Thanks for the guide wpte. I haven't had a chance to upgrade the firmware yet, hopefully I'll get to that tomorrow. Just a couple of things to point out about the guide.
The IPv4 server endpoint address is not the same for everyone. In my case it's 216.66.80.30
There are three different /64s used in the connection. In my case:
The Client endpoint - 2001:470:***a:823::2/64 - I believe this should be the WAN Static or local IPv6 address:
The Server endpoint - 2001:470:***a:823::1/64 - I believe this should be the WAN Remote IPv6 gateway:
The Routed /64 for LAN address allocation - 2001:470:***b:823::/64 - I believe this should be the LAN Static IPv6 address:
Last edited by Dapper; 21-02-2011 at 05:29.
Last edited by wpte; 21-02-2011 at 10:35.
No:
The advantage is that the relay server is in my country and it is quicker.

> 6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels. Special relay servers are also in place that allow 6to4 networks to communicate with native IPv6 networks.
wiki:6to4
Finally!
Reset the router to factory defaults
Installed r6214
Reapplied the IPv6 settings described in my post above
Works!
Am I correct in thinking ip6tables are now activated by default with IPv6?
Last edited by Dapper; 21-02-2011 at 06:03.
Following on from my previous post, if, as I suspect from reading this thread, ip6tables is active in the router once IPv6 has been enabled, I'm a little curious about the results of the HE IPv6 port scanner.
When I run the test I get:
Not shown: 991 closed ports
PORT STATE SERVICE
135/tcp open msrpc
445/tcp open microsoft-ds
5357/tcp open unknown
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49158/tcp open unknown
I can get my system to filter these and report a clean slate by enabling the Windows 7 firewall.
In terms of what these represent:
135/tcp open msrpc - RPC service
445/tcp open microsoft-ds - SMB over TCP
5357/tcp open unknown - Network Discovery
49152/tcp open unknown - Wininit.exe (Core Windows service)
49153/tcp open unknown - A svchost instance
49154/tcp open unknown - A svchost instance
49155/tcp open unknown - A svchost instance
49156/tcp open unknown - A svchost instance
Each of the svchost containers relates to different services, some of which could be disabled but others not.
49158/tcp open unknown - lsass.exe (Local security authentication server)
This one really needs to be closed.
Because I can filter these using a software firewall, does it mean the ip6tables are opening holes to these services?
Edit: I found another scanner http://www.vikingscan.org/home which also shows ports 134 and 445 as open in the base test against the IPv6 addresses and stealthed against the IPv4 address. On the advanced test the higher number ports were also reported open against the IPv6 address.
Last edited by Dapper; 21-02-2011 at 13:28.
it looks like you're scanning your client pc?
if so: ipv6 does not have NAT, but every ip6 address is unique and can be accessed without forwarding, which means your own computer needs proper protection from the outside
Windows firewall (by the looks you're using windows) should be able to filter IPv6 traffic
If you scan from a local machine, it might access the other computers via the local ipv6 address range starting with "fe80".
Anyway, good stuff you have it working.
Is it the way I said or did you simply use the range you mentioned?
firmware has ipv6 auto firewall already, check ip6tables -nvL
ASUS WL5xx: FW 1.9.2.7-d-rXXXX / обсуждение прошивки (firmware discussion) [RU] / firmware discussion [EN] | bip irc proxy
ASUS RT-N1x: FW 1.9.2.7-rtn-rXXXX / обсуждение прошивки (firmware discussion) [RU] / firmware discussion [EN] | fake ident daemon
The scans were online scans and they were using the IPv6 address of the PC as opposed to the IPv6 tunnel endpoint address, on the router. If I scan the endpoint address, it just finds TCP port 21 (FTP) as closed.
I understand IPv6 goes straight through NAT but I thought the point of the rules in the ip6tables, would be to filter unwanted IPv6 traffic from reaching the LAN?
I am on Windows XP, 7 and 2008R2 and it's easy enough to create firewall rules that block these ports, providing one uses a firewall that works correctly with IPv6. However, if I'm correct, this means I now have to firewall all my LAN clients to explicitly block IPv6 traffic that comes through the router?
Surely it's possible to filter this at the point of entry?
> Anyway, good stuff you have it working.
> Is it the way I said or did you simply use the range you mentioned?

I used the blocks I mentioned in my earlier post, with the routed block for LAN allocation.

> firmware has ipv6 auto firewall already, check ip6tables -nvL

Thanks for that.
I have a feeling I'm missing something fundamental here!
Last edited by Dapper; 21-02-2011 at 12:10.
Am I right in thinking the 2.4 kernel doesn't support 'STATE' for ip6tables? If so, is this the reason why the implemented ip6tables, if I'm understanding correctly, simply forward all tcp packets?
Assuming the aforementioned is correct, what would be the solutions/work-arounds, to provide better inbound security for IPv6?
Thanks
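Putting the two technical pieces of this thread together (the three-address tunnel mapping from Dapper's first post, and the question of what a stateless ip6tables can still do on a kernel without IPv6 connection tracking), here is an added example post-boot script; it is not from the thread or the firmware. Every address except the HE IPv4 server endpoint quoted above is a constructed placeholder, and the interface names sit1 and br0 are assumptions.

```shell
#!/bin/sh
# Added example: (1) bring up the 6in4 tunnel using the three addresses the
# thread describes, (2) install a stateless ip6tables policy for a kernel
# that has no IPv6 conntrack (so no "state ESTABLISHED" match is available).
# Addresses are constructed placeholders (RFC 3849 prefix) except the HE
# server IPv4 quoted in the thread; interface names sit1/br0 are assumed.

HE_SERVER_V4=216.66.80.30        # IPv4 server endpoint (differs per tunnel)
LOCAL_V4=192.0.2.10              # the router's own public IPv4 (constructed)
CLIENT_V6=2001:db8:a:823::2      # Client endpoint  -> WAN static address
SERVER_V6=2001:db8:a:823::1      # Server endpoint  -> WAN remote gateway
ROUTED_V6=2001:db8:b:823::       # Routed /64       -> LAN prefix, ::1 on the router
WAN=sit1; LAN=br0

# Dry-run by default (commands are printed); APPLY=1 as root executes them.
IP=ip; IP6T=ip6tables
[ "${APPLY:-0}" = 1 ] || { IP="echo ip"; IP6T="echo ip6tables"; }

he_tunnel_up() {
    $IP tunnel add "$WAN" mode sit remote "$HE_SERVER_V4" local "$LOCAL_V4" ttl 255
    $IP link set "$WAN" up
    $IP addr add "$CLIENT_V6/64" dev "$WAN"
    $IP route add ::/0 via "$SERVER_V6" dev "$WAN"
    $IP addr add "${ROUTED_V6}1/64" dev "$LAN"   # LAN hosts autoconfigure from this /64
}

ip6_fw_rules() {
    $IP6T -F INPUT; $IP6T -F FORWARD
    # Must pass: loopback, the LAN side, and ICMPv6 (neighbour discovery and
    # path-MTU discovery break without it).
    $IP6T -A INPUT -i lo -j ACCEPT
    $IP6T -A INPUT -i "$LAN" -j ACCEPT
    $IP6T -A INPUT -p icmpv6 -j ACCEPT
    $IP6T -A FORWARD -i "$LAN" -j ACCEPT
    $IP6T -A FORWARD -p icmpv6 -j ACCEPT
    # No conntrack: approximate "established" by letting non-SYN TCP through
    # and dropping new connection attempts (SYN without ACK) from the tunnel.
    # Limitation: bare ACK packets to any port still pass, so LAN hosts keep
    # their own host firewall as well.
    for chain in INPUT FORWARD; do
        $IP6T -A $chain -i "$WAN" -p tcp ! --syn -j ACCEPT
        $IP6T -A $chain -i "$WAN" -p tcp --syn -j DROP
        # UDP has no handshake to key on; admit DNS replies only, drop the rest.
        $IP6T -A $chain -i "$WAN" -p udp --sport 53 -j ACCEPT
        $IP6T -A $chain -i "$WAN" -p udp -j DROP
    done
}

he_tunnel_up
ip6_fw_rules
```

Run without APPLY to see the exact commands; `ip6tables -nvL` afterwards shows whether the per-rule counters on the SYN DROP lines are climbing.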
Thank you both for your replies
Just curious, what impact, if any, do the latest changes to the firmware have on the issues we discussed above?

> backports from upstream (IPv6, bridge, mm, net, vfs, netfilter, scsi, netlink)
Thanks