This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
Hello. Is there a way to un-filter ICMP messages using IPV6 on the R7800 router?
I’ve tried BOTH stock firmware and Voxels firmware to no avail. My previous Asus routers did this automatically but I can’t seem to get it to work or manually adjust the settings to get it to work in the R7800.
I’m getting the following message when running an IPV6 test:
[quote] 1. Reconfigure your firewall Your router or firewall is filtering ICMPv6 messages sent to your computer. An IPv6 host that cannot receive ICMP messages may encounter problems like some web pages loading partially or not at all.[/quote]
Any help or guidance is greatly appreciated. Thanks in advance.
A Netgear engineer replied to my inquiry about this issue with the following: ———————————————— As per our router specification "An implementation MUST NOT send out the ICMPv6 echo reply on the router’s WAN interface if the “Respond to Ping on Internet Port” option is not enabled” for security reasons. So that means in order to allow this user must enable respond to ping on internet port. R7800 should have an option for IPv6 ping on the debug page. If you go to debug page you should see an option called “Allow external IPv6 hosts ping internal IPv6 hosts” and user need to enable this if he wants external IPv6 address to ping internal ones."
To access the debug page, just type this address on your browser 192.168.1.1/debug.htm or routerlogin.net/debug.htm and login using the router's credentials. Scroll down to the bottom and look for Allow external IPv6 hosts ping internal IPv6 hosts and enable it. ——————————————- Should I try this or is this a security concern? Not sure what to make of this. Thanks
Nope. There is no luck getting Netgear to change this. It's been hashed for years. Netgear considers responding to ICMPv6 echo requests as a security threat and will not change. There firewall is closed source so Voxel can't fix it either. At this point if you want properly running IPv6 use a Asus router or router from another source. I know sad but true....
Thanks for your prompt reply. Too bad that Netgear won’t implement a fix. I’ve tried Asus routers and while their firmware is top notch (especially Merlins) - their hardware and wireless performance is not on-par with others. Pick your poison I guess.
In regards to firmware for the R7800 - is the general consensus to stick with stock Netgear firmware or use Voxels firmware?
I would stay with Voxel's. He just released a new version today for the 7800. 1.0.2.70SF. He keeps all the behind the scenes packages updated were Netgear continues to use old and outdated packages even with new firmware releaes. I can say with certainty that my R7800 will be my last purchase from Netgear there firmware is just to old, crusty, unstable and outdated to be relevent in late 2019.
On my R7800 with .63 firmware, NETGEAR has only opened ICMPv6 ping requests so when you go testing your IPv6, it fools the test sites that you have fully open ICMPv6. This is not the case as I can see with "ip6tables -vL" when I log in with telnet that only ICMPv6 ping is passed through. The rest, mandatory ICMPv6 settings are filtered out.
So in short, at least on the R7800, you're fooled in beleiving that they finally stopped filtering ICMPv6. I've created a thread(1) at the Ideas forum but it seems NG will not change its mind about ICMPv6
NETGEAR is the only commercial router manufacturer that does this sh*t. All others correctly pass all of the required ICMPv6
Also, keep in mind that Windows 10 by default filters out ICMPv6 too. You have to open it in your Windows 10 firewall. I'm on Linux so have full controll on what I filter and what not. The same can be done on Windows
A Netgear engineer replied to my inquiry about this issue with the following: ———————————————— As per our router specification "An implementation MUST NOT send out the ICMPv6 echo reply on the router’s WAN interface if the “Respond to Ping on Internet Port” option is not enabled” for security reasons. So that means in order to allow this user must enable respond to ping on internet port. R7800 should have an option for IPv6 ping on the debug page. If you go to debug page you should see an option called “Allow external IPv6 hosts ping internal IPv6 hosts” and user need to enable this if he wants external IPv6 address to ping internal ones."
To access the debug page, just type this address on your browser 192.168.1.1/debug.htm or routerlogin.net/debug.htm and login using the router's credentials. Scroll down to the bottom and look for Allow external IPv6 hosts ping internal IPv6 hosts and enable it. ——————————————- Should I try this or is this a security concern? Not sure what to make of this. Thanks
it's not really a security issue as NG's firewall throttles ping replies after a certain amount. For IPv6, ICMPv6 is crucial for the correct working of IPv6. The following below must be passed
