
Author Topic: IPv6 Firewall  (Read 12542 times)

Protonic

IPv6 Firewall
« on: August 07, 2013, 12:25:41 PM »

I have an IPv6 connection through an IPv6 in IPv4 tunnel from Hurricane Electric and I had no issues with this when I initially set it up in the router's web interface.

However, if I enable "IPv6 Simple Security" on the IPv6 Firewall page, I can no longer connect to IPv6 websites. For example, http://bin6.it is an IPv6-only website and the connection will simply time out with the option enabled. If I disable Simple Security, then I can connect to the site without any problems.

The main reason I wanted to enable this is because I'd like to stealth/hide ports on my IPv6 addresses in much the same way the router already does for the IPv4 address from my ISP. For instance, an IPv6 firewall test at http://www6.ipv6.chappell-family.co.uk/cgi-bin6/ipscan-js.cgi indicates that ports on my laptop are visible to the outside world. Am I misunderstanding what "Simple Security" is supposed to do or is there perhaps a bug in the firmware (version 1.01)?

I should note that I've also tried using the more advanced IPv6 firewall rules instead of Simple Security to no avail. The configuration I've tried for this is as follows:

Turn IPv6 Filtering ON and ALLOW rules listed
--Rule 1
Source: LAN
IP Address Range Start: 2001:470:1f11:500::
IP Address Range End: 2001:470:1f11:500:ffff:ffff:ffff:ffff
Protocol: ALL
Dest: WAN
IP Address Range Start: 2000::
IP Address Range End: 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

This firewall rule, however, results in the same problem that enabling Simple Security caused. Note that 2001:470:1f11:500::/64 is the IPv6 block that I have for my tunnel connection and that currently global IPv6 addresses fall in the 2000::/3 range. I have also tried firmware version 1.02, but the problem persists.

Does anyone have any ideas on what else I could try with the firewall rules?

FurryNutz

Re: IPv6 Firewall
« Reply #1 on: August 07, 2013, 12:36:14 PM »

How is your IPv6 configured under Setup/IPv6?

I presume that your ISP doesn't natively support IPv6?
Could be a compatibility issue with using IPv6/4 Tunneling.


Patrick533

Re: IPv6 Firewall
« Reply #2 on: August 07, 2013, 01:29:22 PM »

The firewall is not configured correctly, let me see if I can get a screen shot I made earlier up here.

Patrick533

Re: IPv6 Firewall
« Reply #3 on: August 07, 2013, 01:44:29 PM »

Here, give this setup a try. Basically for a firewall the 1st one is all I use and it passes the Chappell test all the time.....


Protonic

Re: IPv6 Firewall
« Reply #4 on: August 07, 2013, 02:18:09 PM »

How is your IPv6 configured under Setup/IPv6?

IPv6 Connection Type: IPv6 in IPv4 Tunnel

IPv6 in IPv4 Tunnel Settings: Filled in with address information from Hurricane Electric Tunnel page

IPv6 DNS Settings: Obtain IPv6 DNS Servers automatically

LAN IPv6 Address Settings
Enable DHCP-PD: Unchecked
LAN IPv6 Address: 2001:470:1f11:500::

Address Autoconfiguration Settings
Enable Automatic IPv6 address assignment: Checked
Autoconfiguration Type: SLAAC+RDNSS
Router Advertisement Lifetime: 20 minutes

Using these settings with all the IPv6 firewall settings OFF works fine for connecting to any IPv6 enabled websites. However, ports on any IPv6-enabled computer are visible to the outside world which is the issue I'm trying to resolve by using the firewall options.

I presume that your ISP doesn't natively support IPv6?
Could be a compatibility issue with using IPv6/4 Tunneling.

Yes, that's correct. My ISP (Time Warner Cable) doesn't yet support IPv6 in my area of Southeast Wisconsin. Their DNS servers do return IPv6 addresses along with IPv4 addresses though, and I believe TWC has enabled IPv6 in other parts of the country. So hopefully it will be coming to my area soon. For now, I was hoping to use the tunnel.

Protonic

Re: IPv6 Firewall
« Reply #5 on: August 07, 2013, 02:18:33 PM »

Here, give this setup a try. Basically for a firewall the 1st one is all I use and it passes the Chappell test all the time.....

Thanks for this but I'm having trouble doing this. My firewall page looks slightly different. Yours only has one textbox for each IP Address Range, whereas I have two, one for a range start and the other for the range end. I also notice on your second unused rule that it shows an asterisk for the Interface, which I assume means any interface. On mine, I only have the choice for WAN or LAN only. Do you have a different firmware version or just a different model perhaps?

Here's what mine looks like:



If I try to save the settings as shown above, I get an error telling me that the source and destination address should not be the same. This was the reason I had been trying to use addresses with the ffff:ffff:ffff:ffff filled in for the range end in the rule I posted earlier.

I also tried reversing my original rule to DENY with the WAN as the Source, LAN for the Destination, and TCP ports 1-65535. In this case I was able to connect to IPv6 websites, but the firewall test still showed ports as visible. I have no idea what else I can really try at this point.

PacketTracer

Re: IPv6 Firewall
« Reply #6 on: August 07, 2013, 03:22:15 PM »

Hi Protonic,

I guess "Simple Security" has to be understood in terms of RFC6092 and is meant for most people who don't have the skills to configure a firewall: If activated it should allow any traffic initiated from inside to outside (and the return traffic requested, because the firewall is stateful) and block any unsolicited traffic coming from outside. This is what you want but obviously this does not work with your firmware version on your DIR-868L.

Also, nothing seems to be wrong to me with the other suggestions presented in this thread. As far as I have observed, D-Link uses different methods to specify address ranges in firewall rules: either specify it as a prefix like 2000::/3 (which is the case with Patrick's box, which as far as I know is a DIR-657) or as a range with a start address and end address, as is the case with your box.

So maybe it's one of these stupid reasons why it doesn't work: perhaps "2001:470:1f11:500::" or "2000::" is not understood, so try 2001:470:1f11:500:0:0:0:0 and 2000:0:0:0:0:0:0:0

If nothing helps, try a new firmware version if available for your box.

PacketTracer
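The RFC 6092 behaviour PacketTracer describes above (LAN-initiated flows and their replies pass, unsolicited WAN traffic is dropped) modelled as an added Python example. This is not code from the thread or from D-Link's firmware; the class and function names are my own, the non-LAN addresses are constructed from the 2001:db8::/32 documentation range, and the ICMPv6 subset that is always admitted (the four error-message types) plus the choice to drop unsolicited echo requests are this model's policy, not something the thread states about the router.

```python
import ipaddress
from dataclasses import dataclass

# The thread's Hurricane Electric tunnel /64 (from the original post).
LAN_PREFIX = ipaddress.IPv6Network("2001:470:1f11:500::/64")

# ICMPv6 error messages a filter must let through or IPv6 breaks:
# Destination Unreachable, Packet Too Big, Time Exceeded, Parameter Problem.
ICMPV6_ALWAYS_ALLOWED = {1, 2, 3, 4}
ICMPV6_ECHO_REQUEST, ICMPV6_ECHO_REPLY = 128, 129


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmpv6"
    sport: int = 0       # ignored for icmpv6
    dport: int = 0
    icmp_type: int = 0   # only meaningful for icmpv6


class SimpleSecurity:
    """Model of the RFC 6092 default policy: LAN-initiated flows and their
    return traffic pass, anything unsolicited from the WAN is dropped."""

    def __init__(self, lan: ipaddress.IPv6Network):
        self.lan = lan
        self.flows = set()   # (proto, lan_addr, lan_port, wan_addr, wan_port)
        self.echoes = set()  # (lan_addr, wan_addr) with an outstanding echo request

    def _is_lan(self, addr: str) -> bool:
        return ipaddress.IPv6Address(addr) in self.lan

    def filter(self, p: Packet) -> str:
        outbound = self._is_lan(p.src) and not self._is_lan(p.dst)
        inbound = self._is_lan(p.dst) and not self._is_lan(p.src)

        if outbound:
            # Record the flow so that its reply can be matched later.
            if p.proto in ("tcp", "udp"):
                self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            elif p.proto == "icmpv6" and p.icmp_type == ICMPV6_ECHO_REQUEST:
                self.echoes.add((p.src, p.dst))
            return "accept"

        if inbound:
            if p.proto in ("tcp", "udp"):
                # Only the exact reverse 5-tuple of a LAN-initiated flow gets in.
                if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
                    return "accept"
            elif p.proto == "icmpv6":
                if p.icmp_type in ICMPV6_ALWAYS_ALLOWED:
                    return "accept"  # e.g. Packet Too Big is needed for PMTU discovery
                if p.icmp_type == ICMPV6_ECHO_REPLY and (p.dst, p.src) in self.echoes:
                    return "accept"
            # Unsolicited inbound echo requests are dropped in this model, which is
            # what a "stealth" port test expects; RFC 4890 suggests permitting them.
            return "drop"

        return "drop"  # traffic that does not cross the LAN/WAN boundary is outside this model


def demo() -> list:
    """Run a constructed packet sequence through the filter and return the verdicts."""
    fw = SimpleSecurity(LAN_PREFIX)
    laptop = "2001:470:1f11:500:1c2d:3e4f:5a6b:7c8d"  # constructed privacy-extension style host
    web = "2001:db8::80"                              # constructed documentation address
    scanner = "2001:db8:beef::1"                      # constructed documentation address
    packets = [
        Packet(laptop, web, "tcp", 51000, 80),            # LAN opens HTTP: accept, state created
        Packet(web, laptop, "tcp", 80, 51000),            # server reply: accept via state
        Packet(scanner, laptop, "tcp", 40000, 22),        # unsolicited SSH probe: drop
        Packet(scanner, laptop, "tcp", 80, 51000),        # "reply" from the wrong host: drop
        Packet(scanner, laptop, "icmpv6", icmp_type=2),   # Packet Too Big: accept
        Packet(scanner, laptop, "icmpv6", icmp_type=128), # unsolicited ping: drop
        Packet(laptop, web, "icmpv6", icmp_type=128),     # LAN pings web: accept
        Packet(web, laptop, "icmpv6", icmp_type=129),     # matching echo reply: accept
    ]
    return [fw.filter(p) for p in packets]
```

The point of the model is the fourth packet: a static "allow LAN to WAN" rule says nothing about what comes back, so a port probe and a genuine reply look alike unless the filter remembers which 5-tuples the LAN opened. That state is what makes the port test report "stealth" while outbound browsing still works.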

Protonic

Re: IPv6 Firewall
« Reply #7 on: August 07, 2013, 05:51:46 PM »

So maybe it's one of these stupid reasons why it doesn't work: perhaps "2001:470:1f11:500::" or "2000::" is not understood, so try 2001:470:1f11:500:0:0:0:0 and 2000:0:0:0:0:0:0:0

Thanks for the suggestion, but unfortunately that didn't change anything.

I have, however, made some sort of progress, but it's not really ideal. I've turned off Simple Security and turned the IPv6 Filtering option to "ON and ALLOW rules listed". In the Source section, I chose LAN with the current IPv6 address of my laptop for the start and one address above this for the end. For the Destination section, I chose the WAN interface and put in a range of 2000:: to 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff. The protocol option was set to ALL.

This allowed me to connect to IPv6 websites and to my surprise, it also passed the IPv6 firewall test. All ports were stealthed.

But the problem with this setup is that I'd basically need separate rules for all my devices along with their IPv6 addresses. To complicate this further, I'd prefer to keep on using IPv6 privacy extensions on my devices which means my outgoing IPv6 connections would have different addresses regularly. Additionally, I can't turn off privacy extensions on some of my devices, such as my iPad, even if I wanted to. What I really need is to be able to specify the whole 2001:470:1f11:500::/64 block, but for whatever reason this fails to work correctly if I try to do this.

Patrick533

Re: IPv6 Firewall
« Reply #8 on: August 07, 2013, 07:47:34 PM »

Hi PT,

I am using the DIR-827 with the setup you suggested in the picture above months ago, it works perfectly on 6!

I wonder maybe if the firmware is still in the works, this being a fairly newer router than mine.

Maybe we should ask Furry nicely to run it up the ladder and see if they know anything?

I am going to get this router sooner or later, the department I work in has taken a HUGE amount of hits with government furloughs and cutbacks, I will be a civilian again after 10/1/13(unless I get a reprieve), so it may be a while before I can afford it though. :'(

Pat


PacketTracer

Re: IPv6 Firewall
« Reply #9 on: August 08, 2013, 02:10:02 PM »

Hi Protonic,

in any case, selecting the basic setting "Turn IPv6 Filtering ON and ALLOW rules listed" is the better choice, because then it is easier to configure the permissions for the traffic you want by adding one rule per allowed traffic flow. As with this basic setting any IPv6 traffic is blocked without a rule, you need at least one rule to allow outgoing traffic. This means you have to configure the following for the first rule:

  • Check the box in the left column to activate the rule
  • Name: e.g. "AllowAnyOutgoingTraffic"
  • Schedule: Always
  • Source Interface: LAN
  • Source IP Address Range: <To be discussed>
  • Protocol: All/Any
  • Dest Interface: WAN
  • Dest IP Address Range: <To be discussed>
  • Dest Port Range: <Not configurable/irrelevant if Protocol=All/Any>

This is just for clarification and is what you did.

The only matter of debate left seems to be the somewhat mysterious way D-Link wants the start address and end address of the required IP Address Ranges to be specified.

While

  • 2001:470:1f11:500:: - 2001:470:1f11:500:ffff:ffff:ffff:ffff
  • 2000:: - 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

seems to be unique for IPv6 insiders, this may not be the case for D-Link's implementation of IPv6 address range discovery. So try some variations, for example:

  • Source IP Address Range: :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
  • Dest IP Address Range: :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

  • Source IP Address Range: 2001:470:1f11:500::/64 - 2001:470:1f11:500:ffff:ffff:ffff:ffff/64
  • Dest IP Address Range: 2000::/3 - 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/3

  • Source IP Address Range: 2001:470:1f11:500::/128 - 2001:470:1f11:500:ffff:ffff:ffff:ffff/128
  • Dest IP Address Range: 2000::/128 - 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

... any further acceptable ideas?

If nothing helps, ask D-Link how they want the start and end addresses of IPv6 address ranges to be specified.

PacketTracer

FurryNutz

Re: IPv6 Firewall
« Reply #10 on: August 08, 2013, 02:12:40 PM »

Thanks for the nice info PT and P553, I'll forward this to D-Link and see if there is some information on this available.

Keep us posted Pro.

Protonic

Re: IPv6 Firewall
« Reply #11 on: August 08, 2013, 03:49:32 PM »

Thanks once again for the suggestions, PacketTracer. But I'm afraid none of those range ideas worked. I wasn't even able to save the settings with them due to error messages.

  • Source IP Address Range: :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
  • Dest IP Address Range: :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

In this case, the error that popped up was as follows: "The source and destination IP address should not be the same."

With that in mind I tried a slight variation and changed the starting destination address to ::1 instead. This was accepted and saved, but still resulted in all IPv6 traffic being blocked in either direction.

  • Source IP Address Range: 2001:470:1f11:500::/64 - 2001:470:1f11:500:ffff:ffff:ffff:ffff/64
  • Dest IP Address Range: 2000::/3 - 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/3

  • Source IP Address Range: 2001:470:1f11:500::/128 - 2001:470:1f11:500:ffff:ffff:ffff:ffff/128
  • Dest IP Address Range: 2000::/128 - 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128

Both of these resulted in the same error message: "Incorrect source IP address. Invalid format of the start IP address."

Just for the lack of any better ideas, I tried removing the prefix length from the starting source address and the new error message indicated that the format of the ending source IP address was incorrect. I then removed it from the other addresses, one after the other, and the error message changed appropriately along with it. So it seems pretty clear it will not accept any addresses with the prefix length after it.

I also made sure to try the same ranges with all zeros filled in rather than the double colons, but that made no difference anyway.

The only luck I seem to have had with this is when the source IP range is fairly narrow.

PacketTracer

Re: IPv6 Firewall
« Reply #12 on: August 08, 2013, 04:08:08 PM »

Hi Protonic,

just another idea: perhaps there is a problem, if one address range is part of the other. So try 2 outgoing rules with the following Source and Dest IP Ranges:

1. Rule:

  • Source IP Address Range: 2001:470:1f11:500:: - 2001:470:1f11:500:ffff:ffff:ffff:ffff
  • Dest IP Address Range: 2000:: - 2001:470:1f11:4ff:ffff:ffff:ffff:ffff

2. Rule:

  • Source IP Address Range: 2001:470:1f11:500:: - 2001:470:1f11:500:ffff:ffff:ffff:ffff
  • Dest IP Address Range: 2001:470:1f11:501:: - 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

PacketTracer

Protonic

Re: IPv6 Firewall
« Reply #13 on: August 08, 2013, 08:24:49 PM »

Hi PacketTracer,

Unfortunately, those ranges did not work either, but it was a very good thought. So thanks again for trying.

That said, your post did spark another idea. Since it seems like the problem lies in having a large Source IP Address Range, I wondered what would happen if I split the 2001:470:1f11:500::/64 block in half to make up two rules while leaving the destination 2000::/3 block the same for both.



And what do you know, this actually worked! :D Outgoing IPv6 connections are now working fine from all of my devices. Any unsolicited incoming traffic is also being dropped, so the IPv6 firewall test now passes to my satisfaction.

I find it interesting that the router would have a problem with the address space of the source IP range but not have any issue with the destination one. The destination range (2000::/3) is much much larger than the source. Hopefully a future firmware update will allow me to condense this into a single rule, but this setup should work just fine in the meantime.

Thank you again, PacketTracer. I don't think I would have had this sudden insight if you didn't suggest using two rules. And thank you to everyone else (Patrick533 and FurryNutz) who tried to help me.
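The range arithmetic behind the working configuration (prefix to start/end form, the /64 split into two halves, and a check that any privacy-extension address on the LAN lands in exactly one rule) as an added Python example. This is not code from the thread or from D-Link; the function names and the rule dictionary layout are my own, the host addresses used for checking are constructed, and the split is generalised to any power-of-two number of slices rather than only the two the thread used.

```python
import ipaddress


def range_bounds(prefix: str) -> tuple:
    """First and last address of a prefix, in the start/end form the rule
    editor in this thread wants instead of CIDR notation."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(net[0]), str(net[-1])


def split_prefix(prefix: str, parts: int) -> list:
    """Split a prefix into `parts` equal, contiguous start/end ranges
    (parts must be a power of two). parts=2 turns a /64 into two /65 halves."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    diff = parts.bit_length() - 1
    if 1 << diff != parts:
        raise ValueError("parts must be a power of two")
    return [(str(s[0]), str(s[-1])) for s in net.subnets(prefixlen_diff=diff)]


def build_outbound_rules(lan_prefix: str, parts: int = 2,
                         dest_prefix: str = "2000::/3") -> list:
    """Allow-rule set: every source slice paired with the global unicast range,
    mirroring the fields listed in PacketTracer's reply."""
    dst_start, dst_end = range_bounds(dest_prefix)
    return [
        {"name": f"AllowAnyOutgoingTraffic-{i + 1}", "schedule": "Always",
         "src_if": "LAN", "src_start": s, "src_end": e, "proto": "ALL",
         "dst_if": "WAN", "dst_start": dst_start, "dst_end": dst_end}
        for i, (s, e) in enumerate(split_prefix(lan_prefix, parts))
    ]


def matching_rules(addr: str, rules: list) -> list:
    """Indices of rules whose source range contains `addr`. A correct split
    yields exactly one hit for every host in the prefix, whatever interface
    identifier privacy extensions happened to pick."""
    a = ipaddress.IPv6Address(addr)
    return [i for i, r in enumerate(rules)
            if ipaddress.IPv6Address(r["src_start"]) <= a <= ipaddress.IPv6Address(r["src_end"])]


def is_nested(inner: str, outer: str) -> bool:
    """True when one prefix lies entirely inside another (the overlap
    PacketTracer wondered about: the tunnel /64 is inside 2000::/3)."""
    return ipaddress.IPv6Network(inner, strict=False).subnet_of(
        ipaddress.IPv6Network(outer, strict=False))
```

Running `build_outbound_rules("2001:470:1f11:500::/64")` gives the two rules from the post: source 2001:470:1f11:500:: to 2001:470:1f11:500:7fff:ffff:ffff:ffff and 2001:470:1f11:500:8000:: to 2001:470:1f11:500:ffff:ffff:ffff:ffff, both with destination 2000:: to 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff. If a later firmware accepts the whole /64 again, `parts=1` produces the single-rule form.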

FurryNutz

Re: IPv6 Firewall
« Reply #14 on: August 12, 2013, 09:29:38 AM »

I have passed this along to D-Link. I would recommend that you phone contact D-Link support, ask for level 2 or higher support and see if you can get anymore information on this.