Time Warner has gradually rolled out IPv6 connectivity to their Road Runner customers over the past couple of years and it started appearing on my home network earlier this year. I had some issues getting the leases to renew properly after they expired (TWC’s default lease length appears to be seven days) and there were some routing problems that cropped up occasionally. However, over the past month, things seem to have settled down on TWC’s San Antonio network.
Do you have IPv6 yet?
Before you make any adjustments to your network, I’d recommend connecting your computer directly to the cable modem briefly to see if you can get an IPv6 address via stateless autoconfiguration (SLAAC). You’ll only get one IPv6 address via SLAAC, but we can get a bigger network block later on (keep reading). Check your computer’s network status to see if you received an IPv6 address. If you have one, try accessing ipv6.google.com. You can always check ipv6.icanhazip.com or ipv6.icanhaztraceroute.com as well.
There’s a chance your computer didn’t get an IPv6 address while directly connected to the cable modem. Here are some possible solutions:
- Power off the cable modem for 30 seconds, then plug it back in and see if your computer gets an address
- Ensure you have one of TWC’s approved modems. (Bear in mind that not all of these modems support IPv6.)
- Verify that your computer has IPv6 enabled. (Instructions for Windows, Mac and Linux are available.)
But I want more addresses
If you were able to get an IPv6 address, it’s now time to allocate a network block for yourself and begin using it! We will request an allocation via DHCPv6. Every router is a little different, but the overall concept is the same. Your router will request an allocation on the network and receive that allocation from Time Warner’s network. From there, your router will assign that block to an interface (most likely your LAN, more on that in a moment) and begin handing our IPv6 addresses to devices in your home.
By default, TWC hands out /64 allocations regardless of what you request via DHCPv6. I had some success in late 2013 when I requested a /56 but it appears that allocations of that size aren’t available any longer. Sure, a /64 allocation is gigantic (bigger than the entire IPv4 address space), but getting a /56 would allow you to assign multiple /64 allocations to different interfaces. Splitting /64’s into smaller subnets is a bad idea.
Let’s talk security
IPv6 eliminates the need for network address translation (NAT). This means that by the time you finish this howto, each device in your network with have a publicly accessible internet address. Also, bear in mind that with almost all network devices, firewall rules and ACL’s that are configured with IPv4 will have no effect on IPv6. This means that you’ll end up with devices on your network with all of their ports exposed to the internet.
In Linux, be sure to use ip6tables (via firewalld, if applicable). For other network devices, review their firewall configuration settings to see how you can filter IPv6 traffic. This is a critical step. Please don’t skip it.
On my Mikrotik device, I have a separate IPv6 firewall interface that I can configure. Here is my default ruleset:
/ipv6 firewall filter /ipv6 firewall filter add chain=input connection-state=related add chain=input connection-state=established add chain=forward connection-state=established add chain=input in-interface=lanbridge add chain=forward connection-state=related add chain=input dst-port=546 protocol=udp add chain=input protocol=icmpv6 add chain=forward protocol=icmpv6 add chain=forward out-interface=ether1-gateway add action=drop chain=input add action=drop chain=forward
The first five rules ensure that only related or established connections can make it to my internal LAN. I allow UDP 546 for DHCPv6 connectivity and I’m allowing all ICMPv6 traffic to the router and internal devices. Finally, I allow all of my devices inside the network to talk to the internet and block the remainder of the unmatched traffic.
Configuring the router
It’s no secret that I’m a big fan of Mikrotik devices and I’ll guide you through the setup of IPv6 on the Mikrotik in this post. Before starting this step, ensure that your firewall is configured (see previous section).
On the Mikrotik, just add a simple DHCPv6 configuration. I’ll call mine ‘twc':
/ipv6 dhcp-client add add-default-route=yes interface=ether1-gateway pool-name=twc
After that, you should see an allocation pop up within a few seconds (run
ipv6 dhcp-client print):
# INTERFACE STATUS PREFIX EXPIRES-AFTER 0 ether1-gat... bound 2605:xxxx:xxxx:xxxx::/64 6d9h15m45s
Check that a new address pool was allocated by running
ipv6 pool print:
# NAME PREFIX PREFIX-LENGTH EXPIRES-AFTER 0 D twc 2605:xxxx:xxxx:xxxx::/64 64 6d9h13m33s
You can now assign that address pool to an interface. Be sure to assign the block to your LAN interface. In my case, that’s called lanbridge:
/ipv6 address add address=2605:xxxx:xxxx:xxxx:: from-pool=twc interface=lanbridge
By default, the Mikrotik device will now begin announcing that network allocation on your internal network. Some of your devices may already be picking up IPv6 addresses via SLAAC! Try accessing the Google or icanhazip IPv6 addresses from earlier in the post.
Checking a Linux machine for IPv6 connectivity is easy. Here’s an example from a Fedora 20 server I have at home:
$ ip -6 addr 2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000 inet6 2605:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/64 scope global mngtmpaddr dynamic valid_lft 2591998sec preferred_lft 604798sec inet6 2605:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/64 scope global deprecated mngtmpaddr dynamic valid_lft 1871064sec preferred_lft 0sec
If you only see an address that starts with fe80, that’s your link local address. It’s not an address that can be accessed from the internet.
If you run into some problems or your router can’t pull an allocation via DHCPv6, try the troubleshooting steps from the first section of this post.
Getting assistance from Time Warner is a real challenge. Everyone I’ve contacted via phone or Twitter has not been able to help and many of them don’t even know what IPv6 is. I was even told “we have plenty of regular IPv4 addresses left, don’t worry” when I asked for help. Even my unusual methods haven’t worked:
@TWC_Help I'll buy one of your engineers a six pack of beer if they can enable IPv6 for my internet connection. ;)
— Major Hayden (@majorhayden) August 9, 2014
My old SBG6580 that was issued by Time Warner wouldn’t ever do IPv6 reliably. I ended up buying a SB6121 and I was able to get IPv6 connectivity fairly easily. The SB6121 only does 172mb/sec down — I’ll be upgrading it if TWC MAXX shows up in San Antonio.