External access via IPv6

[mrcross]

NOIP will work with IPv6 (AAAA) but whether it'll get around CGNAT is an unknown to me.

asuscomm ddns works fine with IPv6 their nslookup returns both addresses "Result: 100.68.56.157, 2a0e:cb00:700b::39d5:7ae8:a794:d22"

 

[mrcross]

It depends what address he's pinging, but by default ICMPv6 ECHO are allowed through the firewall, due to IPv6 requirements.

 

[drinkingbird]

Wow! Many thanks for your responses, which are much appreciated.

I understand that. My thought was that if I could access the UK router using IPv6 then I might be able to use it as a VPN server with the French site as client. My primary goal (not achieved so far) has been simply to access the UK router via the WAN to show that access is possible. The weird thing is that in France I have a Hilook DVR (digital video recorder) with three cameras. This hangs off one of the LAN ports of the 4G router and has its own LAN to which the cameras attach. It uses Hikconnect (Hikvision's own ddns) and using their IVMS software I can get in and view the cameras, despite the use of CGNAT. Love to know how they make that work!

The cameras initiate outbound to the cloud server, then you access that cloud server. They all work that way so that average non tech people don't have to worry about a ddns service, port forwarding, etc

 

[drinkingbird]

asuscomm ddns works fine with IPv6 their nslookup returns both addresses "Result: 100.68.56.157, 2a0e:cb00:700b::39d5:7ae8:a794:d22"

I just pinged your v6 fine.

 

[drinkingbird]

asuscomm ddns works fine with IPv6 their nslookup returns both addresses "Result: 100.68.56.157, 2a0e:cb00:700b::39d5:7ae8:a794:d22"

And here's your GUI

 

[mrcross]

OK, something weird. Last time I tried ping was from a different location. Now I have a desktop on the router's LAN and I also have a laptop on the LAN of a different router, connected to a different WAN circuit and a ping -6 from the laptop to the router on the other LAN is working with a roundtrip of 17ms. It's possible that the first time I had the Firewall/General "Respond ICMP Echo (ping) Request from WAN" set to "No", it's now set to "Yes" however I still can't access the router's login page from outside. The firewall setting page says "All outbound traffic coming from IPv6 hosts on your LAN is allowed, as well as related inbound traffic. Any other inbound traffic must be specifically allowed here.
You can leave the remote IP blank to allow traffic from any remote host. A subnet can also be specified. (2001::1111:2222:3333/64 for example)".
This is where my lack of knowledge kicks in. If the router's IP is 2a0e:cb00:700b::39d5:7ae8:a794:d22 what should be going in to the firewall fields? Also I've discovered this Asus document https://www.asus.com/uk/support/FAQ/1000926/ where it says
FAQ


Does ASUS Router’s web GUI access supported from WAN over IPv6?

• No, it doesn’t. Currently only IPv4 is supported.
  

That's dated 2021 so I'll ask Asus whether anything's changed, otherwise I think that explains my problem.

 

[mrcross]

And here's your GUI

Progress, thank you! I've now managed to get to it, thank you for your help.

 

[drinkingbird]

Progress! How did you get that GUI to appear, because I can't get it?

https://[v6IP]:8443 but if you have a ddns hostname that is easier.

Ping is working fine too

 

[drinkingbird]

Progress, thank you! I've now managed to get to it, thank you for your help.

Might want to remove your IP from your post. Or see if you can reboot and get a new one. I'll take it out of my quoted posts too.

For your DDNS see if asus lets you disable A records (as that will just return an unreachable IP) and only have AAAA or look for a DDNS service that lets you do that. That will make things easier on you so you can do hostname lookups. Most things will prefer the v6 response but not all.

Does the "remote" site support v6? If not, you're not going to be able to do VPN, unless your carrier is doing 4 to 6 NAT on outbound traffic destined for v6 hosts. You can test by going to whatsmyip.com and see if a v6 one is listed. If so, you should be able to set up VPN. In the firewall, for source you can put the v6 IP that is shown on that site but it is likely that it will change frequently, so you probably have to leave the source IP blank (permit any), put the destination v6 IP of your router (or if that changes a lot, also have to leave that blank) and the port/protocol of the VPN server. Make sure you set it up nice and secure, ideally export a client certificate to install on your VPN client.

I'd probably disable the WAN access to the admin of the router once you have that up and running.

 

[mrcross]

Might want to remove your IP from your post. Or see if you can reboot and get a new one. I'll take it out of my quoted posts too.

