
fl4co

Everything posted by fl4co

  1. I have found this log: However, I believe that delegating ULA prefixes can be useful in a local environment with multiple routers. Also, I believe the ULA address space is fc00::/7, so fd00::/8 is not the entirety of the address space. Even if you wanted to block any non globally routable prefix, I can delegate prefixes outside of 2000::/3 as I showed on the first post. By the way, I hope you decide not to block the ULA address space.
  2. Version tested: latest stable (4.0.5). If I delegate a ULA address from a DHCPv6 server to the Keenetic, the server will confirm that the Keenetic requested the ULA prefix and that it is bound: However, the prefix is not found on the Keenetic and cannot be used: Instead, if I try to add a non-ULA prefix, even a non-routable one, the Keenetic correctly acquires it and subnets from it can be advertised on the local segments:
  3. You have to allow ICMP on the firewall. By default it's dropped.
  4. It looks like your Keenetic gets a single IP address and not a prefix, so the devices on your LAN have no IPv6 addresses.
  5. Can you post the IPv6 routing table, both for the router and your PC?
  6. The /128 routes you see on the Web GUI are addresses assigned to the router's network interfaces, while the address you see on the ipv6 test website is your computer's. So it's normal they are different. But I have two fe80::/10 routes too, one is "proto: kernel" and the other is "proto:boot". I don't know if it's intended that both get added and displayed.
  7. I have similar problems: at first I couldn't get a prefix via DHCPv6-PD from my provider (via PPPoE), then I got the prefix but the routes are strange, and no default gateway, so no IPv6 connectivity: Also the logs are full of these errors: Edit: regarding the last problem, it looks like the new CLI command is now "show ipv6 route" and not "routes", so maybe that's the cause.
  8. Today I was looking around and found that the standard radvd daemon is used for sending router advertisements in the LAN. It is launched with the configuration file located at /var/run/radvd.conf (which is a symlink to /tmp/run). This means that the configuration file is generated at runtime and can't be edited by the user 🥲 This is the content of the file (one entry for each subnet, IP addresses redacted):

         /tmp/run # cat radvd.conf
         interface br0 {
             AdvSendAdvert on;
             AdvOtherConfigFlag on;
             AdvManagedFlag off;
             prefix 2a00:xxxx:xxxx::/64 {
                 AdvOnLink on;
                 DeprecatePrefix on;
                 AdvAutonomous on;
                 DecrementLifetimes on;
                 AdvPreferredLifetime 716;
                 AdvValidLifetime 716;
             };
             RDNSS fe80::xxxx:xxxx:xxxx:xxxx {
             };
         };

     The DNS server is advertised with the RDNSS option, so hopefully a CLI command can be added to have the user set the preferred DNS server 👍
  9. Isn't ICMPv6 necessary for IPv6 to work correctly? Oh wow, prefix delegation would be excellent! However I can't seem to be able to use it in 3.9 Beta 1, when will it be publicly available?
  10. My ISP delegates a /56 IPv6 prefix, which is assigned to my Keenetic gateway and everything works fine. I'd like to statically add a /64 subnet to another router connected to my LAN (or to some VMs behind a supervisor). I can easily achieve this configuration with a static route on the Keenetic. However, I noticed that if the IPv6 firewall is enabled no communication is possible from the Internet. If the firewall is disabled, everything works, but I don't want to completely disable the firewall. Is there any way to allow traffic to a specific subnet? Also, I'm running version 3.9 Beta 1 and I noticed that with the IPv6 firewall enabled hosts on the LAN do not reply to ICMPv6 echo requests (and possibly to ICMPv6 altogether), while the router still answers to pings to the IPv6 address on the Bridge0 interface. Is this an intended change? I'm pretty sure that ICMPv6 used to not be filtered by the firewall.
  11. I'm trying to set up an IPv6 address as my DoT resolver, as I read it should be now supported by version 3.9. I can't do it in the web GUI (the IPv6 address is not accepted), and in the CLI I can add it with "dns-proxy tls upstream <IP address>" but then it doesn't seem to work (web sites will just time out). I'm using a Skipper.
  12. Thank you! This was not immediately clear to me after reading the Command Reference Guide.
  13. Hi, I'm in the process of learning how to use the API and I succeeded in retrieving information from the router and in changing settings. However, I can't find a way to delete a setting and revert it to default. For example, I'm able to set a connection policy for a client, passing a "mac" and "policy" parameter with a POST method, but I don't know how to delete this setting. I tried with a DELETE method but I always receive an error. In short, I'd like to know the HTTP request for "no ip hotspot host <mac> policy".
  14. My ISP assigns an IPv6 prefix via PPPoE. However, they do not send a Router Advertisement packet. I don't know if it's a technical limitation of IPv6 via PPPoE or choice by the ISP. The result is that the Keenetic router gains the delegated prefix, but no IPv6 default gateway is set, and with no default gateway IPv6 addresses are not distributed on the LAN via SLAAC or DHCPv6. Back in May 2021 I discussed this issue with Keenetic Support, and at last they suggested to run the command "interface PPPoE0 ipv6 force-default". After applying this command the PPPoE interface is set as IPv6 default gateway and all devices start getting IPv6 addresses. So, currently a CLI command is required in order to have a functional IPv6 setup. I'd like to request that Keenetic implements one of the two following solutions: (1) Add a "Do not wait for RA" option, like pfSense does. This way the Keenetic router will not wait endlessly for an RA packet that will never arrive, and set up the default gateway autonomously. (2) Automatically set the default gateway as the PPPoE interface, or use the link-local address of the ISP router as gateway. This is what OpenWrt does, as I tested it on network contract. I don't know if every ISP does not send RA packets via PPPoE, but I know of at least two ISPs in my country with this "problem". As of today checking the "Use IPv6" box in the PPPoE section of the Keenetic router does not result in a functional IPv6 setup, because an additional CLI command is required.
  15. fl4co

