IPv6 Network Services Filter


atlantex

Occasional Visitor
Hi there,

Until now I have used an AC86 router to connect to the internet via IPv4. I'm using network whitelisting to open only the needed ports toward the internet.

I plan to change to IPv6 now, but I wonder how I can use network service filtering in the future. Is it done via the command line only?

thx
 

dave14305

Part of the Furniture
It should use the same IPv4 rules for outbound IPv6 once IPv6 is enabled.
 

atlantex

Occasional Visitor
Part of a rule is source IP/network, destination port, TCP/UDP... When I use IPv6 addresses now, how can I match the same rule?
 

dave14305

Part of the Furniture
IPv6 addressing makes my eyes water. I just see that the firewall code for Network Services Filter will write both IPv4 and IPv6 rules. I have no practical experience doing it. :cool:
 

dave14305

Part of the Furniture
I've enabled IPv6 on Merlin and I see now that the GUI fields won't accept IPv6 addresses. And on further inspection of the code, it's not writing IPv6 rules as I thought, since I don't understand bitwise operations in C.

So maybe you can develop an IPv6 rule for ip6tables based on source MAC address and destination port, if you choose to run Merlin firmware.

Example to block one device from going to port 443/tcp:
Code:
ip6tables -I FORWARD -m mac --mac-source D0:D2:B0:AD:6D:1A -p tcp -m tcp --dport 443 -j logdrop
You would add that to the end of /jffs/scripts/firewall-start on Merlin.
 
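A fuller version of the idea in the post above, as an added example that is not Merlin's firewall code and not from the thread: a firewall-start fragment that turns a small "MAC, protocol, port" whitelist into an ip6tables chain, so that each listed device may only open the listed outbound connections and everything else from the LAN toward the WAN ends in Merlin's logdrop chain. The interface names br0 and eth0, the chain name NSF6 and the whitelist entries are assumptions for the example; only the logdrop target comes from the post.

```shell
#!/bin/sh
# Example /jffs/scripts/firewall-start fragment: an IPv6 outbound whitelist
# per LAN device, built from the MAC-plus-port rule shape shown above.
# Example code, not Merlin's own firewall code.
#
# Assumptions (not from the thread): LAN bridge br0, WAN interface eth0, a chain
# name NSF6 chosen here, and Merlin's existing "logdrop" chain as the drop target.
LAN_IF="br0"
WAN_IF="eth0"
CHAIN="NSF6"

# Whitelist table, one "MAC proto port" entry per line (constructed sample).
WHITELIST='
D0:D2:B0:AD:6D:1A tcp 443
D0:D2:B0:AD:6D:1A tcp 80
D0:D2:B0:AD:6D:1A udp 123
'

# Print the ip6tables commands, one per line, instead of running them, so the
# ruleset can be reviewed ("dry-run") before it is applied on the router.
build_ruleset() {
    echo "ip6tables -N $CHAIN 2>/dev/null || true"
    echo "ip6tables -F $CHAIN"
    # Packets of connections already accepted need no further checks.
    echo "ip6tables -A $CHAIN -m state --state ESTABLISHED,RELATED -j RETURN"
    # One allow rule per whitelist entry; RETURN hands the packet back to
    # FORWARD so the firmware's own rules still apply to it.
    printf '%s\n' "$WHITELIST" | while read -r mac proto port; do
        [ -n "$mac" ] || continue
        echo "ip6tables -A $CHAIN -m mac --mac-source $mac -p $proto --dport $port -j RETURN"
    done
    # Everything else from a LAN device toward the WAN is logged and dropped.
    echo "ip6tables -A $CHAIN -j logdrop"
    # Hook the chain into FORWARD exactly once: -C checks whether the jump exists.
    echo "ip6tables -C FORWARD -i $LAN_IF -o $WAN_IF -j $CHAIN 2>/dev/null || ip6tables -I FORWARD -i $LAN_IF -o $WAN_IF -j $CHAIN"
}

# Number of per-device allow rules the whitelist produces.
count_allow_rules() {
    build_ruleset | grep -c -- '--mac-source'
}

# Run the generated commands; "sh -e" stops at the first rule that fails.
apply_ruleset() {
    command -v ip6tables >/dev/null 2>&1 || { echo "ip6tables not found" >&2; return 1; }
    build_ruleset | sh -e
}

case "${1:-}" in
    apply)   apply_ruleset ;;
    dry-run) build_ruleset ;;
esac
```

Two points worth keeping in mind: the `-m mac` match only sees the client's own MAC while the packet is still on the LAN bridge, so a device behind a downstream router is matched by that router's MAC, not its own; and if the IPv6 WAN is a PPP link the `-o` interface is the ppp device rather than eth0.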

atlantex

Occasional Visitor
@dave14305 thx for the info. Using iptables for my needs is no problem, I can use IPv6 client IPs (EUI-64) in the ruleset. I just wanted to make sure that I'm not overlooking a GUI function, but it seems there is no configuration GUI for IPv6 rules yet, like there is for IPv4.
 
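For the EUI-64 approach mentioned in the post above, an added example (not from the thread or the firmware) that derives a client's modified EUI-64 address from its MAC and the LAN prefix and emits the corresponding ip6tables rule keyed on the source address. The prefix 2001:db8:1:2::/64 is a documentation prefix used only for the example; the logdrop target is Merlin's chain as used earlier in the thread.

```shell
#!/bin/sh
# Derive a client's modified EUI-64 IPv6 address (RFC 4291, Appendix A) from its
# MAC and the LAN prefix, then emit an ip6tables rule that matches that address.
# Example code, not the firmware's; the prefix 2001:db8:1:2::/64 and the
# "logdrop" target are assumptions (logdrop is Merlin's log-and-drop chain).

# mac_to_iid MAC -> 64-bit interface identifier as four hex groups.
# Flip the universal/local bit (0x02) of the first octet, insert ff:fe in the middle.
mac_to_iid() {
    mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    o1=${mac%%:*}; rest=${mac#*:}
    o2=${rest%%:*}; rest=${rest#*:}
    o3=${rest%%:*}; rest=${rest#*:}
    o4=${rest%%:*}; rest=${rest#*:}
    o5=${rest%%:*}; o6=${rest#*:}
    o1=$(printf '%02x' $(( 0x$o1 ^ 0x02 )))
    printf '%s%s:%sff:fe%s:%s%s\n' "$o1" "$o2" "$o3" "$o4" "$o5" "$o6"
}

# eui64_addr PREFIX MAC -> full address; PREFIX may carry a /64 suffix.
eui64_addr() {
    prefix=${1%%/*}      # drop "/64" if present
    prefix=${prefix%::}  # drop the trailing "::" so the IID can be appended
    printf '%s:%s\n' "$prefix" "$(mac_to_iid "$2")"
}

# rule_for_client PREFIX MAC PROTO PORT -> ip6tables command in the shape of the
# MAC-based rule earlier in the thread, but keyed on the EUI-64 source address.
rule_for_client() {
    printf 'ip6tables -I FORWARD -s %s -p %s --dport %s -j logdrop\n' \
        "$(eui64_addr "$1" "$2")" "$3" "$4"
}

# Usage: ./eui64-rule.sh 2001:db8:1:2::/64 D0:D2:B0:AD:6D:1A tcp 443
if [ $# -eq 4 ]; then
    rule_for_client "$1" "$2" "$3" "$4"
fi
```

Two caveats before relying on address-based rules: the delegated prefix comes from the ISP and can change, so read it from `ip -6 addr show dev br0` inside firewall-start rather than hardcoding it; and most current clients use privacy or stable-privacy interface identifiers (RFC 4941, RFC 7217) in addition to, or instead of, EUI-64, so a rule on the EUI-64 address covers only one of a client's addresses, whereas the `-m mac` match covers all of them.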

atlantex

Occasional Visitor
Is there a bug in the IPv6 DNS configuration? The router always pushes its own IP to the clients as DNS server instead of the configured DNS IP.
The setting seems to be just ignored.

Any hint?
 

dave14305

Part of the Furniture
Is there a bug in the IPv6 DNS configuration? The router always pushes its own IP to the clients as DNS server instead of the configured DNS IP.
The setting seems to be just ignored.

Any hint?
Those entries become the WAN DNS for IPv6. The IPv6 clients always get the router IP.
 

atlantex

Occasional Visitor
Hmmm ok, but name resolution is not working. It works with "nslookup google.com <DNS-IPv6>", from a local client as well as from the Asus router. It must have something to do with the firewall: name resolution via an external IPv6 DNS isn't working, while ping works well. The firewall log shows nothing.

Everything a bit strange...
 

atlantex

Occasional Visitor
Only the Asus router itself can resolve domains. When I try to resolve google.com from any client, it points to the Asus router, but the router fails to resolve the domain.
Only when the DNS is set manually in the client does DNS resolution work.

I cannot find where the config error lies.
 

dave14305

Part of the Furniture
In that scenario, DNSFilter would have reconfigured dnsmasq to give out the Quad9 DNS Servers' IPv6 addresses to IPv6 clients via DHCP and created a firewall rule to drop all IPv6 DNS requests going anywhere other than Quad9. Does that match what you saw happening?
 
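An added check for the behaviour described in the post above (example code, not Merlin's or DNSFilter's own): it reads an `ip6tables -S FORWARD` listing and reports, per protocol, whether client DNS is pinned to one resolver, left open, or accidentally blocked because the drop rule sits in front of the accept rule, and it prints the rules still needed. The three rule listings are constructed samples; the resolver address 2620:fe::fe (Quad9), the br0 interface and the logdrop target are assumptions for the example.

```shell
#!/bin/sh
# Check whether an ip6tables FORWARD chain pins LAN clients' IPv6 DNS to one
# resolver (the effect the post above attributes to DNSFilter) and print the
# rules still missing if it does not. Example code, not Merlin's; the sample
# rule listings are constructed, not copied from a router.
# Assumptions: resolver Quad9 at 2620:fe::fe, LAN bridge br0, Merlin's logdrop chain.
RESOLVER="2620:fe::fe"
LAN_IF="br0"

# Constructed samples in the shape of `ip6tables -S FORWARD` output.
# Pinned: DNS to the resolver accepted, DNS to anyone else dropped.
PINNED_SAMPLE='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 2620:fe::fe/128 -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 2620:fe::fe/128 -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i br0 -p udp -m udp --dport 53 -j DROP
-A FORWARD -i br0 -p tcp -m tcp --dport 53 -j DROP
-A FORWARD -i br0 -j ACCEPT'
# Open: no DNS rules at all, so clients may query any resolver.
OPEN_SAMPLE='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT'
# Blocked: the drop rule sits before the accept rule, so even the chosen
# resolver is unreachable and client name resolution dies.
BLOCKED_SAMPLE='-A FORWARD -i br0 -p udp -m udp --dport 53 -j DROP
-A FORWARD -d 2620:fe::fe/128 -i br0 -p udp -m udp --dport 53 -j ACCEPT'

# dns_status RULES PROTO -> pinned | open | blocked
# Looks only at rules for destination port 53 of the given protocol and takes
# rule order into account, as the kernel does (first match wins).
dns_status() {
    rules=$(printf '%s\n' "$1" | grep -- "-p $2 " | grep -- '--dport 53 ') || true
    allow_at=$(printf '%s\n' "$rules" | grep -n -- "-d $RESOLVER/" \
        | grep -E -- '-j (ACCEPT|RETURN)' | head -n 1 | cut -d: -f1) || true
    drop_at=$(printf '%s\n' "$rules" | grep -n -v -- "-d $RESOLVER/" \
        | grep -E -- '-j (DROP|REJECT|logdrop)' | head -n 1 | cut -d: -f1) || true
    if [ -z "$drop_at" ]; then
        echo open
    elif [ -z "$allow_at" ] || [ "$allow_at" -gt "$drop_at" ]; then
        echo blocked
    else
        echo pinned
    fi
}

# missing_rules RULES -> ip6tables commands that establish pinning for every
# protocol not already pinned. Both use -I: the drop rule is inserted first,
# then the accept rule lands in front of it, giving the right order.
missing_rules() {
    for proto in udp tcp; do
        if [ "$(dns_status "$1" "$proto")" = pinned ]; then
            continue
        fi
        echo "ip6tables -I FORWARD -i $LAN_IF -p $proto --dport 53 -j logdrop"
        echo "ip6tables -I FORWARD -i $LAN_IF -p $proto --dport 53 -d $RESOLVER -j ACCEPT"
    done
}

# On the router: ./dns6-check.sh live
case "${1:-}" in
    live) missing_rules "$(ip6tables -S FORWARD)" ;;
esac
```

Note that this only governs forwarded traffic: queries clients send to the router's own dnsmasq arrive on INPUT and are unaffected, and DNS over HTTPS on port 443 cannot be told apart from other web traffic by a port rule at all.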

atlantex

Occasional Visitor
I did not see an IPv6 firewall rule for DNS at all; I added one, but without success. I just noticed that I could not resolve any domain from any client.
I flushed all IPv6 firewall rules and set just a -j LOG rule for all 3 main chains; after that I fired an nslookup from a client and saw that the router tried to connect to the 9.9.9.9 DNS via IPv4 instead of my chosen DNS. Nslookups from the router itself worked fine at this point, but not from clients.
That brought me to the dnsfilter setting...

Now I have the base system running and I can continue with ip6tables. Unfortunately I have to write my own ruleset; I cannot understand why Asus doesn't implement a GUI for these rules. As we don't have NAT in IPv6 anymore, firewalling is more important than ever before.
 

atlantex

Occasional Visitor
Is there a way to read the IPv6 DHCP list? System Log -> IPv6 just says "no IPv6 client", but the router serves addresses to the clients.
 

dave14305

Part of the Furniture
Is there a way to read the IPv6 DHCP list? System Log -> IPv6 just says "no IPv6 client", but the router serves addresses to the clients.
The router uses this command to determine the IPv6 clients:
Code:
ip -f inet6 neigh show dev br0
 
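As an added example (not the firmware's code), here is what one can do with that command's output by hand: filter the neighbour table into a client list with one line per MAC, address and state, leaving out link-local entries and neighbours that never resolved. The sample neighbour lines are constructed in the shape `ip -f inet6 neigh show dev br0` prints; the addresses and MACs in them are made up for the example.

```shell
#!/bin/sh
# Turn the output of the command above into a readable IPv6 client list:
# one line per "MAC address state", without link-local entries and without
# neighbours that never resolved. Example code, not the firmware's.

# Constructed sample in the shape `ip -f inet6 neigh show dev br0` prints
# (the "dev br0" field is omitted because the command filtered on it).
NEIGH_SAMPLE='fe80::d2d2:b0ff:fead:6d1a lladdr d0:d2:b0:ad:6d:1a STALE
2001:db8:1:2:d2d2:b0ff:fead:6d1a lladdr d0:d2:b0:ad:6d:1a REACHABLE
2001:db8:1:2:4c1e:9f0a:77b3:21c5 lladdr d0:d2:b0:ad:6d:1a REACHABLE
fe80::1c2b:3d4e:5f60:7182 lladdr a4:5e:60:c1:22:33 DELAY
2001:db8:1:2:a65e:60ff:fec1:2233 lladdr a4:5e:60:c1:22:33 STALE
2001:db8:1:2::1234 FAILED'

# Read neighbour lines on stdin, print "mac address state" sorted by MAC.
ipv6_clients() {
    awk '
    {
        addr = $1; mac = ""; state = $NF
        # the MAC follows the "lladdr" keyword; a "dev X" pair may also be present
        for (i = 2; i < NF; i++) if ($i == "lladdr") mac = $(i + 1)
        if (mac == "") next                                  # never resolved
        if (state == "FAILED" || state == "INCOMPLETE") next
        if (tolower(substr(addr, 1, 4)) ~ /^fe[89ab]/) next  # link-local fe80::/10
        print mac, addr, state
    }' | LC_ALL=C sort
}

# Number of distinct devices (MACs) in the list.
client_count() {
    ipv6_clients | cut -d' ' -f1 | LC_ALL=C sort -u | grep -c .
}

# On the router: ./ipv6-clients.sh live
case "${1:-}" in
    live)   ip -f inet6 neigh show dev br0 | ipv6_clients ;;
    sample) printf '%s\n' "$NEIGH_SAMPLE" | ipv6_clients ;;
esac
```

The sample also shows why a single "DHCP list" is hard to produce for IPv6: the first device appears with two global addresses (an EUI-64 one and a privacy one) plus a link-local one, all under the same MAC, and the neighbour cache only lists hosts the router has recently talked to, so a quiet client can be missing entirely.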
