Windows IPv6 hosts lose default gateway after couple of minutes
Hi,
I have just purchased an USG20W-VPN a couple of days ago, and noticed some issues with IPv6 connectivity after configuring the device.
USG20W-VPN is running the latest firmware V4.32(ABAR.0).
I have just purchased an USG20W-VPN a couple of days ago, and noticed some issues with IPv6 connectivity after configuring the device.
The problem is that Windows 10 IPv6 hosts lose their default gateway a couple of minutes after they have connected to the network. Right after connecting to the network I am able verify that the host passes test-ipv6.com connectivity check, but already after 4-5 minutes the host might lose default gateway and routing to IPv6 internet is not possible anymore.
Other configuration such as all configured IPv6 host addresses and DNS servers do persist even when the gateway is lost.
My interface configuration is as follows:
The WAN interface is connected to a cable modem which is configured to bridged mode.
My ISP provides a dual stack connection with native IPv4 and IPv6, and the ISP's DHCPv6 server provides a ::/56 network prefix and IPv6 DNS servers for USG20W-VPN.
"lan2" interface is a VLAN trunk port which is connected to a managed switch, "vlan1" is only a management interface, and "vlan2" is the network where IPv6 hosts are connected either via the managed switch or the internal WiFi.
I have enabled DHCPv6 server in vlan2 interface configuration to provide DNS server information, and enabled ICMPv6 Router Advertisements with the Other configuration bit set and added a delegated prefix ::1/64.
The RA packets seem to look good to me in Wireshark:
</code>Frame 34: 118 bytes on wire (944 bits), 118 bytes captured (944 bits) on interface 0<br>Ethernet II, Src: ZyxelCom_xx:yy:zz (bc:99:11:xx:yy:zz), Dst: IPv6mcast_01 (33:33:00:00:00:01)<br>Internet Protocol Version 6, Src: fe80::be99:11ff:fexx:yyzz, Dst: ff02::1<br>Internet Control Message Protocol v6<br> Type: Router Advertisement (134)<br> Code: 0<br> Checksum: 0x4363 [correct]<br> [Checksum Status: Good]<br> Cur hop limit: 64<br> Flags: 0x40, Other configuration, Prf (Default Router Preference): Medium<br> 0... .... = Managed address configuration: Not set<br> .1.. .... = Other configuration: Set<br> ..0. .... = Home Agent: Not set<br> ...0 0... = Prf (Default Router Preference): Medium (0)<br> .... .0.. = Proxy: Not set<br> .... ..0. = Reserved: 0<br> Router lifetime (s): 1800<br> Reachable time (ms): 0<br> Retrans timer (ms): 0<br> ICMPv6 Option (Prefix information : 2001:14ba:1122:3301::/64)<br> Type: Prefix information (3)<br> Length: 4 (32 bytes)<br> Prefix Length: 64<br> Flag: 0xc0, On-link flag(L), Autonomous address-configuration flag(A)<br> 1... .... = On-link flag(L): Set<br> .1.. .... = Autonomous address-configuration flag(A): Set<br> ..0. .... = Router address flag(R): Not set<br> ...0 0000 = Reserved: 0<br> Valid Lifetime: Infinity (4294967295)<br> Preferred Lifetime: Infinity (4294967295)<br> Reserved<br> Prefix: 2001:14ba:1122:3301::<br> ICMPv6 Option (MTU : 1480)<br> ICMPv6 Option (Source link-layer address : bc:99:11:xx:yy:zz)</pre></div><div><br></div><div>However, the (solicited) Neighbor Advertisement packets sent by the router do look suspicious to me, the Router bit is not set in flags:</div><div><pre class="CodeBlock"><code>Frame 81: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0<br>Ethernet II, Src: ZyxelCom_xx:yy:zz (bc:99:11:xx:yy:zz), Dst: 0a:12:65:a0:f1:95 (0a:12:65:a0:f1:95)<br>Internet Protocol Version 6, Src: fe80::be99:11ff:fexx:yyzz, Dst: fe80::f0f5:85df:f6bf:d44b<br>Internet Control Message Protocol v6<br> Type: Neighbor Advertisement (136)<br> Code: 0<br> Checksum: 0xab2c [correct]<br> [Checksum Status: Good]<br> Flags: 0x40000000, Solicited<br> 0... .... .... .... .... .... .... .... = Router: Not set<br> .1.. .... .... .... .... .... .... .... = Solicited: Set<br> ..0. .... .... .... .... .... .... .... = Override: Not set<br> ...0 0000 0000 0000 0000 0000 0000 0000 = Reserved: 0<br> Target Address: fe80::be99:11ff:fexx:yyzz<br>
I assume that the Router bit being zero might be the culprit of my problem here?
At least according to RFC4861 section 7.2.5 the default router information must be dropped by a host, if that bit is not set.
---
PS. Before purchasing the device I had the same cable modem in router mode, and IPv6 connectivity was working properly.
It did set the Router bit in NA packets, and also supported draft RFC options in RA packets instead of stateless DHCPv6 to advertise DNS servers and routes.
0
Accepted Solution
All Replies
-
Thanks @Ian31, that seems to have solved my problem!I disabled SLAAC on vlan2 interface and configured it to use DHCPv6 prefix delegation instead, and now the Router bit is set in ICMPv6 NA packets.After one hour of testing I haven't observed anything weird with the gateway configuration anymore.0
-
Hello,
I have the exact same problem, but I have not understood how you fixed it. Could you please post some screenshots or tell me what you have changed?
0 -
Hi @ret,The only thing I changed was the IPv6 address assignment of the internal downlink interface "vlan2" where the windows computers are connected. Here is a picture of the modified settings:SLAAC needs to be disabled, and I also assigned a global address to the interface using DHCPv6 prefix delegation and a static suffix from the same ::1/64 range that I had configured earlier in the router advertisement settings for the same interface:The relevant interface configuration has now changed to this:
0 -
@ret
Regarding to your configuration, it seems there is overlap between wan and lan.
Modify Lan's suffix address to ::16dd:a3ff:0:0:11/64
Also, since you already enabled the DHCPv6, please leave empty on Advertised Prefix Table.
After modified, please try it again.
Charlie0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 145 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 239 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight