Author Topic: ipv6 firewall rules / fv: 2.17 / hv: bx / b5  (Read 19053 times)

noyeske

  • Level 1 Member
  • *
  • Posts: 11
ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« on: January 29, 2014, 10:07:49 PM »

Hello, I want to configure my router's IPv6 rules, but I can't do what I want...

If I enable the IPv6 firewall (Turn IPv6 filtering on and allow rules listed) and I specify a rule for outgoing traffic:
Name: AllowAnyOutgoingTraffic
Schedule: Always
Source
    Interface: LAN
    IP Address Range: 0:0:0:0:0:0:0:0 - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    Protocol: Any
Dest
    Interface: WAN
    IP Address Range: :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Every computer and laptop has its own IPv6 IP, but can't access the internet with this rule.

And I want only 2 or 3 computers to access the internet with IPv6. How can I do this? I don't know enough about IPv6... In the IPv4 filter/MAC address filter/network filter I can control which computers can access the internet.

For example:
Two computers with IPv4, network filter ON, and DHCP reservation:
192.168.0.100 >>> 36:40:77:sb:b3:46 > can access the internet
192.168.0.101 >>> 87:23:89:6s:l6:66 > can access the internet
Any other computer can't access the internet.

How do I do this with IPv6 in the firewall rules?
From the DHCP-PD I got these:
2a02:2f08:30e7::3
2a02:2f08:30e7::4

Only the :3 and the :4 are fixed. How do I make rules so that only these 2 computers have access?

Thanks in advance
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #1 on: January 30, 2014, 07:59:25 AM »

Link>Welcome!

  • What region are you located?


Internet Service Provider and Modem Configurations
  • What ISP Service do you have? Cable or DSL?
  • What ISP Modem Mfr. and model # do you have?
  • What ISP Modem service link speeds UP and Down do you have?
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

noyeske

  • Level 1 Member
  • *
  • Posts: 11
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #2 on: January 30, 2014, 01:08:48 PM »

I am from Romania. I have RDS-RCS, Fibernet/Cable. I don't have a modem. The details: upload 30 Mbps, download 50 Mbps.
Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #3 on: January 30, 2014, 01:50:32 PM »

Hi noyeske,

Quote
Every computer and laptop has its own IPv6 IP, but can't access the internet with this rule.

Nothing looks wrong with your rule "AllowAnyOutgoingTraffic", although you might specify the start address of the Source IP Address Range (LAN) as "::" instead of "0:0:0:0:0:0:0:0" as you did for the start address of the Dest IP Address Range.

Question:

Just to be sure that it is not the firewall that prevents your computers and laptops from accessing the Internet: Can they access the IPv6-Internet (Examples for IPv6 only sites look here: http://ipv6.cybernode.com/list-of-ipv6-only-sites) if your IPv6 firewall and the "Simple Security" option (if available within your router model) both are switched off/deactivated?

If not, you first have to inspect if all other IPv6 settings are correct.

If yes: There are some IPv6 firewall implementations within D-Link routers known to have problems if "Source IP Address Range" and "Dest IP Address Range" are the same or have the same start address. Is this also the case for you, and was this the reason why you selected "0:0:0:0:0:0:0:0" for the start address of the Source IP Address Range, in order to make it at least syntactically different from the start address of the Dest IP Address Range? If so, I would suggest configuring the following IP Address Ranges:

  • Source IP Address Range: :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
  • Dest IP Address Range: 2000:: - 3ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

The Dest IP Address Range corresponds to the prefix 2000::/3 which denotes all addresses that are currently used in public IPv6 Internet. Please give it a try if it improves your situation.

Quote
And I want only 2 or 3 computers to access the internet with IPv6
...
How do I do this with IPv6 in the firewall rules?
From the DHCP-PD I got these:
2a02:2f08:30e7::3
2a02:2f08:30e7::4

Only the :3 and the :4 are fixed. How do I make rules so that only these 2 computers have access?

If

  • (1) the prefix 2a02:2f08:30e7::/64 is static and never changes and
  • (2) your computers only have fixed addresses derived from 2a02:2f08:30e7::/64 (e.g. no address due to privacy extensions)

you could specify one IPv6 firewall rule per address per computer with the following Source IP Address Ranges:

  • 2a02:2f08:30e7::3 - 2a02:2f08:30e7::3 for 1st computer
  • 2a02:2f08:30e7:0:<2nd address> - 2a02:2f08:30e7:0:<2nd address> for 1st computer
  • ...
  • 2a02:2f08:30e7::4 - 2a02:2f08:30e7::4 for 2nd computer
  • 2a02:2f08:30e7:0:<2nd address> - 2a02:2f08:30e7:0:<2nd address> for 2nd computer
  • ...

Hence any other computer for which no corresponding rule exists will have no (IPv6-)Internet access.

BUT: If the prefix you get via DHCP-PD might change, you have no opportunity to select only a subset of your computers for allowed IPv6 Internet access via IPv6 firewall rules.

The only chance I see in this case is if the configuration settings of your router allow to select other criteria than IPv6 source addresses (e.g. MAC addresses) in order to specify selective rules for Internet access.

Unfortunately I don't know the configuration possibilities of your device, hence I can't be helpful in this concern. Maybe the configuration possibilities within D-Link routers for IPv6 are not yet developed to the satisfying level as is the case for IPv4.

PacketTracer
« Last Edit: January 30, 2014, 03:02:13 PM by PacketTracer »
Logged

noyeske

  • Level 1 Member
  • *
  • Posts: 11
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #4 on: January 31, 2014, 12:15:26 AM »

First of all: here is my firewall settings menu. I don't have a simple security option or whatever.


I modified the settings, now it looks like:

I can't insert this: 3ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, but if I modify it to 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff it's okay, but nothing changes, I can't access the internet. I left the address on ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff but it's the same...

It's important: when I turn IPv6 filtering OFF, I can access the internet, my firewall is IPv6 compatible, and everything is okay and working.

I have a question: is the first firewall rule required if I want only 2 computers to access the internet? Isn't it enough to make 2 rules for two computers to access the internet with IPv6?

On the second picture you can see I had to modify the addresses because the router says it's incorrect..., but no internet from IPv6.

And thanks for your reply :)
Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #5 on: January 31, 2014, 12:56:19 PM »

Hi noyeske,

Quote
I can't insert this: 3ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, but if I modify it to 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff it's okay, but nothing changes, I can't access the internet. I left the address on ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff but it's the same...

well, one "f" too much, it was already late yesterday evening...

According to the settings of your first screenshot it should work meaning it should be possible to access the Internet and to be protected against unsolicited traffic WAN-->LAN.

Obviously your firewall is broken as in some other D-Link routers.

I remember one case, where the firewall worked only if the Source IP Address Range was smaller than a /64, look here. Given it is the same problem in your case and that your LAN prefix 2a02:2f08:30e7::/64 you get via DHCP-PD is fixed (=never changes), you could solve the problem via the following two rules:

Turn IPv6 Filtering ON and ALLOW rules listed

(1st active rule):
Name: AllowLowerHalf
Schedule: Always
Source Interface: LAN
Source IP Address Range:
     2a02:2f08:30e7::
     -
     2a02:2f08:30e7:0:7fff:ffff:ffff:ffff
Protocol: ALL
Dest Interface: WAN
Dest IP Address Range:
     2000::
     -
     3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

(2nd active rule):
Name: AllowUpperHalf
Schedule: Always
Source Interface: LAN
Source IP Address Range:
     2a02:2f08:30e7:0:8000::
     -
     2a02:2f08:30e7:0:ffff:ffff:ffff:ffff
Protocol: ALL
Dest Interface: WAN
Dest IP Address Range:
     2000::
     -
     3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Quote
I have a question: is the first firewall rule required if I want only 2 computers to access the internet? Isn't it enough to make 2 rules for two computers to access the internet with IPv6?

On the second picture you can see I had to modify the addresses because the router says it's incorrect..., but no internet from IPv6.

Yes, of course the first rule is not required! In contrast it has to be deleted or at least deactivated if you want the second and third rule to become effective! However you specified a wrong Dest IP Address Range 2a02:2f08:30e7:0:: - 2a02:2f08:30e7:0:: in both rules which makes no sense!

To be precise you would have to configure the following:

Turn IPv6 Filtering ON and ALLOW rules listed

(1st active rule):
Name: AllowComputer1
Schedule: Always
Source Interface: LAN
Source IP Address Range:
     2a02:2f08:30e7::3
     -
     2a02:2f08:30e7::3
Protocol: ALL
Dest Interface: WAN
Dest IP Address Range:
     2000::
     -
     3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

(2nd active rule):
Name: AllowComputer2
Schedule: Always
Source Interface: LAN
Source IP Address Range:
     2a02:2f08:30e7::4
     -
     2a02:2f08:30e7::4
Protocol: ALL
Dest Interface: WAN
Dest IP Address Range:
     2000::
     -
     3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

But once again as I already said in my first post: You have to make sure that 2a02:2f08:30e7::3 for Computer 1 and 2a02:2f08:30e7::4 for Computer 2 are the only global addresses these computers can use to communicate with the IPv6-Internet! This means:

  • Otherwise, for any other global but fixed IPv6 address one of these computers has (e.g. resulting from SLAAC) you would have to specify an additional rule as described above configuring a Source IP Address Range that corresponds to this other fixed IPv6 address.
  • The computers you want to allow Internet access must not have dynamically changing additional addresses because you can't configure IPv6 firewall rules for changing source addresses. Those dynamically changing addresses may result from active "Privacy Extensions" and they are preferred when the computers initiate communication. Hence this case wouldn't be covered by your firewall rules. So if active please deactivate Privacy Extensions on your computers you want to allow Internet Access. E.g. for a Windows PC you can do this via the command

        netsh int ipv6 set priv dis

    within a command prompt you started with administrative rights (run as administrator).

PacketTracer
« Last Edit: January 31, 2014, 03:38:35 PM by PacketTracer »
Logged
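An added example, not part of the original posts and not D-Link's firewall code: it models the allow-list semantics the rules in Reply #5 are meant to have (first match allows, no match drops), so the ranges can be checked off the router. The `Rule` class, the helper names, the temporary address and the destination are constructed for illustration; the ranges are the ones given in the thread.

```python
import ipaddress
from dataclasses import dataclass

A = ipaddress.IPv6Address

@dataclass(frozen=True)
class Rule:  # hypothetical model of one row in the router's rule table
    name: str
    src: tuple  # (start, end) as typed into "Source IP Address Range"
    dst: tuple  # (start, end) as typed into "Dest IP Address Range"

    def matches(self, src, dst):
        return (A(self.src[0]) <= A(src) <= A(self.src[1])
                and A(self.dst[0]) <= A(dst) <= A(self.dst[1]))

def range_to_prefixes(start, end):
    """Express a start-end range as the CIDR prefixes it is equal to."""
    return [str(n) for n in ipaddress.summarize_address_range(A(start), A(end))]

def source_coverage(rules):
    """Collapse the source ranges of all rules into the fewest prefixes."""
    nets = [n for r in rules
            for n in ipaddress.summarize_address_range(A(r.src[0]), A(r.src[1]))]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def decide(rules, src, dst):
    """'ALLOW rules listed': name of the first matching rule, None means dropped."""
    return next((r.name for r in rules if r.matches(src, dst)), None)

PUBLIC = ("2000::", "3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")
PER_HOST = [
    Rule("AllowComputer1", ("2a02:2f08:30e7::3", "2a02:2f08:30e7::3"), PUBLIC),
    Rule("AllowComputer2", ("2a02:2f08:30e7::4", "2a02:2f08:30e7::4"), PUBLIC),
]
HALVES = [
    Rule("AllowLowerHalf", ("2a02:2f08:30e7::", "2a02:2f08:30e7:0:7fff:ffff:ffff:ffff"), PUBLIC),
    Rule("AllowUpperHalf", ("2a02:2f08:30e7:0:8000::", "2a02:2f08:30e7:0:ffff:ffff:ffff:ffff"), PUBLIC),
]
# Constructed sample values: a privacy-extension style temporary address on the
# same /64, and a destination taken from the documentation prefix 2001:db8::/32.
TEMP_ADDR = "2a02:2f08:30e7:0:d4a1:93ff:2b07:6c15"
DEST = "2001:db8::1"

if __name__ == "__main__":
    print("Dest range equals:", range_to_prefixes(*PUBLIC))
    print("Halves cover:", source_coverage(HALVES))
    for src in ("2a02:2f08:30e7::3", "2a02:2f08:30e7::4", TEMP_ADDR):
        print(src, "->", decide(PER_HOST, src, DEST) or "DROPPED")
```

With the per-host rules, traffic sourced from the temporary address matches nothing and is dropped, which is why the post asks for Privacy Extensions to be disabled on the allowed computers.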

noyeske

  • Level 1 Member
  • *
  • Posts: 11
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #6 on: February 01, 2014, 01:06:39 AM »

Hello :)

I tried everything but nothing worked for me ...










If these pictures can help... I can reach the internet in only one way: if I turn off the firewall...

Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #7 on: February 01, 2014, 01:56:38 AM »

Hi, could you please post the output of "ipconfig /all" within a command prompt of your Windows PC?
Logged

noyeske

  • Level 1 Member
  • *
  • Posts: 11
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #8 on: February 01, 2014, 02:05:22 AM »

Hello,

http://pastebin.com/vudXNdGA

I posted here :)
Logged

noyeske

  • Level 1 Member
  • *
  • Posts: 11
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #9 on: February 01, 2014, 02:12:00 AM »

I forgot this:



Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #10 on: February 01, 2014, 02:41:05 AM »

Hi noyeske,

Quote
Hello,

http://pastebin.com/vudXNdGA

I posted here

Looking at that, I can't see where this PC has its IPv6 configuration? Neither a global IPv6 address 2a02:2f08:30e7::3 nor the default gateway of your D-Link router (fe80::baa3:86ff:feab:3e63) is configured. Hence this PC is not able to talk to the Internet via IPv6. Wrong PC?

PacketTracer
Logged

noyeske

  • Level 1 Member
  • *
  • Posts: 11
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #11 on: February 01, 2014, 03:08:47 AM »

Hello,

Oops, I forgot: when you answered this, I was not at home. Not the wrong PC, only the wrong network :D

In a few minutes I will go home and do it again, sorry for this.
Logged

noyeske

  • Level 1 Member
  • *
  • Posts: 11
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #12 on: February 01, 2014, 06:08:48 AM »

Hi, here it is on the home network:

http://pastebin.com/LN1mZYsZ
Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #13 on: February 01, 2014, 07:48:10 AM »

Hi noyeske,

Quote
Hi, here it is on the home network:

http://pastebin.com/LN1mZYsZ

Well, looks perfect. Was just for me to see if there is really only the one and only global IPv6 address 2a02:2f08:30e7::4 active. Looking at the other information you posted it's clear now that it stems from the stateful DHCPv6 configuration of your DIR-600.

Just a comment on this: Since there is no option to configure DHCPv6 reservations it is not guaranteed that any of your computers will always get assigned the same IPv6 address again. For example it might be different after a reboot of your DIR-600 because it then forgets its DHCPv6 cache. Hence your IPv6 firewall rules for "Computer 1" and "Computer 2" may now refer to two other computers (those now having these addresses) and this is probably not what you want...

But this is a more theoretical discussion now because in practice I'm afraid you have to accept that the IPv6 firewall implementation seems to be broken.

As far as I can see from your region's D-Link support site the latest official firmware version for your hardware revision B5 is V 2.15 b01, so your firmware version 2.17 seems to be a beta one? If the manual refers to firmware version 2.15 b01, there is no IPv6 firewall at all and if true your firmware version 2.17 will include the first IPv6 firewall implementation for your router model which may be susceptible to errors.

Hence I suggest that you contact D-Link support.

PacketTracer
Logged

noyeske

  • Level 1 Member
  • *
  • Posts: 11
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #14 on: February 01, 2014, 08:39:32 AM »

I updated the firmware from this page http://www.dlink.com/de/de/support/product/dir-600-wireless-n-150-home-router?revision=de_revb5b6

Downloaded from here ftp://ftp.d-link.de/dir/dir-600/driver_software/

I don't know if the firmware is the problem, but I can try to update to 2.15.
Logged