a Hilook DVR (digital video recorder) with three cameras. This hangs off one of the LAN ports of the 4G router and has its own LAN to which the cameras attach. It uses Hikconnect (Hikvision's own ddns) and using their IVMS software I can get in and view the cameras, despite the use of CGNAT. Love to know how they make that work!
 
The ISPs may be filtering inbound connections on IPv6, which is common these days because of botnets.

Most of the vendor DDNS clients are IPv4 only (I haven't seen one that does IPv6, but I'm sure they exist).

Have you considered something like TailScale or ZeroTier?
Thanks, I'll ask the ISP, however they haven't replied to Friday's question so maybe it falls into the category of "too difficult".