Archer AX10/1500 Blocks ALL incoming IPv6 connections
Hello guys,
I'm using archer ax10 since March and I have some problems with IPv6. At home, I have a personal web server/cloud, sometimes I need to use it over IPV6 but ax10 blocks all ipv6 incoming connections, I tried all available firmware builds, I disabled the SPI firewall but nothing happens. In traceroute last ip accessible is always the ax 10 and then nothing. My server can connect to ipv6 servers so outgoing works. I tried another old ASUS router with openwrt installed and ipv6 incoming connections works so my ISP isn't blocking any ports.
Why a IPv6 advertised router has no settings for ipv6 port forwarding, ipv6 subnet config, (ipv6 local ip does not appear in lan connected devices) or any in depth settings for ipv6? Looks like ipv6 is just a side project on this router...
Anyone has any ideas, maybe in the next update, I mean is the new generation of routers so incompatible with next gen internet??
I understand that in some situations allowing incoming ipv6 is a security problem, but all I need is a check box somewhere in the menu with "allow incoming ipv6, I understand the risk".
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Fist of all you need a linux enviroment.
You can also use linux subsystem on windows. open terminal or ssh and:
1. sudo apt update && sudo apt install golang
2. download this somewhere on your linux. link https://github.com/knownunown/tpl-c900-openwrt-install
3. download your router config and save it as "backup.bin"
4. backup.bin put it in the folder "tpl-c900-openwrt-install-master"
5. rename .encryption_params.sample into .encryption_params. Paste the key and the IV in .encryption_params
(export KEY="2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836" export IV="360028C9064242F81074F4C127D299F6")
6.run extract.sh from that folder. now you sould have a new created by the script "data" folder. open that folder.
7. open config.xml, go to firewall tag and add your custom ipv6 rules inside firewall tags. example to open port 80 on ipv6:
<rule>
<proto>tcp</proto>
<dest_port>80</dest_port>
<name>Forward-IPv6-80</name>
<target>ACCEPT</target>
<dest>lan</dest>
<family>ipv6</family>
<src>wan</src>
</rule>
8. save modified config.xml
9. run package.sh
10. now you have a new file created "backup_final.bin"
11. restore that config file done. now your router supports ipv6 incoming traffic.
if you want to gain root access, you can edit the dropbear section to look like this
<dropbear>
<dropbear>
<RootPasswordAuth>on</RootPasswordAuth>
<SysAccountLogin>on</SysAccountLogin>
<Port>22</Port>
<PasswordAuth>on</PasswordAuth>
</dropbear>
</dropbear>
and after you can connect with putty with user root and your router interface password and you can add firewall rules directly via ssh, no need to edit the config for every change.
- Copy Link
- Report Inappropriate Content
Thank you for posting on the TP-Link Community.
We TP-Link understand that you want to have the network permission to access the local IPv6 server/service from outside, that is currently not supported on the Archer AX10 and AX1500 routers. We have confirmed this with the dev team there will be new firmware in the near future to add the support for IPv6 firewall on/off, you will then be able to access the local IPv6 server by disabling the IPv6 firewall on the router. There is currently no estimated time for the new firmware for the AX10, please pay attention on your router web or on the official website for any new firmware updates in the future.
One more important note, we understand that @sickplanet wants to provide guide and help others who want to access their local IPv6 server, however, we do also consider this as a great risk that some "hackers" may make config file that ruin your device or even hijack the network. TP-Link will not be able to help those who install this kind software on your device and suffer from any loss for your personal info or property. So we strongly suggest our customer DON'T install this kind of software on your router to protect your network security.
- Copy Link
- Report Inappropriate Content
Hello,
As far as I know, there is an IPv6 firewall on the AX10 router which blocks the external access to the server automatically to protect your internal network and ensure its security.
Currently, there is no way to disable that firewall. We will see how to improve this in the future.
Thanks for your understanding.
- Copy Link
- Report Inappropriate Content
@Kevin_Z
Is there anything planned in the near future of fixing this? It was advertised as an ipv6 router, so I thought it's capable of basic ipv6 related stuffs
- Copy Link
- Report Inappropriate Content
Yes it's possible. I can make a tutorial how to decrypt the config file and gain root access via ssh.
- Copy Link
- Report Inappropriate Content
Fist of all you need a linux enviroment.
You can also use linux subsystem on windows. open terminal or ssh and:
1. sudo apt update && sudo apt install golang
2. download this somewhere on your linux. link https://github.com/knownunown/tpl-c900-openwrt-install
3. download your router config and save it as "backup.bin"
4. backup.bin put it in the folder "tpl-c900-openwrt-install-master"
5. rename .encryption_params.sample into .encryption_params. Paste the key and the IV in .encryption_params
(export KEY="2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836" export IV="360028C9064242F81074F4C127D299F6")
6.run extract.sh from that folder. now you sould have a new created by the script "data" folder. open that folder.
7. open config.xml, go to firewall tag and add your custom ipv6 rules inside firewall tags. example to open port 80 on ipv6:
<rule>
<proto>tcp</proto>
<dest_port>80</dest_port>
<name>Forward-IPv6-80</name>
<target>ACCEPT</target>
<dest>lan</dest>
<family>ipv6</family>
<src>wan</src>
</rule>
8. save modified config.xml
9. run package.sh
10. now you have a new file created "backup_final.bin"
11. restore that config file done. now your router supports ipv6 incoming traffic.
if you want to gain root access, you can edit the dropbear section to look like this
<dropbear>
<dropbear>
<RootPasswordAuth>on</RootPasswordAuth>
<SysAccountLogin>on</SysAccountLogin>
<Port>22</Port>
<PasswordAuth>on</PasswordAuth>
</dropbear>
</dropbear>
and after you can connect with putty with user root and your router interface password and you can add firewall rules directly via ssh, no need to edit the config for every change.
- Copy Link
- Report Inappropriate Content
@Kevin_Z What do you think Kevin ? Apparently there's a way :))) #tplinksecurity
- Copy Link
- Report Inappropriate Content
@sickplanet How can I do this on the TP-Link AX6000?
- Copy Link
- Report Inappropriate Content
@JeanRodrigues Yes you can, just change the KEY and IV accordingly to your router. you can use binwalk on ubuntu/linux to find the keys out of your firmware.
- Copy Link
- Report Inappropriate Content
@sickplanet Thanks. Could you do a tutorial on how to get these keys?
- Copy Link
- Report Inappropriate Content
@JeanRodrigues on linux: extract firmware with "binwalk -e yourCurrentFirmware.bin" and you should find your KEY and IV in [extracted firmware folder]/usr/lib/lua/luci/model/crypto.lua. if you cannot make it, tell me your firmware version and i will help you.
- Copy Link
- Report Inappropriate Content
@sickplanet I couldn't do it with that command. The firmware version is 1.2.2 Build 20210223 rel.78164 (5553).
- Copy Link
- Report Inappropriate Content
Information
Helpful: 10
Views: 15677
Replies: 32