dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
47
share rss forum feed


NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

1 recommendation

reply to Mike Wolf

Re: [IPv6] Comcast IPv6 Address Assignment/Delegation

said by Mike Wolf:

How do you know if a router supports DHCP6-PD ?

That is not necessarily easy to know before making a decision to purchase a particular router. The site that whfsdude See Profile pointed to will give you the specs for what is required to get the "IPv6 Ready" gold logo, but that site does not seem to have a current list of equipment that has passed the qualification tests (at least I could not find such a list).

Basically, you just have to trust that a vendor who displays that logo is entitled to use it. The D-Link DIR655 that I currently use had that logo on the retail box, and I looked for that logo in the product descriptions on several on-line retailers before purchasing it (and FWIW, that particular router is also on Comcast's recommended router list at »mydeviceinfo.comcast.net/?homegateway ).

Interestingly, the "IPv6 Ready" gold logo no longer appears on the web site order page of the retailer I used, or on several other sites I just checked, and the logo is not displayed on D-Link's own web pages for the DIR655 (in fact any mention of IPv6 is limited to indirect references in the firmware download page). I don't know what is going on with that; perhaps D-Link had been using that logo without authorization, and had to withdraw it? I do know that it seems to work just fine with Comcast's native dual stack (as illustrated below).






--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.

voiptalk

join:2010-04-10
Gainesville, VA

On that D-Link DIR-655, you may want to verify that the IPv6 firewall ("IPv6 Simple Security" enabled) is working properly in FW 2.10.

I tested that router with 2.08 Beta01 and it worked properly .. all ports were blocked on a port scan. I upgraded to 2.10 and it was no longer working. Downgraded to 2.08 Beta01 and it functioned again. So, it looks like firewall is broken.

To run an IPv6 port scan: »ipv6.chappell-family.com/ipv6tcptest/



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

said by voiptalk:

On that D-Link DIR-655, you may want to verify that the IPv6 firewall ("IPv6 Simple Security" enabled) is working properly in FW 2.10.

I tested that router with 2.08 Beta01 and it worked properly .. all ports were blocked on a port scan. I upgraded to 2.10 and it was no longer working. Downgraded to 2.08 Beta01 and it functioned again. So, it looks like firewall is broken.

To run an IPv6 port scan: »ipv6.chappell-family.com/ipv6tcptest/

I had noticed some problems with the 2.10 IPv6 firewall too (including that the manual firewall rules don't seem to work as expected). I tried loading the older 2.07 firmware to see if its IPv6 firewall worked properly, but that required a factory default reset, and manually reentering the router config (a PITA since the 2.07 firmware's "reboot later" function did not seem to work properly), so I aborted that and went back to firmware version 2.10 (I started out at firmware release 2.10 because I followed Comcast's advice and did the automatic firmware update from the factory delivered version 2.00 before I configured it the first time). I had already disabled the DIR655 IPv6 firewall (at least until the next firmware release), and my own PEN testing (from outside my LAN) showed that my local firewall rules seem to be blocking all IPv6 inbound traffic except for the services that I have explicitly allowed.

And thanks for that external scan site; I will be putting that in my bookmarks for future use. That test did in fact find an open service that I had overlooked for one PC, and I have now fixed that (it was a service that required authentication, and also logged access attempts, so it was not a big risk, but I had not intended to leave it open to anything other than LAN/VPN access).
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

said by NetFixer:

And thanks for that external scan site; I will be putting that in my bookmarks for future use.

Here's another, nmap based for IPv6, very flexible, you can specify the IP to be scanned.

»nmapv6.packetsize.net/


NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

said by graysonf:

said by NetFixer:

And thanks for that external scan site; I will be putting that in my bookmarks for future use.

Here's another, nmap based for IPv6, very flexible, you can specify the IP to be scanned.

»nmapv6.packetsize.net/

Thanks, I just tried it and (as expected) the only open services are the ones that I have explicitly left exposed.

That site likes to live dangerously by allowing outsiders to scan other sites from their server.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

Well, like I said, very flexible

I didn't actually try it with IPs that were not mine. I limited it to my router and the machines connected to it.



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

1 edit
reply to voiptalk

said by voiptalk:

On that D-Link DIR-655, you may want to verify that the IPv6 firewall ("IPv6 Simple Security" enabled) is working properly in FW 2.10.

I tested that router with 2.08 Beta01 and it worked properly .. all ports were blocked on a port scan. I upgraded to 2.10 and it was no longer working. Downgraded to 2.08 Beta01 and it functioned again. So, it looks like firewall is broken.

This is a followup to my previous reply. Your post prompted me to take another look at the firmware version 2.10 IPv6 firewall settings. I found that the problems I originally saw were caused by using both the "IPv6 Simple Security" settings and the manual IPv6 firewall settings at the same time (and I had originally not created a default outbound rule since that is typically a built-in default for most router based firewalls). With the setup below, the IPv6 firewall rules in my DIR655 with firmware version 2.10 work properly, and I can now control my IPv6 firewall rules in a central place (which was one of my reasons for purchasing the DIR655). My primary problem with the DIR655 is its brain dead requirement to reboot the router after even the most innocuous change in order to have the change activated (and that has always been a D-Link quirk).



--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.