ipv6 host exposure / port forwarding / VPN to home.
arpaterson
Netzwerkforscher

I'm sorry my German is not good enough for this topic. 

I want to connect to some computers at home while I am away from home - for example using OpenVPN or WireGuard (e.g. using a Vodafone mobile connection to connect to my home, which has Vodafone Kabel).

 

So far I have not been able to even ping a valid IP, no matter what I try.

 

IPV6 Host Exposure does not seem to work.

Can you please (pRo-Marco, TinaG) look into this?
It is possible I don't understand something with ipv6, but I do have a lot of experience with this in the past.

 

There is no information from Vodafone on this, and a lot of reports of issues with the firmware on the Vodafone Station. My last apartment had huge issues with the Vodafone Station firmware (I had to return it twice because of bugs in the port forwarding that even a factory reset could not resolve, then I gave up trying to use port forwarding).
I would be using a 3rd party router, but there is not even a Bridge Mode option...

 

I am in NRW on a cable connection.

Vodafone Station firmware: 19.3B57-1.0.41


Do I have Dual Stack or DS-Lite?
How is IPV6 Host Exposure supposed to work (if it is working correctly)?

I believe this is something we should be able to do with our home connections, and not something limited to a business account. If that is the case we will cancel our contract immediately as it is unreasonable.

17 replies
arpaterson
Netzwerkforscher

If I disable the VF Station firewall, I am able to SSH into the ipv6 addresses of my home computers while tethered to my mobile.

But... if I disable the firewall, it is automatically re-enabled after 24 hours, and I have no choice about it.
Then I cannot connect anymore.

If I understand correctly, IPV6 host exposure is supposed to be the way around this.
The firewall remains active, but the specified port on the specified host is exposed by IPV6 Host Exposure.


But it doesn't work!

Also, even if it did work - we can only open a port for one host... that doesn't seem to be the way ipv6 should work.

I want to (for example) SSH to two machines in my network.
I can only set port 22 once in IPV6 Host Exposure with the Vodafone Station.
How can I open port 22 to two computers? - it is not possible with ipv4 because we have a single external address and NAT, but with ipv6 it should be possible since we connect to the ipv6 address of individual machines in our /64 range.

arpaterson
Netzwerkforscher

I would also point out that firmware update rollouts are clearly happening FAR TOO SLOWLY.
There are posts here from 6-12 months ago complaining about the Vodafone Station firmware.

Have Vodafone decided that it's 'OK' if it works for 90% of users? If so, then give us a way to NOT use the Vodafone Station. It is really the worst router I have ever ever used.

I can connect to my home computer using RDP, even when port 3389 is not specified in IPV6 Host Exposure.

But only if the firewall is off. 
Again - it runs itself on again after 24 hours, and we have no choice about that.

arpaterson
Netzwerkforscher

I made some further progress doing Vodafone's work for them.

The section "IPV6 Host Exposure" does not update the firewall rules configuration when you click 'Apply'.

The firewall rules only seem to get updated when you disable and re-enable the firewall.

This might be a bug for the firmware team to fix.

The way I was able to configure it to work was:

1. Make a new entry in Internet > IPV6 Host Exposure.
2. Click Save.
3. Turn the rule on (slider -> green).
4. Click Apply.

You will see "Changes applied", but also a spinner that never ends. You can ignore the spinner and refresh the page after some time.

5. Confirm that the rule is still there and enabled.
6. Navigate to Firewall.
7. Disable the firewall (slider off), click Apply.
8. Enable the firewall (slider green), click Apply.

Furthermore:
- If you reboot the router, all the ipv6 addresses for your devices will change. I don't know if the VF Station can do anything about this. It depends if it is using SLAAC or dhcpv6.
This makes it very confusing to assess this problem, because a reboot will restart the firewall, but it will also change all the ipv6 addresses. Don't reboot. Instead disable and re-enable the firewall.
If they were to stay the same, we would no longer need dynamic DNS!

- Disabling Host Exposure rules seems to work.
But editing Host Exposure rules requires the firewall to be disabled and re-enabled.

- Can only open a port once, despite EACH machine having its own ipv6 address on the internet and therefore its own ports. This seems like a leftover from ipv4+NAT thinking. Port overlaps should not be a thing in ipv6 host exposure, correct me if I am wrong.

I am still testing, maybe this will stop working after a day. 

Just to be clear - you get what you paid for. The Vodafone station is not really a good router at all - it (barely) works if you want to surf a bit and check emails, but it's definitely not worth to deal with if you want to do anything else...

 

Better opt for the HomeBox option (which includes a rental FritzBox) -or- buy a cable router on your own...

Is it possible to use our own cable modem/ router in NRW? My understanding is that we must use the Vodafone Station or the fritz. I would absolutely not pay vodafone a rental for this basic functionality. We should have bridge mode, or the option to use our own hardware.

That said, I am making more progress. If I am very careful with the web interface (so that it does not crash/timeout/brick the Vodafone Station) I can get some devices through the firewall. I am able to hit Windows machines via ipv6.

 

It appears that between the Vodafone Station's RA and DHCPv6 configuration (for which we have zero configurability) and Debian/Ubuntu, there is a routing problem.

To give more detail, the Vodafone Station is doing 'DHCP Stateful'.
That means that the 'managed' flag is set in the Router Advertisements (RA), and devices get an ipv6 address from the Vodafone Station's DHCPv6.

The 'other config' flag is also set, allowing devices to get info like DNS settings (whether or not they use DHCPv6 or SLAAC to set their ipv6 address).

My linux devices are doing both - they have a SLAAC generated ipv6 address, as well as the DHCPv6 assigned address from the Vodafone Station.

In 'Host Exposure' we do not open a port and NAT it to an internal IPv4 address:port, but instead we select a MAC address - and the Vodafone Station routes connections to the DHCPv6 assigned ipv6 address for that MAC (one port at a time).

So, with Vodafone Station's current firmware, we can never connect from outside to any static ipv6 address or SLAAC ipv6 addresses, despite them being valid GUAs, because they are forever firewalled.
Only the DHCPv6 address can be exposed by the firewall - that's what 'Host Exposure' is doing.

This works, if the routes are set up correctly.

But they are not.

I am not sure if it is on the debian/ubuntu side, or in the RA/DHCPv6 side that the connection is not being made.
Blaming debian/ubuntu isn't all that helpful, because we are locked into using the DHCPv6 assigned address to get thru the firewall. I can't simply assign an address with the correct flags and routes, as connections to it would never be let thru the firewall.
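Added example, not part of the original post: a small parser for the Router Advertisement flags discussed above (M and O in the RA header, A in the Prefix Information option, per RFC 4861), showing why a host can end up with both a DHCPv6 and a SLAAC address. The sample bytes are constructed, and the A flag being set on the prefix is an assumption consistent with the Linux hosts holding both address types.

```python
import ipaddress
import struct

def parse_router_advertisement(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134); checksum is not verified."""
    if len(icmp6) < 16:
        raise ValueError("truncated Router Advertisement")
    msg_type, code, _cksum, _hops, flags, lifetime = struct.unpack("!BBHBBH", icmp6[:8])
    if msg_type != 134 or code != 0:
        raise ValueError("not a Router Advertisement")
    result = {
        "managed": bool(flags & 0x80),  # M: get addresses from DHCPv6
        "other": bool(flags & 0x40),    # O: get DNS etc. from DHCPv6
        "router_lifetime": lifetime,
        "prefixes": [],
    }
    offset = 16  # skip reachable time and retransmit timer
    while offset + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[offset], icmp6[offset + 1] * 8
        if opt_len == 0 or offset + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            plen, pflags = icmp6[offset + 2], icmp6[offset + 3]
            prefix = ipaddress.IPv6Address(icmp6[offset + 16:offset + 32])
            result["prefixes"].append({
                "prefix": f"{prefix}/{plen}",
                "on_link": bool(pflags & 0x80),     # L flag
                "autonomous": bool(pflags & 0x40),  # A flag: SLAAC allowed
            })
        offset += opt_len
    return result

def address_sources(ra: dict) -> list:
    """Which mechanisms will give a host a global address under this RA."""
    sources = []
    if ra["managed"]:
        sources.append("dhcpv6")  # the address Host Exposure is said to target
    if any(p["autonomous"] for p in ra["prefixes"]):
        sources.append("slaac")   # valid GUA, but reported as firewalled
    return sources

# Constructed sample RA: M=1, O=1, one /64 prefix with L=1, A=1 (documentation prefix).
SAMPLE_RA = (
    bytes([134, 0, 0, 0, 64, 0xC0]) + struct.pack("!HII", 1800, 0, 0)
    + bytes([3, 4, 64, 0xC0]) + struct.pack("!III", 86400, 14400, 0)
    + ipaddress.IPv6Address("2001:db8:1234:5678::").packed
)

if __name__ == "__main__":
    print(address_sources(parse_router_advertisement(SAMPLE_RA)))
```

To run it against real traffic, feed it the ICMPv6 payload of a captured Router Advertisement; a result containing both sources means the host should be reached on its DHCPv6 address when testing Host Exposure.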

You can use own cable devices - but they have to meet the technical interface specification from Vodafone.

 

This means -as far as I know- that those devices:

a) Must support at least EuroDOCSIS3.0 with 16 downstream and 4 upstream channels

b) Must support DOCSIS3.1 with 2 downstream and 2 upstream channels on top in case of a 1 GBit/s connection (or faster)

c) Must support DualStack-Lite operation

 

And as far as I am aware, there's barely only FritzBoxes available on the retail market that are certified for EuroDOCSIS3.0 and DOCSIS3.1 -- as most CPEs are sold exclusively to the cable service providers and are not available on the retail market.

 

This also means that you CANNOT use US cable modems as they don't meet the requirement to support EuroDOCSIS 3.0 operation...

@arpaterson 

Which kind of contract do you have?

If you have a Gigabit connection, for example, it is possible to contact Vodafone and let them switch your connection to dual stack.

If dual stack is enabled, it is possible to activate bridge mode in the web interface of the Vodafone Station.