Firewall and IPv6

ArjenR49
DD-WRT Guru


Joined: 05 Oct 2008
Posts: 666
Location: Helsinki, Finland / nr. Alkmaar, Netherlands

Posted: Tue Jul 14, 2020 16:07    Post subject: Firewall and IPv6
I'm currently nearing the beginning of moving to another place, so I don't have too much time to test (yeah, I did upgrade my R7800 to 43800 today ...), but it seems that on the Firewall page under
Block WAN Requests
...
Filter Multicast becomes somehow enabled where it used to be disabled on my router (as I had working and stable IPv6 ...)
...

I suddenly noticed there is something awry with IPv6 and the Filter Multicast option starting a few recent f/w builds ago (I try them all).

Many builds and perhaps a year ago this same issue of IPv6 becoming blocked after a while of uptime also came up, which is when the Filter Multicast option was pointed out as the culprit.
I disabled it and that was that, I thought.
However, somehow upon upgrading to 43800 and previous upgrades it gets enabled and I didn't do it ;-)

This page has a detailed test for IPv6 and ICMP:
ipv6-test.com

The symptoms are working IPv6 after reboot and IPv6 failure after a while.

Anybody else notice this?
siege
DD-WRT User


Joined: 23 Dec 2016
Posts: 90

Posted: Tue Jul 14, 2020 20:47
YES!

Like you, I just updated this morning to 43800 (Netgear R7500v2) and left for work after briefly checking that things were alright. After getting home and reading your post, I tried going to the IPv6 test site and couldn't. Then I checked the router and, sure enough, "filter multicast" was flipped on. I know for a FACT that it wasn't on prior to this morning's update.

That's highly irritating. Glad you said something about it.
roadrun777
DD-WRT User


Joined: 24 Jan 2007
Posts: 81

Posted: Tue Jul 14, 2020 21:05    Post subject: Same here.
I saw your post and I thought you were in my router, because I checked my ipv6 and sure enough it was down.
At first I thought it was an artifact of the latest build and I was going to rummage through the changelogs, then I noticed your post and checked my settings.

Sure enough, filter multicast was checked and of course this breaks IPV6 for some reason.

I always assumed it was because of the way the firewall code handles multicast. I assumed it was because the code was only designed for IPv4 and filter multicast breaks the way IPV6 broadcasts and manipulates the addresses.

I've asked about this twice over a decade of posts but no one has ever answered me, though. I am not an expert on the inner workings of the protocol. So many other problems take my focus away from learning it. It would be nice if someone could explain why it breaks it just to educate us.
ArjenR49
DD-WRT Guru


Joined: 05 Oct 2008
Posts: 666
Location: Helsinki, Finland / nr. Alkmaar, Netherlands

Posted: Tue Jul 14, 2020 22:07
ICMP ('IPv6 ping') is essential to the working of IPv6. How, I do not know, but there must be plenty of documentation around about IPv6 and ICMP.
Obviously this is in stark contrast with ping for IPv4, which is generally filtered to increase invisibility on the public internet.

Immediately after rebooting the router, or applying IPv6 settings, IPv6 will work, provided it is set up correctly, whether ICMP packets are accepted or refused.

However, in case ICMP packets are refused by the router, IPv6 will stop working after some time, which can be anything up to maybe half an hour.

This is of course very deceptive.
You reboot your router, test IPv6 using some test page and find all is fine and dandy, only to return much later and find it dead.

I'm not 100% sure, as time has passed since, but I think at this point the IPv6 address given to a client will also have disappeared.

Below is a test page that shows results for each individual part of the test:
https://ipv6-test.com/
At left near the bottom is the ICMP test. It will remain grey, if the Filter Multicast option is enabled for some reason. The overall result in such case also stays below 20/20. Not all tests for IPv6 give this level of detail.
roadrun777
DD-WRT User


Joined: 24 Jan 2007
Posts: 81

Posted: Tue Jul 14, 2020 22:46
That is definitely a good clue.

https://blogs.infoblox.com/ipv6-coe/back-to-basics-the-ipv6-address-types-part-2/

I think that helps to explain, but it doesn't explain why it works then fails after a set time.
I would have to delve into the white papers on the protocol specs.
It looks like IPV6 requires multicast for its link-local addresses and there may be some code somewhere that assumes it is broken when it doesn't function and turns it off.
The mystery deepens...
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

Posted: Wed Jul 15, 2020 18:41
1) IPv6 doesn't have Broadcast and uses Multicast instead.

2) The IPv6 route will disappear with some ISPs when the Radvd packets are blocked.
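
The "works after reboot, dies later" symptom in this thread matches a default route learned from Router Advertisements running out its lifetime once further RAs stop arriving. As an added example (not part of the original thread), this shell function classifies the output of `ip -6 route show default`; it assumes iproute2-style output with an `expires Nsec` field, and the sample lines and the `WARN_SECS` threshold are constructed for illustration.

```shell
#!/bin/sh
# Classify the IPv6 default route from `ip -6 route show default` (stdin).
# Prints: missing | static | expiring <secs> | ok <secs>
# WARN_SECS is an assumed alert threshold, not a value from the thread.
WARN_SECS=${WARN_SECS:-600}

ra_route_status() {
    awk -v warn="$WARN_SECS" '
        BEGIN { best = 0 }
        $1 == "default" {
            found = 1
            secs = -1
            # An RA-learned route carries "expires <N>sec"; a static one does not.
            for (i = 2; i < NF; i++)
                if ($i == "expires") {
                    secs = $(i + 1)
                    sub(/sec$/, "", secs)
                    secs += 0
                }
            if (secs < 0) permanent = 1
            else if (secs > best) best = secs
        }
        END {
            if (!found)           print "missing"       # route already gone
            else if (permanent)   print "static"        # does not depend on RAs
            else if (best < warn) print "expiring " best # RAs likely not refreshing it
            else                  print "ok " best
        }'
}

# Constructed sample lines in iproute2 format (interface and address are made up).
SAMPLE_FRESH='default via fe80::1 dev vlan2 proto ra metric 1024 expires 1650sec hoplimit 64 pref medium'
SAMPLE_STALE='default via fe80::1 dev vlan2 proto ra metric 1024 expires 42sec hoplimit 64 pref medium'

printf '%s\n' "$SAMPLE_FRESH" | ra_route_status
printf '%s\n' "$SAMPLE_STALE" | ra_route_status
# Live use on a Linux host: ip -6 route show default | ra_route_status
```

Run it periodically after a reboot: a counter that only ever falls and is never reset to its full lifetime indicates that Router Advertisements are being filtered somewhere on the path.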
siege
DD-WRT User


Joined: 23 Dec 2016
Posts: 90

Posted: Fri Jul 17, 2020 2:58
With 43800 and 43813 both, I'm seeing issues where IPv6 works for a bit then stops. It's reminiscent of an issue with multicast being filtered. Are any of you seeing this also? (I'm driving a Netgear R7500v2.)

I think it's more than coincidental that when I updated to 43800 the "filter multicast" switch got flipped on (not by me). Even though I've turned it off again, I wonder if it's actually off. If it's not off, that might explain my issues.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Fri Jul 17, 2020 3:08
You can possibly try 'nvram set block_multicast=0 && nvram commit && reboot' to see if it fixes it. Not sure if it is a junk nvram setting or junk webconfig default, etc.
siege
DD-WRT User


Joined: 23 Dec 2016
Posts: 90

Posted: Fri Jul 17, 2020 23:17
kernel-panic69 wrote:
You can possibly try 'nvram set block_multicast=0 && nvram commit && reboot' to see if it fixes it. Not sure if it is a junk nvram setting or junk webconfig default, etc.

Thanks for the idea. I tried it and it didn't make any difference.

I also tried doing a clean install (nvram erase && reboot) with today's update (43824) and had continued IPv6 issues (though it was hard to fully diagnose that since I also had DHCP issues with DNSMasq).

In the end I rolled back to 43516 (again with a clean install, not from my backup file) and things are solid.
buffalo0207
DD-WRT User


Joined: 30 Apr 2014
Posts: 147
Location: UK

Posted: Fri Jul 17, 2020 23:38
kernel-panic69 wrote:
You can possibly try 'nvram set block_multicast=0 && nvram commit && reboot' to see if it fixes it. Not sure if it is a junk nvram setting or junk webconfig default, etc.


I can confirm that this worked for me on my R9000.

Thanks...
ArjenR49
DD-WRT Guru


Joined: 05 Oct 2008
Posts: 666
Location: Helsinki, Finland / nr. Alkmaar, Netherlands

Posted: Sat Jul 18, 2020 16:24
After I had noticed the problem of ipv6 stopping to work after a while since having installed recent f/w builds, and subsequently found the filter multicast option to have turned on mysteriously, I just disabled it in the GUI and that was the end of the ipv6 failures.

My router is an R7800. Currently it is running the latest build, but I can't check the number now as I'm moving house. Iirc it is 43824.
Another issue - of my own doing - made me downgrade and restore older settings and after having sorted that out, upgrade to the most recent build again. The filter multicast option hasn't flipped again, though.

And the ipv6 problem hasn't returned.