
Forum Discussion

shark1987
Aspirant
Mar 17, 2021

IPv6 fully open

If I enable IPv6 on the Orbi RBR50 I notice that my IPv6 network is completely open to the internet! Beyond just pings I can access web servers internal to my network from an external LTE connection (via "https://[2601:XXXXXXXX]").


I have "IPv6 Filtering" set to "Secured", and I do NOT have the debug setting enabled for "Allow external IPv6 hosts ping internal IPv6 hosts".


Is this normal? Am I missing some setting? With this behavior I have no choice but to leave IPv6 disabled, no way I'm going to trust all of my devices' security to be open to the internet.


My ISP is Xfinity and my Orbi gets its IPv6 address over DHCP, though I don't think that part matters.


I have tried multiple of the recent FW versions (2.7, 2.6, and 2.5) and they all seem to have the same behavior.

6 Replies

  • CrimpOn
    Guru - Experienced User

    IPv6 is a "Brand New World" for me. So far, I have confirmed that my Orbi router responds to ICMP (ping) on the public IPv6 address.

    Attempt to ping my Windows PC failed, but appears to be because I had not opened the Windows Firewall for ICMPv6.

    Honestly, I am not certain how much IPv6 has in common with IPv4.  I believe the whole point was to eliminate NAT and allow every device to have a unique public address.  Perhaps security is the responsibility of the device in this new world?


    Glad to have a new adventure.  Please be patient as I come up to speed on IPv6.

    • CrimpOn
      Guru - Experienced User

      After opening Windows Firewall to ICMPv6, I was also able to ping my Windows 10 PC through LTE connection (a) to the IPv6 address, (b) to the Temporary IPv6 address, but (c) not to the (deprecated) Temporary IPv6 address.  Part of the IPv6 standard is creation of "temporary" IPv6 addresses which Windows stops using after one week.  (The SLAAC Protocol)


      It seems to me that IPv6 is a bit different than IPv4.  In IPv4, the NAT protocol keeps anyone on the internet from learning the actual LAN IP address of a device.  When a port is "forwarded" on the router, it is the port number that leads incoming packets directly to the device (server).  There can be only one target of port forwarding.  That's why doing things like access to multiple servers or IP cameras is such a chore.  Each one of them has to be connected to a different external port number.


      IPv6 makes it possible to learn the actual IPv6 address of a device but not until it makes a connection.  If someone wants to hack my web server on IPv4, they just send a connect request to my public IP, port 80.  No response? Try 8080.  No response, try 443?  Oh, heck, just try to connect to all 65,000 ports. No connection?  Move on to a different public IP address.


      With IPv6, there are some ungodly number of potential IP addresses. Does somebody try each one?


      But wait, when I make a server available on the internet, then I have to publish the IP address.  (Same as IPv4.) Once I publish it, people can connect to it and attempt to log in (or whatever).


      Internet security is damned complicated.  For me, the "jury is still out" on what sort of a vulnerability it is to allow Orbi to use IPv6.

      • shark1987
        Aspirant

        CrimpOn wrote:

        After opening Windows Firewall to ICMPv6, I was also able to ping my Windows 10 PC through LTE connection (a) to the IPv6 address, (b) to the Temporary IPv6 address, but (c) not to the (deprecated) Temporary IPv6 address.  Part of the IPv6 standard is creation of "temporary" IPv6 addresses which Windows stops using after one week.  (The SLAAC Protocol)


        It seems to me that IPv6 is a bit different than IPv4.  In IPv4, the NAT protocol keeps anyone on the internet from learning the actual LAN IP address of a device.  When a port is "forwarded" on the router, it is the port number that leads incoming packets directly to the device (server).  There can be only one target of port forwarding.  That's why doing things like access to multiple servers or IP cameras is such a chore.  Each one of them has to be connected to a different external port number.


        IPv6 makes it possible to learn the actual IPv6 address of a device but not until it makes a connection.  If someone wants to hack my web server on IPv4, they just send a connect request to my public IP, port 80.  No response? Try 8080.  No response, try 443?  Oh, heck, just try to connect to all 65,000 ports. No connection?  Move on to a different public IP address.


        With IPv6, there are some ungodly number of potential IP addresses. Does somebody try each one?


        But wait, when I make a server available on the internet, then I have to publish the IP address.  (Same as IPv4.) Once I publish it, people can connect to it and attempt to log in (or whatever).


        Internet security is damned complicated.  For me, the "jury is still out" on what sort of a vulnerability it is to allow Orbi to use IPv6.


        Thanks for checking on yours, so it sounds like you are seeing the same as me then, right?


        I think what you are describing sounds more like "security by obscurity" to me, which isn't really security, but I know what you mean. It's definitely less likely someone would brute-force find your IPv6 address. I think more likely would be they get your address from you visiting a website (malicious or not). Some sites do log IPs of visitors. If that was the case, and they "got" your IPv6 address somehow, I definitely wouldn't want them to be able to directly access my devices.


        I'm also pretty new to IPv6, so I'm not familiar with how other brands or enterprise devices do these kinds of IPv6 firewalls. From what I know about IPv6 though, I would think you'd be able to configure specific devices (or specific ports on devices) to be accessible from outside the firewall. And since Orbi doesn't have settings like that, I was expecting all connections from outside to be blocked for IPv6.
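As an added example written from a defender's point of view (it is not code from this thread or from NETGEAR), the script below parses constructed `ip -6 addr show` output from a Linux host and reports which of its IPv6 addresses are global unicast, which are RFC 4941 temporary (privacy) addresses, and which are deprecated: the global ones are exactly what a router that forwards unsolicited inbound IPv6, as shark1987 observed, would expose to the internet. The sample output and the 2001:db8 documentation prefix are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show` output (documentation prefix 2001:db8::/32);
# not captured from the Orbi or from any poster's machine.
SAMPLE_IP6_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:5678:1a2b:3c4d:5e6f:7a8b/64 scope global temporary dynamic
       valid_lft 604765sec preferred_lft 85765sec
    inet6 2001:db8:1234:5678:abcd:ef01:2345:6789/64 scope global temporary deprecated dynamic
       valid_lft 520000sec preferred_lft 0sec
    inet6 2001:db8:1234:5678:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
       valid_lft 604765sec preferred_lft 85765sec
    inet6 fd12:3456:789a:1::5/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
"""

ULA = ipaddress.ip_network("fc00::/7")            # unique local: not routed on the Internet
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # the only class a remote peer can reach

def classify(addr):
    """Scope class of one address; `ip` labels ULA 'scope global', so check the prefix."""
    if addr.is_link_local:
        return "link-local"
    if addr in ULA:
        return "ula"
    return "global" if addr in GLOBAL_UNICAST else "other"

def parse_ip6_addr(text):
    """One record per inet6 line: address, scope class and the SLAAC flags `ip` prints."""
    records = []
    for line in text.splitlines():
        m = re.match(r"\s*inet6 (\S+)/\d+ scope \w+(.*)", line)
        if not m:
            continue  # interface header and lifetime lines carry nothing we need here
        addr = ipaddress.ip_address(m.group(1))
        flags = set(m.group(2).split())
        records.append({"address": str(addr), "kind": classify(addr),
                        "temporary": "temporary" in flags,      # RFC 4941 privacy address
                        "deprecated": "deprecated" in flags})   # preferred_lft reached 0
    return records

def externally_reachable(records):
    """Addresses an unfiltered router would expose: every global unicast one, the deprecated
    temporary address included, since it stays valid for inbound traffic until valid_lft
    expires; deprecation only stops new outbound flows from using it."""
    return [r["address"] for r in records if r["kind"] == "global"]
```

A Windows host shows the same classes (Public, Temporary; Preferred, Deprecated) with `netsh interface ipv6 show addresses`.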