[OpenWrt-Devel] OpenWRT IPv6 firewall

Gui Iribarren gui at altermundi.net
Wed Jul 16 16:41:07 EDT 2014

On 16/07/14 16:21, Bill Moffitt wrote:
> I'd like to chime in to this thread as someone who has spent a fair bit
> of time supporting end users (primarily home and small office users)
> setting up and using "consumer grade" routers.
> All these routers today, of course, necessarily come NATted, meaning no
> ports are open to the Internet. Users are accustomed to being able to
> connect their computers to the router's network and be shielded from
> unwanted intrusions from outside by the NAT "firewall." I believe the
> default behavior of an IPv6 "consumer-grade" router should be the same:
> all ports blocked.

Does TP-Link routers qualify as "consumer-grade"?

I've just went back to stock firmware on a tl-wdr3500 to confirm, and
the result is attached in the screenshot.

tl;dr: TP-Link ships SOHO devices with a default-open ipv6 firewall.

"nogal" (top xterm) is on 2a00:1508:1:f002::/64, a network set up with
RA SLAAC. That network is connected to the WAN port of the stock
tl-wdr3500, which correctly gets the RA and autoconfigures
2a00:1508:1:f002:a2f3:c1ff:fe46:2837/64 on its WAN port.

then, i connected my laptop to a LAN port and set up the 2001:db8::/64
test network that can be seen in the webgui.

added a static route on nogal ("the Internet")
# ip -6 r add 2001:db8::/64 via fe80::a2f3:c1ff:fe46:2837 dev br-lan

and an static ip on guipc ("my personal device")
# sudo ip a add dev eth0 2001:db8::1/64

no port filtering on incoming ipv6 traffic WAN->LAN is done by TP-Link
stock firmware.

i can open inbound connections with nc on ports both <1024 and >1024
from outside to my laptop.

stock firmware is demoed at:

> I expect that, over time, users will become accustomed to the
> "end-to-end" nature of the v6 Internet and may demand that the firewall
> be "open" by default, and I would certainly propose that we have a
> simple checkbox in LUCI that allows the firewall to be changed from "all
> closed except explicitly open ports" to "all open" in one action. At
> some point we would probably change the default behavior from "all
> closed" to "all open."

What about... at *this* point? :) (i.e. before BB rc2 freeze)

> However, for the moment, I would argue that the "rightness" of following
> expected behavior is greater than the "rightness" of delivering the true
> "end-to-end" nature of v6.

At least Swisscom (according to Baptiste) and TP-Link seem to have
solved the dilemma by defining "expected behaviour" = the true
end-to-end nature of v6 :P hurray!


> -Bill Moffitt
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: TLWDR3500_IPv6_test_2014-07-16.png
Type: image/png
Size: 187815 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20140716/b06af274/attachment.png>
-------------- next part --------------
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list