Home internet service IPv6 traffic is all filtered even when using a Netgear LTE router. No port forwarding. Plz fix!

  • 22 January 2021
  • 57 replies
  • 20436 views

Userlevel 4
Badge

My background is in IT / networking and I started using Tmo Home Internet for the past 2 weeks. The router being shipped today to customers is missing very important features for power users - it actually broke my ability to remotely access my home via direct-connection using public IPv6 and IPv4 that I used on comcast. 

Contacting support for help is pretty much useless, although I have raised a few tickets regarding the major issues affecting me since switching ISPs, namely:

  • Unable to ping my IPv6 WAN address given by T-mobile (to remotely monitor my internet connection)
  • Unable to remotely access my home via my VPN server which listens to connections on the WAN IPv6 address (again, T-mobile is filtering ALL my incoming traffic - comcast, att fiber, other major players in the market don’t do this filtering to endpoints except for spam port 25)
  • Connecting to a VPN server hosted on the internet is unreliable and unstable.
  • T-mobile does not offer IPv6 Prefix Delegation (comcast has it, att fiber does too)

I’ve spent the majority of my time trying to figure out ways to make this work. Most folks out there are blaming the Nokia router firmware which is really locked down by T-mobile, so being the IT engineer I pretend to be I purchased a Netgear LAX20 which is T-mobile and AT&T certified - I swapped SIMs for my Home internet service and tested both.

 

Even with a router that I fully control, with firewall disabled and allowing WAN icmp/ping responses T-mobile seems to continue to filter traffic (even pings!) incoming towards my service equipment… to make a fair comparison I got an AT&T SIM card and repeated the tests. On AT&T I can ping and access my device remotely when it is on the AT&T LTE network on the same Netgear LAX20. 

 

Decided to post here to vent and share some findings, as this is somewhat frustrating that other LTE carriers that do not offer ‘home internet’ service do allow you to control and manage your network as you see fit while the new “home internet” service does not give you any control at all. Those users who wish to be able to remotely manage their smart home should perhaps stay away for now until T-mobile decides to do the right thing which is for “home internet” service subscribers to have different security network rules than cellphones on the network.


T-mobile please fix your business model for this new service, starting with adding the ability to request zero network filtering for home internet subscribers and the ability to get IPv6 prefix delegated.


57 replies

Userlevel 4
Badge +1

My background is in IT / networking and I started using Tmo Home Internet for the past 2 weeks. The router being shipped today to customers is missing very important features for power users - it actually broke my ability to remotely access my home via direct-connection using public IPv6 and IPv4 that I used on comcast. 

Contacting support for help is pretty much useless, although I have raised a few tickets regarding the major issues affecting me since switching ISPs, namely:

  • Unable to ping my IPv6 WAN address given by T-mobile (to remotely monitor my internet connection)
  • Unable to remotely access my home via my VPN server which listens to connections on the WAN IPv6 address (again, T-mobile is filtering ALL my incoming traffic - comcast, att fiber, other major players in the market don’t do this filtering to endpoints except for spam port 25)
  • Connecting to a VPN server hosted on the internet is unreliable and unstable.
  • T-mobile does not offer IPv6 Prefix Delegation (comcast has it, att fiber does too)

I’ve spent the majority of my time trying to figure out ways to make this work. Most folks out there are blaming the Nokia router firmware which is really locked down by T-mobile, so being the IT engineer I pretend to be I purchased a Netgear LAX20 which is T-mobile and AT&T certified - I swapped SIMs for my Home internet service and tested both.

 

Even with a router that I fully control, with firewall disabled and allowing WAN icmp/ping responses T-mobile seems to continue to filter traffic (even pings!) incoming towards my service equipment… to make a fair comparison I got an AT&T SIM card and repeated the tests. On AT&T I can ping and access my device remotely when it is on the AT&T LTE network on the same Netgear LAX20. 

