D-Link Forums
The Graveyard - Products No Longer Supported => Routers / COVR => DIR-600 => Topic started by: noyeske on January 29, 2014, 10:07:49 PM
-
Hello, I want to configure my router's IPv6 rules, but I can't do what I want...
If I enable the IPv6 firewall (Turn IPv6 filtering on and allow rules listed) and I specify a rule for outgoing traffic:
Name: AllowAnyOutgoingTraffic
Schedule: Always
Source Interface: LAN
Source IP Address Range: 0:0:0:0:0:0:0:0 - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Protocol: Any
Dest Interface: WAN
Dest IP Address Range: :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Every computer and laptop has its own IPv6 address, but can't access the internet with this rule. (http://s3.postimg.org/oxtm575w3/Clipboard01.jpg)
And I want only 2 or 3 computers to access the internet with IPv6. How can I do this? I don't know enough about IPv6... In the IPv4 filter/MAC address filter/network filter I can control which computers can access the internet.
For example:
two computers with IPv4, network filter ON and DHCP reservation
192.168.0.100 >>> 36:40:77:sb:b3:46 > can access the internet
192.168.0.101 >>> 87:23:89:6s:l6:66 > can access the internet
any other computer can't access the internet
How do I do this with IPv6 in firewall rules?
From DHCP-PD I got these:
2a02:2f08:30e7::3
2a02:2f08:30e7::4
Only the :3 and the :4 are fixed; how do I make rules so that only these 2 computers have access?
Thanks in advance
-
Link>Welcome! (http://forums.dlink.com/index.php?topic=41537.0)
- What region are you located?
Internet Service Provider and Modem Configurations
- What ISP Service do you have? Cable or DSL?
- What ISP Modem Mfr. and model # do you have?
- What ISP Modem service link speeds UP and Down do you have?
-
I am from Romania, I have RDS-RCS, Fibernet/Cable, I don't have a modem, and the details: upload 30 Mbps, download 50 Mbps.
-
Hi noyeske,
Every computer, laptop has his own ipv6 ip, but cant access the internet with this rule.
Nothing looks wrong with your rule "AllowAnyOutgoingTraffic", although you might specify the start address of the Source IP Address Range (LAN) as "::" instead of "0:0:0:0:0:0:0:0" as you did for the start address of the Dest IP Address Range.
Question:
Just to be sure that it is not the firewall that prevents your computers and laptops from accessing the Internet: Can they access the IPv6 Internet (for examples of IPv6-only sites look here: http://ipv6.cybernode.com/list-of-ipv6-only-sites) if your IPv6 firewall and the "Simple Security" option (if available within your router model) are both switched off/deactivated?
If not, you first have to inspect if all other IPv6 settings are correct.
If yes: There are some IPv6 firewall implementations within D-Link routers known to have problems if "Source IP Address Range" and "Dest IP Address Range" are the same or have the same start address. Is this the case for you too, and was this the reason why you selected "0:0:0:0:0:0:0:0" for the start address of the Source IP Address Range in order to make it at least syntactically different from the start address of the Dest IP Address Range? If so I would suggest configuring the following IP Address Ranges:
- Source IP Address Range: :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- Dest IP Address Range: 2000:: - 3ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
The Dest IP Address Range corresponds to the prefix 2000::/3 which denotes all addresses that are currently used in public IPv6 Internet. Please give it a try if it improves your situation.
And I want to access the internet only 2 or 3 computer with ipv6
...
how to do this with ipv6 in firewall rules
from the DHCP-PD I got these:
2a02:2f08:30e7::3
2a02:2f08:30e7::4
only the :3 and the :4 are fixed and how to make rules to have access only this 2 computer?
If
- (1) the prefix 2a02:2f08:30e7::/64 is static and never changes and
- (2) your computers only have fixed addresses derived from 2a02:2f08:30e7::/64 (e.g. no address due to privacy extensions)
you could specify one IPv6 firewall rule per address per computer with the following Source IP Address Ranges:
- 2a02:2f08:30e7::3 - 2a02:2f08:30e7::3 for 1st computer
- 2a02:2f08:30e7:0:<2nd address> - 2a02:2f08:30e7:0:<2nd address> for 1st computer
- ...
- 2a02:2f08:30e7::4 - 2a02:2f08:30e7::4 for 2nd computer
- 2a02:2f08:30e7:0:<2nd address> - 2a02:2f08:30e7:0:<2nd address> for 2nd computer
- ...
Hence any other computer for which no corresponding rule exists will have no (IPv6) Internet access.
BUT: If the prefix you get via DHCP-PD might change, you have no opportunity to select only a subset of your computers for allowed IPv6 Internet access via IPv6 firewall rules.
The only chance I see in this case is if the configuration settings of your router allow selecting other criteria than IPv6 source addresses (e.g. MAC addresses) in order to specify selective rules for Internet access.
Unfortunately I don't know the configuration possibilities of your device, hence I can't be helpful in this regard. Maybe the configuration possibilities within D-Link routers for IPv6 are not yet developed to a satisfying level, as is the case for IPv4.
PacketTracer
-
First of all: here is my firewall settings menu, I don't have a Simple Security option or whatever
(http://s29.postimg.org/4y8eb3v3r/Clipboard03.jpg)
I modified the settings, now it looks like:
(http://s22.postimg.org/5aqiqmpy9/Clipboard02.jpg)
I can't insert this: 3ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, but if I modify it to 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff it's okay, but nothing changes, I can't access the internet. I left the address at ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff but the same...
It's important: when I turn IPv6 filtering OFF, I can access the internet; my firewall is IPv6 compatible, and everything is okay and working.
I have a question: is the first firewall rule required if I want only 2 computers to access the internet? Isn't it enough to make 2 rules for the two computers to access the internet with IPv6?
In the second picture you can see I had to modify the addresses because the router says they're incorrect..., but no internet over IPv6.
And thanks for your reply :)
-
Hi noyeske,
I cant insert this: 3ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, but if I modified to 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff its okey but nothing changes, I cant access the internet, I left the address on ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff but the same...
Well, one "f" too many; it was already late yesterday evening...
According to the settings of your first screenshot it should work, meaning it should be possible to access the Internet and to be protected against unsolicited traffic WAN-->LAN.
Obviously your firewall is broken as in some other D-Link routers.
I remember one case, where the firewall worked only if the Source IP Address Range was smaller than a /64, look here (http://forums.dlink.com/index.php?topic=55088.0). Given it is the same problem in your case and that your LAN prefix 2a02:2f08:30e7::/64 you get via DHCP-PD is fixed (=never changes), you could solve the problem via the following two rules:
Turn IPv6 Filtering ON and ALLOW rules listed
(1st active rule):
Name: AllowLowerHalf
Schedule: Always
Source Interface: LAN
Source IP Address Range: 2a02:2f08:30e7:: - 2a02:2f08:30e7:0:7fff:ffff:ffff:ffff
Protocol: ALL
Dest Interface: WAN
Dest IP Address Range: 2000:: - 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
(2nd active rule):
Name: AllowUpperHalf
Schedule: Always
Source Interface: LAN
Source IP Address Range: 2a02:2f08:30e7:0:8000:: - 2a02:2f08:30e7:0:ffff:ffff:ffff:ffff
Protocol: ALL
Dest Interface: WAN
Dest IP Address Range: 2000:: - 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
I have a question, the first firewall rule required if I want only to access the internet only 2 computer ? Its not enough to make 2 rules for two computer to access the internet with ipv6?
On the second picture you can view, I had to modify the addressees because the router says its incorrect ..., but no internet from ipv6
Yes, of course the first rule is not required! On the contrary, it has to be deleted or at least deactivated if you want the second and third rule to become effective! However you specified a wrong Dest IP Address Range 2a02:2f08:30e7:0:: - 2a02:2f08:30e7:0:: in both rules, which makes no sense!
To be precise you would have to configure the following:
Turn IPv6 Filtering ON and ALLOW rules listed
(1st active rule):
Name: AllowComputer1
Schedule: Always
Source Interface: LAN
Source IP Address Range: 2a02:2f08:30e7::3 - 2a02:2f08:30e7::3
Protocol: ALL
Dest Interface: WAN
Dest IP Address Range: 2000:: - 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
(2nd active rule):
Name: AllowComputer2
Schedule: Always
Source Interface: LAN
Source IP Address Range: 2a02:2f08:30e7::4 - 2a02:2f08:30e7::4
Protocol: ALL
Dest Interface: WAN
Dest IP Address Range: 2000:: - 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
But once again as I already said in my first post: You have to make sure that 2a02:2f08:30e7::3 for Computer 1 and 2a02:2f08:30e7::4 for Computer 2 are the only global addresses these computers can use to communicate with the IPv6-Internet! This means:
- Otherwise, for any other global but fixed IPv6 address one of these computers has (e.g. resulting from SLAAC) you would have to specify an additional rule as described above configuring a Source IP Address Range that corresponds to this other fixed IPv6 address.
- The computers you want to allow Internet access must not have dynamically changing additional addresses because you can't configure IPv6 firewall rules for changing source addresses. Those dynamically changing addresses may result from active "Privacy Extensions" and they are preferred when the computers initiate communication. Hence this case wouldn't be covered by your firewall rules. So if active please deactivate Privacy Extensions on your computers you want to allow Internet Access. E.g. for a Windows PC you can do this via the command
netsh int ipv6 set priv dis
within a command prompt you started with administrative rights (run as administrator).
PacketTracer
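The following Python script is an added illustration for this thread, not D-Link's code and not something PacketTracer posted. It models the allow-list semantics behind both PacketTracer's first reply (the 2000::/3 prefix expanding to the range 2000:: - 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) and the two rulesets above (AllowLowerHalf/AllowUpperHalf and AllowComputer1/AllowComputer2). The rule names and addresses are taken from the thread; the evaluation model (default deny, first matching allow rule wins), the temporary privacy-extensions address and the destination address are assumptions constructed for the example. It also makes one point concrete: the per-host rules reject a privacy-extensions address on the same /64, while the two half rules admit every host on the /64 and therefore do not restrict access to two computers.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: "Turn IPv6 Filtering ON and ALLOW rules listed" is modelled as
# default deny, with the first matching allow rule deciding.


@dataclass(frozen=True)
class Rule:
    name: str
    src_start: str
    src_end: str
    dst_start: str
    dst_end: str

    def matches(self, src: str, dst: str) -> bool:
        """True when both source and destination fall inside the rule's ranges."""
        s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        return (ipaddress.IPv6Address(self.src_start) <= s <= ipaddress.IPv6Address(self.src_end)
                and ipaddress.IPv6Address(self.dst_start) <= d <= ipaddress.IPv6Address(self.dst_end))


def prefix_to_range(prefix: str) -> Tuple[str, str]:
    """Expand a CIDR prefix into the first/last address the router's range fields expect."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(net[0]), str(net[-1])


def is_valid_address(text: str) -> bool:
    """The router rejects '3ffff:...' because one hextet has five hex digits."""
    try:
        ipaddress.IPv6Address(text)
    except ipaddress.AddressValueError:
        return False
    return True


def first_match(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """Name of the first allow rule matching the packet, or None (default deny)."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.name
    return None


def halves_partition_prefix(rules: List[Rule], prefix: str) -> bool:
    """Check that two range rules cover the prefix end to end with no gap or overlap."""
    lo, hi = sorted(rules, key=lambda r: ipaddress.IPv6Address(r.src_start))
    net = ipaddress.IPv6Network(prefix)
    return (ipaddress.IPv6Address(lo.src_start) == net[0]
            and ipaddress.IPv6Address(lo.src_end) + 1 == ipaddress.IPv6Address(hi.src_start)
            and ipaddress.IPv6Address(hi.src_end) == net[-1])


# 2000::/3, the range PacketTracer gives for the public IPv6 Internet.
INTERNET = prefix_to_range("2000::/3")

# Per-computer rules from the thread (AllowComputer1 / AllowComputer2).
PER_HOST_RULES = [
    Rule("AllowComputer1", "2a02:2f08:30e7::3", "2a02:2f08:30e7::3", *INTERNET),
    Rule("AllowComputer2", "2a02:2f08:30e7::4", "2a02:2f08:30e7::4", *INTERNET),
]

# The two sub-/64 rules from the thread (AllowLowerHalf / AllowUpperHalf).
HALF_RULES = [
    Rule("AllowLowerHalf", "2a02:2f08:30e7::", "2a02:2f08:30e7:0:7fff:ffff:ffff:ffff", *INTERNET),
    Rule("AllowUpperHalf", "2a02:2f08:30e7:0:8000::", "2a02:2f08:30e7:0:ffff:ffff:ffff:ffff", *INTERNET),
]

# Constructed sample values: a privacy-extensions temporary address on the same
# /64 and a destination somewhere inside 2000::/3.
TEMP_ADDR = "2a02:2f08:30e7:0:1c2b:9a4e:77d1:0f35"
WEB_SERVER = "2001:db8::80"

if __name__ == "__main__":
    print("Internet range:", INTERNET)
    print("3ffff valid?", is_valid_address("3ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"))
    print("::3 via per-host rules:", first_match(PER_HOST_RULES, "2a02:2f08:30e7::3", WEB_SERVER))
    print("temporary address via per-host rules:", first_match(PER_HOST_RULES, TEMP_ADDR, WEB_SERVER))
    print("temporary address via half rules:", first_match(HALF_RULES, TEMP_ADDR, WEB_SERVER))
    print("halves partition the /64:", halves_partition_prefix(HALF_RULES, "2a02:2f08:30e7::/64"))
```

Run it as a script to see the range expansion, the rejected five-digit hextet, and which rule (if any) each sample source hits.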
-
Hello :)
I tried everything but nothing worked for me ...
(http://s30.postimg.org/immk792z5/Clipboard04.jpg)
(http://s28.postimg.org/xlzc7wwfx/Clipboard05.jpg)
(http://s9.postimg.org/ynn5tru8v/Clipboard06.jpg)
(http://s17.postimg.org/wkcx84iq7/Clipboard07.jpg)
(http://s18.postimg.org/pvo0u1c1l/Clipboard08.jpg)
If these pictures can help... I can reach the internet only in one way, if I turn off the firewall...
-
Hi, could you please post the output of "ipconfig /all" within a command prompt of your Windows PC?
-
Hello,
http://pastebin.com/vudXNdGA
I posted here :)
-
I forgot this:
(http://s29.postimg.org/54loid7if/Clipboard09.jpg)
-
Hi noyeske,
Hello,
http://pastebin.com/vudXNdGA
I posted here
Looking at that, I can't see where this PC has its IPv6 configuration? Neither a global IPv6 address 2a02:2f08:30e7::3 nor the default gateway of your D-Link router (fe80::baa3:86ff:feab:3e63) is configured. Hence this PC is not able to talk to the Internet via IPv6. Wrong PC?
PacketTracer
-
Hello,
Oops, I forgot; when you answered this I was not at home. No, not the wrong PC, only the wrong network :D
In a few minutes I'll go home and do it again, sorry for this.
-
Hi, here it is in the home network:
http://pastebin.com/LN1mZYsZ
-
Hi noyeske,
Hi, here its in the home network:
http://pastebin.com/LN1mZYsZ
Well, looks perfect. Was just for me to see if there is really only the one and only global IPv6 address 2a02:2f08:30e7::4 active. Looking at the other information you posted it's clear now that it stems from the stateful DHCPv6 configuration of your DIR-600.
Just a comment on this: Since there is no option to configure DHCPv6 reservations it is not guaranteed that any of your computers will always get assigned the same IPv6 address again. For example it might be different after a reboot of your DIR-600 because it then forgets its DHCPv6 cache. Hence your IPv6 firewall rules for "Computer 1" and "Computer 2" may now refer to two other computers (those now having these addresses) and this is probably not what you want...
But this is a more theoretical discussion now because in practice I'm afraid you have to accept that the IPv6 firewall implementation seems to be broken.
As far as I can see from your region's D-Link support site (http://www.dlink.com/ro/ro/support/product/dir-600-wireless-n-150-home-router?revision=deu_revb5) the latest official firmware version for your hardware revision B5 is V 2.15 b01, so your firmware version 2.17 seems to be a beta one? If the manual (http://www.dlink.com/-/media/Consumer_Products/DIR/DIR%20600/Manual/DIR_600_revb5_man_en_Manual.pdf) refers to firmware version 2.15 b01, there is no IPv6 firewall at all and if true your firmware version 2.17 will include the first IPv6 firewall implementation for your router model which may be susceptible to errors.
Hence I suggest that you contact D-Link support.
PacketTracer
-
I updated the firmware from this page http://www.dlink.com/de/de/support/product/dir-600-wireless-n-150-home-router?revision=de_revb5b6
Downloaded from here ftp://ftp.d-link.de/dir/dir-600/driver_software/
I don't know if the firmware is the problem, but I can try to update to 2.15
-
Hi again,
so you installed the German version which is not for your region. This may cause problems. So try again with firmware version 2.15 b01 developed for models marketed in your region.
PacketTracer
-
Hi once more,
within your region the EU firmware version seems to be the right one since the download link for the official firmware version 2.15 b01 at your region's D-Link support site (http://www.dlink.com/ro/ro/support/product/dir-600-wireless-n-150-home-router?revision=deu_revb5) points to "dlink.eu".
Looking at this FTP repository you can find a newer firmware version 2.16 b05:
--> ftp://ftp.dlink.eu/Products/dir/dir-600/driver_software/DIR-600_fw_revb5_2-16b05_all_en_20130527.zip
Perhaps it may be helpful to install this version instead of a version 2.17 specific to devices marketed in Germany.
PacketTracer
-
I tried many variations of all kinds but no one worked for me ... thank you very much for your help :)
-
If I disable the firewall everything works... I am in the same place...
First of all I updated the firmware to 2.16.
But when I disable the firewall, the status in the IPv6 routing menu looks like: (http://s15.postimg.org/60xxoq0iz/Clipboard01.jpg)
If I enable it with this rule: (http://s18.postimg.org/78oqjlcfd/Clipboard02.jpg)
the routing status looks like: (http://s9.postimg.org/kv8fcyg6n/Clipboard03.jpg)
and I can't access the internet over IPv6...
-
Hi again,
there are two observations:
- Comparing the recent data to the data you posted some time ago it turns out that the LAN prefix you get delegated via DHCP-PD is not fixed but obviously changes - probably every time a new PPPoE session is established (previous LAN prefix was 2a02:2f08:30e7::/64, present LAN prefix is 2a02:2f08:30d1:8900::/64).
Hence, your original request to configure IPv6 firewall rules that allow Internet access for a subset of your LAN clients only (identified by their source IPv6 address derived from a changing prefix) is not feasible because the ruleset does not adjust to changing LAN prefixes.
There are IPv6 firewall implementations in home routers on the market (e.g. the products of a well known German manufacturer) which allow this because they only use the host identifier (the last 64 bits of an IPv6 address) within firewall rules which may be kept constant while the (irrelevant) prefix (the first 64 bits of an IPv6 address) might change.
Using a D-Link firewall you must ask your ISP for a fixed prefix in order to put your firewall needs into practice. Otherwise within firewall rules you can only use source address ranges that cover any LAN prefixes you might ever get delegated, e.g. :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff or the address block your ISP got delegated from RIPE; in the case of your ISP RCS&RDS this is the block 2a02:2f00::/28, which corresponds to the range 2a02:2f00:: - 2a02:2f0f:ffff:ffff:ffff:ffff:ffff:ffff.
- Your ISP obviously doesn't assign a global IPv6 prefix to the PPPoE link that connects your router to your ISP's edge router. Instead the link local prefix fe80::/64 is used for this only. Although unusual this is allowed and works as you can see from the fact that you have IPv6 Internet access - at least when your IPv6 firewall is switched off.
Looking at your IPv6 routing table:
Entries without a gateway (denoted as "::") might specify one of following:
- A directly attached network, e.g. your LAN 2a02:2f08:30d1:8900::/64
- An IPv6 address assigned to a local interface - no example available in your table
- An IPv6 address of another device reachable via the interface listed in the entry, e.g. your LAN PC 2a02:2f08:30d1:8900::4 reachable via the LAN interface or 2a02:2f08:30df:ffff::bc1b:1aca which is your ISP's edge router reachable via INTERNET interface.
And of course you have a default gateway fe80::1 which obviously is the link local address of your ISP's edge router reachable via INTERNET interface.
It is interesting now that the entry for your LAN client 2a02:2f08:30d1:8900::4 disappears as soon as you switch on the IPv6 firewall. This looks as if the router is no longer able to discover your LAN clients because the IPv6 firewall seems to block Neighbor Discovery packets (a special type of ICMPv6 packets e.g. used to resolve IPv6 addresses of neighboring nodes to MAC addresses).
Hence I draw the conclusion (but this is a wild guess only) that D-Link's firewall implementation gets confused from the situation that it does not have a global IPv6 address assigned to its WAN interface, and maybe instead of applying rules to the WAN interface it erroneously applies them to the LAN interface (e.g. blocking ICMPv6 ND) because it can't differentiate between them if the WAN interface has been assigned a link local IPv6 address only.
You might perhaps test whether my assumption is right by not using the native IPv6 access offered by your ISP but by temporarily configuring a 6to4 tunnel and checking if your IPv6 firewall works properly in this case (of course your ISP must not block IPv4 packets that contain IPv6 packets - so-called type 41 packets - as is the case with 6to4).
In any case you might ask your ISP if he could assign a global prefix to your PPPoE WAN link - hoping that this might solve your IPv6 firewall problem.
PacketTracer
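To make the prefix-change problem in the first observation above concrete, here is an added Python example (not D-Link code, not part of the thread). It takes the two delegated prefixes quoted in the post (2a02:2f08:30e7::/64 before, 2a02:2f08:30d1:8900::/64 after) and the RIPE block 2a02:2f00::/28, and shows that a D-Link style full-address rule for ::4 stops matching after renumbering, whereas a rule keyed on the host identifier (the low 64 bits, the behaviour PacketTracer attributes to other vendors' firewalls, modelled here as an assumption) keeps matching, and that the /28 block range covers both prefixes. The sample addresses other than those quoted are constructed.

```python
import ipaddress
from typing import Tuple

# Prefixes observed in the thread before and after the PPPoE session changed.
OLD_PREFIX = ipaddress.IPv6Network("2a02:2f08:30e7::/64")
NEW_PREFIX = ipaddress.IPv6Network("2a02:2f08:30d1:8900::/64")
IID_MASK = (1 << 64) - 1


def interface_id(addr: str) -> int:
    """Low 64 bits of an address: the host identifier that survives a prefix change."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def renumber(addr: str, new_prefix: ipaddress.IPv6Network) -> str:
    """Address the same host gets after the ISP delegates new_prefix (IID kept, prefix swapped)."""
    return str(ipaddress.IPv6Address(int(new_prefix.network_address) | interface_id(addr)))


def full_address_rule_matches(rule_addr: str, packet_src: str) -> bool:
    """D-Link style rule: the whole 128-bit source address must match."""
    return ipaddress.IPv6Address(rule_addr) == ipaddress.IPv6Address(packet_src)


def iid_rule_matches(rule_addr: str, packet_src: str) -> bool:
    """Assumed behaviour of an IID-based firewall: only the low 64 bits are compared."""
    return interface_id(rule_addr) == interface_id(packet_src)


def prefix_range(prefix: str) -> Tuple[str, str]:
    """First/last address of a prefix, e.g. the ISP block 2a02:2f00::/28."""
    net = ipaddress.IPv6Network(prefix)
    return str(net[0]), str(net[-1])


def covered(addr: str, prefix: str) -> bool:
    """True when addr lies inside prefix (used to size a range that survives renumbering)."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix)


if __name__ == "__main__":
    rule = "2a02:2f08:30e7::4"            # AllowComputer2 as written for the old prefix
    now = renumber(rule, NEW_PREFIX)       # same host after the prefix changed
    print("host after renumbering:", now)
    print("full-address rule still matches:", full_address_rule_matches(rule, now))
    print("IID rule still matches:", iid_rule_matches(rule, now))
    print("ISP block range:", prefix_range("2a02:2f00::/28"))
    print("both prefixes inside ISP block:",
          covered(rule, "2a02:2f00::/28") and covered(now, "2a02:2f00::/28"))
```

The trade-off a defender should keep in mind when relying on an IID-based rule: it only identifies a host as long as the host's interface identifier is stable, which is exactly the condition PacketTracer already attached to the per-computer rules (no privacy-extensions addresses).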
-
... I just added this case of IPv6 firewall failure as case [5] to a list of other cases, see here (http://forums.dlink.com/index.php?topic=58287.msg226285#msg226285).
PacketTracer