D-Link Forums
The Graveyard - Products No Longer Supported => Routers / COVR => DIR-825 => Topic started by: PacketTracer on April 17, 2012, 02:09:45 PM
-
After updating my DIR-825 to firmware version 2.05EUb09 (01/06/2012) it was nice to see the progress IPv6 has taken in this version. For example when selecting PPPoE you can now select to share IPv6 with IPv4 within a single PPPoE session or to create a separate PPPoE session for IPv6 instead. Sharing IPv6 with IPv4 within a common PPPoE session wasn't possible in former firmware version 2.04EUb02 and I'm happy that this will work now because my ISP (German Telekom) will provide native IPv6 this way. And I hope they'll do it at World IP Launch Day, so that I can get rid of my SixXS tunnel I'm using now as a surrogate for native IPv6 (which works fine too, but native IPv6 would be better of course).
Unfortunately I didn't discover any configuration switches concerning an IPv6 firewall! So the important question is: Is there any firewall implemented at all? And if so, does it conform to RFC6092 (http://datatracker.ietf.org/doc/rfc6092)?
And: If there is an IPv6 firewall implemented, how shall I open a port for an incoming connection if there is no configuration switch for doing that? Will this be made available in future firmware updates?
Thanks for replies in advance!
-
I'm also interested in knowing for sure if there is an IPv6 compatible firewall from D-Link for DIR-825 available or not. And if yes, how it can be put to work. And if not, are there any plans for that. Unfortunately I don't see it as so interesting getting my home network open to everybody - even though it would be only IPv6 space ;).
I'm also using version 2.05EU dated 07, Oct, 2011. Got it from local organisation (Finland).
-
I recommend calling your local DLink sales or support office and asking about this.
-
I guess, this means: No, there is no IPv6 firewall implemented at all! Hm... >:(
-
I recommend you call DLink to find out. It means that different regions have different options and the best way to find out for your region is to call DLink.
-
Hmmm, my IPV6 ports seemed to be stealthed. There are several servers out there for testing this.
Don't know about the EU firmware, I would assume the only difference would be the WiFi channels.
I guess it depends on what your definition of "firewall" is too. Stealthed ports and NAT do a pretty good job, I am not running a firewall on my Win 7 machine so if the router was wide open a port scanner should find it.
Here is a scanner.
http://laltromondo.dynalias.net/cgi-bin6/ipscan-js.cgi
Scan beginning at: Sat Apr 28 19:20:00 2012 , expected to take up to 12 seconds ...
ICMPv6 ECHO REQUEST returned : ECHO REPLY
Individual TCP port scan results:
Port 7 = STLTH Port 21 = STLTH Port 22 = STLTH Port 23 = STLTH
Port 25 = STLTH Port 37 = STLTH Port 53 = STLTH Port 79 = STLTH
Port 80 = STLTH Port 88 = STLTH Port 110 = STLTH Port 111 = STLTH
Port 113 = STLTH Port 119 = STLTH Port 123 = STLTH Port 135 = STLTH
Port 137 = STLTH Port 138 = STLTH Port 139 = STLTH Port 143 = STLTH
Port 311 = STLTH Port 389 = STLTH Port 427 = STLTH Port 443 = STLTH
Port 445 = STLTH Port 514 = STLTH Port 543 = STLTH Port 544 = STLTH
Port 548 = STLTH Port 631 = STLTH Port 749 = STLTH Port 873 = STLTH
Port 993 = STLTH Port 1025 = STLTH Port 1026 = STLTH Port 1029 = STLTH
Port 1030 = STLTH Port 1080 = STLTH Port 1720 = STLTH Port 1812 = STLTH
Port 3128 = STLTH Port 3306 = STLTH Port 3389 = STLTH Port 3689 = STLTH
Port 5000 = STLTH Port 5100 = STLTH Port 5900 = STLTH Port 8080 = STLTH
Port 9090 = STLTH
Scan is : COMPLETE.
After using several of the utilities that are out there for IPV6, I am showing the Dir-825 is fairly secure.
-
Hi Patrick533,
thank you for providing this information. Since there is no NAT with IPv6, protection by a firewall with stateful inspection is most important. And per default it should block (drop or at least reject) any incoming connection requests in terms of what the connection tracking system of the firewall interprets as a connection. In other words the recommended default behaviour as defined by RFC6092 should be in place.
And as can be seen from your results, except incoming ICMPv6 echo requests anything else (at least TCP) seems to be dropped. That's good news.
-
Ok, after rereading your initial request, I understand why you are asking.
But you say there is no NAT? My IPV6 address to the outside world is different from my internal address, is this not NAT? I did not post my address in the test I did, but my outside IPV6 address to the world is different than the Windows 7 x64 machine that ran the test. The DIR-825 is giving all of the machines that have an IPV6 stack behind the router a different address.
Looking a little closer I do have a IPV6 routing tab but port forwarding is only by IPV4 it seems.
I have been running this configuration for 7 months, in the States the only site that is 100% IPV6 is Facebook, I have even held video chats through Facebook to IPV4 with no problems.
This router in the States has been given gold awards for its IPV6 support and many of the routers still being sold here are still IPV4. The reason I purchased it was for its native IPV6 support.
The need here for IPV6 in the States is nonexistent, I have only set this up to learn more about the new technology. Now that I am thinking about it, the router is missing a few tabs for configuration, like port forwarding.
I did look at a business dual WAN router recently, but the IPV6 support was non existent so I am staying with the D-link for now. I just have to do a manual switchover if the 1st WAN dies.
-
Hi,
having IPv6 addresses from different ipv6 prefixes at the WAN- and LAN-interface of a router is a premise for a device working as an IPv6 router, isn't it? In no case this means, that the router is doing NAT! And this is the same as with IPv4, where you have a public IPv4 address at the WAN interface and private addresses inside your LAN. As private addresses are not unique, they are not routable within the internet and that's why your Router has to do NAT in case of IPv4. In contrast, with IPv6 you use public addresses within your LAN, hence your router can (and does so) directly route them to the internet.
While NAT is the standard operation of a CPE in IPv4 (where the use of private IPv4 addresses within the LAN is common), routing without NAT is the default behaviour in IPv6. NAT operation for IPv6 isn't even standardized and hopefully it never will be (okay there is a technique called NPTv6, as described by RFC6296, but this is a stateless 1:1 NAT without the need for managing NAT sessions and hence without the side effect of a pseudo protection as is the case with N:1 SNAT/NAPT/PAT/Masquerading in IPv4). While in IPv4 NAT is useful to reduce global IPv4 address consumption because of the scarcity of those addresses, in IPv6 we have enough addresses, and hence, NAT isn't needed any more (at least for saving addresses). That's why we have to migrate to IPv6.
In IPv6 there are different techniques, how the WAN interface of a CPE gets its IPv6 address, as described by RFC6204. It might come from the ISP by DHCPv6 or stateless autoconfiguration (SLAAC), but not within PPP negotiation as is the case with IPv4. In any case an ISP will additionally provide a global IPv6 address block of some size (e.g. /56 or even /48) by DHCPv6-PD (prefix delegation, RFC3633) for use within your LAN, and your CPE will form a /64 block from that and announce it in the LAN, so that your end nodes can form an IPv6 address of their own by doing SLAAC. Some boxes will form a different /64 prefix from the delegated address block for use on the WAN interface, if the ISP doesn't provide an IPv6 address by one of the above mentioned methods.
Back to the firewall question: Are you sure your DIR box has native IPv6 access? Or did you activate 6to4 only (in this case, the IPv6 addresses you use start with 2002:... and the next 32 bits consist of the hex translated octets of your public IPv4 address at the WAN interface of your router). But in either case your portscan results are meaningful, because they prove, there is an IPv6 firewall operating inside your box and it protects you.
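The addressing described in the post above, as an added example that is not part of the original thread: it derives the 6to4 prefix from a WAN IPv4 address, carves a LAN /64 out of a delegated block, and checks whether the address a remote test server saw is one of the host's own addresses (routed end to end) or something else (translated). All function names and all addresses are constructed for illustration, using documentation ranges.

```python
import ipaddress

def sixtofour_prefix(public_ipv4):
    """2002:V4ADDR::/48, i.e. 2002 followed by the 32 bits of the WAN IPv4 address."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def lan_prefix(delegated, index=0):
    """Pick the index-th /64 out of a delegated block such as a /56 or /48."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64 or index >= 1 << (64 - net.prefixlen):
        raise ValueError("delegated block cannot supply that /64")
    return ipaddress.IPv6Network((int(net.network_address) + (index << 64), 64))

def classify(addr):
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"
    if a.sixtofour is not None:
        return "6to4"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global-unicast"
    return "other"

def iid_kind(addr):
    """EUI-64 interface IDs carry ff:fe in the middle; anything else is treated
    here as random (for example a temporary/privacy address)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return "eui-64" if (iid >> 24) & 0xFFFF == 0xFFFE else "random"

def explain_path(host_addrs, seen_by_server, wan_ipv4=None):
    """Compare the source address a remote server saw with the host's own addresses."""
    seen = ipaddress.IPv6Address(seen_by_server)
    own = {ipaddress.IPv6Address(a.split("%")[0]) for a in host_addrs}
    result = {
        "translated": seen not in own,   # False: packets are routed, not NATed
        "kind": classify(seen),
        "iid": iid_kind(seen),
        "embedded_ipv4": str(seen.sixtofour) if seen.sixtofour else None,
    }
    if wan_ipv4 is not None:
        result["in_wan_6to4_prefix"] = seen in sixtofour_prefix(wan_ipv4)
    return result

# Constructed host configuration: link-local, SLAAC (EUI-64) and temporary address.
HOST_ADDRS = [
    "fe80::21b:21ff:fe3c:4d5e%11",
    "2002:c000:201:1:21b:21ff:fe3c:4d5e",
    "2002:c000:201:1:5c9e:7a11:93d2:4be0",
]

if __name__ == "__main__":
    print(sixtofour_prefix("192.0.2.1"))
    print(lan_prefix("2001:db8:1200::/56", 1))
    print(explain_path(HOST_ADDRS, HOST_ADDRS[2], wan_ipv4="192.0.2.1"))
```

When `translated` is false, a scan aimed at the address the server saw lands on the host itself, so the result reflects whatever filtering sits in front of that host and on it.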
-
Thank you for the contrast, I have been using IPV4 for so long I forgot that we had blocks for private networks, versus IPV6 which is all public addresses. I did read most of the IPV6 info in the early days, but that has been almost 5 years. I was out of work for 2 years, that is when I did most of my studying. I found a great job that keeps me busy, 3 years ago, so now I have become an appliance user again instead of an innovator, if I don't get back up to speed this IPV6 is going to bite me. I did not realize I have had this router for so long either.
My provider has given us 6RD(tunneling) for now, they say they are working on native deployment, but that could take a while. I get my client addresses by DHCPv6 issued by the DIR-825. It is giving my clients addresses close to where you stated (2602:0100).
I do not like the "echo reply", stealth is stealth. It may be part of the 6RD function, but I do know with IPV4 you get no response from this router. I hate being a Guinea pig. We in the states get scanned by foreign countries 100+ times a day, I would prefer people not even know I am here. I had purchased a Cisco router before this one, it was wide open on IPV4, but they said they would fix it, Cisco discontinued the line and left all that junk out there, I returned the Cisco to the merchant and purchased the Dir-825, I was later banned by Cisco on their forums for relentlessly asking about the IPV4 problem they never fixed.
You must work in the IT field, asking questions at work from our IT people, they have no clue about IPV6, I work for a very large company I am sure you have heard of but would rather leave their name out, we do have one of the larger networks in the states, but I guess that does not mean our techs have recent education, even though our CEO has mandated IPV6 deployment. Much like the 802.11 N early days, there is so much that needs to be done to get this hammered out and until it becomes more mainstream and "standardized", people like me that have enough knowledge to make us dangerous but not 100% up to speed will exist.
As I had stated earlier, I went to buy a Cisco dual WAN router a few weeks back, but the router still was waiting for IPV6 firmware, as I always tell people, if it does not work out of the box, don't plan on firmware to save the day. If I had a Euro for every time I had been told "firmware will fix that later", we would both be sitting in Amsterdam discussing this with all the beer we could drink, on me!
Unless you know something about the 6RD I do not, I will submit the echo response as a bug to D-Link, if they respond to it this early in the game remains to be seen.
Another slight problem I have run into, I use a DNS filter (Opendns) to keep the kiddies out of trouble, it seems that if a 6 and 4 stack exist in the Windows OS, it will pull from the 6 DNS first, even if you are resolving a 4 address, completely bypassing my DNS filter. I seem to remember having read Windows will go to IPV6 first if the stack is installed, but I did not think it would resolve IPV4 addresses this early on. This has led to me removing the 6 stack from all of the computers the kids use.
Any info to help with the IPV6 echo is greatly appreciated, even if it does not get fixed in this hardware revision, they need to know it is a problem. Unless people like you and I bring this up early on, it will take forever to get fixed when 6 goes mainstream.
Cheers!
Pat
-
I was wrong! :-[
I have discovered that Win 7 has 3 IPV6 addresses. The test posted was using my TEMPORARY IPV6 address directly to my machine, that is the firewall that was scanned. It appears that the DIR-825 has NO SPI for IPV6.
Here are the tests with my Win 7 firewall on and off. Too bad, I really liked this router! I can see this really being a problem, with no NAT and no SPI and my trust of windows being ZERO.
WINDOWS firewall OFF:
Scan beginning at: Sun Apr 29 17:20:44 2012 , expected to take up to 11 seconds ...
ICMPv6 ECHO REQUEST returned : ECHO REPLY
Individual TCP port scan results:
Port 7 = RFSD Port 21 = RFSD Port 22 = RFSD Port 23 = RFSD
Port 25 = RFSD Port 37 = RFSD Port 53 = RFSD Port 79 = RFSD
Port 80 = RFSD Port 88 = RFSD Port 110 = RFSD Port 111 = RFSD
Port 113 = RFSD Port 119 = RFSD Port 123 = RFSD Port 135 = OPEN
Port 137 = RFSD Port 138 = RFSD Port 139 = RFSD Port 143 = RFSD
Port 311 = RFSD Port 389 = RFSD Port 427 = RFSD Port 443 = RFSD
Port 445 = OPEN Port 514 = RFSD Port 543 = RFSD Port 544 = RFSD
Port 548 = RFSD Port 631 = RFSD Port 749 = RFSD Port 873 = RFSD
Port 993 = RFSD Port 1025 = RFSD Port 1026 = RFSD Port 1029 = RFSD
Port 1030 = RFSD Port 1080 = RFSD Port 1720 = RFSD Port 1812 = RFSD
Port 2869 = OPEN Port 3128 = RFSD Port 3306 = RFSD Port 3389 = RFSD
Port 3689 = RFSD Port 5000 = RFSD Port 5100 = RFSD Port 5357 = OPEN
Port 5900 = RFSD Port 8080 = RFSD Port 9090 = RFSD Port 10243 = OPEN
WINDOWS firewall ON:
Scan beginning at: Sun Apr 29 17:22:32 2012 , expected to take up to 11 seconds ...
ICMPv6 ECHO REQUEST returned : ECHO REPLY
Individual TCP port scan results:
Port 7 = STLTH Port 21 = STLTH Port 22 = STLTH Port 23 = STLTH
Port 25 = STLTH Port 37 = STLTH Port 53 = STLTH Port 79 = STLTH
Port 80 = STLTH Port 88 = STLTH Port 110 = STLTH Port 111 = STLTH
Port 113 = STLTH Port 119 = STLTH Port 123 = STLTH Port 135 = STLTH
Port 137 = STLTH Port 138 = STLTH Port 139 = STLTH Port 143 = STLTH
Port 311 = STLTH Port 389 = STLTH Port 427 = STLTH Port 443 = STLTH
Port 445 = STLTH Port 514 = STLTH Port 543 = STLTH Port 544 = STLTH
Port 548 = STLTH Port 631 = STLTH Port 749 = STLTH Port 873 = STLTH
Port 993 = STLTH Port 1025 = STLTH Port 1026 = STLTH Port 1029 = STLTH
Port 1030 = STLTH Port 1080 = STLTH Port 1720 = STLTH Port 1812 = STLTH
Port 2869 = STLTH Port 3128 = STLTH Port 3306 = STLTH Port 3389 = STLTH
Port 3689 = STLTH Port 5000 = STLTH Port 5100 = STLTH Port 5357 = STLTH
Port 5900 = STLTH Port 8080 = STLTH Port 9090 = STLTH Port 10243 = STLTH
That is just sad! Are there any routers out there with IPV6 SPI? or do I just invest in a good firewall?
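The comparison made in the post above, as an added example that is not part of the original thread: it parses two results in the scanner's output format, one taken with the host firewall off and one with it on, and attributes the filtering to the host or to something upstream. It assumes OPEN means the connection was accepted, RFSD means it was refused by the target's TCP stack, and STLTH means no answer came back; the sample results are constructed and abridged, and the function names are hypothetical.

```python
import re

# Constructed sample results in the scanner's output format (abridged port list).
SCAN_HOST_FW_OFF = """\
ICMPv6 ECHO REQUEST returned : ECHO REPLY
Individual TCP port scan results:
Port 21 = RFSD Port 22 = RFSD Port 80 = RFSD Port 135 = OPEN
Port 443 = RFSD Port 445 = OPEN Port 2869 = OPEN Port 3389 = RFSD
"""
SCAN_HOST_FW_ON = """\
ICMPv6 ECHO REQUEST returned : ECHO REPLY
Individual TCP port scan results:
Port 21 = STLTH Port 22 = STLTH Port 80 = STLTH Port 135 = STLTH
Port 443 = STLTH Port 445 = STLTH Port 2869 = STLTH Port 3389 = STLTH
"""

PORT_RE = re.compile(r"Port\s+(\d+)\s*=\s*([A-Z]+)")
ECHO_RE = re.compile(r"ICMPv6 ECHO REQUEST returned\s*:\s*(.+)")
ANSWERED = {"OPEN", "RFSD"}  # assumption: both mean the probe reached a TCP stack

def parse_scan(text):
    """Turn one scan report into {'echo_reply': bool, 'ports': {port: state}}."""
    echo = ECHO_RE.search(text)
    return {
        "echo_reply": bool(echo) and echo.group(1).strip() == "ECHO REPLY",
        "ports": {int(p): s for p, s in PORT_RE.findall(text)},
    }

def attribute_filtering(fw_off, fw_on):
    """Decide who is filtering, given scans with the host firewall off and on."""
    off, on = fw_off["ports"], fw_on["ports"]
    # Any answer with the host firewall off means the unsolicited probe was
    # forwarded all the way to the host.
    reached = sorted(p for p, s in off.items() if s in ANSWERED)
    exposed = sorted(p for p, s in off.items() if s == "OPEN")
    # Ports whose state changes with the host firewall are decided by the host,
    # not by the router in front of it.
    host_decided = sorted(p for p in off if p in on and off[p] != on[p])
    if not reached:
        verdict = "filtered-upstream-or-host-silent"
    elif host_decided:
        verdict = "host-firewall-only"
    else:
        verdict = "unfiltered"
    return {
        "verdict": verdict,
        "reached_host": reached,
        "exposed_without_host_firewall": exposed,
        "host_decided": host_decided,
        "echo_reaches_host": fw_off["echo_reply"],
    }

if __name__ == "__main__":
    report = attribute_filtering(parse_scan(SCAN_HOST_FW_OFF),
                                 parse_scan(SCAN_HOST_FW_ON))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A single all-STLTH result taken with the host firewall on says nothing about the router; only the pair of scans separates the two.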
-
Hi Pat,
unfortunately I must confirm your results. I switched off my small IPv6 router that I use for my SixXS tunnel and that sits behind my DIR-825 (and that works with OpenWRT that has a SPI-firewall based on ip6tables, that protects me fine).
Then I turned on 6to4 on my DIR-825 and switched off my Windows firewall. After that I visited http://ipv6.chappell-family.com/ipv6tcptest/ to do a tcp port scan, that was aimed directly to the temporary 2002:... IPv6 address of my Windows PC (works with Win Vista x64).
And really unbelievable but true: Ports 21 (I'm operating a local FTP-Server for internal use only), 445 (may I invite you all out in the IPv6 wild to connect to my local shares? You're welcome), 2869 and 5357 were open.
So my statement, I posted earlier is true: DIR-825 doesn't have an IPv6-firewall at all and if you use it for IPv6 internet access of any kind (6to4, 6rd, static tunnel or native via PPPoE) you will be unprotected. So you must rely on the local firewalls at your end nodes, nice if those firewalls are not IPv6 capable as with Windows XP.
So D-LINK: Nice that you praise this box carrying the "gold IPv6 ready logo", but as far as I can see from https://www.ipv6ready.org/db/index.php/public/logo/02-C-000332/ and http://www.ipv6ready.org/docs/Core_Conformance_Latest.pdf, a SPI-firewall, as recommended by RFC6092 is not part of that gold logo. Why don't you say that clearly in the data sheets of your products?
Will you fix this with later firmware versions?
Up to now I would recommend everyone, who is interested in using IPv6 with DIR-825, to use an OpenWRT firmware that is available for that box (http://wiki.openwrt.org/toh/d-link/dir-825).
-
I even tried using a 3rd party program my IP recommends (f-secure), they just outright turn IPV6 off, I opened a ticket with them.
Glad I met you, here I was thinking that I had SPI via hardware for IPV6.
AAAaaaarrggghhh! I feel sick. :'(
-
Yes, it's really annoying. But as long as my ISP (German Telekom) isn't offering native IPv6, IPv6 remains disabled in my DIR-825. And I hope, that D-Link will come up with a firmware update not later than IPv6 launch day at 6 June 2012, where I believe my ISP will start providing native IPv6, too. Hope dies last.
And I really can't imagine that any CPE producer in the world, who wants to sell his products, can take the risk, to sell them without a SPI firewall! Those products would be regarded unsafe, and people wouldn't buy them.
Here are some interesting citations from RFC6092:
Chapter 1, page 3, last paragraph:
"The reader is cautioned always to remember that the typical
residential or small-office network administrator has no expertise
whatsoever in Internet engineering. Configuration interfaces for
router/gateway appliances marketed toward them should be easy to
understand and even easier to ignore. In particular, extra care
should be used in the design of baseline operating modes for
unconfigured devices, since most devices will never be changed from
their factory configurations."
Chapter 2, page 4, last paragraph:
"Prior to the widespread availability of IPv6 Internet service, homes
and small offices often used private IPv4 network address realms
[RFC1918] with Network Address Translation (NAT) functions deployed
to present all the hosts on the interior network as a single host to
the Internet service provider. The stateful packet filtering
behavior of NAT set user expectations that persist today with
residential IPv6 service. "Local Network Protection for IPv6"
[RFC4864] recommends applying stateful packet filtering at
residential IPv6 gateways that conforms to the user expectations
already in place."
So, D-Link: The typical SOHO user who uses your box for access to the IPv6 Internet is not able or willing to configure your box and he simply relies on the box and expects that it will protect him like with NAT for IPv4 in former days. So, please do your job!
In addition, in the current firmware I use for the DIR-825, I'm missing a DS-Lite support. I guess many ISPs in the world will use this technique after switching over to IPv6 as the main protocol and providing access to the IPv4-Internet by tunneling IPv4 over IPv6 to a CGN/LSN they will operate within their provider networks. So please also implement DS-Lite support!
-
While researching this, I came across a news article from D-link advertising the release of the DIR-825 REV. C-1 on June 6th, 2012 for IPV6 day. I know warranties in Europe are completely different than the States, but in the States it usually means there will be no further firmware updates for the old hardware rev., of course there are exceptions to every case, but I do believe the people in the states that have rev A-1 of the DIR-825 have no IPV6 support, it was not introduced until rev B-1. I think this is also true for the DIR-655 too, only the latest version has IPV6 support.
I think I will be writing a letter to the people handing out gold certifications for this equipment. I am an electrical design engineer and based on the previous white papers you quoted, they are certifying incomplete/unfinished equipment. I will have to look up what they call "phase 2" certification. If we go by phases, then horses would be considered phase 1 for transportation, the auto phase 2 and the space shuttle phase 3?
I was able to find another manufacturers router that SPI for IPV6 had a soft switch so you could turn it on and off, so others have implemented it. (Shaking head in disbelief)
-
Here is the test standard. Kind of a joke actually.
http://www.ipv6ready.org/docs/Phase2_DHCPv6_Conformance_Latest.pdf
-
Another slight problem I have run into, I use a DNS filter (Opendns) to keep the kiddies out of trouble, it seems that if a 6 and 4 stack exist in the Windows OS, it will pull from the 6 DNS first, even if you are resolving a 4 address, completely bypassing my DNS filter. I seem to remember having read Windows will go to IPV6 first if the stack is installed, but I did not think it would resolve IPV4 addresses this early on. This has led to me removing the 6 stack from all of the computers the kids use.
Hi,
in general the type of dns query (A for IPv4 or AAAA for IPv6) is independent of the protocol you use to transport dns queries and responses. There is no correlation, so you can use both UDP/IPv4 or UDP/IPv6 to ask for both A or AAAA resource records. With Windows 7/Vista (and I checked that doing a packet trace), if it operates dual stacked and if you configured both an IPv6 and IPv4 dns resolver address, UDP/IPv6 is the preferred transport for DNS queries (only a special case of the general preference for using IPv6 if possible), even if you only want to resolve IPv4 addresses.
I don't know how your Opendns DNS filter works, but I guess it operates as a local DNS forwarder just listening on 127.0.0.1:53/udp to catch and filter any DNS requests that use udp/ipv4 transport only. For udp/ipv6 transport this tool should also listen on [::1]:53/udp and then forward allowed DNS queries to the IPv6 dns resolver, obviously it doesn't.
-
Hello,
Thank you for the update, that is what I figured, thank you for verifying it.
OpenDNS is a worldwide company, they are an alternate free resolver/DNS server to my provider, the two resolver server addresses they operate for IPV4 are: 208.67.222.222, 208.67.220.220.
Once you sign up for service, you install a piece of software that tells OpenDNS your external IPV4 address every hour. Then I load those 2 DNS/resolver server addresses into the DIR-825 as the default DNS server address, it of course then forwards the DNS server address to the client computer when they turn it on, every time a kid tries to go somewhere, it checks the address against the profile I have setup with the OpenDNS server, if they are trying to go somewhere I don't want them to, OpenDNS returns a page informing them they can't go there and it also logs the attempt and informs me, if it is not in the profile it assumes it is safe and returns the resolved address so the browser can proceed to the site they want to go to. OpenDNS also keeps a complete log of where they have gone overall (in the paid service).
They are in Frankfurt I see on their map. It is a very fast resolver/DNS service that I use instead of Charter Cable's DNS servers, even before I needed DNS/resolver filtering. The reason I used them before I needed filtering is because they are much faster than most ISP DNS/resolver servers. They also offer free IPV6 resolver/DNS servers, but there is no way of filtering IPV6 from them yet. Their services are free unless you want filtering and logs, which costs 10 USD per year.
The kid can change the DNS/resolver server address in the computer, so the computer must have the IP controls locked. It also seems to be safe from proxies and direct address entries too.
I ran logs of my older Son trying to defeat the filtering (he is 21), he could not get around it until I installed IPV6 and it started resolving IPV4 addresses, once I removed the IPV6 stack, he has done.
It is worth every dollar in my opinion. One must also restrict MAC addresses on the network so they just can't plug in a device that they can enter their own DNS/resolver server address in, that has been tried by my oldest also.
This is where the DIR-825 has been so user friendly to me, it is very configurable as some routers are not. The only reason my older kids are still here is to go to college and they don't need to be teaching the younger ones bad habits.
The argument is if you raise your kids properly, then you would not need OpenDNS, that is what I thought until I read the logs of where they were going before I installed the filters.
I tried an alternate firewall last night, it is sold in the States by F-Secure, it is quite weak on IPV6, it showed all the ports blocked as opposed to stealth by the Microsoft firewall. It even left some open, so I uninstalled it.
It is a good thing my kids will be on their own soon, once IPV6 becomes mainstream, filtering will be a nightmare. Thank you for the education.
I really hope D-Link comes up with a better SPI solution for IPV6, but I am not very confident they will fix this version(B-1).
-
Here you can find tons of documents dealing with the IPv6 Ready Logo Program: http://www.ipv6ready.org/docs/. Especially this document gives an overview: http://www.ipv6ready.org/docs/IPv6_Ready_Logo_White_Paper_Final.pdf
The latest conformance-document in the mentioned folder is dated 23-Sep-2011: http://www.ipv6ready.org/docs/CE_Router_Conformance_Latest.pdf.
Here RFC6204 (Basic Requirements for IPv6 Customer Edge Routers) is mentioned, but RFC6092 (Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service) seems to be unknown. Even the term "firewall" seems to be a foreign word in all those documents, at least I didn't find it. "Phase 3" just deals with IPsec.
And finally you can study the history in the release notes of my current firmware:
DIR-825EUB1 Firmware Release Note
Firmware: v2.05EU Build: 09beta07
Hardware: B1
Date: 06, Jan, 2012)
...
Firmware Version: ver2.05EUb07
Firmware Date: 17, Dec, 2010
...
Problems Resolved & Enhancements:
...
3. Support IPv6 Spec v1.14R phase 2 (without IPv6 firewall)
...
Firmware Version: ver2.05EUb06
Firmware Date: 13, Dec, 2010
...
Problems Resolved & Enhancements:
...
2. Support IPv6 Spec v1.14R phase 1. (Do not support IPv6 firewall).
and so on down to:
Firmware Version: ver2.02EUb06
Firmware Date: Fri, 26, Mar, 2010
...
Problems Resolved & Enhancements:
...
2. Support Ipv6 spec v1.08.(Doesn't support IPV6 Firewall)
The listed Ipv6 specs might use version numbers with only internal meaning to D-Link, I didn't find any information about them.
Strange! Do they really want to produce CPE without IPv6 SPI-firewalls? And praise them to be compliant with some strange logo program whose designers have forgotten to specify firewall requirements for?
-
I read some of the documents last night regarding what testing the DIR-825 had to pass to get the gold logo. As you said, no security, none, zip. If you are reading this you should either have a GREAT firewall or DO NOT enable IPV6 on the DIR-825 Rev. B-1.
The documents I read spoke mainly of routing and handshaking. I think that I read about 100 pages regarding how the IPV6 router should route, and testing methods to verify this, nothing else.
I know some people in the states have native IPV6 already, so unless they have gone through and tested their equipment for security, they are wide open to the world (most people that use CPE in the States can't even set up security for WiFi properly), it should at least come with a warning that this device does not secure your computer from anything on IPV6. The bloody (DIR-825) thing is bullet proof on IPV4.
I need to check my work schedule and then find out more about the gold certification board. If they will accept a formal personal query, I will draft a concern letter to the board regarding its certification of hardware that has no security protocols enabled for IPV6, based on our findings and see if I get a reply. Being IPV6 day is just around the corner it would be perfect timing. The chance of any of the major router manufacturers replying is nonexistent (They will reply to the company I work for, I just have to wait for someone to request some equipment and then write a minimum specification for IPV6 security, I am sure that will ruffle some feathers when no one can win a contract based on technical shortcomings, but it would not be the first time I have fought that battle).
When a problem exists they just blame it on your hardware here in the states. I had one customer support rep tell me I needed to format my hard drive to get full speed on my internet connection, pulled my hard drive put another in and did a fresh install of Windows, called them back and said that did not fix it, now what? They finally found the problem on their end.
I just allowed some D-Link equipment here at work to be speced for a large project I was working, based on our findings I have the duty to reject requests for hardware that does not meet security protocols already in place by the company I work for, being we are supposed to be moving towards IPV6 readiness, I would say the equipment fails, security is our number one priority at work. We do sometimes use CPE stuff for small work groups, satellite offices.
I will query some of my IT people too and see if they know anything, that could be why I have not seen much movement here at work regarding IPV6, current security implementations are lacking. Just about the time we bring a web site up, they take it back down, but I have never asked why. Maybe I now know.
If I can get a letter together, I will send it to you private.
Cheers!
Pat
-
PacketTracer,
Sent you a copy of the letter I sent to the people with the Gold certificates.
Also I called D-Link USA, it turns out they are only 30 minutes from me via freeway, if I had your freeway it would only be 15 minutes. The DIR-825 does not have SPI for IPV6, only IPV4 (per US tech support). There was a little language barrier but he understood what I was talking about. I asked if this was a feature they planned on adding to the DIR-825 (SPI) and he said he did NOT think so.
He recommended I purchase a DIR-857. I asked if there were any other routers with SPI for IPV6 that D-Link made, he said it was the DIR-857. I looked it up, can't even purchase one state-side yet, it has not been released. It shows up as a pre-order for 179USD.
I can't find any hardware specs(chipsets) and do not like the fact it has no external antennas. If I am going to pay that much again just 4 years later, I think I may wait and go full blown Dual WAN, SOHO Cisco with no WiFi, not fond of Cisco but not fond of this either!
I used to work for an "AG" company here in the states, I know you have minimum support times for firmware and warranties. Any hopes of getting a EU update? What language is your firmware in? I have not spoken your language in close to 40 years, if it was not in English I would have a hard time.
Too bad, I really liked D-Link's firmware. :( :( :(
-
Ahhh! I got rid of the Echo through windows firewall without having to turn security up so high I was losing functionality. That will work for now! ;D
Scan beginning at: Tue May 1 02:13:59 2012 , expected to take up to 11 seconds ...
ICMPv6 ECHO REQUEST returned : ECHO NO REPLY
Individual TCP port scan results:
Port 7 = STLTH Port 21 = STLTH Port 22 = STLTH Port 23 = STLTH
Port 25 = STLTH Port 37 = STLTH Port 53 = STLTH Port 79 = STLTH
Port 80 = STLTH Port 88 = STLTH Port 110 = STLTH Port 111 = STLTH
Port 113 = STLTH Port 119 = STLTH Port 123 = STLTH Port 135 = STLTH
Port 137 = STLTH Port 138 = STLTH Port 139 = STLTH Port 143 = STLTH
Port 311 = STLTH Port 389 = STLTH Port 427 = STLTH Port 443 = STLTH
Port 445 = STLTH Port 514 = STLTH Port 543 = STLTH Port 544 = STLTH
Port 548 = STLTH Port 631 = STLTH Port 749 = STLTH Port 873 = STLTH
Port 993 = STLTH Port 1025 = STLTH Port 1026 = STLTH Port 1029 = STLTH
Port 1030 = STLTH Port 1080 = STLTH Port 1720 = STLTH Port 1812 = STLTH
Port 2869 = STLTH Port 3128 = STLTH Port 3306 = STLTH Port 3389 = STLTH
Port 3689 = STLTH Port 5000 = STLTH Port 5100 = STLTH Port 5357 = STLTH
Port 5900 = STLTH Port 8080 = STLTH Port 9090 = STLTH Port 10243 = STLTH
Scan is : COMPLETE.
-
Hallo Patrick,
Sent you a copy of the letter I sent to the people with the Gold certificates.
Thank you very much! Let's hope it will have some impact on them.
I used to work for an "AG" company here in the states, I know you have minimum support times for firmware and warranties. Any hopes of getting a EU update? What language is your firmware in? I have not spoken your language in close to 40 years, if it was not in English I would have a hard time.
Sorry I really don't know the special warranty conditions for this D-Link product, valid here in Germany. I guess they are 1 year standard, but in general it will be difficult to get your money back if you come up with a problem later than half a year after date of purchase (in my case: 04.04.2011, I bought it online from Amazon and paid 92,91 EUR for it). And I don't know if warranty conditions include any claims for firmware updates within some period of time.
I only know that not any firmware update out in the world fits my European DIR-825 edition, so I must be careful which one to use. I usually download them via FTP from here: ftp://ftp.dlink.de/dir/dir-825/driver_software, but up to now only 2 newer versions have been offered there (2.04EUb02 date 2010/08/26 and the present one 2.05EUb09beta07 date 2012/01/06). They are both multilingual, so you can switch the language of the web surface of the DIR box to English if you want.
Don't know if D-Link will offer other firmware updates in the future here in EU for that model. And if so, what's their value, if they don't include a SPI firewall? And from what you reported so far, there is not much hope that it will come.
So I feel like a fool who bought a car without airbags. You better leave it in the garage...
-
Any issues, details, test details and steps you guys have done, including your concerns, please post them here and I'll forward this on to my contact at DLink. I can't promise anything. I hope some resolution will come of it. Thank you.
-
PacketTracer,
I am going to start a thread on this over on the US support side and see if we can generate any feedback.
Pat
-
Keep it here Patrick...all information is here so let's just keep this thread going for now.
-
After several days of testing on the DIR-825 Rev. B-1, it appears that it does NOT have a Firewall or SPI of any sort to protect the user from malicious intent on the IPV6 layer, though the sales information clearly states that SPI is provided to the USER of the DIR-825. The current sales brochure still advertises Stateful Packet Inspection PERIOD, not just SPI for IPV4. This is leaving thousands of people completely unprotected from intrusive raids once their ISP implements the IPV6 layer on their network. These people are under the impression that they are protected. Being the majority of internet users are not much more than "appliance users" this could go on for years, causing countless people to have their personal information stolen and causing millions of dollars' worth of damage in identity theft.
Test configuration: Win 7 X64 SP1, DIR-825 Rev. B-1 w/firmware 2.07 4/04/2012, Motorola SB6120 DOCSIS 3.0 cable modem using Charter 100 x 5 plan and Charter 6RD servers terminated at the DIR-825 using OpenDNS DNS servers. Port scanner used: ipv6.chappell-family.com/ipv6tcptest/
Results: When the Windows firewall is turned OFF and a port scan is run, the scanner shows open service ports on the DIR-825 IPV6 route. This was both observed on the 2.05EU firmware and the 2.07NA firmware installed on a DIR-825 REV. B-1.
The DIR-825 purports to be "IPV6 Ready Gold certified", but how could something as basic as Stateful Packet Inspection be left out with this readiness certification? One would assume that a piece of hardware that is purported to be IPV6 ready would at least have BASIC protection from the outside world that is afforded to IPV4. Being the nature of the IPV6 layer and NOT having any NAT, IPV6 on a DIR-825 is wide open to anyone with an IPV6 connection, so in essence your computer is wide open to the internet IPV6 community for the taking. The problem gets worse when you consider that older operating systems prior to Windows 7 do NOT have any form of IPV6 firewall built in.
WINDOWS firewall OFF:
Scan beginning at: Sun Apr 29 17:20:44 2012 , expected to take up to 11 seconds ...
ICMPv6 ECHO REQUEST returned : ECHO REPLY
Individual TCP port scan results:
Port 7 = RFSD Port 21 = RFSD Port 22 = RFSD Port 23 = RFSD
Port 25 = RFSD Port 37 = RFSD Port 53 = RFSD Port 79 = RFSD
Port 80 = RFSD Port 88 = RFSD Port 110 = RFSD Port 111 = RFSD
Port 113 = RFSD Port 119 = RFSD Port 123 = RFSD Port 135 = OPEN
Port 137 = RFSD Port 138 = RFSD Port 139 = RFSD Port 143 = RFSD
Port 311 = RFSD Port 389 = RFSD Port 427 = RFSD Port 443 = RFSD
Port 445 = OPEN Port 514 = RFSD Port 543 = RFSD Port 544 = RFSD
Port 548 = RFSD Port 631 = RFSD Port 749 = RFSD Port 873 = RFSD
Port 993 = RFSD Port 1025 = RFSD Port 1026 = RFSD Port 1029 = RFSD
Port 1030 = RFSD Port 1080 = RFSD Port 1720 = RFSD Port 1812 = RFSD
Port 2869 = OPEN Port 3128 = RFSD Port 3306 = RFSD Port 3389 = RFSD
Port 3689 = RFSD Port 5000 = RFSD Port 5100 = RFSD Port 5357 = OPEN
Port 5900 = RFSD Port 8080 = RFSD Port 9090 = RFSD Port 10243 = OPEN
WINDOWS firewall ON:
Scan beginning at: Sun Apr 29 17:22:32 2012 , expected to take up to 11 seconds ...
ICMPv6 ECHO REQUEST returned : ECHO REPLY
Individual TCP port scan results:
Port 7 = STLTH Port 21 = STLTH Port 22 = STLTH Port 23 = STLTH
Port 25 = STLTH Port 37 = STLTH Port 53 = STLTH Port 79 = STLTH
Port 80 = STLTH Port 88 = STLTH Port 110 = STLTH Port 111 = STLTH
Port 113 = STLTH Port 119 = STLTH Port 123 = STLTH Port 135 = STLTH
Port 137 = STLTH Port 138 = STLTH Port 139 = STLTH Port 143 = STLTH
Port 311 = STLTH Port 389 = STLTH Port 427 = STLTH Port 443 = STLTH
Port 445 = STLTH Port 514 = STLTH Port 543 = STLTH Port 544 = STLTH
Port 548 = STLTH Port 631 = STLTH Port 749 = STLTH Port 873 = STLTH
Port 993 = STLTH Port 1025 = STLTH Port 1026 = STLTH Port 1029 = STLTH
Port 1030 = STLTH Port 1080 = STLTH Port 1720 = STLTH Port 1812 = STLTH
Port 2869 = STLTH Port 3128 = STLTH Port 3306 = STLTH Port 3389 = STLTH
Port 3689 = STLTH Port 5000 = STLTH Port 5100 = STLTH Port 5357 = STLTH
Port 5900 = STLTH Port 8080 = STLTH Port 9090 = STLTH Port 10243 = STLTH
If anyone who has an OS prior to WIN7 is able to run an IPV6 port scan using a DIR-825, I would be very interested in the port scan information. Please be sure to omit your IPV6 address for security reasons. I will further my testing using an OLDER OS next weekend, if possible.
Upon calling D-Link's Fountain Valley office and querying about firewall support on the DIR-825's IPV6 layer, I was told by tech support it has no form of firewall or filtering for IPV6 and if I wanted these "ADVANCED" features I should upgrade to a DIR-857. They are still selling these routers as of this post knowing that their customers are wide open to invasion by anyone with an IPV6 connection! They are selling them as "GOLD CERTIFIED IPV6 READY". Testing shows they are indeed ready, the router works great, as long as you need NO security on IPV6. As a colleague stated, this is like getting in a wreck with a new car that said it had air bags, only to find out after an accident it really did not, after flying through the windshield.
IF YOU DO NOT HAVE A GREAT FIREWALL, I WOULD URGE YOU TO DISABLE IPV6 ON THIS PRODUCT, FOR YOUR OWN SAFETY!
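The firewall-off / firewall-on comparison in the post above can be automated as follows. This is an added example, not part of the original post and not the scanner's own code; the function names, the verdict labels, and the reading of RFSD as "refused" and STLTH as "no reply" are assumptions, and the sample reports are abridged excerpts in the scanner's output format.

```python
import re

# Status codes as they appear in the scanner output quoted in the post.
# Assumption: RFSD = refused (a TCP RST came back), STLTH = stealth (no answer).
OPEN, REFUSED, STEALTH = "OPEN", "RFSD", "STLTH"

PORT_RE = re.compile(r"Port\s+(\d+)\s*=\s*(OPEN|RFSD|STLTH)\b")
ECHO_RE = re.compile(r"ICMPv6 ECHO REQUEST returned\s*:\s*(.+)")


def parse_scan(text):
    """Parse one report into {'echo_reply': bool or None, 'ports': {port: status}}."""
    ports = {int(port): status for port, status in PORT_RE.findall(text)}
    match = ECHO_RE.search(text)
    echo = None if match is None else match.group(1).strip() == "ECHO REPLY"
    return {"echo_reply": echo, "ports": ports}


def ports_with(scan, *statuses):
    """Sorted list of ports whose status is one of the given codes."""
    return sorted(p for p, s in scan["ports"].items() if s in statuses)


def assess_perimeter(report_host_fw_off, report_host_fw_on):
    """Compare two external scans of the same LAN host behind the router.

    If a port answers (OPEN or RFSD) with the host firewall off and goes
    silent with it on, the probe reached the host both times and the host
    made the decision. A stateful perimeter filter that drops unsolicited
    inbound traffic would give the same result in both scans.
    """
    off, on = parse_scan(report_host_fw_off), parse_scan(report_host_fw_on)
    exposed = ports_with(off, OPEN)
    answered = ports_with(off, OPEN, REFUSED)
    host_filtered = [p for p in answered if on["ports"].get(p) == STEALTH]
    if exposed or host_filtered:
        verdict = "UNFILTERED"            # router passes unsolicited inbound TCP
    else:
        verdict = "NO_EXPOSURE_OBSERVED"  # says nothing about who filtered
    return {
        "verdict": verdict,
        "exposed": exposed,               # listening services reachable from outside
        "host_filtered": host_filtered,   # ports only the host firewall protected
        "echo_reply": (off["echo_reply"], on["echo_reply"]),
    }


# Abridged sample reports in the scanner's format (host firewall off, then on).
FW_OFF = """\
Scan beginning at: Sun Apr 29 17:20:44 2012 , expected to take up to 11 seconds ...
ICMPv6 ECHO REQUEST returned : ECHO REPLY
Individual TCP port scan results:
Port 113 = RFSD Port 119 = RFSD Port 123 = RFSD Port 135 = OPEN
Port 445 = OPEN Port 514 = RFSD Port 543 = RFSD Port 544 = RFSD
Port 2869 = OPEN Port 3128 = RFSD Port 3306 = RFSD Port 3389 = RFSD
"""

FW_ON = """\
Scan beginning at: Sun Apr 29 17:22:32 2012 , expected to take up to 11 seconds ...
ICMPv6 ECHO REQUEST returned : ECHO REPLY
Individual TCP port scan results:
Port 113 = STLTH Port 119 = STLTH Port 123 = STLTH Port 135 = STLTH
Port 445 = STLTH Port 514 = STLTH Port 543 = STLTH Port 544 = STLTH
Port 2869 = STLTH Port 3128 = STLTH Port 3306 = STLTH Port 3389 = STLTH
"""

if __name__ == "__main__":
    result = assess_perimeter(FW_OFF, FW_ON)
    for key, value in result.items():
        print(f"{key}: {value}")
```

An all-STLTH result on its own does not show which device dropped the probes, which is why the comparison needs the scan taken with the host firewall off.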
-
Hi Patrick
I am going to start a thread on this over on the US support side and see if we can generate any feedback.
Did the same on the German support side (D-Link Case Number 697023), quoting and linking the threads here in this forum. I'll report the feedback when available...
-
Hi Patrick
Did the same on the German support side (D-Link Case Number 697023), quoting and linking the threads here in this forum. I'll report the feedback when available...
Good job! If it was not for you I would have never done any further testing than the port scans I had done 8 months ago when I went live with 6RD. I have had my router a long time but just started using IPV6, it has been a great router for SOHO/CPE gear, I find it even surpasses some commercial gear in features. So far I have gotten a much better response than I did with Linksys EVER.
Once again thanks for the motivation and education, I had become a lazy appliance user. I am hoping this was just a simple oversight due to the number of products they offer.
-
I just checked and the 655 Rev B, 615 Rev E, DIR 600 and 601 all have IPv6 enabled however no firewall for IPv6 like the new gen routers do. I'm just presuming that this was a feature set that was set up for some of these routers and at the time, IPv6 hadn't been fully implemented on an ISP to client level and was in very early stages and possibly DLink didn't include a firewall since it really wasn't needed at the time and people had not migrated to it.
I do agree, there probably should be some form of security in IPv6 layer and hope Dlink can offer up something to upgrade. These routers are still great routers and should continue to be used well without having to go buy something new.
-
I have had my router a long time but just started using IPV6, it has been a great router for SOHO/CPE gear, I find it even surpasses some commercial gear in features.
Just to stay fair: As long as IPv6 is not yet available in native form by the majority of ISPs, I would accept a missing IPv6 firewall in a CPE implementation, but I expect that missing but important features are provided in time by later firmware updates. Being an early adopter it is okay if not everything is perfect from the beginning, but if things turn to standard operation the fun stops. And I don't want to hear from the manufacturer: Sorry, this feature will not be made available by a firmware update for your device, instead we recommend to buy our new brilliant device called DIR-XXX that has all those advanced features you want. This is a good method to make customers look for other vendors who make things better and are more trustworthy.
If you read http://www.dlink.com/ipv6, you'll find the following proud citation: "In the February 2011 Network World article "Most IPv6-certified home network gear is frightfully buggy," D-Link was cited as the only vendor shipping IPv6 consumer equipment that was ready for ISP field trials."
That's not true, even in February 2011. There is a German company, having a 3 letter acronym starting with "A", sitting in Berlin and producing widespread used CPE, that are even better concerning IPv6 capabilities:
- They support SixXS-Tunnels in heartbeat mode. DIR-825 doesn't, what a pity!
- If public IPv4 address at the WAN-Link changes (every 24 hours, normal at least for German internet access based on DSL), their CPE is able to form a new 6to4 prefix, advertising it in the LAN and advertising the old one with a valid lifetime of 0 and thus starting the clients to form a new IPv6 address. The DIR-825 is not able to do this. So 6to4 is useless for me (but it is useless anyway, see RFC6343)
- Of course they have a stateful IPv6 firewall in place allowing to open ports for incoming connections
- With their latest firmware update they support DS-Lite. This is at least as important as having an IPv6 firewall, if your ISP chooses to select this technique for access to the IPv4 internet after switchover to IPv6 as standard internet protocol (in a future not too far away).
If you ask me now: Why did you buy this D-Link device and not the other one: I'm living in the country, where the physical quality of my DSL line is that bad, that the other device didn't manage to synchronize (it has a built in modem not yielding an uplink port, so I couldn't use another DSL modem instead), so I had to look for another device and found that D-Link apparatus, being praised because of its promising IPv6 ready logo...
-
I just checked and the 655 Rev B, 615 Rev E, DIR 600 and 601 all have IPv6 enabled however no firewall for IPv6 like the new gen routers do. I'm just presuming that this was a feature set that was set up for some of these routers and at the time, IPv6 hadn't been fully implemented on an ISP to client level and was in very early stages and possibly DLink didn't include a firewall since it really wasn't needed at the time and people had not migrated to it.
I do agree, there probably should be some form of security in IPv6 layer and hope Dlink can offer up something to upgrade. These routers are still great routers and should continue to be used well without having to go buy something new.
Which routers have SPI/firewall on the IPV6 layer with Gigabit ports? Tech support only mentioned 1, that one is hard to find. Not in the market for an upgrade at the moment, Mother's Day, wife's birthday and a medium to large size SSD are in line near the top right now, plus the 12 year old laser printer that smoked last night! Just curious. Do the new revs of the Dir-655 and DIR-825(C-1) support SPI on the IPV6 layer?
Thx,
Pat
-
So far all next gen Amplifi routers have IPv6 Firewall options. I haven't found a current older generation router with any options, only IPv6 layer options.
-
So far all next gen Amplifi routers have IPv6 Firewall options. I haven't found a current older generation router with any options, only IPv6 layer options.
Too bad, the reviews are still showing buggy firmware for those at independent reviewers, was hoping for legacy products. I did notice that the IPV6 features are not really being advertised, like IPV6 port forwarding and advanced routing, just that the Amplifi line has some IPV6 support.
Me thinks I will sit this one out until IPV6 is more prevalent unless there is a fix for the DIR-825.
The IPV6 society/consortium never got back with me regarding the lack of security for the DIR-825 and the other products it certifies, but it does carry the same IPV6 ready logo as the Amplifi series routers, which we know now does not mean a lot and seems to be nothing more than a sham to get people to part with their money based on a false sense of security (literally).
I guess it could be a couple of design cycles before we see IPV4 and IPV6 features identical in products.
Me thinks it is time for a 256Mb SSD ;)
-
I think it's a good idea to wait. IPv6 is still in its infancy and still isn't supported on all ISPs let alone to the ISP clients. It's not a show stopper or reached a critical point where IPv6 and the features are really needed or being used. I presume at some point all Mfrs will be addressing IPv6 in the future. When will be up to them. We can only voice our concerns and give feedback. IMO, I don't see DLink doing anything with these older products and are probably more focused on the next gen products coming out and even then maybe they won't do anything with those by the time IPv6 gets out to more people and becomes the standard that everyone is waiting to use. Just seems that IPv6 and or ISPs are dragging their feet in getting it going. There is some support for it, it's not spotty right now. Dlink is on the game for IPv6, just don't know what will happen going forward. For security on IPv6, I would investigate using a 3rd party Firewall program that supports IPv6 in meantime if you really feel the need to.
We're still waiting on 4G or LTE where I live at. Still no idea when that's coming. ::)
-
We're still waiting on 4G or LTE where I live at. Still no idea when that's coming.
See where Australia just put the brakes on a couple of American cell companies from marketing 4G products that were only 3G? I guess in other countries false advertising is actually pursued by the government, what we call 4G here is not even close to meeting the standards of true 4G.
I guess in some countries the marketing actually has to live up to the claims a company makes, in other countries they just outright shut you down instead of making their population sue you for your false statements, then pay you off to keep your mouth shut. I like the truth policy much better. Either live up to your claims or go do business somewhere else, like the USA. So far I have been a technical witness for the prosecution in 3 suits against wireless telcos, all 3 were won and the government levied huge fines against the telcos, two of those suits barely even broke the news even though both companies were fined in the tens of millions of dollars. They just pass the cost on to us and consider it part of doing business. I was a customer of one of the companies, afterwards I called and complained about coverage, they asked me if I wanted out of the contract for no ETF, funny how that works!
That is my job here at work, to make sure we procure quality products that do what they say they can out of the box, this day and age too many companies fail under the type of scrutiny I provide.
Caveat emptor!
Burn me once, shame on you, Burn me twice, shame on me!
-
;)
-
I was out leaving some feedback on a vendor's site regarding this router when I ran across this, I just about choked: ???
IPV6 Ready: Get Ready for the Future
With the growing number of Internet-enabled applications requiring IP addresses, the supply of IP addresses under the current Internet Protocol version 4 (IPv4) system has already been exhausted. The IPv6 protocol solves this network addressing exhaustion by creating more IP addresses, but migration from IPv4 to IPv6 is not necessarily automatic. But, you don't need to worry about service interruption if you go with D-Link products that are IPv6 Certified. Your network will be automatically IPv4 and IPv6 ready when you use an IPv6-certified D-Link product like his one. With D-Link products, you can rest assured that you'll be covered for the current and the new standards without any hassle to you.
-
You can't choke too much Patrick, it is IPv6 supporting. ::)
Just how much is left up to debate.
-
Did the same on the German support side (D-Link Case Number 697023), quoting and linking the threads here in this forum. I'll report the feedback when available...
I got the following feedback today:
2012-05-01 20:06:00 100 Unassigned/New
2012-05-04 15:53:00 10000678 Berlin, Stockholm, Rome, Bern
2012-05-07 09:45:00 10000580 Berlin, Stockholm, Rome, Bern 100 Unassigned/New 105 Escalated
2012-05-07 09:46:00 10000580 Berlin, Stockholm, Rome, Bern 105 Escalated 110 Open/Active
2012-05-07 11:42:00 10000569 Berlin, Stockholm, Rome, Bern 105 Unassigned/New 999 Complete
Reply from D-Link support (translated from German):
Dear Mr. XXX,
thank you for your detailed description of the circumstances.
We forwarded your request to the product management team. The colleagues will take care of your case as soon as possible.
Kind Regards,
Your D-Link Support Team
-
Today I also got an answer from a German D-Link product manager. In short, he stated that present routers (e.g. DIR-857) have new chip sets that include an IPv6 firewall.
He also said, when DIR-825 Rev B was developed, RFC6092 didn't exist, and that IPv6 was only implemented afterwards as a best effort to allow customers access via IPv6.
Then he argued, that in former days when Windows XP was current and PCs used to connect to the Internet via modems, they also had to be protected by software.
He also said that operating systems like Windows 2000 and Windows XP, which Microsoft hasn't supported for years (*), regrettably can't keep up with IPv6, which changes one foundation of the Internet.
------------------------ end of summary -------------------------
He didn't say anything about future firmware updates for DIR-825 Rev B, that might include an IPv6 firewall. (*) By the way, Windows XP SP3 is still supported by Microsoft up to 2014.
If you visit the German D-Link website to see the current products (http://dlink.de/cs/Satellite?c=Product_P&childpagename=DLinkEurope-DE%2FDLProductFamily&cid=1197318677527&p=1197318958248&packedargs=locale%3D1195806663795&pagename=DLinkEurope-DE%2FDLWrapper) you'll find both DIR-825 and DIR-857, and the data sheets of both products state the same IPv6 capabilities:
"IPv6 ready
This router is ready for the future of the Internet with support for the upcoming
move from IPv4 to IPv6. It carries the IPv6 Ready Gold Logo, meaning that
it not only supports the IPv6 protocol, but is also compatible with IPv6
equipment from other manufacturers. Using a dual-stack architecture, this
router can handle routing for both IPv4 and IPv6 networks at the same time,
so you can be assured that your router is forward and backward compatible."
They do not say, that DIR-857 has an IPv6 firewall and DIR-825 has not.
-
Oops, I didn't read the IPv6 capabilities in the data sheets carefully enough. There is a difference: In the DIR-825 datasheet you find the following additional clause:
"This transition allows users to change to a 128-bit addressing system and directly connect to anybody in the world using a unique IP address."
This sentence is missing in the data sheet for DIR-857. Now it is clear: Yes, everybody in the IPv6 Internet can connect to my LAN-PC because of its global IPv6 address, because DIR-825 doesn't protect me by a firewall! It is a feature!
-
That makes sense, if the RFC didn't exist back then, then there wasn't a requirement to implement it I presume. ::) Going forward and after RFC was supported then it was probably some form of decision to implement it on the next gen routers instead of trying to implement it on current gen routers. Not sure what's all involved in doing that, however I presume if the RFC calls for additional development and chip sets, I might think that implementing RFC on current routers may not be feasible or from a marketing stand point, they're looking at the new gen routers for the support and it makes me think that we won't see any IPv6 firewalls on older gen routers. :-\ Kind of a shame though. There are really good routers and do work well for what they are. And we have to keep in mind what the routers are too, HOME users routers. Ya, need to provide a level of protection for home users. I guess we'll have to use them until IPv6 becomes main stream and users will need the RFC protections that the new gen routers have. Would be interesting to see if they would add the RFC to these routers, however, it's their code so, we must choose to either follow or find other solutions.
I presume that there are some SW firewall solutions that support IPv6?
Thanks for the information PT.
-
As I mentioned in my reply to the product manager, the security demands were already published in 2007 within RFC4864 (Local Network Protection for IPv6), and RFC6092 only makes security things more precise for so called CPE (customer premise equipment), better known as home routers. The demand for a firewall with stateful inspection within the border router of a network (even more in home networks) should be well known since 2007, especially by the developers of such CPE devices.
And it is not okay, that even now D-Link sells CPE like DIR-825 without saying clearly, that these boxes don't have an IPv6 firewall. These devices are not safe for use in a near future, when ISPs start offering IPv6 to customers (I guess this will happen this year).
What would you think about a car seller who sells you a new car without saying that it doesn't have airbags?
Concerning me, if my provider comes up with IPv6 in June this year (I hope), I can throw away my DIR-825 after having used it for 14 months only and have to buy a new one, that has an IPv6 firewall. And a customer who buys this product now will have even less fun with it. I guess he will be D-Link's best friend after he finds out this missing basic feature of his device.
Relying only on IPv6 firewalls in the end nodes of the LAN is no solution, even more for home users who in most cases don't know or care about these things and expect with IPv6 to be protected by their router as was taken for granted for IPv4 before. And they are right! And any CPE producer who doesn't meet this expectation is wrong.
-
Packet Tracer,
Check your private mail, I have been busy on this behind the scenes, I have an update for you. You are making some very good points that have helped me immensely.
For everyone else, it could be a week to 45 days before I can post anything, or I could get slapped with a gag order and not be able to say anything public. Time will tell.
Later,
Pat
-
Two days ago I got another message from the German D-Link product manager where he said that besides DIR-857 also the DIR-825 Rev C has an IPv6 Firewall. He even sent me a snapshot of the configuration tab for the IPv6 firewall within the web configuration surface of the DIR-825 Rev C.
Meanwhile I was in contact with a German publishing company for computer magazines (http://www.heise.de or international: http://www.h-online.com/) who was also one of the organizers of the 4th German IPv6 congress, that just has taken place in Frankfurt and that I have attended (sorry, German only: http://www.ipv6-kongress.de/events/2012/ipv6-kongress/programm/). Within a BOF session I used the opportunity to ask the Heise representative, if they could do an analysis of the IPv6 capabilities of current CPE devices for home users and publish the results. I also reported about the bad impression I had experienced from a box bearing an IPv6 ready logo but not having an IPv6 firewall. It was the beginning of an interesting discussion amongst the attendant IPv6 experts but the interesting point was the statement from the Heise representative, that they already were planning to do that. They even had already done some tests of those products and especially they knew about the missing IPv6 firewall in the D-Link boxes they had tested ...
In another talk the speaker explained the profiles/logo programs that exist in the world. There are about 5-6 ones, IPv6 ready logo being only one of them. Ripe 501 (http://www.ripe.net/ripe/docs/ripe-501) is another one here in Europe, and for the States there is a separate one whose name I can't remember any more. IPv6 ready logo is not of much value and is mainly used for marketing purposes. In a third talk a product manager of a well known German CPE manufacturer said they don't plan to get the IPv6 ready logo for their products because it is not worthwhile for them. Instead they design the IPv6 capabilities of their boxes in conformance with RFC6204 (Basic Requirements for IPv6 Customer Edge Routers) which is a superset of the IPv6 ready logo program. And of course they have a builtin IPv6 firewall from the very beginning according to RFC6092.
-
Two days ago I got another message from the German D-Link product manager where he said that besides DIR-857 also the DIR-825 Rev C has an IPv6 Firewall. He even sent me a snapshot of the configuration tab for the IPv6 firewall within the web configuration surface of the DIR-825 Rev C.
Sir,
Good work! We are still waiting for a response from D-Link management stateside. They have 7 business days left to respond to what we sent them on this end. The response should be public so that would only help you too. I assume that since their headquarters is in Taiwan, they may be the ones responding so it may take a couple of extra days. If there is no response the first time, another query will be sent and another 10 day wait, if they don't respond to the second one, after that the discovery is done and my allegations will be considered valid. Then I can start causing problems. Since you are covering it in the EU and I am covering it in the States, they can't say they weren't told. I have also started discussions in other places I frequent regarding IPV6 and how the roll out should be handled, I always make sure to mention my rude awakening with D-Link and firewalls, ALWAYS scan your ports! I don't care who makes it.
If you read through my posts above, you will see where I found the news release for hardware rev. C-1. I assumed it would be fixed in that version, but if you read what has been posted about the REV. C-1, it is the same description and the same Gold logo. D-Link almost always leaves the older hardware in whatever condition it is in when they start on a new hardware REV., so no more firmware fixes for the B-1 rev once C-1 comes out, which will be IPV6 day 2012, I am sure of it.
Since the Dir-655 is said to either have or to be coming out with IPV6, once I am done with the Dir-825, I will be testing the Dir-655 next and going through the same process, then I will return the Dir-655 to the vendor and go buy the new router that will do the job the DIR-825 WAS supposed to do. I need the DIR-825 for a bridge behind a good router so no waste or worries, it will just hopefully work with the next brand I purchase. Or maybe I will sell it on E-bay to one of their Fan Boys, the ones that list every single product they have purchased from D-Link under their signature tab, instead of a signature, and then go buy 2 new dual band routers, 1 for a bridge the other to protect me.
I was reading an interview with another US based manufacturer regarding IPV6, the CEO was saying what a great chance this is for his company to have great income for the next few years, when asked why his company was leaving security out for IPV6 the interview basically ended. It seems like they want to double dip(take 2 servings) on this hardware upgrade that is required, first you get IPV6 for 100E, then you buy another box for another 100E that does the same thing as the first but now has security ENABLED. Also basically filling the garbage landfills with hardware that is still usable. We hard working people MUST keep buying things if we are to keep stuffing the CEO's pockets with cash which keeps the Chinese economy going so hopefully someday the Chinese people will buy lots of stuff from us. But truly the only people getting rich are the CEO's and the companies, I will never live long enough to see the Chinese be able to drop 100E on a router and the way I figure it I still have a good 25 years left on this planet, if not longer.
Make sure you keep a copy of this thread in the EU in case it disappears! ::)
-
There it is! The Dir-655, IPV6 READY! http://www.dlink.com/DIR-655
My work NEVER ends!
-
The dir-655 Rev B1 has had IPv6 since last year or before. Again like the 825 and 615, do not have the firewall in addition.
-
The dir-655 Rev B1 has had IPv6 since last year or before. Again like the 825 and 615, do not have the firewall in addition.
You have an Airport Extreme (3rdGen) listed on your signature. That was one of the routers that was listed on the NTIA Government site as originally not having an IPV6 firewall, but after consumer complaints it was added. In reading, I guess Apple was bombarded by outcry that it did NOT have a native IPV6 firewall, even after customer complaints they resisted adding it. When they ran across someone like me with a bad attitude and enough knowledge to be dangerous that laid out the test scenario and how it could be a liability for a customer, they fixed it within 60 days (funny how that works), no redesign required.
How do you like that router/AP? Looks like a nice design? Much better than the Hershey's Kisses looking old design! No external antennas, but 10 minutes with a drill and a soldering iron I could fix that and make it look like it grew there! Even have the connectors and cable in my desk drawer here. Ever hook 2 together in a router/ bridge mode configuration?
Reading the tech specs http://www.apple.com/airportextreme/features/wi-fi.html it even has a higher WiFi output than the DIR-655 which has legendary WiFi range. Reading the Dir-655 review compared to the Dir-825 you would swear that it was 2 different companies.
I considered DD-WRT on the 825 which has a native IPV6 firewall, but in my line of work we are not supposed to use 3rd party firmware (even at home, no jail broken, rooted, dd-wrt, can't even have a trigger job on my Glock or Sig! Can't even have a picture of myself on Facebook!). So I need a company that supports me and what I want to do, out of the box. Though I THOUGHT I had done this the first time, it goes back to the shame on me shame on you rule.
Time to feed the animals and walk the fence and make sure there are no creepy crawlers (slithering or 2 legged) to ruin either me or my animals day.
Later!
(http://www.speedtest.net/result/1946770323.png)
-
Even though I have the AE 3rd Gen router and it does have the IPv6 firewall, I don't agree with your comparison as that router is a completely different router and I would presume that the SW, HW and chipset used between Apple and DLink are different and it would be up to Apple and Dlink to know whether or not the HW would support any continued upgrades and developments.
I actually have the 1st gen AE and it worked just as good as the 3rd Gen. Only thing I don't care for is that you can't turn off 2.4Ghz radio on the router and you can't set single modes. Maybe they allowed that in follow on gens. I'm not going to raise an outcry for it.
I'm sure DLink is aware of this issue and it will be up to them whether or not they are going to do anything with the current router Revs out there. Since the next gen routers out there and the 857 has been released. I wouldn't put a lot of wishful thinking in to hoping that DLink will do anything with these current old gen routers. I presume that maybe that they might and satisfy those limited users of IPv6 having this major concern with no IPv6 native firewall, however on the other hand, if marketing has anything to do with it, they might just push for new development and current work on the next gen routers, leaving the old gen routers behind. I would keep this in mind.
Overall, if you're looking for a quick fix from DLink or response back from them, I wouldn't hold your breath. I would research alternatives to getting IPv6 security in place now, either with a different router or a SW solution. These forums are a place to voice feedback and concerns however we're also here to try and find quick resolutions with routers and other DLink products. It gets to a point where our suggestions and help probably come to an end during the course of feedback. Thus we want to suggest finding other alternative solutions, whether it be with DLink or other Mfrs. We do hope that Dlink will read, review, and consider the feedback and concerns voiced here and come up with some resolution, however, it's their business, they call the shots. We are only a few in the big pool of Dlink users and I presume they want to satisfy everyone, however I'm sure they might not be able to do just that all the time. ::)
Whether or not your private or secret life affects you and Dlink products is inconclusive, irrelevant and has no bearing on what goes on here or at DLink. Dlink may have specific customers they support and that's their business we'll never know about and aren't supported here. And if it includes the work you do then that's between Dlink and your work. I would suggest that if you're working in a place that frowns upon sharing any IP information that you keep it at work. It doesn't belong here and I would hate to see anyone get into trouble at work for it. I know all about NDAs and IP.
We deal in current relevant issues here on the forum, again, we're here to help out as much as we can for people. If we can find resolution or come to a quick fix for someone then we do recommend finding other solutions or alternatives now and not waiting.
-
And if it includes the work you do then that's between Dlink and your work. I would suggest that if you're working in a place that frowns upon sharing any IP information that you keep it at work. It doesn't belong here and I would hate to see anyone get into trouble at work for it. I know all about NDAs and IP.
That Sir is what we call a thinly veiled threat, would you like to talk to my Supervisor, Director or the Office of the Inspector General for my service? What would you tell them? That I said in a private message I spec'd a handful of switches and I was now concerned about their quality because I have caught the manufacturer making misleading statements? Or I post from work and you logged a public IP? Ha! You're a funny guy! ::) I have a copy of the rule book (my postings from work are FULLY within legal protocol for my position, I just went through that YEARLY training LAST WEEK and I do have a lunch hour and take breaks and have a PERSONAL OPINION), furthermore, my supervisor reads my posts often (take a look at the hit counter for this thread, I am not checking it by the minute for your attempt at a witty response, so someone else is reading it too). He likes the fact that I am getting my feet wet with a new layer, being IPV6. He also likes the fact that I have a stomach for posting on live forums, he says they usually degenerate into a mess when one person does not like what the other is saying, is this the case here? Don't even play work games, a lot of people get involved because someone got their feelings hurt. This is NOT like playing games with your employer or your mate, this would be of epic proportions and you will be at the center, not me (I already have hard copies to cover myself).
Looking a little closer, you have probably never held a position of authority except here, because if you had you would know that is NOT how you deal with a situation like this or a person like me, now wouldn't ya?
Thank you for giving me your thoughts on the Apple router. I was not making a comparison, they use Marvell chipsets (you know a little about them don't you? ;) ) and the Ver. 5 has Broadcom radios, but they are NOT at all forthcoming about IPV6 features, that is what I wanted to know. I will go post those questions in the Apple forums. Even after reading the manual, Apple is not forthcoming about advanced IPV6 functions. I want to see software page screen shots to VERIFY the vendor's claims this time.
Furry, can you provide any information on the specs on the new Dir-825 C-1? It was conveyed by a real Product Manager for D-Link to Packet Tracer that it has a SPI firewall on IPV6 plus a host of other IPV6 features that I find exciting, it even has external antennas! He even received screen shots but they are in German, my German is weak, I would love to see an English version, do you know any product managers that could provide this information? I could provide an E-mail address if you don't already have mine for such info. I do have the contact info for the head guy in the states, but that seems like it would be a waste of his time. Can ya provide it, Please, please, wink wink?
The Dir-857 is a nice piece of hardware, if it were in a DIR-825 package, here is my credit card number! It has not been reviewed by any major review sites and it is getting mixed reviews in non D-Link controlled forums (the firmware will catch up). The fact that it has USB 3.0 rocks, out of all my friends I am the only one that even has USB 3.0 on my desktop, and I use it pretty close to the fullest, it is now finally a toss up between Firewire 400 and USB (not Firewire 800 though), it only took a decade, similar to the whole SCSI fiasco.
Now back to the Dir-825 C-1, the reason I am interested in this hardware, the initial specs I have seen leaked shows it is a continuation on of a router I like very much, just a few weeks back I was telling you how much I like this hardware before the whole IPV6 firewall thing broke loose, but security is needed for the GENERAL POPULATION, THAT IS THE POINT, I have an advanced firewall I have purchased and installed and have not posted it public, just needed to talk to my security buds at work. The reasoning behind the C-1 vs the DIR-857, most of the bugs have been worked out in the 2 previous releases, the fact that it probably won't have USB 3.0 is a downside, but I am very interested in advanced routing features on the IPV6 layer of the DIR-825 C-1. Please share any info on the router you have.
You wanted to move this from the Euro side to this side. You wanted us to contact our local offices and take this up with them. You wanted us to express our feelings and concerns so D-link could see them here. We did and we are sharing our responses from a European user to a North American user waiting for replies from D-Link management and sharing information as it is trickled out by D-Link (and doing a little prodding to get an answer, from my side too so we don't duplicate efforts). Why is it we can get a trickle of info from the Euro side and NOTHING but YOUR opinion from this side, I honestly am no longer interested in your SKEWED OPINION, FACTS PLEASE. Packet Tracer got info from the Euro side and shared it, which I consider to be some good stuff (Dir-825 REV. C-1). How about some info from this side besides trying to discourage us? This is not personal in the slightest way. But going out and switching out my router now only to only get a firmware update in 45 days, that is a total waste of money. Unlike you and your mate, I have a Wife and family to support, purchases are strategic unlike when I was single and had every new wizz bang item and a pile of firearms (my other hobby) that money could buy. I have to make financial decisions ahead of time, you have clearly stated you have no IPV6 need, my ISP provides it, FREE. No tunnel brokers or setup nightmares. If you are only going to discourage and not be proactive, don't bother. Packet Tracer and myself have technical issues, you do not have the knowledge to fix it and clearly don't have the same technical issues or the resources to get answers. It has actually come to the point, even if you did come up with answers I would question their origin. Since you don't even have IPV6 experience, could you go find us someone that does PLEASE?
I wish I could speak German fluently, at least THEY get real answers!
Man, like an infamous LA resident said, "can't we JUST get along" even despite differences in opinion.
Internet speed through a DIR-825 with one kid streaming 1080P and the other on X-box live playing games:
(http://www.speedtest.net/result/1947490295.png)
Later!
-
Here is a great link, they take PUBLIC feedback, don't have to be a Junior G-Man to file an incident here! That's what they are there for! Government for the people!
;D ;D ;D National Vulnerability Database (USA) ;D ;D ;D
A normal every day person reported Apple to these people, no government contacts, Zero, Zip, Nada! Apple shortly there after added the firewall to the Airport. There are some D-link products here too (soon to be more unless they get a clue).
http://nvd.nist.gov/
-
Good luck.
-
"Heise Verlag", a German publishing company, has just published an article in the latest edition 11/2012 (p. 57) of their computer magazine "c't", where they report the results of tests, they had done with D-Link DIR-857. Also see here: http://heise.de/-1542395 (http://heise.de/-1542395) (but this online version says nothing about the IPv6 firewall and it is German only, sorry. But there are some images.)
-
"Heise Verlag", a German publishing company, has just published an article in the latest edition 11/2012 (p. 57) of their computer magazine "c't", where they report the results of tests, they had done with D-Link DIR-857. Also see here: http://heise.de/-1542395 (http://heise.de/-1542395) (but this online version says nothing about the IPv6 firewall and it is German only, sorry. But there are some images.)
I was able to read most of it, too bad I would have really liked to see the IPV6 screens. I am also sorry to hear about the firewall tests. I have been asking around on other manufacturers sites about IPV6, so if you go to one and see in depth IPV6 questions, a good chance it is me. Please do not post the magazine pages, very tight copyright laws in the US. I have a couple of gigabits of unused web space, I have been thinking about posting a page regarding all of this IPV6 research that is NOT valid here. Last time I did something like that, the updating time was excessive.
In a recent US Consumer Reports magazine, they went over firewalls, I have tried 3 of the top 5 listed in the magazine, IPV6 support is POOR for the top 3 I have tried so far, I have always gone back to my new one.
No hardware or software support for IPV6 but a good majority of sites I frequent at home are now IPV6 enabled. They have a widget for Firefox that shows the site's address type, the route and of course your client's address type (4 or 6). This works very good!
In the article about the DIR-857 he talked about using DSL, is the majority of internet in the EU via DSL (PPPoE)? ADSL2+?
LG,
-
No hardware or software support for IPV6 but a good majority of sites I frequent at home are now IPV6 enabled. They have a widget for Firefox that shows the site's address type, the route and of course your client's address type (4 or 6). This works very good!
Yes, I'm using a Firefox addon that provides a similar function. And since I use SixXS' DNS resolvers that are whitelisted at Google, the Google/Youtube universe gets resolved to IPv6 addresses for me. I guess about half my Internet traffic is IPv6 now.
In the article about the DIR-857 he talked about using DSL, is the majority of internet in the EU via DSL (PPPoE)? ADSL2+?
Can't say it for EU in general but for Germany that's true: PPPoE via DSL (ADSL, ADSL2+, VDSL) dominates, followed by cable modems (DOCSIS) as there is a well developed TV cable infrastructure in Germany. And in the country there still exist some desperate people using extraordinarily expensive ISDN lines for just 64 or 128 kBits, so there is some market for Internet access via satellite and (slowly coming up) via LTE. And finally FTTH is still "EXPERIMENTAL".
-
PacketTracer,
Check out this Emulator that was sent to me in regards to the research I have been doing on my side. It appears that this is the interface you were sent screen shots of, it is interactive so you can go into all the menus including the IPV6 firewall. It appears to be English only. I could care less about the WiFi, I actually would prefer that they just omit WiFi (15 Milliwatts is useless!). They might have the same thing on the Euro side?
http://support.dlink.com/Emulators/dir657/100/index.html
I am interested in your feedback, either via P/M or E-mail, if it is positive, post it here.
Might be worth my time ordering one from Amazon to give it a try as the replacement for the DIR-825 and beat the heck out of it on IPV6, if it don't work I will send it back as "not as advertised" (Have to love Amazon). Hopefully it works better than the half dozen soft firewalls I have tested.
Looks promising if it works, that just means the DIR-825 is getting closer to the skeet launcher, time to put some LEAD in the DIR-825 design! 8)
I will have construction people crawling all over for the next week at least, so take your time.
LG,
Patrick
How to screw up your Kids Xbox game:
(http://www.speedtest.net/result/1960787481.png)
-
Actually, looking deeper, here is a whole truck load of emulators for D-Link!
But the only one with IPV6 is the one I sent you (I think, at least that I could find).
http://www.dlink.com/support/faq/?prod_id=1457
And the Xbox's lag out again.......... :o
(http://www.speedtest.net/result/1960800556.png)
-
Check out this Emulator that was sent to me in regards to the research I have been doing on my side. It appears that this is the interface you were sent screen shots of, it is interactive so you can go into all the menus including the IPV6 firewall. It appears to be English only. I could care less about the WiFi, I actually would prefer that they just omit WiFi (15 Milliwatts is useless!). They might have the same thing on the Euro side?
http://support.dlink.com/Emulators/dir657/100/index.html
I am interested in your feedback
Hi Patrick,
no, what the emulator shows is not quite the same as the screen shot of the DIR-825 rev. C I was sent. The difference is an additional configuration switch called "Enable IPv6 Simple Security". According to the c't article about the DIR-857 I mentioned earlier, I guess the IPv6-firewall of the DIR-657 emulator corresponds to the version 1.00 IPv6 firewall of the DIR-857, which was reported to work incorrectly (LAN hosts were accessible from outside although no ports had been explicitly opened for incoming connection requests, and also the web configuration surface was accessible from outside even though remote management was switched off).
The c't guys were sent a new beta firmware version (1.00b15 - 03/26/2012) that fixed the IPv6 firewall and that also featured the above mentioned switch "Enable IPv6 Simple Security". They reported that if you enable this switch and leave the full firewall switched off this protects you as expected: Incoming connection requests get blocked (with the exception that LAN-hosts are pingable from the IPv6 Internet) while everything else is allowed. But otherwise, if you switch off simple security and switch on the full firewall, the c't guys reported that any IPv6 traffic is blocked completely so that you have to define a default rule that at least allows outgoing IPv6 connections.
So if you buy that DIR-657 device now and it has a firmware installed that corresponds to the emulator you take the risk that the IPv6 firewall will not work in a correct manner (if the c't test results are also applicable to DIR-657). The c't guys closed their article with the following recommendation: If you don't need IPv6, you can buy the box, otherwise it is better to wait for the next firmware version.
Maybe the same is true for the DIR-657, so ask your vendor, if the IPv6 firewall in DIR-657 features the additional simple security switch, because this might indicate that the firewall will work correctly.
Another question is if this IPv6 firewall configuration surface is user friendly. I guess no, not really. Only if you don't want to have incoming connections at all it is easy enough just to switch on simple security and well done (but then you have to accept, that your LAN hosts are pingable from the IPv6 Internet). And that meets the demands of the overwhelming majority of people.
But woe you want to open just a single port for incoming connections! I guess you then have to switch off simple security, switch on the full firewall instead, select the mode "Turn IPv6 Firewall ON and ALLOW rules listed", add a default rule for outgoing traffic (as mentioned above) and finally a second rule for the port and protocol you want to open for incoming connections. I guess, that's too difficult for most people.
Other manufacturers do that job better: They only have a kind of simple security always active (without a possibility to switch it off or activate a full mode firewall instead) that even disallows to ping end nodes from the IPv6 Internet (what is this good for?), and if you really want to open a port for incoming connections they offer this as an additional function only asking for the minimum of needed information (selecting reasonable defaults for anything else) and providing the best possible guidance to the user, to keep it simple for normal non-expert users.
PacketTracer
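Added example (not part of the post above, and not D-Link firmware code): a small Python model of the three configurations the post describes, replaying the same constructed packets through each. The decision logic is an assumption built only from the behaviour c't reported as relayed above; the class names are hypothetical and the addresses are constructed from the 2001:db8::/32 documentation range.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

# Constructed sample values from the 2001:db8::/32 documentation range.
LAN = IPv6Network("2001:db8:1::/64")
HOST = "2001:db8:1::10"        # a LAN host
REMOTE = "2001:db8:ffff::80"   # a host on the IPv6 Internet
ECHO_REQUEST = 128             # ICMPv6 type (RFC 4443)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0


@dataclass(frozen=True)
class Rule:
    """Hypothetical ALLOW rule; proto "any" and dport 0 act as wildcards."""
    direction: str             # "out" = LAN to WAN, "in" = WAN to LAN
    proto: str = "any"
    dst: str = "::/0"
    dport: int = 0

    def matches(self, direction, pkt):
        return (self.direction == direction
                and self.proto in ("any", pkt.proto)
                and IPv6Address(pkt.dst) in IPv6Network(self.dst)
                and self.dport in (0, pkt.dport))


class Firewall:
    """mode "simple": simple security on, full firewall off.
    mode "allow_list": full firewall on, only the listed rules are allowed."""

    def __init__(self, mode, rules=()):
        self.mode = mode
        self.rules = list(rules)
        self.flows = set()     # flows already permitted by policy

    def decide(self, pkt):
        direction = "out" if IPv6Address(pkt.src) in LAN else "in"
        echo_req = pkt.proto == "icmpv6" and pkt.icmp_type == ECHO_REQUEST
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        # Stateful part: replies to a permitted flow pass in either direction.
        if reverse in self.flows and not echo_req:
            return "accept"
        if self.mode == "simple":
            # Outbound is free; unsolicited inbound is dropped except ping,
            # matching the "LAN hosts are pingable" observation in the post.
            allowed = direction == "out" or echo_req
        else:
            # No implicit rules: an empty list blocks even outbound traffic.
            allowed = any(r.matches(direction, pkt) for r in self.rules)
        if allowed:
            self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return "accept"
        return "drop"


def run_scenarios():
    """Replay the same constructed traffic through each configuration."""
    traffic = {
        "lan_to_web_syn": Packet(HOST, REMOTE, "tcp", 50000, 443),
        "web_reply": Packet(REMOTE, HOST, "tcp", 443, 50000),
        "inbound_https": Packet(REMOTE, HOST, "tcp", 40000, 443),
        "inbound_ssh": Packet(REMOTE, HOST, "tcp", 40001, 22),
        "inbound_ping": Packet(REMOTE, HOST, "icmpv6", icmp_type=ECHO_REQUEST),
    }
    configs = {
        "simple_security": Firewall("simple"),
        "allow_list_empty": Firewall("allow_list"),
        # The two rules the post expects a user to add by hand.
        "allow_list_two_rules": Firewall("allow_list", [
            Rule("out"),
            Rule("in", "tcp", HOST + "/128", 443),
        ]),
    }
    return {name: {label: fw.decide(p) for label, p in traffic.items()}
            for name, fw in configs.items()}


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(name, verdicts)
```

The empty allow list is the case worth noticing: with no default outbound rule every packet is dropped, which is why the post calls for two rules just to open one port.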
-
I wonder if all this applies to the DIR-815 and 655 Rev B since I noticed it has an IPv6 Firewall. Out of all the old generation models with IPv6 support, only the DIR-655 Rev B and DIR-815 seem to have the firewall option aside the Amplifi routers. :-\
-
Thank you PacketTracer, I will shoot you an E-mail in the next day or two to discuss this more in depth. A lot of work went in the house last week/this weekend, I just want to plant myself on the couch and let the pain fade away. The emulator looked to be a pain to set up vs just setting up a simple SPI check box and maybe an ICMP Echo disable, that is why I asked. It has been 35C here when I get home for the last couple of days, the pain and heat are NOT mixing! I keep forgetting, I have a FCC test proctoring gig this Saturday in downtown LA too, large college campus, hopefully I will be able to walk to the testing! Finally a Holiday, 3 day weekend! ;D
Furry,
How Ironic would that be, I purchased the DIR-655 originally after I dumped ABC company and its inferior BUSINESS class products, but no IPV6 support on the DIR-655, so I paid Newegg to return it and purchased the DIR-825 for its IPV6 support locally. There seemed to be other problems with the DIR-655 but I am too tired to remember. I do remember it had killer range for WiFi though and great throughput. I may have been Beta testing WINDOZ 7 X64 at the time and needed IPV6 DHCP.
D-link management got back with me today, they said they were going to look into the DIR-825 B-1 IPV6 firewall issue, they said they forwarded it to a Product Manager for review, they are supposed to be contacting me privately/offline to figure out what we will do to move forward. I need to think without pain before I respond to them. The conversation between D-Link and I is still private and they are looking to see if the DIR-825 B-1 can have a firewall added (hopefully the chipset supports it). Should know more soon, if it will be private is another issue. But I do believe in not kicking someone while they are trying and they have extended a friendly hand, for now let's see if that buys anything!
And the gamers lag out:
(http://www.speedtest.net/result/1966495337.png)
-
Was your 655 a Rev A? Rev As never supported and won't support IPv6. I believe that they just added IPv6 firewall in v2.02 or 03 for the 655. I haven't checked mine yet to confirm. I noticed it was on the 655 emulator. Hope DLink can add it to the 825.
-
Yes, I had a DIR-655 A-4. Today at lunch time here on this forum, reading through all my posts from day one (so I could figure out when I bought the DIR-825 so I can get the receipt for D-Links management), the wireless on the DIR-655 kept rebooting. I tried all of the fixes for it, but none worked. I then returned it for a replacement DIR-655 A-4, but that router had the same problems too, endless reboots when a wireless client was connected, so I returned it to Newegg and they charged me a 20% re-stocking charge for wanting my money back(for a router that rebooted regularly when you used WiFi). The only reseller I could find local only had DIR-655 A-4s, but the B-1 was said to fix the rebooting problem, I could not find one for the life of me and no mail order houses would even confirm they had a DIR-655 B-1.
It appears I posted in the DIR-825 forum asking if they had any problems like the re-booting when a wireless client was connected and they did not. So needing a router ASAP, I went and purchased the DIR-825 from Office Depot for a premium. That is when testing the Wifi on the DIR-825 I realized I had about half the range of the DIR-655 A-4, so enter the 1Watt A/P and happiness, sort of.
Funny, but reading my posts before you came along, it seems I had a lot of problems with the DIR-825, then one day I was fighting a firmware install that would not complete, I did the 30/30/30 thing and it has been working great ever since. The reason I did not return the DIR-825 is because Office Depot would only do an exchange, not a refund after I ran into a myriad of problems with it too (inside the 30 day return period, maybe the store manager knew something I did NOT?). I guess in the end I am glad I had to stick around because they finally fixed most of the problems. And it was a great little router for a little less than a year after I added the 1Watt A/P and disabled the WiFi in the DIR-825, but even 18 months ago when I purchased the DIR-825 I was asking about IPV6 stability.
I saw a post off of this site with a lady you were talking with a few months back, she said she really did NOT want to change the DIR-825 because she had been through the wringer with all the problems on the DIR-825 and now that it finally was stable she did not want a NEW router to go through all the nightmares again. That is my feeling 100%, I just want the silly thing to work and not all of the headaches with the stupid firmware upgrades and being an unpaid Beta tester for 18 months. If it was not for my background I would just swallow what they tell everyone else, IT IS MY EQUIPMENT or setup, bad cable, wrong WiFi adapter, bad NIC. Reading back to one guy that went over to DSL REPORTS and posted over there after Lycan banned him for aggressively posting repair requests on the DGL-4500 forum and also questioning why problem reports were being deleted, he took the same route as me but he would only accept a refund, him and his friends got it but it took like 60 days and he had to play a lot of games with the same people I am dealing with. There is no need for that but it seems to be the NEW way, "we will fix it after you buy it!"
I guess I found a business model, make routers here in the US that work from day 1, out of the box, it seems no one else can. Reading the threads today was like a nightmare flashback. 1. Make sure you disable DST, 2. Turn off QOS, 3. Stand on your head until your ears turn red, 4. Put it on a shelf for a year while they debug the firmware, 5. PRAY it will only take a year! ???
But the DIR-825 fits the business model for Asian manufacturers, abandon the last rev for the newest and leave the problems behind every 18 months. I don't think that will ever catch on here, no matter how hard they try! Too bad, a little more work and the DIR-825 could be a legendary product!
-
It sounds like you have had some problems with your router. Seems like we have crossed paths in our forum reviews and people we talk with too. ;)
Ya there were some issues in the 4500 forum back in the day, however the one time I had issues with the 4500 was with v1.21 FW. The other versions were stable and I should have stayed with what came in the box. However after a time, v1.21 was fixed. Yes I remember the guy who was banned. I do believe there was some user configuration at fault and probably some misunderstanding about how to set these routers up and get them to work well. Just a bit more understanding and troubleshooting and help from some of us on here seems to help gain a better experience and seems to get most of these routers working well.
After I bought my 825 from a guy here on the forums, he sold it to me because his MAC filter address needs exceeded what was allotted by the router, he thought that the 825 wasn't worth it. After I got it in hand and up and running. I thought, wow, this is a great router. Even holds a candle to the 4500. Has a few more features and can do both WiFi at the same time while the 4500 can't. Gaming was just as good on the 825 and the 4500 and enjoyed the zippiness of the UI. I really could not find any faults with it, aside having the router having to reboot after saving changes every time and doesn't have the Reboot Later option like the 4500 and some other routers have. After working with the 825 for a time, I ranked it as one of the best routers I had along side the 4500.
I do feel the 825 is a great router. Yes, Like all models and mfrs, there are certain times when the code isn't done well as it should be. DLink is not alone in this as all Mfrs seem to have some faults with their code at times. Go have a look at the Net Gear forums. I was watching the 3700 forum for a while. Had one too. That's at my buddy's place now. Ya, I wish all Mfrs would have a better out of the box experience. I think Dlink is trying, as getting the DIR-857 and 645 routers to work with, I've had a great experience with them. Ease of setup out of the box and little configuration needed for gaming and other access. I believe and do hope that the next generation routers that I've experienced, will give a better out of the box experience for everyone and the code during the life of these routers will be better and users won't have to be beta tests by proxy. LOL. I think the 825, 4500, 655, 857 and 645 are great routers. They do work, however sometimes it seems there is a bit of additional help needed to effect a better experience. I still feel that most problems seen in the forums is user, configuration and environment related. Yes, at some level, there is some coding issues as well.
My 2 cents
-
There was a piece of firmware for the DIR-655 A-x series that just destroyed it, the stock firmware would not allow you to go back, someone figured out a way to go back, I did, and a Gentleman with a handle of "The Creator" actually called me up after a few P/M's, he walked me through the "tweaks" needed to make it work right, it was almost like a "spell" that you had to perform properly to get the thing to work. And really the little tweaks needed meant nothing to me, no loss of function. I guess that is what always kept me going with D-Link, there was always someone to get me through the major problems and sooner or later there was a fix.
I think in the end, the reason the DIR-655 went back was because I realized the A-4 was the end of the road and it would not get the IPV6 that I needed. It did work great after we went back a firmware rev or three. Once I learned how to switch firmware I even went back and forth trying my own "voodoo magic", but the firmware was just toast.
Yeah, this for the most part has been a good user group, you can usually get an answer. I was a Cisco business customer here at home for a while, that "membership only forum" devolved fairly quick along; with a 100 other users egging me on. Problem: Me: IPV4 firewall is wide open please advise how to enable; Them: You have a bad cable; Me: Huh?????; Them: You have a bad cable, please replace your cable and re-test; Me: Ok, cable replaced with Cat-5E, still have no active firewall; Them: Ok, that did not solve the problem, you have a virus, please reformat your hard drive and reinstall OS; Me: I have 4 computers, they all show no active firewall on XYZ router; Them: They all need to have their OS's reinstalled after formatting the hard drive; Me: Really?, you have to be joking?; Them: Have you reformatted your hard drive?; Me: What country are you in?; Them: Why does that matter, please reformat your hard drive; Me: Well I was wondering where you got your degree at?; Them: Why does that matter, please reformat your hard drive and reload the OS; Me: Well, I am thinking you got your degree out of a Cracker Jack box and you're cutting and pasting from a script, furthermore I think English is not even close to your native language because if you think for a second that reformatting my hard drive is going to affect a hard firewall, you are an IDIOT, now quit wasting my time and go get me someone that can count in Hexadecimal (Base 16), preferably with a degree and a NATIVE English speaker that can help me with my firewall problem. The crowd goes wild pelting the idiot with comments! And I get banned, so I return the Cisco BUSINESS junk, and move on to D-Link.
I was considering just returning the DIR-825 to management after I find the receipt, after I verify that I can do 6RD from my computer and my old faithful nameless Unix based router that still gets firmware updates 5 years after it was made in spite of newer better hardware revs coming out, and ending this cluster. Don't have much time to worry about anything right now, several corporate branches just dumped huge piles of money on me so I have to go find out what this years newest buzz words are and compare them to legacy equipment and make several million worth of "Informed decisions" for them. I should crawl out around January if I am lucky.
Maybe I will get lucky and they will roll back IPV6 and I will have the best router and user group on the planet! ;D
-
I've heard and seen some stories about Rev A 655s. I guess they fixed most of that in Rev B. My Rev B has been very stable until recently with v2.07 and 2.08 Beta. They broke Shareport in .07, fixed it in beta .08, however it is now causing some odd behavior, with all activity on the LAN side constantly ON and doing something. Latest and greatest stable is v2.03 and enjoy it.
Ya, seems like some people just don't know really how to understand and troubleshoot problems and find it easier to push problems to other areas rather than actually getting dirty and digging down to find the problem. Ya, you just don't reformat PCs if the problem is located elsewhere. Why do you think I post that scripted response when I post...there IS a reason. ::)
Well if you can't return the unit, maybe someone on here might buy it. ;) I would, however I got one. Hehe. I suppose I could and just find an owner too.
-
I just bypassed the agency I was using to respond to management, they were only giving me 1200 characters to respond. If you look at the DSL reports thread regarding the 4500, the D-Link manager's name was all over it. I gave them enough to keep the case open though!
I had to track down my receipt, I paid 141 bucks for this thing! I remember now why I went with the DIR-825, IPV6 and a Gigabit switch. I was looking at loading the old routers I have up with DD-WRT and enabling IPV6 but I forgot about the 100Mbps ports on them. Doing some other testing, I locked the port to the Ubee modem I am now using to 100Mbps by accident and only was getting 70-80Mbps down on my internet connection. Back when I bought the DIR-825 I had a server for E-Mail and PC backup with RAID drives and was using GigE, it was maxing those hard drives out. I have been looking hard at a large SSD, those puppies scream with SATA 3. Now my ISP would max out the 100Mbps fast Ethernet ports alone!
Since you support the Amplifi line, what is the difference between the 2 dual banders? The only bummer is no way to test IPV6, I saw the feedback you left for your ISP, same boat I was in with Time Warner, I was going to setup a tunnel until I moved and walked into 6RD which is much easier. But I have opened up a can of worms for my ISP, a lot of people are now trying it after I gave it 5 stars in a thread, people are running into problems. But the ISP seems to be doing well fixing the problems on IPV6!
-
Is there a link to that specific thread about the 4500?
The differences are 450Mb WiFi, USB 3.0, IPv6 Firewall, 20/40MHz Coexistence, Next Gen QoS or HD Fuel as they call it, to name a few.
Ya I asked my ISP when native IPv6 is coming, no idea yet. :-\
I suppose I could test out IPv6 if someone could help me get the Hurricane tunnel going. ::) I tried once with the 825 however I don't think it was able to get it going as the test results on the Hurricane site kept saying the connection wasn't passing.
-
I was asking about the Amplifi line, there is the 2000 and the 3000, they look to be pretty close to the same? Dual band, IPV6, maybe a little slower on wifi, but I prefer my wifi solution to 15Mw of power and with regards to the speed I have, my high power stuff tops out at 70Mbps +/- because of the 10/100Mbps only connection on my WiFi A/P. I will probably downgrade speeds, no need for 100Mbps as of yet!
Here is one of the links, but really there are numerous and newer, this is like the longest anti "INSERT COMPANY" rant I have ever seen.
http://www.broadbandreports.com/forum/r22572439-D-Link-Banning-Users-and-Deleting-Posts-Critical-Of-D-Link
I got one of my loaner routers back because the family member went with FIOS finally, vs 1.5Mbps x 384Kbps. I looked at going with DD-WRT or open WRT. Honestly, I just want to use the darn thing and not make a career out of this any longer.
My 24yo daughter is moving back home, she usually needs a lot of my attention vs me playing with this internet stuff, I just want to be an appliance user. I just ran a CAT-6 cable to her computer and removed IPV6, she is going for an advanced degree, her luck she will get hacked and lose something important.
Seriously, all horse hockey aside, what is your opinion of the 2000 line or should I bite the bullet and go with the 3000. My daughter because of her school/work hours streams a lot of video, I was going to lose the 100Mbps ISP plan today until I found out she was coming back home.
The D-Link manager was leaning towards a warranty return and swap, but who knows what I will get. I just need to be done ASAP now that my oldest is back. She takes after me a lot, first time my 18yo or 21yo boy gives her lip I can see me being needed as a referee in short order! Or one of the boys will end in the hospital! 6'4" tall, athletic and vicious with no patience, yup, just like me. The boys don't stand a chance. :o
Later,
Pat
(http://www.speedtest.net/result/1974867937.png)
-
Sounds like a lot is going to be happening at your house.
Ya I remember that. I feel that was a situation that some of the users were being a little bit on the demanding side and again, not fully understanding their routers and capabilities and the problems at hand and just were too demanding of what they wanted from DLink. One of the posters said that there only seem to be a handful of users with the purported problems and some of these users were probably blowing the situation far beyond what it really needed to be. This was only during one phase of FW build on the router which was fixed. I personally think that the users involved were just too impatient and not professional enough to talk to Dlink on the forums, Mods and Admins to wait for the fix that did come. I was a part of testing during that phase and remember the problems v1.2x introduced. Yes I'll give the devil some due however users don't need to act in an inappropriate manner either. That was a long time ago and things have changed for the better since then. The DGL-4500 is still a SOLID and Stable router. Just like the 825 is. Moving along now. ::)
Honestly, the 825 should handle anything you and your daughter do, especially on a 100Mb down ISP. Really? I have a 50/2 here and it works just great for me and 2 others. And I do all of the gaming.
I don't see why the 825 won't handle anything beyond the IPV6 firewall abilities.
I don't have the 2000 series router, I haven't had a chance to pick one up, I currently have the 1000, Whole Home 1000 and the 3000. I must say each one has been very good. The 1000 routers are great follow-ons to the DIR-655. The Whole Home 1000 is just like the 655 however has multimedia abilities that the 655 doesn't and has a different QoS engine and SmartBeam technology and a round case housing. You can see an example in a 645 QoS setup for XBL in the FAQ Library. Up until yesterday, I had been using it and enjoying it. I have switched back to the 3000 to test out new FW. I believe the 2000 router is a great follow-on to the 825. I believe it has more multimedia abilities than the 825 has however all Amplifi routers are internal antenna based. Both have same WiFi speeds I think, where the 3000 does 450Mb WiFi connections. I have tested it using a TRENDnet 450Mb adapter. Very nice. Will be nicer when client side Mfrs start supporting the higher WiFi connection speeds as some of my HW will become outdated as higher speeds become more prominent.
Soon as I'm done testing the 3000 out for a while, I'm putting the 825 back online to enjoy its abilities. Maybe see if I can get IPv6 tunnel going with Hurricane. :-\
If you're really needing IPV6 and the firewall, one of the Amplifi line of routers will do you well. I do like the 3000 model the best.
Let us know what you go with.
Enjoy your fatherly duties of fending off suitors for your daughter. ::)
Good Luck.
-
Why would you use the DIR-825 vs the 3000 to go with IPV6? I looked over the manual for the 3000 and it looks like it will do everything that the DIR-825 will do plus security.
I know PacketTracer has experience with the DIR-825 and HE I believe. I use 6RD which from all the reading is close to 6in4. I would suppose since you get the ISP's IP addresses with 6RD you would have to be on one of their IPV4 addresses so you could not piggy back on 6RD. I know Charter is hiding its IPV6 addresses, traceroutes don't work once you get local, they just don't respond to pings until you get on the backbone, why, I have no clue. I tried to do a tracert to another Charter user, no go, but I could ping him and the ping time was very fast for half way across the country. I even went to a couple of looking glass sites and still could not get to myself, but I could ping myself.
I guess I don't get the whole 450 WiFi thing unless it is being used to transfer files. The fastest ISP right now is FIOS and in some markets you may get 150Mbps but even then I rarely see over 40Mbps. I was downloading Nvidia drivers today and actually was getting 85Mbps, but that is rare and the first time I have really seen over 20-40Mbps. I guess then again you could put more people on a 450 connection. I even turned my 300 channel off, I think it is at 150, trying to be neighbor friendly.
One of the 4500 rants I was reading was over the firewall only blocking a port VS stealth. I know the reason people want stealth, no response and no brute force attacks. But on IPV6 for it to work in some cases you need at least an Echo for it to work. Heck, on IPV6 I would settle for a "please leave a message" response as opposed to "come on in" like I am getting now.
Eh, maybe I will get a direct response next week and it will all be over with, for now I just turn off the IPV6 stacks in everyone else's computer, my understanding is this disables a part of Windows that has to do with media sharing, for whatever reason Win 7 uses IPV6 for something that has to do with media sharing and homegroups. I know when I wired the daughter up this morning, Win 7 was very insistent on having IPV6 turned on, but I still could discover the other Win 7 machines on my network, so who knows! ??? Perhaps a feature I am not using....
Hmmm, looks like one of the big twerps is using some bandwidth ???
(http://www.speedtest.net/result/1975106936.png)
-
Cuz the 825 is still a great router and I don't have a need for IPv6, yet!
-
Back in August 2011, I asked D-Link support "Port 80 is open on my computer according to an IPv6 port scanner. How do I enable packet filtering with IPv6?"
I received this reply: "DIR-825_Rev B1 does not support IPv6 firewall that's why Port 80 shows open on your computer. Thank you for networking with D-Link."
Like others, I'm waiting for a firmware version that supports an IPv6 firewall. In the meantime, I have been using the DIR-825 with OpenWRT firmware, which supports an IPv6 firewall.
-
D-Link is one of only five home router vendors mentioned on "world ipv6 launch day" website (yes, it's today!): http://www.worldipv6launch.org/participants/?q=3.
If you follow the D-Link link given there (http://www.dlink.com/ipv6#4) in order to see their IPv6-certified products, the DIR-825 is mentioned but now restricted to "Hardware Revision C1" (don't know if this restriction was in existence before the start of this forum thread).
-
I have DIR-652 rev. B1 and it has IPv6 firewall (and all ports are gigabit, incl. wan)
Here is gui:
IPv6 SIMPLE SECURITY
Enable IPv6 Simple Security: [checkbox]
IPv6 FIREWALL
Configure IPv6 Firewall below: [dropdown]
Turn IPv6 Firewall OFF
Turn IPv6 Firewall ON and ALLOW rules listed
Turn IPv6 Firewall ON and DENY rules listed
Remaining number of firewall rules that can be configured:
(max 20 rules)
No idea what "IPv6 Simple Security" means though, and no idea what it means if I enable simple security AND select "Turn IPv6 Firewall ON and ALLOW rules listed". Will turning on the firewall invalidate simple security, OR will they work together and be more secure than if just enabling "Turn IPv6 Firewall ON and ALLOW rules listed"? The manual says nothing about the details, so who knows...
-
Link>Welcome! (http://forums.dlink.com/index.php?topic=41537.0)
Where did you get this router from?
Link>What Firmware (http://forums.dlink.com/index.php?topic=47512.0) version is currently loaded? Found on router's web page under status.
What region are you located in?
Can you post a screen capture of this by chance?
-
Link>Welcome! (http://forums.dlink.com/index.php?topic=41537.0)
Where did you get this router from?
Link>What Firmware (http://forums.dlink.com/index.php?topic=47512.0) version is currently loaded? Found on router's web page under status.
What region are you located in?
Can you post a screen capture of this by chance?
I got it from D-Link United Kingdom (RMA of my DIR-652 rev. A1, got B1 back).
It has firmware 2.00.
My region is EU.
Firewall screen looks exactly like here (DIR-857):
http://www.foxnetwork.ru/index.php/en/component/content/article/124-d-link-dir-857.html
and here (DHP-1565):
http://www.dlink.com/us/en/home-solutions/connect/routers/-/media/Consumer_Products/DHP/DHP%201565/Manual/DHP1565manrevA1euv100.pdf
DIR-652 A1 did not have ipv6 firewall at all, so it was a nice upgrade:-)
The only annoying thing is they removed WISH from B1 (it existed in A1). Not that I ever used it, but don't like stuff being removed.
-
Haha, WISH is actually present, it's just not visible\selectable in GUI, but if I enter http://192.168.0.1/adv_wish.asp I get there. A GUI bug?
Also weird things in the manual DIR-652_B1_Manual_v2.01(EU).pdf:
-WISH is visible in screenshots but is not mentioned anywhere.
-IPv6 firewall is visible in screenshots, but screenshot is wrong: it only shows IPV6 FIREWALL RULES, not IPv6 SIMPLE SECURITY, so this screenshot must be from an unreleased version.
-
Hmm, must be some special build they did over there as other 825 U.S. and some EU Rev B units do not have IPv6 Firewall included and there was a limited run on Rev C I believe that came out with IPv6 Firewall. Rev Bs had a certain limited memory so I presume the reason they removed WISH was to make room for the IPv6 Firewall programming.
The UI might be hidden or they wanted to hide it since they probably have removed the WISH code from the FW so even if you attempt to enable it from the hidden menu, WISH might not work at all. ::)
I recommend contacting DLink support and asking them if there is going to be any other FW for this unit, as the most current FW version on the UK web site is:
2.05EUB09 Firmware 06/01/2012
Your FW seems special and the version is not matching to what is listed on the web site. Make sure there is future support for it if needed. This could present problems in the future should one attempt to load FW code that's on the current web site. That could blow away what you have since I presume those versions do not include the IPv6 firewall programming.
Most older gen Xtreme Rev A class routers did not support IPv6, at least here in the U.S.
The screen shots and that PDF are probably for what is currently released on the market for EU Rev B routers. Again, IPv6 Firewall was not an option on Rev B models up to this point. I presume that you have a special build of FW they did for some reason.
Well, good for you. Hope it works out well for you.
Enjoy.
-
I think you are confused, I have DIR-652 rev. B1, not DIR-825:-)
-
Ah I read it as you sent in a DIR-652 and got back a 825 since you posted here in the 825 forum. LOL. OK, my bad. ::)
Still don't see any Rev B 2.xx FW on the UK web site. I presume they would post it sooner or later. I do see v2.00b40 listed on the TSD web site so that's probably what this has loaded. Dated 2012/10/18
I presume that the hidden WISH still stands though, had to make room for IPv6 Firewall. :-\
Well hope it works well for you.
-
In a post someone was asking for any d-link gigabit router with ipv6 firewall and thought I could help, but I see the confusion now:-P
-
Sorry about that. I get stuck in a one track mind sometimes.
You might also post this over on the DIR-655 forum as well. Would be helpful and thank you for sharing.
All info is appreciated.
;)
-
Here is gui:
IPv6 SIMPLE SECURITY
Enable IPv6 Simple Security: [checkbox]
IPv6 FIREWALL
Configure IPv6 Firewall below: [dropdown]
Turn IPv6 Firewall OFF
Turn IPv6 Firewall ON and ALLOW rules listed
Turn IPv6 Firewall ON and DENY rules listed
Remaining number of firewall rules that can be configured:
(max 20 rules)
No idea what "IPv6 Simple Security" means though, and no idea what it means if I enable simple security AND select "Turn IPv6 Firewall ON and ALLOW rules listed". Will turning on the firewall invalidate simple security, OR will they work together and be more secure than if just enabling "Turn IPv6 Firewall ON and ALLOW rules listed"? The manual says nothing about the details, so who knows...
I am not sure about this but I guess that IPv6 SIMPLE SECURITY is D-Link's implementation of RFC6092 (http://tools.ietf.org/html/rfc6092) ("Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service").
So if you enable IPv6 simple security and leave the IPv6 firewall off, you should have a stateful filtering behaviour as described in RFC6092 (http://tools.ietf.org/html/rfc6092) which tries to establish the same degree of a default security as users are used to with IPv4 behind a NAT-Box where NAT isn't available with IPv6.
RFC6092 (http://tools.ietf.org/html/rfc6092), chapter 2:
Prior to the widespread availability of IPv6 Internet service, homes
and small offices often used private IPv4 network address realms
[RFC1918] with Network Address Translation (NAT) functions deployed
to present all the hosts on the interior network as a single host to
the Internet service provider. The stateful packet filtering
behavior of NAT set user expectations that persist today with
residential IPv6 service. "Local Network Protection for IPv6"
[RFC4864] recommends applying stateful packet filtering at
residential IPv6 gateways that conforms to the user expectations
already in place.
RFC6092 (http://tools.ietf.org/html/rfc6092), chapter 2.3:
The general operating principle is that transport layer traffic is
not forwarded into the interior network of a residential IPv6 gateway
unless it has been solicited explicitly by interior transport
endpoints, e.g., by matching the reverse path for previously
forwarded outbound traffic, or by matching configured exceptions set
by the network administrator. All other traffic is expected to be
discarded or rejected with an ICMPv6 error message to indicate the
traffic is administratively prohibited.
In contrast if you disable simple IPv6 security and turn IPv6 firewall on, there are no default rules as predefined with simple security according to RFC6092 (http://tools.ietf.org/html/rfc6092). Instead you have to define the rules of your own.
For example if you activate "Turn IPv6 Firewall ON and ALLOW rules listed" all inbound and outbound traffic is completely blocked. In this situation you have to define at least one rule that allows outgoing traffic of any kind (which implicitly allows inbound response traffic due to the firewall's stateful inspection feature).
In this respect "Enable IPv6 Simple Security" and "Turn IPv6 Firewall ON ..." should exclude each other.
PacketTracer
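
The two behaviours discussed in the post above, as an added Python model that is not part of the original thread and is not D-Link's firmware logic: the RFC 6092 principle (outbound allowed, inbound only when solicited or explicitly excepted) next to a default-deny allow-list that keeps flow state. The class and function names are hypothetical, the addresses are constructed from the 2001:db8::/32 documentation prefix, and the allow-list semantics are assumed from the post's description.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN to Internet, "in" = Internet to LAN
    proto: str       # "tcp" or "udp"
    lan_addr: str    # interior host
    lan_port: int
    wan_addr: str    # exterior host
    wan_port: int

    def flow(self):
        # Same key for both directions, so a reply matches its request.
        return (self.proto, self.lan_addr, self.lan_port, self.wan_addr, self.wan_port)

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    lan_addr: Optional[str] = None   # None matches any interior host
    lan_port: Optional[int] = None   # None matches any interior port

    def matches(self, p):
        return (self.direction == p.direction and self.proto == p.proto
                and self.lan_addr in (None, p.lan_addr)
                and self.lan_port in (None, p.lan_port))

class Gateway:
    """Hypothetical model of a stateful IPv6 gateway (assumed semantics)."""
    def __init__(self, outbound_default_allow, rules=()):
        self.outbound_default_allow = outbound_default_allow
        self.rules = list(rules)
        self.state = set()   # flows that have already been forwarded

    def forward(self, p):
        if p.flow() in self.state:
            return True      # reverse path of a known flow
        ok = any(r.matches(p) for r in self.rules)
        if p.direction == "out" and self.outbound_default_allow:
            ok = True        # RFC 6092 style: interior hosts may initiate
        if ok:
            self.state.add(p.flow())
        return ok            # False = discarded or rejected

# Constructed sample traffic.
PC, WEB, STRANGER = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:bad::1"
REQUEST = Packet("out", "tcp", PC, 50000, WEB, 443)
REPLY = Packet("in", "tcp", PC, 50000, WEB, 443)
UNSOLICITED = Packet("in", "tcp", PC, 80, STRANGER, 40000)

def run(gateway):
    # The unsolicited packet is tried first, before any state exists.
    return [gateway.forward(p) for p in (UNSOLICITED, REQUEST, REPLY)]

def compare():
    out_rule, port80 = Rule("out", "tcp"), Rule("in", "tcp", PC, 80)
    return {
        "simple_security": run(Gateway(True)),
        "allow_list_no_rules": run(Gateway(False)),
        "allow_list_out_rule": run(Gateway(False, [out_rule])),
        "allow_list_plus_port80": run(Gateway(False, [out_rule, port80])),
    }
```

Each list in the result is the verdict for the unsolicited inbound packet, the outbound request and its reply, in that order; only the last configuration, with an explicit inbound exception for port 80, lets the unsolicited connection through.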