FWP SE with T-Mobile and eero

Comments

  • gstaylor16

    Just in case of confusion, "Verizon FIOS" is not a cellular service and does respond to DHCPv6 requests, but I see threads talking about stability issues and turning off IA_NA. This thread and another, "Verizon 5G Home Internet setup tips", which I summarized a bunch of info on, are talking about 5G cellular-provided internet - the provider's modem/router only sends IPV6 RA and ignores DHCPv6, and only advertises a /64 via those RA packets.

    I'd recommend FW get hold of one of these Verizon / T-mobile services and do some experimentation!  Ping me directly if you want me to try some stuff, as I'd love to help you get this working in the product so I can use it.

    1
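An added diagnostic example (not part of the thread, and not Firewalla or carrier code) for the behaviour described in the comment above: it parses an ICMPv6 Router Advertisement per RFC 4861 and reports the M/O flags and each advertised prefix, so you can confirm that a gateway offers only a SLAAC /64 with no DHCPv6 hint. The sample packet and the names `parse_ra`, `describe_uplink` and `SAMPLE_RA` are constructed for illustration.

```python
import ipaddress
import struct

def parse_ra(pkt: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement message (RFC 4861, type 134)."""
    if len(pkt) < 16 or pkt[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = pkt[5]  # byte 5: M (0x80) = managed addresses, O (0x40) = other config
    info = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40), "prefixes": []}
    off = 16  # options start after the fixed 16-byte RA header
    while off + 2 <= len(pkt):
        opt_type, opt_len = pkt[off], pkt[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(pkt):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            plen, pflags = pkt[off + 2], pkt[off + 3]
            prefix = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            info["prefixes"].append({
                "prefix": f"{prefix}/{plen}",
                "length": plen,
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),  # A flag: usable for SLAAC
            })
        off += opt_len
    return info

def describe_uplink(info: dict) -> str:
    """Classify what the RA alone tells a downstream router.

    An RA cannot prove DHCPv6-PD is unavailable; it only shows whether the
    gateway signals DHCPv6 (M flag) and which prefixes it offers for SLAAC.
    """
    slaac64 = [p for p in info["prefixes"] if p["autonomous"] and p["length"] == 64]
    if info["managed"]:
        return "dhcpv6-signalled"
    if slaac64:
        return "slaac-/64-only"
    return "no-usable-prefix"

# Constructed sample: RA with M=0, O=0 and one /64 from the documentation range.
SAMPLE_RA = (
    struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x00, 1800, 0, 0)
    + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 86400, 14400, 0)
    + ipaddress.IPv6Address("2001:db8:1234:5678::").packed
)

if __name__ == "__main__":
    parsed = parse_ra(SAMPLE_RA)
    print(parsed, describe_uplink(parsed))
```
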
  • gstaylor16

    My understanding, although I'm no IPV6 expert, is that FW needs to support RFC 7278. Google searches suggest this is what Android and iOS do so that, when acting as a hotspot, attached devices get IPV6 addresses. I don't know how other router providers have solved it, and I wondered if "passthrough" in some of the other products also bypassed other functionality such as firewall features!

    1
  • Firewalla

    What you need is router mode, which works best on SQM, and IPv6 support.

     https://help.firewalla.com/hc/en-us/articles/4411167832851-Firewalla-Router-Mode-Configuration-Guides

    0
  • Travis Walls

    Thank you for the prompt reply and the guide link!

    As I alluded to previously, the eeros could not hand out IPv6 addresses when in router mode.

    I've read various things explaining the cause of this including the T-Mobile gateway not supporting prefix delegation, only offering a /64 prefix, etc. Solutions I've read include using a passthrough mode, using DHCPv6, etc. I may be mixing up some of the details though...

    Will this be a problem with Firewalla's router mode?

    0
  • Firewalla

    If eero is not handing out IPv6 and you have IPv6 enabled on those, then Firewalla will not be able to do it either. This is likely a restriction with your ISP.

    0
  • gstaylor16

    See also this - my experience with Verizon. You won't get IPV6 working unless FW do some enhancements. (I read OpenWRT may support this scenario, as obviously do mobile phones as hotspots, so it is possible.)

    0
  • Firewalla

    @gstaylor16, what do you mean by enhancements? In 1.54 we have

    • [IA_NA for DHCPv6] Supported disabling IA_NA for DHCPv6 connection. 

    May make things better. This option is under IPv6 on the WAN configuration.

    0
  • gstaylor16

    Cellular providers (at least in the US) do not respond to DHCPv6 requests. My understanding is mobile phones use RFC 7278 instead. I had a discussion with FW support a long time back (request 51837) which concluded some enhancement would be required.

    0
  • Travis Walls

    I've heard of a few approaches so far for working IPv6 with T-Mobile Home Internet.

    One is to use IPv6 NAT, using the one address given to the firewall and handing out internal addresses to the rest. Doesn't seem like something supported by the Firewalla UI, and I'm hesitant to mess with things directly (in case an update breaks it, etc.)

    The other is some kind of IPv6 "passthrough" option that some devices support. I think some of the companies included Linksys or Netgear, pfSense, and Mikrotik.

    IQrouter specifically provides instructions for setting up what they call IPv6 DHCP relay:

    T-Mobile gateway - IPv6 DHCP Relay – IQrouter (zendesk.com)

    Maybe that's just a fancy way of saying IPv6 NAT?

    All I know is this is my biggest deal breaker so far with Firewalla. Anything to get it working (NAT, passthrough, relay, etc.) would be hugely appreciated. Having to move everything through T-Mobile's IPv4 CGNAT isn't ideal. When I have working IPv6 (using bridge mode), more than half of my network traffic utilizes it (based on Pi-hole requests), so it isn't like the old days where IPv6 isn't really used much yet.

    I'm loving everything else about Firewalla otherwise.

    • I get great visibility into what is going on in my network.
    • SQM is helping upload bufferbloat wonderfully. Looking forward to adaptive mode to see if it can help downloads as well.
    • The built-in ad and threat blocking is good enough to negate my need for Pi-hole currently.
    • I ended up upgrading to a regular Purple. With 50-70 clients and the number of features I'm using, I wanted the extra processor cores.

    Edit: Maybe scratch Mikrotik off the list. I've seen so many posts with so many vendor names that I'm mixing them up now.

    IPv6 NAT T-Mobile Home Internet - MikroTik

    0
  • Travis Walls

    Here's where a few people bring up the option for passthrough:

    Routers with IPV6 Passthrough? : tmobileisp (reddit.com)

    0
  • gstaylor16

    "My understanding, although I'm no IPV6 expert, is that FW needs to support RFC 7278"

    Might not be as simple as that. Not clear to me if devices doing something like RFC 7278 can be cascaded.

    0
  • Travis Walls

    I don't know how it would work. I just know that some other vendors have figured it out. It is a good point though that maybe the methods being used by others would not work when actually inspecting/filtering traffic with a firewall. I'm trying to keep that in mind with Firewalla.

    0