Had enabled IPv6 and noticed that IPv6 LAN devices are accessible from the internet. AX3600 is not filtering and accepting all the IPv6 connections Internet to LAN, exposing all the IPv6 LAN devices to the Internet.
Traced and found the 'zone_wan_dest_REJECT' chain has a rule resulting in all forwards from WAN (before the reject rule). This rule is not in the vanilla OpenWRT and it exposes LAN to the Internet. It is added when IPv6 is enabled and the mode is not NAT (/etc/config/firewall include 'ipv6_masq' ->'/lib/firewall.sysapi.loader ipv6_masq' -> '/usr/sbin/sysapi.firewall ipv6_masq').
root@XiaoQiang:~# ip6tables -L zone_wan_dest_REJECT -n -v
Chain zone_wan_dest_REJECT (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all eth1 * ::/0 ::/0
0 0 reject all * eth1 ::/0 ::/0 /* !fw3 */
As a workaround to prevent LAN from being accessible, I had disabled the ipv6_masq and included firewall.user to delete the rule and restart odhcpd.
# Disable ipv6_masq (optional)
uci set firewall.ipv6_masq.enabled='0'
# include custom /etc/firewall.user rules
uci set firewall.firewall_user=include
uci set firewall.firewall_user.path='/etc/firewall.user'
uci commit
cat << "EOF" >> /etc/firewall.user
### Delete the ip6tables rule which forwards WAN -> LAN. It will expose LAN to the global (internet)
ip6tables -D zone_wan_dest_REJECT -i eth1 -j ACCEPT
# need to restart odhcpd for IPv6 to work
/etc/init.d/odhcpd restart
EOF
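A check for the rule described in the post above, as an added example that is not part of the original post or of the router firmware. The function name `find_wan_accept` and both sample listings are constructed for illustration; the parser assumes the column layout shown in the quoted `ip6tables -L ... -n -v` output.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `ip6tables -L <chain> -n -v`
# output on stdin and reports rules that ACCEPT all IPv6 traffic arriving
# on the WAN interface with no further match. Returns 1 if any is found.
find_wan_accept() {
    awk -v wan="$1" '
        { sub(/\/\*.*\*\//, "") }              # drop trailing rule comments
        /^Chain / || $1 == "pkts" || NF < 8 { next }
        {
            rule++
            i = ($5 == "--") ? 6 : 5           # opt column may be empty, as above
            if ($3 == "ACCEPT" && $4 == "all" && $i == wan &&
                $(i+2) == "::/0" && $(i+3) == "::/0" && NF == i+3) {
                printf "rule %d: ACCEPT all from %s to any\n", rule, wan
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: same layout as the listing quoted in the post.
sample_exposed() {
    cat <<'EOF'
Chain zone_wan_dest_REJECT (2 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all eth1 * ::/0 ::/0
    0     0 reject all * eth1 ::/0 ::/0 /* !fw3 */
EOF
}

# Constructed sample: the chain after the ACCEPT rule has been deleted.
sample_fixed() {
    cat <<'EOF'
Chain zone_wan_dest_REJECT (2 references)
 pkts bytes target prot opt in out source destination
    0     0 reject all * eth1 ::/0 ::/0 /* !fw3 */
EOF
}

for s in sample_exposed sample_fixed; do
    if "$s" | find_wan_accept eth1; then
        echo "$s: no unconditional WAN ACCEPT rule"
    else
        echo "$s: LAN is reachable from WAN over IPv6"
    fi
done
```

On the router, pipe the live listing into the function instead of a sample, with `eth1` as the WAN interface as in the post; running it again after a firewall reload shows whether the rule has been re-added.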
Anyway @otem @kokesan I opened a PayPal moneybox. Don't know if it's right. (If it's not, I will remove the link and refund any money ASAP.)
If someone wants to donate so I can help for the support of this router.
Me and @slh are still searching for a good and quick option to buy the router... If anyone can help us (Italy seems to be problematic for shipping)
7 day delivery to Italy from Spain for € 96,07 + € 6,58 shipping: https://www.aliexpress.com/item/4000955508260.html
There's only 2 left!
It might be € 87,33 + € 6,58 shipping on the 11th November, but there probably won't be any left by then.
But still you have to install 1.0.17 first, get SSH access, after that update manually to this one.
Upd: new link. now it should not ask permission.
Upd2: forgot about the disclaimer. At your own risk and bla-bla-bla....
Upd3: The default root password is password.
In case anyone needs Mi stock functionality: https://www112.zippyshare.com/v/9Z0MFiYm/file.html
The same as miwifi_r3600_all_6510e_3.0.22_INT+SSH.zip above, geekman xqrepack scripts used here as well, but with this "cleaning" part commented out in the patching script:
# dont start crap services
for SVC in stat_points statisticsservice \
datacenter \
smartcontroller \
plugincenter plugin_start_script.sh cp_preinstall_plugins.sh; do
rm -f $FSDIR/etc/rc.d/[SK]*$SVC
done
# prevent stats phone home & auto-update
for f in StatPoints mtd_crash_log logupload.lua otapredownload wanip_check.sh; do > $FSDIR/usr/sbin/$f; done
rm -f $FSDIR/etc/hotplug.d/iface/*wanip_check
sed -i '/start_service(/a return 0' $FSDIR/etc/init.d/messagingagent.sh
# cron jobs are mostly non-OpenWRT stuff
for f in $FSDIR/etc/crontabs/*; do
sed -i 's/^/#/' $f
done
# as a last-ditch effort, change the *.miwifi.com hostnames to localhost
sed -i 's@\w\+.miwifi.com@localhost@g' $FSDIR/etc/config/miwifi
P.S. I myself can't test it since my router is still in the process of shipping.
P.P.S. Use at your own risk as usual
On another note, I have an international version, is there any way to get SSH? I've been reading all AX3600 topics from the beginning and I believe you have nothing, right?
The original INT firmware was okay, at least I did not feel that the tx was weak. China firmware is also good. But the 3.0.22 INT firmware definitely had some problems with the max 16 dBm, which caused problems with my phone. Tried to work around with different regdomain country and nvram country, no success. Flashed back the latest Chinese one, this one works the best for me.
I did not wipe the device config or reset the device between flashes.