How do I secure my ipv6 on DD-Wrt

oliver44
DD-WRT Guru


Joined: 01 Jun 2016
Posts: 504

Posted: Tue Dec 27, 2022 17:19    Post subject: How do I secure my ipv6 on DD-Wrt
Router Model: Linksys WRT1900ACS
Firmware Version: DD-WRT v3.0-r51043 std (12/19/22)
I use IPv6 on my network but I see that it's not secure at all.
How do I secure it using the firewall?

https://ipv6.chappell-family.com/ipv6tcptest/

_________________
Internet provider https://en.wikipedia.org/wiki/RCS_%26_RDS 1Gbps
WDR3600 rev.1.5 - DD-Wrt
Linksys WRT1900ACS v.2 DD-Wrt/-OpenWrt



https://ipv6.chappell-family.com/ipv6tcptest/
https://en.internet.nl/connection/e91f490fe1c54cb2b78145c0ab0d2b5a/results
http://www.dnssec-or-not.com/
https://dnscheck.tools/#results
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Tue Dec 27, 2022 17:37
I assume you are running this from your Windows PC, so you are testing the firewall of your Windows PC and not that of the router.

As IPv6 has no NAT, your clients are directly connected to the internet (that does not mean the router has no firewall).

But the results are not bad: no open ports, so not much to complain about. If you want to be safer, then do not use IPv6 :)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
oliver44
DD-WRT Guru


Joined: 01 Jun 2016
Posts: 504

Posted: Tue Dec 27, 2022 17:54
This problem can be solved in OpenWrt:

Alternatively, add the following lines to /etc/config/network and restart the network service:

config interface 'wan_6'
    option proto 'dhcpv6'
    option reqaddress 'try'
    option reqprefix 'auto'
    option device '@wan'

Added a traffic rule as the LAST rule: from WAN, any protocol, IPv4 and IPv6, destination any zone, action DROP. All green now. You just need to decide if you want to filter or drop (Stealth).

That's because I had the default policy set to "accept". Alternatively, not using the rule and setting the default policy to "drop":

Last edited by oliver44 on Tue Dec 27, 2022 17:57; edited 1 time in total
oliver44
DD-WRT Guru


Joined: 01 Jun 2016
Posts: 504

Posted: Tue Dec 27, 2022 17:55
Same result, all green. Removed echo request from the allowed ICMP incoming rule, and now ping goes stealth as well:
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Tue Dec 27, 2022 18:13
If you drop all traffic it is like disabling IPv6.

DD-WRT also has a DROP rule in place, but if you add a drop rule it will be placed on top, basically disabling everything:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot   opt in  out   source  destination
  23M   27G ACCEPT  all        *   *     ::/0    ::/0         state RELATED,ESTABLISHED
61890   30M ACCEPT  all        *   eth0  ::/0    ::/0
    1   168 ACCEPT  icmpv6     *   *     ::/0    ::/0         limit: avg 30/min burst 5
 3395  231K REJECT  all        *   *     ::/0    ::/0         reject-with icmp6-adm-prohibited

ICMPv6 is necessary for the proper functioning of IPv6 (that does not mean allowing all types is necessary).

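
The rule-order point in the post above, as an added example that is not part of the thread and not DD-WRT code: a POSIX shell/awk function that reads an `ip6tables -vnL FORWARD` listing and reports when a catch-all DROP/REJECT sits above the RELATED,ESTABLISHED accept or above the ICMPv6 accept. The function names and finding labels are made up for this example; the first sample is the listing quoted in the post, the second is constructed from it.

```shell
#!/bin/sh
# Added example (not DD-WRT code): audit rule order in `ip6tables -vnL FORWARD`.
# Reads the listing on stdin, prints "ok" or a space-separated list of findings.
audit_forward() {
    awk '
    /^Chain / { policy = $4; next }      # "Chain FORWARD (policy ACCEPT ..."
    $1 == "pkts" || NF < 8 { next }      # column titles and blank lines
    {
        n++
        o = ($5 == "--") ? 1 : 0         # assumption: some builds print an opt column
        target = $3; proto = $4
        wide = ($(5+o) == "*" && $(6+o) == "*" && $(7+o) == "::/0" && $(8+o) == "::/0")
        ext = ""                         # match extensions after the destination
        for (i = 9 + o; i <= NF; i++) ext = ext " " $i
        deny = (target == "DROP" || target == "REJECT")
        bare = (ext == "" || ext ~ /^ reject-with/)
        if (!est && target == "ACCEPT" && ext ~ /RELATED,ESTABLISHED/) est = n
        if (!icmp && target == "ACCEPT" && proto ~ /icmp/) icmp = n
        if (!block && deny && proto == "all" && wide && bare) block = n
    }
    END {
        if (!block && policy == "ACCEPT") out = out " no-default-deny"
        if (block && (!est || block < est)) out = out " catchall-before-established"
        if (block && (!icmp || block < icmp)) out = out " catchall-before-icmpv6"
        sub(/^ /, "", out)
        print (out == "" ? "ok" : out)
    }'
}

# Listing quoted in the post above (default FORWARD chain).
sample_default() {
cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  23M   27G ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
61890   30M ACCEPT all * eth0 ::/0 ::/0
    1   168 ACCEPT icmpv6 * * ::/0 ::/0 limit: avg 30/min burst 5
 3395  231K REJECT all * * ::/0 ::/0 reject-with icmp6-adm-prohibited
EOF
}

# Constructed: the same chain after a blanket DROP was inserted as rule 1.
sample_drop_on_top() {
    sample_default | awk '{ print } $1 == "pkts" { print "0 0 DROP all * * ::/0 ::/0" }'
}

sample_default | audit_forward
sample_drop_on_top | audit_forward
```

On a router the live chain can be checked with `ip6tables -vnL FORWARD | audit_forward`.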
oliver44
DD-WRT Guru


Joined: 01 Jun 2016
Posts: 504

Posted: Tue Dec 27, 2022 18:48
I was thinking how for IPv4 you can assign some rules, as is the case with OpenWrt, which as standard does not come set with the following rules, but I respect DD-WRT, which passes the test https://www.grc.com/x/ne.dll?rh1dkyd2 with standard settings ....

Honestly, I'm not a network specialist. I thought I could bring certain things to your attention; maybe some implemented things can work for DD-WRT too.

oliver44
DD-WRT Guru


Joined: 01 Jun 2016
Posts: 504

Posted: Tue Feb 21, 2023 17:42
Finally, DD-WRT takes important steps in implementing IPv6. The test is passed with the default settings. I just wanted to update this topic!
o2bad455
DD-WRT User


Joined: 08 Oct 2015
Posts: 252

Posted: Tue Feb 21, 2023 20:14
oliver44 wrote:
Finally, DD-WRT takes important steps in implementing IPv6. The test is passed with the default settings. I just wanted to update this topic!

Interesting, thanks! I tried that port test link ( https://ipv6.chappell-family.com/ipv6tcptest/ ) with IPv6 disabled and got an expected error for accessing with an IPv4 address. Then I tried enabling IPv6, but could no longer access the page at all. I had the DHCPv6 type enabled. Was your green result with a different type enabled? If not, I guess I must have an incompatibility with my firewall and/or VPN.

_________________
My DD-WRT Routers:
Linksys WRT3200ACM - Marvell
Linksys WRT1900ACS - Marvell
Netgear R9000 - Atheros
Netgear R7000 - Broadcom
PC x86-64 VM - Atheros
oliver44
DD-WRT Guru


Joined: 01 Jun 2016
Posts: 504

Posted: Wed Feb 22, 2023 3:42
My only setting in the IPv6 tab is the choice of IPv6 connections Type DHCPv6 with Prefix Delegation.
oliver44
DD-WRT Guru


Joined: 01 Jun 2016
Posts: 504

Posted: Sun Feb 26, 2023 18:20
I have a question: do you think it is possible for ICMPv6 ECHO REQUEST returned to also receive ECHO NO REPLY in the test?

In OpenWrt I removed echo request from the allowed ICMP incoming rule, and now ping goes stealth as well.

I recently visited a friend who bought a TP-Link router and I noticed that it passes the test without problems with the original software, with the default settings!