For your DDNS see if asus lets you disable A records (as that will just return an unreachable IP) and only have AAAA or look for a DDNS service that lets you do that. That will make things easier on you so you can do hostname lookups. Most things will prefer the v6 response but not all.

Does the "remote" site support v6? If not, you're not going to be able to do VPN, unless your carrier is doing 4 to 6 NAT on outbound traffic destined for v6 hosts. You can test by going to whatsmyip.com and see if a v6 one is listed. If so, you should be able to set up VPN. In the firewall, for source you can put the v6 IP that is shown on that site but it is likely that it will change frequently, so you probably have to leave the source IP blank (permit any), put the destination v6 IP of your router (or if that changes a lot, also have to leave that blank) and the port/protocol of the VPN server. Make sure you set it up nice and secure, ideally export a client certificate to install on your VPN client.

I'd probably disable the WAN access to the admin of the router once you have that up and running.

Many thanks for your help. I've deleted the IPv6's as suggested. Should be able to get to the remote site later this month and will have a go at the VPN then. Many thanks again , Mike

 

[mrcross]

The cameras initiate outbound to the cloud server, then you access that cloud server. They all work that way so that average non tech people don't have to worry about a ddns service, port forwarding, etc

That puzzles me. I have three cameras there and an allowance of 210Gb a month yet never seem to run short on data, which I'd expect if they were streaming data 24/7. If I logon to hik-connect.com I'm shown the IPv4 address but not the IPv6. The IPv4 address shown appears to be a static belonging to the mobile operator (LAN is on a 4G cellular modem). Hopefully I'll be able to find the c6 address next time I'm over there.

 

[drinkingbird]

That puzzles me. I have three cameras there and an allowance of 210Gb a month yet never seem to run short on data, which I'd expect if they were streaming data 24/7. If I logon to hik-connect.com I'm shown the IPv4 address but not the IPv6. The IPv4 address shown appears to be a static belonging to the mobile operator (LAN is on a 4G cellular modem). Hopefully I'll be able to find the c6 address next time I'm over there.

They aren't streaming 24x7, only when you log in and view them (or if you have them set to upload motion recordings to the cloud, they do that from time to time). Other than that they're just sending heartbeats to keep the connection alive which is very small bandwidth.

You're seeing the real IP that the ISP hides the CGNATs behind, just like what your router does with your internal IPs when it maps them to the single WAN IP. This only works when the connection is initiated from "inside". So the camera has to initiate a connection to the cloud server and keep it alive, then you can access that same cloud server and, through that existing connection, your cameras.

Many apps work this way to get around NAT issues. Teamviewer (remote access/screen sharing) is another common example. Even some of the asus apps like AiCloud etc work this way.

 

[mrcross]

They aren't streaming 24x7, only when you log in and view them (or if you have them set to upload motion recordings to the cloud, they do that from time to time). Other than that they're just sending heartbeats to keep the connection alive which is very small bandwidth.

You're seeing the real IP that the ISP hides the CGNATs behind, just like what your router does with your internal IPs when it maps them to the single WAN IP. This only works when the connection is initiated from "inside". So the camera has to initiate a connection to the cloud server and keep it alive, then you can access that same cloud server and, through that existing connection, your cameras.

Many apps work this way to get around NAT issues. Teamviewer (remote access/screen sharing) is another common example. Even some of the asus apps like AiCloud etc work this way.

Many thanks for taking the time and giving the explanation. Mike

 

[tofflock]

@mrcross I have a similar setup - 2 sites - UK & France. Both are behind firewalls running OPNsense. When both were running IPV4 (public, not CG-NAT) everything worked fine. I had an IPsec Site2site VPN working flawlessly. Both now have FTTP connections (Toob in UK, & Free in France) and they both come dual-stack.
Fortunately Free will give you a public V4 address without charge, whereas Toob charge for the priviledge. So I'm currently paying for public V4 in the UK and still running the IPsec VPN over V4 cos that's the easy option. However, IPV6 has IPsec capability built in (allegedly ), so it's on my list to learn how to configure everything to implement my VPN over IPsec/V6 and then I can drop the monthly payment to avoid CG-NAT on Toob.
Since it seems you're stuck behind CG-NAT at both ends, perhaps you'd like to investigate this yourself. Here's a URL to start you off; it's a bit high level, but it might whet your apetite. If I manage to get it sorted myself, I'll let you know. Sorry I can't help more at the moment.

An introduction to IPv6 packets and IPSec

Let's break down IPv6 packets and take a look at how IPSec is implemented in this protocol.

www.redhat.com