
Author Topic: IPv6 Firewall?  (Read 80352 times)

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: IPv6 Firewall?
« Reply #45 on: May 11, 2012, 04:16:55 PM »

Two days ago I got another message from the German D-Link product manager where he said that besides DIR-857 also the DIR-825 Rev C has an IPv6 Firewall. He even sent me a snapshot of the configuration tab for the IPv6 firewall within the web configuration surface of the DIR-825 Rev C.

Meanwhile I was in contact with a German publishing company for computer magazines (http://www.heise.de or international: http://www.h-online.com/) who was also one of the organizers of the 4th German IPv6 congress, that has just taken place in Frankfurt and that I have attended (sorry, German only: http://www.ipv6-kongress.de/events/2012/ipv6-kongress/programm/). Within a BOF session I used the opportunity to ask the Heise representative, if they could do an analysis of the IPv6 capabilities of current CPE devices for home users and publish the results. I also reported about the bad impression I had experienced from a box bearing an IPv6 ready logo but not having an IPv6 firewall. It was the beginning of an interesting discussion amongst the attendant IPv6 experts but the interesting point was the statement from the Heise representative, that they already were planning to do that. They even had already done some tests of those products and especially they knew about the missing IPv6 firewall in the D-Link boxes they had tested ...

In another talk the speaker explained the profiles/logo programs that exist in the world. There are about 5-6 ones, IPv6 ready logo being only one of them. RIPE 501 (http://www.ripe.net/ripe/docs/ripe-501) is another one here in Europe, and for the States there is a separate one whose name I can't remember any more. IPv6 ready logo is not of much value and is mainly used for marketing purposes. In a third talk a product manager of a well known German CPE manufacturer said they don't plan to get the IPv6 ready logo for their products because it is not worthwhile for them. Instead they design the IPv6 capabilities of their boxes in conformance with RFC6204 (Basic Requirements for IPv6 Customer Edge Routers) which is a superset of the IPv6 ready logo program. And of course they have a built-in IPv6 firewall from the very beginning according to RFC6092.
« Last Edit: May 12, 2012, 02:00:57 AM by PacketTracer »
Logged

Patrick533

  • Level 3 Member
  • ***
  • Posts: 271
Re: IPv6 Firewall?
« Reply #46 on: May 11, 2012, 06:44:45 PM »

Quote
Two days ago I got another message from the German D-Link product manager where he said that besides DIR-857 also the DIR-825 Rev C has an IPv6 Firewall. He even sent me a snapshot of the configuration tab for the IPv6 firewall within the web configuration surface of the DIR-825 Rev C.

Sir,

Good work! We are still waiting for a response from D-Link management stateside. They have 7 business days left to respond to what we sent them on this end. The response should be public so that would only help you too. I assume that since their headquarters is in Taiwan, they may be the ones responding so it may take a couple of extra days. If there is no response the first time, another query will be sent and another 10 day wait, if they don't respond to the second one, after that the discovery is done and my allegations will be considered valid. Then I can start causing problems. Since you are covering it in the EU and I am covering it in the States, they can't say they weren't told. I have also started discussions in other places I frequent regarding IPV6 and how the roll out should be handled, I always make sure to mention my rude awakening with D-Link and firewalls, ALWAYS scan your ports! I don't care who makes it.

If you read through my posts above, you will see where I found the news release for hardware rev. C-1. I assumed it would be fixed in that version, but if you read what has been posted about the REV. C-1, it is the same description and the same Gold logo. D-Link almost always leaves the older hardware in whatever condition it is in when they start on a new hardware REV., so no more firmware fixes for the B-1 rev once C-1 comes out, which will be IPV6 day 2012, I am sure of it.

Since the Dir-655 is said to either have or to be coming out with IPV6, once I am done with the Dir-825, I will be testing the Dir-655 next and going through the same process, then I will return the Dir-655 to the vendor and go buy the new router that will do the job the DIR-825 WAS supposed to do. I need the DIR-825 for a bridge behind a good router so no waste or worries, it will just hopefully work with the next brand I purchase. Or maybe I will sell it on eBay to one of their Fan Boys, the ones that list every single product they have purchased from D-Link under their signature tab, instead of a signature, and then go buy 2 new dual band routers, 1 for a bridge the other to protect me.

I was reading an interview with another US based manufacturer regarding IPV6, the CEO was saying what a great chance this is for his company to have great income for the next few years, when asked why his company was leaving security out for IPV6 the interview basically ended. It seems like they want to double dip (take 2 servings) on this hardware upgrade that is required, first you get IPV6 for 100E, then you buy another box for another 100E that does the same thing as the first but now has security ENABLED. Also basically filling the garbage landfills with hardware that is still usable. We hard working people MUST keep buying things if we are to keep stuffing the CEOs' pockets with cash which keeps the Chinese economy going so hopefully someday the Chinese people will buy lots of stuff from us. But truly the only people getting rich are the CEOs and the companies, I will never live long enough to see the Chinese be able to drop 100E on a router and the way I figure it I still have a good 25 years left on this planet, if not longer.

Make sure you keep a copy of this thread in the EU in case it disappears!  ::)
  
« Last Edit: May 11, 2012, 06:47:21 PM by Patrick533 »
Logged

Patrick533

  • Level 3 Member
  • ***
  • Posts: 271
Re: IPv6 Firewall?
« Reply #47 on: May 11, 2012, 06:50:34 PM »

There it is! The Dir-655, IPV6 READY!  http://www.dlink.com/DIR-655

My work NEVER ends!
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: IPv6 Firewall?
« Reply #48 on: May 11, 2012, 09:29:10 PM »

The DIR-655 Rev B1 has had IPv6 since last year or before. Again, like the 825 and 615, it does not have the firewall in addition.
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

Patrick533

  • Level 3 Member
  • ***
  • Posts: 271
Re: IPv6 Firewall?
« Reply #49 on: May 12, 2012, 06:36:43 AM »

Quote
The DIR-655 Rev B1 has had IPv6 since last year or before. Again, like the 825 and 615, it does not have the firewall in addition.

You have an Airport Extreme (3rdGen) listed on your signature. That was one of the routers that was listed on the NTIA Government site as originally not having an IPV6 firewall, but after consumer complaints it was added. In reading, I guess Apple was bombarded by outcry that it did NOT have a native IPV6 firewall, even after customer complaints they resisted adding it. When they ran across someone like me with a bad attitude and enough knowledge to be dangerous that laid out the test scenario and how it could be a liability for a customer, they fixed it within 60 days (funny how that works), no redesign required.

How do you like that router/AP? Looks like a nice design? Much better than the Hershey's Kisses looking old design! No external antennas, but 10 minutes with a drill and a soldering iron I could fix that and make it look like it grew there! Even have the connectors and cable in my desk drawer here. Ever hook 2 together in a router/ bridge mode configuration?

Reading the tech specs http://www.apple.com/airportextreme/features/wi-fi.html it even has a higher WiFi output than the DIR-655 which has legendary WiFi range. Reading the Dir-655 review compared to the Dir-825 you would swear that it was 2 different companies.

I considered DD-WRT on the 825 which has a native IPV6 firewall, but in my line of work we are not supposed to use 3rd party firmware (even at home, no jail broken, rooted, dd-wrt, can't even have a trigger job on my Glock or Sig! Can't even have a picture of myself on Facebook!). So I need a company that supports me and what I want to do, out of the box. Though I THOUGHT I had done this the first time, it goes back to the shame on me shame on you rule.

Time to feed the animals and walk the fence and make sure there are no creepy crawlers (slithering or 2 legged) to ruin either me or my animals' day.

Later!


Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: IPv6 Firewall?
« Reply #50 on: May 12, 2012, 11:05:52 AM »

Even though I have the AE 3rd Gen router and it does have the IPv6 firewall, I don't agree with your comparison as that router is a completely different router and I would presume that the SW, HW and chipset used between Apple and DLink are different and it would be up to Apple and Dlink to know whether or not the HW would support any continued upgrades and developments.

I actually have the 1st gen AE and it worked just as good as the 3rd Gen. Only thing I don't care for is that you can't turn off 2.4GHz radio on the router and you can't set single modes. Maybe they allowed that in follow on gens. I'm not going to raise an outcry for it.

I'm sure DLink is aware of this issue and it will be up to them whether or not they are going to do anything with the current router Revs out there. Since the next gen routers are out there and the 857 has been released, I wouldn't put a lot of wishful thinking into hoping that DLink will do anything with these current old gen routers. I presume that maybe they might and satisfy those limited users of IPv6 having this major concern with no IPv6 native firewall, however on the other hand, if marketing has anything to do with it, they might just push for new development and current work on the next gen routers, leaving the old gen routers behind. I would keep this in mind.

Overall, if you're looking for a quick fix from DLink or response back from them, I wouldn't hold your breath. I would research alternatives to getting IPv6 security in place now, either with a different router or a SW solution. These forums are a place to voice feedback and concerns however we're also here to try and find quick resolutions with routers and other DLink products. It gets to a point where our suggestions and help probably come to an end during the course of feedback. Thus we want to suggest finding other alternative solutions, whether it be with DLink or other Mfrs. We do hope that Dlink will read, review, and consider the feedback and concerns voiced here and come up with some resolution, however, it's their business, they call the shots. We are only a few in the big pool of Dlink users and I presume they want to satisfy everyone, however I'm sure they might not be able to do just that all the time.  ::)

Whether or not your private or secret life affects you and Dlink products is inconclusive, irrelevant and has no bearing on what goes on here or at DLink. Dlink may have specific customers they support and that's their business we'll never know about and aren't supported here. And if it includes the work you do then that's between Dlink and your work. I would suggest that if you're working in a place that frowns upon sharing any IP information that you keep it at work. It doesn't belong here and I would hate to see anyone get into trouble at work for it. I know all about NDAs and IP.

We deal in current relevant issues here on the forum, again, we're here to help out as much as we can for people. If we can find resolution or come to a quick fix for someone then we do recommend finding other solutions or alternatives now and not waiting.



Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

Patrick533

  • Level 3 Member
  • ***
  • Posts: 271
Re: IPv6 Firewall?
« Reply #51 on: May 12, 2012, 04:04:01 PM »

Quote
And if it includes the work you do then that's between Dlink and your work. I would suggest that if you're working in a place that frowns upon sharing any IP information that you keep it at work. It doesn't belong here and I would hate to see anyone get into trouble at work for it. I know all about NDAs and IP.

That Sir is what we call a thinly veiled threat, would you like to talk to my Supervisor, Director or the Office of the Inspector General for my service? What would you tell them? That I said in a private message I spec'd a handful of switches and I was now concerned about their quality because I have caught the manufacturer making misleading statements? Or I post from work and you logged a public IP? Ha! You're a funny guy!  ::) I have a copy of the rule book (my postings from work are FULLY within legal protocol for my position, I just went through that YEARLY training LAST WEEK and I do have a lunch hour and take breaks and have a PERSONAL OPINION), furthermore, my supervisor reads my posts often (take a look at the hit counter for this thread, I am not checking it by the minute for your attempt at a witty response, so someone else is reading it too). He likes the fact that I am getting my feet wet with a new layer, being IPV6. He also likes the fact that I have a stomach for posting on live forums, he says they usually degenerate into a mess when one person does not like what the other is saying, is this the case here? Don't even play work games, a lot of people get involved because someone got their feelings hurt. This is NOT like playing games with your employer or your mate, this would be of epic proportions and you will be at the center, not me (I already have hard copies to cover myself).

Looking a little closer, you have probably never held a position of authority except here, because if you had you would know that is NOT how you deal with a situation like this or a person like me, now wouldn't ya?

Thank you for giving me your thoughts on the Apple router. I was not making a comparison, they use Marvell chipsets (you know a little about them don't you? ;) ) and the Ver. 5 has Broadcom radios, but they are NOT at all forthcoming about IPV6 features, that is what I wanted to know. I will go post those questions in the Apple forums. Even after reading the manual, Apple is not forthcoming about advanced IPV6 functions. I want to see software page screen shots to VERIFY the vendor's claims this time.

Furry, can you provide any information on the specs on the new Dir-825 C-1? It was conveyed by a real Product Manager for D-Link to Packet Tracer that it has an SPI firewall on IPV6 plus a host of other IPV6 features that I find exciting, it even has external antennas! He even received screen shots but they are in German, my German is weak, I would love to see an English version, do you know any product managers that could provide this information? I could provide an E-mail address if you don't already have mine for such info. I do have the contact info for the head guy in the states, but that seems like it would be a waste of his time. Can ya provide it, Please, please, wink wink?

The Dir-857 is a nice piece of hardware, if it were in a DIR-825 package, here is my credit card number! It has not been reviewed by any major review sites and it is getting mixed reviews in non D-Link controlled forums (the firmware will catch up). The fact that it has USB 3.0 rocks, out of all my friends I am the only one that even has USB 3.0 on my desktop, and I use it pretty close to the fullest, it is now finally a toss up between Firewire 400 and USB (not Firewire 800 though), it only took a decade, similar to the whole SCSI fiasco.

Now back to the Dir-825 C-1, the reason I am interested in this hardware, the initial specs I have seen leaked shows it is a continuation on of a router I like very much, just a few weeks back I was telling you how much I like this hardware before the whole IPV6 firewall thing broke loose, but security is needed for the GENERAL POPULATION, THAT IS THE POINT, I have an advanced firewall I have purchased and installed and have not posted it public, just needed to talk to my security buds at work. The reasoning behind the C-1 vs the DIR-857, most of the bugs have been worked out in the 2 previous releases, the fact that it probably won't have USB 3.0 is a downside, but I am very interested in advanced routing features on the IPV6 layer of the DIR-825 C-1. Please share any info on the router you have.

You wanted to move this from the Euro side to this side. You wanted us to contact our local offices and take this up with them. You wanted us to express our feelings and concerns so D-Link could see them here. We did and we are sharing our responses from a European user to a North American user waiting for replies from D-Link management and sharing information as it is trickled out by D-Link (and doing a little prodding to get an answer, from my side too so we don't duplicate efforts). Why is it we can get a trickle of info from the Euro side and NOTHING but YOUR opinion from this side, I honestly am no longer interested in your SKEWED OPINION, FACTS PLEASE. Packet Tracer got info from the Euro side and shared it, which I consider to be some good stuff (Dir-825 REV. C-1). How about some info from this side besides trying to discourage us? This is not personal in the slightest way. But going out and switching out my router now only to get a firmware update in 45 days, that is a total waste of money. Unlike you and your mate, I have a Wife and family to support, purchases are strategic unlike when I was single and had every new whiz-bang item and a pile of firearms (my other hobby) that money could buy. I have to make financial decisions ahead of time, you have clearly stated you have no IPV6 need, my ISP provides it, FREE. No tunnel brokers or setup nightmares. If you are only going to discourage and not be proactive, don't bother. Packet Tracer and myself have technical issues, you do not have the knowledge to fix it and clearly don't have the same technical issues or the resources to get answers. It has actually come to the point, even if you did come up with answers I would question their origin. Since you don't even have IPV6 experience, could you go find us someone that does PLEASE?

I wish I could speak German fluently, at least THEY get real answers!

Man, like an infamous LA resident said, "can't we JUST get along" even despite differences in opinion.

Internet speed through a DIR-825 with one kid streaming 1080P and the other on X-box live playing games:





Later!




« Last Edit: May 12, 2012, 04:10:57 PM by Patrick533 »
Logged

Patrick533

  • Level 3 Member
  • ***
  • Posts: 271
Re: IPv6 Firewall?
« Reply #52 on: May 12, 2012, 04:17:26 PM »

Here is a great link, they take PUBLIC feedback, don't have to be a Junior G-Man to file an incident here! That's what they are there for! Government for the people!

 ;D ;D ;D National Vulnerability Database (USA) ;D ;D ;D

A normal everyday person reported Apple to these people, no government contacts, Zero, Zip, Nada! Apple shortly thereafter added the firewall to the Airport. There are some D-Link products here too (soon to be more unless they get a clue).

http://nvd.nist.gov/


« Last Edit: May 12, 2012, 04:37:03 PM by Patrick533 »
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: IPv6 Firewall?
« Reply #53 on: May 12, 2012, 08:40:05 PM »

Good luck.
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: IPv6 Firewall?
« Reply #54 on: May 15, 2012, 12:19:32 PM »

"Heise Verlag", a German publishing company, has just published an article in the latest edition 11/2012 (p. 57) of their computer magazine "c't", where they report the results of tests they had done with D-Link DIR-857. Also see here: http://heise.de/-1542395 (but this online version says nothing about the IPv6 firewall and it is German only, sorry. But there are some images.)
« Last Edit: May 15, 2012, 04:29:53 PM by PacketTracer »
Logged

Patrick533

  • Level 3 Member
  • ***
  • Posts: 271
Re: IPv6 Firewall?
« Reply #55 on: May 15, 2012, 03:48:58 PM »

Quote
"Heise Verlag", a German publishing company, has just published an article in the latest edition 11/2012 (p. 57) of their computer magazine "c't", where they report the results of tests they had done with D-Link DIR-857. Also see here: http://heise.de/-1542395 (but this online version says nothing about the IPv6 firewall and it is German only, sorry. But there are some images.)

I was able to read most of it, too bad I would have really liked to see the IPV6 screens. I am also sorry to hear about the firewall tests. I have been asking around on other manufacturers' sites about IPV6, so if you go to one and see in depth IPV6 questions, a good chance it is me. Please do not post the magazine pages, very tight copyright laws in the US. I have a couple of gigabits of unused web space, I have been thinking about posting a page regarding all of this IPV6 research that is NOT valid here. Last time I did something like that, the updating time was excessive.

In a recent US Consumer Reports magazine, they went over firewalls, I have tried 3 of the top 5 listed in the magazine, IPV6 support is POOR for the top 3 I have tried so far, I have always gone back to my new one.

No hardware or software support for IPV6 but a good majority of sites I frequent at home are now IPV6 enabled. They have a widget for Firefox that shows the site's address type, the route and of course your client's address type (4 or 6). This works very good!

In the article about the DIR-857 he talked about using DSL, is the majority of internet in the EU via DSL (PPPoE)? ADSL2+?


LG,




Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: IPv6 Firewall?
« Reply #56 on: May 16, 2012, 01:08:39 AM »

Quote
No hardware or software support for IPV6 but a good majority of sites I frequent at home are now IPV6 enabled. They have a widget for Firefox that shows the site's address type, the route and of course your client's address type (4 or 6). This works very good!

Yes, I'm using a Firefox addon that provides a similar function. And since I use SixXS' DNS resolvers that are whitelisted at Google, the Google/Youtube universe gets resolved to IPv6 addresses for me. I guess about half my Internet traffic is IPv6 now.

Quote
In the article about the DIR-857 he talked about using DSL, is the majority of internet in the EU via DSL (PPPoE)? ADSL2+?

Can't say it for EU in general but for Germany that's true: PPPoE via DSL (ADSL, ADSL2+, VDSL) dominates, followed by cable modems (DOCSIS) as there is a well developed TV cable infrastructure in Germany. And in the country there still exist some desperate people using extraordinarily expensive ISDN lines for just 64 or 128 kBits, so there is some market for Internet access via satellite and (slowly coming up) via LTE. And finally FTTH is still "EXPERIMENTAL".
« Last Edit: May 16, 2012, 02:07:32 AM by PacketTracer »
Logged

Patrick533

  • Level 3 Member
  • ***
  • Posts: 271
Re: IPv6 Firewall?
« Reply #57 on: May 19, 2012, 02:45:10 PM »

PacketTracer,

Check out this Emulator that was sent to me in regards to the research I have been doing on my side. It appears that this is the interface you were sent screen shots of, it is interactive so you can go into all the menus including the IPV6 firewall. It appears to be English only. I could care less about the WiFi, I actually would prefer that they just omit WiFi (15 Milliwatts is useless!). They might have the same thing on the Euro side?

http://support.dlink.com/Emulators/dir657/100/index.html

I am interested in your feedback, either via P/M or E-mail, if it is positive, post it here.

Might be worth my time ordering one from Amazon to give it a try as the replacement for the DIR-825 and beat the heck out of it on IPV6, if it don't work I will send it back as "not as advertised" (Have to love Amazon). Hopefully it works better than the half dozen soft firewalls I have tested.

Looks promising if it works, that just means the DIR-825 is getting closer to the skeet launcher, time to put some LEAD in the DIR-825 design! 8)

I will have construction people crawling all over for the next week at least, so take your time.

LG,

Patrick

How to screw up your Kids Xbox game:





« Last Edit: May 19, 2012, 03:03:26 PM by Patrick533 »
Logged

Patrick533

  • Level 3 Member
  • ***
  • Posts: 271
Re: IPv6 Firewall?
« Reply #58 on: May 19, 2012, 02:58:13 PM »

Actually, looking deeper, here is a whole truck load of emulators for D-Link!

But the only one with IPV6 is the one I sent you (I think, at least that I could find).


http://www.dlink.com/support/faq/?prod_id=1457


And the Xboxes lag out again.......... :o

Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: IPv6 Firewall?
« Reply #59 on: May 22, 2012, 02:02:24 PM »

Quote
Check out this Emulator that was sent to me in regards to the research I have been doing on my side. It appears that this is the interface you were sent screen shots of, it is interactive so you can go into all the menus including the IPV6 firewall. It appears to be English only. I could care less about the WiFi, I actually would prefer that they just omit WiFi (15 Milliwatts is useless!). They might have the same thing on the Euro side?

http://support.dlink.com/Emulators/dir657/100/index.html

I am interested in your feedback

Hi Patrick,

no, what the emulator shows is not quite the same as the screen shot of the DIR-825 rev. C I was sent. The difference is an additional configuration switch called "Enable IPv6 Simple Security". According to the c't article about the DIR-857 I mentioned earlier, I guess the IPv6-firewall of the DIR-657 emulator corresponds to the version 1.00 IPv6 firewall of the DIR-857, which was reported to work incorrectly (LAN hosts were accessible from outside although no ports had been explicitly opened for incoming connection requests, and also the web configuration surface was accessible from outside even though remote management was switched off).

The c't guys were sent a new beta firmware version (1.00b15 - 03/26/2012) that fixed the IPv6 firewall and that also featured the above mentioned switch "Enable IPv6 Simple Security". They reported that if you enable this switch and leave the full firewall switched off this protects you as expected: Incoming connection requests get blocked (with the exception that LAN-hosts are pingable from the IPv6 Internet) while everything else is allowed. But otherwise, if you switch off simple security and switch on the full firewall, the c't guys reported that any IPv6 traffic is blocked completely so that you have to define a default rule that at least allows outgoing IPv6 connections.

So if you buy that DIR-657 device now and it has a firmware installed that corresponds to the emulator you take the risk that the IPv6 firewall will not work in a correct manner (if the c't test results are also applicable to DIR-657). The c't guys closed their article with the following recommendation: If you don't need IPv6, you can buy the box, otherwise it is better to wait for the next firmware version.

Maybe the same is true for the DIR-657, so ask your vendor, if the IPv6 firewall in DIR-657 features the additional simple security switch, because this might indicate that the firewall will work correctly.

Another question is if this IPv6 firewall configuration surface is user friendly. I guess no, not really. Only if you don't want to have incoming connections at all it is easy enough just to switch on simple security and well done (but then you have to accept, that your LAN hosts are pingable from the IPv6 Internet). And that meets the demands of the overwhelming majority of people.

But woe if you want to open just a single port for incoming connections! I guess you then have to switch off simple security, switch on the full firewall instead, select the mode "Turn IPv6 Firewall ON and ALLOW rules listed", add a default rule for outgoing traffic (as mentioned above) and finally a second rule for the port and protocol you want to open for incoming connections. I guess, that's too difficult for most people.

Other manufacturers do that job better: They only have a kind of simple security always active (without a possibility to switch it off or activate a full mode firewall instead) that even disallows to ping end nodes from the IPv6 Internet (what is this good for?), and if you really want to open a port for incoming connections they offer this as an additional function only asking for the minimum of needed information (selecting reasonable defaults for anything else) and providing the best possible guidance to the user, to keep it simple for normal non-expert users.

PacketTracer
« Last Edit: May 22, 2012, 10:24:52 PM by PacketTracer »
Logged
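
The firewall configurations described in Reply #59, as a small Python model added here (it is not D-Link firmware logic and not code from any poster): it encodes the behaviour the c't test reported for "Enable IPv6 Simple Security" and for the allow-list mode, then compares that expected policy with outside probe results to flag a firewall that leaks. The addresses, class and function names, and the sample observations are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

# All addresses are constructed (documentation prefix 2001:db8::/32).
LAN = IPv6Network("2001:db8:1::/64")
HOST = "2001:db8:1::10"      # a LAN host
ROUTER = "2001:db8:1::1"     # the router's own web interface
REMOTE = "2001:db8:ffff::5"  # a host on the IPv6 Internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmpv6-echo"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    direction: str                # "in" or "out"
    proto: str = "any"
    dport: Optional[int] = None   # None matches any port


class Firewall:
    """Hypothetical model of the two working configurations.
    mode "simple": only "Enable IPv6 Simple Security" is switched on.
    mode "allow":  full firewall, "Turn IPv6 Firewall ON and ALLOW rules listed"."""

    def __init__(self, mode, rules=()):
        if mode not in ("simple", "allow"):
            raise ValueError("mode must be 'simple' or 'allow'")
        self.mode, self.rules = mode, tuple(rules)
        self.flows = set()        # connections opened from the LAN side

    @staticmethod
    def direction(pkt):
        return "out" if IPv6Address(pkt.src) in LAN else "in"

    def permits(self, pkt):
        direction = self.direction(pkt)
        # Replies to a flow that was opened from inside pass (stateful filter).
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if direction == "in" and reply_of in self.flows:
            return True
        if self.mode == "simple":
            # Outgoing allowed, unsolicited incoming blocked, ping still passes.
            ok = direction == "out" or pkt.proto == "icmpv6-echo"
        else:
            # Allow-list: with no matching rule nothing passes, outgoing included.
            ok = any(r.direction == direction
                     and r.proto in ("any", pkt.proto)
                     and r.dport in (None, pkt.dport) for r in self.rules)
        if ok and direction == "out":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return ok


def audit(fw, observations):
    """Return the probes whose observed result differs from the configured policy.
    observations: iterable of (Packet, reached) pairs gathered from outside."""
    return [pkt for pkt, reached in observations if fw.permits(pkt) != reached]


# Constructed probe results, shaped like the symptoms reported for firmware 1.00:
# a LAN host and the web interface answer from outside although nothing was opened.
OBSERVED = [
    (Packet(REMOTE, HOST, "tcp", 40000, 80), True),
    (Packet(REMOTE, ROUTER, "tcp", 40001, 80), True),
    (Packet(REMOTE, HOST, "icmpv6-echo"), True),      # expected under simple security
    (Packet(REMOTE, HOST, "tcp", 40002, 22), False),
]

if __name__ == "__main__":
    for pkt in audit(Firewall("simple"), OBSERVED):
        print("unexpectedly reachable:", pkt.dst, pkt.proto, pkt.dport)
```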