 

Decided to post here to vent and share some findings, as this is somewhat frustrating that other LTE carriers that do not offer ‘home internet’ service do allow you to control and manage your network as you see fit while the new “home internet” service does not give you any control at all. Those users who wish to be able to remotely manage their smart home should perhaps stay away for now until T-mobile decides to do the right thing which is for “home internet” service subscribers to have different security network rules than cellphones on the network.


T-mobile please fix your business model for this new service, starting with adding the ability to request zero network filtering for home internet subscribers and the ability to get IPv6 prefix delegated.

Would be really great if you post this over in the Reddit r/tmobileisp forum.  Lots of people there working on the same issue, appears to be their use of CG-NAT.  Agree?

Userlevel 4
Badge

x

Would be really great if you post this over in the Reddit r/tmobileisp forum.  Lots of people there working on the same issue, appears to be their use of CG-NAT.  Agree?


Agree. I’m active there - posted here as I don’t think T-mobile suits care about reddit and I may get someone at actually T-mobile to help raise the awareness of these issues.

 

Here are some of my discussions in r/tmobileisp in:re T-mobile home internet.

 

Netgear LAX20 with ATT SIM card = IPv6 can be pinged and ports forwarded. T-mobile should fix their home internet and remove filtering on IPv6

https://www.reddit.com/r/tmobileisp/comments/l2iipa/netgear_lax20_with_att_sim_card_ipv6_can_be/

 

Unstable or "hung" SSH sessions when using the Nokia?

https://www.reddit.com/r/tmobileisp/comments/l11elv/unstable_or_hung_ssh_sessions_when_using_the_nokia/

 

Xbox One NAT / UPnP results for the Nokia modem for those that asked.

https://www.reddit.com/r/tmobileisp/comments/kxlo2m/xbox_one_nat_upnp_results_for_the_nokia_modem_for/

 

I also posted this issue in DSLreports for those oldtimers like me that remember that site. https://www.dslreports.com/forum/r33010714-Connectivity-Incoming-traffic-filtering-by-Tmo-Home-internet-no-IPv6-DN

Userlevel 5
Badge +5

Agreed... still on the older white box, and it is doubly frustrating because we have access to  the normal features (dmz, forwarding, firewall, etc) but none of the features work.

Can see their v6 details... set up my Asus to link up and try to run v6 instead of v4.  No joy.... appears to work at first, but doesn't.

We are forced through a 464 tunnel.  Any traces run show no nothing once you leave the LAN until you exit that tunnel on the other side.

Even setting up OVPN in the router gets knackered up.

No bridge mode on their devices... no v6 support on the LAN side... no proper way to manage port traversal…

Just so many ways they are missing the boat here.

Don't really need all of that to work right now (though it does suck not having remote access to a couple things)... but when I get around to doing multiplayer on the consoles again it WILL become an issue.  May force me to switch back to a wired service again.

Userlevel 2

T-Mobile come on its been months now. Why do we still not have basic things like prefix delegation and inbound ipv6. This would let us use a real router with things like a guest network, and fix a lot of online gaming and vpn issues.

Userlevel 5
Badge +5

Great report. Does this issue prevent the ability to remotely access Wyze cameras, ring alarm system, Ooma phone and video doorbells.  Thanks


yes.  any unsolicited inbound connection will get blocked.  basically, if an app or device requires a port to be opened/forwarded to work properly, it can knacker it up.  peer to peer games/applications, remote desktops, inbound VPN’s… all manner of things are getting hosed because they are forcing us to use a 464XLAT approach instead of a more proper dual stack--or even full IPv6.

Jumping on this bandwagon too.  As the OP, I made my living for over 40 years in IT and most lately HFC carrier ISP network monitoring.  The Nokia gateway needs to act as an Ethernet bridge (just like cable modems do) so the public IP is handed to my router instead of the gateway and my router can handle VPN, port forwarding and other public facing services.  Port forwarding at the Nokia gateway would be nice, but only after it can reliably provide WiFi and NAT services without overheating and thus affecting ability to connect to the 5G network with more than 1Mbps.

