LunarG
New Contributor

CG3000DCR IPv6 interferes with my DHCP and DNS

I have a CG3000DCR with hardware version 1.04 and firmware version V3.01.04.

I run my own DHCP and DNS servers.  So I disable the "Enable LAN DHCP" on the "IPv4 setup" page.

But there is no specific setting on the "IPv6 Setup" page for DHCP and DNS behavior.

I found Windows and Linux systems on the LAN issue ICMPv6 "Router solicitation" packets.

And the CG3000DCR responds with ICMPv6 "Router advertisement" packets.

Those replies include Comcast DNS servers.

ICMPv6 Option (Recursive DNS Server 2001:558:feed::2 2001:558:feed::1)

That had the systems on my LAN sometimes going out to the Comcast IPV6 DNS servers that know nothing of my local DNS.

 

I have banished the cable modem off to a separate LAN behind another router until it learns to play well with others.

Trusted Forum Contributor

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

Hello LunarG and welcome,

 

So, are you using a static IP in your NetGear3000 (NG3K)? If you are not and if you are running under strictly NG3K DHCP, then you cannot disable either IPV4 or IPV6 DHCP Servers. The reason for this is that your intra-networking DHCP and DNS Servers must have some access to the internet and if you disable the NG3K LAN Server, you are disabling all internal routing for Internet accessibility.  This is, of course, unless your NG3K is running in true bridge mode.

Are all of your inter-networking computers, applications, etc. able to operate in both IPV4 and IPV6, including your internal DHCP and DNS server?

 

If you are needing IPV6 LAN setup information check out this forum post.  

 

Hope this helps you out and look forward to hearing from you.

LunarG
New Contributor

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

Hi VBSSP-RICH,

 

I am using only IPv4, with static IPv4 addresses on both the LAN and WAN side of the cable modem.

I disable IPV4 DHCP for the LAN side of the cable modem and use separate systems for DHCP and DNS servers.

I have not taken any steps to start using IPv6.  There is no pressing need to enable it.

 

The problem with this cable modem is that it is announcing itself as an IPv6 router and announcing IPv6 DNS servers.

I don't want it telling the systems on the LAN anything about DNS servers.

I worked around the problem by putting the cable modem on a different LAN segment.

But that should not have been necessary.

Trusted Forum Contributor

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

Hi LunarG,

 

So, if you are ONLY using IPV4, then is it not possible for you to disable your IPV6 LAN environment including User defined Prefix, Unicast, and EUI-64 addressing? I believe this would stop any and all announcing of any IPV6 parameters or devices for you. Try this and let us know if this helps you out.

So, your current workaround is to change the IPV4 LAN DHCP server address or subnet mask?

 

Look forward to hearing from you. 

LunarG
New Contributor

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

I could experiment with changing the IPv6 configuration to get a side effect of making the router advertisement packets stop.

But that really should not be necessary.

I posted here to let folks know that the current cable modem behavior will cause trouble for any site that has its own DNS servers.

That happens without any intentional enabling of IPv6 at all.

Other folks should not have to go through the process of debugging the bad DNS behavior.

 

I already have a workaround that fixes the problem for me.

I moved the cable modem to a LAN segment of its own that does not see any "router solicitation" ICMPv6 broadcast packets from the systems on the normal site LAN.

It has no chance to reply with bad DNS information in "router advertisement" packets.

Trusted Forum Contributor

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

That is fine that you have a workaround that is keeping your business network up and running. However, Comcast has now introduced the Dual IPV4 and IPV6 stack implementation to provide customers the ability to prepare for the near future when IPV6 will be the primary protocol used within the computer industry.  Perhaps your DNS speciality is something that Comcast needs to take a closer look at.

 

 

PMcD
New Member

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

Hello.  I'm happy (ish) to find this forum that explains exactly what issue I've been dealing with.  So I have SBS2011 behind the Netgear CG3000CR router- firmware seems to be up to date and all checkboxes under IPV6 LAN are not checked- but the router is still giving out IPv6 address to my LAN.  How can I make it stop?  IPv6 is required for many Microsoft products and desktop OS's Windows 7 and above will use IPv6 first before IPv4.  The effect of having the IPv6 coming from the router screws up DNS resolution for clients with it checked- on the server side it makes it impossible to sign static IPv6 address.

 

Does anybody know how I can turn this off?  

 

Thanks! 

Patrick 

Member

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

The NetGear CCR has a bug where we can NOT disable the DHCPv6 server, we are currently working with the vendor to fix this..

 

 

Comcast_Tuska
PMcD
New Member

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

Thanks Comcast_Tuska-

 

I was going to try to work around by using the firewall to block udp 546 and 547 but the firewall on the CG3000CR doesn't like any ipv6 range I put in there (with CIDR or without).  Does the CG3000CR support an IPv6 firewall?  Could this work as a workaround?  

 

Are there any alternative modem / routers available from Comcast business?  

 

And finally- what's the ETA on a fix for disabling IPv6 DHCP on the Netgear CG3000CR?  

 

Thanks!

 

-Patrick 

LunarG
New Contributor

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

PMcD,

 

  I placed the cable modem on a second ethernet card and routed all traffic to it through a system that ignored the IPv6 DNS.

You might get an equivalent effect by putting a simple router between the cable modem and the normal LAN.

It could prevent the ICMPv6 packets from passing between the cable modem and the systems on the LAN.

You would then need to configure firewalls and routing at the intermediate router as well as the cable modem.

That is not a nice fix.  But it could be implemented fairly quickly.

Member

Re: CG3000DCR IPv6 interferes with my DHCP and DNS


PMcD wrote:

Are there any alternative modem / routers available from Comcast business?

You could ask for the Cisco DPC3939B; you can disable the DHCPv6 server.

And finally- what's the ETA on a fix for disabling IPv6 DHCP on the Netgear CG3000CR?

Working with the vendor on this; we have daily calls, no ETA at this point.

 

 

Comcast_Tuska
Trusted Forum Contributor

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

Sounds like a PITA vendor ;)

PMcD
New Member

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

Thanks Comcast_Tuska,

I  called yesterday and the techs came out and replaced the Netgear with a SMC 3D3G.  There is a box to uncheck IPv6 DHCP on the LAN side and now everything is back to normal.  

 

Regards,

Patrick 

Member

Re: CG3000DCR IPv6 interferes with my DHCP and DNS


@PMcD wrote:

Thanks Comcast_Tuska,

I  called yesterday and the techs came out and replaced the Netgear with a SMC 3D3G.  There is a box to uncheck IPv6 DHCP on the LAN side and now everything is back to normal.  

 

Regards,

Patrick 


Sweet..

Comcast_Tuska
Bernie
New Member

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

Well just to confirm and provide some additional information on this.  We are currently having the exact same problem.  In addition, the problem was set in motion by something Comcast did to our router.

 

We had the CG3000DCR router working perfectly since it was installed about six months ago. 

 

Then just a few days ago, the router started responding to "DHCPv6/SLAAC" requests and providing all of our client machines IPv6 addresses.

That in itself would be bad enough but manageable.

 

HOWEVER, they also provided an IPv6 DNS address to their own DNS servers. 

 

Due to the way the Windows-based clients work, they use that DNS IPv6 address to resolve names over any IPv4 DNS address.

 

But we have our own DNS server that resolves local names on our internal network.   Our internal DHCP server provides the internal DNS server address so internal names can be resolved.

The result is Comcast is now intercepting ALL DNS requests in our office, and of course returns "not found" to server names that are in our local domain.  So no client can access any server or service within our local network.

 

As reported earlier, there is no way for a CUSTOMER to turn off IPv6 on this router.  HOWEVER, Comcast is able to turn it on/off and configure it.

 

It is not clear why Comcast is blocking our control of IPv6.

 

NOTE:

 

 

  1. This is a security issue for any business using Comcast.  As you can see, Comcast was able to come in and intercept ALL our DNS requests.  They are now collecting information about ALL our internal servers/services and sites.  All without our approval.
  2. They provided no warning or notification of such a major change to the router.  If they had notified us of what change they are proposing we could have informed them of this issue.
  3. Support does not see this as a major problem.  Their answer was to "turn off IPv6 on all our clients."  Which is not reasonable when you have clients all over the place. 

 

 

 

At this time we are still waiting for some resolution from Comcast to bring our configuration back to what works. 

 

 

 

Hopefully this can help someone else be aware of this situation and make the necessary changes to mitigate these actions.

 

 

Member

Re: CG3000DCR IPv6 interferes with my DHCP and DNS


@LunarG wrote:

I have a CG3000DCR with hardware version 1.04 and firmware version V3.01.04.

I run my own DHCP and DNS servers.  So I disable the "Enable LAN DHCP" on the "IPv4 setup" page.

But there is no specific setting on the "IPv6 Setup" page for DHCP and DNS behavior.

 


A user can disable IPv6 DHCP via changing the Lease Time to "0", this will disable the DHCPv6 server..  We are working on a check box like v4 has and getting the DNS Server IPs changeable as well..

Comcast_Tuska
dano2004
Occasional Visitor

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

This information would have been nice two weeks ago when I was pulling my hair out trying to figure out what the heck was going on.  I eventually pushed a GPO to my machines to not use IPv6, excluding my server.  This cost our business several thousand dollars due to end users not being able to connect to Exchange or the server.  Really, Comcast????

Forum Contributor

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

Realizing you have rogue DHCP servers in an enterprise can be a real bitch even if they are DHCP v4.   I have a client that had network instability for a month when another contractor installed what they THOUGHT was a hub but was actually a router with DHCP enabled.  I only caught it because I had 1 system that just happened to misbehave when I was there and the customer doesn't use 192.168.1.X as their internal subnet - and I'm looking at the status of the interface going "WTF is this machine picking up 192.168.1"

 

I STRONGLY RECOMMEND to Comcast that ALL of their Business gateway routers be FACTORY DEFAULTED to have IPv6 DHCP turned OFF by default.  You do not need to be handing out DHCP IPv6 to tech installers who are just plugging a laptop into the modem and hitting 10.0.10.1 to configure it.

dano2004
Occasional Visitor

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

UPDATE!!  So now we can't email anyone at Google or that is hosted by Google... after a little checking around, the bloody modem is sending my emails (we host our own server) with an IPv6 address.  This is not acceptable as, you guessed it... our certificates, reverse DNS, SPF records, etc. are not set up for IPv6.

flybynight
Contributor

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

If you have IPv6 as well as IPv4 connectivity, IPv6 is preferred. Your only option would be to somehow filter the AAAA records at your DNS server, or configure your mail server as an IPv4 only host.

 

I would recommend advertising only IPv4 MX records at this point anyway, as some sendmail versions have problems cleanly falling back to IPv4 if there is no IPv6 connectivity. 

 

dano2004
Occasional Visitor

Re: CG3000DCR IPv6 interferes with my DHCP and DNS


@dano2004 wrote:

UPDATE!!  So now we can't email anyone at Google or that is hosted by Google... after a little checking around, the bloody modem is sending my emails (we host our own server) with an IPv6 address.  This is not acceptable as, you guessed it... our certificates, reverse DNS, SPF records, etc. are not set up for IPv6.


Finally fixed issues.  Had to create both SPF and DKIM for Exchange.  This corrected the issue with using IPv6 and emailing Google and Comcast users.  I did set up an AAAA record and added an MX record for IPv6 as well as the SPF... wasn't until I did the DKIM that things worked.  Still waiting on Comcast to add my reverse DNS record for IPv6 address, but once that is done then all of the recommended settings should be set. :)

 

Forum Contributor

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

DKIM isn't needed for Gmail.  In fact SPF isn't either - however if they get but a single spam complaint from one of their users from spam that got relayed through your mailserver, they will blacklist you unless you have at least a SPF record.  The main thing they seem to care about is a correct PTR record - and a very high quality spam-to-ham ratio from your server.

 

I don't allow companies with so-called "opt in" (or so they claim) mailing lists on our systems so our ham-to-spam ratio is excellent - Gmail is very forgiving to us as a result, we only get blacklisted when one of our users lets a password go through a phish email and the bad guys start relaying, even though we shut them down pretty quick.  And the block never lasts more than a few hours after I close the hole.

 

Unfortunately, SPF and DKIM both seem to have become worthless judging by the amount of spam I get in our honeypots that have valid SPF & DKIM.

convergentcap
New Member

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

Was this issue properly resolved for disabling IPv6 DHCP on the Netgear CG3000DCR? I just received the unit as a replacement for a SMCD3G and am in a similar position where the unit is handing out DHCP/DNS information to my local SBS network. I have tried (1) unchecking the Enable DHCPv6 checkbox and (2) setting the Valid Lifetime to 0 under User defined prefix, but neither setting actually disables the v6 LAN functionality.
LunarG
New Contributor

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

 

I acknowledged this as 'solved' when the firmware was upgraded to have a
checkbox to disable IPV6. But I left my workaround in place so the CG3000DCR
was not on the site LAN.

I just connected a system directly to it and watched with wireshark.
With firmware version V3.01.05, the DHCPv6 checkbox is not actually working.
IPV6 remains fully active.
With DHCPv6 unchecked the CG3000DCR still responds with ICMPv6 router advertisements.
And that response still includes the Comcast DNS servers.
I am not going to test the "Assign DNS Manually" settings.
Those might work to point to some local IPV6 DNS server.
But testing the corner cases of this chronically buggy firmware is not a worthwhile use of my time.

Trusted Forum Contributor

Re: CG3000DCR IPv6 interferes with my DHCP and DNS


@LunarG wrote:

 

I acknowledged this as 'solved' when the firmware was upgraded to have a
checkbox to disable IPV6. But I left my workaround in place so the CG3000DCR
was not on the site LAN.

I just connected a system directly to it and watched with wireshark.
With firmware version V3.01.05, the DHCPv6 checkbox is not actually working.
IPV6 remains fully active.
With DHCPv6 unchecked the CG3000DCR still responds with ICMPv6 router advertisements.
And that response still includes the Comcast DNS servers.
I am not going to test the "Assign DNS Manually" settings.
Those might work to point to some local IPV6 DNS server.
But testing the corner cases of this chronically buggy firmware is not a worthwhile use of my time.


Well, keep in mind that DHCPv6 and ICMPv6 router advertisements (RAs) are actually 2 different things. With DHCPv6 on, a packet trace SHOULD show periodic UDP packets on port 546/547 being broadcast from the Netgear, alongside the RAs. With DHCPv6 off, a packet trace SHOULD just show the RAs.

 

To completely disable IPv6 on the Netgear, you would need a way to disable both DHCPv6 AND announced RAs. I don't have this gateway, so I can't comment on whether it gives you this capability.

 

I will say that in my experience, Netgear products tend to have pretty awful firmware, and Netgear in my experience typically takes a "don't care" attitude to this. I see firmware-related problems across all ranges of Netgear devices that remain unsolved, and I have seen them make pretty egregious, basic mistakes numerous times. I personally don't recommend them as a brand. Just my 2 cents

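The RA-versus-DHCPv6 distinction in the reply above, and the "Recursive DNS Server" option LunarG captured in the first post, can be checked directly from a capture. The following is an added example, not part of the thread: it parses the ICMPv6 portion of a Router Advertisement, reads the M/O flags and any RDNSS option (type 25, RFC 8106), and reports advertised DNS servers that are not on a site allow-list. The function names, the constructed sample packet and the `fd00::53` local resolver are assumptions for illustration.

```python
import ipaddress
import struct

RA_TYPE = 134     # ICMPv6 Router Advertisement (RFC 4861)
OPT_RDNSS = 25    # Recursive DNS Server option (RFC 8106)

def parse_ra(icmp6: bytes) -> dict:
    """Parse an RA, starting at the ICMPv6 type byte (checksum not verified)."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    flags = icmp6[5]
    info = {
        "managed": bool(flags & 0x80),  # M: addresses come from DHCPv6
        "other": bool(flags & 0x40),    # O: other config comes from DHCPv6
        "router_lifetime": struct.unpack("!H", icmp6[6:8])[0],
        "rdnss": [],                    # (address, lifetime in seconds)
    }
    off = 16                            # options follow the fixed RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == OPT_RDNSS and opt_len >= 24 and (opt_len - 8) % 16 == 0:
            lifetime = struct.unpack("!I", icmp6[off + 4:off + 8])[0]
            for a in range(off + 8, off + opt_len, 16):
                addr = ipaddress.IPv6Address(icmp6[a:a + 16])
                info["rdnss"].append((str(addr), lifetime))
        off += opt_len
    return info

def unexpected_dns(info: dict, allowed: list) -> list:
    """RDNSS addresses still valid (lifetime > 0) and not on the site allow-list."""
    ok = {ipaddress.IPv6Address(a) for a in allowed}
    return [a for a, life in info["rdnss"]
            if life > 0 and ipaddress.IPv6Address(a) not in ok]

def sample_ra() -> bytes:
    """Constructed RA: M=0, O=0 (no DHCPv6), plus the RDNSS option from the thread."""
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0x00, 1800, 0, 0)
    servers = [ipaddress.IPv6Address(a).packed
               for a in ("2001:558:feed::2", "2001:558:feed::1")]
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(servers), 0, 1200)
    return header + rdnss + b"".join(servers)

if __name__ == "__main__":
    ra = parse_ra(sample_ra())
    print("DHCPv6 flags M/O:", ra["managed"], ra["other"])
    # fd00::53 is a hypothetical local resolver, used only for illustration
    print("unexpected RDNSS:", unexpected_dns(ra, ["fd00::53"]))
```

With both DHCPv6 flags clear the sample RA still carries two resolvers, which is the behaviour reported for firmware V3.01.05: turning off DHCPv6 alone does not stop DNS servers from being announced.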
smschulz
Visitor

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

What about just setting in bridge mode (or equivalent) and placing a different router between the Comcast unit and the LAN shielding from IPV6 DHCP?

 

Forum Contributor

Re: CG3000DCR IPv6 interferes with my DHCP and DNS

smschulz, bridge mode makes a static IP impossible.  There is a fix for his problem.  That is this.  If he only has a dynamic IP then send the Netgear back to Comcast and use his own cable modem (save on rental costs) and his own router and he can configure them how he likes.   If he has a static then put a second router behind the cable modem and configure it how he likes.  The fact the Netgear is handing out DNS server IP addresses is NOT a bug.  That's what RA on an IPv6 device is supposed to do; it's part of the standard.  The Netgear needs a button to disable IPv6 but given the push for IPv6 I understand why Comcast doesn't want to disable it.  He has options.
