
Topic: ipv6 firewall rules / fv: 2.17 / hv: bx / b5

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 439
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #15 on: February 01, 2014, 08:48:44 AM »

Hi again,

so you installed the German version which is not for your region. This may cause problems. So try again with firmware version 2.15 b01 developed for models marketed in your region.

PacketTracer
Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 439
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #16 on: February 09, 2014, 05:14:28 AM »

Hi once more,

within your region the EU firmware version seems to be the right one since the download link for the official firmware version 2.15 b01 at your region's D-Link support site points to "dlink.eu".

Looking at this FTP repository you can find a newer firmware version 2.16 b05:

--> ftp://ftp.dlink.eu/Products/dir/dir-600/driver_software/DIR-600_fw_revb5_2-16b05_all_en_20130527.zip

Perhaps it may be helpful to install this version instead of a version 2.17 specific to devices marketed in Germany.

PacketTracer
Logged

noyeske

  • Level 1 Member
  • *
  • Posts: 11
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #17 on: February 10, 2014, 11:52:14 PM »

I tried many variations of all kinds but none worked for me ... thank you very much for your help :)
Logged

noyeske

  • Level 1 Member
  • *
  • Posts: 11
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #18 on: February 11, 2014, 12:28:13 AM »

If I disable the firewall everything works... I am in the same place...
first of all I updated the firmware to 2.16
But when I disable the firewall in my status in ipv6 routing menu looks like:

If I enable with these rule:

the routing status looks like:
 
and can't access the internet over ipv6...
Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 439
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #19 on: February 11, 2014, 02:54:49 PM »

Hi again,

there are two observations:

  • Comparing the recent data to the data you posted some time ago it turns out that the LAN prefix you get delegated via DHCP-PD is not fixed but obviously changes - probably every time a new PPPoE session is established (previous LAN prefix was 2a02:2f08:30e7::/64, present LAN prefix is 2a02:2f08:30d1:8900::/64).

    Hence, your original request to configure IPv6 firewall rules that allow Internet access for a subset of your LAN clients only (identified by their source IPv6 address derived from a changing prefix) is not feasible because the ruleset does not adjust to changing LAN prefixes.

    There are IPv6 firewall implementations in home routers on the market (e.g. the products of a well known German manufacturer) which allow this because they only use the host identifier (the last 64 bits of an IPv6 address) within firewall rules which may be kept constant while the (irrelevant) prefix (the first 64 bits of an IPv6 address) might change.

    Using a D-Link firewall you must ask your ISP for a fixed prefix in order to put your firewall needs into practice. Otherwise within firewall rules you can only use source address ranges that cover any LAN prefixes you might ever get delegated, e.g. :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff or your ISP's address block he got delegated from RIPE, in case of your ISP RCS&RDS the block 2a02:2f00::/28 which corresponds to the range 2a02:2f00:: - 2a02:2f0f:ffff:ffff:ffff:ffff:ffff:ffff.

  • Your ISP obviously doesn't assign a global IPv6 prefix to the PPPoE link that connects your router to your ISP's edge router. Instead the link local prefix fe80::/64 is used for this only. Although unusual this is allowed and works as you can see from the fact that you have IPv6 Internet access - at least when your IPv6 firewall is switched off.

Looking at your IPv6 routing table:

Entries without a gateway (denoted as "::") might specify one of following:
  • A directly attached network, e.g. your LAN 2a02:2f08:30d1:8900::/64
  • An IPv6 address assigned to a local interface - no example available in your table
  • An IPv6 address of another device reachable via the interface listed in the entry, e.g. your LAN PC 2a02:2f08:30d1:8900::4 reachable via the LAN interface or 2a02:2f08:30df:ffff::bc1b:1aca which is your ISP's edge router reachable via INTERNET interface.

And of course you have a default gateway fe80::1 which obviously is the link local address of your ISP's edge router reachable via INTERNET interface.

It is interesting now that the entry for your LAN client 2a02:2f08:30d1:8900::4 disappears as soon as you switch on the IPv6 firewall. This looks as if the router is no more able to discover your LAN clients because the IPv6 firewall seems to block Neighbor Discovery packets (a special type of ICMPv6 packets e.g. used to resolve IPv6 addresses of neighboring nodes to MAC addresses).

Hence I draw the conclusion (but this is a wild guess only) that D-Link's firewall implementation gets confused from the situation that it does not have a global IPv6 address assigned to its WAN interface, and maybe instead of applying rules to the WAN interface it erroneously applies them to the LAN interface (e.g. blocking ICMPv6 ND) because it can't differentiate between them if the WAN interface has been assigned a link local IPv6 address only.

You might perhaps test if my assumption is right by not using the native IPv6 access offered by your ISP but by temporarily configuring a 6to4 tunnel and check if your IPv6 firewall works properly in this case (of course your ISP must not block IPv4 packets that contain IPv6 packets - so called type 41 packets - as is the case with 6to4).

In any case you might ask your ISP if he could assign a global prefix to your PPPoE WAN link - hoping that this might solve your IPv6 firewall problem.

PacketTracer
« Last Edit: February 11, 2014, 03:13:37 PM by PacketTracer »
Logged
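
Added example, not part of the original posts and not D-Link's firewall logic: a Python sketch of the three rule styles discussed in Reply #19 (full source address, interface identifier only, and a range covering the whole ISP block), checked against the two delegated prefixes quoted in the thread. The function names are hypothetical, and it assumes the LAN host keeps a stable interface identifier (here `::4`) rather than using temporary privacy addresses.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address = interface identifier

# Values quoted in the thread: ISP block and the two delegated LAN prefixes.
ISP_BLOCK = ipaddress.IPv6Network("2a02:2f00::/28")
OLD_PREFIX = ipaddress.IPv6Network("2a02:2f08:30e7::/64")
NEW_PREFIX = ipaddress.IPv6Network("2a02:2f08:30d1:8900::/64")
HOST_IID = 0x4  # the LAN PC listed as ...8900::4 in the routing table

def prefix_range(net):
    """First and last address of a prefix, the form a range-based rule field takes."""
    return str(net[0]), str(net[-1])

def host_address(prefix, iid):
    """Address a host with a stable interface identifier gets under a given prefix."""
    return ipaddress.IPv6Address(int(prefix.network_address) | (iid & IID_MASK))

def match_exact(src, rule_addr):
    """Rule keyed on the full 128-bit source address."""
    return src == rule_addr

def match_iid(src, rule_iid):
    """Rule keyed on the interface identifier only; the prefix is ignored."""
    return int(src) & IID_MASK == rule_iid

def match_range(src, net):
    """Rule keyed on a range wide enough to cover every prefix that may be delegated."""
    return src in net

def survives_renumbering():
    """Which rule styles still match the same host after the delegated prefix changes."""
    rule_addr = host_address(OLD_PREFIX, HOST_IID)  # rule written under the old prefix
    src = host_address(NEW_PREFIX, HOST_IID)        # same host after a new PPPoE session
    return {
        "exact": match_exact(src, rule_addr),
        "iid": match_iid(src, HOST_IID),
        "isp_block": match_range(src, ISP_BLOCK),
    }

if __name__ == "__main__":
    print(prefix_range(ISP_BLOCK))
    print(survives_renumbering())
```

The ISP-block range keeps matching after renumbering, but it matches every LAN client equally, so it cannot express a per-host restriction the way the interface-identifier rule does.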

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 439
Re: ipv6 firewall rules / fv: 2.17 / hv: bx / b5
« Reply #20 on: February 14, 2014, 08:14:13 AM »

... I just added this case of IPv6 firewall failure as case [5] to a list of other cases, see here.

PacketTracer
« Last Edit: March 01, 2014, 04:16:43 AM by PacketTracer »
Logged