Not using IPv6 in my network (useless RS/A compatibility)

Hello all!

I'm just curious about router advertisements (RAs). Since I'm not using IPv6 because my ISP never gives me an IPv6 address other than a /64, I just want to minimize the attack vector, just for fun and learning purposes.

Let's assume: a device sends RS messages, the router answers with an RA message. Since I'm not using IPv6 after the ISP router at all, I want to disable IPv6 functionality completely.

So I did:

  • switched off IPv6 on br-lan
  • switched off everything regarding IPv6 in lan

My questions now are:

  • Since I have disabled IPv6 on br-lan completely, the RA messages will never be sent, right?
  • Since I deactivated it in the lan settings, the same, right?
  • What about the ICMPv6 firewall rules: does it make sense to deactivate them, too?
  • As long as I've deactivated IPv6 on br-lan, the risk of fake RA messages is nil, and even if I allowed ICMPv6 messages, the router/devices would never act upon them, correct?
  • And finally: can I send fake RAs myself in my network to fake an IPv6 gateway, to test whether the packets get dropped?

And: for this IPv6 vulnerability the attacker needs to have access to the network already, right?

Thanks in advance!

What attack vector and/or vulnerability are you referring to?

When I'm not using IPv6 in my entire network, dual-stack hosts wait for RA messages to organize IPv6 addressing, right? That could be used to send fake RA messages, which makes the hosts configure IPv6 with a fake gateway, which leads to MITM attack vectors. Did I understand that correctly?

Do you think that's a credible or likely attack vector for your network? If you are really concerned about it and have no intention of using IPv6, then you would be better off disabling it (where possible) on the clients.

Stopping the router from sending RAs isn't going to stop a rogue device within the LAN from doing the same. I also don't think the firewall would get involved unless the RAs were passing between distinct networks.

The router is not involved when two devices are configuring IPv6? How can my router play a part in detecting such fake RA messages then?

Let's assume that a rogue device is in the wlan and crosses to the lan interface of the router, or even another VLAN.

Why would it be?

It probably can't.

Is that a valid assumption for your network and a likely attack? What would going down that rabbit hole achieve in a real sense for your network security?

I'm not the attack target, the possibility is (open ports, fake RAs, and so on). Yes, and maybe my creepy uncle wants to know everything I do on the web. Let's assume he has access to my wifi network.

I'd prevent MITM attacks this way, right? That's enough for me and a good reason to consider countermeasures.

Then block his access to the network. It's a far simpler option.

I think you didn't read the opening post. I want to learn how it works, not whether such an attack is likely or not. Assume that it is likely. But never mind, the question is already answered. The router is not involved with the attack vector of rogue devices. Fair enough. :slight_smile:

Ok, I'm still interested in what others think. And if the router is involved because the communication between two devices is crossing router networks, my option would be ... what? Switching off IPv6 entirely but also changing the fw4 rules? (Sorry for repeating my questions from the first post!)

Whatever is on your (flat) network is on your network - ethernet (and with that wireless, to a large extent) is a peer-to-peer network; your router isn't involved in any of that (beyond providing internet access and convenience features like DHCP and DNS). If you want to block or filter anything, you need to keep the unwanted actors off your network (at the very least off to a restricted guest network) -- and/or run a zero-trust network (but the latter implies doing all the filtering on each and every client, again).
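To make the "filtering on each client" point concrete, here is an added example (not code from the thread or from OpenWrt) of the host-side check a client would need: it parses a raw IPv6/ICMPv6 frame, recognizes a Router Advertisement, and flags any RA that announces a default router from an address outside an allowlist. The sample packet is constructed inline with its checksum left as zero, since only the headers are inspected.

```python
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134


def parse_router_advertisement(packet: bytes):
    """Return a dict describing an RA, or None if the packet is not an RA."""
    if len(packet) < 40 + 16:          # fixed IPv6 header + minimal RA body
        return None
    version = packet[0] >> 4
    next_header = packet[6]
    if version != 6 or next_header != ICMPV6_NEXT_HEADER:
        return None
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    icmp = packet[40:]
    if icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    # RA body after type/code/checksum: cur hop limit (1), flags (1),
    # router lifetime (2); reachable time and retrans timer follow.
    cur_hop_limit, flags, router_lifetime = struct.unpack("!BBH", icmp[4:8])
    return {
        "src": src,
        "dst": dst,
        "hop_limit": cur_hop_limit,
        "router_lifetime": router_lifetime,
        "managed": bool(flags & 0x80),   # M flag: use DHCPv6 for addresses
        "other": bool(flags & 0x40),     # O flag: use DHCPv6 for other info
    }


def is_rogue_ra(packet: bytes, allowed_routers=frozenset()) -> bool:
    """On a LAN that should carry no IPv6, any RA offering itself as a default
    router (lifetime > 0) from an address not on the allowlist is suspicious."""
    ra = parse_router_advertisement(packet)
    if ra is None or ra["router_lifetime"] == 0:
        return False   # lifetime 0 means "I am not a default router"
    return str(ra["src"]) not in allowed_routers


def build_sample_ra(src: str = "fe80::1", lifetime: int = 1800) -> bytes:
    """Constructed test packet: IPv6 header + RA body (checksum left as 0)."""
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0)
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6_NEXT_HEADER, 255)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return hdr + icmp
```

In practice the bytes would come from a raw socket or a pcap rather than `build_sample_ra`; the decision logic stays the same.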

Not easily with OpenWrt.
Cisco, Juniper, Aruba and the others provide various layer 2 and access port restrictions. With these, these kinds of attacks can be stopped.

Regarding your uncle:
Either kick him out of your network and home.
Or isolate him on a guest network.

And if you want to learn: then please do it open-minded and don't jump fast to bullshit conclusions, especially if you have no prior knowledge of the technology.

Sorry, but it gets really frustrating that the same questions are asked over and over every single day and new users seem to have completely forgotten how to use a search engine.

Oh, I can feel your frustration about that! That's a frustration maybe all forum members feel from time to time, huh?

To be fair: maybe then it could be a good idea to consider whether you answer at all. Because you don't really need to feel responsible for all the annoying noob questions out there and answer the same questions over and over again until exhausted. :slight_smile:

I'll do that! Thanks for the advice!

Thanks! This is the most helpful answer! <3

But also thanks to the other participants who presented the solution!

Don't worry. We grey beards here do good to great teamwork :wink:

So, what I take with me now is:

  1. Technically: I'll prevent ICMPv6 packets from crossing network boundaries by deactivating them via the firewall.
  2. Technically: I'll prevent the router from having IPv6 functionality on br-lan and lan (no SLAAC, no IPv6 advertisements). On the router side this is all that makes sense, since the devices configure IPv6 on their own.
  3. Various layer 2 access port restrictions could be done, but hardly with OpenWrt.
  4. The human factor: prevent creepy uncles from using your non-zero-trust networks. Or let him loose on the guest wifi with device isolation options.
  5. Ask ChatGPT to find out whether a question is really stupid before writing a forum post for half an hour. Saves time and is healthier on both sides.

Thanks again! :slight_smile:

Please don't. Most often it tells straight BS.

If you show some self-search upfront, nobody has an issue with answering the same question 100 times. Everybody starts somewhere and nobody learns the same way.

What might help is to lurk for a while here in the forum and follow other threads too ....

You won't be able to access the internet in case you don't use it unless you fall back to some legacy protocol such as IPv4. In that case you'd likely be using IP masquerading to deal with the limits of having just a single /32. If you consider a /64 too limiting, you could similarly use IP masquerading with a single address out of that /64.