Forum Discussion
Home internet service IPv6 traffic is all filtered even when using a Netgear LTE router. No port forwarding. Plz fix!
My background is in IT / networking and I started using Tmo Home Internet for the past 2 weeks. The router being shipped today to customers is missing very important features for power users - it actually broke my ability to remotely access my home via direct-connection using public IPv6 and IPv4 that I used on comcast.
Contacting support for help is pretty much useless, although I have raised a few tickets regarding the major issues affecting me since switching ISPs, namely:
- Unable to ping my IPv6 WAN address given by T-mobile (to remotely monitor my internet connection)
- Unable to remotely access my home via my VPN server which listens to connections on the WAN IPv6 address (again, T-mobile is filtering ALL my incoming traffic - comcast, att fiber, other major players in the market don’t do this filtering to endpoints except for spam port 25)
- Connecting to a VPN server hosted on the internet is unreliable and unstable.
- T-mobile does not offer IPv6 Prefix Delegation (comcast has it, att fiber does too)
I’ve spent the majority of my time trying to figure out ways to make this work. Most folks out there are blaming the Nokia router firmware which is really locked down by T-mobile, so being the IT engineer I pretend to be I purchased a Netgear LAX20 which is T-mobile and AT&T certified - I swapped SIMs for my Home internet service and tested both.
Even with a router that I fully control, with firewall disabled and allowing WAN icmp/ping responses T-mobile seems to continue to filter traffic (even pings!) incoming towards my service equipment… to make a fair comparison I got an AT&T SIM card and repeated the tests. On AT&T I can ping and access my device remotely when it is on the AT&T LTE network on the same Netgear LAX20.
Decided to post here to vent and share some findings, as this is somewhat frustrating that other LTE carriers that do not offer ‘home internet’ service do allow you to control and manage your network as you see fit while the new “home internet” service does not give you any control at all. Those users who wish to be able to remotely manage their smart home should perhaps stay away for now until T-mobile decides to do the right thing which is for “home internet” service subscribers to have different security network rules than cellphones on the network.
T-mobile please fix your business model for this new service, starting with adding the ability to request zero network filtering for home internet subscribers and the ability to get IPv6 prefix delegated.
- n4mwd (Newbie Caller)
The original post is over a year old now. Has T-mobile fixed the problem yet? I have a 4g sim with a netgear modem. I can confirm that incoming IPv4 ports are blocked and natted. I have not tested IPv6.
I have looked into VPNs, but the majority of them don’t allow port forwards, and the ones that do are cost prohibitive. Cheaper just to stay with cable.
My sim is prepaid, so if they haven’t gotten this working by the end of the billing cycle, I’m going to assume that they don’t possess the know-how or technology to provide competent internet service.
- lfjeff (Network Novice)
I solved my specific problem, but it’s not a generic solution for all. For those that are interested, here’s how I solved the double-NAT issue and got VOIP to work.
I got the TMHI trashcan gateway to use as a secondary WAN connection (my primary is Cox cable). I’m using a Peplink Balance 20 router, which allows dual WAN connections.
Peplink also offers a service called SpeedFusion Cloud, which is basically a VPN. However, it also offers advantages like WAN smoothing and the ability to selectively route your traffic over both WANs simultaneously. This means you can pull the plug on one WAN and someone on a VOIP call won’t even notice a problem (I verified this by actually doing it).
Since SpeedFusion is an outgoing connection that is initiated by the router, it doesn’t care if it has a public IP. It works fine with the private IP address assigned by the T-Mobile gateway.
This solution is a variation on using a VPN that others have mentioned. The cost of the SpeedFusion cloud service is as low as $20 for six months of service. Right now I’m only routing my VOIP traffic through it, since our VOIP service is critical and it is the only service that appears to be affected by double-NAT issues. Also, it doesn’t make sense to pay for the extra bandwidth just to stream Netflix over a redundant connection. However, it might make sense to route business-critical Zoom calls this way.
For anyone using a Peplink router, this might be a good solution. Now that I can split my traffic across two providers, I’m considering cutting the speed on my Cox service. The cost savings by doing this will just about pay for the TMHI service and the small extra cost of the Speedfusion Cloud service. This means I will have fully-redundant internet service for about the same cost as my original cable service.
- Jayke (Transmission Trainee)
lfjeff wrote:
I just want to use IPv6 passthrough (bridge mode) so I can connect my external router. I don’t need port forwarding or inbound access. I called before ordering the service and they told me this was possible — but I guess they lied.
It sounds to me like you want IPv6 delegation, not passthrough. In passthrough your router behind theirs actually acts as a bridge. In delegation their router accepts DHCPv6 requests and then delegates subnets to your router. TMHI supports passthrough just fine; unfortunately they do not support delegation. They want to bundle prefixes to simplify their network and that complicates delegation, though there are plenty of both standard and nonstandard solutions that work to fix that and aren’t even mutually incompatible. I.e., they could implement both RFC 6603, prefix shortening and multi /64 prefix delegation all on the same device. All would solve the issue and none would interfere with each other.
- djb14336 (Bandwidth Buddy)
Oh I could run a v6 DNS query from the command line fine and all.
It was just too slow.
My phone got along with it just fine. It was the Winblows and $ony platforms that didn't behave well.
By default, some browsers will fall back to a v4 query if the v6 takes too long. I just didn't feel like farting around with them to figure out how to override or otherwise tweak the timeout limit for the query (not to mention Microsoft's screwy stuff). Most everything I do is still reliant on v4 addressing and all, so wasn't up for the headache.
That is another part of the problem... way too many applications are not geared to use V6 properly yet.
- Locutus (Transmission Trainee)
djb14336 wrote:
yeah... v6 passthrough "works" with my Asus.
Native/delegation appeared to work at first, but it crapped out when I tried to run a v6 compliance test like 30 seconds later.
I say passthrough "works" more so because of client side issues than network issues.
DNS can be sluggish (at least in Windoze), causing your browsers to fall back to v4 lookups. But if you are avoiding that screwy slow DNS fall back scenario (like on your phone), it works.
Just frustrating. They should have known better. Sometimes it feels like the DOCSIS beta days. You can see there should be a better way to do things... but it just is not happening.
Phones on T-Mobile use DNS64. So, you will always get an IPv6 response and address from DNS on a phone. This is not the case with TMHI. You will only get an IPv6 address if there is a AAAA registration for the host. For me, DNS is working properly with TMHI. My clients use IPv6 for sites and services that support IPv6. If I completely turn off IPv4 on a client, I still have connectivity to those sites and services. I even tested using DNS64 servers and turned off IPv4 and I had no issues with apps or service except for the T-Mobile digits app.
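The DNS64 difference described in the post above can be checked from a client. This is an added example, not part of the original post: it goes beyond the post by using the RFC 7050 method (any AAAA answer for `ipv4only.arpa` must be synthesized) and the RFC 6052 address layouts. The sample answers, the `2001:db8:64::/48` prefix and all function names are constructed for illustration.

```python
import ipaddress

# RFC 7050: ipv4only.arpa has only these two A records and no real AAAA,
# so any AAAA answer for it was synthesized by a DNS64 resolver.
WKA = {ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171")}
PREFIX_LENGTHS = (96, 64, 56, 48, 40, 32)  # lengths allowed by RFC 6052

def _v4_positions(plen):
    # The IPv4 bytes follow the prefix; byte 8 (the "u" octet) is skipped.
    return [i for i in range(plen // 8, 16) if i != 8][:4]

def synthesize(prefix, v4):
    """Build the AAAA a DNS64 resolver would return for an A record."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in PREFIX_LENGTHS:
        raise ValueError("not an RFC 6052 prefix length")
    raw = bytearray(net.network_address.packed)
    v4_bytes = ipaddress.IPv4Address(v4).packed
    for pos, byte in zip(_v4_positions(net.prefixlen), v4_bytes):
        raw[pos] = byte
    return ipaddress.IPv6Address(bytes(raw))

def embedded_v4(addr, plen):
    """Read back the IPv4 address embedded at the given prefix length."""
    raw = ipaddress.IPv6Address(addr).packed
    return ipaddress.IPv4Address(bytes(raw[i] for i in _v4_positions(plen)))

def discover_nat64_prefix(aaaa_answers):
    """aaaa_answers: AAAA records a resolver returned for ipv4only.arpa.
    Returns the NAT64 prefix in use, or None when the resolver is not DNS64."""
    for answer in aaaa_answers:
        for plen in PREFIX_LENGTHS:
            if embedded_v4(answer, plen) in WKA:
                return ipaddress.IPv6Network(f"{answer}/{plen}", strict=False)
    return None

if __name__ == "__main__":
    # Constructed resolver answers for ipv4only.arpa.
    samples = {
        "resolver with DNS64 (well-known prefix)": ["64:ff9b::c000:aa", "64:ff9b::c000:ab"],
        "resolver with DNS64 (network prefix)": ["2001:db8:64:c000:0:aa00::"],
        "resolver without DNS64": [],
    }
    for label, answers in samples.items():
        print(f"{label}: {discover_nat64_prefix(answers)}")
```

On a live network the answers would come from an AAAA query for `ipv4only.arpa` against the resolver under test; an empty answer matches the home internet behaviour described in the post.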
- djb14336 (Bandwidth Buddy)
yeah... v6 passthrough "works" with my Asus.
Native/delegation appeared to work at first, but it crapped out when I tried to run a v6 compliance test like 30 seconds later.
I say passthrough "works" more so because of client side issues than network issues.
DNS can be sluggish (at least in Windoze), causing your browsers to fall back to v4 lookups. But if you are avoiding that screwy slow DNS fall back scenario (like on your phone), it works.
Just frustrating. They should have known better. Sometimes it feels like the DOCSIS beta days. You can see there should be a better way to do things... but it just is not happening.
- Locutus (Transmission Trainee)
lfjeff wrote:
I just want to use IPv6 passthrough (bridge mode) so I can connect my external router. I don’t need port forwarding or inbound access. I called before ordering the service and they told me this was possible — but I guess they lied.
Front-line support are mostly useless and don’t even know about double-NAT and why it is a problem for VOIP and many other apps.
Does T-Mobile have any real network engineers? It seems like the people on this forum are better qualified.
IPv6 passthrough with your router should be working. It does for me. But, that’s a function of your router. If it’s not working, the issue is on the inside of your network. It’s not with the gateway. But, if your VOIP service doesn’t support IPv6, using passthrough won’t help. Also, I don’t have any issues with VOIP services. In the past, I have heard of others having issues. But, I do not.
- lfjeff (Network Novice)
I just want to use IPv6 passthrough (bridge mode) so I can connect my external router. I don’t need port forwarding or inbound access. I called before ordering the service and they told me this was possible — but I guess they lied.
Front-line support are mostly useless and don’t even know about double-NAT and why it is a problem for VOIP and many other apps.
Does T-Mobile have any real network engineers? It seems like the people on this forum are better qualified.
- Locutus (Transmission Trainee)
djb14336 wrote:
Just got home and pulled up the ASN info on my TMO HI.
It is the AS21928 ID I looked at earlier from work…
... the one with 12,671,488 v4 IP's assigned.
This particular 172.58.0.0/21 subnet has been reserved/announced since 2016 (was 172.58.0.0/15 for about 10 months beforehand).
So no... they didn't exactly become a V6 only network.
They have been maintaining active v4 IP's for quite a while... this particular subnet since 20160825. The history here dates back into 2012, where it notes a different subnet described as internet backbone.
Their TRANSIT may have moved over to v6... but they have maintained their v4 assignments.
And yes, the gripe includes the inbound traffic.. but there is more to it.
The geo data assigned to my v4 addresses put me out of state... which monkeys up functionality for some services (sometimes Charlotte, other times Atlanta--I live in Florence, SC). It is also monkeying with game traffic as well.
People have posted here those problems go away when going through their phones and/or hotspots.
In other words... the v4 subnets the "normal" cell devices are using have more proper functionality.
So again... they are perfectly CAPABLE of a better dual-stack implementation... but CHOSE otherwise.
I have had the same issue with the geolocation. But, mine occurred on both IPv4 and IPv6. And, it also occurred on my phone when it’s not connected to TMHI. I called the number listed on the trashcan’s web interface and they fixed the problem for me on home internet. I’m still a little off. But it’s close enough now.
I agree their dual stack deployment could have been better and probably will get better. It’s likely still a work in progress. It’s also interesting DNS64 is used on the phone network while it isn’t on home internet. I’m curious why that’s different.
As far as inbound connectivity, hopefully that’s coming. I do not believe it is disallowed globally as others have said since Calyx customers on the MiFi are able to enable inbound IPv6 traffic. Unfortunately, it doesn’t look like you can manage the traffic by port or address, which is a security issue. As such, if inbound traffic is ever allowed, I will probably always keep a personal router between the trashcan and my network.
- djb14336 (Bandwidth Buddy)
Just got home and pulled up the ASN info on my TMO HI.
It is the AS21928 ID I looked at earlier from work…
... the one with 12,671,488 v4 IP's assigned.
This particular 172.58.0.0/21 subnet has been reserved/announced since 2016 (was 172.58.0.0/15 for about 10 months beforehand).
So no... they didn't exactly become a V6 only network.
They have been maintaining active v4 IP's for quite a while... this particular subnet since 20160825. The history here dates back into 2012, where it notes a different subnet described as internet backbone.
Their TRANSIT may have moved over to v6... but they have maintained their v4 assignments.
And yes, the gripe includes the inbound traffic.. but there is more to it.
The geo data assigned to my v4 addresses put me out of state... which monkeys up functionality for some services (sometimes Charlotte, other times Atlanta--I live in Florence, SC). It is also monkeying with game traffic as well.
People have posted here those problems go away when going through their phones and/or hotspots.
In other words... the v4 subnets the "normal" cell devices are using have more proper functionality.
So again... they are perfectly CAPABLE of a better dual-stack implementation... but CHOSE otherwise.