Firewall: Drop IPv6 neighbour solicitation broadcasts

Discussion in 'Asuswrt-Merlin' started by dave14305, Oct 22, 2019.

  1. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,331
    Today I switched back over to Merlin 384.13 to test some things and was reviewing my restored settings and saw that on Tools / Other Settings I had once enabled "Firewall: Drop IPv6 neighbour solicitation broadcasts (default: No)" since I am on Comcast/Xfinity. I believe I once saw a bunch of IPv6 traffic in tcpdump on the WAN interface, so decided to try this.

    To get to the point, I went looking to see what this setting does, and expected to find an ip6tables rule in the mangle table, but found nothing.
    Code:
    # ip6tables -t mangle -S
    -P PREROUTING ACCEPT
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -P POSTROUTING ACCEPT
    The nvram setting ipv6_ns_drop is correctly set to 1. Does this feature work for anyone else? I'm on an AC68U. IPv6 is disabled on the router, but the IPv6 firewall is enabled. I don't see that the code discriminates too much on this setting, but can't figure out why there's no rule, unless it's getting flushed out later in the firewall start.
     
  2. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,331
  3. stuffedtiger

    stuffedtiger Occasional Visitor

    Joined:
    Mar 6, 2015
    Messages:
    16
    Location:
    USA
    Apparently I don't know what I'm talking about.
     
    Last edited: Oct 22, 2019
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,586
    Location:
    UK
    My best guess at what is happening...

    ipv6_ns_drop is in mangle_setting() and ipv6_neighsol_drop is in mangle_setting2().

    Both of these are processed just before the following piece of code which effectively wipes them out when IPv6 is disabled.

    https://github.com/RMerl/asuswrt-me...29fa6f/release/src/router/rc/firewall.c#L6186
    Code:
    #ifdef RTCONFIG_IPV6
        if (!ipv6_enabled())
        {
            eval("ip6tables", "-F");
            eval("ip6tables", "-t", "mangle", "-F");
        }
    #endif
     
    dave14305 likes this.
  5. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,331
    This morning I experimented with enabling IPv6 and I still didn’t see the rule created. So probably some firewall voodoo at work.
     
  6. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    251
    I think it only remains active if needed; I noticed my connection for IPv6 has a lot fewer dropped packets when the setting is on due to the solicitation being blocked.
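
Added example, not part of the thread or the Asuswrt-Merlin source: a POSIX shell check for the situation discussed above, where `ipv6_ns_drop` is 1 but `ip6tables -t mangle -S` shows no rule. The function names and the rule in the constructed sample are assumptions; the rule the firmware actually installs may look different.

```shell
#!/bin/sh
# Added example: compare the ipv6_ns_drop setting with the loaded mangle rules.

# Output posted in the first post of the thread: policies only, no rules.
RULES_FROM_THREAD='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT'

# Constructed sample: the same table with a hypothetical NS drop rule added.
# This is NOT the firmware's actual rule, only a plausible shape for testing.
RULES_CONSTRUCTED="$RULES_FROM_THREAD
-A PREROUTING -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j DROP"

# Reads `ip6tables -t mangle -S` text on stdin. Succeeds if some rule matches
# ICMPv6 type 135 (neighbour solicitation, numeric or named) and jumps to DROP.
has_ns_drop_rule() {
    grep -E -e '--icmpv6-type (135|neighbou?r-solicitation)( |/|$)' |
        grep -E -q -e '-j DROP( |$)'
}

# $1 = value of ipv6_ns_drop, $2 = ruleset text.
# Returns 0 if they agree, 1 if the setting is on but no rule is loaded
# (the situation in the first post), 2 if a rule is loaded with the setting off.
check_ns_drop() {
    if printf '%s\n' "$2" | has_ns_drop_rule; then rule=1; else rule=0; fi
    case "$1:$rule" in
        1:1) echo "ok: setting on, NS drop rule loaded"; return 0 ;;
        1:0) echo "MISMATCH: setting on, no NS drop rule in mangle"; return 1 ;;
        *:1) echo "MISMATCH: setting off, NS drop rule still loaded"; return 2 ;;
        *)   echo "ok: setting off, no NS drop rule"; return 0 ;;
    esac
}

# Offline demonstration on the two samples above.
check_ns_drop 1 "$RULES_FROM_THREAD" || true
check_ns_drop 1 "$RULES_CONSTRUCTED" || true

# On the router itself (assumes the firmware's nvram CLI and ip6tables):
#   check_ns_drop "$(nvram get ipv6_ns_drop)" "$(ip6tables -t mangle -S)"
```

Running the check again after a firewall restart, and with IPv6 enabled and disabled, shows whether the rule is never created or is created and then flushed.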