ER605 doesn't block ping from WAN when using IPv6

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-01-27 12:47:51 - last edited 2024-02-02 02:39:39
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 20240119

Hi, it appears that both the router and the devices behind it can be pinged from outside when using IPv6. The firewall ACLs do not allow blocking ICMPv6 traffic. Is this a bug? How can I solve it? Thanks.

Re:ER605 doesn't block ping from WAN when using IPv6-Solution
2024-01-29 01:31:38 - last edited 2024-02-02 02:39:39

Hi @Daves_ 

Thanks for posting in our business forum.

If you are making such a comment, please add the pictures of your config. It would not waste another day to get a reply.

 

Daves_ wrote

Hi, it appears that both the router and the devices behind it can be pinged from outside when using IPv6. The firewall ACLs do not allow blocking ICMPv6 traffic. Is this a bug? How can I solve it? Thanks.

Do you have a screenshot of your ACL?

Have you verified that your ACL is correct?

 

Supposedly, in IPv6, this is expected.

Re:ER605 doesn't block ping from WAN when using IPv6
2024-01-29 18:21:56 - last edited 2024-01-29 18:29:46

  @Clive_A 

It appears that the behavior has changed: I can no longer ping internal devices from outside, but I can still ping the ER605, only on IPv6 though.

 

Here's my setup:

 

Server behind ER605: IPv4 (10.0.0.2) IPv6 (2a07:7e81:XXXX:XXXX:XXXX:XXXX:XXXX:8183)

ER605: IPv4(195.XX.XX.77) IPv6 (2a07:7e83:XXXX:XXXX:XXXX:XXXX:XXXX:a57d) LAN Facing IPv6 (2a07:7e81:XXXX:XXXX:XXXX:XXXX:XXXX:7ecc)

 

There are 5 VLANs, of which only 1 (called LAN, ID:5) has IPv6 access.

 

There are 3 IPv4 Port Forwardings toward the server for RDP, HTTP and HTTPS.

 

Here are my Firewall ACLs

Yellow rules are the ones that block inter-VLAN routing between the different VLANs. The red rule allows access to the ER605 Web UI only from the LAN network. The green rule blocks access to the Web UI from any network that isn't LAN, while the blue rules allow HTTP and HTTPS traffic to reach the server over IPv6.

The "IP_GROUP_LAN_ACTUAL" is an IPv4 Group that contains the subnet 10.0.0.0/24, while the "Server" group contains the Server's IPv6.

 

I should clarify that IPv4 ICMP blocking is working as intended.

 

Here are a few pings executed from OUTSIDE my network.

(Sorry for the Italian in the screenshots.)

 

Pinging my router's public IPv4 Address:

4 Packets Transmitted, 100% Lost, as intended.

 

Pinging Server's IPv6:

4 Packets Transmitted, 100% Lost, as intended.

 

Pinging Router's WAN IPv6:

4 Packets Transmitted, 4 Received, 0% Lost, I'd like this to be blocked ideally.

 

Pinging Router's LAN Facing IPv6:

4 Packets Transmitted, 100% Lost, as intended.

Re:ER605 doesn't block ping from WAN when using IPv6
2024-02-02 02:39:27

Hi @Daves_ 

Thanks for posting in our business forum.


If you don't wanna ping to IPv6 WAN, set up the ACL and block the access then.

Re:ER605 doesn't block ping from WAN when using IPv6
2024-02-02 22:06:00

  @Clive_A The problem, though, is that the router does not allow me to block ICMPv6. When ICMP_ALL is selected in an ACL, only IPv4 can be chosen.

 

Re:ER605 doesn't block ping from WAN when using IPv6
2024-04-30 10:45:17 - last edited 2024-04-30 10:46:06

You should not block all ICMP on IPv6. I am not sure if you are allowed to block PING only in the router but other ICMP features are useful to IPv6.

 

Check out shouldiblockicmp dot com.

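The distinction made in the last reply (drop ping, keep the rest of ICMPv6), as an added example that is not part of the thread and is not ER605 configuration: a Python sketch that parses an IPv6 packet and applies a per-type policy for ICMPv6 arriving on WAN. The policy itself, the function names and the 2001:db8:: addresses are assumptions made for illustration.

```python
import ipaddress
import struct

ECHO_REQUEST = 128           # what "ping" sends
ERRORS = {1, 2, 3, 4}        # unreachable, packet too big, time exceeded, parameter problem
NDP = {133, 134, 135, 136}   # router/neighbor solicitation and advertisement

def parse_icmpv6(packet: bytes):
    """Return (hop_limit, icmp_type, icmp_code), or None if this is not plain ICMPv6."""
    if len(packet) < 44 or packet[0] >> 4 != 6:
        return None
    if packet[6] != 58:      # next header; extension headers are not walked in this sketch
        return None
    return packet[7], packet[40], packet[41]

def wan_verdict(packet: bytes) -> str:
    """Assumed policy for packets arriving on WAN and addressed to the router itself."""
    parsed = parse_icmpv6(packet)
    if parsed is None:
        return "defer"       # leave the decision to the other rules
    hop_limit, icmp_type, _code = parsed
    if icmp_type == ECHO_REQUEST:
        return "drop"        # the only thing the original poster wants gone
    if icmp_type in ERRORS:
        return "accept"      # type 2 (Packet Too Big) carries path MTU discovery
    if icmp_type in NDP:
        # RFC 4861: neighbor discovery is only valid with hop limit 255 (on-link sender)
        return "accept" if hop_limit == 255 else "drop"
    return "defer"           # e.g. echo replies to outbound pings, handled statefully

def build(src: str, dst: str, icmp_type: int, hop_limit: int = 64) -> bytes:
    """Constructed sample packet; checksum left at zero because nothing here verifies it."""
    body = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 4
    header = struct.pack("!IHBB", 6 << 28, len(body), 58, hop_limit)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + body)

def demo() -> dict:
    wan, remote = "2001:db8:2::1", "2001:db8:1::1"   # documentation-prefix placeholders
    return {
        "echo-request": wan_verdict(build(remote, wan, 128)),
        "packet-too-big": wan_verdict(build(remote, wan, 2)),
        "neighbor-solicit on-link": wan_verdict(build("fe80::1", wan, 135, hop_limit=255)),
        "neighbor-solicit routed": wan_verdict(build(remote, wan, 135, hop_limit=64)),
        "echo-reply": wan_verdict(build(remote, wan, 129)),
    }
```

A blanket ICMPv6 drop would turn the "accept" rows into drops as well, which breaks path MTU discovery and neighbor discovery on the WAN link, not just ping.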