IPv6 not working. Comcast blames the router.

Basically, all IPv6 traffic gets routed to your LAN, with no firewalling. See this ticket for a discussion on the matter.

Sorry if my lack of knowledge is causing me to ask a silly question, but are you (and the github post) saying that when you enable IPv6 you do so without any firewall protection for the v6 traffic? My LAN was wide open to v6?
 
Can you tell us more about the open port security issue? What's the problem and how did you fix it? Thanks!

(1) I read about known issues with IPv6 and the router firewall rules so I ran a port scan on this site: http://www.scanipv6.com/index.php

nmap -v -6 ***MY PUBLIC IPv6 ADDRESS***

Nmap Results:
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-05-16 04:45 JST
Failed to resolve given IPv6 hostname/IP: Enter. Note that you can't use '/mask' or '[1-4,7,100-]' style ranges for IPv6. Error code -2: Name or service not known
Failed to resolve given IPv6 hostname/IP: Host. Note that you can't use '/mask' or '[1-4,7,100-]' style ranges for IPv6. Error code -2: Name or service not known
Failed to resolve given IPv6 hostname/IP: or. Note that you can't use '/mask' or '[1-4,7,100-]' style ranges for IPv6. Error code -2: Name or service not known
Failed to resolve given IPv6 hostname/IP: IP. Note that you can't use '/mask' or '[1-4,7,100-]' style ranges for IPv6. Error code -2: Name or service not known
Machine ***MY PUBLIC IPv6 ADDRESS*** MIGHT actually be listening on probe port 80
DNS resolution of 1 IPs took 0.26s.
Initiating Connect() Scan against ***MY PUBLIC IPv6 ADDRESS*** [1680 ports] at 04:45
Discovered open port 80/tcp on ***MY PUBLIC IPv6 ADDRESS***
Discovered open port 22/tcp on ***MY PUBLIC IPv6 ADDRESS***
Discovered open port 515/tcp on ***MY PUBLIC IPv6 ADDRESS***
Discovered open port 5432/tcp on ***MY PUBLIC IPv6 ADDRESS***
Discovered open port 5000/tcp on ***MY PUBLIC IPv6 ADDRESS***
Discovered open port 548/tcp on ***MY PUBLIC IPv6 ADDRESS***
Discovered open port 5001/tcp on ***MY PUBLIC IPv6 ADDRESS***
Discovered open port 161/tcp on ***MY PUBLIC IPv6 ADDRESS***
Discovered open port 631/tcp on ***MY PUBLIC IPv6 ADDRESS***
Discovered open port 111/tcp on ***MY PUBLIC IPv6 ADDRESS***
Discovered open port 873/tcp on ***MY PUBLIC IPv6 ADDRESS***
The Connect() Scan took 14.76s to scan 1680 total ports.
Host ***MY PUBLIC IPv6 ADDRESS*** appears to be up ... good.
Interesting ports on ***MY PUBLIC IPv6 ADDRESS***:
Not shown: 1664 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
161/tcp open snmp
445/tcp filtered microsoft-ds
515/tcp open printer
548/tcp open afpovertcp
631/tcp open ipp
873/tcp open rsync
5000/tcp open UPnP
5001/tcp open commplex-link
5432/tcp open postgres

Nmap finished: 1 IP address (1 host up) scanned in 15.867 seconds

(2) So then I created a firewall-start script that looks like this (copied from one of Merlin's scripts):

#!/bin/sh
# IPv6 firewall for an Asus router with the WAN on eth0 and the LAN bridge on br0
# (the poster swapped Merlin's v6in4 tunnel interface for eth0).
# Router itself: accept replies to its own connections and ICMPv6 (needed for
# neighbour discovery and router advertisements), drop any other inbound packet.
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -j DROP
# Forwarded traffic: replies to LAN-initiated flows go first, LAN -> WAN is
# allowed, unsolicited WAN -> LAN is dropped, and a final catch-all drops the rest.
ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i eth0 -o br0 -j DROP
ip6tables -A FORWARD -i br0 -o eth0 -j ACCEPT
ip6tables -A FORWARD -j DROP


(3) Running the scan again yielded these results:

nmap -v -6 -P0 ***MY PUBLIC IPv6 ADDRESS***

Nmap Results:
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-05-17 09:40 JST
DNS resolution of 1 IPs took 0.27s.
Initiating Connect() Scan against ***MY PUBLIC IPv6 ADDRESS*** [1680 ports] at 09:40
Connect() Scan Timing: About 8.63% done; ETC: 09:46 (0:05:17 remaining)
The Connect() Scan took 347.11s to scan 1680 total ports.
Host ***MY PUBLIC IPv6 ADDRESS*** appears to be up ... good.
All 1680 scanned ports on ***MY PUBLIC IPv6 ADDRESS*** are filtered

Nmap finished: 1 IP address (1 host up) scanned in 347.387 second

This scan took longer because I used the P0 switch.

(4) Everything seems to be working good. I have not had a single log entry in 2 days. Previously I would see frequent activity in my logs.
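The before/after comparison in steps (1) and (3) can be automated. The script below is an added example, not code from the thread: it reads two saved nmap reports and classifies each one. The point it makes explicit is that a host showing "closed" ports has still answered every probe (nothing in front of it is dropping packets); only an all-"filtered" result means the block rule is doing its job. The two reports are constructed samples shaped like the thread's Nmap 4.11 output, and the address 2001:db8::10 is made up.

```shell
#!/bin/sh
# Added example, not from the thread: compare two saved "nmap -6" reports, one
# taken before and one after loading ip6tables rules, and say whether the host
# is still reachable over IPv6. The two reports below are constructed samples
# shaped like the thread's Nmap 4.11 output (address 2001:db8::10 is made up).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/before.txt" <<'EOF'
Interesting ports on 2001:db8::10:
Not shown: 1676 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
135/tcp filtered msrpc
5432/tcp open postgres
EOF
cat > "$SAMPLE_DIR/after.txt" <<'EOF'
Host 2001:db8::10 appears to be up ... good.
All 1680 scanned ports on 2001:db8::10 are filtered
EOF

# Port numbers reported "open" in a report, one per line, ascending.
open_ports() {
    awk '$2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ { split($1, p, "/"); print p[1] }' "$1" \
        | sort -n
}

# "exposed": the host answered at least one probe (open or closed ports), so
# nothing in front of it is dropping packets; "closed" is not "protected".
# "filtered": every probe was dropped, which is what a working block rule gives.
verdict() {
    if grep -qE '^[0-9]+/(tcp|udp)[[:space:]]+(open|closed)([[:space:]]|$)' "$1" \
       || grep -qE '^Not shown: [0-9]+ closed ports' "$1"; then
        echo exposed
    elif grep -qE 'are filtered$|^[0-9]+/(tcp|udp)[[:space:]]+filtered' "$1"; then
        echo filtered
    else
        echo unknown
    fi
}

# One-line summary of both reports; returns 1 while any port is still open.
compare_scans() {
    before=$(open_ports "$1" | tr '\n' ' ')
    after=$(open_ports "$2" | tr '\n' ' ')
    echo "before: $(verdict "$1") open=[${before% }]  after: $(verdict "$2") open=[${after% }]"
    [ -z "$after" ]
}

compare_scans "$SAMPLE_DIR/before.txt" "$SAMPLE_DIR/after.txt"
```

Run it against your own reports by replacing the two sample files with the output of the scans from steps (1) and (3); a non-zero exit means at least one port is still reachable over IPv6.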
 
> Sorry if my lack of knowledge is causing me to ask a silly question, but are you (and the github post) saying that when you enable IPv6 you do so without any firewall protection for the v6 traffic? My LAN was wide open to v6?

That's correct. All IPv6 traffic gets forwarded to your LAN devices. Main reason is Asus didn't implement any webui to configure it. If they were to block all traffic by default, then it would be impossible for someone to host any IPv6-reachable service on their LAN.

IPv6 support in the vast majority of home routers is very basic at this point. Support for IPv6 is progressing at a snail's pace, both from device manufacturers and ISPs.
 
Interesting. I have no ip6tables rules other than what comes with the router (firmware version 270.26b), and ran this same scan with the same parameters. These are my results:

Nmap Results:
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-05-18 03:46 JST
DNS resolution of 1 IPs took 0.00s.
Initiating Connect() Scan against my public ipv6 addr [1680 ports] at 03:46
Connect() Scan Timing: About 8.63% done; ETC: 03:52 (0:05:18 remaining)
The Connect() Scan took 347.11s to scan 1680 total ports.
Host my public ipv6 addr appears to be up ... good.
All 1680 scanned ports on my public ipv6 addr are filtered

Nmap finished: 1 IP address (1 host up) scanned in 347.125 seconds
 
> Interesting. I have no ip6tables rules other than what comes with the router (firmware version 270.26b), and ran this same scan with the same parameters. These are my results:
>
> Nmap Results:
> Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-05-18 03:46 JST
> DNS resolution of 1 IPs took 0.00s.
> Initiating Connect() Scan against my public ipv6 addr [1680 ports] at 03:46
> Connect() Scan Timing: About 8.63% done; ETC: 03:52 (0:05:18 remaining)
> The Connect() Scan took 347.11s to scan 1680 total ports.
> Host my public ipv6 addr appears to be up ... good.
> All 1680 scanned ports on my public ipv6 addr are filtered
>
> Nmap finished: 1 IP address (1 host up) scanned in 347.125 seconds

I do not know if it matters but I pointed the scan at a machine inside the LAN. It has a different IPv6 address than the router. I think each machine within the LAN has a unique IPv6 address.
 
> I do not know if it matters but I pointed the scan at a machine inside the LAN. It has a different IPv6 address than the router. I think each machine within the LAN has a unique IPv6 address.

That's correct. Remember that IPv6 doesn't work through NAT: You don't have a single IP, with ports being forwarded to devices. Each device gets its own IP. Therefore, to test things out, you need to enter the IPv6 of the device you are testing. And that device (for example, a Windows 7 PC) usually has its own firewall in place that might block inbound connections.

If you really want to test it, enable Remote Desktop on a PC, then do a port scan on the IPv6 IP of that particular computer. If 3389 comes up as open, then you'll get the confirmation there that there is no firewalling done.
 
> That's correct. All IPv6 traffic gets forwarded to your LAN devices. Main reason is Asus didn't implement any webui to configure it. If they were to block all traffic by default, then it would be impossible for someone to host any IPv6-reachable service on their LAN.
>
> IPv6 support in the vast majority of home routers is very basic at this point. Support for IPv6 is progressing at a snail's pace, both from device manufacturers and ISPs.

So let me ask another possibly stupid question...

What do I lose if I just leave IPv6 disabled, at least for the next year or two, until either the firmware support is updated or until I buy the next generation of routers?

While I understand the network side of things, I'm not a Linux coder or scripter, and I certainly don't want to leave my LAN exposed to what is sure to be a growing number of IPv6 exploits.

Am I just being too simplistic?
 
Thanks for all the good info on the IPv6 lack of firewall. As an IPv6 dummy, I appreciate it.

So without any special action on my part, I see 2 open ports as shown below. Do I need to take action?

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-05-18 05:15 JST
DNS resolution of 1 IPs took 0.00s.
Initiating Connect() Scan against MyIPV6Address [1680 ports] at 05:15
Discovered open port 554/tcp on MyIPV6Address
Discovered open port 3389/tcp on MyIPV6Address
The Connect() Scan took 12.21s to scan 1680 total ports.
Host MyIPV6Address appears to be up ... good.
Interesting ports on MyIPV6Address:
Not shown: 1673 closed ports
PORT STATE SERVICE
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
554/tcp open rtsp
3389/tcp open ms-term-serv

Nmap finished: 1 IP address (1 host up) scanned in 12.841 seconds
 
> So let me ask another possibly stupid question...
>
> What do I lose if I just leave IPv6 disabled, at least for the next year or two, until either the firmware support is updated or until I buy the next generation of routers?

Currently, not much. So long as the world is in the migration phase, almost every service will remain accessible through IPv4. Most people using IPv6 these days are mostly doing so to give them a chance to get more experience with the technology. While the inherent technology does have some advantages in its design, it's currently being offset by the other issues still associated with it (such as the low adoption).
 
> Thanks for all the good info on the IPv6 lack of firewall. As an IPv6 dummy, I appreciate it.
>
> So without any special action on my part, I see 2 open ports as shown below. Do I need to take action?

If you don't want these machines to be remotely accessible over IPv6, you could implement a very basic IPv6 firewall by following what I posted on my website last year (note: I haven't reviewed this in the past few months, so I'm not 100% sure it's still accurate with the current FW release).

Note that these rules are specific to a 6in4 tunnel. You will probably need to adjust the rules for native IPv6 support (not 100% sure on what rules should be applied then, I don't have native IPv6 support here to test it).
 
> If you don't want these machines to be remotely accessible over IPv6, you could implement a very basic IPv6 firewall by following what I posted on my website last year (note: I haven't reviewed this in the past few months, so I'm not 100% sure it's still accurate with the current FW release).
>
> Note that these rules are specific to a 6in4 tunnel. You will probably need to adjust the rules for native IPv6 support (not 100% sure on what rules should be applied then, I don't have native IPv6 support here to test it).

For the script I am using all I did was substitute v6in4 with eth0.
 
> I do not know if it matters but I pointed the scan at a machine inside the LAN. It has a different IPv6 address than the router. I think each machine within the LAN has a unique IPv6 address.

The ipv6 address that I used was my desktop computer's, not the router's.

So it goes.
 
> Currently, not much. So long as the world is in the migration phase, almost every service will remain accessible through IPv4. Most people using IPv6 these days are mostly doing so to give them a chance to get more experience with the technology. While the inherent technology does have some advantages in its design, it's currently being offset by the other issues still associated with it (such as the low adoption).

What still isn't clear to me is whether or not this poses a security risk. If I can get v6 running with the .270.26 build (or the stock .270 build), what is the risk to hosts on my LAN? Does Asus plan to fix their v6 implementation?
 
> What still isn't clear to me is whether or not this poses a security risk. If I can get v6 running with the .270.26 build (or the stock .270 build), what is the risk to hosts on my LAN? Does Asus plan to fix their v6 implementation?

They'd better do, because it's not acceptable to disable the firewall along with the (no longer needed) NAT. That's two different sets of functionality for different purposes.

It's certainly a security risk to have all your devices effectively open to the general internet when you think you have a hardware firewall protecting you.

You guys already using IP6 should be logging faults with Asus support about this. Once it hits the tech sites Asus will be getting some pretty poor publicity (and rightly so) for a network security device that silently leaves all the doors open when running under IP6.
 
The basic fix is as simple as adding three iptables rules, so it shouldn't be hard to fix.

Might be best to have a new webui switch however to disable that feature for people who actually want their IPv6 block routed to the LAN. This is the plan I might eventually implement myself once I have time to look into this particular issue.
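One practical caveat for anyone putting the block rules into firewall-start until such a switch exists: on the Merlin firmware that script is re-run whenever the firewall restarts, so plain `ip6tables -A` calls pile up duplicate rules. The script below is an added example, not the thread's or the firmware's code. It adds each rule only when `ip6tables -C` cannot find it, and ships a file-backed stand-in for ip6tables (selected with `IP6T=fake_ip6tables`) so the idempotency logic can be exercised without root. The interface names eth0 and br0 are assumptions carried over from the thread.

```shell
#!/bin/sh
# Added example, not the thread's script: apply the IPv6 block rules idempotently.
# firewall-start is re-run whenever the firewall restarts, so plain "ip6tables -A"
# calls stack duplicate rules; each rule is added only if "-C" (check) does not
# already find it. Assumed names: command ip6tables, WAN eth0, LAN bridge br0.
IP6T=${IP6T:-ip6tables}
WAN=${WAN:-eth0}
LAN=${LAN:-br0}

# Append a rule to CHAIN unless an identical one is already present.
# (-C only tests presence, not position, so keep the rules in the order below.)
ensure_rule() {
    chain=$1
    shift
    "$IP6T" -C "$chain" "$@" 2>/dev/null && return 0
    "$IP6T" -A "$chain" "$@"
}

apply_ipv6_rules() {
    # Router itself: replies to its own connections and ICMPv6 (neighbour
    # discovery, router advertisements, PMTU) are accepted; the rest from the WAN is dropped.
    ensure_rule INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ensure_rule INPUT -p ipv6-icmp -j ACCEPT
    ensure_rule INPUT -i "$WAN" -j DROP
    # Forwarded traffic: LAN-initiated flows and their replies pass,
    # unsolicited WAN -> LAN is dropped.
    ensure_rule FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ensure_rule FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    ensure_rule FORWARD -i "$WAN" -o "$LAN" -j DROP
}

# Stand-in for ip6tables (select with IP6T=fake_ip6tables) that records rules
# in a file, so the idempotency logic can be exercised without root.
FAKE_RULES=${FAKE_RULES:-/tmp/fake_ip6tables_rules.$$}
fake_ip6tables() {
    op=$1
    shift
    case $op in
        -C) grep -qxF "$*" "$FAKE_RULES" 2>/dev/null ;;
        -A) printf '%s\n' "$*" >> "$FAKE_RULES" ;;
        *)  echo "fake_ip6tables: unsupported option $op" >&2; return 2 ;;
    esac
}
rule_count() {
    if [ -f "$FAKE_RULES" ]; then wc -l < "$FAKE_RULES" | tr -d ' '; else echo 0; fi
}

# Run as "./ipv6-firewall.sh apply" (real ip6tables) or
# "IP6T=fake_ip6tables ./ipv6-firewall.sh apply" for a dry run.
if [ "${1:-}" = apply ]; then
    apply_ipv6_rules
fi
```

Running `apply_ipv6_rules` twice against the stand-in leaves six rules, not twelve; the same holds for the real ip6tables, which is the property you want from a script that the firmware may invoke several times between reboots.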
 
> It's certainly a security risk to have all your devices effectively open to the general internet when you think you have a hardware firewall protecting you.
>
> You guys already using IP6 should be logging faults with Asus support about this. Once it hits the tech sites Asus will be getting some pretty poor publicity (and rightly so) for a network security device that silently leaves all the doors open when running under IP6.

Agree with you here, ipv6 should never have been implemented on AsusWRT without a fully functional firewall and a GUI to configure it. As feature rich as the firmware is I find it hard to believe it was ignored. I know it's still in development but even my older Linksys had a nice ipv6 firewall. Would be a nice project for Merlin :)
 
Fully agree as well, they should fix the global settings on the current FW webgui page and make rule exceptions under WAN with a new tab for ipv6.
Maybe they can also show the ipv6 address under the "internet status" as 2001:db8::/32 and with the client status IPs.
 
> That's correct. Remember that IPv6 doesn't work through NAT: You don't have a single IP, with ports being forwarded to devices. Each device gets its own IP. Therefore, to test things out, you need to enter the IPv6 of the device you are testing. And that device (for example, a Windows 7 PC) usually has its own firewall in place that might block inbound connections.

Very important point. When I enabled IPv6 I first tested from my desktop computer running Windows 7 and got "Stealth" on all ports. But then I realised that on the router ports 80 and 22 were supposed to be responding... And testing from a Linux machine I got several ports open...

Then I realised there is no NAT or firewalling for IPv6 by default, but thanks to Merlin I was able to set up ip6tables rules to block incoming connection attempts.

So any talk of "public IP" when you are talking of IPv6 is wrong, ALL your IPs will be public when using IPv6. That's the whole point of IPv6! :)
 
> So any talk of "public IP" when you are talking of IPv6 is wrong, ALL your IPs will be public when using IPv6. That's the whole point of IPv6! :)

IPs being public is related to the lack of (now unnecessary) NAT. That doesn't mean you shouldn't use a hardware firewall at your router to scan and block incoming traffic.

AFAICT, though IP6 is supposed to do away with the need to NAT for reasons of sharing a single IP, there's nothing to stop you subnetting for security, admin or convenience purposes.
 
