Can't chain 2 IPv6 routers : DIR 818LW IPv6 ingress filtering problem

network1027:

--- Quote from: PacketTracer on January 10, 2016, 12:40:51 PM ---
EDIT2:
Hi network1027,
how stupid I am, it was just this moment when I realized that it is you who initiated the thread that I referred to at the beginning - hence I copied your own answer. But then: why did you ask again, if you exactly know the reason of your problem?

PT

--- End quote ---

Hi PacketTracer  :D

I instantly suspected an Ingress Filtering problem, but :
. my DIR626L trusty old trick isn't functioning with the DIR818LW
. I'm not sure this is an Ingress Filtering problem here : unlike with the DIR626L, I can un-tick the Ingress Filtering checkbox while keeping IPv6 Simple Security ticked, but it doesn't solve the problem

I'll post my new test results next  :)

network1027:
I made some extensive tests, using a native IPv6 connection ( Global Unicast Address ), testing with both :
. Wan static GUA address
. Wan link-local connection to the Internet Gateway

I always get the same results. Here is the network topology :

                       PC1-----|            PC3-----|
PC2----------DIR626L-----------|DIR818LW------------|Internet

PC1 is on LAN1, PC2 is on LAN2, I test the Internet IPv6 access
PC3 is used to try to pass through the DIR818LW Wan firewall ( Firewall Wan-Lan leak test )

Here are the results :

[ Test : Lan 1 IPv6 Internet / Lan 2 IPv6 Internet / Firewall Wan->Lan leak test ]

only IPv6 Simple Security      : OK / OK / not tested
IPv6 Simple Security           : OK / NO / no security
IPv6 Simple Security+Allow OUT : NO / NO / NA
Allow Out                      : NO / NO / NA
IPv6 Simple Security+Deny IN   : OK / NO / no security
Deny IN                        : OK / OK / no security

Here are the conclusions in understandable English :

. with IPv6 Simple Security, PC2 can't access the Internet
. The IPv6 Firewall Wan-->Lan protection is never functioning
. The IPv6 firewall Allow mode is never functioning
. The only way to allow PC2 internet access is by disabling IPv6SS, and using firewall deny mode, deny everything in

Some explanations about the tests performed :

Only IPv6 Simple Security = no Ingress Filtering, no spoof check
IPv6 Simple Security = IPv6 Simple Security + Ingress Filtering + spoof check
IPv6 Simple Security+Allow OUT = IPv6 SS+Firewall ON and allow mode+allow everything out rule
IPv6 Simple Security+Deny IN = IPv6 SS+Firewall ON and deny mode+deny everything in rule

the catch all rule was made using :
from : 1::1-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
to : 1::1-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
protocol : ANY / 1-65535

What is really worrisome is that the IPv6 firewall is NEVER functioning. Each Zenmap penetration test managed to have all its 2003 packets through the Wan firewall ...

Besides, the DHCPv6 doesn't seem to function ( as well as the DHCPv6 part of the SLAAC+Stateless DHCPv6 mode : no DNS received )

Can anybody confirm these strange results ?   ;D
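
The catch-all rule quoted in the post above, checked offline with Python's ipaddress module to see which addresses its bounds actually cover. This is an added example, not part of the original thread or of D-Link's firmware; the helper names and the sample addresses are constructed for illustration, and it checks only the range arithmetic, not how the router evaluates rules.

```python
import ipaddress

# Rule fields exactly as quoted in the post (same range for source and destination).
RULE_FROM = "1::1-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF"
RULE_TO = "1::1-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF"


def parse_range(text):
    """Parse 'start-end' into an ordered pair of IPv6Address objects."""
    start, sep, end = text.partition("-")
    if not sep:
        raise ValueError(f"not a start-end range: {text!r}")
    lo, hi = ipaddress.IPv6Address(start), ipaddress.IPv6Address(end)
    if lo > hi:
        raise ValueError(f"range start is above range end: {text!r}")
    return lo, hi


def in_range(addr, rng):
    """True if addr lies inside the inclusive range."""
    lo, hi = rng
    return lo <= ipaddress.IPv6Address(addr) <= hi


def rule_matches(src, dst):
    """True if a packet src -> dst falls inside both rule ranges."""
    return in_range(src, parse_range(RULE_FROM)) and in_range(dst, parse_range(RULE_TO))


def uncovered(rng):
    """Address space outside the range, summarised as CIDR blocks."""
    lo, hi = rng
    first, last = ipaddress.IPv6Address(0), ipaddress.IPv6Address(2**128 - 1)
    gaps = []
    if lo > first:
        gaps += ipaddress.summarize_address_range(first, lo - 1)
    if hi < last:
        gaps += ipaddress.summarize_address_range(hi + 1, last)
    return [str(net) for net in gaps]


if __name__ == "__main__":
    print("outside the rule:", uncovered(parse_range(RULE_FROM)))
    # Constructed sample addresses (documentation prefix, ULA, link-local, loopback).
    for src, dst in [("2001:db8:1::10", "2001:db8:2::20"), ("fd00::5", "fe80::1"),
                     ("::1", "2001:db8:2::20")]:
        print(f"{src} -> {dst}: {'match' if rule_matches(src, dst) else 'no match'}")
```

The range leaves out only ::/16 and the single address 1::, so global unicast, ULA, link-local and multicast addresses all fall inside it.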

FurryNutz:
I recommend that you contact your regional D-Link support office by phone and ask for help and information regarding this. Reference this thread.
