USG LITE 60AX and IPv6 support

Lohkamp

I have an AVM FRITZ!Box 6890 LTE that worked marvellous with both IPv4 + IPv6 on a German Telekom VDSL incl. port forwarding and am quite shocked that our new USG LITE 60AX does not seem to support IPv6 to the internet or even DNS forwarding.
nslookup anysite.xy
is not answered but ping is working, however only with IPv4.
Was is a real big step back to replace the FRITZ!Box as a router by the USG LITE 60AX?
The FRITZ!Box is without any configuration change (except the IPv4 subnet) connected to the WAN port of the 60AX.

Zyxel_Melen

Hi @Lohkamp,

After consulting with our product team, we want to inform you that IPv6 support for the USG Lite 60AX is not currently planned.

Zyxel_Melen

Hi @Lohkamp

Thanks for the information. Since USG Lite 60AX doesn't support IPv6, the client can't connect the remote access VPN if it's uplink router/moden that only has a IPv6 public IP. It is a design limitation.

teRceLde

Same here with a Zyxel SCR 50AXE. There is no IPv6, neither in the WAN nor the LAN, no IPv6 Router-Advertisements, no stateless DHCPv6 server, no stateful DHCPv6 server. There are no configuration options regarding IPv6 in the Nebula Control Center (NCC).

Surprisingly, when you reset the Zyxel, it did IPv6 on top of PPPoE for me. Double checked via a switch in Port Mirroring mode. And then there was SLAAC plus stateless DHCPv6 in the LAN. However, all that disappears when first configured via NCC.

Consequently, already IPv6 web surfing does not work. I do not even think about offering a service via a IPv6 firewall, or even IPv6 prefix delegation for router cascading. As of today, Zyxel SCR and USG Lite series are IPv4-only devices. Although at least IPv6 surfing should be a de-facto feature for 13 years now, its lack is nowhere documented?

The FRITZ!Box is […] connected to the WAN port of […].

Not sure I got that.

If you use a router like the Zyxel via WAN/DHCP attached to FRITZ!Box, you have to enable IPv6 Prefix Delegation: fritz.box → Heimnetz → Netzwerk → (Reiter) Netzwerkeinstellungen → (Taste) weitere Einstellungen → (Taste) IPv6-Adressen → DHCPv6-Server in der FRITZ!Box für das Heimnetz aktivieren: DNS-Server und IPv6-Präfix (IA_PD) zuweisen. This is disabled on default.

If you use a router like the Zyxel via WAN/PPPoE attached to a FRITZ!Box, you have to enable PPPoE Passthrough. This is disabled on default. If your Internet Service Provider (ISP) does not allow multiple logins, you have to set „Zugangsdaten“ to „Nein“ which sets the FRITZ!Box itself to WAN/DHCP and allows the attach router do the single PPPoE login.

I am using a pure, simple modem in front of my Zyxel, still no chance for IPv6.

Lohkamp

Still no IPv6 support with firmware V2.10(ACIP.0) | 2024-12-18 08:38:26 in the release notes of

https://community.zyxel.com/en/discussion/27841/usg-lite60ax-v2-10-acip-0-c0-firmware-release#latest

Zyxel_Melen

Hi @Lohkamp,

After consulting with our product team, we want to inform you that IPv6 support for the USG Lite 60AX is not currently planned.

Lohkamp

That is sad. But hope dies last. And the lack of IPv6 support is of course also a show stopper for the product for many customers because this should actually be a matter of course in all products nowadays.

Lohkamp

We have a customer now with a USG LITE 60AX, and he wants to work from his home office which only has a VDSL internet connection with IPv6 (no IPv4). I could configure the usual Windows VPN connection that is working from other sites (e. g. via hotspot from cellphone) via RemoteAccess_Windows_IPSec_VPN.bat, but the home PC cannot connect.
The internet connection on the WAN port of the USG LITE 60AX (AVM FRITZ!Box 6890 LTE via VDSL) has a permanently active IPv4 + IPv6 connection.

Is this by design?

Zyxel_Melen

Hi @Lohkamp

1. Could you provide the topology? Is it VDSL service provider —- AVM FRITZ!Box 6890 LTE —— USG LITE 60AX at his home? Does this USG LITE 60AX has IPv4 IP on WAN interface?
2. Where is the remote access VPN server? Is it in other site? Is it also USG LITE 60AX?
3. What's the error message after connection failure?

Lohkamp

The office to reach from home has a FRITZ!Box with active IPv6 + IPv4 internet address and is connected to the WAN port of the UST LITE 60AX.
The home office has a FRITZ!Box with only IPv6 internet address but for sure can access IPv4 web sites.

I configured the Windows VPN access using the .bat file provided by NCC. I can check for the error message, but I think it said that the DNS name could not be resolved. Using other devices with internet access or the mobile hotspot from the smartphone is working.

So my first question was more in general if you allow VPN access from VDSL internet connections with only IPv6 which is more and more the case.

I can test further and copy the error message if you generally can state that VPN access should be possible from everywhere, where I can e. g. open https://ipv4.loedv.de (= ipv4.loedv.de) in a web browser.

Zyxel_Melen

Hi @Lohkamp

Thanks for the information. Since USG Lite 60AX doesn't support IPv6, the client can't connect the remote access VPN if it's uplink router/moden that only has a IPv6 public IP. It is a design limitation.

teRceLde

I think, there is a misunderstanding here. The remote party = office offers its VPN service via IPv4, correct? Then, the local party = home office (behind den USG Lite or SCR) should be able to connect to that service. There are no IPv6-only Internet Service Providers (ISP) in Germany, yet. You can have four alternatives: IPv4-only, or Dual-Stack (IPv6 + IPv4), or CGNAT (IPv6 + IPv4 is translated by ISP), or DS-Lite Tunnel (IPv6 + IPv4 is translated by upstream router). The USG Lite and SCR do not support DS-Lite Tunnels (IETF RFC 6333) yet.

@Lohkamp consequently, you have an upstream router which does the translation, in your case a FRITZ!Box in home office. There are reports on the Internet, that some VPN clients have somewhat problems with DS-Lite Tunnels. However, I had no such scenario myself, yet. And do not know the technical reason. If you face a problem on DNS already, this should be looked into.

Alternatively you can ask your ISP to change from DS-Lite Tunnel to Dual Stack. Many allow this for free (1&1, Vodafone, …), but you have to ask them. Sometimes, they reply with E-mail instructions about PCP. In that case, you have to reply on that E-mail, that this is not sufficient.

Lohkamp

Thank you very much for your profound answer. I will check further, give it a try and report my findings here. It may take some days or even weeks due to holidays or other reasons.