Newbie IPv6 questions

Nerre

Senior Member
I haven't looked into IPv6 before since my old router couldn't handle it, but now when switching to a RT-AC66U with Asuswrt-Merlin I realised that maybe I can turn on IPv6.

But I am wondering how the router will handle IPv6 if I just "turn it on". (I'm not yet sure what type of IPv6 access I can get, I don't think native works but 6to4 or rd might work.)

First of all, will all my LAN devices capable of IPv6 suddenly become externally accessible? Or will there be default ip6table rules working as a firewall, so I will have to do port forwarding for any servers on the LAN?

When everything is behind NAT that gives an extra level of security, but if that level is removed when using IPv6 the requirements for keeping things shut will increase...

Will I have to set up IPv6 addresses separately in dnsmasq? (I have some static DHCP leases set up, I guess those won't work for IPv6 since they are based on MAC and IPv6 DHCP doesn't seem to support MAC? But will dynamic DHCP addresses work?)
 
I haven't looked into IPv6 before since my old router couldn't handle it, but now when switching to a RT-AC66U with Asuswrt-Merlin I realised that maybe I can turn on IPv6.

But I am wondering how the router will handle IPv6 if I just "turn it on". (I'm not yet sure what type of IPv6 access I can get, I don't think native works but 6to4 or rd might work.)

Depends what your provider offers. If they don't offer any IPv6 type of connectivity, you will have to get a 6in4 tunnel with a broker such as Hurricane Electric.

First of all, will all my LAN devices capable of IPv6 suddenly become externally accessible? Or will there be default ip6table rules working as a firewall, so I will have to do port forwarding for any servers on the LAN?

If you get a block such as a /64, every device will get both a public and a random IPv6. By default they will be accessible from the outside; you will have to manually configure ip6tables.

When everything is behind NAT that gives an extra level of security, but if that level is removed when using IPv6 the requirements for keeping things shut will increase...

There's no NAT under IPv6, only straight routing, so yes, the firewall setting is your responsibility then.

Will I have to set up IPv6 addresses separately in dnsmasq? (I have some static DHCP leases set up, I guess those won't work for IPv6 since they are based on MAC and IPv6 DHCP doesn't seem to support MAC? But will dynamic DHCP addresses work?)

IPv6 IP allocation of LAN devices is done by radvd, not by DHCP.

I recommend doing some IPv6 reading before jumping into it, as it can be quite different from standard IPv4. Hurricane Electric have quite a few primers as a starting point.
 
If you get a block such as a /64, every device will get both a public and a random IPv6. By default they will be accessible from the outside; you will have to manually configure ip6tables.

Ok, I think that is a bit "bad", because then people who just turn on IPv6 will open up their lan completely? One would think that router manufacturers like Asus would follow what I understand (from reading about IPv6 security issues) is supposed to be common practice: Don't let anything in unless initiated from the inside or explicitly forwarded.

The router does a lot of "magic" with the IPv4 iptables filters without me explicitly telling it to, so why not also for IPv6? Isn't the router supposed to be a consumer product?

IPv6 IP allocation of LAN devices is done by radvd, not by DHCP.

But isn't that still handled by dnsmasq? Because dnsmasq has a lot of stuff that can take IPv6 addresses.
 
Ok, I think that is a bit "bad", because then people who just turn on IPv6 will open up their lan completely? One would think that router manufacturers like Asus would follow what I understand (from reading about IPv6 security issues) is supposed to be common practice: Don't let anything in unless initiated from the inside or explicitly forwarded.

The router does a lot of "magic" with the IPv4 iptables filters without me explicitly telling it to, so why not also for IPv6? Isn't the router supposed to be a consumer product?

Quite frankly, none of the current consumer products are really ready for widespread IPv6. I don't think any of them expose a firewall configuration interface yet through the webui (or maybe some of the very latest products). Asus's IPv6 support has been actively developed over the past few months.

To be honest, I haven't taken a close look at the recent Asus changes since I run my own custom firewall script for IPv6. It's possible they might have put a default ruleset that drops forwarded packets, I just haven't really checked.

But isn't that still handled by dnsmasq? Because dnsmasq has a lot of stuff that can take IPv6 addresses.

On the LAN side it's all handled by radvd. That's the proper way to handle IP allocation under IPv6, through router advertising (that's what RA stands for). DHCPv6 exists, but it's labeled as not recommended by RFCs.

Also note that until recently Asus used a fairly old version of dnsmasq.
 
Ok, that kind of sucks... I was happy that with the new router I didn't have to spend time setting up firewall rules for IPv4, I don't even have to set up port forwarding because it has UPnP (my old router didn't support UPnP). But this means that to be able to start using IPv6 I'll have to spend hours and hours learning new stuff :(

I'm beginning to understand why IPv6 deployment is so slow... yet everybody is saying that one of the advantages of IPv6 is that it makes things easier for users...?
 
Ok, that kind of sucks... I was happy that with the new router I didn't have to spend time setting up firewall rules for IPv4, I don't even have to set up port forwarding because it has UPnP (my old router didn't support UPnP). But this means that to be able to start using IPv6 I'll have to spend hours and hours learning new stuff :(

Same can be said about IPv4. You had to learn what an IP was, what numbers were or weren't allowed as LAN IP addresses, what port forwarding was, why you can't put a router-modem combo in front of a router and expect everything to just work, etc...

IPv6 isn't that complicated. It's just another learning process that you already had to go through with IPv4.
 
Yes, I know I had to learn it for IPv4, but that was years ago. The old router has just been running and running. And it also had a GUI, so I didn't have to mess with iptables syntax. And it also already had default rules for NAT, so I just had to set up forwarding for the few ports I needed to have forwarded.

Looking at ip6tables it seems as if there's a lot more to mess with because you cannot block ICMP. I tried googling and found several different suggestions for "default rules" blocking inbound traffic, so I will still have to spend a few hours comparing the differences, and then I have to find out how to get those rules applied to the router when it boots...


At least I know I have to do it, I'm thinking of all regular consumers who just turn on IPv6 and open up their LAN without realizing it.
 
No need to go that far - I have a basic firewall script for IPv6 on my website.

Keep in mind it's not THAT bad having the whole block routed by default. There are so many different IPs within a /64 that one would have to be VERY patient to track down a device's IP.
 
I ran across an IPv6 port scanner test site the other day (http://ipv6.chappell-family.com/ipv6tcptest/) that tells you how your router responds when probed at various ports.

I found that for the default IPv6 configuration on this router, all the results are "Stealth" (No response was received from your machine in the allocated time period. This is the ideal response since no-one can ascertain your machines' presence at this IPv6 address/port combination), which seems to me to be what I'd want. A little reassuring, anyways *smile*.
 
My biggest concern really is my 13 yo son who plays a lot of multiplayer games. His computer is where I would expect the highest threat if he installs some "cool addon" that opens up a backdoor. He is a bit frustrated by always having to call for me when something is going to be updated, so I am thinking of giving him the admin password for his computer (I can't understand why most modern games still need to be run as an administrator...)

On the other hand he runs Hamachi from time to time and that opens up quite a lot too, but at least it can be turned off when not used. That's not the case for IPv6.

I'll have a look at what the default rules are Saturday morning (I wake up before the rest of the family; I can't mess with the router when they are awake because they would scream at me each time I restart it and they lose internet access for a few seconds :).
 
I ran across an IPv6 port scanner test site the other day (http://ipv6.chappell-family.com/ipv6tcptest/) that tells you how your router responds when probed at various ports.

I found that for the default IPv6 configuration on this router, all the results are "Stealth" (No response was received from your machine in the allocated time period. This is the ideal response since no-one can ascertain your machines' presence at this IPv6 address/port combination), which seems to me to be what I'd want. A little reassuring, anyways *smile*.

Try scanning ports of one of your devices. IPv6 usually involves a whole routed block, not just a single IP. So if you have a Windows computer with Remote Desktop enabled, try scanning that computer's IPv6.
 
I think that if the scan is run from a computer behind the router it will scan the IP of the computer and not the router. Because the scanner will see the IP of the computer, not the one of the router.
 
Ok, I ran some quick tests.

There seem to be some default ip6tables rules applied (more than a screenful).

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT ipv6-nonxt anywhere anywhere length 40
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp parameter-problem
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-reply
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 130
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 131
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 132
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-solicitation
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-advertisement
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-advertisement
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 141
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 142
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 143
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 148
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 149
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 151
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 152
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp type 153
DROP all anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere rt type:0
DROP all anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT ipv6-nonxt anywhere anywhere length 40
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp destination-unreachable
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp packet-too-big
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp time-exceeded
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp parameter-problem
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-reply

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere rt type:0

Chain PControls (0 references)
target prot opt source destination

Chain logaccept (0 references)
target prot opt source destination
LOG all anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
LOG all anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP'
DROP all anywhere anywhere


The bad thing is that the good rules seem to be only for INPUT, not for FORWARD.

I tried the Chappell port scanner. From my Windows laptop I got Stealth on all scanned ports, however when scanning from my MythTV backend (a machine where I know I have services running) I got "Open" on ports like 22, 80 and even 139 (which I think is one of the Windows networking ports?) and a few more. And I got "yellow" on all the other ports (I think yellow is "connection refused").

So, if I turn on IPv6 now I will open up my MythWeb web interface, MySQL server and most likely also my samba shares on that machine to the world. Not very good... Ok, I know the probability of someone finding out my IPv6 address is low, but I would say it's negligible if the machine makes connections to the outside (no need to scan for an address if you have it in your logs or can see it from netstat).

I guess what "saved" my Windows machine was the Windows firewall and not the router.

So I guess my next step will be to have a look at how to modify the default ruleset.
 
Your script looks a lot shorter than the default rules? But maybe they are just an addition to it?

And then comes the important part: From your site it says I have to apply those rules manually?? So if the router reboots it's suddenly all open again? (In my case maybe I can just put it in wan-start...?)
 
Your script looks a lot shorter than the default rules? But maybe they are just an addition to it?

And then comes the important part: From your site it says I have to apply those rules manually?? So if the router reboots it's suddenly all open again? (In my case maybe I can just put it in wan-start...?)

That howto was written long before I implemented the custom user scripts. So just put them into firewall-start.

My script doesn't replace the existing rules, it merely adds to them.
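As an added example (not RMerlin's script and not firmware code), here is what a firewall-start script that closes the FORWARD gap noted above could look like: it leaves the firmware's own rules alone and only inserts a chain in front of them for packets arriving on the WAN side. WAN6_IF (read from nvram wan0_ifname, falling back to eth0) and the 2001:db8 host address are assumptions; with a 6in4 broker the tunnel interface would be the right WAN6_IF.

```shell
#!/bin/sh
# Added example, not RMerlin's firewall script: a FORWARD-chain filter for
# inbound IPv6, meant to live in /jffs/scripts/firewall-start on Asuswrt-Merlin.
# Assumed: WAN6_IF is the interface the IPv6 prefix arrives on (physical WAN,
# or the 6in4 tunnel interface if a broker is used) and may need adjusting;
# IP6T can be set to "echo" for a dry run that prints rules instead of loading them.
WAN6_IF="${WAN6_IF:-$(nvram get wan0_ifname 2>/dev/null || echo eth0)}"
IP6T="${IP6T:-ip6tables}"

# Build a dedicated chain so re-running the script is idempotent and the
# firmware's own rules are left untouched (this only adds to them).
build_inbound_chain() {
    $IP6T -N inet6_in 2>/dev/null || $IP6T -F inet6_in
    # Keep the firmware's type-0 routing-header drop in front of every accept.
    $IP6T -A inet6_in -m rt --rt-type 0 -j DROP
    # Return traffic for connections started from the LAN.
    $IP6T -A inet6_in -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ICMPv6 that IPv6 cannot work without (PMTU discovery, error reports, ping).
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem echo-request; do
        $IP6T -A inet6_in -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done
}

# allow_tcp <LAN host IPv6> <port>: the IPv6 equivalent of a port forward.
allow_tcp() {
    $IP6T -A inet6_in -p tcp -d "$1" --dport "$2" -j ACCEPT
}

# Log (rate-limited) and drop everything else, then hook the chain in front of
# the firmware's FORWARD rules for packets arriving on the WAN side.
activate_inbound_chain() {
    $IP6T -A inet6_in -m limit --limit 5/min -j LOG --log-prefix "IPv6 DROP "
    $IP6T -A inet6_in -j DROP
    $IP6T -D FORWARD -i "$WAN6_IF" -j inet6_in 2>/dev/null
    $IP6T -I FORWARD 1 -i "$WAN6_IF" -j inet6_in
}

# The body only runs when installed under the firewall-start name, so the
# functions can also be sourced or dry-run from a shell.
case "$0" in
    *firewall-start)
        build_inbound_chain
        allow_tcp "2001:db8:1::10" 22   # constructed address: one SSH host
        activate_inbound_chain
        ;;
esac
```

Running it with IP6T=echo prints the rules in order, which is an easy way to review them before loading; `ip6tables -L FORWARD -n -v` afterwards should show the inet6_in jump as the first rule.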
 
Try scanning ports of one of your devices. IPv6 usually involves a whole routed block, not just a single IP. So if you have a Windows computer with Remote Desktop enabled, try scanning that computer's IPv6.

Don't have any Windows computers that are "remote desktop capable", all 3 are "Home Premium" editions.
 