Doubts about R7800 Firmware / IPv6 Support

Here is on NG stock firmware

Apparently Stock and Voxel's firmware are using the same rules.
Feel free to try the same procedure if you want to help. In your case, deleting forward rule 1 and 2, as well as FORWARD rules 4 (and maybe rule 1 as well, see below) should do the trick.
 
Second try:

Code:
root@R7800:/$ ip6tables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp      anywhere             anywhere            tcp dpt:www
2    DROP       tcp      anywhere             anywhere            tcp dpt:domain
3    DROP       tcp      anywhere             anywhere            tcp dpt:https
4    DROP       tcp      anywhere             anywhere            tcp dpt:afpovertcp
5    DROP       tcp      anywhere             anywhere            tcp dpt:zebra
6    IPv6-CONE  all      anywhere             anywhere            [8 bytes of unknown target data]

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all     !xxxx:xxxx:xxxx::/64  anywhere
2    DROP       tcp      localhost/128        ::2/128             tcp spt:1111 dpt:2222 flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN
3    ACCEPT     udp      ::3/128              ::4/128             udp spt:3333
4    ACCEPT     ipv6-icmp    ::5/128              ::6/128             ipv6-icmp echo-reply
5    DROP       all      ::7/128              anywhere
6    IPv6-CONE  all      anywhere             anywhere            [8 bytes of unknown target data]

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
root@R7800:/$

I'm running Windows 10 64-bit.
Have tried 4 different internet browsers with different results.
The 3 fields Type, ICMP and Hostname are all colored yellow:
  • Microsoft Edge 42.17134.1.0 / Internet Explorer v11.590.17134.0:
    Code:
    http://ipv6-test.com/? : 15/20
    IPv6 connectivity:
    Type    6to4
    ICMP    Filtered
    Hostname    None
    
    Browser:
    Default    IPv4
    Fallback to IPv6 in < 1 second

  • Google Chrome Version 72.0.3626.119 (Official Build) (32-bit)
    Code:
    http://ipv6-test.com/? : 14/20
    IPv6 connectivity:
    Type    6to4
    ICMP    Filtered
    Hostname    None
    
    Browser:
    Default    IPv4
    Fallback    to IPv6 in 15 seconds

  • Firefox 65.0.1 64-bit
    Code:
    http://ipv6-test.com/? : 12/20
    IPv6 connectivity:
    Type    6to4
    ICMP     Filtered
    Hostname    None
    
    Browser:
    Default    IPv4
    Fallback    No

Thanks @kamoj. Darn it... Close but no cookie :).

Maybe the line that drops all traffic not in the !xxxx:xxxx:xxxx::/64 network is getting in the way.

Finally, if nothing else works, there is always the shotgun approach:

Code:
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X

This will purge all firewall rules and allow anything in. (Warning to people coming from search engines: This is unsafe, effectively the same as turning your firewall off).

Kind regards,
 
By default, the Win 10 firewall blocks ICMP, so you need to create a custom rule for ICMP echo or disable the firewall during testing.

Edit: There are also some rules for icmp in the firewall advanced setting > Inbound rules > file and printer sharing

They are all disabled by default.

 
Ah, good catch. Totally forgot about it (I use Linux and there was a hole punched in for ICMPv6 by default).

Here's the step by step details on creating a custom rule for Windows 10: https://noobient.com/2018/08/02/passing-icmpv6-on-windows-defender-firewall/

Let me know if you guys have any luck with IPv6 tests.

Cheers,
 
I tried it all, especially the shotgun approach!
I setup the Windows 10 firewall for both Inbound and
Unfortunately I did not get a higher score than 15/20 anyhow.

Some strange things:
1.
root@R7800:/$ ip6tables -t nat -F
ip6tables v1.4.10: can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.


2.
root@R7800:/$ ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
IPv6-CONE all anywhere anywhere [8 bytes of unknown target data]

Chain FORWARD (policy ACCEPT)
target prot opt source destination
IPv6-CONE all anywhere anywhere [8 bytes of unknown target data]

root@R7800:/$
root@R7800:/$ ip6tables -S
Can't find library for target `IPv6-CONE'
-A INPUT -i sit1 -j IPv6-CONE

The IPv6 connection type can be set to different types:
Code:
"Advanced, Advanced Setup, IPv6": "Internet Connection Type":
Auto Detect =>
Microsoft Edge: http://ipv6-test.com/?     Result: 14/20
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X
Microsoft Edge: http://ipv6-test.com/?     Result: 15/20


"Advanced, Advanced Setup, IPv6": "Internet Connection Type":
Auto Config =>
Microsoft Edge: http://ipv6-test.com/?     Result: 4/20
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X
Microsoft Edge: http://ipv6-test.com/?     Result: 4/20

"Advanced, Advanced Setup, IPv6": "Internet Connection Type":
6to4 Tunnel =>
Microsoft Edge: http://ipv6-test.com/?     Result: 14/20
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X
Microsoft Edge: http://ipv6-test.com/?     Result: 15/20

"Advanced, Advanced Setup, IPv6": "Internet Connection Type":
6rd (Not easy: 6rd (IPv6 Rapid Deployment) Configuration)
Pass Through =>
Microsoft Edge: http://ipv6-test.com/?     Result: 4/20
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X
Microsoft Edge: http://ipv6-test.com/?     Result: 4/20

"Advanced, Advanced Setup, IPv6": "Internet Connection Type":
Fixed => (Not easy: Configuration)

"Advanced, Advanced Setup, IPv6": "Internet Connection Type":
DHCP =>
Microsoft Edge: http://ipv6-test.com/?     Result: 4/20
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X
Microsoft Edge: http://ipv6-test.com/?     Result: 4/20
PPPoE => (Not tested)

The net-wall source code is not public.

Other things to investigate are:
network port/switch settings (ethtool a.o.)

Router settings:
WAN setup:
NAT Filtering Secured Open
Disable SIP ALG

LAN setup:
RIP Version

Security:
Services Blocking: -> Never?!

https://docs.microsoft.com/en-us/pr...ows-server-2008-R2-and-2008/cc749323(v=ws.10)
PS
I've updated directly with "ip6tables" commands,
and I have not seen them being changed (as Voxel has seen with ipv4 iptables).

 
Oh bummer! Thanks @kamoj, your efforts are much, much appreciated.
The NAT error is probably alright. My guess is that NG is not including standard support for NAT rules over IPv6. I don't know what IPv6 CONE is, but if I have to guess I would say that it is probably some custom kernel module implementing NAT support the way that they want it to be (not that NAT is widely used with IPv6 anyway).
Given that you are accepting all incoming connections, ICMP requests should have worked.
I somewhat doubt that Windows is the culprit here. You seem to have set up everything fine. If you want to be 100% sure you can always ping6 your PC from inside your LAN.

Although IPv6 firewall rules are not "resurrecting" themselves as IPv4 ones, you are right, ICMPv6 is still getting blocked somehow.

My next attempt would probably be to enable logs for ICMP (e.g., ip6tables -A INPUT -p icmpv6 -j LOG) and investigate with tcpdump (e.g., tcpdump -n -i [name of the interface] icmp6).

However, at this stage I'm already convinced that ICMPv6 has been locked pretty tight by NG. I don't want to make you waste your time any further in what's now a troubleshooting exercise.

Anyway, thank you for all of the info and sorry for the hassle.
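
A narrower alternative to the purge-everything commands earlier in the thread, combined with the ICMPv6 LOG rule suggested in the post above. This is an added example, not part of any poster's message or of the Netgear or Voxel firmware. It assumes `sit1` (the interface in the `ip6tables -S` output above) is the WAN-side tunnel and that the `limit` match is available on the router; `run` and `icmp6_rules` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread: allow only selected ICMPv6 types from
# the WAN side instead of flushing every chain. Prints the commands unless
# APPLY=1 is set, so the rule set can be reviewed first.

# Error types needed for path MTU discovery and error reporting, plus echo.
FWD_TYPES="destination-unreachable packet-too-big time-exceeded
parameter-problem echo-request echo-reply"

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# icmp6_rules WAN_IF [RATE]  (hypothetical helper name)
icmp6_rules() {
    wan_if="$1"                 # assumption: sit1 for the 6to4 tunnel
    rate="${2:-10/second}"      # assumption: ping rate limit
    [ -n "$wan_if" ] || { echo "usage: icmp6_rules WAN_IF [RATE]" >&2; return 2; }
    pos=1
    for t in $FWD_TYPES; do
        if [ "$t" = "echo-request" ]; then
            # Rate-limited; excess pings fall through to the later rules.
            run ip6tables -I FORWARD "$pos" -i "$wan_if" -p icmpv6 \
                --icmpv6-type "$t" -m limit --limit "$rate" -j ACCEPT
        else
            run ip6tables -I FORWARD "$pos" -i "$wan_if" -p icmpv6 \
                --icmpv6-type "$t" -j ACCEPT
        fi
        pos=$((pos + 1))
    done
    # Log ICMPv6 that reaches the end of INPUT, to compare with tcpdump.
    run ip6tables -A INPUT -i "$wan_if" -p icmpv6 -j LOG --log-prefix "icmp6-in: "
}

icmp6_rules "${1:-sit1}"
```

The rules are inserted at positions 1 to 6 so they are evaluated before the existing FORWARD DROP entries shown in the listing earlier in the thread; policies and all other rules are left untouched.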
 
I did not mess with any of the ip6tables but was able to be reachable for ICMPv6.




I did not create any rule in Windows firewall either.

All I did was enabled respond to ping on the WAN page of the router.


 
Wow! With an R7800? What firmware and where can I find the Respond to Ping on Internet Port option?

Stock and Voxel: routerlogin/debug.htm. Be advised that the setting won't stick; it works for a while, then reverts back to blocking even though it's still checked in the UI.
 
Interesting. Well, I think that this pretty much clears up the current state of things. Is there a bug open for it somewhere?
Do you know if there is some kind of UI for custom IPv6 firewall rules as well (e.g., accept TCP traffic for IP 201b:xxxx:xxxxx on port 80)?

@kamoj, I'm very sorry for sending you on a wild-goose chase. I wasn't aware about the UI option.
 
Yes sorry that is correct. Like I said though unfortunately the setting does not remain intact. After some time it reverts back to blocking pings once again. I have no idea why. Maybe Voxel could modify the way this functions.
 
I complained to NG about this many months back, about this issue. They never followed up about that setting not sticking. I even showed them images from IPv6 test site etc. It’s sad that this issue is there even in newer firmwares.

I even told them the setting belongs in the IPv6 settings section and not debug.
 
I hope that Voxel can fix this issue then? NG makes some great hardware and terrible software and support choices. :(
 
Can the setting be done from the command line? If so, I wonder if adding it to a firewall-start.sh script in the /root directory would ensure it always gets set?
 
My understanding is that to set it is not the issue. The issue is even when set it stops working after an indeterminate time frame.
 
There is also the "avtella" setting in the debug.htm: Allow external IPv6 hosts ping internal IPv6 hosts

I have tried this but still only get 15/20 points on the test.

If I can get the 20/20 I'll try to make a fix for it to not stop working.
But for me, the 2 Ping settings do not change the result.

Can anyone confirm you get 20/20, and what settings do you use?
E.g: "Advanced, Advanced Setup, IPv6": "Internet Connection Type": ???
 
Yeah, that IPv6 setting on the debug page is hit or miss; even when it works, it works only sometimes, and oddly at times some devices get a low score while others don’t when the setting is finicky. I’ve honestly stopped trying to push for a fix; they responded once by phone and asked me to send settings and images of clients where sometimes some would suddenly start getting like 15/20 while others would get 20/20.

Kamoj try a few restarts, it may get the setting to stick at least that’s what I had to do.

Sorry KevTech I should have clarified I was talking about the setting in debug.htm that Kamoj mentioned above. I did enable respond to ping as well but the other setting was what fixed the issue for me when it sometimes decided to work.
 
When I tick the box in the debug page to allow IPv6 pings, I get a 19/20 pass until it reverts back. It would be a 20/20 pass, but my ISP does not send a hostname, which I understand is normal and not impacting. With the box not ticked, or when it reverts back, I only get a 17/20 pass.
 
