• March 19, 2024, 12:40:17 AM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Author Topic: IPv6 Firewall, and Remote Administration  (Read 10831 times)

id2

  • Level 1 Member
  • *
  • Posts: 12
IPv6 Firewall, and Remote Administration
« on: March 06, 2016, 11:54:14 AM »

I have recently discovered that this DIR-family of routers is completely accessible via the IPv6 from the WAN. If the device received an IPv6 from internet provider, then the routers authentication screen is presented, even though it is explicitly configured not to have remote administration under Admin section. In summary the remote administration appears to only secure the IPv4, not the IPv6 side of the router.

the IPv6 page presents the typical admin login page and clearly show the device name hardware version and software version. if users did not change the default admin password the router is completely exposed to the WAN  :o

if secured, when looking through the logs, owners can see failed login attempts from IPv6 side, they will appear as such.

Httpd: remote 3881 login password fail ...

Question:

is there a way to secure remote administration over IPv6 on the DIR-855L and others DIR-* ?

is there a plan to fix this ?

is there a plan to provide IPv6 firewall information, currently the firewall section for the DIR-family routers is blank.
Logged
Cable:30Mb/15Mb > Motorola_SB6121 > pfsense_2.2_(Intel box) > DIR-855L

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: IPv6 Firewall, and Remote Administration
« Reply #1 on: March 06, 2016, 12:07:42 PM »

Link>Welcome!

  • What Hardware version is your router? Look at sticker under the router case.
  • Link>What Firmware version is currently loaded? Found on the routers web page under status.
  • What region are you located?

Most DIR series routers have IPv6 support. Some older ones don't.

Can you post a picture of what your seeing?
What browser are you using?
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

id2

  • Level 1 Member
  • *
  • Posts: 12
Re: IPv6 Firewall, and Remote Administration
« Reply #2 on: March 06, 2016, 12:38:20 PM »

Hardware Version: A1     
Firmware Version: 1.02 
Region: USA
Logged
Cable:30Mb/15Mb > Motorola_SB6121 > pfsense_2.2_(Intel box) > DIR-855L

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: IPv6 Firewall, and Remote Administration
« Reply #3 on: March 06, 2016, 01:30:57 PM »

Let us know what browser your using and post a capture of what your seeing.
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

id2

  • Level 1 Member
  • *
  • Posts: 12
Re: IPv6 Firewall, and Remote Administration
« Reply #4 on: March 07, 2016, 09:51:11 AM »

i used all three different browsers, and results are the same and would be the same for anyone else.

the problem is, the WAN side IPv6 of the Dlink DIR-* wireless router(s), is (are) accessible from the WAN or Internet, because the "ADMINISTRATOR SETTINGS"  and default IPv6 FIREWALL do not seems to apply to the IPv6.

as for the screenshot, it would/does look identical to the 192.168.0.1, for your/owner respective router, for the exception, that the address is the IPv6 address given by the internet provider.  * it is not the link local address with the prefix fe80::/64

I am not talking about connecting to the router via the IPv6 link-local address.

one way to test your own router, is to log in, and see the "WAN IPv6 Address:", then from internet device (not you LAN) connect to the IPv6 of the address given/assigned to your IPv6 WAN side.

 to use type in http://[youripv6goeshere] or https://[youripv6goeshere]
 * note please omit the /128 or/64 from the end of the WAN IPv6 Address of your wireless router.

another way is to scan (at your own risk) the provider side network and discover dlink webcams, among other devices, some are defaulted  ;D
Logged
Cable:30Mb/15Mb > Motorola_SB6121 > pfsense_2.2_(Intel box) > DIR-855L

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: IPv6 Firewall, and Remote Administration
« Reply #5 on: March 07, 2016, 10:05:29 AM »

So does disabling the IPv4 remote access and HTTPS server features listed under Tools/Admin, the IPv6 version of the remote web page can still be viewed?
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

id2

  • Level 1 Member
  • *
  • Posts: 12
Re: IPv6 Firewall, and Remote Administration
« Reply #6 on: March 07, 2016, 11:15:11 AM »

yes, exactly my point!  :)

disabling the the IPv4 remote access and HTTPS server features, has no impact on the IPv6 version of the remote web page access and view.

"By DEFAULT, subscriber-managed residential gateways MUST NOT offer management application services to the exterior network."
#point 50, http://ipv6friday.org/wp-content/uploads/2012/08/ipv6friday-ipv6-cpe-security.pdf

http://tools.ietf.org/html/rfc6092
« Last Edit: March 07, 2016, 11:43:58 AM by id2 »
Logged
Cable:30Mb/15Mb > Motorola_SB6121 > pfsense_2.2_(Intel box) > DIR-855L

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: IPv6 Firewall, and Remote Administration
« Reply #7 on: March 07, 2016, 01:20:06 PM »

I'll try and do some digging on this. You may need to phone contact D-Link support, ask for elevated support as I don't think level 1 can help here. Let us now if you find out anything.
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.