AnsweredAssumed Answered

Shaw blocking of some tunneled 6in4 IPv6 traffic

Question asked by robbat2 on Mar 15, 2016
Latest reply on Mar 19, 2016 by phillipsjk

As everybody knows, Shaw still does not provide IPv6 for residential service.


Many people have spoken about using Hurricane Electric's TunnelBroker service, and it generally works very well (in fact I frequently get faster downloads via my tunnel to Seattle than I do directly on Shaw's IPv4).


However, I also run private networking, and recently found that Shaw seems to be blocking some 6in4/SIT tunneled traffic - port 25 outbound even on private ranges.


Test environment:

You need an external server, where you know there are no firewalls of any traffic except your own firewall; In my case, I tested with a host at Peer1's Vancouver facility, as well as a Hetzner dedicated server in Germany. You cannot perform this test on TunnelBroker, as they also block port 25 by default (but will unblock your account if you pass the IPv6 certifications and request unblocking from them)


Test setup:

1. Set up your own 6in4/SIT tunnel, from your home connection to your server; Use the IPv6 ULA private range, pick a /64 inside fc00::/7. I used fd3c:b2e8:93df:f001::/64 per my ULA fd::/8 registration with SixXS (SixXS - IPv6 Deployment & Tunnel Broker).
1.1. With that /64, I have ::1 on my server and ::2 on my home router (Ubiquiti EdgeRouter).

2. Confirm that you can ping in both directions, ICMP6, PASS.

3. Test that you can connect over the tunnel on various ports in both directions:

3.1. Port 80 - PASS, works in both directions

3.2. Port 587 - PASS, works in both directions

3.3. Port 25 - inbound works, outbound is blocked.

4. Repeat the above tests with GRE tunnels.

4.0 ICMP6, pass

4.1. Port 80 - PASS, works in both directions

4.2. Port 587 - PASS, works in both directions

4.3. Port 25 - PASS, works in both directions


I know that Shaw blocks regular IPv4 outbound port 25, and permits IPv4 inbound port 25, and I'm fine with that in doing their part to block zombie spam; however, that they are ALSO blocking outbound port 25 inside 6in4 tunneled traffic to a private address range comes as a huge surprise.


NOTHING on Shaw's support pages says that tunneled traffic is blocked, so I'd like to know Shaw's justification for dropping that tunneled traffic that is clearly destined for a private address range, and nothing to do with the public internet, other than conveying it; that is also is done ONLY on 6in4 tunnels is a surprise.


And then if you have no reasonable justification for blocking clearly private tunnel traffic, I ask that you remove the block immediately.