The Graveyard - Products No Longer Supported > DIR-816L

Can't chain 2 IPv6 routers : DIR 818LW IPv6 ingress filtering problem

(1/2) > >>

Model/Firmware : DIR-818LW_REVB_FIRMWARE_PATCH_2.05.B01.ZIP

Network topology : PC1-----DIR626L------DIR818LW-----Internet

Hi  :D

The DIR818LW doesn't allow PC1, which is behind the DIR626L, to access the Internet using IPv6 ( See Network topology above ).
It seems to be caused by the DIR818LW IPv6 firewall : If I disable IPv6 Simple Security, PC1 can access Internet using IPv6.

Disabling IPv6 Simple Security on the DIR 818LW is the only functioning workaround I did find yet :
disabling anti-spoof checking or ingress filtering did not solve the problem

I have had that same issue with my DIR626L, which was caused by the Ingress Filtering that was only
implementing Interface subnet check instead of Reverse Path Forwarding check. I could solve it on the DIR626L by setting :
. IPv6 simple security : ON
. Firewall : ON and allow out rules
. Rule 1 : Allow everything out from Lan to Wan

Sadly, this isn't functioning with the DIR818LW.

I need IPv6 Simple Security.
If this can't function, I'll have to remove my DIR818LW from its core-router role. Sad ... :'(

Any help or clue are welcomed, I really need to use several subnets  :D

PS: ( Beside, they seem to have give up the :: wildcard, so the IPv6 rules seem to require whole ranges, like 1::1-FFFF::FFFF as catch all rules. Is there a new wildcard for IPv6? anybody knows it ? )

I think the only thing you can do is the set up the 818LW as a wired 2nd AP and let the 826L be the main host router:
Turning a router into an AP.

Hard Harry:
What type of IPv6 are you using?


please have a look at this thread, where we lengthy discussed what 'Simple Security' might mean, especially if it is combined with any non switched off ipv6 firewall settings.  Can you tell me the answer? Wouldn't it be enough if you configured

* IPv6 simple security : OFF
* Firewall : ON and allow out rules
* Rule 1 : Allow everything out from Lan to Wan
on your DIR818LW?

For your second question (how to specify IPv6 ranges): Yes there are several tastes how they have to be configured in the D-Link boxes. For your device it looks like you have to configure the range from :: to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, in order to express 'any ipv6 address'.

For a survey of problems found with D-Link's ipv6 firewalls also look here.



The reason for your problem is probably the same as described somewhere in the 1. thread I mentioned above, and I copy it here (just exchange '626l' with your device DIR818LW) :

--- Quote ---Ingress Filtering in this case is an option in the firewall, that defeats spoofed source address packets to leave our  network and enter the ISP network. ( RFC 2827 / RFC 3704 )
the problem is the implementation : as the 626L is a consummer product, it just compares for each outgoing packet the source IP to the Lan interface subnet. In case of mismatch, the packet is dropped.
If you link up two routers, packets from the innermost subnet are dropped by the outter router.

The only solution : to create an 'allow out ' rule on the outtermost Router to override the ingress filter.
Beside, IPv6 Simple Security automatically turns on Ingress Filter, which is logical.
--- End quote ---

Hi network1027,
how stupid I am, it was just this moment when I realized that it is you who initiated the thread that I referred to at the beginning - hence I copied your own answer. But then: why did you ask again, if you exactly know the reason of your problem?



--- Quote from: Hard Harry on January 10, 2016, 11:51:32 AM ---What type of IPv6 are you using?

--- End quote ---

I'm using native IPv6. I tried both link-local and static Global Unicast Address IPv6 for the DIR818LW Wan setting during the tests.


[0] Message Index

[#] Next page

Go to full version