USG60W IPv6 Delegation & DNS

mjk
mjk Posts: 10  Freshman Member
edited April 2021 in Security

My ISP has provided a dynamic IPv6 WAN address and /56 Prefix. Currently there is a Fritz!Box 7490 being used as a modem with exposed host for IPv4 and IPv6.

IPv4 is all okay.

I have set up wan1, lan1 & lan2 according to https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=015837&lang=EN & https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=016169&lang=EN. This all appears okay:

lan1 is the main network; lan2 has a direct cable connection to a Win10 notebook with only IPv6 enabled.

Ethernet Adapter lan1 PC:

Ethernet Adapter lan2 PC:

The IPv6 address delegation seems to work, but there's no DNS and IPv6 is not working. I cannot ping 'ipv6.google.com'.

If I connect directly to the Fritz!Box via WLAN, then I can ping 'ipv6.google.com'.

I've sifted through other Zyxel KB articles, but none of them help.

Does anyone have any idea?


All Replies

  • jasailafan
    jasailafan Posts: 191  Master Member
    edited December 2019

    Did you enable DHCPv6 server and fill in DHCPv6 lease options for DNS server in lan?

    The configuration guide in this discussion may help.

    https://businessforum.zyxel.com/discussion/comment/1136#Comment_1136

  • mjk
    mjk Posts: 10  Freshman Member

    WAN:

    LAN:

    The DNS and prefix requests are both set up in wan1 and both respond. Clients receive a prefix-based IPv6 address, but no DNS.

    If I connect one of the client devices directly to the same Fritz!Box that the USG60W is connected to, then the DNS is also configured and IPv6 web-based checks pass.

    The USG60W can ping ipv6.google.com 'Maintenance -> Diagnostics -> Network tool -> PING IPv6'.

  • FrankLauer
    FrankLauer Posts: 48  Freshman Member
    edited January 2020

    Unfortunately Zyxel tutorials are often not accurate.

    Try this: https://www.dslreports.com/forum/r31455551-Enabling-IPv6-on-your-Zyxel-Zywall-device

    First of all I see you have on LAN1 and LAN2 a /128 net. That's obviously wrong. You need a /64 net there.

    If your provider promised you a /56 prefix delegation he is lying. In your DHCP setting you got a /62 prefix.

    And in your WAN settings I believe there is also something wrong. On my USG110 I don't have 2 DHCP entries. I have only the /128 address. That's the address the provider is given for the WAN interface. But you have additionally a /64 net of our own network range. I don't think that's correct.

    Have a look at the pictures in the tutorial in the link I gave you.

    Edit: And I also don't think it makes sense if LAN2 is in the same subnet as the LAN1 port. It makes more sense if it is in a different subnet, like different VLANs. If you just want to use the ports of LAN1 and LAN2 in the same network (acting like a switch) you can set both of them in interface->port role to LAN1.

  • mjk
    mjk Posts: 10  Freshman Member

    I originally looked at https://www.dslreports.com/forum/r31455551-Enabling-IPv6-on-your-Zyxel-Zywall-device, but if I use this I get:

    This doesn't match the instructions, which is strange as they have set up SLAAC, but it's not using a stateless SLAAC address.

    IPv6 prefix delegation appears to be working: each of my clients gets an IPv6 address from the prefix assigned by the Fritz!Box. The Fritz!Box gets the /56 and is providing the subnets to the Zyxel box. The WAN DHCPv6 DNS request is receiving an address and the DHCPv6 prefix request is receiving a /62. The USG60W has IPv6 access (including DNS):

    My problem is that I cannot get a DNS server, via DHCPv6, to the clients.

  • FrankLauer
    FrankLauer Posts: 48  Freshman Member
    edited January 2020

    This forum sucks! I posted the answer 4 times and it always got lost after a while. I give up.


    Sent a PM

  • mjk
    mjk Posts: 10  Freshman Member

    The answer you tried to post:

    The additional WAN1 address looks not correct to me, but maybe needs some investigation later. But for the first step your USG seems to be connected to IPv6 because you can ping it in the diagnose console.

    For testing some additional steps: Use the latest firmware or at least a newer one. To make things easier for testing, deactivate LAN2 and just try in a first step to get LAN1 working well.

    • For LAN1 interface the IPv6 Address Assignment must be /64. Use something like ::0:0:0:1/64 there.
    • In your picture I have seen that you got on your LAN1 PC a prefix of 2a00:79c0:79e:1dfd::/64. But your USG shows 2a00:79c0:79e:1dfc::/128. That's not only a wrong netmask (should be /64 as already said). It's also a different subnet. The interface address and the RA prefix must be in the same subnet. (Check the suffix there.)

    You can use, for example, 2a00:79c0:79e:1dfc::/64 for LAN1 prefix and 2a00:79c0:79e:1dfc:0:0:0:1/64 for LAN1 interface address.

    And 2a00:79c0:79e:1dfd::/64 for LAN2 as prefix. And 2a00:79c0:79e:1dfd:0:0:0:1/64 for LAN2 interface address.

  • mjk
    mjk Posts: 10  Freshman Member

    I have the latest firmware: 4.35(AAKZ.2).

    The IP addresses are automatically assigned, via delegation. The following setup is from lan1:

    The modem from my ISP is managing a /56 prefix and handing out subnets (at least this is my understanding), and I can only set the suffix. IP addresses are working.

    The problem is that the clients are not getting IPv6 DNS addresses, but they do get correct DNS if I bypass the USG60W and connect the clients directly to the ISP modem.

  • mjk
    mjk Posts: 10  Freshman Member

    I modified wan1 so that there is no suffix-based IP address assignment:

    I checked the prefix given to the wan1 by the ISP modem:

    Based on the above (and my understanding):

    • wan1 has an IPv6 EUI-64 using the delegated prefix from the ISP modem.
    • wan1 has been given a 2a00:79c0:759:4afc::/62 to delegate, so 'fc' & 'fd' appear good.
    • lan1 has used wan1 delegation and the suffix (::1/128)
    • lan2 has used wan1 delegation and the suffix (::2/128)

    I still have no IPv6 DNS when I ipconfig /release6 & ipconfig /renew6.

    I can't ping /6 ipv6.google.com, but DNS appears to be resolving via IPv4:


  • FrankLauer
    FrankLauer Posts: 48  Freshman Member
    edited January 2020

    Ok, WAN looks fine now :-)

    Now try suffixes ::0:0:0:1/64 for LAN1 and ::1:0:0:0:1/64 for LAN2 (IPv6 Address Assignment) and suffixes ::0/64 for LAN1 and ::1/64 for LAN2 for Router Advertisement.

    This should result in: 2a00:79c0:759:4afc::1/64 for LAN1 Interface and 2a00:79c0:759:4afd::1/64 for LAN2 interface.

    And the computers in LAN1 should get addresses in 2a00:79c0:759:4afc::/64 and in LAN2 addresses in 2a00:79c0:759:4afd::/64.

    As long as these settings are not correct you also can't ping.

    And last but not least: you got a fd00:: address for your DNS server by DHCP. That's the ULA address range, which may not be correctly supported in Zyxel USGs.
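
Added example, not part of any post above and not Zyxel's own code: a Python sketch of the address arithmetic discussed in the replies, combining the delegated /62 with the suggested suffixes and checking a LAN interface against its advertised prefix. It assumes the suffix is OR-ed into the bits the delegation leaves free, which reproduces the addresses quoted in the thread; `overlay`, `check_lan` and the `fd00::1` DNS value are constructed for illustration.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local range (contains fd00::/8)

def overlay(delegated: str, suffix: str) -> ipaddress.IPv6Interface:
    """Combine a delegated prefix with a suffix such as '::1:0:0:0:1/64'.

    Assumption: suffix bits are OR-ed into the bits the delegation leaves free.
    """
    net = ipaddress.IPv6Network(delegated)
    suf = ipaddress.IPv6Interface(suffix)
    free_bits = 128 - net.prefixlen
    if int(suf.ip) >> free_bits:
        raise ValueError(f"{suffix} reaches into the delegated /{net.prefixlen}")
    addr = ipaddress.IPv6Address(int(net.network_address) | int(suf.ip))
    return ipaddress.IPv6Interface(f"{addr}/{suf.network.prefixlen}")

def check_lan(iface: str, ra_prefix: str, dns: str = "") -> list:
    """Return the problems named in the thread for one LAN interface."""
    problems = []
    i = ipaddress.IPv6Interface(iface)
    ra = ipaddress.IPv6Network(ra_prefix)
    if i.network.prefixlen != 64:
        problems.append(f"interface is /{i.network.prefixlen}, expected /64")
    if ra.prefixlen != 64:
        problems.append(f"RA prefix is /{ra.prefixlen}, expected /64")
    if i.ip not in ra:
        problems.append(f"{i.ip} is outside advertised prefix {ra}")
    if dns and ipaddress.IPv6Address(dns) in ULA:
        problems.append(f"DNS server {dns} is a ULA address")
    return problems

if __name__ == "__main__":
    pd = "2a00:79c0:759:4afc::/62"          # delegation reported in the thread
    for name, suffix in (("lan1", "::0:0:0:1/64"), ("lan2", "::1:0:0:0:1/64")):
        print(name, overlay(pd, suffix))
    # Earlier configuration from the thread: /128 interface, RA in another subnet.
    # fd00::1 is a constructed stand-in for the ULA DNS address mentioned.
    for p in check_lan("2a00:79c0:79e:1dfc::/128",
                       "2a00:79c0:79e:1dfd::/64", dns="fd00::1"):
        print("problem:", p)
```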

  • mjk
    mjk Posts: 10  Freshman Member

    lan1:

    lan2:

    I modified the suffix address as you suggested, and now there is no IPv6 address from lan1 or lan2 and clients on lan1 do not get IPv6 addresses any more.