    MAP-T

    Hello, is there any news on the MAP-T implementation? Since mid December Sky Italia officially switched to MAP-T, especially for new customers. Old customers are in MAP 1:16, MAP 1:1 if port forwarding is detected and in dual stack in some rare cases (but bound to switch to MAP-T in January). Sky Italia seems to be one of the fastest growing ISPs in Italy, and there's currently no alternative to their CPE besides customized OpenWrt which is not feasible for non-technical users. It would be nice to have Keenetic as an option.
  16. It works, thank you! I thought you could only add one rule per port. By the way, I'd argue that this system with MAC addresses is not simpler than using the IP addresses, and you are using the CLI anyway... Also you are allowing connections to every IP address on that interface. Anyway it works for what I want to do at the moment 🙂
  17. Ok, that's what I thought, but I want to access host 1 to [2::1]:80 and host 2 to [3::2]:80 behind the same ISP. Am I right that this is currently not possible?
  18. How do I do this? I'm looking at the manual and it seems to me I can set an input interface, not an address:
  19. Yes, I tried and it works, but: If I have 1 device with 2 IP addresses, I can't host different services on different addresses but same port; Even worse, I can't host 2 services on 2 different addresses on DIFFERENT hosts. For example, if I wanted to host 2 web servers on 2 different computers, on port 80, I couldn't because the router will forward every connection on port 80 to a single MAC address. So I'm forced to host web servers on one host for the entire network. This is just an example but applies to every kind of service, for example an IP cam.
  20. I'm aware of the privacy extensions but I think anyone hosting a service will set a static address, there's no shortage of that in IPv6 anyway 😃 I can see that, but why not allow this kind of configuration at least on the CLI? It's already available for IPv4 with the "access-list" commands where one can input IP addresses. One of the main points of IPv6 is having multiple public IP addresses. Currently on Keenetic routers it's not possible to accept multiple connections on the same port for different IPv6 addresses.
  21. I have full IPv6 connectivity from my ISP. I also have the ipv6 firewall command enabled as default, because otherwise my whole network would be exposed. I'm trying to allow connections to some of the IPv6 addresses. For example, let's say I want to host a web server on one of my devices. As I understand, at the moment I have to use the command "ipv6 static tcp <WAN interface> <device MAC> 80". This way, I can reach my web server from outside on its IPv6 address because I think that every TCP connection on port 80 on my prefix will be forwarded to the device, but at layer 2 level. But what if the device has two IPv6 addresses? Or, what if I want to host two web servers on different devices? How can I allow connections to port 80 for two IPv6 addresses? Why isn't an IP-based firewall available for IPv6, like for IPv4?
  22. Hello. I created an IKEv2 connection to a VPN service on my Keenetic router. I created a new connection policy and selected the VPN connection as the only connection for that policy. When I assign clients to the VPN policy, their IPv4 traffic is correctly routed via the VPN service. However, the IPv6 traffic keeps going through the main ISP, thus leaking my real IPv6 addresses. The only way to stop this is to disable IPv6 on every client when I assign them to the VPN policy, but this is annoying because I frequently move clients to and from the VPN policy. I guess maybe it's difficult to block the IPv6 traffic because SLAAC is stateless and the Keenetic router doesn't know which device has an IPv6, but maybe it's possible to track the MAC addresses?
  23. fl4co

    MAP-T

    In their configuration page they just say this: "IPoE IPv4/IPv6 protocol NAT: MAP-T Mapping of Address and Port, Translation mode (RFC7599)". I will post more information when they make the switch or if they release new information.