« Back to all recent discussions

VMG8825-B50B IPv6 firewall not working

af7567af7567 Posts: 4  Junior Member
edited January 14 in Questions
Hi,
Our router has just been replaced with a VMG8825-B50B firmware V5.13(ABNY.2)C0 which seems to be the latest. We have a web server and mail server which need the ports 25 and 443 open. I have done this OK for the IPv4 address with NAT, but I can't open the ports on the firewall for IPv6.
Firstly when adding an ACL rule it doesn't understand ::/0 as an IPv6 address and if I leave it blank it adds /32 to the end as if it is an IPv4 (Any/32).
I tested only opening port 25 for a specific source address and this seemed to work, but then I noticed that it had opened ALL incoming ports to the server not only 25. When deleting the ACL rule, all the ports were still open.
I had to set the master firewall settings back to Low then Medium again to fix it.
Is this router meant to support IPv6 firewall? It seems to be very unpredictable and unfinished.


#SP_Jan_2020

Best Answer

  • af7567af7567 Posts: 4  Junior Member
    Accepted Answer
    I have just found that in my last test the results were wrong because I had restarted the router, and this caused the PCs to forget their default IPv6 gateway. After restarting the PCs and testing again with allowing the router to add /32 to the end of the addresses I can see that the incoming connection is working on port 25.
    I also added a port 80 protocol for http and allowed that to the server IPv6 address. This also worked for the server.
    Unfortunately it also works for every other PC on the network which is running IIS (which a lot seem to be doing now in windows 10).
    I know this is because of the /32 which was added. In IPv6 this means it is trying to allow incoming connections to anyone on my ISP, including my LAN.
    After adding /128 to the destination address it seems to be OK and not opening up the whole network, but I can't trust it. I also don't believe it is really allowing incoming connections from any IPv6 address but just some /32 subset.
    I will have to forget about using IPv6 with this router for now because it is unpredictable and this is not good when you have to prove that your customers data is protected :)

    Thanks for all your help with this problem though.

Answers

  • HummelHummel Posts: 168  Warrior Member
    @af7567,
    How did you configure it for IPv6 in your test? A screenshot would be better to understand your settings.
  • af7567af7567 Posts: 4  Junior Member
    I have created a test again for allowing port 25 in to the server IPv6 address to take screenshots. While doing it I also tested with IPv4 and found out that a source address of 0.0.0.0/0 is an invalid IPv4 address too? Anyway here are my IPv6 screenshots. I first created a protocol, then the ACL and left the source IP blank because ::/0 isn't accepted.
    As you can see on the firewall page this is the only ACL created.
    It automatically sets the source IP to Any/32 which is weird.
    This rule is not working. If I set the firewall level to low on the router then the incoming connection works fine (but also opens up the whole local network)

  • HummelHummel Posts: 168  Warrior Member
    edited January 15
    @af7567,
    I tried it with similar settings.
    I don't have a smtp server so I use FTP server instead.
    When I created the ACL rule, I only input the IPv6 address of the server in Dest IP field and it added /32 in the end automatically. I don't modify it to /128 as your rule.
    As you can see, the 21 port for FTP server is open when I used online scan tool to scan it. So it works correctly in my test.
  • af7567af7567 Posts: 4  Junior Member
    @Hummel Thanks for testing.
    I tried the same as you and didn't add /128 so my ACL list shows Src as Any/32 and Dest as the IPv6 address/32 but it's still not working. Do you have your firewall level set to medium, and also using firmware V5.13(ABNY.2)C0?
    If I set my firewall level to low then the incoming connection works ok.

  • HummelHummel Posts: 168  Warrior Member
    @af7567,
    Yes. I am using the default firewall settings and the level is set to medium.
Sign In or Register to comment.