Getting an Apple AEBS up and running
Shadow Hawkins on Thursday, 12 March 2009 14:48:18
I am using an Apple Airport Extreme Base Station as my firewall/router. With IPv6 enabled in it and tunnels enabled, all seems to be working. I am wondering what experiences others have had and what the gotchas are.
Getting an Apple AEBS up and running
Carmen Sandiego on Thursday, 26 March 2009 18:15:26
I've blogged about it when I set it up last year. Currently, my biggest problem is that with the latest firmware upgrade (7.4.1), the AEBS doesn't allow icmp6 traffic anymore, therefore the POP sees the link as being down :(
Getting an Apple AEBS up and running
Shadow Hawkins on Wednesday, 08 April 2009 14:24:46
Can you confirm that with the latest firmware? I have a ticket open with Apple on this issue and I got a response not too long ago that indicated they thought the issue was resolved.
I'll paste my ticket below so you can see what they said.
This is a courtesy email regarding Bug ID# 6061710.
Engineering believes that this issue has been addressed in Time Capsule and
AirPort Base Station (802.11n) Firmware 7.4.1. Please verify with this release,
and update this report with your results.
Time Capsule and AirPort Base Station (802.11n) Firmware 7.4.1:
March 5, 2009
http://support.apple.com/downloads/Time_Capsule_and_AirPort_Base_Station_Firmware_Update_7_4_1
Bug reports requiring your update will appear under My Originated Problems.
Please review this bug report and provide the requested information via the
Apple Bug Reporter. Once your report has been updated, Engineering will be
alerted of the new information.
<http://bugreport.apple.com>
Thank you for your assistance in helping us discover and isolate bugs within
our products.
Best Regards,
Kit Cheung
Apple Developer Connection
Worldwide Developer Relations
*****************************************************************
THE INFORMATION CONTAINED IN THIS MESSAGE IS UNDER NON-DISCLOSURE
*****************************************************************
-------------------------------------------------------
Bug ID #: 6061710
Bug Title: Airport Extreme Base Station blocks pinging (ICMPv6 ECHO REQUEST)
of Tunnel
-------------------------------------------------------
<GMT08-Jul-2008 23:19:48GMT> Douglas Baggett:
Summary:
When configuring the Airport Extreme Base Station (AEBS) for a manually
configured IPv6 tunnel, the AEBS does not respond to the tunnel broker's
ICMPv6 ECHO REQUEST of the endpoint of the tunnel. The tunnel broker requires
the ability to ping the endpoint of the tunnel (<tunnel>::2) in order to
confirm that the tunnel is up.
Steps to Reproduce:
1. Manually configure AEBS for IPv6 tunneling with a broker that uses ICMPv6
ECHO request (sixxs.net) for monitoring.
Expected Results:
1. Tunnel is operational and sixxs.net reports the tunnel (on their website)
as being up and operational. The user is credited (sixxs.net uses a credit
system based on the status of tunnels and their uptime).
Actual Results:
1. The tunnel is operational but sixxs.net reports the tunnel as being down.
The user is penalized with negative credit deductions to their account due
to sixxs.net being unable to ping the IPv6 tunnel endpoint.
Regression:
1. None
Notes:
1. The following is information from the sixxs.net provider about how exactly
sixxs.net needs to monitor the tunnel. Contact at sixxs.net is Jeroen Massar
jeroen@sixxs.net. Sixxs tunnel service is at sixxs.net.
In addition Jeroen notes below that in addition to fixing ICMPv6 ECHO response,
allowing UDP would enable support for proto-41-heartbeat as specified in the
IETF draft proposal http://unfix.org/~jeroen/archive/drafts/draft-massar-v6ops-heartbeat-01.txt
allowing users with dynamic addresses to utilize the AEBS manual tunnel
configuration.
---
The SixXS PoP (thus <tunnel>::1) pings (ICMPv6 ECHO REQUEST) the
endpoint of the tunnel (thus <tunnel>::2) to check if the tunnel is up.
The endpoint is expected to reply with an ICMPv6 ECHO RESPONSE.
I guess that the AEBS is blocking all ICMPv6 traffic, except hopefully
for "ICMP Packet Too Big" of course. The fix for this problem would be
to simply allow ICMPv6 ECHO requests from anything or just the subnet
that the interface is on, or in case of a tunnel the endpoint of the
tunnel. Could make this into a user configurable option or just set it on.
I personally don't think that ICMP Echo/Response is a big worry for DDoS
attacks, if the bad people want to DDoS one they will do so anyway.
It is annoying for network diagnosis though, which is more important for
most people, especially technical people who want to debug connectivity
issues, this thus includes helpdesks at ISPs. As such just having it
enabled can't be a completely bad thing IMHO.
Side-note: proto-41-heartbeat support would be easy as it is just
sending a small string over UDP every n seconds. See:
http://unfix.org/~jeroen/archive/drafts/draft-massar-v6ops-heartbeat-01.txt
effectively: http://www.sixxs.net/archive/sixxs/heartbeat/heartbeat.sh
Having that would solve the issue for most users who have a dynamic
address, as then they can configure the tunnel like they already do, set
the heartbeat password and they are done. Would allow a lot of users to
enjoy that too. AYIYA (which is quite more complex code wise) is not
needed for these people as the AEBS does the NAT and thus they don't
have to break through that layer, they do get the IP changes from their
ISP though.
2. Configuration information uploaded to this ticket is from a basestation that IS NOT CONFIGURED for manual tunnel. I had to upload something or the ticket would not allow me to submit :)
Getting an Apple AEBS up and running
Carmen Sandiego on Sunday, 17 May 2009 14:32:36
I had to disable my tunnel today, because I needed the upgrade of 7.4.x applied to enable TimeMachine. Although I love having IPv6 at home, cool backups have higher priority. I'm really annoyed by it, especially since Apple doesn't seem to want to fix it.
Getting an Apple AEBS up and running
Shadow Hawkins on Thursday, 11 June 2009 14:41:21
Sorry to keep everybody waiting. Apple has been characteristically quiet (surprise..surprise).
You know...I don't think they really care.
Getting an Apple AEBS up and running
Shadow Hawkins on Saturday, 04 April 2009 00:42:07
Can you confirm that with the latest firmware? I have a ticket open with Apple on this issue and I got a response not too long ago that indicated they thought the issue was resolved.
Getting an Apple AEBS up and running
Jeroen Massar on Saturday, 04 April 2009 11:04:40
But which part? The ICMPv6 replies or the heartbeat support? :)
(The latter was once thought of at Apple, but it required changes in the Configuration UI which were apparently too difficult to push through changes :( )
Getting an Apple AEBS up and running
Carmen Sandiego on Wednesday, 08 April 2009 13:36:47
The ICMPv6 support at least isn't fixed in the latest firmware. I checked.
Getting an Apple AEBS up and running
Shadow Hawkins on Wednesday, 08 April 2009 16:05:52
I have both an AEBS and Apple Time Capsule that I am trying to configure for IPv6 tunneling as well. My setup has the AEBS bridged using WDS with the Apple Time Capsule and several systems physically connected to the Time Capsule.
My IPv6 tunnel is configured on the AEBS. Unfortunately I have no way to know whether the IPv6 tunnel is up or down - no status on AEBS or SixXS side (unless you count the traffic graphs). I am interested in getting this working and helping in the effort. Please let me know if I can assist - can also open a ticket with Apple.
One idea I may try is to create my own tunnel between AEBS to Time Capsule with two laptops on either end for testing purposes and can then try ICMP6 to determine whether it is being blocked.
I am running the latest Apple firmware on AEBS and Time Capsule. Also I have a pair of Linksys WRT-54GL routers available that I can also use to set this up.
Best,
Frank
Getting an Apple AEBS up and running
Shadow Hawkins on Thursday, 09 April 2009 17:48:54
I did a number of tests last night using both the Apple Extreme Base Station (AEBS) and Time Capsule (TC). Both devices are running 7.4.1 firmware and show the same problem with ICMP6. For testing I used OS X, Linux and XP (physically connected to AEBS or TC). I used settings from SixXS and Hurricane Electric. In all testing I have unchecked the "block ipv6 connections from outside".
Here is my setup:
                             / - Linux laptop
Internet Cable Modem - AEBS [
                             \ - TC - OS X
                                    \ XP

                           / - Linux laptop
Internet Cable Modem - TC [
                           \ - AEBS - OS X
                                    \ XP
In both cases the IPv6 tunnel is configured on the Apple device connected to the cable modem. AEBS and TC are configured to connect wirelessly as either WDS or by extending the network (5GHz). On the inside all devices have IPv6 addresses and can all ping each other except for the IPv6 address of the Apple (AEBS or TC) which is connected to the cable modem (outside device). If the Apple device in the configuration does not have its WAN interface configured and the setting to share the Internet connection with other devices, then its IPv6 address can be reached with ICMP6.
The issue seems to be with the WAN port being configured for Internet and being shared by internal systems (mine is setup for DHCP for IPv4).
The results are the outside Apple device cannot have any of its IPv6 addresses pinged and I am unable to reach IPv6 external addresses using ICMP6 or other protocols such as HTTP over IPv6. The log files for AEBS/TC show nothing that is useful.
Items AEBS / TC needs in the GUI:
1. A way to know whether the tunnel is up/down.
2. A way to ping6 addresses and show results.
3. A log file for the firewall and tunnel operations. I may try the Syslog option to see whether that shows anything from the firewall.
4. Include the tunnel traffic in the charts
If anyone has any suggestion or would like me to try something, let me know.
Frank
Getting an Apple AEBS up and running
Shadow Hawkins on Monday, 08 June 2009 10:01:41
I've got a similar setup, I'm having some strange problems (besides the ICMP/ping issue):
In any mode, except for "automatic tunnel" (6to4), the IPv6 auto-configuration on the LAN (wired and wireless) does not seem to work. The PCs on the LAN only generate a link-local address, no global (or whatever configured as LAN IP).
Apparently, the AEBS does not send RA messages (which it does in 6to4 mode).
Any thoughts? (I tried 7.3.2 and 7.4.1, both seem to have this problem).
Also, are there any (older) Sw versions that do work (and respond to ICMP on tunnel)?
/Eduard
Getting an Apple AEBS up and running
Shadow Hawkins on Friday, 21 August 2009 20:43:53
Of course, in automatic (6to4) mode, you don't have to manually enter in the correct information.
Are you sure that you aren't running as either "IPv6 Mode: Node" or "IPv6 Mode: Tunnel" (but without an entered correct "LAN IPv6 Address" value)? Naturally, if you are running as either a Node (rather than a router) or if you aren't providing your router with a proper subnet to advertise, you won't get RA's on the local LAN.
Getting an Apple AEBS up and running
Carmen Sandiego on Sunday, 28 June 2009 00:55:12
Small update, 7.4.2 did not solve this issue either. Seems Apple is not interested in getting this to work. A shame.
Getting an Apple AEBS up and running
Shadow Hawkins on Tuesday, 30 June 2009 16:52:28
I am really tempted to suggest that if any of you are developers in the Apple program to open up bug tracker tickets. Showing that there is interest in getting this fixed might help get the necessary resources working on the solution.
I have the original Apple Airport Express, which only has link local IPv6 support, and I had been tempted to update my router to get the new IPv6 support, but given the experience people have had, I am probably going to hold out for an OpenWRT release for the Linksys WRT160NL. Either way it's a waiting game to get a router with good IPv6 support.
Getting an Apple AEBS up and running
Shadow Hawkins on Friday, 21 August 2009 20:36:00
I'm running 7.4.2 on an AEBS Extreme (the one with GigE, but not the newer one with dual radios) and everything is fine. My config:
IPv6 Mode: Tunnel
(checked) Block incoming IPv6 Connections (i.e. run IPv6 Firewall)
Configure IPv6: Manually
(entering in my info for my SIXXS 6in4-Static tunnel and subnet)
Remote IPv4 Address: [my SIXXS tunnel 'PoP IPv4']
Remote IPv6 Address: [my SIXXS tunnel 'PoP IPv6']
Local IPv6 Address: [my SIXXS tunnel 'Your IPv6']
LAN IPv6 Address: [my SIXXS subnet 'Prefix', as xxxx:xxxx:xxx::]
Then, in the IPv6 Firewall section, I added an entry:
Description: Tunnel Public Interface
IPv6 Address: [my SIXXS tunnel 'Your IPv6']
Allow: All services and ports
SIXXS has been able to ping my tunnel. The local LAN gets RA. LAN clients get IPv6 connectivity. It's been working for months.
The only drawback I can imagine is the firewall entry for the tunnel public interface is limited to either "Allow Specific TCP and UDP ports" or "All services and ports" -- so to open up ICMP, you have to allow all TCP and UDP as well. I think that before 7.4.2, an entry for the tunnel interface IP didn't work and you had to simply turn off the IPv6 Firewall to get pings. Now, you can just open up your tunnel interface IP -- at least, it's been working for me.
Getting an Apple AEBS up and running
Carmen Sandiego on Monday, 31 August 2009 23:56:35
Indeed! It's working for me too using your recipe. Great! Thanks. Got IPv6 at home again :D
Getting an Apple AEBS up and running
Shadow Hawkins on Tuesday, 08 September 2009 02:25:54
I have added an entry in the Wiki based on your instructions:
https://www.sixxs.net/wiki/Apple_Airport
If anyone wishes to further improve the explanation or add screen shots, feel free to do so.
Getting an Apple AEBS up and running
Shadow Hawkins on Tuesday, 08 September 2009 15:58:46
This is so effing frustrating! I'm taking the exact same steps and it's still not working. I've got the same AEBS, same firmware..
Why-O-Why?
Getting an Apple AEBS up and running
Jeroen Massar on Sunday, 13 September 2009 17:48:21
Because "it is broken".
If you want something to be fixed, or people to help you, then provide people with information on what does not work. Interface list, routing tables, traceroutes etc. See the contact pages "reporting problems" for more details.
Getting an Apple AEBS up and running
Shadow Hawkins on Sunday, 13 September 2009 17:28:53
I have just got myself the 'Apple Airport Extreme' and followed the above instructions, posted by John Everett, but I am not able to connect with my Mac. The Mac gets an address, but trying to 'ping6 ipv6.google.com' results in no response. Trying 'telnet ipv6.google.com' results in 'telnet: connect to address 2001:4860:b002::68: Host is down'. My settings are (have modified the 'e:22' part of address for posting):
--IPv6 Tab--
IPv6 Mode: Tunnel
Block incoming IPv6 connections: checked
Configure IPv6: Manually
Remote IPv4 Address: 216.14.98.22
Remote IPv6 Address: 2001:4978:e:22::1
Local IPv6 Address: 2001:4978:e:22::2
LAN IPv6 Address: 2001:4978:e:22::
--IPv6 Firewall Tab--
As described in John's post
The version of the Airport software I am using is 7.4.1
Getting an Apple AEBS up and running
Jeroen Massar on Sunday, 13 September 2009 17:46:34
Trying 'telnet ipv6.google.com' results in 'telnet: connect to address 2001:4860:b002::68: Host is down'
Telnet is port 23, HTTP is port 80. I am fairly sure you don't have Telnet access to ipv6.google.com. If you do that test, at least try 'telnet ipv6.google.com 80'
Also, what might be useful to try is a: traceroute6 ipv6.google.com
That at least shows you that packets will go outbound etc.
Remote IPv6 Address: 2001:4978:e:22::1
Local IPv6 Address: 2001:4978:e:22::2
LAN IPv6 Address: 2001:4978:e:22::
You can't have the /64 of the tunnel on multiple interfaces, the 2001:4978:e:22::1/64 prefix is a tunnel. You need a subnet if you want to put IPv6 on your LAN interface.
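The addressing rule in the reply above can be checked mechanically before the values are typed into the base station. The following is an added example, not part of the original thread; the function name and dictionary layout are assumptions, and the sample values are the ones posted in this thread.

```python
import ipaddress

def check_tunnel_config(cfg):
    """Return a list of addressing problems in AEBS-style manual tunnel settings.

    cfg uses the field labels from the IPv6 tab as keys (an assumption made
    for this example, not an Apple or SixXS data format).
    """
    problems = []
    remote = ipaddress.IPv6Address(cfg["Remote IPv6 Address"])
    local = ipaddress.IPv6Address(cfg["Local IPv6 Address"])

    # The tunnel is a /64 holding the PoP (::1) and the user endpoint (::2).
    tunnel = ipaddress.IPv6Network(f"{remote}/64", strict=False)
    if local == remote:
        problems.append("local and remote tunnel endpoints are identical")
    elif local not in tunnel:
        problems.append(f"local endpoint {local} is outside tunnel prefix {tunnel}")

    # The LAN field may be typed with or without a prefix length, and with
    # host bits set; strict=False reduces it to the covering network.
    lan_text = cfg["LAN IPv6 Address"]
    if "/" not in lan_text:
        lan_text += "/64"
    lan = ipaddress.IPv6Network(lan_text, strict=False)

    # The tunnel /64 cannot also be used on the LAN interface: a separately
    # routed subnet is required there.
    if lan.overlaps(tunnel):
        problems.append(
            f"LAN prefix {lan} overlaps tunnel prefix {tunnel}; "
            "use the routed subnet on the LAN instead"
        )
    return problems

# Settings as first posted in the thread (tunnel /64 reused on the LAN).
POSTED = {
    "Remote IPv4 Address": "216.14.98.22",
    "Remote IPv6 Address": "2001:4978:e:22::1",
    "Local IPv6 Address": "2001:4978:e:22::2",
    "LAN IPv6 Address": "2001:4978:e:22::",
}

# Same tunnel, with the subnet value the poster switched to afterwards.
CORRECTED = dict(POSTED, **{"LAN IPv6 Address": "2001:4978:15d::1/64"})

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
        found = check_tunnel_config(cfg)
        print(name, "->", found if found else "addressing OK")
```

Passing this check only rules out the prefix mix-up; it says nothing about whether the base station firmware then advertises the prefix or answers ICMPv6.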
Getting an Apple AEBS up and running
Shadow Hawkins on Sunday, 13 September 2009 19:22:45
Sorry that was a cut and paste error. I was doing:
telnet ipv6.google.com 80
A bit more investigation revealed that the computer I had previously used as my router was still doing router advertisements. I have since deactivated that, reset my local network interface and restarted the Airport Extreme.
Thanks for spotting the subnet issue. I already have subnet, but I was not using the right value, so I have added the right value now for "LAN IPv6 Address":
2001:4978:15d::1/64
which gets adjusted to:
2001:4978:15d::1
In doing all this my computer does not get a routable IPv6 address. I am really wondering whether the settings are actually being passed to the hardware. All I get is:
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::223:6cff:fe88:684f%en1 prefixlen 64 scopeid 0x6
inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
ether 00:23:6c:88:68:4f
media: autoselect status: active
supported media: autoselect
Getting an Apple AEBS up and running
Shadow Hawkins on Friday, 18 September 2009 02:27:19
LAN IPv6 Address: [my SIXXS subnet 'Prefix', as xxxx:xxxx:xxx::]
I have added the right value now for "LAN IPv6 Address":
2001:4978:15d::1/64
which gets adjusted to:
2001:4978:15d::1
Getting an Apple AEBS up and running
Shadow Hawkins on Saturday, 19 September 2009 23:46:50
I actually did end up specifying 2001:4978:15d:: , but that did not work.
Either way I have confirmation from Apple development that what I am experiencing is a known issue. I have updated the wiki page for the Airport with a workaround that I was given, but it will only work if your WAN configuration is Ethernet/manual. I am using PPPoE. Hopefully I won't have to wait long for a fix.
Getting an Apple AEBS up and running
Shadow Hawkins on Tuesday, 22 September 2009 03:09:35
Hmmm. I'm not really sure what's the workaround in the steps you posted. Unless I'm missing something, it looks like the same as the setup for a static 6in4 tunnel that I posted.
That's unfortunate that the AEBS IPv6 doesn't work for PPPoE connections. I wonder if it works for Ethernet DHCP connections and heartbeat tunnels.
I have an Ethernet static IP connection from my ISP so I've only tried the static 6in4 tunnel -- well, that and the 6to4 tunnel that it does when you set "IPv6 Mode" to "Tunnel" and "Configure IPv6" to "Automatic".
Does your AEBS do a 6to4 tunnel when you set "Configure IPv6" to "Automatic"?
Getting an Apple AEBS up and running
Shadow Hawkins on Wednesday, 30 September 2009 04:37:35
You're right they are essentially the same. I just copied and pasted the instructions I was provided and didn't really check the details. The main difference being the static WAN setting. Feel free to update the instructions as necessary.
I never thought of trying the automatic mode, since I was focused on using the SixXS Tunnel. Yes I do find that working for me. In fact it never hit me that since the router is on the NAT border, it doesn't suffer from NAT interfering with 6to4, the whole reason we need solutions such as aiccu and teredo.