Archer AX10/1500 Blocks ALL incoming IPv6 connections

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
 
2020-08-07 03:26:02 - last edited 2021-12-02 11:34:09
Model: Archer AX10  
Hardware Version: V1
Firmware Version: 1.0.8 Build 20200706 Rel. 7658(4555)

Hello guys,

I've been using the Archer AX10 since March and I have some problems with IPv6. At home, I have a personal web server/cloud, and sometimes I need to use it over IPv6, but the AX10 blocks all incoming IPv6 connections. I tried all available firmware builds and I disabled the SPI firewall, but nothing happens. In traceroute, the last accessible IP is always the AX10 and then nothing. My server can connect to IPv6 servers, so outgoing works. I tried another old ASUS router with OpenWrt installed and incoming IPv6 connections work, so my ISP isn't blocking any ports.

Why does an IPv6-advertised router have no settings for IPv6 port forwarding, IPv6 subnet config (the IPv6 local IP does not appear in LAN connected devices), or any in-depth settings for IPv6? It looks like IPv6 is just a side project on this router...

Does anyone have any ideas? Maybe in the next update? I mean, is the new generation of routers so incompatible with the next-gen internet??

I understand that in some situations allowing incoming ipv6 is a security problem, but all I need is a check box somewhere in the menu with "allow incoming ipv6, I understand the risk".

#1
2 Accepted Solutions
Re:Archer AX10/1500 Blocks ALL incoming IPv6 connections-Solution
2021-02-06 12:16:28 - last edited 2021-12-02 11:34:09

First of all you need a Linux environment.

You can also use the Linux subsystem on Windows. Open a terminal or SSH and:

1. sudo apt update && sudo apt install golang

2. Download this somewhere on your Linux system. Link: https://github.com/knownunown/tpl-c900-openwrt-install

3. Download your router config and save it as "backup.bin"

4. Put backup.bin in the folder "tpl-c900-openwrt-install-master"

5. Rename .encryption_params.sample to .encryption_params. Paste the key and the IV in .encryption_params

(export KEY="2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836" export IV="360028C9064242F81074F4C127D299F6")

6. Run extract.sh from that folder. Now you should have a new "data" folder created by the script. Open that folder.

7. Open config.xml, go to the firewall tag and add your custom IPv6 rules inside the firewall tags. Example to open port 80 on IPv6:

<rule>
<proto>tcp</proto>
<dest_port>80</dest_port>
<name>Forward-IPv6-80</name>
<target>ACCEPT</target>
<dest>lan</dest>
<family>ipv6</family>
<src>wan</src>
</rule>

8. Save the modified config.xml

9. Run package.sh

10. Now you have a newly created file, "backup_final.bin"

11. Restore that config file. Done. Now your router supports IPv6 incoming traffic.

 

If you want to gain root access, you can edit the dropbear section to look like this:

<dropbear>
<dropbear>
<RootPasswordAuth>on</RootPasswordAuth>
<SysAccountLogin>on</SysAccountLogin>
<Port>22</Port>
<PasswordAuth>on</PasswordAuth>
</dropbear>
</dropbear>

and afterwards you can connect with PuTTY as user root with your router interface password and add firewall rules directly via SSH, with no need to edit the config for every change.

 

 

Recommended Solution
#5
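A pre-restore check for the edited config.xml from the post above, as an added example that is not part of the original post or of the tpl-c900-openwrt-install project: it lists every WAN-sourced IPv6 ACCEPT rule with the hosts it exposes and flags dropbear password logins. The sample config is constructed; the <config> wrapper and the dest_ip element (OpenWrt's option name for limiting a rule to one host) are assumptions about this firmware.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The <config> wrapper and <dest_ip> are assumptions.
SAMPLE = """<config><firewall>
<rule><proto>tcp</proto><dest_port>80</dest_port><name>Forward-IPv6-80</name>
<target>ACCEPT</target><dest>lan</dest><family>ipv6</family><src>wan</src></rule>
<rule><proto>tcp</proto><dest_port>443</dest_port><name>Web-Host-Only</name>
<target>ACCEPT</target><dest>lan</dest><family>ipv6</family><src>wan</src>
<dest_ip>2001:db8::10</dest_ip></rule>
</firewall>
<dropbear><dropbear>
<RootPasswordAuth>on</RootPasswordAuth><SysAccountLogin>on</SysAccountLogin>
<Port>22</Port><PasswordAuth>on</PasswordAuth>
</dropbear></dropbear></config>"""

def text(node, tag, default=""):
    """Stripped text of a direct child element, or default if absent."""
    return (node.findtext(tag) or default).strip()

def open_ipv6_rules(root):
    """WAN-sourced ACCEPT rules that match IPv6, with the hosts each exposes."""
    found = []
    for rule in root.iter("rule"):
        if text(rule, "src") != "wan" or text(rule, "target").upper() != "ACCEPT":
            continue
        if text(rule, "family", "any") not in ("ipv6", "any"):
            continue
        # Assumed semantics (as in OpenWrt): no dest_ip = every host in the zone.
        scope = text(rule, "dest_ip") or "ALL " + text(rule, "dest", "?") + " hosts"
        found.append((text(rule, "name"), text(rule, "proto"),
                      text(rule, "dest_port"), scope))
    return found

def ssh_findings(root):
    """Dropbear settings that permit password logins, including as root."""
    issues = []
    for db in root.iter("dropbear"):
        if db.find("Port") is None:  # outer wrapper element, no settings
            continue
        for key in ("RootPasswordAuth", "PasswordAuth"):
            if text(db, key).lower() == "on":
                issues.append(f"{key}=on port {text(db, 'Port')}")
    return issues

def audit(xml_text):
    root = ET.fromstring(xml_text)
    return {"rules": open_ipv6_rules(root), "ssh": ssh_findings(root)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Pass the contents of data/config.xml to audit() after editing and before running package.sh.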
Re:Archer AX10/1500 Blocks ALL incoming IPv6 connections-Solution
2021-03-26 07:57:29 - last edited 2022-06-01 02:27:22

@Bitterman @JeanRodrigues 

 

Thank you for posting on the TP-Link Community.

 

We at TP-Link understand that you want to have the network permission to access the local IPv6 server/service from outside; that is currently not supported on the Archer AX10 and AX1500 routers. We have confirmed with the dev team that there will be new firmware in the near future to add support for turning the IPv6 firewall on/off; you will then be able to access the local IPv6 server by disabling the IPv6 firewall on the router. There is currently no estimated time for the new firmware for the AX10; please watch your router's web interface or the official website for any new firmware updates in the future.

 

One more important note: we understand that @sickplanet wants to provide a guide and help others who want to access their local IPv6 server; however, we also consider it a great risk that some "hackers" may make a config file that ruins your device or even hijacks the network. TP-Link will not be able to help those who install this kind of software on their device and suffer any loss of personal info or property. So we strongly suggest our customers DON'T install this kind of software on their router, to protect their network security.

Recommended Solution
#19
32 Reply
Re:Archer AX10/1500 Blocks ALL incoming IPv6 connections
2020-08-07 06:27:31 - last edited 2021-12-02 11:34:09

@sickplanet 

 

Hello,

 

As far as I know, there is an IPv6 firewall on the AX10 router which blocks the external access to the server automatically to protect your internal network and ensure its security.

Currently, there is no way to disable that firewall. We will see how to improve this in the future.

 

Thanks for your understanding.

#2
Re:Archer AX10/1500 Blocks ALL incoming IPv6 connections
2021-02-04 19:55:26 - last edited 2021-12-02 11:34:09

@Kevin_Z

Is there anything planned in the near future for fixing this? It was advertised as an IPv6 router, so I thought it was capable of basic IPv6-related stuff.

#3
Re:Archer AX10/1500 Blocks ALL incoming IPv6 connections
2021-02-04 20:56:51 - last edited 2021-12-02 11:34:09

@bmrk 

Yes, it's possible. I can make a tutorial on how to decrypt the config file and gain root access via SSH.

#4
Re:Archer AX10/1500 Blocks ALL incoming IPv6 connections
2021-02-06 12:23:43 - last edited 2021-12-02 11:34:09

@Kevin_Z  What do you think Kevin ? Apparently there's a way :))) #tplinksecurity

#6
Re:Archer AX10/1500 Blocks ALL incoming IPv6 connections
2021-03-21 15:46:41 - last edited 2021-12-02 11:34:09

@sickplanet How can I do this on the TP-Link AX6000?

#7
Re:Archer AX10/1500 Blocks ALL incoming IPv6 connections
2021-03-22 11:05:26 - last edited 2021-12-02 11:34:09

@JeanRodrigues Yes you can, just change the KEY and IV according to your router. You can use binwalk on Ubuntu/Linux to find the keys in your firmware.

#8
Re:Archer AX10/1500 Blocks ALL incoming IPv6 connections
2021-03-22 13:10:08 - last edited 2021-12-02 11:34:09

@sickplanet Thanks. Could you do a tutorial on how to get these keys?

#9
Re:Archer AX10/1500 Blocks ALL incoming IPv6 connections
2021-03-22 13:17:48 - last edited 2021-12-02 11:34:09

@JeanRodrigues On Linux: extract the firmware with "binwalk -e yourCurrentFirmware.bin" and you should find your KEY and IV in [extracted firmware folder]/usr/lib/lua/luci/model/crypto.lua. If you cannot make it, tell me your firmware version and I will help you.

#10
Re:Archer AX10/1500 Blocks ALL incoming IPv6 connections
2021-03-22 13:51:12 - last edited 2021-12-02 11:34:09

@sickplanet I couldn't do it with that command. The firmware version is 1.2.2 Build 20210223 rel.78164 (5553).

#11