Thread: IPv6 Support

  1. #151
    Quote Originally Posted by wpte View Post
    I added documentation on how to configure a tunnel due to the amount of problems and questions
    http://code.google.com/p/wl500g/wiki...Pv6Tunnelhowto
    Obviously things still could go wrong, but this makes things easier

    Also added the link in the first post of this thread
    Thanks for the guide wpte. I haven't had a chance to upgrade the firmware yet, hopefully I'll get to that tomorrow. Just a couple of things to point out about the guide.

    The IPv4 server endpoint address is not the same for everyone. In my case it's 216.66.80.30

    There are three different /64 used in the connection. in my case:

    The Client endpoint - 2001:470:***a:823::2/64 - I believe this should be the WAN Static or local IPv6 address:
    The Server endpoint - 2001:470:***a:823::1/64 - I believe this should be the WAN Remote IPv6 gateway:

    The Routed /64 for LAN address allocation - 2001:470:***b:823::/64 - I believe this should be the LAN Static IPv6 address:
    Last edited by Dapper; 21-02-2011 at 05:29.

  2. #152
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by maros View Post
    I'm using the 6to4 tunnel (not 6in4)
    that's meant for when you only have an IPv6 address and still like to access IPv4 addresses on the internet.
    So I suggest the 6in4 tunnel

    the rest looks all right
    Is this also from HE?

  3. #153
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by Dapper View Post
    There are three different /64 used in the connection. in my case:

    The Client endpoint - 2001:470:***a:823::2/64 - I believe this should be the WAN Static or local IPv6 address:
    The Server endpoint - 2001:470:***a:823::1/64 - I believe this should be the WAN Remote IPv6 gateway:

    The Routed /64 for LAN address allocation - 2001:470:***b:823::/64 - I believe this should be the LAN Static IPv6 address:
    Yes correct
    But I believe the LAN Static IPv6 address should be just like the WAN Remote IPv6 gateway.
    Last edited by wpte; 21-02-2011 at 10:35.

  4. #154
    Quote Originally Posted by wpte View Post
    that's meant for when you only have an IPv6 address and still like to access IPv4 addresses on the internet.
    So I suggest the 6in4 tunnel

    the rest looks all right
    Is this also from HE?
    No:
    6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels. Special relay servers are also in place that allow 6to4 networks to communicate with native IPv6 networks.

    wiki:6to4
    The advantage is, that the relay server is in my country and it is quicker.

  5. #155
    Quote Originally Posted by wpte View Post
    Yes correct
    But I believe the LAN Static IPv6 address should be just like the WAN Remote IPv6 gateway.
    But that's the server address. The client endpoint is ::2

  6. #156
    Finally!

    Reset the router to factory defaults
    Installed r6214
    Reapplied the IPv6 settings described in my post above

    Works!

    Am I correct in thinking ip6tables are now activated by default with IPv6?
    Last edited by Dapper; 21-02-2011 at 06:03.

  7. #157
    Following on from my previous post, if, as I suspect from reading this thread, ip6tables are active in the router, once IPv6 has been enabled, I'm a little curious about the results of the HE Ipv6 Port scanner.

    When I run the test I get:

    Not shown: 991 closed ports
    PORT STATE SERVICE
    135/tcp open msrpc
    445/tcp open microsoft-ds
    5357/tcp open unknown
    49152/tcp open unknown
    49153/tcp open unknown
    49154/tcp open unknown
    49155/tcp open unknown
    49156/tcp open unknown
    49158/tcp open unknown

    I can get my system to filter these and report a clean slate by enabling the Windows 7 firewall.

    In terms of what these represent:

    135/tcp open msrpc - RPC service

    445/tcp open microsoft-ds - SMB over TCP

    5357/tcp open unknown - Network Discovery

    49152/tcp open unknown - Wininit.exe (Core Windows service)

    49153/tcp open unknown - A svchost instance
    49154/tcp open unknown - A svchost instance
    49155/tcp open unknown - A svchost instance
    49156/tcp open unknown - A svchost instance

    Each of the svchost containers relates to different services, some of which could be disabled but others not.

    49158/tcp open unknown - lsass.exe (Local security authentication server)
    This one really needs to be closed.

    Because I can filter these using a software firewall, does it mean the ip6tables are opening holes to these services?

    Edit: I found another scanner http://www.vikingscan.org/home which also shows ports 134 and 445 as open in the base test against the IPv6 addresses and stealthed against the IPv4 address. On the advanced test the higher number ports were also reported open against the IPv6 address.
    Last edited by Dapper; 21-02-2011 at 13:28.

  8. #158
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by Dapper View Post
    Because I can filter these using a software firewall, does it mean the ip6tables are opening holes to these services?
    it looks like you're scanning your client pc?
    if so: ipv6 does not have NAT, but every ip6 address is unique and can be accessed without forwarding, which means your own computer needs proper protection from the outside
    Windows firewall (by the looks you're using windows) should be able to filter IPv6 traffic

    If you scan from a local machine, it might access the other computers via the local ipv6 address range starting with "fe80".

    Anyway, good stuff you have it working.
    Is it the way I said or did you simply use the range you mentioned?

  9. #159

  10. #160
    Quote Originally Posted by wpte View Post
    it looks like you're scanning your client pc?
    if so: ipv6 does not have NAT, but every ip6 address is unique and can be accessed without forwarding, which means your own computer needs proper protection from the outside
    Windows firewall (by the looks you're using windows) should be able to filter IPv6 traffic

    If you scan from a local machine, it might access the other computers via the local ipv6 address range starting with "fe80".
    The scans were online scans and they were using the IPv6 address of the PC as opposed to the IPv6 tunnel endpoint address, on the router. If I scan the endpoint address, it just finds TCP port 21 (FTP) as closed.

    I understand IPv6 goes straight through NAT but I thought the point of the rules in the ip6tables, would be to filter unwanted IPv6 traffic from reaching the LAN?

    I am on Windows, XP, 7 and 2008R2 and it's easy enough to create firewall rules that block these ports, providing one uses a firewall that works correctly with IPv6. However, if I'm correct, this means I now have to firewall all my LAN clients to explicitly block IPv6 traffic that comes through the router?

    Surely it's possible to filter this at the point of entry?

    Anyway, good stuff you have it working.
    Is it the way I said or did you simply use the range you mentioned?
    I used the blocks I mentioned in my earlier post, with the routed block for LAN allocation.

    firmware has ipv6 auto firewall already, check ip6tables -nvL
    Thanks for that


    I have a feeling I'm missing something fundamental here!
    Last edited by Dapper; 21-02-2011 at 12:10.

  11. #161
    Am I right in thinking the 2.4 kernel doesn't support 'STATE' for ip6tables? If so, is this the reason why the implemented ip6tables, if I'm understanding correctly, simply forward all tcp packets?

    Assuming the aforementioned is correct, what would be the solutions/work-arounds, to provide better inbound security for IPv6?

    Thanks

  12. #162
    Quote Originally Posted by Dapper View Post
    Am I right in thinking the 2.4 kernel doesn't support 'STATE' for ip6tables? If so, is this the reason why the implemented ip6tables, if I'm understanding correctly, simply forward all tcp packets?

    Assuming the aforementioned is correct, what would be the solutions/work-arounds, to provide better inbound security for IPv6?

    Thanks
    Unfortunately, the Linux 2.4 IPv6 stateful firewall isn't finished yet; there are things to be fixed before it becomes usable.
    Linux 2.6-based firmware doesn't have this issue, and could be installed on the wl500gp/gpv2/w/rt-n10/n12/n16 as well

  13. #163
    Join Date
    Nov 2006
    Location
    Russia, Moscow
    Posts
    3,640
    Quote Originally Posted by Dapper View Post
    Am I right in thinking the 2.4 kernel doesn't support 'STATE' for ip6tables?
    Yes, you are right.

    We did an experimental backport of IPv6 conntrack from the 2.6 kernel, but it is still incomplete. Unfortunately, the IPv6 stack in the 2.4 kernel is not fully compatible with netfilter either. So, ip6_conntrack for 2.4 has serious memory leaks for now.
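
Added example (not part of the thread or of the firmware): one stateless approach to the workaround question raised in posts #161 to #163, refusing inbound TCP connection attempts on the forward path when the `state` match is unavailable. The interface names `six0` and `br0`, the chain name `in6_filter`, and the availability of the `tcp` and `udp` matches in the firmware's ip6tables build are assumptions.

```shell
#!/bin/sh
# Added example: stateless inbound IPv6 filter for a router whose kernel
# lacks the ip6tables 'state' match. Interface names are assumptions.

# Print the ruleset instead of applying it, so it can be reviewed first.
# $1 = IPv6 tunnel/WAN interface, $2 = LAN interface.
stateless_forward_rules() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "usage: stateless_forward_rules WAN6_IF LAN_IF" >&2
        return 1
    fi
    cat <<EOF
# Dedicated chain for traffic arriving from the IPv6 side for LAN hosts.
ip6tables -N in6_filter
# ICMPv6 carries Packet Too Big and other errors that IPv6 depends on.
ip6tables -A in6_filter -p ipv6-icmp -j ACCEPT
# A bare SYN opens a new TCP connection: refuse those from outside.
ip6tables -A in6_filter -p tcp --syn -j DROP
# Remaining TCP segments are treated as replies to LAN-initiated flows.
# Without conntrack this cannot be verified, only assumed.
ip6tables -A in6_filter -p tcp -j ACCEPT
# UDP has no flags; admit only DNS answers (source port is spoofable).
ip6tables -A in6_filter -p udp --sport 53 -j ACCEPT
# Everything else inbound is dropped.
ip6tables -A in6_filter -j DROP
# Hook the chain in front of any existing FORWARD rules.
ip6tables -I FORWARD 1 -i $1 -o $2 -j in6_filter
EOF
}

# Review the output, then apply with: stateless_forward_rules six0 br0 | sh
# (six0 and br0 are placeholder interface names; check yours with ifconfig).
stateless_forward_rules "${WAN6_IF:-six0}" "${LAN_IF:-br0}"
```

Non-SYN TCP segments and UDP with a forged source port 53 still pass this filter, so host firewalls on the LAN clients remain necessary until a stateful IPv6 firewall is available.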

  14. #164
    Thank you both for your replies

  15. #165
    Just curious, what impact, if any, do the latest changes to the firmware

    backports from upstream (IPv6, bridge, mm, net, vfs, netfilter, scsi, netlink)
    have on the issues we discussed above?

    Thanks
