ARC connectivity issues with IPv6 due to CGNAT on IPv4 (ref#N7SUBQ)

Network Setup

· I use a single personal router not provided by my ISP

ARC Status

· ARC is *Not Ready*

Roon Error Code

· None of these are listed. It simply says "TIMEDOUT" or similar.

System or third-party *firewalls* or *antivirus software* can sometimes block RoonServer from reaching ARC.

· Try adding RoonServer and its associated processes to the whitelist of any firewalls or antivirus software you have installed, including the Windows system firewall, if applicable. [You can learn more about firewall exceptions with Roon here.](https://help.roonlabs.com/portal/en/kb/articles/firewall)

Has the status in Roon -> Settings -> ARC changed after adding exceptions in your firewalls and antivirus software for Roon?
ARC is still *Not Ready*

Don't give up yet.

· I'm stuck. I'd like to create a post to ask Roon Community for help.

Describe the issue

ARC on IPv6 (ISP uses CGNAT on IPv4)

Describe your network setup

* ISP = Buddy Telecom (Aussie Broadband)
* Service speed is 1Gbps down/50Mbps up
* NB: ISP uses CGNAT on IPv4
* Unifi UCG Ultra router
* All Ethernet network
* RoonCore is ROCK on NUC13

Diagnostics:
{
"ipv6_connectivity": {"status":"NetworkError","status_code":504,"error":"error: Error: ETIMEDOUT, response code: undefined, body: undefined connected? undefined"},
"ipv4_connectivity": {"status":"NetworkError","status_code":504,"error":"error: Error: ETIMEDOUT, response code: undefined, body: undefined connected? undefined"},
"external_ip": {"actual_external_ip":"159.ggg.hhh.iii","actual_external_ipv6":"2403:aaa:bbb:ccc:ddd:eee:fff:aaa","router_external_ip":"null"},
"natpmp_autoconfig": {"status":"NotFound"},
"upnp_autoconfig": {"status":"NotFound"}
}

I can get ARC working with Tailscale, but would prefer to fine tune settings to use IPv6 without the VPN.

RoonCore on ROCK appears to have correctly received an IPv6 address - but still doesn't seem to be able to reach through the router.

Do you have a known-good configuration for Unifi router to facilitate ARC functionality?

Do I need to do anything to cause RoonCore (ROCK) to only attempt to use IPv6?

Thanks.

Your router will almost certainly have an IPv6 firewall enabled (if not, it should have). This will, by default, block all incoming connections to any device on your network, including Roon ARC trying to connect to your Roon server, apart from icmp (ping), which is necessary to allow in order for ipv6 to work.

You need to open a pin hole in the ipv6 firewall to allow TCP connections (from any ip address) on the Roon ARC port to the ipv6 address of your Roon Server.

Having said that, configuring your router to allow ipv6 connections to your Roon server will only work if you have ipv6 available on your phone/tablet at the time you are trying to use ARC. If, as in the UK, your cellular provider does not offer IPv6, then such a configuration will not be of any use to you unless you can use a WiFi service that supports ipv6. In this case, the Tailscale solution, that you already have working, is your best bet.

Hey @Richard_Neale,

Thanks for writing in! @Wade_Oram makes a great point above - are you able to confirm if IPv6 is available from your ISP?

Outside of that, if you’re able to get Tailscale functioning - nice work! :+1:

Hi Wade,

Thanks for the comment. I checked my wireless carrier’s technology before asking the question - no point trying to enable something that will never work.

Telstra (Australia) mobile networks are exclusively IPv6 since around 2020. So I’m hopeful that if I can break out of my home environment with IPv6, I’ll have a workable solution that doesn’t require the interposition of a VPN.

Richard.

Hi Benjamin,

Yes - my ISP supports IPv6. The ISP has allocated me suitable IPv6 addresses, and I can see IPv6 traffic for the services that use it. I think that the diagnostic data shows this - addresses starting 2403 are my ISP.

And to Wade’s very pertinent question, my mobile carrier is FULLY IPv6 now.

Cheers.

Richard.

OK. So you should be good to go once you have opened the ARC port in the IPv6 firewall in your router.

This is my ipv6 firewall rule:

In my case, the ipv6 local ip address looks a bit strange because my ISP issues a dynamic ipv6 prefix (why?) and my (Asus) router (and probably any other router using an iptables based firewall) allows me to configure just the device part of the ip address by using a format like:

::<ipv6 device part>/::<ipv6 device part mask>

This, combined with the use of stateless ip address allocation (where the device part of the ipv6 address is formed deterministically from the MAC address) instead of DHCPv6, allows me to enter the ip address as shown in the hover text in the image and then I don’t have to keep changing my firewall rule when the ipv6 prefix changes :slight_smile:

I recently purchased a new computer and a new laptop. Both had IPv6 enabled on them with an IP associated with each device. IPv6 caused nothing but issues as I use my main PC also as a file server. I could not see the main PC on my LAN. After some troubleshooting, I disabled IPv6 on both devices and all my issues went away. To complicate matters even more, I have an AT&T fiber modem with a separate Gateway that controls my LAN. HiFi Rose provided me with a couple for 60 days for the purchase of my RS130 streamer. I was able to set up Roon on my main PC and then found the setting for Roon ARC. The setting on the modem and Gateway took a few hours to figure out how to set up last night. I was able to configure Port Forwarding so I can use Roon ARC. I’ve found that IPv6 causes nothing but issues and have it disabled on all my devices. I used Roon’s guide for setting up the Port Forwarding; however, my setup isn’t the typical setup since the Gateway is separate from the Modem. I also have the eero from Amazon but those are set up as a bridge so eero doesn’t issue the IP addresses.

Thanks.

I don’t seem to be making much progress. I’ve created and re-created what I BELIEVE will be an appropriate firewall rule. It’s here (takes a couple of screen shots as it scrolls off the page on the Unifi interface):


(I’ve obfuscated the middle part of the IPv6 address…)

For the IPv6 connection, the Roon ARC diagnostics still show:

"ipv6_connectivity": {"status":"NetworkError","status_code":504,"error":"error: Error: ETIMEDOUT, response code: undefined, body: undefined connected? undefined"},

"external_ip": {"actual_external_ip":"159.ggg.hhh.iii","actual_external_ipv6":"2403:aaa:bbb:ccc:ddd:eee:fff:aaa","router_external_ip":"null"},
"natpmp_autoconfig": {"status":"NotFound"},
"upnp_autoconfig": {"server_ip":"192.168.0.1","found_upnp":true,"error":"<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><s:Fault>s:ClientUPnPError<UPnPError xmlns="urn:schemas-upnp-org:control-1-0">718ConflictInMappingEntry</s:Fault></s:Body></s:Envelope>"}
}

Important (??) bits in bold. (I am not an IPv6 expert - you will have guessed that!)

I’m not at all familiar with the Unifi interface but there are a couple of things that, to me at least, are not optimal or possibly even wrong.

On the first image

  • Should the ‘Match Opposite Port’ check box be ticked? You have specified that the connection to be allowed comes in on port 55000 but do you also need to specify that the connection on the Roon Server is on port 55000. It looks like you have done this on the next screen. However, checking the ‘Match Opposite Port’ might do the same job and make it easier to administer the rule in future.
  • I think that the ipv6 address of the Roon Server should be specified in the ipv6 field of the ‘Destination Zone’ → ‘Internal’ section rather than in the ‘Add Multiple’ section. I’m not sure, but this could be the cause of your issue.

On the second image

  • The ‘Protocol’ should be set to ‘TCP’ rather than ‘All’. This wouldn’t cause an issue, ‘All’ should work, but it is exposing the Roon Server to more protocols than it needs or can accept. Using ‘TCP’ just makes it a little more secure.

If I’m wrong, hopefully someone more familiar with the way that Unifi firewall configuration works can help out (and correct me).
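Added example, not part of any post in this thread: a simplified model of the IPv6 pinhole discussed above, combining the prefix-independent `::<device part>/::<mask>` destination with the choice between ‘TCP’ and ‘All’ as the rule's protocol. The MAC address, the 2001:db8:: documentation-prefix addresses and the `Pinhole` class are constructed for illustration, port 55000 is the one quoted in the thread, and the model assumes the server uses a MAC-derived (EUI-64) stateless address as described.

```python
import ipaddress
from dataclasses import dataclass

IID_MASK = (1 << 64) - 1  # ::ffff:ffff:ffff:ffff, the low 64 "device" bits

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291) derived from a MAC."""
    o = bytearray(int(x, 16) for x in mac.split(":"))
    if len(o) != 6:
        raise ValueError("expected a 48-bit MAC address")
    o[0] ^= 0x02  # flip the universal/local bit
    return int.from_bytes(bytes(o[:3]) + b"\xff\xfe" + bytes(o[3:]), "big")

@dataclass(frozen=True)
class Pinhole:
    """Inbound allow rule; anything it does not match hits the default drop."""
    dst_value: int  # address bits to compare
    dst_mask: int   # which bits of the destination are compared
    proto: str      # "tcp", "udp" or "all" (any protocol on that port)
    port: int

    def allows(self, dst: str, proto: str, port: int) -> bool:
        addr = int(ipaddress.IPv6Address(dst))
        return (addr & self.dst_mask == self.dst_value & self.dst_mask
                and self.proto in ("all", proto)
                and port == self.port)

def suffix_notation(rule: Pinhole) -> str:
    """Render the rule's destination as ::<device part>/::<mask>."""
    return (f"{ipaddress.IPv6Address(rule.dst_value)}"
            f"/{ipaddress.IPv6Address(rule.dst_mask)}")

# Constructed sample values: placeholder MAC, port taken from the thread.
SERVER_MAC = "00:11:22:33:44:55"
ARC_PORT = 55000
tcp_only = Pinhole(eui64_iid(SERVER_MAC), IID_MASK, "tcp", ARC_PORT)
all_protos = Pinhole(eui64_iid(SERVER_MAC), IID_MASK, "all", ARC_PORT)

def exposure(rule: Pinhole) -> list:
    """Return the constructed inbound packets that the rule lets through."""
    packets = [
        ("2001:db8:1:2:211:22ff:fe33:4455", "tcp", 55000),    # ARC, old prefix
        ("2001:db8:aa:bb:211:22ff:fe33:4455", "tcp", 55000),  # ARC, new prefix
        ("2001:db8:1:2:211:22ff:fe33:4455", "udp", 55000),    # not needed by ARC
        ("2001:db8:1:2:211:22ff:fe33:4455", "tcp", 22),       # other service
        ("2001:db8:1:2:a8bb:ccff:fedd:eeff", "tcp", 55000),   # another LAN host
    ]
    return [p for p in packets if rule.allows(*p)]
```

If the server's address does not contain the MAC-derived `ff:fe` pattern (for example because the host uses privacy or stable-privacy addressing), the device part in the rule has to be taken from the address the server actually reports.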

Hi Wade. Thanks for input. Responding to your suggestions…

I don’t think so. The information box explains this feature as follows: “Match all ports except the selected”. I read this as meaning that selecting this box would block the nominated port. There’s no more informative explanation in the documentation.

This took me a while to figure out also. The UI is a little clunky. When entering an IP address in the destination zone, you click ‘Add’ to add the address to the list of addresses to which the rule applies. The added address then appears lower down in the list of IP Addresses and Subnets. (‘Add Multiple’ is a ‘button’ that opens a window to allow the user to add multiple addresses in bulk using a list.)

I don’t think that’s the issue.

Point taken. For security, I’ll make the change.

For the record, following the change (protocol = TCP) I have no better outcome (and that’s entirely expected).

I tried one more thing: a corresponding rule for outgoing traffic - in case the selection to allow return traffic didn’t work. No change.

And because I have a t-shirt with ‘Have you tried turning it off and on again’ printed on it, I tried that too (rebooted the ROCK device). No change. Sad face.

Current state of diagnostics:

{
"ipv4_connectivity": {"status":"NetworkError","status_code":502,"error":"error: Error: connect ENETUNREACH 159.ggg.hhh.iii:55000, response code: undefined, body: undefined"},
"ipv6_connectivity": {"status":"NetworkError","status_code":504,"error":"error: Error: ETIMEDOUT, response code: undefined, body: undefined connected? undefined"},
"external_ip": {"actual_external_ip":"159.ggg.hhh.iii","actual_external_ipv6":"2403:aaa:bbb:ccc:ddd:eee:fff:aaa","router_external_ip":"null"},
"natpmp_autoconfig": {"status":"NotFound"},
"upnp_autoconfig": {"status":"NotFound"}
}

If anyone has managed to break out of a Unifi-controlled IPv6 environment for Roon ARC, I’d love to hear how.

OK. That is not what I would have expected from the display and, this being the case, it is entirely correct to not have ‘Match Opposite Port’ selected.

OK. Again, a mis-reading on my part. It would appear that what you have done is fine.

OK. The ENETUNREACH is, I believe, just saying that the WAN side IPv4 address of your router is not reachable from the internet - which we already know because we know that CG-NAT is in play so, in respect of your IPv6 connectivity nothing has changed - which, as you say is what would be expected.

Are you sure you have got the correct IPv6 ip address for your Roon Server? The address required is the one displayed under (if I remember correctly) ‘Advanced’ on the Roon ARC settings page (where you obtained the diagnostic text).

Other than that, I’m afraid that I am out of ideas short of continuing to use Tailscale.

Yes. I copied from the ‘Advanced’ data in the Roon ARC test box. Also compared this with the address shown in the Unifi network management interface.

For now, I am giving up on this exercise. I noticed that Roon itself was having trouble connecting when IPv6 is enabled in the network (Metadata Improver stopped). One of the recommended fixes for ‘Metadata Improver stopped’ is to disable IPv6 in the network - so I did that and the Metadata Improver immediately sprang back to life.

To my mind, this all points to some misconfiguration on my side in the IPv6 settings. (I gather that your Roon (not ARC, but Roon on premises) works fine in an IPv6-enabled environment.) So I’ll keep IPv6 disabled, buy a textbook and do some study. When I’m better educated about IPv6 and its vagaries, I’ll return to the exercise and see what can be done. Clearly IPv6 is the future of networks, and Roon needs to (and does - but not properly for me) work in the IPv6 world.

Time to hit the books.

(And many thanks for your insights and advice.)

Hi @Richard_Neale,

Thank you for your patience.

A consideration we might have missed earlier is the conflictinmappingentry listed under the initial attempt to connect via IPv6 here. Distinct from the NAT layer blocking port forwarding, this error indicates that the UPnP stack detected other software that was competing for the 55000 port range on this network. Even in an IPv6 environment, Roon might not be able to reach the internet through a pinhole referring to that port.

Try changing the port to a completely different range. I’d first see if Aussie Broadband has any specific port ranges they’ve reserved for their own activity. I believe they publish a list at the bottom of this page.

Otherwise, the built-in Tailscale interface in the ROCK will provide long-term reliable NAT traversal, as you’re aware.

Thanks!

Hey Connor,

Thanks for getting back to me.

Thanks for the hint. I’ll do some more research and see what I can uncover. For now, I’ve disabled IPv6 in my network. I was having some ‘metadata improver stopped’ issues. I have cleared these now, but I am not 100% sure whether the solution was disabling IPv6 or changing the DNS addresses.

Still waiting for my IPv6 textbook to arrive.

Richard.

Hi @Richard_Neale,

The Tailscale network interface in ROCK will always provide a reliable fallback. End-to-end IPv6 can be tricky to configure, and you’ll be subject to the slings and arrows of ISP implementation should Aussie Broadband change anything.

Let us know if we can help out further.
