TP-Link Archer A6(US)_V2 IPv6 firewall doesn't work
TP-Link Archer A6(US)_V2 IPv6 firewall doesn't work
Before I mention about the IPv6 firewall issue.....I would like to give a feedback on Archer A6 Internet LED refuses to change from orange/red to green after enabling IPv6 and router IPv6 firewall doesn't work. Steps to reproduce, begin by logging into the router:
1) Advanced, Network, Internet, IPv4, Internet Connection type :PPPoE............Next, expand the 'Advanced' and enter custom Primary and Secondary DNS (in my case, I select cloudflare DNS 1.1.1.1 and 1.0.0.1), Save
2) Advanced, Network, IPTV/VLAN, Settings, check "Enable IPTV/VLAN", select Mode: Malaysia-Unifi (my ISP).
3) Advanced, Security, Settings, ensure SPI Firewall is enabled. Both 'Ignore Ping Packet From WAN Port' and 'Forbid Ping Packet From LAN Port' are checked.
4) Advanced, UPnP......disabled UPNP
5) Advanced, IPv6, enable IPv6, selecting PPPoE, checked 'Use the same session with IPv4 connection. Expand 'Advanced', Select SLAAC at 'Get IPv6 Address', enable 'Prefix Delegation', using custom IPv6 DNS 2606:4700:4700::1111 and 2606:4700:4700::1001. Finally Save.
6) Reboot the router.
Now then, problems. As I wrote before, the Internet LED refuse to change from orange/red to green after enabling IPv6 (I verified IPv6 Internet connectivity is successfully established). In addition, with IPv6 enabled, the 'Check for upgrade' section at System Tools, Firmware Upgrade will always return 'No Internet Connection'. Please fix these issue.
Note: I had upgraded the Archer A6 v2.0 firmware to 1.1.2 Build 20190403 rel.65811(5553) in which the changelog mentioning something about Improve the security of device that doesn't fix the IPv6 firewall at all......
Moving on to IPv6 firewall......
Instead of the A6 router IPv6 firewall filtering out the uninitiated inbound connection, my software firewall (Comodo firewall) is hit with port scans by random devices. I run a port scan test using https://ipv6.chappell-family.com/ipv6tcptest/ and my Comodo firewall is receiving and blocking all those port scan attempts. You can see the comodo log in picture below.
Comodo firewall is sure doing a good job here.
If I use my previous C1200, the Comodo Firewall will not even be hit by IPv6 port scans at all as the C1200 router will filter it off before reaching my devices.
Thing is looking bad for my android based phones with Archer A6:
If I use Archer C1200, the page will show all green STLTH on my android phones on IPv6 connection.
It get worse. I run another IPv6 port scans on Archer A6 Global IPv6 Address (the router IPv6 address) directly using http://www.ipv6scanner.com/cgi-bin/main.py and this is what I found out.
Seriously? Port 22 and 53 are open?
Compare the result above with Archer C1200 below;
This is clear Archer A6 IPv6 firewall doesn't not function properly. I sent an email to TP-Link support on 4 April 2019, but there is no further reply other than automated message with "TPLINK SUPPORT #182050". The latest firmware published on 2019-04-17 Archer A6(US)_V2_190403 1.1.2 Build 20190403 rel.65811(5553) doesn't fix the IPv6 firewall and the Internet LED status.
Any idea what should I do next?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Bumping the topic to highlight the security vulnerability on PPPoe WAN6 IPv6:
Note: Since Archer A6 is using same firmware base as Archer C6, expect the same vulnerability for C6.
As I wrote before, port 22 (SSH) and port 53 (DNS) of the router itself are shown as "open" on IPv6.
Everything is fine on IPv4.
Servers with port 22 open are prone to brute-force attacks, now that is a risk no one willing to take.
Complete router takeover is possible risk.
To begin with, this port 22 shouldn't be visible or made available at WAN side.
DNS port 53 --> To be honest, this is an open vector for botnet DNS amplification attack if bad actor is able to abuse it.
I don't want my ISP or some organization to file a legal complaint on me if my device is being used for DDOS or proxy.
@Kevin_Z , could you create a ticket for this A6/C6 security vulnerability? I believe my previously created tickets had been "cleared".
This time, the focus is getting/setting a proper IPv6 firewall rules for A6/C6 PPPoE WAN6 IPv6.
I believe a new firmware will be necessary.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
@JohnLai Hi, have you ever found a way to turn on the IPv6 SPI Firewall?
- Copy Link
- Report Inappropriate Content
Have A7 and hitting same thing.
SPI on, inbound IPv6 from the internet are not blocked. how do i enable blocking and only allow
whitelist inbound ipv6 to specific ports/addrs behind my router?
- Copy Link
- Report Inappropriate Content
Information
Helpful: 1
Views: 6266
Replies: 15