Userlevel 1
Badge

Great report. Does this issue prevent the ability to remotely access Wyze cameras, ring alarm system, Ooma phone and video doorbells.  Thanks

Userlevel 1

Wow, That’s really bad.

I already signed up for TMO Home Internet, but the routers are backordered until March.

Now I am reading so many bad things about the service, I guess I should cancel the order. Too good to be true to think I could get 5G speeds for $50/month.

Userlevel 2
Badge

I’ve had nothing but problems with T-Mobile and the new cylindrical router since I got it.  It works on  most websites but for gaming services its really hit or miss.  Sometimes it works sometimes it does not.  I think it’s due to lack of port forwarding.  I keep T-Mobile because it is so fast in my area, 200-400mbps typical.  But I just use it for uploads and downloads really.  I have Verizon for any real internet use even though its limited to 50 Mbps.  

 

T-Mobile does not work with most set top boxes or streaming internet devices, it does not work for most gaming sites via pc or console most of the time.  It’s fast for uploads and downloads on sites that are compatible with it.  I wish they would fix it to be a general purpose internet but I have no idea who to contact to get anything done.

 

I have spoken to the advanced tech support people and they say limitations of the network mean it won’t really work as general purpose home internet unless major changes are made to the T-Mobile network itself on their end, and that they have no plans to do it in the near future.

 

 

Userlevel 2

This post I found seems related and comments have been disabled. (link below) I have had my gateway for three days now and just attempting the gateway settings and noticed port forwarding is missing. It looks like this has been an issue for some time and there are no plans to address it. So we were sold home internet, but got a wifi hotspot. I am sad that my only option now is to return the unit to T-Mobile and pay triple what T-Mobile was offering to get the same speeds with Cox. :-(

 

T-Mobile is an IPv6 network.  Port forwarding is for ipv4 networks.  So, its unlikely you will ever have port forwarding.  For ipv6, right now T-Mobile blocks all unsolicited inbound traffic.  This may be a global network configuration or it may be on the gateway.  At any rate, there is no inbound traffic allowed at this time.  If you need a work around, you can connect up your own router to the gateway and use a VPN service for about $5.00 a month.

 

What a dumpster fire. No Ipv6 or Ipv4. Might as well call this one way internet. This breaks multiple internet standards and expectations for an internet provider. Ipv4 is still crucial in 2021. Borking Ipv6 is not acceptable. 

You can still buy/rent IPV4 space. If Tmobile has that defeatist attitude this service wont sell well…. 

Maybe it won’t.  Maybe they are counting on there being enough customers who don’t need inbound connectivity.  Who knows.  So far, they are on track with their home internet additions for the year.  For me, I’m saving $720 a year with better speed.  I don’t care about having to use a VPN to fix the inbound connection issue especially since, even with the VPN, that traffic is faster than what it was before.  I agree:  Its not ideal.  But its a better solution than what I had with Comcast.

Userlevel 5
Badge +5

IDK about that angle of them not having/not able to use IPV4.

A Basic dig on their ASN's shows they have a crap ton of IPV4 registered.  Over 12 million on just ONE of their USA ID's (AS21928).  Granted, some (like AS393494, that appears to be tied to TVision) only have 60-70k... but who is to say how much is actively in use, and how much could be repurposed?

But they DO in fact have and use IPv4.  The question is why is it not implemented for home internet instead of the screwy XLAT464 crap.

 

Userlevel 4
Badge +1

I’ve read much on the IPv4 / IPv6 and the 464XLAT versus dual layer etc.  What nobody has specifically stated is, why do the VPN’s work when using the Franklin T9 LTE hotspot or the ASKEY LTE Gateway but NOT when using the Nokia 5G gateway.  What is different about the implementation?  Isn't the 464XLAT used on the network side regardless of the gateway?

