What's new
By:

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Default IPv6 firewall config?

M

mokodi

Occasional Visitor
What's the default firewall configuration for the Asus Merlin FW? For example, I know that it allows IPv6 ICMP traffic by default. Does it allow all kinds of ICMP traffic or only certain types?
 
mokodi said:
What's the default firewall configuration for the Asus Merlin FW? For example, I know that it allows IPv6 ICMP traffic by default. Does it allow all kinds of ICMP traffic or only certain types?
Click to expand...

By default it only allows ICMP traffic which should be allowed as per RFC 4890. See sections 4.3.1 and 4.4.1 of that RFC.
 
mokodi said:
Does that mean all ICMP traffic? Some routers like Vyos allow you to specify specific ICMP types to go through. See last post here.


https://community.ubnt.com/t5/EdgeMAX/ipv6-firewall-question/td-p/1142244
Click to expand...

No, only the ICMP protocols enumerated in the two RFC sections I mentioned are allowed by default, as this is mandatory for proper IPv6 operations. All other ICMP protocols are dropped, unless you create a firewall rule to allow them explicitly. Setting the type to "Other" allows you to enter the protocol number in the port field (same as the IPv4 firewall).
 
RMerlin said:
No, only the ICMP protocols enumerated in the two RFC sections I mentioned are allowed by default, as this is mandatory for proper IPv6 operations. All other ICMP protocols are dropped, unless you create a firewall rule to allow them explicitly. Setting the type to "Other" allows you to enter the protocol number in the port field (same as the IPv4 firewall).
Click to expand...

Thanks RMerlin. I'm glad you're reading the RFC and implementing accordingly. Some vendors like Netgear simply block all IPv6 ICMP without any way to change the settings citing "security issues".
 
mokodi said:
Thanks RMerlin. I'm glad you're reading the RFC and implementing accordingly. Some vendors like Netgear simply block all IPv6 ICMP without any way to change the settings citing "security issues".
Click to expand...

This was done by Asus, not by me. While I did develop the configurable firewall, the default rules were all implemented by Asus.
 
You must log in or register to reply here.

Similar threads

R
ipv6 / firewall on ax86u pro (on latest Merlin)
Replies
6
Views
554
bennor
B
R
IPv6 on GNP using Passthrough
Replies
8
Views
505
rung
R
I
Router can't reach IPv6 despite clients having full connectivity
Replies
9
Views
481
iTheMask
I
C
Skynet SkyNet IPv6?
Replies
2
Views
444
CB7
C
RMerlin
Beta Asuswrt-Merlin 3006.102.5 Beta is now available
10 11 12
Replies
232
Views
26K
David Williams
D
Similar threads
Thread starter Title Forum Replies Date
R Guest Network Pro in FW 3006 - different default DNS Server than in FW 3004? Asuswrt-Merlin 5
Z Change VPN Director to default enabled Asuswrt-Merlin 6
M Solved 2,4G gone after changing SSID from default one Asuswrt-Merlin 12
nospamever RT-AC86U and IPv6 Asuswrt-Merlin 7
John DeLuca GT-BE98 Pro Merlin Version 3006.102.4 IPv6 Issues Asuswrt-Merlin 2
hartacus RT-AX86U Pro running 3006.102.4 dropping IPv6 ULA address Asuswrt-Merlin 19
I Router can't reach IPv6 despite clients having full connectivity Asuswrt-Merlin 9
R IPv6 on GNP using Passthrough Asuswrt-Merlin 8
L Pass ipv6 prefix to downstream router Asuswrt-Merlin 6
C IPv6 GUAs for Isolated Guest Network? Asuswrt-Merlin 20

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 922 (members: 30, guests: 892)
Back
Top