Channel: Geekzone forums: LAN (ethernet/Wifi/routers/Bluetooth)

Fritz IPv6 firewalling

Not sure if this is the best place to post this, but the Fritz Box official forum is dead. Anyway, here's the issue.

For IPv6 web browsing to work properly, you need to have ICMPv6 Type 2 forwarded to your internal devices. ICMP Type 2 is "Packet too big". IPv6 uses this ICMP type to achieve path MTU discovery, as IPv6 packets are not allowed to fragment. If a hop on the route or the endpoint has an MTU that's smaller than the packet, the packet is dropped and an ICMP Type 2 packet is sent back to the source IP with the node's MTU size. The source then resends a packet of that size until a packet finally reaches the destination, of a size that matches the smallest MTU on the path.

Still with me? That being the case, it's important to ensure ICMP Type 2 packets can get into your network, otherwise your devices will never know their outbound packets are too big and the connection will fail.

On the Fritz Box, you can enable IPv6 port forwarding for your IPv6 hosts based on the interface address. You find this in Internet --> Allow access --> IPv6 tab. When you add a host from the drop-down or type the interface address in manually, you have an option for "Ping6", which is a bit of a misnomer because ping is just one type of many ICMP types, and this rule seems to allow all ICMP types through. (There's also a bug that means you have to save then re-enter to delete the port 80 rule.)

OK great, so we can forward ICMP Type 2 through the Fritz to our internal devices.

BUT, and it's a huge but, some operating systems, like Android 4.2 onwards, iOS and Linux, use "privacy extensions", that is to say when you make an outbound connection, the interface address is NOT the EUI-64 address that you can see in the Fritz Box IPv6 port forwarding. Furthermore, you can't manually add your privacy interface address because it changes every hour. Therefore, your incoming ICMP Type 2 packets are dropped by the Fritz Box, as there's no inbound rule that matches the outgoing interface address.

In Windows and Linux, turning this feature off is trivial. I think in Windows it's off by default. You can root your Android device and turn it off, but it's a bit hacky and beyond the scope of most home users, and you certainly don't want to be doing this to every Android device that comes into your network. iOS you're stuffed whatever.

The issue this causes is that some websites don't respond or respond sporadically. In my home network, with IPv6 on, I basically can't access Facebook on any mobile devices because of this. Visit a site like http://test-ipv6.com/ and you can see the issue in the report. Devices with privacy extensions switched off don't suffer from this as long as you've forwarded "Ping6" in the Fritz Box as described above.

I am certainly not the only one who's experiencing this. I expect many Snap customers with Fritz Boxes will be using IPv6 without even knowing it and will be having issues with IPv6-enabled sites like Facebook. I would be very surprised if the Fritz Box developers aren't aware of this issue.

When setting up IPv6 on an enterprise network, using an enterprise-grade firewall, you have to create a rule like "from any ip6 address, to any ip6 address, allow icmp type2" in both directions across all your interfaces. You just can't do this in the Fritz Box.

I can't be the only one who's struck this, so I must be missing something. Help please!
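
The path MTU discovery failure described in the post, as an added example that is not part of the original post and not AVM's FRITZ!OS code: a parser for ICMPv6 Packet Too Big (type 2) messages, including the RFC 4443 checksum and a check that the message is addressed to the source of the packet it quotes, plus two toy firewall policies. One models the per-host "Ping6" forward the way the poster describes it (all ICMPv6, but only to the listed interface addresses); the other is the enterprise-style "from any, to any, allow icmpv6 type 2" rule that ignores the destination address. All addresses (2001:db8::/32 documentation prefix), the MAC 00:11:22:33:44:55 behind the EUI-64 address, the temporary address, the router and the MTU values are constructed test data.

```python
"""ICMPv6 Packet Too Big parsing and two firewall policies (example, not Fritz!OS code)."""
import ipaddress
import struct

ICMPV6_PACKET_TOO_BIG = 2
NEXT_HEADER_ICMPV6 = 58
NEXT_HEADER_TCP = 6
IPV6_MIN_MTU = 1280


def icmpv6_checksum(src: bytes, dst: bytes, message: bytes) -> int:
    """RFC 4443 checksum: one's complement sum over the IPv6 pseudo-header and the ICMPv6 message."""
    pseudo = src + dst + struct.pack("!I", len(message)) + b"\x00\x00\x00" + bytes([NEXT_HEADER_ICMPV6])
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv6_header(src, dst, payload_len: int, next_header: int) -> bytes:
    """Fixed 40-byte IPv6 header; traffic class and flow label zero, hop limit 64."""
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64) + src.packed + dst.packed


def build_packet_too_big(router, inside_host, remote, mtu: int, original_len: int) -> bytes:
    """router -> inside_host PTB quoting the start of an oversized inside_host -> remote packet."""
    # RFC 4443: quote as much of the invoking packet as fits in a 1280-byte message
    # (40 outer header + 8 ICMPv6 header + quoted bytes <= 1280).
    invoking = ipv6_header(inside_host, remote, original_len - 40, NEXT_HEADER_TCP) + b"\x00" * (original_len - 40)
    quoted = invoking[: IPV6_MIN_MTU - 40 - 8]
    body = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + quoted
    csum = icmpv6_checksum(router.packed, inside_host.packed, body)
    body = body[:2] + struct.pack("!H", csum) + body[4:]
    return ipv6_header(router, inside_host, len(body), NEXT_HEADER_ICMPV6) + body


def parse_packet_too_big(packet: bytes) -> dict:
    """Validate a PTB and return the fields a firewall needs; raise ValueError on anything else."""
    if len(packet) < 40 + 8 + 40:
        raise ValueError("too short for IPv6 + ICMPv6 PTB + quoted IPv6 header")
    ver_tc_fl, payload_len, next_header, _hop = struct.unpack("!IHBB", packet[:8])
    if ver_tc_fl >> 28 != 6 or next_header != NEXT_HEADER_ICMPV6:
        raise ValueError("not an IPv6/ICMPv6 packet")
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    message = packet[40:40 + payload_len]
    if len(message) != payload_len:
        raise ValueError("truncated packet")
    # Verifying: summing with the transmitted checksum included must give zero.
    if icmpv6_checksum(src.packed, dst.packed, message) != 0:
        raise ValueError("bad ICMPv6 checksum")
    icmp_type, _code, _csum, mtu = struct.unpack("!BBHI", message[:8])
    if icmp_type != ICMPV6_PACKET_TOO_BIG:
        raise ValueError("ICMPv6 type %d, not Packet Too Big" % icmp_type)
    inner_src = ipaddress.IPv6Address(message[16:32])  # quoted IPv6 header starts at offset 8
    inner_dst = ipaddress.IPv6Address(message[32:48])
    # A PTB goes back to the source of the quoted packet; anything else is spoofed or misdelivered.
    if inner_src != dst:
        raise ValueError("PTB destination does not match the quoted packet's source")
    return {"router": src, "host": dst, "mtu": mtu, "remote": inner_dst}


def is_eui64(addr: ipaddress.IPv6Address) -> bool:
    """Modified EUI-64 interface IDs derived from a 48-bit MAC carry 0xfffe in the middle of the low 64 bits."""
    return addr.packed[11:13] == b"\xff\xfe"


def fritz_ping6_policy(packet: bytes, allowed_hosts: set) -> bool:
    """Per-host 'Ping6' forward as the post describes it: ICMPv6 is let in only to the listed addresses."""
    try:
        ptb = parse_packet_too_big(packet)
    except ValueError:
        return False
    return ptb["host"] in allowed_hosts


def any_any_type2_policy(packet: bytes) -> bool:
    """'from any, to any, allow icmpv6 type 2': a valid PTB is accepted whatever its destination address."""
    try:
        parse_packet_too_big(packet)
    except ValueError:
        return False
    return True


def tamper_mtu(packet: bytes, new_mtu: int) -> bytes:
    """Overwrite the MTU field (bytes 44..47) without fixing the checksum, as a lazy on-path forgery would."""
    return packet[:44] + struct.pack("!I", new_mtu) + packet[48:]


def demo() -> dict:
    """Same router, same website, two inside addresses: one EUI-64, one RFC 4941 temporary address."""
    prefix = "2001:db8:1234:5678"  # constructed LAN prefix (documentation range)
    eui64_host = ipaddress.IPv6Address(prefix + ":211:22ff:fe33:4455")  # from MAC 00:11:22:33:44:55
    privacy_host = ipaddress.IPv6Address(prefix + ":8a3c:1f2d:9b44:7e10")  # constructed temporary address
    remote = ipaddress.IPv6Address("2001:db8:ffff::80")  # stand-in for the website
    router = ipaddress.IPv6Address("2001:db8:beef::1")  # transit hop whose link MTU is 1280
    allowed = {eui64_host}  # the only address offered in the Fritz Box drop-down
    results = {}
    for label, host in (("eui64", eui64_host), ("privacy", privacy_host)):
        ptb = build_packet_too_big(router, host, remote, 1280, 1500)
        results[label] = {
            "mtu": parse_packet_too_big(ptb)["mtu"],
            "eui64_address": is_eui64(host),
            "fritz_ping6": fritz_ping6_policy(ptb, allowed),
            "any_any_type2": any_any_type2_policy(ptb),
            "tampered_any_any": any_any_type2_policy(tamper_mtu(ptb, 9000)),
        }
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```

Running it shows the two outcomes side by side: the PTB for the EUI-64 address passes both policies, the PTB for the temporary address passes only the type-2 rule, and a PTB whose MTU was rewritten without recomputing the checksum is dropped by both. The `is_eui64` check is a heuristic, since a randomly generated interface ID can contain 0xfffe at that position by chance.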
