OpenWRT, Spectrum DOCSIS 3 Cable Modem and IPv6 addresses.

    Hello!

    So I'm working on setting some stuff up, and long story short, I put my Spectrum rented cable modem in Bridge Mode and disabled the wireless. Then I took this cheap Vizio router I have, and a while back, I was able to get OpenWRT compiled on it. I think I'm the only one who has done this, because the flash size is very small and I'm extremely limited in how many features I can use.

    But for experimental purposes, I'm using the Vizio OpenWRT router. I've set up wifi on it, and the WAN parts are working as expected: the WAN port is being assigned the public IPv4 address that the cable modem would normally be assigned.

    The WAN6 is being assigned the public IPv6 address that the cable modem would normally be assigned. Everything good so far.

    Now, this is where I have issues. The switch VLAN has the IPv4 network address of 192.168.1.1, good there. The DHCP server is properly handing out 192.168.1.x addresses.

    But! With the IPv6 address. It has what I call a private one, but it also has a public IPv6 address, different from the WAN6 one. The WAN6 has IPv6 and then one called IPv6-PD. This PD one is what the switch VLAN looks like.

    So, with my PCs on the LAN, wireless or wired, I'm receiving a "private" IPv6 address, but I'm also receiving a public IPv6 address. I don't want that. I want just private, and I want the router to handle everything, seeing how it offers a bit more protection.

    Any ideas how to configure OpenWRT like that, where the switch VLAN interface (for the wireless and wired connections) is only being assigned the private IPv6 address and not the public? Just like it is with IPv4?

    Thanks!

    I can take screenshots if you guys want to see what I'm talking about, but I'll have to blank out some parts.
    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

    #2
    Re: OpenWRT, Spectrum DOCSIS 3 Cable Modem and IPv6 addresses.

    You could do like me and disable IPv6 and bury your head in the sand. I really don't want to need to remember IPv6 addresses....
    Things I've fixed: anything from semis to crappy Chinese $2 radios, and now an IoT Dildo....

    "Dude, this is Wyoming, I hopped on and sent 'er. No fucking around." -- Me

    Excuse me while I do something dangerous


    You must have a sad, sad boring life if you hate on people harmlessly enjoying life with an animal costume.

    Sometimes you need to break shit to fix it.... That's why my lawnmower doesn't have a deadman switch or engine brake anymore

    Follow the white rabbit.



      #3
      Re: OpenWRT, Spectrum DOCSIS 3 Cable Modem and IPv6 addresses.

      I have a need for IPv6 right now.

      I got it set up where it's (what's the word) stateless or maybe it's stateful. I want to say stateless, so I only have to remember the first three groups, and then it's a ::1, ::2, ::3, ::4, instead of the MAC address thing.

      I prefer it that way, easier to remember. Minus the public IPv6 address the PCs are receiving, of course. They're the other one, that uses the MAC address to create the address.

      My wife's laptop, for example, is receiving both. Just like the OpenWRT one. The public and "private" IPv6 address. The "private" one ends in ::5. Want to get rid of the public part though and have the router handle the NAT6.

      I know they're not called private addresses, but I can't remember what they're actually called and I'm too busy to look it up right now. link-local comes to mind, but I don't think that's correct. I think that's more like the local loopback.
      -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



        #4
        Re: OpenWRT, Spectrum DOCSIS 3 Cable Modem and IPv6 addresses.

        Do you have IPv6 set as passthrough? (May be named something else. I only have an ASUSWRT router in front of me ATM.)


          #5
          Re: OpenWRT, Spectrum DOCSIS 3 Cable Modem and IPv6 addresses.

          Originally posted by goontron
          Do you have IPv6 set as passthrough? (May be named something else. I only have an ASUSWRT router in front of me ATM.)
          Not familiar with ASUSWRT, but if it's based on OpenWRT, I might. I will check for the word passthrough.

          Any ideas where I might find this? Would it be under the interface network setting, where it shows LAN, WAN, WAN6? Or would it be under the main DHCP setting? For each interface, there's also DHCP settings, depending on if I got it bridged or not (like the LAN is bridged to the wan, wan6 ports). I cannot set anything on the cable modem now, because it's in bridge mode, minus telephone stuff and VPN I think, plus wireless, which is disabled.

          Let me finish messing around with this switch I'm trying to finally get configured properly and then I'll check. Might take a few hours with this switch though. Thanks Goontron!
          -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



            #6
            Re: OpenWRT, Spectrum DOCSIS 3 Cable Modem and IPv6 addresses.

            Link Local is correct, there is also a "localhost" (::1) address for IPv6. But I still don't see why you need local IPv6 in the situation you describe. It's just another translation of the MAC address and your local IPv4 address works just fine as a translation too.

            I just have my IPv6 set up "correctly", so all my LAN machines that have IPv6 stacks also have public IPv6 addresses. However my firewall blocks incoming IPv6 packets to all but one machine that I explicitly want IPv6 connectivity upon.



              #7
              Re: OpenWRT, Spectrum DOCSIS 3 Cable Modem and IPv6 addresses.

              Originally posted by eccerr0r
              Link Local is correct, there is also a "localhost" (::1) address for IPv6. But I still don't see why you need local IPv6 in the situation you describe. It's just another translation of the MAC address and your local IPv4 address works just fine as a translation too.

              I just have my IPv6 set up "correctly", so all my LAN machines that have IPv6 stacks also have public IPv6 addresses. However my firewall blocks incoming IPv6 packets to all but one machine that I explicitly want IPv6 connectivity upon.
              You have much more faith in the Windows firewall than I.

              My wife's machine is running 10 Home, and I just don't feel comfortable with having it have a public IP address.

              I thought link-local was the ones that didn't go through the router, and there was yet another name for the type I'm talking about. I can google it. I asked once, when I wanted to have our cable modem assign private IPv6 addresses, but it wasn't possible with our cable modem, because of the firmware it was running.

              Now that I'm running OpenWRT, I figure it should be possible. I'm halfway there at least, I got the "link-local" that is private, and not accessible from the outside world, on the devices, being handed out by the OpenWRT, but I also got the public ones, the ones I don't want on the devices.
              -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                #8
                Re: OpenWRT, Spectrum DOCSIS 3 Cable Modem and IPv6 addresses.

                I do not use Windows Firewall; the IPv6 firewall is done at the router that also routes IPv6.

                Yes link-local is only for LAN-only IPv6. But now you say you actually want IPv6 requests to go out ... so what's wrong with standard public address IPv6 configuration? Unless your IPv6 router is out of your control, but I would have thought OpenWRT is doing your IPv6 routing?



                  #9
                  Re: OpenWRT, Spectrum DOCSIS 3 Cable Modem and IPv6 addresses.

                  Originally posted by eccerr0r
                  I do not use Windows Firewall; the IPv6 firewall is done at the router that also routes IPv6.

                  Yes link-local is only for LAN-only IPv6. But now you say you actually want IPv6 requests to go out ... so what's wrong with standard public address IPv6 configuration? Unless your IPv6 router is out of your control, but I would have thought OpenWRT is doing your IPv6 routing?
                  OpenWRT is temporary. I do not feel comfortable having public IP addresses on my LAN. At Deposit, we had public IPs on the LAN. All these PCs running Symantec Endpoint, with public IPs, dealing with credit card info, social security numbers, etc. I brought that up to one of the higher managers (before I was a manager) and next thing I know, we're switching them all to public.

                  I feel a bit safer when people can not directly scan my PC. Right now, with public IP addresses, it's equivalent to being in the DMZ. My firewall on the OpenWRT doesn't have anything to do with that. That's only for WAN to private LAN, not WAN to WAN addresses.
                  -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                    #10
                    Re: OpenWRT, Spectrum DOCSIS 3 Cable Modem and IPv6 addresses.

                    Site-local was the word I was looking for, not link-local.

                    We use Windows Firewall alongside another program that's been fairly well, but I'd rather not see log entries in the PC about various types of attacks every morning. The local firewall on the PC does a good job of protecting us, but I'd rather just have that extra layer of security by not having global IPv6 addresses on the LAN, if we could help it.

                    If it's simply impossible, I guess there's nothing we can do. But being open source firmware, seeing how we're handed out link-local addresses along with global addresses, I'd think we'd have something configured incorrectly.

                    It'd be like the router handing out private IPs and public IPs to the PCs on the LAN. Although the firewall can protect us, that's something I don't want. I want the PC to have private IPs on the LAN, and let the router handle the NAT. To me, that makes it a bit harder for someone to get in. We have ports open on the PCs, programs open ports on the firewall (the Brother setup program for our printer, for example). It wouldn't take much for us not to check on time and make sure the programs properly wrote the correct rules.

                    And yes, we could just tell the programs not to open the ports, and try to manually write the rules ourselves, that's possible, but a real PIA. I'd rather have all the ports closed on the firewall, and not have to worry about it so much.
                    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
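
Added example (not part of any post in this thread): the address types named in posts #3 and #10, sorted by prefix with Python's standard `ipaddress` module, plus a check for the MAC-derived (EUI-64) interface ID mentioned in post #3. The sample addresses are constructed, with the documentation prefix 2001:db8::/32 standing in for an ISP-delegated prefix; the function names are illustrative.

```python
import ipaddress

# Scope by prefix. The ranges do not overlap, so order is not significant.
SCOPES = [
    ("loopback", ipaddress.ip_network("::1/128")),
    ("link-local", ipaddress.ip_network("fe80::/10")),               # never forwarded by a router
    ("site-local (deprecated)", ipaddress.ip_network("fec0::/10")),  # retired by RFC 3879
    ("unique-local (ULA)", ipaddress.ip_network("fc00::/7")),        # RFC 4193, not routed on the Internet
    ("global", ipaddress.ip_network("2000::/3")),                    # globally routable unicast
]

def _parse(addr):
    # Drop a zone index ("%eth0") or prefix length ("/64") if present.
    return ipaddress.IPv6Address(addr.split("%")[0].split("/")[0])

def scope(addr):
    ip = _parse(addr)
    for name, net in SCOPES:
        if ip in net:
            return name
    return "other"

def eui64_mac(addr):
    """Return the MAC embedded in an EUI-64 interface ID, or None."""
    iid = _parse(addr).packed[8:]          # low 64 bits of the address
    if iid[3:5] != b"\xff\xfe":            # EUI-64 inserts ff:fe in the middle
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the flipped U/L bit
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """One row per address: its scope, whether it is routable from the
    Internet, and any MAC it discloses. A routable address is only reachable
    from outside if the router's forwarding rules allow inbound connections."""
    rows = []
    for a in addresses:
        s = scope(a)
        rows.append({"address": a, "scope": s,
                     "routable": s == "global", "mac": eui64_mac(a)})
    return rows

# Constructed sample: what one LAN host in the thread's setup might hold.
SAMPLE = [
    "fe80::211:22ff:fe33:4455%eth0",            # automatic link-local
    "fd12:3456:789a::5",                        # ULA handed out by DHCPv6 (the "::5" style)
    "2001:db8:1234:10:211:22ff:fe33:4455/64",   # SLAAC address from the delegated prefix
    "fec0::1",                                  # old site-local range
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```
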



                      #11
                      Re: OpenWRT, Spectrum DOCSIS 3 Cable Modem and IPv6 addresses.

                      Originally posted by eccerr0r
                      I do not use Windows Firewall; the IPv6 firewall is done at the router that also routes IPv6.

                      Yes link-local is only for LAN-only IPv6. But now you say you actually want IPv6 requests to go out ... so what's wrong with standard public address IPv6 configuration? Unless your IPv6 router is out of your control, but I would have thought OpenWRT is doing your IPv6 routing?
                      With the global addresses, doesn't the router just pass incoming requests right over the OpenWRT firewall and consider it WAN to WAN traffic, seeing how it's not the one handing out the IPv6 global addresses? It's just kinda acting as a relay agent, I believe that's the term.

                      I could be wrong, I never properly learned about IPv6 before, just stuff I picked up here and there on the net.
                      -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                        #12
                        Re: OpenWRT, Spectrum DOCSIS 3 Cable Modem and IPv6 addresses.

                        You need to set the router to block incoming requests - whichever router is routing the packets. I don't know how you have your router set up, but I have a pfSense box that handles the gateway between IPv4 and IPv6 and routes IPv6 natively on my LAN. As it does the conversion and routing, I have it blocked off there.

                        I technically could give you my IPv6 address to my internal workstation and you can tell that it's effectively blocked off from the outside world despite it being the actual public IP address (but I'm not going to, because just like an IPv4 NAT address, people can still packet flood ...)



                          #13
                          Re: OpenWRT, Spectrum DOCSIS 3 Cable Modem and IPv6 addresses.

                          Originally posted by eccerr0r
                          You need to set the router to block incoming requests - whichever router is routing the packets. I don't know how you have your router set up, but I have a pfSense box that handles the gateway between IPv4 and IPv6 and routes IPv6 natively on my LAN. As it does the conversion and routing, I have it blocked off there.

                          I technically could give you my IPv6 address to my internal workstation and you can tell that it's effectively blocked off from the outside world despite it being the actual public IP address (but I'm not going to, because just like an IPv4 NAT address, people can still packet flood ...)
                          You're right. I did some reading last night, and it seems using private IPv6 addresses is now discouraged, unless you're experimenting. The whole purpose of NAT was to fix the shortage of IPv4 addresses, not to add an extra layer of security, like I was thinking.

                          I had it set up like this:

                          Cable modem -> Bridge Mode
                          OpenWRT WAN port connected to Cable Modem's Ethernet port 1.

                          Wifi on the OpenWRT router enabled:

                          4 private network addresses, four different subnets, plus the public.

                          It seems though, the Cable Modem in Bridge Mode was actually handing out the public IPv6 addresses some how, along with the OpenWRT router handing out the public IPv6 addresses.

                          We had to remove the OpenWRT. It cannot handle the network traffic. Keep in mind, this is a Vizio Router and it's supported for OpenWRT. It has very little flash memory. I custom compiled the OpenWRT kernel after patching it, to add support. I think I'm the only one running OpenWRT on it.

                          I could, at the time, only get the experimental github version of OpenWRT running, and at first, it'd be fine, and after a little bit of traffic with the switch, the load on the router would skyrocket and it'd have to be restarted.

                          With the cable modem, we don't have much control at all, unfortunately. For IPv6 firewall, we have on or off. It's set to On.

                          For IPv4, we have off, low, medium, high. If we set it to Medium, we can't ping, which is something we use for testing purposes. So we need to set it to low. What does Low, Medium, and High do? No idea.

                          This is Spectrum's cable modem, and even if we were to purchase our own, it has to be one that they list as compatible, and they flash their own custom firmware, that greatly limits our ability (we'd have the same interface we have now, unfortunately).

                          There's a built-in SSH and Telnet server running on the cable modem, but it's filtered, and seems to only be used for Spectrum to login. If I could gain SSH access somehow, then I would probably see the cable modem is running some sort of Linux and has iptables, iptables6, and I could manually configure it, along with static routes, and my issues would be fixed. I wouldn't need to put the cable modem in bridge mode, I could just configure a static route for my 48 port switch VLANs, and I'd have everything working just fine.

                          But on the cable modem, currently, there's no way to set a static route. It doesn't have a routing protocol enabled, like RIP. To get that, we have to become business grade, which, optimally, would be the way to go, but would cost more money. The TV would need to stay on Residential, which would mean two accounts with Spectrum, one business, one residential, and you'd think having just TV with Spectrum would be cheap, but by removing telephone and internet, the price actually goes up, not down, because of these stupid "promos" they have. Bundle and save kinda shit.

                          Puts us in a predicament. Currently, the only reasonable competing ISP would be Empire Access, which, for residential (or even business) would provide us with a cheaper price and they use fibre for tv, phone, and internet. But the issue there is there's no IPv6 (yet).

                          I've been waiting. Originally, when they first came in, they offered 100Mbps down, 20 up, which was amazing. But the more people who joined, the slower the speeds got (being a shared fibre line) and now people get around 20ish Mbps down, if that. A dedicated fibre line I could go through either company.

                          Also, with Spectrum Business, no IPv6.

                          I could set up some sort of tunnel I guess to my VPS and get IPv6 that way, but I don't know how to do that, and I'm sure that'd affect latency a good bit.

                          I think my only real option here is to purchase a better router, put the cable modem back into Bridge mode, and have the real router handle the traffic. Then purchase some sort of wifi access point, to provide wireless.

                          I'd like to get a Cisco router, but I'm not sure that would be fully compatible with the switch I have....generally, I try to keep the networking hardware the same. But I think picking a Cisco router, and using an HPE switch would be okay. I know it's not needed, but for the trunk line from the switch to the router, I'd like to try using that SFP slot, the 40Gbps or the 10Gbps port. But they cost money too. Maybe eventually, upgrade to that. But for now, just use CAT6 and make a small run (literally, I'd have to go maybe a foot from the router to the switch).
                          -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
