Hi @Pippi--Grunding, like @Gulleucheusch41 says, the firmware in the Internet Box products does not support that feature, so I doubt that what you ask can be done with these boxes. I am afraid you’ll need to use the extenders that Swisscom provides in order to do what you ask for. Bye, Luca
@SkyBeam wrote: No. Unfortunately a link MTU and local MTU/MSS of 1480 does NOT work for me on swisscom.ch web-pages. Still timing out (not getting any response at all). bizarre. Now it also has stopped working for me. Go figure. Looks like we're still stuck with the issue. Time to put my machine's MTU back at 1472. I wonder why it was working before... L
Good news! I have just tried again by setting the MTU back to the default of 1500, and this time things seem to be working fine! @SkyBeam can you confirm on your side? Maybe the firewall rules set up by IPv6@swisscom needed some tweaking, and now seem to be working fine. I wonder if the issues that some lamented on the SBB/CFF/FFS website are linked to the same problem. I read in other threads that this was a longtime outstanding issue. Maybe the railroads are in the same data center and are suffering from the same too restrictive rules on ICMPv6? Can anyone comment on SBB/CFF/FFS? Thanks all for the great teamwork! 👍🏻 🙏🏻 And Merry Christmas to you all! 🎄 🎁 Ciao, Luca
IPv6@swisscom wrote: A last update on this thread from my side: The firewall configuration was corrected last night, so the problem should no longer be there, even for CPEs that are configured with improper MTU settings. the “problem“ is never there for “for CPEs“, in that their only fault is not to announce the default MTU of 1472 which is what the Swisscom-provided CPEs instead do. But the CPEs are NOT affected by the issue in that they are not going to be acting like clients in any way and won't care nor notice of any changes of firewall configurations. On the other hand, LAN clients who receive their IPv6 via radvd would NOT be affected by the issue if radvd announces an MTU of 1472. Which my Zyxel CPE does NOT do, and that is why I either manually force the MTU on my LAN card, or I am affected by the issue. In short, your last sentence should better be phrased like this: [...] so the problem should no longer be there, even for those IPv6 clients that are configured with MTU settings above 1472, which is the Swisscom suggested value for the current 6RD/IPv6 setup. Curious to see where the issue is, now! Many thanks for your continuous engagement on this issue! Bye, Luca
I am having the same experience as @SkyBeam. If I keep the MTU of my machine at 1472 or lower, things work. If I set it any higher, then swisscom.ch/.com does not reply. Apparently the changes implemented by IPv6@swisscom and his team do not seem to be having the expected result. Thanks, Luca
I just have one short final reflection on this issue, which came out by re-reading again all the thread and linked messages. IPv6@swisscom wrote: Now, for a problem to occur, two things must happen: The Router has to incorrectly advertise a too large MTU to the client The Firewall in front of the web server has to drop inbound Packet Too Big messages [...] That's why it worked when @lucaberta changed the link MTU directly on the end system. I've asked the firewall in front of the www.swisscom.com web server to be corrected. Rest assured that the IPv6 backbone of Swisscom does not filter ICMPv6 Packet Too Big messages. Eric would be telling me off if we did that, and rightfully so 🙂 clearly point #2 has been addressed correctly by IPv6@swisscom and I look forward to the changes being implemented on the firewalls protecting the webservers. Yet, point #1 falls on to each user's lap, and my reflection follows. I have used the standard Swisscom-provided CPE for years, since 2014, and it was an InternetBox Plus, which worked quite well also as a 6RD tunnel endpoint for my always-successful connection to the IPv4 and IPv6 internet. I never had a single problem with the swisscom.ch/.com website, in spite of the issue mentioned at point #2, simply because the radvd daemon running on the ISP-provided CPE was correctly configured to announce an MTU of 1472. This broke when, two weeks ago, I decided to change CPE and bought a new Zyxel XMG3927-B50A router, which is listed on the BBCS list as an approved CPE by Swisscom for their wholesale service: E_BBCS_Supporting-Document_Proved-Equipment (see page 4 almost at the bottom, where the Zyxel XMG3927-B50A is listed) I have documented the setup of the box which was quite easy for someone as geeky as me, including the DHCP option 60 and 6RD configuration, in this other thread on this community: Report on good VDSL2 experience with Zyxel XMG3927... 
What I was missing is the fact that the advertised MTU on the Zyxel's implementation of radvd *CANNOT* be changed from the GUI, and most likely it defaults to the LAN MTU since I cannot find any indication of an MTU advertisement done by the Zyxel radvd implementation: So in the end it was the router change, and the inability to announce a smaller MTU by the Zyxel router, that created this whole situation. Had I stayed with the Swisscom-provided CPE, such as the new IB3, I would never have had the issue. And the Swisscom firewalls would NOT have been fixed, like they should... 😜 👍🏻 💪🏻 Thanks everyone, this was a most enjoyable group troubleshooting experience, and I am convinced that we all gained a lot from it, and many users will too as they will access the IPv6 versions of the Swisscom website, without knowing what happened behind the scene! Ciao, Luca
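The two conditions quoted in the post above (a client MTU above what the 6RD path carries, and a firewall that drops inbound Packet Too Big), as an added example that is not part of the original thread: a toy Python model of Path MTU Discovery for one large server-to-client TCP segment. The 1472-byte tunnel MTU comes from the thread; the 1500-byte server link and all function names are assumptions made for illustration.

```python
"""Toy model of IPv6 Path MTU Discovery across a 6RD tunnel (constructed example)."""

IPV6_HDR = 40        # fixed IPv6 header, bytes
TCP_HDR = 20         # TCP header without options, bytes
TUNNEL_MTU = 1472    # value the thread gives for the Swisscom 6RD path
SERVER_MTU = 1500    # assumption: the web server sits on plain Ethernet


def fetch_page(client_mtu, firewall_passes_ptb, max_tries=4):
    """Simulate one full-size segment from server to client.

    Returns (delivered, log). client_mtu is what the LAN client learned from
    the router advertisement or had configured by hand.
    """
    log = []
    # Each side advertises MSS = link MTU - IPv6 header - TCP header;
    # the sender never exceeds the smaller of the two.
    mss = min(client_mtu, SERVER_MTU) - IPV6_HDR - TCP_HDR
    path_mtu = SERVER_MTU  # server's cached estimate of the path MTU
    for attempt in range(1, max_tries + 1):
        packet = min(mss + IPV6_HDR + TCP_HDR, path_mtu)
        if packet <= TUNNEL_MTU:
            log.append(f"try {attempt}: {packet} B fits the tunnel, delivered")
            return True, log
        # IPv6 routers never fragment in transit: the tunnel ingress drops
        # the packet and reports its MTU in an ICMPv6 type 2 message.
        log.append(f"try {attempt}: {packet} B > {TUNNEL_MTU} B, "
                   "dropped, Packet Too Big sent to server")
        if firewall_passes_ptb:
            path_mtu = TUNNEL_MTU
            log.append(f"  server lowers its path MTU to {path_mtu} B")
        else:
            log.append("  firewall discards the Packet Too Big, "
                       "server retransmits at the same size")
    return False, log


def scenario_table():
    """All four combinations of the two conditions named in the post."""
    return {
        (mtu, passes): fetch_page(mtu, passes)[0]
        for mtu in (1500, 1472)
        for passes in (True, False)
    }


if __name__ == "__main__":
    for (mtu, passes), ok in scenario_table().items():
        state = "works" if ok else "times out"
        print(f"client MTU {mtu}, firewall passes PTB={passes}: {state}")
    print("\n".join(fetch_page(1500, False)[1]))
```

Only the combination of a client MTU above 1472 and a firewall that discards Packet Too Big fails, which is why lowering the MTU on the end system hid the firewall fault.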
Thanks also to you @c.jaquier together with @SkyBeam, you have given even more information on different scenarios which are still very common, like using an IPv6-in-IPv4 tunnel like that of Hurricane Electric, which I too use in some specific cases, after the sad shutdown of SixXS, which has been working great for many years. For those who are curious, here is the website: https://www.tunnelbroker.net This thread has become a real gold mine of IPv6-related information, I am very happy to have been the spark, and am even happier to have found great kindling in other IPv6 aficionados such as yourselves. And like IPv6@swisscom said, hey, we are part of a 0.1% of the people having the issue, what an elite! 😜 😄 🤣 Looking forward to seeing the fixes implemented soon on the Swisscom firewalls. Ciao, Luca
IPv6@swisscom wrote: Let me give you some more details on this problem. It actually is a consequence of two mistakes. [...] I've asked the firewall in front of the www.swisscom.com web server to be corrected. Rest assured that the IPv6 backbone of Swisscom does not filter ICMPv6 Packet Too Big messages. Eric would be telling me off if we did that, and rightfully so 🙂 thanks so much for looking into the issue and providing a detailed explanation from the Swisscom side! I will email Éric right away and tell him to look for the updates to this thread, I am sure he will be happy to see that there has been quite a rapid development on this issue! And since he has been an IPv6 pioneer since day 1, I am sure he will be proud of seeing the IPv6 team at Swisscom acknowledging the issue and implementing a solution for it. Back in my Cisco days, as Product Manager in EMEA for the PIX and later ASA firewall, asking the folks in San Jose to implement IPv6 was a very challenging task, let me tell you that! It's been more than 15 years ago, and now we are reaping the benefits of IPv6, finally! Unless some firewalls somewhere in some data centers are kept a little too “tight“, that is! 😜 Again, thanks for looking into this, much appreciated. 👍🏻 🙏🏻 Ciao, Luca
@lucaberta wrote: Meanwhile, I have manually configured the MTU to 1420 on my macOS machine, and I can now access the IPv6 Swisscom website fine. I will experiment with other settings too. just tried with MTU of 1472, and it worked too. Anything above it doesn't work, like it was mentioned before. L
Thanks @LeylaG! I have involved a longtime friend of mine who has been at Cisco for more than twice the years I have been in that company (which is still a good 11 years for me!) and is an IPv6 expert, and he believes that the discussion with @SkyBeam is correct. These are the remarks from my friend Éric, who clearly has read the thread... 👍🏻 Interesting and educated thread BTW. I suspect that it is a MTU issue 😞 either inbound to the server or outbound from the server. You can put your local MTU (on your device) to 1280 and see what happens... Of course, if this is inbound to you, then you would need to set your TCP MSS to 1240 or so... ANYWAY, the issue should be solved by Swisscom, I can forward your email to the Swiss IPv6 Council and/or some Swisscom engineers (but unsure of the result of course) Let's wait for an analysis from the higher level support engineers, and since this is a very easy to repeat issue, only if we don't get the appropriate level of response, we might escalate things outside of the “normal“ chain of command... 😜 Meanwhile, I can access the IPv6 version of the website after having manually lowered the MTU of my Mac's interface to 1420. Bye, Luca
Thanks @SkyBeam for your additional considerations. Yes, the website IPv6 test is a whole different issue compared to what I have mentioned vis-à-vis the swisscom.ch website. It might very well be that some ICMPv6 messages are dropped elsewhere. Surely NOT on my Zyxel box, as I have created explicit rules on the different interfaces to allow such ICMPv6 packets on the local LAN. Rules on the VDSL interface would not matter as the frames would still be encapsulated in the 6RD tunnel. Like you say, the issues are different and could very well be both coming from the Swisscom IPv6 network, or maybe from the firewalls in front of the web servers, at least for what concerns the issue with MTU. Meanwhile, I have manually configured the MTU to 1420 on my macOS machine, and I can now access the IPv6 Swisscom website fine. I will experiment with other settings too. I was not even aware that the MTU setting could be manually configured on macOS via the GUI, I have done it from the CLI first, as an experiment! This is the easiest way for me to fix things, as the radvd configuration is fixed on my Zyxel router. I should be running an OPNsense or pfSense box someday, I just don't have time to configure it properly right now! And yes, I have done a few tests myself and most likely the tighter configs for ICMPv6 only seem to affect the swisscom.ch website, so maybe it's a local configuration on that load balancing cluster. Ciao, Luca
@LeylaG wrote: According to our specialist, after an analysis with multiple tests, no IPV6 problems are visible on the swisscom.ch website. I am sorry not being able to provide you more information. this is NOT your fault @LeylaG, it's an issue with the security architecture design which is flawed, as clearly demonstrated by @SkyBeam's excellent analysis. And it's not an issue with the website, rather with the way the Swisscom IPv6 backbone deals with important messages such as ICMPv6. If Swisscom is not willing to implement the best practices on ICMPv6 messages and firewalling, nicely described in RFC4890, then the issue is much higher than the support staff. This sucks, and I am not sure how it could be further escalated, since Swisscom's IPv6 backbone is NOT correctly implementing best practices which will make the network run better. And that's really too bad. 😤 😡 🤬 Bye, Luca
@SkyBeam wrote: In regards to why Swisscom is blocking ICMP all over... I don't know. I guess some "smart" security guy was living in the age where "ping of death" was a real thing and thought "why do we actually need ICMP? We just open TCP port 443, that's enough as the service just listen on this port". Well security engineers are usually not network engineers and I am sure there are many wrongly configured gateways, routers and hosts out there. thanks @SkyBeam, I very much appreciate your comments! Now things have finally clicked on why my score on https://ipv6-test.com could never go above 18/20! Except that it is **NOT** my router or firewall. It's my ISP that's doing it!!! 😤 😡 🤬 I really wonder what can be done to fix this very annoying situation with Swisscom and their faulty IPv6 implementation. I will ping my longtime friend Éric at Cisco, he is an IPv6 and security extraordinaire and author of multiple RFCs, and I should be getting some good comments from him. Would any email thread on Swinog help too? Bye, Luca
Thanks @SkyBeam for shedding a little light on this issue. It looks like changing the MTU down to 1472 did not change things for me. I also tried 1460 in case of additional padding from other (which ones?) tunnels, but no luck, still. Also, I am using a Zyxel router and I don't believe I can change radvd's configuration to advertise a smaller MTU to the clients on the LAN, I am afraid. The question now is, why would Swisscom block important ICMPv6 frames altogether, when it's best practice to allow them? There is an RFC which gives best practices on the topic: https://tools.ietf.org/html/rfc4890 "On the other hand, most ICMPv6 error messages traveling end-to-end or any-to-end are essential to the establishment and maintenance of communications. These messages must be passed through firewalls and might also be sent to and from firewalls to assist with establishment and maintenance of communications. For example, the Packet Too Big error message is needed to determine the MTU along a path both when a communication session is established initially and later if the path is rerouted during the session." I wonder if all these issues I am seeing would simply be solved by implementing the correct best practices at Swisscom, rather than zapping all the ICMPv6 frames altogether... Any further comment is much appreciated. Ciao, Luca
Ah, good @Zellou, you too are a power user, then! Yes, the darned DHCP server in the Internet-Box is really clamped down in the features... The advantage of using a physical ethernet cable is the loss of carrier once the cable is disconnected, and that forces a new DHCP negotiation in most cases. What you say about the IB preventing you from changing its IP address because you used a static IP address kind of makes sense. Because most people will be completely baffled by the sudden loss of connectivity, without realizing that they have created two separate networks without realizing it! 😄 🤣 Sometimes you need to explain things also for the non-power users, you see... 😜 Hope you sorted everything out and that the IB3 is now on the correct subnet and IP address! Ciao, Luca
Adding to what @Biorn1950 correctly says, remember that when you change the IP address and go to a completely different subnet (from 192.168.1.x to 10.10.10.x) the configuration of the DHCP server also changes on the router, and accordingly your computer's IP address will need to be reassigned by the router once the new configuration will have been activated. It is quicker to do these changes over an ethernet cable connected to one of the yellow switch ports. Unplug, wait a few seconds, then plug in again the ethernet cable, and see if your PC gets a new IP address in the 10.10.10.x subnet. If so, you will know that the configuration change went into effect. Let us know how it goes! 👍🏻 Ciao, Luca
I wanted to share an experience coming from an idea sparked by user @Gulleucheusch41 who did something similar just today, and we exchanged ideas in this thread: Using internetbox2 as WLAN-Box It turned out that my old Internet-Box Plus (and not an IB2 like I mistakenly wrote) can also be used as a wifi access point, with some careful changes in the router configuration. First of all, save yourself time and DO NOT DO A FACTORY RESET of the box, like I did. Because if you do, the IB will need to be re-provisioned again by Swisscom, and you will need to connect it to the ADSL/VDSL line in order to download a configuration from our ISP. Wasted a lot of time doing this, but hey, it was a test! You need to reconfigure the box from its web interface, available either at http://internetbox.home or the old IP address used by the box as a router. You might want to use an ethernet cable to avoid any issue with wifi, should you have the same wifi setting on both the new and old routers, like it was my case (of course!). REMEMBER: use one of the yellow switched ports to connect to your LAN! Since I reprovisioned the box from Swisscom, I also needed to create a new admin password, which is easily done from the login page at: http://192.168.1.1/#login once the box has completely booted, in case it has been restored to factory settings, or kept to the default IP address. Then, you will need to change the IP address of the box to a new address in the same subnet where your new router is. Use a manually assigned IP address, as shown here: Then, to avoid huge issues on your LAN, you MUST make sure that you disable the DHCP server on the old IB box, like so: The LED will keep flashing red, because the box will not have an ADSL/VDSL connection, but that doesn't matter, and the access point works great. 
As a matter of fact, most of the features in the firmware work well, including the network topology and the wifi details for those stations which are using the IB to connect to wifi: As you can see, IPv6 also works well. The good news is that I now have a free Wi-Fi 5 device I can use. Too bad it doesn't support VLANs! Hopefully this writeup is useful to some, who can benefit from an old router, instead of trashing it or giving it away. Thanks again to @Gulleucheusch41 for the inspiration! Ciao, Luca
Hi everyone, Over the last two/three days, I have been noticing having connection issues with the swisscom.ch website via IPv6, which is my default as I use a 6RD connection from my router, connected to the internet via a Swisscom VDSL2 line. This is independent of the device and OS, since I am experiencing the issue on macOS, Windows, iOS and iPadOS. My macOS laptop with Safari shows this error when trying to connect: If I switch off wifi on my iPad, and pass via the 4G network, the page opens fine, as the 4G connection is only IPv4 as confirmed by the excellent test website: https://ipv6-test.com/ On the other hand, this website https://community.swisscom.ch/ is not affected by the issue, and I can access it regularly over IPv6. Am I the only one experiencing these connection issues with the swisscom.ch website? Many thanks, Luca
Great news @Gulleucheusch41, congrats on reviving the old IB2 box! 😉 The one thing I would suggest you to check is that the LAN IP address on the IB2 does NOT conflict with the one from the new router, as the defaults might overlap, and you would NOT be able to access the web interface to configure wifi on the IB2 box. The DHCP server on the IB2 must also be switched off, as having 2 different DHCP servers on the same LAN is asking for troubles... 😂 🤣 May I ask you what color the LED is now? If it's red, then it represents the status of the WAN link. If it's white, then the IB2 checks to see if there is internet connectivity, which there will be via the new default gateway which is the new router. These are just educated guesses of mine, of course! Anyway, good job! 👍🏻 And thanks for sharing and giving me a new idea! 🙏🏻 Ciao, Luca
You have to have an ethernet port from the new router connected to one of the switched ports of the IB2, first of all. Nothing on the WAN port, especially in parallel with another working router! The LED might remain red, I don't know the logic of that LED, but if it is linked to the status of the WAN port, it will remain red as there will be NO connection on the WAN port. Like I said in the message I wrote while you were writing yours, I should be able to test this later today, and will let you know. Bye, Luca
Hi @Gulleucheusch41, You are raising a very interesting point for me too, as I have just retired my old but still working IB2. I have seen this work with other routers, so I will definitely try it out myself. Like @DomiP says, I am sure that you have to have a wired connection between your real router, and one of the switch ports on the old IB2. What remains to be seen is if the IB2 would correctly relay the IP packets received from the switch onto the wifi port. I don't see why it wouldn't work, and if I can find a little time later today, I will go in the cellar and take the IB2 out of the box where I put it just a few days ago, reset it, reconfigure it, and test it. I will report back to you on my testing. Thanks for the great idea! 👍🏻 🙏🏻 Bye, Luca
I believe that the OP is asking whether it is possible to repurpose an old Internet-box 2 and use it just as a wireless access point, and not as a router. It could be interesting for me too, as I have just retired my IB2 and replaced it with a brand new Zyxel XMG3927-B50A, as written in this forum already. Bye, Luca
Thanks to you @Tux0ne for providing good insights on the 6RD configuration. In spite of my little knowledge of German, your article proved quite helpful, and so I decided to share my experience with others so they could use this as a reference, hopefully! Vielen Dank! Luca
Hello everyone! Luca here, with a report on the good experience I am having since this morning, as I swapped my old Internet-Box 2 replacing it with a brand new Zyxel XMG3927-B50A. I have enough experience with networking, TCP/IP and configuration of devices, and I wanted a device which would support VLAN, something the Internet-Box 3 doesn't do, so I decided to go the 3rd party way and got the Zyxel. The setup was quite fast, and the DHCP option 60 was the only thing that needed to be activated on the WAN/VDSL2 port. The content was already populated, so I simply needed to check the box: The connection to the VDSL2 network I have here worked immediately, and I have a full 120M down and 40M up, which is slightly faster than what I had with the IB2. The other issue I had was that of IPv6 support. The default setting for the 6rd tunnel configuration taken from DHCPC did not work, and browsing the internet here and there I found some very interesting documents related to 6RD and the way Swisscom uses it, which was a good technical reading which helped me to find the correct parameters to manually configure 6RD. In order to do so, I had to change the "IPv4/IPv6 Dual Stack“ which is the default setting to “IPv4 Only“: Changing this setting allows the 6RD configuration to show up on the right side of the configuration panel, and the correct configuration parameters are those shown here: 6RD needs the Border Relay IPv4 Address in order to work, and the current configuration for the Swisscom network is 18.104.22.168 The IPv4 Mask Length is 0, which means that the whole IPv4 address (32 bits) is mapped in the IPv6 address. The Service Provider IPv6 Prefix is used as the main supernet in which 6RD maps the IPv4 32 bits plus the local interface addresses. 
More information on IPv6, 6RD and some details of the Swisscom configuration can be found in these great articles: https://www.swinog.ch/wp-content/uploads/2018/07/01_Martin_Gysi.pdf https://www.tuxone.ch/2012/06/pfsense-21-mit-swisscom-access.html https://www.netsniffing.ch/download/NetCloud_IPv6-Launch-Day_Discovering-IPv6-with-Wireshark.pdf Hopefully this information can be useful to others. So far the experience with the Zyxel XMG3927-B50A is excellent. Any questions or comments, feel free to write! Ciao a tutti! Luca
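The 6RD address mapping described in the post above (Service Provider IPv6 Prefix followed by the IPv4 bits left after the IPv4 Mask Length), as an added example that is not part of the original post: it follows the RFC 5969 mapping in both directions. The prefix 2001:db8::/32 and the IPv4 addresses are documentation placeholders, not Swisscom's values, and the function names are hypothetical.

```python
"""6RD (RFC 5969) prefix mapping in both directions (constructed example)."""
import ipaddress


def _v4_bits(ipv4_mask_len):
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("IPv4 mask length must be between 0 and 32")
    # Number of low-order IPv4 bits that are embedded in the IPv6 prefix.
    return 32 - ipv4_mask_len


def sixrd_delegated_prefix(sp_prefix, ce_ipv4, ipv4_mask_len=0):
    """IPv6 prefix a CPE derives from its WAN IPv4 address."""
    sp = ipaddress.IPv6Network(sp_prefix)
    bits = _v4_bits(ipv4_mask_len)
    plen = sp.prefixlen + bits
    if plen > 64:
        raise ValueError(f"/{plen} leaves no room for a /64 LAN subnet")
    suffix = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << bits) - 1)
    value = int(sp.network_address) | (suffix << (128 - plen))
    return ipaddress.IPv6Network((value, plen))


def sixrd_tunnel_endpoint(sp_prefix, ipv6_addr, ipv4_mask_len=0,
                          v4_common_prefix="0.0.0.0"):
    """IPv4 address a border relay tunnels to for a given IPv6 destination.

    v4_common_prefix supplies the leading IPv4 bits that were omitted from
    the IPv6 address when ipv4_mask_len is greater than 0.
    """
    sp = ipaddress.IPv6Network(sp_prefix)
    addr = ipaddress.IPv6Address(ipv6_addr)
    if addr not in sp:
        raise ValueError(f"{addr} is outside the 6RD prefix {sp}")
    bits = _v4_bits(ipv4_mask_len)
    shift = 128 - sp.prefixlen - bits
    suffix = (int(addr) >> shift) & ((1 << bits) - 1)
    # Keep only the shared leading bits of the common prefix.
    high = (int(ipaddress.IPv4Address(v4_common_prefix)) >> bits) << bits
    return ipaddress.IPv4Address(high | suffix)


if __name__ == "__main__":
    # Mask length 0, as in the post: all 32 IPv4 bits are embedded.
    print(sixrd_delegated_prefix("2001:db8::/32", "192.0.2.1"))
    print(sixrd_tunnel_endpoint("2001:db8::/32", "2001:db8:c000:201::1"))
    # Mask length 8: the shared first octet (10.) is left out of the prefix.
    print(sixrd_delegated_prefix("2001:db8::/32", "10.1.2.3", 8))
```

With a mask length of 0 the delegated prefix length is simply the provider prefix length plus 32, so a shorter provider prefix leaves more bits for local subnets.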
An Italian living in the French-speaking part of Switzerland