Tech —

Airport Extreme update breaks IPv6 tunnels, but here’s how to fix it

The fix shouldn't be intimidating for those committed to their IPv6 tunnels.

Apple recently released firmware version 7.6.3 for its line of Airport Extreme Wi-Fi base stations. Assuming the release notes are accurate, the update barely warrants a bump after the second decimal point. The update adds the ability to extend a guest network or add a WPS-capable Wi-Fi printer, and it improves "international support." However, it does something else, too: it breaks IPv6 tunnels. But don't panic—this is easily fixed by changing a setting in the Airport Utility.

How Apple handles IPv6

The Airport Extreme base stations (AEBS) have a long and checkered past when it comes to supporting IPv6, which is the next version of the Internet Protocol that we now need more and more of as the world runs out of IP(v4) addresses.

Recent versions of the AEBS can provide IPv6 connectivity to the devices connected to them in four different ways: with and without tunnels, and automatically versus configured manually. Ideally, ISPs would just provide IPv6 connectivity the same way they provide regular IPv4 service. But most ISPs aren't quite there yet. As such, those of us who want to be on the bleeding edge, Internet Protocol-wise, have to put our IPv6 packets inside IPv4 packets in order to skip over the IPv4-only part of the network. Such a connection is called a tunnel.

IPv6-in-IPv4 tunneling.
IPv6-in-IPv4 tunneling.

There are two main ways to tunnel. You can let the AEBS handle everything automatically, or you can configure it to send packets to a tunnel broker—which is basically an IPv6 ISP. The automatic tunneling is called 6to4. Unfortunately, 6to4 doesn't always work reliably, so OS X—and most other operating systems—try to avoid using it. But despite that, if you have 6to4 enabled on your AEBS, don't worry—the 7.6.3 update doesn't break it.

The update does, however, break manually configured tunnels. I use one of those toward Hurricane Electric's free tunnelbroker.net service, and indeed, after the upgrade my home network was IPv4-only. The AEBS reported an IPv6 tunnel error. Unfortunately, the error message in the Airport Utility didn't go into any detail about the issue. Inspection with the ifconfig command in the Terminal showed that the AEBS wasn't giving out IPv6 addresses.

Getting your IPv6 back

According to Jeroen Massar, one of the operators of the free SixXS tunnel broker service, updated AEBSs send back error messages in response to the ping packets sent by the tunnel broker to determine whether the tunnel is operational.

One way to return a tunnel to working order is to downgrade to version 7.6.1 of the Airport Extreme firmware. With the latest version of the Airport Utility (6.2, also released last week) this is done by clicking on the AEBS, then on "edit," and then hovering the mouse pointer over the version number while holding the option key. This turns the version number into a drop-down menu with access to several older firmware versions. Be careful, though: once you click on a firmware version, the process starts, and there are no opportunities to stop it.

However, there's an easier way to get your tunnel back to working order. In version 5.6 and earlier of the Airport Utility, you need to enter four items to set up a tunnel:

  • The remote IPv4 address
  • The WAN IPv6 address
  • The IPv6 default route
  • The LAN IPv6 address

The AEBS would then assume that the prefix length used on your LAN is 64, allowing for 264 addresses. In theory, a different prefix length is possible, but in practice that doesn't work very well, so this is a pretty safe assumption. But you know what they say about assuming, so in the new and improved Airport Utility, there's a new field when you go to Internet > Internet Options to find the IPv6 tunnel settings.

The new field is "IPv6 delegated prefix"—in other words, the range of IPv6 addresses that the tunnel broker has given you for use on your LAN. (Unlike with IPv4, these are bona fide public addresses, so enable the IPv6 firewall through "block incoming IPv6 connections" as desired in Network > Network Options.)

If your tunnel broker gave you a prefix in CIDR/prefix notation ending in /64, just enter that prefix in the box, click update, drink a beverage of your choice while the AEBS reboots, and all will be right with the world.

I can't test this myself because I have a /64 prefix, but I suspect that if your prefix length is not /64, things will not work right. If you have a prefix longer than /64 (i.e., 65 or higher), go complain to your tunnel broker. If your prefix is shorter, for instance, a /56 or /48, you may want to change it to /64 for consumption by the AEBS. This way, you're only using a small part of the IPv6 addresses available to you, but otherwise entering a longer prefix is not problematic.

Apparently the Airport Utility doesn't check whether the AEBS' LAN IPv6 address falls within the specified prefix, but things will probably work better if it does. Also, the IPv6 WAN address displayed below these settings is incorrect, but that doesn't seem to get in the way of anything. You can check whether your IPv6 connectivity works at test-ipv6.com.

Listing image by Sean MacEntee

Channel Ars Technica