ER605 IPv6 ACL not working when adopted to controller
2023-11-04 13:00:18 - last edited 2024-08-15 01:48:21
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.2

I am unable to get IPv6 ACLs to allow [WAN] IN traffic to one of my hosts.

 

I have configured the ACL using an IPv6-port Group specific to the /128 address for this host, and the ports specific to the service I need to expose, however no external hosts are able to connect to this.

 

I have also tried with an IPv6 Group to this host's /128 IP allowing all protocols, and the built-in IPv6 Any group, however none of these allow external hosts access to my exposed IP.

 

I should note that I am able to browse IPv6 content, and I am able to connect to this device's IPv6 address from other local VLANs, just anything from WAN to LAN does not work.

 

This has historically worked when the ER 605 was in standalone mode, however once I adopted to my software controller IPv6 inbound is not working. I am running version 5.12.7 of the software controller in docker, using the images provided by https://hub.docker.com/r/mbentley/omada-controller

#1
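An added example, not code from the thread or from TP-Link: a small model of how an IPv6 gateway ACL with an implicit default deny should evaluate the configuration the original post describes (a WAN IN permit towards a single /128 host on an IPv6-port group, with everything else inbound denied). The rule ordering is modelled as first-match, which is an assumption about the gateway; the addresses, group names and port numbers are constructed placeholders.

```python
# Added example (not from the thread or TP-Link): a first-match IPv6 ACL
# evaluator with implicit default deny, modelling the configuration the
# poster describes (a WAN IN permit to one /128 host on a port group).
# First-match ordering is an assumption; addresses, group names and ports
# are constructed placeholders.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                  # "permit" or "deny"
    direction: str               # "WAN_IN" or "LAN_LAN"
    dst_nets: list               # IPv6 networks; a /128 selects one host
    protocols: set               # {"tcp"}, {"udp"}, ... or {"any"}
    dst_ports: Optional[set]     # None = all ports (plain IPv6 group)


def ipv6_group(*prefixes):
    """Build an IPv6 group (list of networks) from prefix strings."""
    return [ipaddress.IPv6Network(p) for p in prefixes]


# Constructed groups: the built-in "any" group and a /128 for the exposed host.
GROUP_ANY = ipv6_group("::/0")
GROUP_HAOS_V6 = ipv6_group("2001:db8:1::10/128")

# Constructed rule set: one explicit WAN IN permit on an IPv6-port group.
RULES = [
    Rule("allow-haos-https", "permit", "WAN_IN", GROUP_HAOS_V6, {"tcp"}, {443, 8123}),
]


def evaluate(rules, direction, dst, proto, dport=None):
    """Return (action, rule_name) for the first matching rule; with no match,
    fall through to the implicit deny that the newer firmware applies to
    inbound traffic."""
    addr = ipaddress.IPv6Address(dst)
    for r in rules:
        if r.direction != direction:
            continue
        if not any(addr in net for net in r.dst_nets):
            continue
        if "any" not in r.protocols and proto not in r.protocols:
            continue
        if r.dst_ports is not None and dport not in r.dst_ports:
            continue
        return r.action, r.name
    return "deny", "implicit-default-deny"


if __name__ == "__main__":
    for args in [("WAN_IN", "2001:db8:1::10", "tcp", 443),
                 ("WAN_IN", "2001:db8:1::10", "tcp", 22),
                 ("WAN_IN", "2001:db8:1::20", "tcp", 443)]:
        print(args, "->", evaluate(RULES, *args))
```

With this model, a connection to the permitted host on a listed port is the only inbound traffic that passes; a different port, a different host, or a different protocol all fall through to the default deny. That is the behaviour the poster expected from the gateway, and the point of the later captures is to check whether the device actually applies it.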
Accepted Solution
Re:ER605 IPv6 ACL not working when adopted to controller-Solution
2023-12-29 12:58:11 - last edited 2024-08-15 01:48:21

Support provided me a beta firmware which resolved the issue; this appears to have been fully released now, as I can see it as a bug fix in 2.2.3 which has appeared in my controller, though I have not yet tested this to confirm the issue is still resolved.

 

Recommended Solution
#10
Re:ER605 IPv6 ACL not working when adopted to controller
2023-11-06 02:43:08

Hi @cakemix 

Thanks for posting in our business forum.

Any incoming traffic is blocked by default settings when you upgrade to V2.2.2 or V2.1.5 beta. This was a security risk before so the dev patched this.

If you initiate an IPv6 connection, that should not be blocked at all.

 

So now you are talking about the IPv6 ACL is not effective for your device. I need you to tell me if you allow all the IPv6 addresses to access the LAN, will it work? I am verifying whether the ACL is working or not which also seems to be your concern.

I am inclined to believe that this is a config issue.

 

Try this DST with this and your own range. I need to see your verification results.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#2
Re:ER605 IPv6 ACL not working when adopted to controller
2023-11-08 11:38:27 - last edited 2023-11-08 11:42:12

Hi @Clive_A,

I am aware of the changes to implicit deny on IPv6 traffic, I was not using the ER605 to perform firewalling until this was the case. I have since removed my hardware firewall and am trying to get the ports I require opening towards my LAN devices, however this does not appear to work.

 

When communicating between LAN VLANs I am able to connect to this server on the IPv6 address as expected.

 

The WAN In rule is configured to permit IPv6 towards this host - whether I use the IPv6 group and allow all TCP (or even all protocols as per the screenshot below) or use an IPv6-Port group limiting access to only the ports I require, I still see these as closed/filtered when trying to connect from external addresses.

 

 

The below screenshot was taken from ipv6scanner (dot) com when the ACL was configured using the haos_v6 IPv6 Group.

 

When I run nmap against this host from the LAN side, I see ports open as expected:

 

EDIT:
I have tried this with the IPv6 Group_Any as the destination and receive the same output from the external port scan

#3
Re:ER605 IPv6 ACL not working when adopted to controller
2023-11-08 12:59:06

  @cakemix 

It appears that you're facing an issue where your IPv6 Access Control Lists (ACLs) are not allowing WAN to LAN traffic to a specific host on your network after adopting the ER 605 into your software controller setup. Since IPv6 connectivity is functioning correctly within local VLANs and when browsing IPv6 content, this suggests the issue lies with the ACL configuration or the firewall settings within your network controller software.

Given that the setup was previously working when the ER 605 was in standalone mode, the problem likely stems from the changes in how the device interacts with the network now that it's being managed through the software controller.

#5
Re:ER605 IPv6 ACL not working when adopted to controller
2023-11-08 13:22:50

Hi @aceventura12345,

 

I believe you misunderstand my previous configuration - this did not work in standalone mode as there was no IPv6 ACL available on the previous firmware. I was previously allowing all IPv6 traffic through (as there was no option) and using a FortiGate 60E connected to the LAN to perform IPv6 filtering.

 

I have only just started using the ER605 on the new firmware and adopted this to my controller to perform ACL functionality on the ER605/ software controller rather than a separate hardware device.

#6
Re:ER605 IPv6 ACL not working when adopted to controller
2023-11-09 08:36:29 - last edited 2023-11-09 08:36:42

Hi @cakemix 

Thanks for posting in our business forum.

Do you have any Deny IPv6 ACL rules?

Show me the whole GW ACL list you have.

 

Wireshark on WAN and LAN one at a time and do the remote access from the IPv6. Don't use the server. Use your device. Which you should know your IPv6 address so it would be easier to filter.

How to capture packets using Wireshark on SMB router or switch

How to Use Port Mirror to Capture Packets in the Controller

#7
Re:ER605 IPv6 ACL not working when adopted to controller
2023-11-09 10:28:58

Hi @Clive_A,

 

I can see the ingress packets when mirroring the WAN port to my laptop, but the only egress packets for this IPv6 address are ones sourced from this server.

 

Likewise, I could not see any egress packets towards the server when I packet captured on the LAN. I can provide these captures if you wish, however I am not comfortable with uploading them to a publicly accessible forum, as these include my publicly routable IP details.

 

At present, I do not have any other ACLs configured.

 

Kind regards,

Keith Summers

#8
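An added example, not code from the thread or from TP-Link: a short Python script that correlates the two captures Clive_A asked for (WAN port and LAN port, mirrored one at a time) and lists the inbound IPv6 connection attempts that appear on the WAN side but never reappear on the LAN side. A flow in that set was dropped inside the gateway rather than by the host, which is the conclusion cakemix drew from the captures above. The packet summaries, addresses and ports are constructed sample data, not the poster's captures.

```python
# Added example (not from the thread or TP-Link): correlate a WAN-side and a
# LAN-side packet capture to list inbound IPv6 connection attempts that reached
# the gateway but were never forwarded to the host, the symptom the poster saw.
# Packets, addresses and ports below are constructed sample data.
import ipaddress
from collections import namedtuple

# Minimal packet summary, as one would export from a Wireshark capture.
Packet = namedtuple("Packet", "src dst proto sport dport flags")


def norm(addr):
    """Canonical IPv6 text form, so 2001:DB8::1 and 2001:db8::1 compare equal."""
    return ipaddress.IPv6Address(addr).compressed


def is_attempt(p, host):
    """True for a new inbound connection attempt towards `host`:
    a TCP SYN without ACK, or any non-TCP datagram addressed to it."""
    if norm(p.dst) != norm(host):
        return False
    if p.proto == "tcp":
        return "S" in p.flags and "A" not in p.flags
    return True


def inbound_flows(pkts, host):
    """Set of (src, sport, dport, proto) tuples for attempts seen in a capture."""
    return {(norm(p.src), p.sport, p.dport, p.proto) for p in pkts if is_attempt(p, host)}


def unforwarded(wan_pkts, lan_pkts, host):
    """Attempts present in the WAN capture but absent from the LAN capture:
    these were dropped inside the gateway (ACL/firewall), not by the host."""
    return sorted(inbound_flows(wan_pkts, host) - inbound_flows(lan_pkts, host))


HOST = "2001:db8:1::10"  # constructed /128 of the exposed server

# Constructed WAN-port mirror: two external attempts, the host's own outbound
# session and the reply to it (replies carry SYN+ACK and are not attempts).
WAN_CAPTURE = [
    Packet("2001:db8:ffff::5", "2001:DB8:1::10", "tcp", 51000, 443, "S"),
    Packet("2001:db8:ffff::6", "2001:db8:1::10", "tcp", 52000, 22, "S"),
    Packet("2001:db8:1::10", "2001:db8:ffff::9", "tcp", 40000, 443, "S"),
    Packet("2001:db8:ffff::9", "2001:db8:1::10", "tcp", 443, 40000, "SA"),
]
# Constructed LAN-port mirror: the host's own session plus one forwarded attempt.
LAN_CAPTURE = [
    Packet("2001:db8:1::10", "2001:db8:ffff::9", "tcp", 40000, 443, "S"),
    Packet("2001:db8:ffff::9", "2001:db8:1::10", "tcp", 443, 40000, "SA"),
    Packet("2001:db8:ffff::6", "2001:db8:1::10", "tcp", 52000, 22, "S"),
]

if __name__ == "__main__":
    for flow in unforwarded(WAN_CAPTURE, LAN_CAPTURE, HOST):
        print("seen on WAN, never forwarded to LAN:", flow)
```

The check deliberately ignores the host's own outbound sessions and their return traffic, since those are the packets cakemix did see on the WAN side; only unsolicited inbound attempts are compared. Running it over the constructed data reports the attempt to port 443 as dropped in the gateway, while the attempt to port 22 was forwarded, which separates an ACL problem from a host-side firewall problem before any configuration is changed.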
Re:ER605 IPv6 ACL not working when adopted to controller
2023-11-10 03:37:26 - last edited 2023-11-10 08:26:03

Hi @cakemix 

Thanks for posting in our business forum.

cakemix wrote

Hi @Clive_A,

 

I can see the ingress packets when mirroring the WAN port to my laptop, but the only egress packets for this IPv6 address are ones sourced from this server.

 

Likewise, I could not see any egress packets towards the server when I packet captured on the LAN. I can provide these captures if you wish, however I am not comfortable with uploading them to a publicly accessible forum, as these include my publicly routable IP details.

 

At present, I do not have any other ACLs configured.
 

 

Kind regards,

Keith Summers

 

 

Edit:

Can you export your backup for our test team? You will receive an email to notify you that you have an open case with the TKID. TKID231117427

#9