IPv6 with 6rd and DHCP option 212

My Edge Router X with OpenWrt 18.06.5 is connected to my VDSL2 modem in bridge mode.
My ISP uses DHCP for IPv4 and DHCP option 212 (6rd) for IPv6.

I installed the 6rd package, and after the ER-X rebooted the 6rd tunnel with interface wan_6 came up and worked without any manual configuration.
Does the 6rd package automatically get its configuration from DHCP option 212 by default?

Should I change something in my current network configuration?

# uci show network.lan
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.1.1'
# uci show network.wan
network.wan=interface
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='1.1.1.1 1.0.0.1'
network.wan.ifname='eth0.2'
# uci show network.wan6
network.wan6=interface
network.wan6.proto='none'
network.wan6.ifname='eth0.2'
network.wan6.auto='0'

Is the IPv6 traffic between WAN and LAN managed by the firewall? I don't have a wan_6 zone in the firewall configuration; there are only lan, wan and wan6. My worry is that IPv6 traffic may not be filtered by the firewall and that my LAN and router are exposed to the internet.

The 6rd tunnel comes up automatically at boot; how can I prevent the tunnel from auto-starting at boot if I need to temporarily disable it?
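Added worked example (not a post from this thread, and not the 6rd package's own code): what a DHCPv4 option 212 payload actually carries, decoded from a constructed hex dump, and how the delegated IPv6 prefix follows from it. The layout is the one RFC 5969 defines for OPTION_6RD (IPv4MaskLen, 6rdPrefixLen, a 16-byte 6rdPrefix, then one or more 4-byte border-relay IPv4 addresses): the delegated prefix is the 6rdPrefix with the low (32 - IPv4MaskLen) bits of the WAN IPv4 address appended. The payload bytes, the WAN address 192.0.2.33 and the relay 192.0.2.1 are constructed sample values, not anything captured from an ISP.

```shell
#!/bin/sh
# Added example: decode a DHCPv4 option 212 (OPTION_6RD, RFC 5969) payload given as a
# bare hex string and derive the delegated IPv6 prefix for a WAN IPv4 address.
# Payload layout: IPv4MaskLen(1) | 6rdPrefixLen(1) | 6rdPrefix(16) | 6rdBRIPv4Address(4)...
# Pure POSIX sh + awk; nothing here talks to the router or the network.

# Print the border-relay IPv4 addresses carried after the 6rdPrefix, one per line.
list_6rd_relays() {
    awk -v payload="$1" '
        function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
        function byte(h, i) { return hexval(substr(h, i, 1)) * 16 + hexval(substr(h, i + 1, 1)) }
        BEGIN {
            # relays start at hex offset 37 (1-based): 2 + 2 + 32 chars precede them
            for (i = 37; i + 7 <= length(payload); i += 8)
                printf "%d.%d.%d.%d\n", byte(payload, i), byte(payload, i + 2),
                                        byte(payload, i + 4), byte(payload, i + 6)
        }
    '
}

# Print the delegated prefix for WAN address $2 as "<8 hextets>/<len>" (leading zeros
# stripped per hextet, no :: compression so the output is easy to compare).
derive_6rd_prefix() {
    awk -v payload="$1" -v wan="$2" '
        function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
        # P[1..128] = bits of the 6rdPrefix, most significant first
        function hex_bits(h,    i, v, k) {
            for (i = 1; i <= length(h); i++) {
                v = hexval(substr(h, i, 1))
                for (k = 3; k >= 0; k--) P[(i - 1) * 4 + (4 - k)] = int(v / 2^k) % 2
            }
        }
        # V[1..32] = bits of the dotted-quad IPv4 address, most significant first
        function ipv4_bits(a,    o, i, v, k) {
            split(a, o, ".")
            for (i = 1; i <= 4; i++) {
                v = o[i] + 0
                for (k = 7; k >= 0; k--) V[(i - 1) * 8 + (8 - k)] = int(v / 2^k) % 2
            }
        }
        BEGIN {
            masklen   = hexval(substr(payload, 1, 1)) * 16 + hexval(substr(payload, 2, 1))
            prefixlen = hexval(substr(payload, 3, 1)) * 16 + hexval(substr(payload, 4, 1))
            hex_bits(substr(payload, 5, 32))          # the 16-byte 6rdPrefix
            ipv4_bits(wan)
            n = 32 - masklen                           # IPv4 bits embedded after the prefix
            for (k = 0; k < n; k++) P[prefixlen + 1 + k] = V[masklen + 1 + k]
            out = ""
            for (i = 0; i < 8; i++) {                  # re-encode 128 bits as hextets
                h = 0
                for (k = 1; k <= 16; k++) h = h * 2 + P[i * 16 + k]
                out = out (i ? ":" : "") sprintf("%x", h)
            }
            printf "%s/%d\n", out, prefixlen + n
        }
    '
}

# Constructed sample payloads (hex): IPv4MaskLen, 6rdPrefixLen, 6rdPrefix, one relay.
OPT212_MASK0='0020''20010db8000000000000000000000000''c0000201'   # 2001:db8::/32, masklen 0
OPT212_MASK8='0828''20010db8ab0000000000000000000000''c0000201'   # 2001:db8:ab00::/40, masklen 8

echo "relay(s):          $(list_6rd_relays "$OPT212_MASK0")"
echo "delegated, /32+32: $(derive_6rd_prefix "$OPT212_MASK0" 192.0.2.33)"
echo "delegated, /40+24: $(derive_6rd_prefix "$OPT212_MASK8" 192.0.2.33)"
```

The second sample shows the general case the first one hides: with IPv4MaskLen 8 the ISP embeds only the low 24 bits of the WAN address, so a /40 6rd prefix still yields a /64 for the customer.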

You can see that with ifstatus wan_6

Why change something that works?

Yes, with rules.

wan_6 is a logical interface; all the rules are applied to the actual interface, which is eth0.2 in your case.

You can try to disable the "Use built-in IPv6 management" option.

For my personal understanding, where can I see that the interfaces wan_6 and 6rd-wan_6 belong to the firewall zone wan/wan6 in the firewall configuration?
What is the logical interface wan_6, and why has it been created automatically instead of using wan6, which seems unused?

Thanks.

Run ip6tables-save -c or check it in the Status page in LuCI.

It is an automatically created interface for IPv6 connectivity. wan6 is redundant in your case, so you may remove it.

I did some IPv6 nmap tests with http://www.ipv6scanner.com/ while monitoring the IPv6 traffic on eth0.2 with tcpdump/Wireshark.
It seems that the preconfigured OpenWrt firewall drops the nmap connections to the router IP xx:xx:xx:xx::1 (the router doesn't reply; same behaviour for IPv6 and IPv4) but doesn't drop the nmap connections to the PC IP xx:xx:xx:xx::2 (the PC replies with [RST, ACK, NS, Reserved]).
Unfortunately I don't have a secondary IPv6 connection to do better tests against my primary connection.

I have read somewhere on this forum that by default the firewall in OpenWrt allows computers connected to the LAN zone to connect outbound, and does not allow inbound connections from WAN to LAN for either IPv4 or IPv6. I want this, but I'm not sure that is my router's behaviour.

What I'm trying to do is verify that my LAN is secure under IPv6: that my devices' IPv6 addresses in the LAN can't be connected to from the internet, that IPv6 ports open on my LAN devices are closed to the internet, and that devices on my LAN can't be IPv6-scanned from the internet.

Do you have any suggestion on how I can check this?

This is my current, pretty standard configuration:

# cat /etc/config/firewall 

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'
	option flow_offloading_hw '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
	option enabled '0'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

config include
	option path '/etc/firewall.user'
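Added example (not from this thread, and not OpenWrt's own tooling): a read-only audit of a firewall config in UCI syntax that answers two of the questions above without touching the live firewall: which rule sections have been switched off with `option enabled '0'`, and what input/forward policy each zone ends up with. It reads the config from stdin, so on the router it would be run as `list_disabled_rules < /etc/config/firewall`; the embedded sample is a constructed, shortened config in the same shape as the one posted, not a copy of it.

```shell
#!/bin/sh
# Added audit helper: read an OpenWrt firewall config (UCI syntax) from stdin and report
# (a) 'config rule' sections that carry option enabled '0' and (b) each zone's
# input/forward policy. It never calls uci or fw3, so it is safe to run anywhere.
# Live use:  list_disabled_rules < /etc/config/firewall

# Print the name of every rule section that is disabled with option enabled '0'.
list_disabled_rules() {
    awk -v q="'" '
        function flush(    n) {
            if (sec == "rule" && enabled == "0") {
                n = (name == "" ? "(unnamed rule)" : name)
                print n
            }
        }
        $1 == "config" { flush(); sec = $2; name = ""; enabled = "1" }
        $1 == "option" {
            val = $0
            sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]*/, "", val)   # keep only the value
            gsub(q, "", val)                                    # strip the quotes
            if ($2 == "name")    name = val
            if ($2 == "enabled") enabled = val
        }
        END { flush() }
    '
}

# Number of disabled rules as a bare integer.
count_disabled_rules() {
    list_disabled_rules | wc -l | tr -d ' '
}

# Print "<zone> input=<policy> forward=<policy>"; "(defaults)" means the zone inherits
# that policy from the 'config defaults' section.
zone_policies() {
    awk -v q="'" '
        function flush() {
            if (sec == "zone") printf "%s input=%s forward=%s\n", name, input, forward
        }
        $1 == "config" { flush(); sec = $2; name = ""; input = "(defaults)"; forward = "(defaults)" }
        $1 == "option" {
            val = $0
            sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]*/, "", val)
            gsub(q, "", val)
            if ($2 == "name")    name = val
            if ($2 == "input")   input = val
            if ($2 == "forward") forward = val
        }
        END { flush() }
    '
}

# Constructed sample config: same shape as a default OpenWrt firewall, shortened.
SAMPLE_FIREWALL=$(cat <<'EOF'
config defaults
	option input 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'DROP'
	option forward 'DROP'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option enabled '0'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option enabled '0'
EOF
)

echo "Disabled rules:"
printf '%s\n' "$SAMPLE_FIREWALL" | list_disabled_rules
echo "Zone policies:"
printf '%s\n' "$SAMPLE_FIREWALL" | zone_policies
```

A non-empty disabled-rules list is the thing to look at first when a default OpenWrt install behaves oddly, since the stock rules are all `enabled` unless someone turned them off.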

This means that you have opened the port. I have the default rules for wan->lan and everything is dropped in this ipv6scanner.

Leave the default configuration. By default it lets in only essential ingress traffic.
If you are so concerned about scans, use privacy extensions and avoid using sequential addresses like ::1, ::2 etc.

Not too pretty and definitely not standard.
You have disabled rules which you obviously don't know why are there, so I suggest you revert them to how they were or you'll be facing weird issues. For example, Allow-DHCP-Renew is necessary for receiving replies from the DHCP server to DHCP renew requests; otherwise the lease will time out, the IP will be cleared, and the full DHCP procedure will begin from scratch.

I did this by commenting out these network and firewall sections, correct?

#config interface 'wan6'
#	option proto 'none'
#	option ifname 'eth0.2'

config zone
	option name 'wan'
	list network 'wan'
#	list network 'wan6'
        .......

After some more tests I realized that the different behaviour of ipv6scanner between the router IP xx:xx:xx:xx::1 and the PC IP xx:xx:xx:xx::2 is that the packets to the router are dropped (the scanner reports FILTERED) and the packets to the PC are rejected (the scanner reports CLOSED).

So it seems that the firewall config option DROP in the wan section acts only on the traffic to the router IP and not on the traffic to the PC IP (which is maybe rejected rather than dropped as a consequence of some other rule, but the result is that ports like 22 show as CLOSED in ipv6scanner).

config zone
	option name 'wan'
	list network 'wan'
#       list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
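Added example (not from this thread): the reply above suggests `ip6tables-save -c`, and the FILTERED-versus-CLOSED observation is exactly what its counters can settle, because they show in which chain packets ended and whether the terminal verdict was DROP (silent, so a scanner sees FILTERED) or REJECT (an active error reply). This helper summarises the packet counters of every DROP/REJECT rule and of built-in chains whose default policy is DROP, per chain; on the router it would be fed with `ip6tables-save -c | drop_reject_hits`. The sample text is constructed: the chain names follow the fw3 `zone_<name>_*` pattern for readability but are illustrative, not a capture from any router.

```shell
#!/bin/sh
# Added example: summarise where IPv6 packets were DROPped or REJECTed from the
# text that `ip6tables-save -c` prints. Reads stdin; touches nothing.
# Live use:  ip6tables-save -c | drop_reject_hits

# Output one line per (chain, verdict): "<chain> <DROP|REJECT> <packets>", plus
# "<chain> policy <DROP|REJECT> <packets>" for built-in chains with such a default
# policy. Sorted by chain name so repeated runs (before/after a scan) diff cleanly.
drop_reject_hits() {
    awk '
        # Chain header with a DROP/REJECT policy: ":FORWARD DROP [pkts:bytes]"
        /^:[A-Za-z0-9_]+ (DROP|REJECT) \[/ {
            chain = substr($1, 2)
            split(substr($3, 2, length($3) - 2), c, ":")   # c[1] = packets
            hits[chain " policy " $2] += c[1]
            next
        }
        # Counted rule: "[pkts:bytes] -A <chain> <matches...> -j <target> ..."
        /^\[[0-9]+:[0-9]+\] -A / {
            split(substr($1, 2, length($1) - 2), c, ":")
            chain = $3
            target = ""
            for (i = 4; i < NF; i++) if ($i == "-j") target = $(i + 1)
            if (target == "DROP" || target == "REJECT") hits[chain " " target] += c[1]
        }
        END { for (k in hits) print k, hits[k] }
    ' | sort
}

# Constructed sample of `ip6tables-save -c` output (filter table only): 40 packets
# aimed at the router were dropped in the wan input path, 12 forwarded packets were
# rejected, and 7 more fell through to the FORWARD chain policy.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [7:560]
:OUTPUT ACCEPT [0:0]
:zone_wan_input - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_dest_REJECT - [0:0]
[40:3200] -A INPUT -i eth0.2 -j zone_wan_input
[40:3200] -A zone_wan_input -j zone_wan_dest_DROP
[40:3200] -A zone_wan_dest_DROP -j DROP
[12:960] -A FORWARD -i eth0.2 -j zone_wan_forward
[12:960] -A zone_wan_forward -j zone_wan_dest_REJECT
[12:960] -A zone_wan_dest_REJECT -j REJECT --reject-with icmp6-port-unreachable
COMMIT'

printf '%s\n' "$SAMPLE_SAVE" | drop_reject_hits
```

Run it once, perform the external scan, run it again: the chain whose counter moved tells you which zone and verdict handled the probes, which is more direct evidence than what the scanning site reports back.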

Thank you for the appreciated suggestion; I removed option enabled '0' from the rule sections.
Can I use DROP instead of the standard REJECT in the input and forward options of the firewall wan zone section and in the forward option of the defaults section?

If you plan to use LuCI, better remove them completely. If not, they should be fine commented out. If I remember well, LuCI removes the # every time it parses or applies changes.

Sure you can.