ER605 IPv6 ACL not working when adopted to controller
I am unable to get IPv6 ACL's to allow [WAN] IN traffic to one of my hosts.
I have configured the ACL using an IPv6-port Group specific to the /128 address for this host, and the ports specific to the service I need to expose, however no external hosts are able to connect to this.
I have also tried with an IPv6 Group to this hosts /128 IP allowing all protocols, and the built in IPv6 Any group, however none of these allow external hosts access to my exposed IP.
I should note that I am able to browse IPv6 content, and I am able to connect to this devices IPv6 address from other local VLAN's, just anything from WAN to LAN does not work.
This has historically worked when the ER 605 was in standalone mode, however once I adopted to my software controller IPv6 inbound is not working. I am running version 5.12.7 of the software controller in docker, using the images provided by https://hub.docker.com/r/mbentley/omada-controller
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Support provided me a beta firmware which resolved the issue, this appears to have been fully released now as I can see it as a bug fix in 2.2.3 which has appeared in my conroller, though I have not yet tested this to confirm the issue is still resolved
- Copy Link
- Report Inappropriate Content
Hi @cakemix
Thanks for posting in our business forum.
Any incoming traffic is blocked by default settings when you upgrade to V2.2.2 or V2.1.5 beta. This was a security risk before so the dev patched this.
If you initiate an IPv6 connection, that should not be blocked at all.
So now you are talking about the IPv6 ACL is not effective for your device. I need you to tell me if you allow all the IPv6 addresses to access the LAN, will it work? I am verifying whether the ACL is working or not which also seems to be your concern.
I am inclined to believe that this is a config issue.
Try this DST with this and your own range. I need to see your verification results.
- Copy Link
- Report Inappropriate Content
Hi @Clive_A ,
I am aware of the changes to implicit deny on IPv6 traffic, I was not using the ER605 to perform firewalling until this was the case. I have since removed my hardware firewall and am trying to get the ports I require opening towards my LAN devices, however this does not appear to work.
When communicating between LAN VLANs I am able to connect to this server on the IPv6 address as expected.
The WAN In rule is configured to permit IPv6 towards this host - whether I use the IPv6 group and allow all TCP (or even all protocols as per the screenshot below) or us an IPv6-Port group limiting access to only the ports I require, I still see these as closed/ filtered when trying to connect from external addresses.
The below screenshot was taken from ipv6scanner (dot) com when the ACL was configured using the haos_v6 IPv6 Group.
When I run nmap against this host from thge LAN side, I see ports open as expected:
EDIT:
I have tried this with the IPv6 Group_Any as the destination and receive the same output from the external port scan
- Copy Link
- Report Inappropriate Content
It appears that you're facing an issue where your IPv6 Access Control Lists (ACLs) are not allowing WAN to LAN traffic to a specific host on your network after adopting the ER 605 into your software controller setup. Since IPv6 connectivity is functioning correctly within local VLANs and when browsing IPv6 content, this suggests the issue lies with the ACL configuration or the firewall settings within your network controller software.
Given that the setup was previously working when the ER 605 was in standalone mode, the problem likely stems from the changes in how the device interacts with the network now that it's being managed through the software controller.
- Copy Link
- Report Inappropriate Content
Hi @aceventura12345 ,
I beleive you misunderstand my previous configuration - this did not work in standalone mode as there was no IPv6 ACL available on the previous firmware, I was previously allowing all IPv6 traffic through (as there was no option) and using a FortiGate 60E connected to the LAN to perform IPv6 filtering.
I have only just started using the ER605 on the new firmware and adopted this to my controller to perform ACL functionality on the ER605/ software controller rather than a separate hardware device.
- Copy Link
- Report Inappropriate Content
Hi @cakemix
Thanks for posting in our business forum.
Do you have any Deny IPv6 ACL rules?
Show me the whole GW ACL list you have.
Wireshark on WAN and LAN one at a time and do the remote access from the IPv6. Don't use the server. Use your device. Which you should know your IPv6 address so it would be easier to filter.
How to capture packets using Wireshark on SMB router or switch
- Copy Link
- Report Inappropriate Content
Hi @Clive_A ,
I can see the ingress packets when mirroring the WAN port to my laptop, but the only egress packets for this IPv6 address are ones sourced from this server.
Likewise, I could not see any egress packets towards the server when I packet captured on the LAN. I can provide these captures if you wish, however I am not comfertable with uploading them to a publically accessible forum, as these include my publically routable IP details.
At present, I do not have any other ACL's configured
Kind regards,
Keith Summers
- Copy Link
- Report Inappropriate Content
Hi @cakemix
Thanks for posting in our business forum.
cakemix wrote
Hi @Clive_A ,
I can see the ingress packets when mirroring the WAN port to my laptop, but the only egress packets for this IPv6 address are ones sourced from this server.
Likewise, I could not see any egress packets towards the server when I packet captured on the LAN. I can provide these captures if you wish, however I am not comfertable with uploading them to a publically accessible forum, as these include my publically routable IP details.
At present, I do not have any other ACL's configured
Kind regards,
Keith Summers
Edit:
Can you export your backup for our test team? You will receive an email to notify you that you have an open case with the TKID. TKID231117427
- Copy Link
- Report Inappropriate Content
Support provided me a beta firmware which resolved the issue, this appears to have been fully released now as I can see it as a bug fix in 2.2.3 which has appeared in my conroller, though I have not yet tested this to confirm the issue is still resolved
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 994
Replies: 8
Voters 0
No one has voted for it yet.