I have two routers: one is provided by my ISP and has an integrated modem (from now on: "modem"); the other one is a Netgear R7000 (from now on: "router") that I bought.
I wanted to cascade the router behind the modem, so I connected the Internet port of the router to the modem and configured it as follows:
- Internet static IP: 192.168.1.1
- Gateway: 192.168.1.254 (this is the modem IP).
- Lan IP: 192.168.2.1
Then I proceeded to configure the modem as follows:
- I configured a DMZ pointing to 192.168.1.1 (router internet IP)
- disabled all DHCP
Everything works as expected (as in: I can browse the internet) but, as I was testing my network using an online IPv6 port scanner, a few things surprised me:
- If I don't disable the firewall on the modem, the scanner reports that everything is STLTH (No response was received from your machine in the allocated time period. This is the ideal response since no-one can ascertain your machines' presence at this IPv6 address/port combination.), which is OK [EDIT: this is actually NOT OK since the DMZ, as configured above, should bypass the modem firewall, right?]
- If I disable the firewall on the modem, I would have expected the very same results, since I thought all the traffic would be filtered by my router (which has NAT filtering turned on), BUT that was not the case! The scanner reports RFSD (A refused indication (TCP RST/ACK or ICMPv6 type 1 code 4) was received when attempting to open this port. Someone can ascertain that your machine is responding on this IPv6 address/port combination, but cannot establish a TCP connection.) except for port 22, which is actually open on my machine, where the scanner says OPEN. This is NOT OK.
- Even though the scanner reports that my port 22 is open, I cannot get anyone to connect to it from outside the network. A friend of mine tried to connect to it with `ssh -6 myipv6` and he received a host unreachable error, BUT when I asked him to try `nmap -6 -p22 -Pn --traceroute myipv6` he actually managed to reach my machine, and nmap said port 22 was "filtered".
To recap, my questions are:
- Why is the firewall on the router not working?
- Why can't I connect to my network from the outside?
As @Gordon Davisson points out in a comment, the culprit may be IPv6, so I'm updating the question to explain how I configured it:
- I went to my ISP's page and enabled IPv6.
- My ISP somehow rebooted my modem and enabled IPv6 on it (there's also a new configuration section in the modem dashboard, which I left unaltered).
- I logged in to my router and, in the IPv6 section, I selected the option to auto-configure IPv6. The router picked the PassThrough method (there were a lot of other configuration options it could have chosen from; I don't actually remember them and can't check right now).
This is suspect. Maybe PassThrough means bypassing the firewall, as Gordon seems to suggest in the comment?