Klaus' Log

So 29 September 2019

How to expose an IPv6 port with MNet ISP and FritzBox 7430

Posted by Klaus Eisentraut in review   

I'm a DSL customer of the German ISP MNet with a FritzBox 7430 as router. MNet is not giving out proper IPv4 addresses to private customers anymore because of the IPv4 address exhaustion. Instead, they are using DSLite with dynamic prefixes.

MNet DSLite FritzBox 7430

Therefore, I'm behind a carrier-grade NAT and can't expose any IPv4 service from my home network into the internet. However, it should be possible to expose an IPv6 service.

I was struggling quite a lot when i actually tried this. My pitfalls were the following:

  • For testing, I opened a port with nc -6lvvp 1337 on my Arch Linux laptop. However, I had used the wrong netcat because I had the package extra/gnu-netcat installed. This one does not support IPv6, so I wasn't actually listening on IPv6 but only on IPv4. After replacing it with openbsd-netcat, this problem was solved.
  • IPv6 privacy extensions: It's useful to have the IPv6 privacy extensions enabled because otherwise you can get tracked by your globally unique IPv6 Interface ID (which is usually derived from your MAC address). I did this by adding net.ipv6.conf.all.use_tempaddr=2 to the file /etc/sysctl.d/40-ipv6.conf. However, NetworkManager seems to ignore the system-wide settings and uses its own ones instead. I had to configure the NetworkManager settings like the following: MNet NetworkManager IPv6 settings
    After configuring it like this, my laptop will use a dynamic IPv6 address for outgoing traffic while still being able to listen on the IPv6 address with a static interface id.
  • I configured my laptop as an "Exposed Host" in the FritzBox settings: MNet FritzBox 7430 Port Forwarding IPv6
  • After fixing all the problems above, I was able to open a service on my laptop on port 1337 and was able to successfully connect from a remote server over IPv6:
    [klaus@laptop-klaus ~]$ nc -6lvvp 1337
    Listening on [::] (family 10, port 1337)
    Connection from server.XXXX.de 50606 received!
    This is a test!
    [klaus@laptop-klaus ~]$

    On the server, I had to execute:

    [user@server ~]$ nc -6v 2001:a62:XXXX:XXXX:caff:28XX:XXXX:XXXX 1337
    Connection to 2001:a62:XXXX:XXXX:caff:28XX:XXXX:XXXX 1337 port [tcp/menandmice-dns] succeeded!
    This is a test!
    [user@server ~]$

Please be aware that exposing the service alone is usually not enough. MNet assigns a non-static /56 IPv6 network to non-business customers, therefore the first 56 bits of your IPv6 address will change every day. You usually want to use an additional dynamic DNS service, too. The FritzBox 7430 can do this for you, but it was not necessary for what I tried to achieve and therefore is not documented here.