
Author Topic: IPv6 firewall seems to be totally broken?  (Read 13027 times)

PacketTracer

IPv6 firewall seems to be totally broken?
« on: January 29, 2014, 04:08:40 PM »

HINT: The following contribution was originally posted within this thread and has been excerpted to be placed here (see here and here) because of its superior meaning to provide a survey of cases where IPv6 firewall malfunction is an issue. Future cases I assist will be added here.
----------------------------------------------------------------------------------------------------------


Hi FurryNutz,

Quote
PT, are any of these threads that you've been handling and very helpful in needing additional D-Link review? If any of these need review and in your opinion, changes or modifications, please let me know. I don't know what goes on in the IPv6 section or who works on it and I'd want to at least make D-Link aware of these issues so they can review and make the necessary changes.

Here is a survey of threads with firewall issues I assisted. The "D-Link Cloud Routers" series seems to be affected primarily (3 models) while there is only one minor issue concerning the DIR-657 from "D-Link amPLiFi" series and one model of the "Wireless N/N150" series where firewall failure is assumed to be caused by the uncommon situation that the involved ISP uses the link local prefix (fe80::/64) only (and no global prefix) for addressing the PPPoE WAN uplink.


The details:

[1]
Device: DIR-657
Series: D-Link amPLiFi
Firmware: V 1.01
Thread (2013-03-28): http://forums.dlink.com/index.php?topic=53230.0

Summary:
An active IPv6 firewall operating in mode "Turn IPv6 Firewall ON and ALLOW rules listed" and having configured adequate rules LAN --> WAN indeed protects the LAN network (as it should) but not the router itself. Disabled Router Management is only effective for IPv4 but not for IPv6.

[2]
Device: DIR-868L
Series: D-Link Cloud Routers
Firmware: V 1.01
Thread (2013-08-07): http://forums.dlink.com/index.php?topic=55088.0

Summary:
  • If "Simple Security" is enabled (and IPv6 firewall is disabled) the IPv6 Internet is no longer accessible.
  • If "Simple Security" is disabled and IPv6 firewall is enabled and operating in mode "Turn IPv6 Filtering ON and ALLOW rules listed" having a proper rule LAN (prefix/64) --> WAN (2000::/3), the IPv6 Internet cannot be accessed either. This mode of operation could be made to work correctly only for Source IP Address Ranges that were smaller than a /64 (e.g. a /65).
    Hence instead of one rule for
       LAN (prefix/64) --> WAN (2000::/3)
    two rules for
       LAN (prefix:: - prefix:7fff:ffff:ffff:ffff) --> WAN (2000::/3) and
       LAN (prefix:8000:: - prefix:ffff:ffff:ffff:ffff) --> WAN (2000::/3)
    were needed to make it work.
  • If "Simple Security" is disabled and IPv6 firewall is enabled and operating in mode "Turn IPv6 Filtering ON and DENY rules listed" having a proper (blocking) rule WAN --> LAN the IPv6 Internet is indeed accessible but the firewall does not block unsolicited WAN --> LAN as it should.
  • Specifying the same IP Address Ranges (START - END) for Source and Destination will produce an error telling "The source and destination IP address should not be the same."

[3]
Device: DIR 626L (Hardware: A1)
Series: D-Link Cloud Routers
Firmware: V 1.03
Thread (2013-08-17): http://forums.dlink.com/index.php?topic=55260.0

Summary:
When the IPv6 firewall is operating in mode "Turn IPv6 Firewall ON and DENY rules listed" a blocking rule WAN-->LAN that (explicitly or implicitly) includes TCP destination port 1 or port 65535 will cause a failure of the firewall's TCP state machine: Return traffic of allowed TCP/IPv6 connections initiated LAN-->WAN will be dropped by the FW (instead of being passed).

In addition this thread contains a lengthy discussion about how Simple Security works alone or in combination with the two possible active firewall modes ALLOW or DENY.

[4]
Device: DIR-860L
Series: D-Link Cloud Routers
Firmware: V 1.05
Threads:

Summary:
  • Enabled "Simple Security" has no effect: The LAN network is still unprotected (reachable from Internet).
  • Enabled IPv6 firewall does not work as expected. No matter what mode (DENY or ALLOW with proper rules) is configured it results in either IPv6 not working at all (blocking both inbound and outbound connections) or everything being fully open in both directions.
  • Specifying the same start addresses in the IP Address Ranges (START - END) for Source and Dest will produce an error telling that the source start address has to differ from the destination start address.

[5] (added 2014-02-14)
Device: DIR 600 (Hardware: Bx/B5)
Series: D-Link Wireless N / N150
Firmware: V 2.16 b05 (EU region)
Thread (2014-01-30): http://forums.dlink.com/index.php?topic=57708.0

Summary:
  • An active IPv6 firewall operating in mode "Turn IPv6 Filtering ON and ALLOW rules listed" and having configured adequate rules LAN --> WAN does not work as expected. LAN clients can't access the IPv6 Internet any more.
  • The assumption is that IPv6 firewall failure in this case is caused by using the link local IPv6 prefix fe80::/64 for addressing the WAN (PPPoE) link. While this is theoretically feasible it is quite uncommon to not provide a global IPv6 prefix for the WAN link as is the current practice of the involved ISP RCS&RDS driving this "IPV6 TEST".


Finally some remarks (my opinion only):

  • As criticized by other users I would agree that the default configuration of obviously all IPv6 capable D-LINK routers (no IPv6 firewall available at all, or no "Simple Security" option available or if available not active, or IPv6 firewall switched off) is bad because the local networks behind these routers are exposed to the Internet. Users expect to be protected as they are in the case of IPv4 due to NAT. As there is no NAT for IPv6 protection must be achieved via a default IPv6 firewall configuration that allows any traffic going out (and response traffic back in) but blocks any unsolicited traffic WAN --> LAN. This would perfectly be the case if "Simple Security" were implemented and activated by default.
  • The behaviour of "Turn IPv6 Filtering ON and ALLOW rules listed" is unexpected if used together with enabled "Simple Security". Since enabled "Simple Security" already allows any outgoing traffic it is not obvious that you have to specify a firewall rule that explicitly allows this again.
  • In general due to lack of description both in manuals and online help it is not obvious at all how "Simple Security" and the firewall modes ALLOW or DENY operate of their own or cooperate together and when to use which configuration. Instead skilled users have to do some re-engineering in order to reveal the secrets like user "network1027" did in this thread: http://forums.dlink.com/index.php?topic=55260.0.

PacketTracer
« Last Edit: February 27, 2014, 02:20:02 PM by PacketTracer »

dpanda

  • Guest
Re: IPv6 firewall seems to be totally broken?
« Reply #1 on: March 25, 2014, 05:18:37 AM »

Thanks a lot for summarizing the IPv6 firewall glitches in this forum post! I have the D-Link DIR-868L (Hardware Version: A1, Firmware Version: 1.01) and had a really hard time getting the IPv6 Firewall to work.

My ISP supports IPv6 (assigns native IPv6 addresses) and I am now running with the following configuration:
Enable IPv6 Simple Security: Selected
Configure IPv6 Filtering below: Turn IPv6 Filtering ON and ALLOW rules listed

I am using the following two rules (part of the IPv6 address masked out with 'X'):
Name: LanToWan_01
Schedule: Always
Source: LAN
IP Address range: 2404:XXXX:XXXX:XXXX:: - 2404:XXXX:XXXX:XXXX:7fff:ffff:ffff:ffff
Dest: WAN
IP Address range: 2000:: - 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Name: LanToWan_02
Schedule: Always
Source: LAN
IP Address range: 2404:XXXX:XXXX:XXXX:8000:: - 2404:XXXX:XXXX:XXXX:ffff:ffff:ffff:ffff
Dest: WAN
IP Address range: 2000:: - 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

As described in the post above, selecting IPv6 Simple Security without enabling IPv6 Filtering completely broke the IPv6 connectivity to the Internet. As suggested above I also had to split up the source address range 2404:XXXX:XXXX:XXXX::/64 and define two rules to get it working, which is ridiculous.

I have not investigated what difference IPv6 Simple Security makes but I selected it because threads linked from this post suggest that it may (or may not) add some additional useful rules to the IPv6 firewall for network diagnostic tools such as ping.

I performed IPv6 portscans using nmapv6.packetsize.net/index.php and www6.ipv6.chappell-family.co.uk/cgi-bin6/ipscan-js.cgi to verify that the firewall is blocking requests against IPv6 hosts behind the D-Link DIR-868L. Before enabling the firewall (selecting Enable IPv6 Simple Security and defining the ALLOW rules) some ports on a host behind the router were open. After enabling the firewall no open ports have been detected on any of the hosts behind the router.

I also scanned the public IPv6 address of the D-Link 868L router which revealed that all ports except for 53/tcp are closed. I am not sure why the DNS port is open, but at least the management port is not reachable via IPv6 from the Internet. I was not able to verify whether 53/tcp is open on IPv4 because I couldn't find a public IPv4 port scanner which allows entering an IPv4 address to scan.

It's shocking that the default configuration does not have any IPv6 filtering / firewall enabled and it is ridiculous how difficult it is to set up the IPv6 Firewall. I am planning to contact D-Link to inform them of those shortcomings.
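An added example, not code from the thread or from D-Link: a small Python model of the "ALLOW rules listed" semantics and of the workaround from PacketTracer's item [2] and dpanda's rule listing above, where the LAN /64 has to be split into two START-END ranges (/65 halves) with destination 2000::/3. The LAN prefix 2001:db8:1:2::/64 and the packet addresses are constructed stand-ins for the masked values in the post.

```python
import ipaddress
from dataclasses import dataclass

# Destination range of the thread's LAN --> WAN rules: 2000::/3 written as START - END.
WAN_GLOBAL_START = ipaddress.IPv6Address("2000::")
WAN_GLOBAL_END = ipaddress.IPv6Address("3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")


@dataclass(frozen=True)
class Rule:
    """One router rule: source and destination given as inclusive START-END ranges."""
    name: str
    src_start: ipaddress.IPv6Address
    src_end: ipaddress.IPv6Address
    dst_start: ipaddress.IPv6Address
    dst_end: ipaddress.IPv6Address

    def matches(self, src, dst):
        src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        return (self.src_start <= src <= self.src_end
                and self.dst_start <= dst <= self.dst_end)


def split_ranges(prefix, parts=2):
    """Split a prefix into `parts` equal, contiguous START-END ranges (parts must be a power of two)."""
    if parts < 1 or parts & (parts - 1):
        raise ValueError("parts must be a power of two")
    net = ipaddress.IPv6Network(prefix, strict=True)
    subs = net.subnets(prefixlen_diff=parts.bit_length() - 1)  # e.g. /64 -> two /65
    return [(s.network_address, s.broadcast_address) for s in subs]


def workaround_rules(lan_prefix, parts=2):
    """Build the LanToWan_NN rules the thread needed instead of a single /64 rule."""
    return [Rule(f"LanToWan_{i:02d}", start, end, WAN_GLOBAL_START, WAN_GLOBAL_END)
            for i, (start, end) in enumerate(split_ranges(lan_prefix, parts), 1)]


def allowed(rules, src, dst):
    """ALLOW-mode semantics: traffic passes only if some listed rule matches it."""
    return any(r.matches(src, dst) for r in rules)


def ranges_cover_prefix(rules, lan_prefix):
    """True if the rules' source ranges are contiguous, gap-free and span exactly lan_prefix."""
    net = ipaddress.IPv6Network(lan_prefix)
    ordered = sorted(rules, key=lambda r: r.src_start)
    if ordered[0].src_start != net.network_address or ordered[-1].src_end != net.broadcast_address:
        return False
    return all(ordered[i].src_end + 1 == ordered[i + 1].src_start
               for i in range(len(ordered) - 1))


if __name__ == "__main__":
    for r in workaround_rules("2001:db8:1:2::/64"):  # constructed LAN prefix
        print(f"{r.name}: LAN {r.src_start} - {r.src_end} --> WAN {r.dst_start} - {r.dst_end}")
```

The check with `ranges_cover_prefix` is what a practitioner wants before trusting the split: the two ranges must add up to exactly the original /64, and a link-local source (fe80::) still matches nothing.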

FurryNutz

Re: IPv6 firewall seems to be totally broken?
« Reply #2 on: March 25, 2014, 07:18:38 AM »

Welcome!

  • What region are you located in?

Thank you for posting and sharing and giving feed back.

Have you tried the latest FW version as well?

Please phone contact D-Link support and let them know of your experiences and your information. The more they hear about this issue, the better they will fix this.

Let us know what they say please.

Cable:200mb/10Mb>NetGear C7800>DIR-882>DGS-1100>HP 24pt Gb Switch. COVR-3902/2202/1203,DIR-2680,890L,882,880L,868L,DNR-202L,DNS-345x2,DCS-933L,936L and 960L.
Go Here>Router Troubleshooting

epanda

Re: IPv6 firewall seems to be totally broken?
« Reply #3 on: March 26, 2014, 05:03:52 AM »

Hi FurryNutz,

thanks for your reply.

PacketTracer's post really helped me to get the firewall up and running. It took me quite a while to work out how to configure it 'correctly' so I thought it would be good to share my findings.

I haven't tried the latest firmware version yet. I had a look at the release notes of versions >1.01 and couldn't find anything related to IPv6 or firewall. So I didn't bother to give it a try.

I sent a message to D-Link support but haven't heard back from them yet. I will probably send them another message should I not receive any reply by tomorrow.

P.S. Posting with a different user since my dpanda account is inactive for some reason.

FurryNutz

Re: IPv6 firewall seems to be totally broken?
« Reply #4 on: March 26, 2014, 06:47:25 AM »

I recommend that you phone contact your regional D-Link support office and ask for help and information regarding this. We find that phone contact has better immediate results over using email.

I'll look in to your dpanda account issue for you....

FurryNutz

Re: IPv6 firewall seems to be totally broken?
« Reply #5 on: April 18, 2014, 07:13:57 AM »

Recent DIR-657 issue seen:
http://forums.dlink.com/index.php?topic=58743.0

Update: 04/23/2014
Issue was resolved by downgrading from v1.02 to v1.01. We presume there is an issue with v1.02 that is breaking IPv6 in that build of FW.
« Last Edit: April 23, 2014, 07:35:42 AM by FurryNutz »

FurryNutz

Re: IPv6 firewall seems to be totally broken?
« Reply #6 on: May 01, 2014, 10:08:17 AM »

FYI, all of this information is in the hands of D-Link for review and we hope all issues seen can and will be fixed within the guidelines of IPv6 Specs and Certifications.

I recommend that you phone contact your regional D-Link support office and ask for help and information regarding this. We find that phone contact has better immediate results over using email. While posting issues in this forum is a great means of sharing information with other members and notifying D-Link of issues, D-Link escalates issues for resolution based on the volume of calls received through the official D-Link support desk. If D-Link receives a large number of calls pertaining to the same issue, that issue is more likely to be escalated as a problem for investigation and resolution.
As such, in addition to posting issues in this forum, forum members are encouraged to call the toll free D-Link support desk to report their issue: 1-888-851-6464.

We thank you for your patience.

robstoon

Re: IPv6 firewall seems to be totally broken?
« Reply #7 on: May 20, 2014, 07:34:31 PM »

I did finally get some follow-up from D-Link on this regarding this problem on the DIR-860L. I received a beta firmware 1.08 B04 that at least has some improvement: Setting IPv6 Filtering to "Turn IPv6 Filtering ON and ALLOW rules listed" and creating a rule with source interface LAN, address range :: to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, dest interface WAN, address range 2000:: to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, now seems to have the desired effect of enabling outbound IPv6 connections but blocking incoming connections. But this should be happening with just IPv6 Simple Security enabled, and by default. I've informed D-Link of this and hopefully they will be able to get this actually working as it's supposed to.

FurryNutz

Re: IPv6 firewall seems to be totally broken?
« Reply #8 on: May 20, 2014, 07:38:56 PM »

Awesome info. Thanks for sharing. Please keep us posted on progress.  ;)
