USG60W IPv6 Delegation & DNS


All Replies

  • FrankLauer
    FrankLauer Posts: 45  Freshman Member
    First Anniversary 10 Comments Friend Collector First Answer

    Well, it looks correct and exactly what I have on my USG110, and then the device fills out the Address field automatically.

    • Check if you still got a prefix delegation when you check this under 'object->dhcp6'
    • Reboot the USG

    If it doesn't help, here's another idea: Because I got a /56 delegation I have a prefix something like this: 2003:xxxx:xxxx:7900/56. I can use 256 suffixes. For example with ::1:0:0:0:1/64 I get 2003:xxxx:xxxx:7901:0:0:0:1/64. Because of this I thought it was ADDING the suffix. However, the USG may REPLACE the suffix.

    In this case you would have to use ::c:0:0:0:1/64 and ::d:0:0:0:1/64 there. Please try this.

  • mjk
    mjk Posts: 10  Freshman Member
    First Anniversary First Comment

    I performed a reboot.

    Lan1 clients get 'fd' addresses. Ping resolves to an IPv6 address but fails.

    I give up. I've wasted at least 4 days over my Christmas break trying to get this to work.

    Support used to help via chat, now they charge €99 per 30 minutes. I guess that it's so complicated to set up that their device support was overloaded, and charging €200 per hour is a good way to reduce their workload.

    Last time support helped, they managed to set up an isolated packet based VLAN (non-Zyxel WLAN) forwarded to Guest, I had no idea how they set it up and it stopped working after a firmware update.

    VPN is patchy as it regularly refuses to authenticate for no apparent reason, same client, same device, same VPN user. I also never managed to get authentication via Active Directory to work, it wouldn't connect to the Active Directory and the server just reported invalid credentials.

    It's too complicated, the handbook and online articles are unreliable and there is no way to troubleshoot. There's just no feedback when things don't work as expected.

    I will not renew any of my services and as soon as I can move to a cloud based security solution I will recycle all my ZyXel devices! I will also not recommend this stuff any more, it's just not cost effective for small businesses.

    I thank you for your help.

  • FrankLauer
    FrankLauer Posts: 45  Freshman Member
    First Anniversary 10 Comments Friend Collector First Answer

    What should I say. From starting to implement IPv6 in our company until I had a first success I needed 3 months! And yes, network engineering can be an academic job.

    But I think you are quite close to success. Positively, in these 4 days you got different things working. Your WAN interface looks fine. Both of your LAN ports look fine. And Router Advertising (RA) seems also to work.

    Further things that now have to be checked are for example firewall rules. Pings are not working in every case. It also can be that the recipient refuses ping (ICMPv6 echo). Or security rules in the USG. Maybe check also the log or, for testing, set all rules to 'allow'.

    How about DNS ?

    BTW: What also helped me a lot was checking network traffic with Wireshark. But I agree, it's complicated ;-)

  • mjk
    mjk Posts: 10  Freshman Member
    First Anniversary First Comment

    This is not an academic job, this is black box trial & error with insufficient documentation and zero feedback for troubleshooting.

    For example, the contents of my DHCP log after a sequence of lan1 configuration changes and attempts to renew the IPv6 addresses using ipconfig /release6 & ipconfig /renew6:

    Client which is connected to lan1 now has four addresses, two from 'fc' and two from 'fd'. It has only ever been connected to lan1, and has been restarted:

    netsh for the client adds to the bizarre:

    There is a mixture of short, long and infinite length validities, and all of this from my ISP modem that currently reports only 14 hours left on the lease:

    IPv6-Adresse: 2a00:79c0:501:75a8::1, Validity: 52673/52673s,

    IPv6-Präfix: 2a00:79c0:7b6:8700::/56, Validity: 52673/52673s

    So even 'if' I managed to get ping to work, the address prefixing / leasing is actually not working as expected.

    Given the two options:

    1. Carry on with trial & error configuration changes,
    2. Throw away the ZyXel box and use already working ISP modem.

    Number '2' wins.

  • FrankLauer
    FrankLauer Posts: 45  Freshman Member
    First Anniversary 10 Comments Friend Collector First Answer

    The DHCP log is maybe empty because it often logs on errors (deny rules) only. You would have to set the log to log the 'allow' rules too. However, in such cases I trust only a traffic analysis with Wireshark. For example you could collect the traffic on the USG for LAN1 while rebooting your computer. Then download this file and inspect it with Wireshark. There you would see DHCP, DNS, router solicitation, router advertisement, neighbor solicitation, neighbor advertisement. As you can imagine, it needs a horrible lot of time.

    As for your interface console output: I would have said you are connected to LAN2 in the 87fd range. This would have explained the infinite life time there. The temporary address for 87fd is also ok, that's the privacy extension in IPv6. And the 87fc addresses are left from previous tests. This you can check only with traffic inspection.

    And just one last thought: I have seen that you have a dynamic IPv6 address, changing regularly, as usual in Germany. This can have side effects if you get a /62 prefix only from your FritzBox. In the beginning of our discussion we had a prefix delegation that allowed these 4 letters: c, d, e and f at the end. After your IPv6 address changes you may also get another /62 address range, f.ex. with letters 8, 9, a and b at the end. Keep in mind.

    Sorry that I couldn't help you to fix your problem. But it's really complex stuff.
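The address list mjk describes above (four addresses across two prefixes, a mix of short, long and infinite lifetimes) and Frank's reading of it (the infinite lifetime belongs to the currently advertised LAN2 prefix, the 'Temporary' entries are privacy-extension addresses, and the 87fc addresses are leftovers from earlier tests) can be checked mechanically instead of by eye. The following is an added example, not code from either poster or from Zyxel: it parses rows laid out like `netsh interface ipv6 show addresses`, groups the global addresses by /64 and reports which prefix is still active and which one is stale. The sample rows, addresses, zone id and lifetimes are constructed for the example.

```python
import ipaddress
import re

# Constructed sample laid out like `netsh interface ipv6 show addresses` on
# Windows 10. Addresses, zone id and lifetimes are invented; they mirror the
# situation described in the thread: a current prefix (..87fd) announced with
# an infinite lifetime, a leftover prefix (..87fc) whose preferred lifetime has
# run out, and the link-local address.
NETSH_SAMPLE = """\
Interface 11: Ethernet

Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Public     Preferred     infinite   infinite 2a00:79c0:7b6:87fd::7a31
Temporary  Preferred   14h37m53s   6h12m4s   2a00:79c0:7b6:87fd:5c1e:9b2a:77d0:3f11
Public     Deprecated       1h2m         0s  2a00:79c0:7b6:87fc::7a31
Temporary  Deprecated       1h2m         0s  2a00:79c0:7b6:87fc:e4a9:d3b:6f12:88c0
Other      Preferred     infinite   infinite fe80::7a31%11
"""

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def lifetime_seconds(text):
    """Convert a netsh lifetime such as '14h37m53s' to seconds; None means infinite."""
    if text == "infinite":
        return None
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([dhms])", text))


def parse_netsh(text):
    """Return one dict per address row; header and separator rows are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # interface title and column header have a different field count
        addr_type, dad_state, valid, pref, addr = fields
        try:
            ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop the %zone suffix
        except ipaddress.AddressValueError:
            continue  # the '-----' separator row ends up here
        rows.append({"type": addr_type, "dad": dad_state,
                     "valid": lifetime_seconds(valid),
                     "preferred": lifetime_seconds(pref), "ip": ip})
    return rows


def summarize(rows):
    """Group global addresses by /64 and say what each prefix's lifetimes imply."""
    summary = {}
    for row in rows:
        ip = row["ip"]
        if ip.is_link_local:
            continue  # fe80::/10 is always there and says nothing about delegation
        prefix = str(ipaddress.IPv6Network(f"{ip}/64", strict=False))
        entry = summary.setdefault(prefix, {"addresses": 0, "temporary": 0,
                                            "deprecated": 0, "infinite_valid": False})
        entry["addresses"] += 1
        if row["type"] == "Temporary":
            entry["temporary"] += 1  # privacy-extension address, normal alongside the public one
        if row["dad"] == "Deprecated" or row["preferred"] == 0:
            entry["deprecated"] += 1  # no RA has refreshed this prefix lately
        if row["valid"] is None:
            entry["infinite_valid"] = True
    for entry in summary.values():
        if entry["deprecated"] == entry["addresses"]:
            entry["status"] = "stale: no address is preferred any more, the router stopped advertising this prefix"
        elif entry["infinite_valid"]:
            entry["status"] = "active, but announced with an infinite valid lifetime: hosts never drop it when the delegation changes"
        else:
            entry["status"] = "active"
    return summary


if __name__ == "__main__":
    for prefix, entry in summarize(parse_netsh(NETSH_SAMPLE)).items():
        print(prefix, entry)
```

With a dynamically delegated prefix, the "infinite valid lifetime" finding is the one worth acting on: the RA lifetime on the LAN interface should be finite so that addresses from an old delegation age out on their own.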

  • FrankLauer
    FrankLauer Posts: 45  Freshman Member
    First Anniversary 10 Comments Friend Collector First Answer

    The additional WAN1 address does not look correct to me, but maybe needs some investigation later. But for the first step your USG seems to be connected to IPv6 because you can ping it in the diagnose console.

    For testing some additional steps: Use the latest firmware or at least a newer one. To make things easier for testing, deactivate LAN2 and in a first step just try to get LAN1 working well.

    • For the LAN1 interface the IPv6 Address Assignment must be /64. Use something like ::0:0:0:1/64 there.
    • In your picture I have seen that you got on your LAN1 PC a prefix of 2a00:79c0:79e:1dfd::/64. But your USG shows 2a00:79c0:79e:1dfc::/128. That's not only a wrong netmask (should be /64 as already said). It's also a different subnet. The interface address and the RA prefix must be in the same subnet. (Check the suffix there.)

    You can use f. ex 2a00:79c0:79e:1dfc::/64 for LAN1 prefix and 2a00:79c0:79e:1dfc:0:0:0:1/64 for LAN1 interface address.

    And 2a00:79c0:79e:1dfd::/64 for LAN2 as prefix. And 2a00:79c0:79e:1dfd:0:0:0:1/64 for LAN2 interface address.
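The arithmetic behind Frank's advice (a /56 yields 256 subnet suffixes, the ::c/::d suffixes for a /62, the interface address and the RA prefix having to share one /64, and the warning that a fixed suffix can stop fitting once the ISP hands out a different /62) is easy to get wrong by hand. The following is an added example, not Frank's or Zyxel's code, and it assumes the "replace" model he suspects: the router ORs the delegated prefix with the configured suffix, so the suffix supplies the subnet ID and interface ID and its own prefix length becomes the LAN netmask. The /56 comes from the ISP-modem line quoted in the thread; the /62 delegations are constructed from the 1dfc/1dfd prefixes discussed above.

```python
import ipaddress


def combine(delegated, suffix):
    """Derive a LAN prefix or interface address from a delegated prefix and a
    suffix such as '::c:0:0:0:1/64'.

    Assumed model (not confirmed by Zyxel documentation): the router ORs the
    two, so every bit below the delegation boundary comes from the suffix and
    the suffix's own prefix length becomes the LAN netmask. The result must
    still lie inside the delegation; a suffix that fit one delegation fails
    this check once the ISP hands out a different one.
    """
    net = ipaddress.IPv6Network(delegated, strict=False)
    suf = ipaddress.IPv6Interface(suffix)
    combined = ipaddress.IPv6Address(int(net.network_address) | int(suf.ip))
    if combined not in net:
        raise ValueError(f"{suffix} on {net} gives {combined}, outside the delegation")
    return ipaddress.IPv6Interface(f"{combined}/{suf.network.prefixlen}")


def subnet_count(delegated):
    """Number of /64 LAN subnets a delegation yields: /56 -> 256, /62 -> 4."""
    return 2 ** (64 - ipaddress.IPv6Network(delegated, strict=False).prefixlen)


def check_lan(interface_addr, ra_prefix):
    """Findings for one LAN: the interface netmask must be /64 and the
    interface address must sit in the same /64 the RA announces."""
    findings = []
    iface = ipaddress.IPv6Interface(interface_addr)
    ra = ipaddress.IPv6Network(ra_prefix, strict=False)
    if iface.network.prefixlen != 64:
        findings.append(f"interface netmask is /{iface.network.prefixlen}, expected /64")
    if ra.prefixlen != 64:
        findings.append(f"RA prefix length is /{ra.prefixlen}, expected /64")
    iface64 = ipaddress.IPv6Network(f"{iface.ip}/64", strict=False)
    ra64 = ipaddress.IPv6Network(f"{ra.network_address}/64", strict=False)
    if iface64 != ra64:
        findings.append(f"interface address is in {iface64} but the RA announces {ra64}")
    return findings


if __name__ == "__main__":
    # /56 quoted from the ISP modem in the thread: 256 usable /64 subnets
    print(subnet_count("2a00:79c0:7b6:8700::/56"),
          combine("2a00:79c0:7b6:8700::/56", "::1:0:0:0:1/64"))
    # constructed /62 delegation: only subnet IDs c, d, e and f fit
    for s in ("::c:0:0:0:1/64", "::d:0:0:0:1/64"):
        print(combine("2a00:79c0:79e:1dfc::/62", s))
    # the same suffix after the delegation moved to a constructed ...1df8::/62
    try:
        combine("2a00:79c0:79e:1df8::/62", "::c:0:0:0:1/64")
    except ValueError as err:
        print("rejected:", err)
    # the mismatch described above: /128 interface in 1dfc, RA prefix in 1dfd
    print(check_lan("2a00:79c0:79e:1dfc::1/128", "2a00:79c0:79e:1dfd::/64"))
```

`check_lan` returning an empty list is the configuration Frank describes for each LAN; anything it returns is a reason the clients' RA prefix and the USG's interface address will disagree.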

  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @mjk

    We apologize that you met a certain IPv6 related issue in your environment. Actually we also use IPv6 in our office environment and haven't had such an issue so far.

    To understand and help check the possibilities in your network, can we have your configuration file to verify it in our lab directly (and it will be helpful if you can provide us a topology of your network)?

    We will build a similar lab in our office and see if we can help to solve it as much as possible.

    Thank you.

  • mjk
    mjk Posts: 10  Freshman Member
    First Anniversary First Comment

    Thanks for reiterating the fact that I'm too stupid to use your hardware.

    This is not the first time that I have failed miserably to configure my USG60W.

    Last time support helped, they managed to set up an isolated packet based VLAN (non-Zyxel WLAN) forwarded to Guest, I had no idea how they set it up and it stopped working after a firmware update. In the end I bought an OpenVPN compatible router and just used that as a dedicated isolated access point.

    I also tried to set up an OpenVPN channel via the USG60W, but it doesn't support OpenVPN configuration files and it refused to connect to a NordVPN server via a manual configuration.

    I never managed to get the USG60W to authenticate users via AD/LDAP, so my Windows 10 clients couldn't use their Domain credentials to log in. Again, after hours of internet searches and trial and error I just gave up and managed the users for VPN manually.

    During my attempts to setup IPv6 my Windows Server ended up with 9 IPv6 addresses and I had to restart the network adapter to reset it. Again, no idea what was going on there. I guess that it was something to do with the dynamic IPv6 address and the fact that none of my clients reported any expiry dates on the leases.

    As a final note, you have increased the cost of the one year licence bundle by 15%.