IPv6 question

[Treadler]

May have to check iptables. Drop means stealth, reject means respond with a refusal.

General rule is always use drop, so not sure why they would be using reject.

Actually are you using native or passthrough mode? The reject may very well be coming from the actual host being scanned and not the firewall. In which case, your IPv6 is a big security hole right now til you configure it right. PCs/servers/etc typically will respond with a refusal, whereas firewalls should always be set to drop, at least on the untrusted side.

Happens when I use native mode. (Never pass through).

I did the port scan with this site.

Online IPv6 Port Scanner, Firewall Tester

IPscan, the online IPv6 port scanner, or firewall tester, which checks responses to an ICMPv6 ping and multiple user-selectable TCP and UDP ports.

ipv6.chappell-family.com

Im ‘normally’ using IPv4 only. Port scan of that is totally stealth, no issues.

I just wonder if the Asus IPv6 firewall isn’t as good as it could be, or whether my scanning method is no good.

 

[archiel]

Happens when I use native mode. (Never pass through).

I did the port scan with this site.

Online IPv6 Port Scanner, Firewall Tester

IPscan, the online IPv6 port scanner, or firewall tester, which checks responses to an ICMPv6 ping and multiple user-selectable TCP and UDP ports.

ipv6.chappell-family.com

Im ‘normally’ using IPv4 only. Port scan of that is totally stealth, no issues.

I just wonder if the Asus IPv6 firewall isn’t as good as it could be, or whether my scanning method is no good.

FWIW I have just used the above site to scan my site from both a device routed directly and another device routed via a Wireguard VPN (using Wireguard manager, not VPN Director) and almost* all the default ports came back as Stealth. I am running dual stack, native, DHCP-PD, Stateless OpenDNS servers. ON the main WAN page I am using DoT with Cloudflare and have no entries in WAN DNS Settings: DNS Server.

* Port 53 shows as open on the VPN routed device, though this is against the VPN provider DNS server address, so only to be expected.

What did you use for IPv4 scanning - ShieldsUP or another service?

 

[Treadler]

FWIW I have just used the above site to scan my site from both a device routed directly and another device routed via a Wireguard VPN (using Wireguard manager, not VPN Director) and almost* all the default ports came back as Stealth. I am running dual stack, native, DHCP-PD, Stateless OpenDNS servers. ON the main WAN page I am using DoT with Cloudflare and have no entries in WAN DNS Settings: DNS Server.

* Port 53 shows as open on the VPN routed device, though this is against the VPN provider DNS server address, so only to be expected.

What did you use for IPv4 scanning - ShieldsUP or another service?

Interesting.
I get only a few ports stealthed, most of them “refused”.
Might have to play some more

Yes, IPv4 scan, ShieldsUP.

 

[archiel]

Although all the ports were showing Stealth, the report did show echo reply (IPv6, not IPv4).

1. Is there a way to disable this?
2. Would I even want to? - the scan is against the device's current Pv6 address which will get rotated due in due course.

 

[archiel]

Interesting.
I get only a few ports stealthed, most of them “refused”.
Might have to play some more

Yes, IPv4 scan, ShieldsUP.

As (I assume) the scan is against the IPv6 address of the device you are using (rather than the router's IP) have you tried running against a different device, it shouldn't make any difference but 'just in case'?

 

[Tech9]

Going off the grid?

Remember the cabin in the woods thread? Cabin on the beach in my case. With this winter here I can't enjoy fully the v8 advantages.

 

[Tech9]

I did the port scan with this site.

AX86U running Asuswrt-Merlin 386.7_2 firmware, IPv6 in Passthrough:

And a firmware bug in GUI:

 

[Tech9]

One IPv6 obsessed iPhone:

This guy is homeless or actively looking for a girlfriend online.

 

[learning_curve]

This thread really does remind me of the VHS / Betamax "which is best" years... & all the resultant / he said / she said / they said type of arguments. If you're anti-IPv6 that's fine. Carry on. People can make their own choices, with or without your option / view. If you're pro-IPv6, you don't need to oversell it, randomly - For exactly the same reasons that apply to the anti-IPv6 rationale, really.

Some quick relevant comments now (not arguments!)

It depends on what country you live in. Most SNB Forum members though have IPv4 available. What we discuss here quite often is very simple - I can demonstrate with real everyday use examples what issues IPv6 enabled may cause, but very few with IPv6 enabled can demonstrate any real benefits.

In the "long thread" that you mentioned previously (which I did post in), the 1st emboldened point above, was proven beyond all reasonable doubt. That, of course, then does have a big effect on the 2nd emboldened point above, when dealing with the quantity of demonstrations. Why? Only because, when you factor in, that a big % of those who could provide a demonstration of this, are either; not native English speakers or, English is only their 2nd or 3rd language. AKA They are not members of this forum, as a result of this...

Seven pages and no one touched a single benefit of IPv6 enabled when public IPv4 is available. Do you want to try your luck?

In this specific thread, maybe, any pro-IPv6 users, possibly... just can't be bothered re-entering the VHS / Betamax Emulation Arena?

