IPv6 Network Services Filter


atlantex

Occasional Visitor
Hi there,

Till now I used an AC86 router to connect to the internet via IPv4. I'm using network white listing to open only the needed ports towards the internet.

I plan to change to IPv6 now, but I wonder how I can use network service filtering in the future. Is it done via command line only?

thx
 
Part of a rule is source-IP/Network, dest-Port, TCP/UDP... When I now use IPv6 addresses, how can I match the same rule?
 
IPv6 addressing makes my eyes water. I just see that the firewall code for Network Services Filter will write both IPv4 and IPv6 rules. I have no practical experience doing it. :cool:
 
I’ve enabled IPv6 on Merlin and I see now that the GUI fields won’t accept IPv6 addresses. And further looking at the code, it’s not writing IPv6 rules like I thought since I don’t understand bitwise operations in C.

So maybe you can develop an IPv6 rule for ip6tables based on source MAC address and destination port, if you choose to run Merlin firmware.

Example to block one device from going to port 443/tcp:
Code:
ip6tables -I FORWARD -m mac --mac-source D0:D2:B0:AD:6D:1A -p tcp -m tcp --dport 443 -j logdrop
You would add that to the end of /jffs/scripts/firewall-start on Merlin.
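The rule above blocks one device on one port. Since the original poster wants the white-list behaviour of Network Services Filter (only the needed ports open), here is an added example, not code from the thread or from Asuswrt-Merlin, of a small firewall-start fragment that builds a per-device IPv6 allow-list around that same MAC-plus-port match. The chain name NSF6 and the ALLOW_LIST format are this example's own choices; "logdrop" is Merlin's logging drop chain as used in the rule above, and the MAC and ports are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread or from Asuswrt-Merlin): per-device IPv6
# allow-list for /jffs/scripts/firewall-start. Chain name NSF6 and the
# ALLOW_LIST format are assumptions of this example; "logdrop" is Merlin's
# own logging drop chain, as used in dave14305's rule.

IP6T="${IP6T:-ip6tables}"
CHAIN="NSF6"
LAN_IF="br0"

# Constructed sample allow-list, one "MAC proto port" per line. A listed MAC
# may reach the internet only on the ports given here; all other IPv6
# traffic it originates is logged and dropped. Unlisted devices are untouched.
ALLOW_LIST='
D0:D2:B0:AD:6D:1A tcp 443
D0:D2:B0:AD:6D:1A udp 53
'

# Print the ip6tables commands for the allow-list, one per line, so the rule
# set can be reviewed (or diffed against the running one) before applying it.
build_rules() {
    echo "$IP6T -N $CHAIN 2>/dev/null"
    echo "$IP6T -F $CHAIN"
    # Return traffic of accepted flows and ICMPv6 (IPv6 depends on it for
    # path MTU discovery) leave the chain untouched.
    echo "$IP6T -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
    echo "$IP6T -A $CHAIN -p ipv6-icmp -j RETURN"
    printf '%s\n' "$ALLOW_LIST" | while read -r mac proto port; do
        [ -n "$mac" ] || continue
        echo "$IP6T -A $CHAIN -m mac --mac-source $mac -p $proto -m $proto --dport $port -j ACCEPT"
    done
    # One catch-all per listed MAC, emitted after the accepts: order inside
    # the chain is what turns the list into a white list.
    printf '%s\n' "$ALLOW_LIST" | awk 'NF { print $1 }' | sort -u | while read -r mac; do
        echo "$IP6T -A $CHAIN -m mac --mac-source $mac -j logdrop"
    done
}

# Apply the rules and hook the chain into FORWARD for traffic leaving the LAN.
# The -C check keeps the hook from being inserted twice when firewall-start
# runs again (for example after a WAN reconnect).
apply_rules() {
    build_rules | sh
    $IP6T -C FORWARD -i "$LAN_IF" -j "$CHAIN" 2>/dev/null \
        || $IP6T -I FORWARD -i "$LAN_IF" -j "$CHAIN"
}

# Apply only when run as the firewall-start hook; sourcing the file gives
# you build_rules for a dry run.
case "$0" in */firewall-start) apply_rules ;; esac
```

Because the MAC match is only meaningful on the LAN-facing interface, the hook is limited to `-i br0`; replies coming back from the WAN never pass through the chain, so the conntrack RETURN rule is what keeps the device's established connections (and anything it legitimately serves) working.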
 
@dave14305 thx for the info. To use iptables for my needs is no problem, I can use IPv6 client IPs (EUI-64) in the ruleset. I just wanted to make sure that I'm not overlooking a GUI function, but it seems that there is no configuration GUI for IPv6 rules yet, like for IPv4.
 
Is there a bug in IPv6 DNS configuration? The router always pushes its own IP to the clients as DNS server instead of the configured DNS IP.
The setting seems to be just ignored.

Any hint?
 
Attachment: asus-dns.PNG
Those entries become the WAN DNS for IPv6. The IPv6 clients always get the router IP.
 
hmmm ok, but name resolution is not working. It works with "nslookup google.com <DNS-IPv6>", from a local client as well as the asus router. It must have something to do with the firewall; name resolution via an external IPv6 DNS isn't working, while ping works well. The firewall log is showing nothing.

Everything is a bit strange...
 
Only the asus router itself can resolve domains. When I try to resolve google.com from any client, then it points to the asus router, but it fails to resolve the domain.
Only when the dns is set manually in the client, then dns resolution works.

I cannot find where the config error lies.
 
I found the problem. The dnsfilter function was switched on in my system; DNS resolution works fine when it is switched OFF.
 
Attachment: asus-dnsfilter.PNG
In that scenario, DNSFilter would have reconfigured dnsmasq to give out the Quad9 DNS Servers' IPv6 addresses to IPv6 clients via DHCP and created a firewall rule to drop all IPv6 DNS requests going anywhere other than Quad9. Does that match what you saw happening?
 
I did not see an IPv6 FW rule for DNS at all; I added one, but without success. I just noticed that I could not resolve any domain from any client.
I flushed all IPv6 firewall rules and set just a -j LOG rule for all 3 main chains. After that I fired an nslookup from a client and saw that the router tried to connect to the 9.9.9.9 DNS via IPv4 instead of my chosen DNS. Nslookups from the router itself worked fine at this point, but not from clients.
That brought me to the dnsfilter setting...

Now I have the base system running and I can continue with ip6tables. Unfortunately I have to write my own ruleset; I cannot understand why Asus doesn't implement a GUI for these rules. As we don't have NAT in IPv6 anymore, firewalling is a lot more important than ever before.
 
Is there a way to read the IPv6 dhcp list? Systemprotocol -> IPv6 just says "no ipv6 client", but the router serves addresses to the clients.
 
The router uses this command to determine the IPv6 clients:
Code:
ip -f inet6 neigh show dev br0
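Two things follow from that command. First, the neighbour table only lists addresses the router has recently exchanged packets with, so it can be empty while clients do have addresses (which is the "no ipv6 client" symptom above). Second, it shows every address a client uses, which matters for the earlier plan of writing rules on EUI-64 addresses: a client with privacy extensions also has temporary addresses that are not derived from its MAC. The added example below (not code from the thread or from Asuswrt-Merlin) parses constructed sample output of that command, drops link-local and unresolved entries, and marks for each global address whether it is the EUI-64 address of the reported MAC, so you can see at a glance which addresses an address-based rule would miss.

```shell
#!/bin/sh
# Added example, not from the thread: parse `ip -f inet6 neigh show dev br0`
# output into a client list and flag EUI-64 (MAC-derived) addresses.

# Constructed sample of what the command prints on the router (the "dev br0"
# column is omitted by ip when the device is given on the command line).
SAMPLE_NEIGH='fe80::d2d2:b0ff:fead:6d1a lladdr d0:d2:b0:ad:6d:1a STALE
2001:db8:1:2:d2d2:b0ff:fead:6d1a lladdr d0:d2:b0:ad:6d:1a REACHABLE
2001:db8:1:2:3c4d:5e6f:7a8b:9c0d lladdr aa:bb:cc:dd:ee:ff DELAY
2001:db8:1:2:a8bb:ccff:fedd:eeff lladdr aa:bb:cc:dd:ee:ff router STALE
2001:db8:1:2::42 FAILED'

# Interface identifier that SLAAC derives from a MAC (RFC 4291 modified
# EUI-64): flip the universal/local bit of the first byte and insert ff:fe
# in the middle. Printed as four zero-stripped hex groups, the form ip uses.
eui64_suffix() {
    set -- $(printf '%s' "$1" | tr 'A-F:' 'a-f ')
    printf '%x:%x:%x:%x\n' \
        $(( (0x$1 ^ 2) * 256 + 0x$2 )) \
        $(( 0x$3 * 256 + 0xff )) \
        $(( 0xfe00 + 0x$4 )) \
        $(( 0x$5 * 256 + 0x$6 ))
}

# Read neighbour-table lines on stdin; print "address mac state" for global
# addresses whose MAC is known and that are not in a failed state.
list_clients() {
    awk '
        /^fe[89ab]/ { next }                      # link-local (fe80::/10)
        $2 != "lladdr" { next }                   # no MAC resolved
        $NF == "FAILED" || $NF == "INCOMPLETE" { next }
        { print $1, $3, $NF }                     # state is always the last word
    '
}

# Append "eui64" when the address ends in the MAC-derived interface id,
# otherwise "other" (typically a privacy/temporary address).
client_report() {
    list_clients | while read -r addr mac state; do
        suffix=$(eui64_suffix "$mac")
        case "$addr" in
            *":$suffix") kind="eui64" ;;
            *)           kind="other" ;;
        esac
        echo "$addr $mac $state $kind"
    done
}

# Run the report over the constructed sample; on the router you would pipe
# the real command instead: ip -f inet6 neigh show dev br0 | client_report
demo() {
    printf '%s\n' "$SAMPLE_NEIGH" | client_report
}

demo
```

In the sample, aa:bb:cc:dd:ee:ff shows up with two global addresses, only one of which is EUI-64; a rule keyed on that EUI-64 address would not apply to traffic sent from the other one, which is why the MAC-based match used earlier in the thread is the more robust choice for ip6tables rules on the LAN side.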
 