It seems like the carrier made a decision to filter with this particular gateway to avoid people setting up servers etc. due to the “unlimited data” but this has also hampered work from home for some people and also crippled XBOX party chat.  If it’s a decision that will never change, fine but TMO needs to be up-front about it.

I am having these same issues and I dont think the service is well developed enough yet to cut the cord. They need to resolve these 464xlat issues and provide people with a real internet service not a watered down version. VPN stability and incoming ports are a necessity with work from home these days..

Well that's tough cookies cuz that is what it's like to be a home internet provider in 2021. I wish I had somone who would come up with excuses for me everytime I mad poor choices at work.

I’m not making excuses.  I’m just stating the reality of running out of IPv4 addresses.  I’m sorry you don’t like reality.  Being on an IPv6 network shouldn’t be a problem.  However, if your real concern is you cannot have inbound connections, that I understand.  Its a brand new service.  Hopefully, T-Mobile is listening and working on that.  In the meantime, there are workarounds.  If you don’t want to use the workarounds until T-Mobile allows more flexibility, I would suggest you use another service until T-Mobile does.

EVERYONE is missing the point. Tmobile does NOT WANT END USERS TO HAVE THE CONTROL AT ALL. If they did, they’d have worked it in.

This post I found seems related and comments have been disabled. (link below) I have had my gateway for three days now and just attempting the gateway settings and noticed port forwarding is missing. It looks like this has been an issue for some time and there are no plans to address it. So we were sold home internet, but got a wifi hotspot. I am sad that my only option now is to return the unit to T-Mobile and pay triple what T-Mobile was offering to get the same speeds with Cox. :-(

 

T-Mobile is an IPv6 network.  Port forwarding is for ipv4 networks.  So, its unlikely you will ever have port forwarding.  For ipv6, right now T-Mobile blocks all unsolicited inbound traffic.  This may be a global network configuration or it may be on the gateway.  At any rate, there is no inbound traffic allowed at this time.  If you need a work around, you can connect up your own router to the gateway and use a VPN service for about $5.00 a month.

Im searching for a way to setup IPv6 on my router so it runs smoothly with t-mobile's gateway. 

If you're looking for a simple way to connect remotely to your home devices, I got that working yesterday. I was using Google's Remote Desktop pre T-mobile home internet but could not get it wor

king correctly after the switch. Then tried the "Set up via SSH" option on the Crome Remote Desktop login page. Had to take the commands provided to my PC and input. Now it actually works better than before!

Badge

Is this issue only with the new (Nokia) gateway? I still have the original gateway and I’m able to access a local camera from the public internet. 

Userlevel 5
Badge +5

Is this issue only with the new (Nokia) gateway? I still have the original gateway and I’m able to access a local camera from the public internet. 

Beginning to wonder if it isn't market specific.  Seeing a few posts where people got it working somewhat.

I am still on the the white box here inFlorence, SC and could not get ports forwarded even when wired directly to their device, much less on the Asus router behind it regardless how I tried.  Even direct wired and DMZ'ed things didn't work.  Oddly enough, the PS4 reports NAT2 when I was expecting NAT3-even when double-NAT'ed through the Asus.

Just plain weird.

They really need to get away from this 464XLAT they are using.

Userlevel 4
Badge +1

x

Would be really great if you post this over in the Reddit r/tmobileisp forum.  Lots of people there working on the same issue, appears to be their use of CG-NAT.  Agree?


Agree. I’m active there - posted here as I don’t think T-mobile suits care about reddit and I may get someone at actually T-mobile to help raise the awareness of these issues.

 

Here are some of my discussions in r/tmobileisp in:re T-mobile home internet.

