
Author Topic: DIR-657 IPV6 Firewall Issues  (Read 15706 times)

ziddey

  • Level 1 Member
  • *
  • Posts: 4
DIR-657 IPV6 Firewall Issues
« on: March 28, 2013, 10:28:33 AM »

I'm using he/tunnelbroker for a 6in4 tunnel. Everything is working relatively smoothly, but I do have one major issue with the firewall.

I have the ipv6 firewall on, only allowing outbound traffic (source lan, dest wan, any protocol, :: for ip range). This seems to be working well for my clients. However, the rules do not apply for the router itself. The router is accessible from the outside world both via its wan ipv6 address and lan ipv6 address. Unless I'm missing something, there doesn't look to be a way to firewall these addresses.

So for the meantime, I've immensely stepped up the router password, but I would still much rather it not be visible at all.

Any suggestions here? I'm assuming the router will never see another firmware update again.. On the most recent firmware, 1.01.
« Last Edit: March 28, 2013, 11:53:26 AM by ziddey »
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49273
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: DIR-657 IPV6 Firewall Issues
« Reply #1 on: March 28, 2013, 11:43:04 AM »

Welcome!
What Hardware version is your router? Look at sticker under router.
What Firmware version is currently loaded? Found on router's web page under status.
What region are you located?


What ISP Service do you have? Cable or DSL?
What ISP Modem Mfr. and model # do you have?
Check ISP MTU requirements, Cable is usually 1500, DSL is around 1492 down to 1472. Call the ISP and ask. (Checking MTU Values)

Some things to try: - Log into the router's web page at 192.168.0.1. Use IE, Opera or FF to manage the router.
Turn off ALL QoS or Disable Traffic Shaping (DIR only) GameFuel (DGL only and if ON.) options. Advanced/QoS or Gamefuel.
Turn off Advanced DNS Services if you have this option under Setup/Internet/Manual or under Setup/PARENTAL CONTROL/Set to>None: Static IP or Obtain Automatically From ISP.
Enable Use Unicasting (compatibility for some ISP DHCP Servers) under Setup/Internet/Manual.
Turn on DNS Relay under Setup/Networking.
Setup DHCP reserved IP addresses for all devices ON the router. Setup/Networking. This ensures each device gets its own IP address when turned on and connected, eliminates IP address conflicts and helps in troubleshooting.
Ensure devices are set to auto obtain an IP address.
If IPv6 is an option on the router, select Local Connection Only or Disable IPv6 options under Setup/IPv6.
Set Firewall settings to Endpoint Independent for TCP and UDP under Advanced/Firewall.
Enable uPnP and Multi-cast Streaming under Advanced/Networking. Disable uPnP for testing Port Forwarding rules. Disable IPv6 Multi-cast Streaming if native IPv6 is not being used.
Turn off WISH, and WPS under Advanced.
WAN Port Speed set to Auto or specific speed? Some newer ISP modems support 1000Mb so manually setting to Gb speeds can be supported by the router. Advanced/Advanced Networking/WAN Port Speed
Set current Time Zone, Date and Time. Use an NTP server feature. Tools/Time.
 
Logged
"Nothing Funny about It...." We are not here to Impress anyone! You have to be a COMPETENT user first to understand COMPETENT help!

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 435
Re: DIR-657 IPV6 Firewall Issues
« Reply #2 on: March 28, 2013, 02:29:02 PM »

Hi,

if not unchecked please uncheck TOOLS | ADMIN | Enable Remote Management.

PacketTracer
Logged

ziddey

  • Level 1 Member
  • *
  • Posts: 4
Re: DIR-657 IPV6 Firewall Issues
« Reply #3 on: March 28, 2013, 02:31:30 PM »

not checked. remote ipv4 is not accessible.

remote and local ipv6 both accessible with seemingly no way to firewall
Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 435
Re: DIR-657 IPV6 Firewall Issues
« Reply #4 on: March 28, 2013, 03:51:56 PM »

I'm afraid you are right and D-Link's firewall implementation is not as sophisticated as desirable.

So perhaps the following may work:

Instead of selecting Turn IPv6 Firewall ON and ALLOW rules listed and specifying an outgoing rule allowing everything, try it the other way round:

Select Turn IPv6 Firewall ON and DENY rules listed and specify a single rule blocking everything coming from outside: Source Interface=WAN, Dest Interface=LAN, IP address range=::, Protocol=Any
« Last Edit: March 29, 2013, 07:13:14 AM by PacketTracer »
Logged

ziddey

  • Level 1 Member
  • *
  • Posts: 4
Re: DIR-657 IPV6 Firewall Issues
« Reply #5 on: March 29, 2013, 12:53:10 PM »

I'll try that sometime, but it would make opening ports very difficult.
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49273
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: DIR-657 IPV6 Firewall Issues
« Reply #6 on: March 29, 2013, 12:59:28 PM »

What ISP Service do you have? Cable or DSL?
What ISP Modem Mfr. and model # do you have?
Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 435
Re: DIR-657 IPV6 Firewall Issues
« Reply #7 on: March 29, 2013, 03:19:28 PM »

... but it would make opening ports very difficult.

Yes, it would be hard but not impossible. For example, if your LAN has IPv6 address 2001:db8::/64 and you want to allow access to a webserver (80/tcp) at 2001:db8::100, you have to define 6 deny rules with Source Interface = WAN, Dest Interface = LAN and Source IP Address Range = ::

1 rule to block UDP completely (Dest IP Address Range = :: )
1 rule to block ICMP completely (Dest IP Address Range = :: )
1 rule to block TCP to Port Range 1-79 (Dest IP Address Range = :: )
1 rule to block TCP to Port Range 81-65535 (Dest IP Address Range = :: )
1 rule to block TCP to Port 80 (Dest IP Address Range = 2001:db8:: - 2001:db8::ff)
1 rule to block TCP to Port 80 (Dest IP Address Range = 2001:db8::101 - 2001:db8::ffff:ffff:ffff:ffff)

This leaves only port 80/tcp at 2001:db8::100 open to the internet as desired.

If you wanted to open port 80/tcp for a second machine you would have to change one of the above listed rules and add another one.

If you wanted to open a second TCP port on this or another machine (e.g. 443/TCP for HTTPS) you would have to change one of the above listed rules and add 3 others.

Unfortunately you are limited to a maximum of 20 deny rules.

Of course this solution is ugly and moreover useless if it doesn't solve your problem. In any case the problem you discovered is a vulnerability of this firmware version that should be fixed by D-Link as soon as possible.
Logged
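The rule arithmetic from Reply #7, as an added example that is not part of any post in this thread: a Python sketch that derives the deny rules needed to leave a given set of TCP services reachable and checks the result against the 20-rule limit. The names `gaps`, `deny_rules`, `fits` and the tuple layout are made up for this illustration; the prefix, the `::` wildcard and the limit are taken from the post.

```python
import ipaddress

MAX_DENY_RULES = 20  # firmware limit stated in the thread

def gaps(lo, hi, allowed):
    """Inclusive (start, end) ranges of lo..hi that skip every value in allowed."""
    out, cur = [], lo
    for v in sorted(set(allowed)):
        if v > cur:
            out.append((cur, v - 1))
        cur = v + 1
    if cur <= hi:
        out.append((cur, hi))
    return out

def deny_rules(lan_prefix, allowed):
    """allowed: (IPv6 address, TCP port) pairs that must stay reachable.
    Returns (protocol, dest ports, dest address range) tuples; every rule is
    Source Interface=WAN, Dest Interface=LAN, Source IP Address Range=::."""
    net = ipaddress.IPv6Network(lan_prefix)
    hosts_by_port = {}
    for addr, port in allowed:
        ip = ipaddress.IPv6Address(addr)
        if ip not in net:
            raise ValueError(f"{addr} is outside {lan_prefix}")
        hosts_by_port.setdefault(port, []).append(int(ip))
    rules = [("UDP", "any", "::"), ("ICMP", "any", "::")]
    # TCP ports nobody serves are blocked for every destination.
    for lo, hi in gaps(1, 65535, hosts_by_port):
        rules.append(("TCP", str(lo) if lo == hi else f"{lo}-{hi}", "::"))
    # An open port is blocked for every LAN address except its servers.
    first, last = int(net.network_address), int(net.broadcast_address)
    for port in sorted(hosts_by_port):
        for lo, hi in gaps(first, last, hosts_by_port[port]):
            span = f"{ipaddress.IPv6Address(lo)} - {ipaddress.IPv6Address(hi)}"
            rules.append(("TCP", str(port), span))
    return rules

def fits(rules):
    """True when the rule set stays within the deny-rule limit."""
    return len(rules) <= MAX_DENY_RULES

if __name__ == "__main__":
    LAN = "2001:db8::/64"  # documentation prefix used in Reply #7
    for rule in deny_rules(LAN, [("2001:db8::100", 80)]):
        print(*rule, sep=" | ")
    # Constructed sample: six separate TCP services on one host.
    six = deny_rules(LAN, [("2001:db8::100", p) for p in (22, 25, 80, 443, 993, 8080)])
    print(len(six), "rules; fits:", fits(six))
```

For the single web server it prints the six rules listed in the post; six non-adjacent TCP ports on one host already come to 21 rules, one over the limit.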

FurryNutz

  • Poweruser
  • *****
  • Posts: 49273
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: DIR-657 IPV6 Firewall Issues
« Reply #8 on: March 29, 2013, 03:45:59 PM »

If this is the case, please contact D-Link support directly by phone for quick and fast resolution and information.

Please let us know how it goes.
Logged

ziddey

  • Level 1 Member
  • *
  • Posts: 4
Re: DIR-657 IPV6 Firewall Issues
« Reply #9 on: April 08, 2013, 04:57:03 PM »

As expected, not even dignified with a response.
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49273
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: DIR-657 IPV6 Firewall Issues
« Reply #10 on: April 08, 2013, 04:59:55 PM »

 ???
We are volunteer help for D-Link and here to help out with set up and problems that are posted by users here in the forums. If we cannot resolve those issues here or if there are problems with anything beyond our capabilities here in the forums, we ask the users to please contact D-Link directly for continued help and information. Problems with HW/FW and documentation fall under this reasoning as we do not have the ability to effect any changes. As for D-Link support, if they don't know what customers' needs and desires are then it's kind of hard for them to make improvements to their products without someone helping them out and telling them. Yes, of course please feel free to post and talk about it here, however there is little or no review by any official D-Link support or engineering personnel here in the forums. It's the user's responsibility to help notify D-Link support of unresolved problems and concerns they have, that we can't fix here in the forums.

Good Luck
« Last Edit: April 10, 2013, 12:45:20 PM by FurryNutz »
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49273
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: DIR-657 IPV6 Firewall Issues
« Reply #12 on: May 06, 2013, 08:42:54 AM »

Any status on this?  ???
Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 435
Re: DIR-657 IPV6 Firewall Issues
« Reply #13 on: February 15, 2014, 07:20:43 AM »

... this case of IPv6 firewall failure has been added as case [1] to a list of other cases, see here.

PT
« Last Edit: March 01, 2014, 04:13:41 AM by PacketTracer »
Logged