Joined: 05 Oct 2008 Posts: 666 Location: Helsinki, Finland / nr. Alkmaar, Netherlands
Posted: Tue Jul 14, 2020 16:07 Post subject: Firewall and IPv6
I'm currently nearing the beginning of moving to another place, so I don't have too much time to test (yeah, I did upgrade my R7800 to 43800 today ...), but it seems that on the Firewall page under
Block WAN Requests
...
Filter Multicast becomes somehow enabled where it used to be disabled on my router (as I had working and stable IPv6 ...)
...
I suddenly noticed there is something awry with IPv6 and the Filter Multicast option starting a few recent f/w builds ago (I try them all).
Many builds and perhaps a year ago this same issue of IPv6 becoming blocked after a while of uptime also came up, which is when the Filter Multicast option was pointed out as the culprit.
I disabled it and that was that, I thought.
However, somehow upon upgrading to 43800 and previous upgrades it gets enabled and I didn't do it ;)
This page has a detailed test for IPv6 and ICMP:
ipv6-test.com
The symptoms are working IPv6 after reboot and IPv6 failure after a while.
Like you, I just updated this morning to 43800 (Netgear R7500v2) and left for work after briefly checking that things were alright. After getting home and reading your post, I tried going to the IPv6 test site and couldn't. Then I checked the router and, sure enough, "filter multicast" was flipped on. I know for a FACT that it wasn't on prior to this morning's update.
That's highly irritating. Glad you said something about it.
Posted: Tue Jul 14, 2020 21:05 Post subject: Same here.
I saw your post and I thought you were in my router, because I checked my ipv6 and sure enough it was down.
At first I thought it was an artifact of the latest build and I was going to rummage through the changelogs, then I noticed your post and checked my settings.
Sure enough, filter multicast was checked and of course this breaks IPv6 for some reason.
I always assumed it was because of the way the firewall code handles multicast. I assumed it was because the code was only designed for IPv4 and filter multicast breaks the way IPv6 broadcasts and manipulates the addresses.
I've asked about this twice over a decade of posts but no one has ever answered me, though. I am not an expert on the inner workings of the protocol. So many other problems take my focus away from learning it. It would be nice if someone could explain why it breaks it just to educate us.
Joined: 05 Oct 2008 Posts: 666 Location: Helsinki, Finland / nr. Alkmaar, Netherlands
Posted: Tue Jul 14, 2020 22:07 Post subject:
ICMP ('IPv6 ping') is essential to the working of IPv6. How, I do not know, but there must be plenty of documentation around about IPv6 and ICMP.
Obviously this is in stark contrast with ping for IPv4, which is generally filtered to increase invisibility on the public internet.
Immediately after rebooting the router, or applying IPv6 settings, IPv6 will work, provided it is set up correctly, whether ICMP packets are accepted or refused.
However, in case ICMP packets are refused by the router, IPv6 will stop working after some time, which can be anything up to maybe half an hour.
This is of course very deceptive.
You reboot your router, test IPv6 using some test page and find all is fine and dandy, only to return much later and find it dead.
I'm not 100% sure, as time has passed since, but I think at this point the IPv6 address given to a client will also have disappeared.
Below is a test page that shows results for each individual part of the test:
https://ipv6-test.com/
At left near the bottom is the ICMP test. It will remain grey, if the Filter Multicast option is enabled for some reason. The overall result in such case also stays below 20/20. Not all tests for IPv6 give this level of detail.
I think that helps to explain, but it doesn't explain why it works then fails after a set time.
I would have to delve into the white papers on the protocol specs.
It looks like IPv6 requires multicast for its link-local addresses and there may be some code somewhere that assumes it is broken when it doesn't function and turns it off.
The mystery deepens...
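Added example, not part of any post in this thread: a Python sketch of which ICMPv6 Neighbor Discovery and MLD messages are sent to multicast destinations (RFC 4861, RFC 4291, RFC 3810). The filter model used here, dropping every packet addressed to ff00::/8, is an assumption for illustration and not DD-WRT's actual Filter Multicast rule; the target address is a constructed documentation address.

```python
import ipaddress

# Message name -> (ICMPv6 type, usual destination).
# "solicited-node" is derived from the target; "unicast" is the target itself.
ND_MESSAGES = {
    "router_solicitation":      (133, "ff02::2"),         # all-routers
    "router_advertisement":     (134, "ff02::1"),         # periodic, all-nodes
    "neighbor_solicitation":    (135, "solicited-node"),  # address resolution, DAD
    "unsolicited_neighbor_adv": (136, "ff02::1"),         # all-nodes
    "mldv2_report":             (143, "ff02::16"),        # all MLDv2 routers
    "nud_probe":                (135, "unicast"),         # reachability re-check
    "echo_request":             (128, "unicast"),         # "IPv6 ping"
}

def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ff00:0/104 plus the low 24 bits of the address (RFC 4291)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)

def destination(message: str, target: str) -> ipaddress.IPv6Address:
    """Destination address the given message would carry for this target."""
    _, dst = ND_MESSAGES[message]
    if dst == "solicited-node":
        return solicited_node(target)
    if dst == "unicast":
        return ipaddress.IPv6Address(target)
    return ipaddress.IPv6Address(dst)

def dropped_by_multicast_filter(message: str, target: str) -> bool:
    """Assumed filter model: drop any packet whose destination is multicast."""
    return destination(message, target).is_multicast

def survey(target: str) -> dict:
    """Map each message name to True if the assumed filter would drop it."""
    return {m: dropped_by_multicast_filter(m, target) for m in ND_MESSAGES}

if __name__ == "__main__":
    TARGET = "2001:db8::1234:5678"  # constructed documentation address
    for name, dropped in survey(TARGET).items():
        icmp_type = ND_MESSAGES[name][0]
        verdict = "DROPPED" if dropped else "passes"
        print(f"{name:26} type {icmp_type:3} -> {destination(name, TARGET)}  {verdict}")
```

Under this model, echo traffic and unicast reachability probes pass while router advertisements and address resolution are dropped, so a ping-only check does not show whether Neighbor Discovery is being filtered.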
With 43800 and 43813 both, I'm seeing issues where IPv6 works for a bit then stops. It's reminiscent of an issue with multicast being filtered. Are any of you seeing this also? (I'm driving a Netgear R7500v2.)
I think it's more than coincidental that when I updated to 43800 the "filter multicast" switch got flipped on (not by me). Even though I've turned it off again, I wonder if it's actually off. If it's not off, that might explain my issues.
Joined: 08 May 2018 Posts: 14221 Location: Texas, USA
Posted: Fri Jul 17, 2020 3:08 Post subject:
You can possibly try 'nvram set block_multicast=0 && nvram commit && reboot' to see if it fixes it. Not sure if it is a junk nvram setting or junk webconfig default, etc.
You can possibly try 'nvram set block_multicast=0 && nvram commit && reboot' to see if it fixes it. Not sure if it is a junk nvram setting or junk webconfig default, etc.
Thanks for the idea. I tried it and it didn't make any difference.
I also tried doing a clean install (nvram erase && reboot) with today's update (43824) and had continued IPv6 issues (though it was hard to fully diagnose that since I also had DHCP issues with DNSMasq).
In the end I rolled back to 43516 (again with a clean install, not from my backup file) and things are solid.
You can possibly try 'nvram set block_multicast=0 && nvram commit && reboot' to see if it fixes it. Not sure if it is a junk nvram setting or junk webconfig default, etc.
I can confirm that this worked for me on my R9000.
Joined: 05 Oct 2008 Posts: 666 Location: Helsinki, Finland / nr. Alkmaar, Netherlands
Posted: Sat Jul 18, 2020 16:24 Post subject:
After I had noticed the problem of ipv6 stopping to work after a while since having installed recent f/w builds, and subsequently found the filter multicast option to have turned on mysteriously, I just disabled it in the GUI and that was the end of the ipv6 failures.
My router is an R7800. Currently it is running the latest build, but I can't check the number now as I'm moving house. Iirc it is 43824.
Another issue - of my own doing - made me downgrade and restore older settings and after having sorted that out, upgrade to the most recent build again. The filter multicast option hasn't flipped again, though.