 

Netgear LAX20 with ATT SIM card = IPv6 can be pinged and ports forwarded. T-mobile should fix their home internet and remove filtering on IPv6

https://www.reddit.com/r/tmobileisp/comments/l2iipa/netgear_lax20_with_att_sim_card_ipv6_can_be/

 

Unstable or "hung" SSH sessions when using the Nokia?

https://www.reddit.com/r/tmobileisp/comments/l11elv/unstable_or_hung_ssh_sessions_when_using_the_nokia/

 

Xbox One NAT / UPnP results for the Nokia modem for those that asked.

https://www.reddit.com/r/tmobileisp/comments/kxlo2m/xbox_one_nat_upnp_results_for_the_nokia_modem_for/

 

I also posted this issue in DSLreports for those oldtimers like me that remember that site. https://www.dslreports.com/forum/r33010714-Connectivity-Incoming-traffic-filtering-by-Tmo-Home-internet-no-IPv6-DN

Yes, I recognize you, I’m over there too, different ID.  Keep fighting the good fight!

Question: I noticed that the APN on the Nokia gateway is fbb.home while the APN on the Franklin hotspot is fast-tmobile.com.  The fbb.home appears to be blocking most things (VPN’s, XBOX Party chat, etc) while the fast-mobile.com does not, i.e. corporate VPN works fine on the Franklin hotspot, the ASKEY gateway etc. 

The APN is not selectable but is it possible that this APN is the source of all the issues and not the 464XLAT?

 

Nokia Gateway

 

Franklin T9

Userlevel 5
Badge +5

Unfortunately it is a snafu with the 464 in general... was documented as far back as at least 2013 (RFC-6877):

https://tools.ietf.org/html/rfc6877

It gets noted right at the start in the introduction:

"1. Introduction

With the exhaustion of the unallocated IPv4 address pools, it will be difficult for many networks to assign IPv4 addresses to end users. This document describes an IPv4-over-IPv6 solution as one of the techniques for IPv4 service extension and encouragement of IPv6 deployment. 464XLAT is not a one-for-one replacement of full IPv4 functionality. The 464XLAT architecture only supports IPv4 in the client-server model, where the server has a global IPv4 address. This means it is not fit for IPv4 peer-to-peer communication or inbound IPv4 connections. 464XLAT builds on IPv6 transport and includes full any-to-any IPv6 communication."

Some potential to skirt around some issues this approach takes, but in all honesty there are better ways to set this up.

Userlevel 2
Badge

@Reblog I have been holding off with this observation and thought you might have some insight into the problem. I am responsible for posting documents/pictures, etc. from home to a remote server. Over the years I have used FTP to easily transfer these files. However, since I switched from a slow DSL connection to T-Mobile HI (ASKEY), I no longer can move the files. I used Windows 10 File Explorer in split screen mode (remote on one screen and local files on second) and simply clicked and dragged the files from one screen to the other. Now when I try to connect with T-Mobile HI, I get the following error message...any thoughts? I have permissions on the remote FTP server.

 

Userlevel 5
Badge +5

Could be tied into poor implementation of, or lack of  access to firewall configiration options.

Usually a section dedicated to managing passthrough for various protocols used by VPN's as well as file servers and such.

Even on routers that give you options for managing them, they don't always behave right.

Userlevel 4
Badge +1

@ReblogI have been holding off with this observation and thought you might have some insight into the problem. I am responsible for posting documents/pictures, etc. from home to a remote server. Over the years I have used FTP to easily transfer these files. However, since I switched from a slow DSL connection to T-Mobile HI (ASKEY), I no longer can move the files. I used Windows 10 File Explorer in split screen mode (remote on one screen and local files on second) and simply clicked and dragged the files from one screen to the other. Now when I try to connect with T-Mobile HI, I get the following error message...any thoughts? I have permissions on the remote FTP server.

 

I suggest that you log into the ASKEY interface and check the ALG settings first and see that the FTP and TFTP are allowed.  Details if you need are in the user manual: https://www.t-mobile.com/isp/lte-wifi-gateway-digital-user-guide

There are other settings that could be preventing the FTP transfer but this would be first check.

 

Reply