
Author Topic: IPv6 firewall seems to be totally broken?  (Read 16156 times)

robstoon

  • Level 1 Member
  • *
  • Posts: 8
IPv6 firewall seems to be totally broken?
« on: January 27, 2014, 09:08:38 PM »

Just got a DIR-860L (running firmware 1.05) and am trying to get it set up with a Hurricane Electric IPv6 tunnel. That part is working, but the firewall seems to be presenting problems:

First of all the default setup seems to have no firewall enabled for IPv6 at all. That seems like a rather serious security hole. Going into the Advanced - IPv6 Firewall settings, and turning on "Enable IPv6 Simple Security" seems to have no effect as far as I can tell. All incoming connections from the WAN into the LAN still seem to be allowed. (I'm testing with web sites like nmapv6.packetsize.net that allow you to port scan an IPv6 address from the Internet).

Following some suggestions on this forum I tried using the various options for IPv6 filtering (OFF, ALLOW, DENY). I also tried setting it to ALLOW and tried to add a default rule that should allow all traffic out from LAN to WAN but not any inbound connections. But I did not have any luck at all - all combinations I tried seem to result in either IPv6 not working at all (blocking both inbound and outbound connections) or everything being fully open in both directions.

Has anyone got the IPv6 firewall to work properly on this router?
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: IPv6 firewall seems to be totally broken?
« Reply #1 on: January 28, 2014, 06:58:18 AM »

Welcome!

  • What region are you located in?

Did this router come with v1.05 or did you upgrade it?

Internet Service Provider and Modem Configurations
  • What ISP Service do you have? Cable or DSL?
  • What ISP Modem Mfr. and model # do you have?
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: IPv6 firewall seems to be totally broken?
« Reply #2 on: January 28, 2014, 01:47:18 PM »

Hi robstoon,

In another thread (see here), some strange behaviour of the DIR-860L's firewall was observed as well. According to that, the start addresses of the Source and Dest IP Address Range should be different. So give it a try and configure an "AllowAllOut" rule (LAN --> WAN) using the

     Source IP Address Range ::/0 = :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff (LAN)

and the

     Dest IP Address Range 2000::/3 = 2000:: - 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff (WAN)

where 2000::/3 denotes the IPv6 address range that is actually used in the Internet.

The details:

  • Switch IPv6 firewall on by selecting Turn IPv6 Filtering ON and ALLOW rules listed.
  • Check the check box (!) for the first (and only) rule in the first column (making this rule active).
  • Name: AllowAllOut (or any other name you like)
  • Schedule: Always
  • Source Interface: LAN
  • Source IP Address Range:
    ::
    -
    ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
  • Protocol: ALL
  • Dest Interface: WAN
  • Dest IP Address Range:
    2000::
    -
    3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

In addition you might Enable Simple IPv6 Security whose mode of operation we tried to figure out in this thread.

PacketTracer
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: IPv6 firewall seems to be totally broken?
« Reply #3 on: January 28, 2014, 02:00:46 PM »

PT, are any of these threads that you've been handling, and been very helpful in, in need of additional D-Link review? If any of these need review and, in your opinion, changes or modifications, please let me know. I don't know what goes on in the IPv6 section or who works on it, and I'd want to at least make D-Link aware of these issues so they can review and make the necessary changes.
Logged

robstoon

  • Level 1 Member
  • *
  • Posts: 8
Re: IPv6 firewall seems to be totally broken?
« Reply #4 on: January 28, 2014, 07:44:16 PM »

I tried the settings that PacketTracer suggested. No success unfortunately - with those in effect, regardless of whether IPv6 Simple Security is enabled or disabled, all IPv6 traffic appears to be blocked in both directions. In the router logs under Router Status, I get entries like this:

Drop TCP packet (src: (my IP address) /48112, dst:2a03:2880:0020:8f08:face:b00c:0000:0001/80) by firewall rule(s).

Clearly this firewall rule should be allowing this packet to go through, so it seems like the rules are simply not being applied properly in this version of the firmware.
Logged
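Added example, not part of the original posts: a check of router log lines against the AllowAllOut rule from Reply #2, showing that the drop quoted in Reply #4 hits a packet the rule covers. The LAN prefix 2001:db8:1::/64 and the sample lines are constructed (only the destination and ports of the first line come from the thread), and the log format is assumed to match the one quoted line.

```python
import ipaddress
import re

# Destination range of the AllowAllOut rule (2000:: - 3fff:ffff:...:ffff).
# The rule's source range ::/0 matches every address, so it needs no check.
RULE_DST = ipaddress.IPv6Network("2000::/3")
# Assumption: constructed LAN prefix standing in for the poster's redacted one.
LAN_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")

# Pattern built from the single log line quoted in the thread.
DROP_RE = re.compile(
    r"Drop (?P<proto>\w+) packet \(src:\s*(?P<src>[0-9a-fA-F:]+)\s*/(?P<sport>\d+),"
    r"\s*dst:\s*(?P<dst>[0-9a-fA-F:]+)\s*/(?P<dport>\d+)\) by firewall rule\(s\)\.")

def classify(line, lan=LAN_PREFIX):
    """Return None for non-drop lines, else a label for the dropped packet."""
    m = DROP_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.IPv6Address(m["src"])
        dst = ipaddress.IPv6Address(m["dst"])
    except ValueError:
        return "unparsable-address"
    if src in lan and dst in RULE_DST:
        return "outbound-drop-despite-allow-rule"  # the symptom in Reply #4
    if dst in lan and src not in lan:
        return "inbound-drop"                      # what a firewall should do
    return "other-drop"                            # e.g. link-local, multicast

def rule_mismatches(lines, lan=LAN_PREFIX):
    """Lines where the firewall dropped traffic the ALLOW rule covers."""
    return [l for l in lines
            if classify(l, lan) == "outbound-drop-despite-allow-rule"]

# Constructed sample log (source addresses are documentation-prefix values).
SAMPLE_LOG = [
    "Drop TCP packet (src: 2001:db8:1::10 /48112, "
    "dst:2a03:2880:0020:8f08:face:b00c:0000:0001/80) by firewall rule(s).",
    "Drop TCP packet (src: 2a03:2880:0020:8f08:face:b00c:0000:0001 /443, "
    "dst:2001:db8:1::10/22) by firewall rule(s).",
    "Drop UDP packet (src: 2001:db8:1::10 /5353, dst:ff02::fb/5353) by firewall rule(s).",
    "System time updated.",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), "|", line)
```

Any line labelled `outbound-drop-despite-allow-rule` is evidence that the configured rule is not being applied as written, which is what the log entry in Reply #4 shows.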

robstoon

  • Level 1 Member
  • *
  • Posts: 8
Re: IPv6 firewall seems to be totally broken?
« Reply #5 on: January 28, 2014, 07:54:07 PM »

Looking at the other thread that was mentioned, it looks like user "v6" saw the same problem. I am not sure why that thread was tagged as Solved, then, since as far as I can tell they fixed their routing issue but never seem to have gotten the firewall to work.

It's totally unacceptable for a router to ship with no firewall enabled on IPv6 by default, let alone one where it's not possible to even enable one properly. This is a major security issue for anyone that has IPv6 enabled on these routers.
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: IPv6 firewall seems to be totally broken?
« Reply #6 on: January 29, 2014, 06:52:19 AM »

I recommend that you phone your regional D-Link support office. Ask for level 2 or higher support and talk to someone about this. If this IS a problem, this is beyond forum help and needs to be addressed by D-Link development.

Please let us know what they say.
Logged

v6

  • Level 1 Member
  • *
  • Posts: 15
Re: IPv6 firewall seems to be totally broken?
« Reply #7 on: January 29, 2014, 07:10:22 AM »

Hi FurryNutz and robstoon

robstoon as you mention my immediate problem was about routing which got solved. That is why I changed the status of the thread.
I happen to use a software firewall.
However just like you I experienced the odd firewall behavior with firmware 1.05, but it does not pose an immediate problem for me, but yes it would of course be nice if it got fixed.

- v6
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: IPv6 firewall seems to be totally broken?
« Reply #8 on: January 29, 2014, 07:18:19 AM »

v6, I changed the status of your thread to (WORK AROUND) as it's not a native solution to the problem on these routers.

I'll forward this on to D-Link for review.

I recommend that those involved please phone D-Link support and let them know about this issue with IPv6. The more they know about users having problems, the better information they will have to get a fix put into place.

I'll post back if I hear anything. Please let us know if you get any information from phone support.
Logged

v6

  • Level 1 Member
  • *
  • Posts: 15
Re: IPv6 firewall seems to be totally broken?
« Reply #9 on: January 29, 2014, 08:54:41 AM »

Hi FurryNutz and robstoon

It turned out that the problem in the other thread (that I started) was about the router that comes before the DIR-860L. Meaning the DIR-860L has no problem in that regard.

The flaw was in the ISP-router regarding 1) a missing route + 2) an adjustment to the subnet prefix of the ISP-router LAN (seen as the WAN of the DIR-860L).

I hope to have (now) cleared that up. That is why I set the thread to solved, because it was more related to my specific problem (and not caused by the DIR-860L.) So as such it was a misconfiguration and not a work around. But I will leave it to you FurryNutz to define what it is and what you prefer.

Regarding the firewall settings I'm not sure if I'll contact dlink (by phone), but if at some time I make up my mind and contact dlink it will be through e.g. http://www.dlink.com/dk/da/support/contact and eSupport because I will typically be at work or travelling when there is telephone support at dlink in Denmark.

But robstoon please post if you get in contact with dlink support.

- v6
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: IPv6 firewall seems to be totally broken?
« Reply #10 on: January 29, 2014, 09:11:15 AM »

Let us know if you find out anything as well.

Good Luck.

Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: IPv6 firewall seems to be totally broken?
« Reply #11 on: January 29, 2014, 04:35:20 PM »

Wow. I must say I wish we had more users like you who could be as detailed. Thank you for taking the time to put all this together. I forwarded an earlier email today. I'm going to forward this as well so they can review it and they'll have the information. I sincerely hope good things will come from all this.

Again, thank you for your time and efforts. I may move this thread into a different area and maybe combine all the IPv6 issues into one area. I think it might be time for IPv6 to have its own forum.

Thank you for sharing, being a part of the D-Link forums and have a great evening.

Furry  ;)
Logged

robstoon

  • Level 1 Member
  • *
  • Posts: 8
Re: IPv6 firewall seems to be totally broken?
« Reply #12 on: February 03, 2014, 10:38:41 PM »

Just to update, I've been emailing back and forth a few times with D-Link support, but they've been a bit slow in responding. Hopefully that means that someone who actually knows what's going on is looking into the problem.
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: IPv6 firewall seems to be totally broken?
« Reply #13 on: February 04, 2014, 08:48:24 AM »

FYI, PacketTracer sent me a detailed summary about all the various IPv6 issues seen on various model routers. I have forwarded that information to D-Link for their review. I presume it will be looked at and hopefully changes will come about. I don't know if, when or where. Please be patient, and if you are in contact with D-Link support, keep the communications going as best as possible. The more people get in contact with support, the better D-Link will be aware of all this and should effect some changes.

Furry.
Logged

robstoon

  • Level 1 Member
  • *
  • Posts: 8
Re: IPv6 firewall seems to be totally broken?
« Reply #14 on: February 13, 2014, 09:17:43 AM »

Well, as a non-update update, I have not heard anything back from D-Link since they last asked me for more info on Jan. 31. I asked for an update on Feb. 7 and haven't gotten a response either. Not super impressed.
Logged