Curious situation - not urgent, but I'd like to know more

Brian E Carpenter brian.e.carpenter at gmail.com
Sat Mar 5 01:35:03 CET 2016


I would suggest:

netsh interface ipv6 6to4 set state state=disabled

You don't want to go near 6to4 these days (http://tools.ietf.org/html/rfc7526).
Use real IPv6 or no IPv6.

Regards
   Brian (co-author of 6to4, but that was 15 years ago)

On 05/03/2016 13:06, Kurt Buff wrote:
> Reviving an old thread, with a new twist.
> 
> I've currently got a similar problem with another user, but with two
> differences:
>      - The connection in this case is ATT, not Comcast
>      - The machine this time is running Win8.1 and not Win7
> 
> What I've zeroed in on is two stanzas from ipconfig /all:
> 
> On my test machine (Also Win8.1), sitting outside of my corporate
> firewall on a public IP address, I see the following:
> 
> Tunnel adapter 6TO4 Adapter:
> 
>    Connection-specific DNS Suffix  . :
>    Description . . . . . . . . . . . : Microsoft 6to4 Adapter
>    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
>    DHCP Enabled. . . . . . . . . . . : No
>    Autoconfiguration Enabled . . . . : Yes
>    IPv6 Address. . . . . . . . . . . : 2002:4332:7632::4332:7632(Preferred)
>    Default Gateway . . . . . . . . . : 2002:4332:7626::4332:7626
>    DHCPv6 IAID . . . . . . . . . . . : 268435456
>    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-45-38-94-00-26-2D-FA-9F-EF
>    DNS Servers . . . . . . . . . . . : 8.8.8.8
>    NetBIOS over Tcpip. . . . . . . . : Disabled
> 
> Tunnel adapter Teredo Tunneling Pseudo-Interface:
> 
>    Connection-specific DNS Suffix  . :
>    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
>    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
>    DHCP Enabled. . . . . . . . . . . : No
>    Autoconfiguration Enabled . . . . : Yes
>    IPv6 Address. . . . . . . . . . . : 2001:0:4332:7626:2803:8c2:bccd:89cd(Preferred)
>    Link-local IPv6 Address . . . . . : fe80::2803:8c2:bccd:89cd%9(Preferred)
>    Default Gateway . . . . . . . . . :
>    DHCPv6 IAID . . . . . . . . . . . : 285212672
>    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-45-38-94-00-26-2D-FA-9F-EF
>    NetBIOS over Tcpip. . . . . . . . : Disabled
> 
> On her machine, which is on a wireless connection at her home on ATT,
> I see this:
> 
> Tunnel adapter 6TO4 Adapter:
> 
>    Connection-specific DNS Suffix  . : attlocal.net
>    Description . . . . . . . . . . . : Microsoft 6to4 Adapter
>    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
>    DHCP Enabled. . . . . . . . . . . : No
>    Autoconfiguration Enabled . . . . : Yes
>    IPv6 Address. . . . . . . . . . . : 2002:100:69::100:69(Preferred)
>    Default Gateway . . . . . . . . . :
>    DHCPv6 IAID . . . . . . . . . . . : 553648128
>    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-CC-30-DE-34-E6-D7-13-7E-02
>    DNS Servers . . . . . . . . . . . : 1.0.0.1
>    NetBIOS over Tcpip. . . . . . . . : Disabled
> 
> Tunnel adapter Teredo Tunneling Pseudo-Interface:
> 
>    Media State . . . . . . . . . . . : Media disconnected
>    Connection-specific DNS Suffix  . :
>    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
>    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
>    DHCP Enabled. . . . . . . . . . . : No
>    Autoconfiguration Enabled . . . . : Yes
> 
> 
> 
> She's able to get an IPv4 connection at her location using our SSL
> VPN, and she states that when at her local coffee shop her
> DirectAccess connection works, though I haven't been able to confirm
> that yet.
> 
> I'm going to see next week if I can take a peek at her router/firewall
> configuration and glean any clues from it, and also see if she's
> willing to make a trip to the coffee shop to do some work with me from
> there.
> 
> I'm not certain if prefix policies have anything to do with this
> problem, as I'm not seeing the relevant IPv6 addresses for
> DirectAccess anywhere in her ipconfig output.
> 
> Any thoughts or comments would be appreciated.
> 
> Kurt
> 
> On Sat, Dec 19, 2015 at 1:37 PM, Kurt Buff <kurt.buff at gmail.com> wrote:
>> All,
>>
>> I ran into an interesting situation some months ago which still
>> baffles me, and though I was able to work around it, I expect it will
>> happen again.
>>
>> We implemented MSFT DirectAccess at our company quite some time ago
>> (using 2008R2 and Forefront 2010), and it works extremely well.
>>
>> At least it worked well for everyone until one of the employees got
>> his Comcast connection upgraded, and then DirectAccess didn't work for
>> that employee any more.
>>
>> We proved that if he tethered to his cell phone, that would work, and
>> if he used an SSL VPN client while on his Comcast connect that would
>> work, but DirectAccess would not work at home.
>>
>> Finally, I discovered that his Comcast-installed router was handing
>> out IPv6 addresses on his home LAN. Turning that off enabled
>> DirectAccess to work again.
>>
>> We do not have an assigned IPv6 block from our ISP, though of course
>> MSFT OSes use it, and auto-assign themselves addresses, but for now
>> we're ignoring it.
>>
>> Has anyone run into this problem and solved it - not by turning off
>> IPv6 address assignment for the home LAN, but really solved it? If
>> so, how did you do that?
>>
>> Would getting and implementing an IPv6 assignment from our ISP cure
>> the problem, or make it worse?
>>
>> I've found little guidance from MSFT about DirectAccess in an IPv6
>> environment, though I admit I haven't been terribly diligent in my
>> searches.
>>
>> Kurt
> 
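
Added example, not part of the original messages: both 6to4 (2002::/16) and Teredo (2001:0::/32) addresses embed IPv4 addresses, so the tunnel addresses in the quoted ipconfig output can be decoded to see which IPv4 address each one was derived from. The function name and sample text are constructed for illustration; the address lines are copied from the output quoted above, and only Python's standard ipaddress module is used.

```python
import ipaddress
import re

# Constructed sample: address lines copied from the quoted ipconfig /all output.
SAMPLE = """\
IPv6 Address. . . . . . . . . . . : 2002:4332:7632::4332:7632(Preferred)
Default Gateway . . . . . . . . . : 2002:4332:7626::4332:7626
IPv6 Address. . . . . . . . . . . : 2001:0:4332:7626:2803:8c2:bccd:89cd(Preferred)
Link-local IPv6 Address . . . . . : fe80::2803:8c2:bccd:89cd%9(Preferred)
IPv6 Address. . . . . . . . . . . : 2002:100:69::100:69(Preferred)
DNS Servers . . . . . . . . . . . : 1.0.0.1
"""

# Value after the "label . . . :" separator, stopping at "(", "%" or whitespace.
VALUE_RE = re.compile(r":\s+([0-9A-Fa-f:.]+)")


def decode_tunnel_addresses(text):
    """Return (address, kind, details) for every IPv6 address found in the text."""
    results = []
    for line in text.splitlines():
        match = VALUE_RE.search(line)
        if not match:
            continue  # label with an empty value, or not an address line
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue
        if addr.version != 6:
            continue  # plain IPv4 values such as the DNS server
        if addr.sixtofour is not None:
            # 2002:V4ADDR::/48 carries the host's IPv4 address in bits 16..47.
            results.append((str(addr), "6to4", {"ipv4": str(addr.sixtofour)}))
        elif addr.teredo is not None:
            # Teredo stores the server IPv4 in the clear and the client IPv4 inverted.
            server, client = addr.teredo
            details = {"server": str(server), "client": str(client)}
            results.append((str(addr), "teredo", details))
        else:
            results.append((str(addr), "other", {}))
    return results


if __name__ == "__main__":
    for address, kind, details in decode_tunnel_addresses(SAMPLE):
        print(f"{kind:7} {address}  {details}")
```

On the test machine the 6to4 address and the Teredo client address both decode to 67.50.118.50, and the 6to4 default gateway and the Teredo server both decode to 67.50.118.38; the 6to4 address on the AT&T machine decodes to 1.0.0.105.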


