We occasionally restrict internet access on some of our test servers by just quickly removing the default gateway. With the introduction of Windows Server 2016 we decided to test a few of its features and again remove the default gateway; although 90% of the internet didn't work, any web site that did use IPv6 worked (google.com, bbc.com, etc.).

We are assuming this is because the test servers have some sort of route via IPv6, as when we ping these sites we get replies? Aside from sending a changelog to the network team to restrict access to the internet for these servers, is there a way we can just block them from using the internet completely?

dqnet
  • I think this is a bad idea, but instead of removing a route, why not add a more specific route with an invalid gateway? – Zoredache Apr 27 '17 at 17:37
  • But is there simply no option to remove the gateway with IPv6 on Windows Server 2016? Something like "switch off the internet via IPv6" on these machines, apart from unchecking the IPv6 protocol in adapter properties? – dqnet Apr 27 '17 at 17:48
  • In IPv6, computers will typically get their gateway from the route advertisements being multicast out to the network. If you remove a static one, your system will just re-learn it, unless you also disable RouterDiscovery. – Zoredache Apr 27 '17 at 17:53
  • Is there a link you can provide that will give me an insight as to how all this works in WS2016 etc.? Can we stop these multicast messages being sent? I mean, is there no simple way to stop these servers accessing IPv6 addresses like we do with IPv4? Sorry for my ignorance on this... it's all pretty new to me. – dqnet Apr 27 '17 at 18:05
  • `Can we stop these multicast messages` - Only if you want to seriously hobble IPv6 for the entire network, this is more or less essential for IPv6. See https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol. I already gave you a suggestion. Instead of removing a route, add a new invalid one. Perhaps `0::0/1 via ::1` or something. – Zoredache Apr 27 '17 at 18:27

1 Answer

Your servers are most likely getting the IPv6 default route via the neighbor discovery that Zoredache mentions. You can disable the router advertisements on a per-subnet level from the router. This will mean that any device on that subnet will need a static or DHCPv6 gateway. Router advertisements are a very base-level feature of IPv6.

Cory Knutson
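
A host-side way to do what the comments describe (disable RouterDiscovery so the IPv6 default route is not re-learned, then remove the route already present), as an added example that is not part of the thread. It assumes an elevated PowerShell session on the Windows Server 2016 machine and uses the built-in NetTCPIP cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread.
# Assumption: run locally on the test server in an elevated session.

# 1. Find the IPv6 default route(s) (::/0) the host currently holds.
$defaultRoutes = Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' `
    -ErrorAction SilentlyContinue

if (-not $defaultRoutes) {
    Write-Output 'No IPv6 default route present; nothing to remove.'
}
else {
    $ifIndexes = @($defaultRoutes | Select-Object -ExpandProperty InterfaceIndex -Unique)

    foreach ($ifIndex in $ifIndexes) {
        # 2. Stop acting on router advertisements on this interface, so the
        #    default route is not learned again after it is removed.
        Set-NetIPInterface -InterfaceIndex $ifIndex -AddressFamily IPv6 `
            -RouterDiscovery Disabled

        # 3. Remove the default route(s) already learned on this interface.
        Get-NetRoute -InterfaceIndex $ifIndex -AddressFamily IPv6 `
            -DestinationPrefix '::/0' -ErrorAction SilentlyContinue |
            Remove-NetRoute -Confirm:$false
    }
}

# 4. Verify: RouterDiscovery state per interface, then any remaining ::/0 route.
Get-NetIPInterface -AddressFamily IPv6 |
    Select-Object InterfaceAlias, InterfaceIndex, RouterDiscovery, ConnectionState |
    Format-Table -AutoSize

$remaining = Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' `
    -ErrorAction SilentlyContinue
if ($remaining) {
    Write-Warning 'An IPv6 default route is still present:'
    $remaining | Format-Table InterfaceIndex, NextHop, RouteMetric -AutoSize
}
else {
    Write-Output 'No IPv6 default route remains.'
}
```

Routes to on-link IPv6 prefixes are left in place, so hosts on the same subnet stay reachable over IPv6; only off-link destinations lose their path. To undo the change, set `-RouterDiscovery Enabled` on the same interface.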