IPV6

Genitronics Member Posts: 3
Dear Fing friends,
I'll post this IPV6 issue I encountered. 
IPV6 seems to allow passthrough of the firewall if activated on your router, whereas before you had to configure a NAT (IPV4) translation based on a dedicated or chosen port for your devices on the LAN.
With IPV6 it seems the router lets communication pass even if no NAT translation is configured in the firewall of the router. To us this is a risk for all CCTV, alarm, IoT, NAS and remotely accessible devices. IPV6 should only be used by the internet providers and turned off in your router and all clients on the LAN.
It seems that Windows turns on IPV6 after updates, so checking those settings on all NICs is needed.
From what I read, IPV6 contains in the header of each communication packet the needed information to reach its IPV6 endpoint if IPV6 on that device is active.
UPnP and P2P are also high risks; for us the safest so far is IPV4 with NAT translation.
[email protected] if people do not agree with this analysis.



Comments

  • Perolin Member Posts: 2

    Excuse me, but first read up on IPv6 and understand the new concepts. That it doesn't need NAT anymore is one of the big advantages of IPv6!


    By the way: there are hardly any IoT devices that are ready for IPv6.

  • ProTecK Member Posts: 55
    Yeah, your ip6 understanding is way off. 
    The entire concept is based on end to end communication. Using end to end addressing.  
    There are ip6 firewall settings for devices (routers, firewalls, etc) that support it. 
    Doesn't matter how many times Windows turned on ip6 if it's disabled on your router.
    I'm fine with leaving this info here for everybody to learn from and have no interest in emailing you.


  • KyleTse Member Posts: 1
    I don't know if it is the trend of IPv4 to IPv6; however, my devices seem to have the same problem as Genitronics mentioned.
    As my ISP doesn't have IPv6 services, there is no reason why everything, once connected to the router, is given at least 3 IPv6 addresses. And my camera seems to be under someone's control because I saw it turning the camera angle one night, and it turned back after I noticed it. Moreover, all the IoT devices are in the remote status; shouldn't it be local instead? So I think we should look deeper and see whether there are any security problems when applying IPv6 on the internet or intranet.
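
Added example, not part of any post in this thread: a Python sketch that sorts the IPv6 addresses a device reports by scope, so that it is clear which of several addresses on one interface are routable from the Internet and which are link-local or LAN-only. The sample addresses are constructed, and the function names are this example's own.

```python
import ipaddress

# (prefix, label, routable from the Internet?), most specific prefixes first.
SCOPES = [
    ("::1/128", "loopback", False),
    ("fe80::/10", "link-local", False),    # self-assigned on every IPv6-enabled interface
    ("fc00::/7", "unique-local", False),   # ULA: LAN-only, like RFC 1918 space in IPv4
    ("2001::/32", "teredo-tunnel", True),  # IPv6 carried inside IPv4 UDP
    ("2002::/16", "6to4-tunnel", True),    # IPv6 carried inside IPv4 protocol 41
    ("2000::/3", "global-unicast", True),
]
NETWORKS = [(ipaddress.IPv6Network(p), label, routable) for p, label, routable in SCOPES]


def classify(text):
    """Return (label, routable) for one address as printed by ipconfig or ip."""
    # Drop a prefix length ("/64") and a zone id ("%eth0") if present.
    bare = text.strip().split("/")[0].split("%")[0]
    addr = ipaddress.IPv6Address(bare)
    for net, label, routable in NETWORKS:
        if addr in net:
            return label, routable
    return "other", False


def internet_facing(addresses):
    """Addresses that an inbound IPv6 firewall rule actually has to cover."""
    return [a for a in addresses if classify(a)[1]]


# Constructed sample: three addresses on one camera. 2001:db8::/32 is the
# documentation prefix, standing in here for an ISP-delegated prefix.
CAMERA = ["fe80::21a:2bff:fe3c:4d5e%eth0", "fd12:3456:789a:1::20/64",
          "2001:db8:1:1:21a:2bff:fe3c:4d5e/64"]
# Constructed sample: host on an IPv4-only ISP with a Teredo tunnel active.
TUNNELLED = ["fe80::1%12", "2001:0:4136:e378:8000:63bf:3fff:fdd2"]

if __name__ == "__main__":
    for a in CAMERA + TUNNELLED:
        print(f"{a:45} {classify(a)}")
    print("needs inbound filtering:", internet_facing(CAMERA + TUNNELLED))
```
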
  • Tudor Member Posts: 1
    The better routers have had an IPv6 firewall for a long time. E.g. (now) cheap Asus routers flashed with AsusWRT Merlin or John's fork have it. You could buy such a used router and employ it.
  • RainCaster My desk Member, Beta Tester Posts: 54
    If there is any segment between you and the Internet that is not IPv6, then you are stuck in IPv4 land. That means your ISP, too.
  • W_T_F On Earth Member Posts: 33

    I'm curious about IPv6 also because my Fingbox V2 keeps telling me to disable IPv6 in order to block a few devices. I am not tech savvy and don't know what to choose if I do. If anyone wants to assist and need more info just let me know and I can add a screenshot of my choices. I'll be searching for the answer around here somewhere but I never have any luck. 🤷‍♀️

  • Robin Administrator, Fing Team Posts: 4,239
    W_T_F said:

    I'm curious about IPv6 also because my Fingbox V2 keeps telling me to disable IPv6 in order to block a few devices. I am not tech savvy and don't know what to choose if I do. If anyone wants to assist and need more info just let me know and I can add a screenshot of my choices. I'll be searching for the answer around here somewhere but I never have any luck. 🤷‍♀️

    The following Fingbox features are compatible with networks that use either IPv4 or IPv6 or both:

    • Digital Presence
    • Intruder and hacker alerts
    • Vulnerability and threat detection
    • Network and device alerts
    • Wi-Fi speed tests
    • ISP Ranking
    • Digital Fence

    Due to technical differences between the IPv4 and IPv6 protocols the following features may provide unexpected results in networks where IPv6 and IPv4 are both enabled. They will not function in networks that are solely IPv6:

    • Internet blocking & pausing
    • Bandwidth analysis

    The majority of modem routers can use either IPv4 or IPv6. We recommend disabling IPv6 on your internal network in order to fully utilize all the features of your Fingbox. Please consult your router's user guide for information on how to do this on your network.

    Robin (Admin at Fing)
  • Perolin Member Posts: 2

    There are also good reasons why horse carriages are better than cars. It is a question of the point of view and whether one is open to the next step. 

    NAT is and remains a crutch, as a one-legged person you just got used to it because there was nothing better.

  • Genitronics Member Posts: 3
    IPV6 active on the router and behind is a threat.
    IPV6 as provided today is not secure on your local network.
    To explain to non-technical people: you can leave the front door of your house open so nobody needs to use the key to open it.
    It makes it easy, but not sure you will enjoy someone in your house that was not invited :) .
    The only actual advantage of IPV6 is that internet providers have more IP addresses than before.
    The end to end communication allowed by IPV6 is a threat.
    And yes, as some people suggested after our post, you don't need IPV6 on your LAN; turn it off in the router and on all local devices.
  • ProTecK Member Posts: 55

    @Genitronics you are flat out wrong. I was going to say misinformed, but that would require you to actually do some research into the subject. This info you're passing off is probably just something you heard somebody else, who did no research, say and you're just repeating it.

    Your idea that the only advantage is adding more IP addresses shows how limited your grasp of networking is as a whole. Posting on a subject where you don't even have a basic grasp on the concept isn't helping anybody. You haven't even gone as far as a Google search for the ip6 benefits over ip4.

    I'm not going to explain it to you here, do your own research. I doubt you will bother. People have corrected you from your original post in this thread, and it doesn't look like a single bit of that was processed, because you're still way off track.

    There are just as effective ways of controlling ip6 traffic as ip4. Anything can be blocked or allowed to pass and it's a much more effective transport protocol with added security.

  • VABelle Member Posts: 68

    I’m sure I’m not the only person using Xfinity’s “Xfi” router/modem so if anyone else has figured out how to disable IPV6, please post. I have IPV4 set on the highest security but IPV6 options are either disable the entire firewall or block certain ports. I’d like to do SOMETHING so my Fingbox will stop scolding me when I try to block an unknown intrusive device. It easily gets through anyway, in spite of Fingbox.

  • Genitronics Member Posts: 3
    It is obvious some members are not agreeing with our findings based on real time experience.
    But they don't want to explain... which is the meaning of this kind of forum I thought.
    So people believe who you want...

    "I'm not going to explain it to you here, do your own research. I doubt you will bother. People have corrected you from your original post in this thread, and it doesn't look like a single bit of that was processed, because you're still way off track."
    ProTecK, be more specific: who corrected what...