~ I think you are just trying to nitpick at something here just to support your dislike of IPv6 ~

Yes; If the cap fits, wear it - As could be said to all those that might fall into this category. There's surely room for all points of view on IPv6 here?

 

[Tech9]

I just maintain the position "don't enable firmware features you don't need or know little about". It applies for most home router users. I don't agree to "enable it to test and report the issues". This is not serious and exposes less knowledgeable users to potential threats they have no way to know about.

 

[RMerlin]

Is there a way to disable this?

No. RFCs makes ICMP echo replies mandatory for IPv6 (and for a few other ICMP types). Asuswrt's firewall closely follow RFC requirements.

 

[SomeWhereOverTheRainBow]

No. RFCs makes ICMP echo replies mandatory for IPv6 (and for a few other ICMP types). Asuswrt's firewall closely follow RFC requirements.

Also keep in mind ipv6 is designed for multicast including neighbor solicitation, where as ipv4 is strictly unicast. Certain types of icmp are necessary for ipv6 to function, whereas ipv4 doesn't have this same limitation.

 

[Treadler]

No. RFCs makes ICMP echo replies mandatory for IPv6 (and for a few other ICMP types). Asuswrt's firewall closely follow RFC requirements.

Many thanks, good to hear from someone who knows!

 

[bluepoint]

No. RFCs makes ICMP echo replies mandatory for IPv6 (and for a few other ICMP types). Asuswrt's firewall closely follow RFC requirements.Is

Is IPV6 icmp echo enabled by default in RtAX88U? I don't see any option in the WEBUI to enable/disable it but for IPV4 only.

 

[SomeWhereOverTheRainBow]

Is IPV6 icmp echo enabled by default in RtAX88U? I don't see any option in the WEBUI to enable/disable it but for IPV4 only.

It is by default. If your router did not have icmp6 of certain types enabled for your router, you would not be able to obtain a dhcp lease from your isp. The router relies on multicast and neighbor solicitation to communicate with modem to get the correct ipv6 lease and prefix assignment. Also, clients on the network connecting over ipv6 rely on icmp6 to at a minimum to happen locally within the network to be able to obtain connection as well. Keep in mind, the icmp6 only applies if you have ipv6 turned on. Ipv4 is not as needy when it comes to icmp. In order to achieve icmp echo on ipv4, only one variation of icmp is required to be present on the firewall.

 

[SomeWhereOverTheRainBow]

One IPv6 obsessed iPhone:

View attachment 45407

This guy is homeless or actively looking for a girlfriend online.

That is the new speed dating for ipv6. Or the tender of apple ipv6 clients....

 

[SomeWhereOverTheRainBow]

AX86U running Asuswrt-Merlin 386.7_2 firmware, IPv6 in Passthrough:

View attachment 45401

And a firmware bug in GUI:

View attachment 45404

That looks normal for a healthy ipv6. While ipv6 is complex and rather complicated for most to understand, this is one of its security strengths. It's a double edge sword, for most it serves to create confusion. However, when the ipv6 is configured correctly by either you or your isp that means the added complexity can typically be a security advantage. I am not saying to everyone this means go turn it on.

 

[SomeWhereOverTheRainBow]

I just maintain the position "don't enable firmware features you don't need or know little about". It applies for most home router users. I don't agree to "enable it to test and report the issues". This is not serious and exposes less knowledgeable users to potential threats they have no way to know about.

I don't think people should turn it on just to find issues ,however I believe if you are someone who does use it and do determine there is a issue introduced by the firmware, it doesn't hurt to report it. How else will it ever get fixed.

Case and point, let us say asus decides to add a new detection mechanism to their ipv6 lease update methods that aid a specific isp protocol for lease obtainment. Consider you are a user who knows how ipv6 works and have it enabled and secured. You discover after the next firmware update, you are no longer able to update your ipv6 lease. May be the recent change in logic at the firmware level cause a break in your lease renewal request.

This is a rather vague example, but it shows how if you do not report the issue, how does asus ever know it existed in the first place.

 

[bluepoint]

It is by default. If your router did not have icmp6 of certain types enabled for your router, you would not be able to obtain a dhcp lease from your isp. The router relies on multicast and neighbor solicitation to communicate with modem to get the correct ipv6 lease and prefix assignment. Also, clients on the network connecting over ipv6 rely on icmp6 to at a minimum to happen locally within the network to be able to obtain connection as well. Keep in mind, the icmp6 only applies if you have ipv6 turned on. Ipv4 is not as needy when it comes to icmp. In order to achieve icmp echo on ipv4, only one variation of icmp is required to be present on the firewall.

I can get ipv6 assigned prefixes which according to you icmp6 is required. There are icmp6 test sites that are not reliable then, it shows mine is not responding to icmp6 requests.

 

[SomeWhereOverTheRainBow]

I can get ipv6 assigned prefixes which according to you icmp6 is required. There are icmp6 test sites that are not reliable then, it shows mine is not responding to icmp6 requests.

Only local neighbors of your ipv6 would be able to see the icmp6 echo request of the above mentioned, that site is not able to achieve that since only your isp or modem can do such. any other icmp features are also ratelimited by the firewall.