I have two routers: one is provided by my ISP and has an integrated modem (from now on: "modem"); the other is a Netgear R7000 (from now on: "router") that I bought.

I wanted to cascade the router to the modem, so I connected the Internet port of the router to the modem and configured it as follows:

  • Internet static IP: 192.168.1.1
  • Gateway: 192.168.1.254 (this is the modem IP).
  • Lan IP: 192.168.2.1

Then I proceeded to configure the modem as follows:

  • I configured a DMZ pointing to 192.168.1.1 (router internet IP)
  • disabled all DHCP

Everything works as expected (as in: I can browse the internet) but, as I was testing my network using an online IPv6 port scanner, a few things surprised me:

  • If I don't disable the firewall on the modem, the scanner reports that everything is

STLTH (No response was received from your machine in the allocated time period. This is the ideal response since no-one can ascertain your machines' presence at this IPv6 address/port combination.)

which is OK [EDIT: this is actually NOT OK since the DMZ, as configured above, should bypass the modem firewall, right?]

  • If I disable the firewall on the modem, I would have expected the very same results, since I thought all the traffic would be filtered by my router (which has NAT filtering turned on), BUT that was not the case! The scanner reports

RFSD (A refused indication (TCP RST/ACK or ICMPv6 type 1 code 4) was received when attempting to open this port. Someone can ascertain that your machine is responding on this IPv6 address/port combination, but cannot establish a TCP connection.)

except for port 22, which is actually open on my machine, where the scanner says OPEN. This is NOT OK.

  • Even though the scanner reports that my port 22 is open, I cannot get anyone to connect to it from outside the network. A friend of mine tried to connect to it with

ssh -6 myipv6

and he received a host unreachable error, BUT when I asked him to try

nmap -6 -p22 -Pn --traceroute myipv6

he actually managed to reach my machine, and nmap said port 22 was "filtered".

To recap, my questions are:

  • Why is the firewall on the router not working?
  • Why can't I connect to my network from the outside?

As @Gordon Davisson points out in a comment, the culprit could be IPv6, so I'm updating the question to explain how I configured it:

  • I went to my ISP page and enabled IPv6
  • my ISP somehow rebooted my modem and enabled IPv6 on it (there's also a new configuration section in the modem dashboard, which I left unaltered)
  • I logged in to my router and, in the IPv6 section, I selected the option to auto-configure IPv6. The router picked the PassThrough method (there were a lot of other configuration options it could have chosen from; I don't actually remember and can't check right now).
    This is suspect. Maybe PassThrough means bypassing the firewall, as Gordon seems to suggest in the comment?

  • Have you tried connecting to your network from outside? You only said that your friend did.
    Commented Nov 9, 2016 at 21:54
  • @KamilMaciorowski done, would you mind validating my edits? Thank you!
    – user662065
    Commented Nov 10, 2016 at 7:32
  • @MichaelHampton no, I haven't. I used an online IPv6 port scanner which shows results I don't fully understand, as I documented in the question. I don't actually have a way to test the network myself from the outside in a sane way (as in: being able to also operate on the router and modem).
    – user662065
    Commented Nov 10, 2016 at 8:03
  • The setup you've described (192.168 addresses, DMZ setting, etc.) all apply only to IPv4. Any IPv6 connectivity you have will be largely independent of that. The first thing to do is determine how you are getting IPv6 at all behind 2 routers. My guess would be that you're using teredo, in which case it's tunneling through the firewall. But without more info that's just a guess.
    Commented Nov 10, 2016 at 8:19
  • @GordonDavisson oh well, I didn't know about that! I've never heard of teredo (I'll read about it soon, thanks for the link). I've updated the answer to include an explanation of how I configured the IPv6 routing.
    – user662065
    Commented Nov 10, 2016 at 8:34

1 Answer


It's hard to tell without looking at the specifics of the modem and router configs, but it sounds like the modem is probably routing a normal (public) IPv6 subnet, and the "router" is actually acting like a bridge for IPv6 -- that is, it's not routing IPv6 at all, just passing the modem-provided subnet straight through. (This means my guess about teredo is wrong.)

The thing to understand about IPv6, no matter what the exact config is, is that it doesn't use NAT. NAT has been the "normal" option in IPv4 for so long that people tend to think of it as just part of how internet routing works: your ISP gives your router (/modem) a single public address, and your router provides a private subnet (196.168.something, 10.something, or maybe 172.16-31.something) which is hidden behind that single public address. Since your computers don't have public addresses, they're not addressable from the public Internet, unless you set up some sort of forwarding from the router's public address (via DMZ, port mapping, etc. settings in the router). This means that everything on the private network is behind what amounts to a basic firewall, automatically, unless you specifically punch holes in that firewall (with DMZ, port mapping, etc. settings).

IPv6 doesn't work that way at all. If you're using IPv6 to the Internet, that pretty much means you have at least one public (2xxx:something or maybe 3xxx:something) address and a private (fe80:something) address. Unlike IPv4, your public address(es) are reachable by default from anywhere on the IPv6 Internet.

In other words, IPv6 does not have the automatic firewall that you're used to with IPv4. With IPv4 you're firewalled unless you take steps to punch a hole in it; with IPv6 you're not firewalled unless you take steps to set one up.

Since your "router" is running IPv6 passthrough, it's probably not capable of acting as any sort of IPv6 firewall. The modem might have some sort of IPv6 firewall capability. Or it might not, or it might have some hopelessly weak options, or... Unfortunately, IPv6 is new enough that (at least IMO) we haven't really gotten our act together about security on it. At this point, I think my best recommendation would be to run some sort of software firewall on your computer.

(And for things that don't have software firewall capability, like your Internet-of-things devices, um, you may have a problem.)

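The IPv4-NAT versus IPv6-no-NAT distinction made in the answer above, as an added example (not the answerer's code): it classifies a host's addresses by whether an outside port scanner could reach them by default. The sample addresses and the `ipv6_firewall` flag are constructed assumptions for illustration.

```python
"""Which of a host's addresses are reachable from the Internet by default?

Added example (not from the original answer): it encodes the answer's point
that RFC 1918 IPv4 addresses sit behind NAT, while global IPv6 addresses are
reachable unless a firewall is deliberately configured somewhere on the path.
All sample addresses below are constructed for illustration.
"""
import ipaddress

# IPv4 ranges a home router NATs; anything here is hidden unless a DMZ or
# port-forward entry punches a hole.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def exposure(addr_str: str) -> str:
    """Classify one address: 'nat-hidden', 'global-v4', 'not-routable',
    'link-local', 'ula' or 'global-v6'."""
    addr = ipaddress.ip_address(addr_str)
    if addr.version == 4:
        if any(addr in net for net in RFC1918):
            return "nat-hidden"
        return "global-v4" if addr.is_global else "not-routable"
    # IPv6: fe80::/10 never leaves the link, fc00::/7 (ULA) is not routed on
    # the Internet; 2000::/3 (the 2xxx/3xxx addresses in the answer) is.
    if addr.is_link_local:
        return "link-local"
    if addr in ipaddress.ip_network("fc00::/7"):
        return "ula"
    return "global-v6" if addr.is_global else "not-routable"


def reachable_by_default(addresses, ipv6_firewall=False):
    """Return the addresses an outside scanner could reach. A global IPv6
    address counts as reachable unless a stateful IPv6 firewall exists on
    the path (modem, router or the host itself); IPv6 passthrough adds none."""
    reachable = []
    for a in addresses:
        kind = exposure(a)
        if kind == "global-v4" or (kind == "global-v6" and not ipv6_firewall):
            reachable.append(a)
    return reachable


if __name__ == "__main__":
    # Constructed address set resembling the question's setup: a LAN host in
    # the router's 192.168.2.0/24 that also got a global IPv6 address via
    # the router's IPv6 passthrough.
    host = ["192.168.2.10", "fe80::1", "2a01:4f8:1:2::3"]
    for a in host:
        print(f"{a:22} {exposure(a)}")
    print("reachable, no IPv6 firewall:", reachable_by_default(host))
    print("reachable, host firewall on:", reachable_by_default(host, True))
```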
  • You are right; I switched back to IPv4 and all fell into place. For some reason I thought that IPv6 packets were "automagically mapped" to IPv4 packets when they entered the modem realm (internet IPv6 <-> modem <-> IPv4 router).
    – user662065
    Commented Nov 11, 2016 at 16:48