IPv6 security

Can you test if opening a port also works? If you have any Professional version of Windows for instance, make sure Remote Desktop is enabled, check what the IPv6 is for that PC, and try opening port 3389 for that IPv6. Then, use an online port scanner and see if port 3389 is open.

IPv6 firewalling is (IMHO) a major issue with Asuswrt. Once I know this works well, I will probably try to convince Asus into implementing it in Asuswrt, since right now IPv6 offers zero security in the stock firmware.

Support :D I have been trying to get ASUS to put their routers through the IPv6 Ready Logo certification program as well, but somehow the message isn't getting through :(

The reason being that the ASUS routers are not working properly with at least one of my Internet fiber providers, which uses static IPv6; I have been using the Ubiquiti ERL for the static IPv6.
 
I have AT&T DSL 6rd, but won't be able to test until I get home on Tuesday of next week.
 
I opened the port on the IPv6 firewall (3389), rebooted the router, took down my Windows desktop firewall, and scanned the port...it was not open:

The checked port (3389, service ms-wbt-server) is offline/unreachable

Something is blocking this port. The next thing I tried was disabling the IPv6 firewall and my Antivirus app on the router and rebooted the router. The port was still unreachable.

So I'm not sure what's blocking that port at this point...any thoughts?

Thanks.
 
Make sure you used the permanent IPv6 address and not the temporary one returned by ipconfig.

If you are with the same ISP as TeHashX (he didn't specify what his ISP was) then it could be the ISP modem firewalling things by default. If even with the IPv6 firewall disabled on the router you still can't reach the port, then it's most likely not the router blocking it but something else.
 
As a general reminder: remember that when you do a port scan, you must use the IP of the target computer, NOT your WAN or router IP. IPv6 is routed, not NATed.
 
I tried both the permanent and temporary IPv6 addresses. The permanent one first, since I thought that was the right one, then the temporary one just in case that was the right one *smile*. I really did mess around a bunch and could not get that port opened. I even tried disabling the IPv4 firewall, in case that was interacting in some way, but no effect, which was actually reassuring *smile*. Yeah, I just don't know what's blocking that port...

I tried fiddling with remote desktop stuff just to see if that was it, but I didn't expect it to help, since the Windows Firewall was already turned off. It didn't help.

In my later fiddling, I saw that I didn't need to reboot the router after enabling or disabling the firewalls, the router firewalls went up and down fine just using "Apply", so that will save me some time in the future *smile*.

If it's the ISP cable modem, I can't get to the settings on it, only top-level status screens. So I can't really do much there.
 
Based on their FAQ, Comcast doesn't allocate you a subnet but only a single IP. That would explain why you can't reach the computer remotely - you only get one routable IP, which is terminated on your router.

http://www.comcast6.net/index.php/ipv6-deployment-faq
 
The cited document refers to a single computer connected directly to the cable modem. We have 3 desktop computers connected to a router, so I don't think that we fall under that minimal rule. Each computer has separate, distinct IPv6 addresses (temporary and permanent).

I was going to look at my Comcast account and see if there's some sort of firewall associated with it...haven't had time yet.
 
I'm getting /64 from Comcast. I think the /128 is only when they detect a single standalone computer behind the modem.

Ok, so it should be similar to what I get with my HE tunnel then.
 
I loaded this beta and all seems to be working well, so far.

Router: RT-AC66U
ISP: Comcast
Conn: Native with DHCP-PD

I use the following site to test multiple ports at once. It also does a ping response test. Kind of like a "Shields UP!" type of port scanner, but for IPv6.

http://ipv6.chappell-family.com/ipv6tcptest/
 
This changes everything, I thought it was like IPv4 port forwarding :(
I opened port 3389 and after running a scan on http://ipv6.chappell-family.com/ipv6tcptest the result was open. :)

But why is my IP changing every reboot?
I'm on a laptop with a wifi connection, maybe that's why I don't have a temporary IPv6 address.
 

This changes everything, I thought it was like IPv4 port forwarding :(
I opened port 3389 and after running a scan on http://ipv6.chappell-family.com/ipv6tcptest the result was open. :)

There we go. :) Can you also confirm that the port is closed if you remove the rule?

But why is my IP changing every reboot?
I'm on a laptop with a wifi connection, maybe that's why I don't have a temporary IPv6 address.

Could be, I never tested IPv6 over wireless. I would have expected to still get an IP derived from the MAC, could be different in the case of wireless. Unless it's something related to your ISP and how they allocate you the IPs.
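The two points made above, that the scanner and the firewall rule must name the host's own address rather than the router's, and that the host's address may be a MAC-derived (EUI-64) identifier or a random one, as an added example that is not part of any post in this thread. It classifies a constructed list of addresses of the kind ipconfig would show (the 2001:db8:1:2::/64 prefix and the MAC 00:1a:2b:3c:4d:5e are made up; 2001:db8::/32 is the documentation range), recovers the MAC from an EUI-64 identifier, prefers a stable identifier over a rotating one as the rule target, and prints a generic ip6tables FORWARD accept next to the IPv4 DNAT pair it replaces. The chain names are plain netfilter, not the chains Asuswrt-Merlin's firewall actually uses. Windows generates randomized stable identifiers by default, so a permanent address need not be EUI-64; the picker then falls back to the first global address.

```python
import ipaddress

# Constructed sample: addresses one Windows host might list under ipconfig.
# The MAC 00:1a:2b:3c:4d:5e and the 2001:db8:1:2::/64 prefix are made up
# (2001:db8::/32 is the documentation prefix and is never routed).
SAMPLE_ADDRS = [
    "fe80::21a:2bff:fe3c:4d5e",            # link-local: never reachable from outside
    "fd12:3456:789a:1::10",                # ULA: not routed by ISPs
    "2001:db8:1:2:9d4e:1f2a:7b3c:5e6f",    # global, random IID (looks like a temporary address)
    "2001:db8:1:2:21a:2bff:fe3c:4d5e",     # global, EUI-64 IID derived from the MAC
]

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def classify(addr):
    """Return link-local / ULA / global / other for one IPv6 address."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA:
        return "ULA"
    if a in GLOBAL_UNICAST:
        return "global"
    return "other"


def eui64_mac(addr):
    """If the interface identifier is modified EUI-64, return the MAC it encodes, else None.

    EUI-64 inserts ff:fe between the two halves of the MAC and flips the
    universal/local bit (0x02) of the first byte. A random or temporary
    identifier fails this check.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if not (iid[3] == 0xFF and iid[4] == 0xFE and iid[0] & 0x02):
        return None
    mac = bytes([iid[0] ^ 0x02, iid[1], iid[2], iid[5], iid[6], iid[7]])
    return ":".join(f"{b:02x}" for b in mac)


def pick_scan_target(addrs):
    """Choose the address to put in the firewall rule and in the scanner.

    Only global unicast is reachable from outside. Among those, prefer a
    MAC-derived identifier: a temporary address rotates, so a rule written for
    it stops matching once the host moves on. Hosts with randomized stable
    identifiers simply get the first global address.
    """
    globals_ = [a for a in addrs if classify(a) == "global"]
    if not globals_:
        return None
    stable = [a for a in globals_ if eui64_mac(a) is not None]
    return str(ipaddress.IPv6Address((stable or globals_)[0]))


def forward_rules(target, port, wan_v4=None, lan_v4=None):
    """Generic netfilter rules (not Asuswrt-Merlin's own chains) for one inbound TCP port.

    IPv6 is routed, so one FORWARD accept to the host's global address is all
    that is needed. IPv4 behind NAT needs a DNAT in the nat table *and* a
    FORWARD accept, which is why the IPv4 mental model does not carry over.
    """
    rules = [f"ip6tables -A FORWARD -p tcp -d {target} --dport {port} -j ACCEPT"]
    if wan_v4 and lan_v4:
        rules += [
            f"iptables -t nat -A PREROUTING -d {wan_v4} -p tcp --dport {port} "
            f"-j DNAT --to-destination {lan_v4}:{port}",
            f"iptables -A FORWARD -p tcp -d {lan_v4} --dport {port} -j ACCEPT",
        ]
    return rules


if __name__ == "__main__":
    for a in SAMPLE_ADDRS:
        print(f"{a:40} {classify(a):11} mac={eui64_mac(a)}")
    target = pick_scan_target(SAMPLE_ADDRS)
    print("scan/firewall target:", target)
    # 203.0.113.5 / 192.168.1.10 are made-up IPv4 addresses for the contrast.
    for r in forward_rules(target, 3389, wan_v4="203.0.113.5", lan_v4="192.168.1.10"):
        print(r)
```

Run it directly to see the classification table and the rules. The assumption worth stating is that a temporary (RFC 4941) address rotates on its own schedule, so opening a port for it works only until the host generates the next one, which is why the permanent address is the one to open and to scan.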
 
I confirm,
after deleting the rule, the ports were closed (tried with 3389 & 43962)
after disabling the IPv6 firewall, all ports are open
 
Excellent. Who's your ISP, and what type of IPv6 connection are you using?
 
Interesting, this is one of the port scanners that I used, and the router port 3389 never showed "open" for me. Glad that this is confirmed, that ports should be able to be opened then. I just hope that I don't need to open an IPv6 port. The best it got was with the router's new IPv6 firewall down, and my computer firewall down, then I did have 3 open ports:

2869
5357
10243

with a lot of "yellow" (RFSD, connection refused) ports, and a few "stealth" ports. With the router's IPv6 firewall back up, all ports are "stealth", so the new router firewall definitely has the desired effect on this port scanner.

I also checked that with the router's IPv6 firewall down, and the computer's firewall up, all ports are "stealth", so our computers are doubly protected. This also confirms for me that the port scanners are directly scanning the computer, not just the router, confirming my original thought. Since we do have IPv6 enabled devices that are not computers (don't have firewalls), I'm really glad to have the router firewall. Thanks again for that.

Note that the 3389 port has been marked "open" on the router's IPv6 firewall the whole time I've been doing all this testing *smile*.
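How a scanner arrives at the open / RFSD / stealth verdicts described in the post above, as an added example that is not from the post or from the scanner site: the verdict is decided entirely by what comes back for the SYN. It runs offline against the loopback address (::1 where the machine has IPv6 loopback, 127.0.0.1 otherwise; the logic is the same for both families), with a throwaway listening socket standing in for Remote Desktop on 3389 and a just-released port standing in for a closed one. The 2001:db8::1 probe in the demo uses the documentation prefix so that it gets no reply or no route at all.

```python
import socket
from contextlib import closing

# Verdicts mirror what an external scanner reports: "open" (SYN/ACK came back),
# "closed" (RST came back, the scanner's "RFSD"), "filtered" (nothing came back
# before the timeout, the scanner's "stealth"). "unreachable" is added here for
# a probe that never left, e.g. no IPv6 route on the probing machine.


def family_for(host):
    return socket.AF_INET6 if ":" in host else socket.AF_INET


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port from the probing side."""
    with closing(socket.socket(family_for(host), socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "unreachable"
        return "open"


def loopback():
    """::1 when the host has IPv6 loopback, else 127.0.0.1 (same verdict logic)."""
    try:
        with closing(socket.socket(socket.AF_INET6, socket.SOCK_STREAM)) as s:
            s.bind(("::1", 0))
        return "::1"
    except OSError:
        return "127.0.0.1"


def demo(host):
    """Probe one listening and one closed port on `host`; return both verdicts."""
    fam = family_for(host)
    # Stand-in for the Remote Desktop listener (3389 in the thread); the kernel
    # picks a free port so the example does not collide with anything real.
    with closing(socket.socket(fam, socket.SOCK_STREAM)) as srv:
        srv.bind((host, 0))
        srv.listen(1)
        listening = probe_tcp(host, srv.getsockname()[1])
    # Bind-and-release yields a port with nothing behind it: reachable, but RST.
    with closing(socket.socket(fam, socket.SOCK_STREAM)) as tmp:
        tmp.bind((host, 0))
        free_port = tmp.getsockname()[1]
    unbound = probe_tcp(host, free_port)
    return {"listening": listening, "unbound": unbound}


if __name__ == "__main__":
    host = loopback()
    print(f"loopback {host}:", demo(host))
    # Documentation prefix, never routed: expect "filtered" or "unreachable",
    # never "closed"; a firewall that drops the SYN looks exactly like this.
    print("2001:db8::1 port 3389:", probe_tcp("2001:db8::1", 3389, timeout=1.0))
```

The distinction that matters for the thread is between "closed" and "filtered": a closed port proves the packet reached the host and the host answered, so the path through the router is open; a filtered one proves nothing about where along the path the SYN was dropped, which is why disabling each firewall in turn was the right way to locate the block.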
 
Note that the 3389 port has been marked "open" on the router's IPv6 firewall the whole time I've been doing all this testing *smile*.
That's because the Remote Desktop service is running.
My port 43962 is opened by uTorrent, and if I close uTorrent the port shows as closed even if I create a rule in the IPv6 firewall.


 
I did the same tests on a Windows 7 Home Premium system with no remote desktop server, same results, port 3389 could not be opened.

On the other hand, the script that sets the "gc_*" threshold files does apparently stop the "neighbour table overflows" for me. I was getting them regularly, twice a day. Added the script, and no recurrence. Could be a coincidence, but I think not *smile*. So while my ports aren't doing what I'd like them to do, at least it seems that I've killed one problem here:

#!/bin/sh
# Raise the IPv6 neighbour-cache GC thresholds (kernel defaults: 128/512/1024).
# gc_thresh1: no GC below this many entries; gc_thresh2: soft limit, stale
# entries are reclaimed; gc_thresh3: hard limit, new entries are refused and
# the kernel logs "neighbour table overflow".
echo 512 > /proc/sys/net/ipv6/neigh/default/gc_thresh1
echo 1024 > /proc/sys/net/ipv6/neigh/default/gc_thresh2
echo 2048 > /proc/sys/net/ipv6/neigh/default/gc_thresh3
# Marker file: confirms the script actually ran at boot.
touch /tmp/init-start.ran

Just waiting to see if these are large enough numbers of table entries, but no recurrence for several days now is promising.
 