• Down Temporarily

    From Jay Harris@1:229/664 to Michiel van der Vlist on Saturday, January 30, 2021 20:20:25
    Hi Michiel,

    My IPv6 will be down for a little bit. I decided to replace my aging router setup with this fancy Orbi WiFi 6 mesh system. I was doing a lot of research, and of course one of the boxes to tick was "IPv6 Support".

    While this Orbi DOES support IPv6, what it DOESN'T support is IPv6 port opening/forwarding like my old OnHub did.

    I'm impressed with the router otherwise, so this was kind of disappointing to find out after getting everything all set up. I'm still deciding whether to take this back and maybe try the Eero Pro 6 instead.


    Jay

    --- Mystic BBS v1.12 A47 2021/01/26 (Raspberry Pi/32)
    * Origin: Northern Realms (1:229/664)
  • From Victor Sudakov@2:5005/49 to Jay Harris on Sunday, January 31, 2021 11:53:44
    Dear Jay,

    30 Jan 21 20:20, you wrote to Michiel van der Vlist:

    My IPv6 will be down for a little bit. I decided to replace my aging router setup with this fancy Orbi WiFi 6 mesh system. I was doing a lot of research, and of course one of the boxes to tick was "IPv6 Support".

    While this Orbi DOES support IPv6, what it DOESN'T support is IPv6
    port opening/forwarding like my old OnHub did.

    I have been always of the opinion that port forwarding is never needed in IPv6 because no NAT is ever involved (and port forwarding is part of the destination NAT technology). If you had IPv6 port forwarding (in the IPv4 way) on some device, please surprise me!

    It is also difficult to believe that a fancy router does not have a built-in IPv6 firewall (if a firewall is meant by "port opening").


    I'm impressed with the router otherwise, so this was kind of disappointing to find out after getting everything all set up. I'm still deciding whether to take this back and maybe try the Eero Pro 6 instead.

    My home MikroTik hAP ac3 does not support NAT or port forwarding in IPv6 (which is expected) but has a nice IPv6 stateful firewall with connection tracking (in fact it's iptables inside). I have eventually moved all my IPv6 tunneling to MikroTik and I'm very happy about its performance.

    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20170303-b20170303
    * Origin: Ulthar (2:5005/49)
  • From Tony Langdon@3:633/410 to Victor Sudakov on Sunday, January 31, 2021 19:01:00
    On 01-31-21 11:53, Victor Sudakov wrote to Jay Harris <=-

    I have been always of the opinion that port forwarding is never needed
    in IPv6 because no NAT is ever involved (and port forwarding is part of the destination NAT technology). If you had IPv6 port forwarding (in
    the IPv4 way) on some device, please surprise me!

    Some consumer routers mislabel IPv6 firewall opening as "port forwarding", mine included. Mine came with all inbound IPv6 traffic blocked by default (good!), but to open a port to a specific host, I have to go into "IPv6 port forwarding" (sic) and specify the port(s) that I want to open and the interface host ID (last 64 bits of the IPv6 address) to allow traffic for. Or I can specify that host as an "exposed host", which of course, disables the firewall for that specific IPv6 address.

    It is also difficult to believe that a fancy router does not have a built-in IPv6 firewall (if a firewall is meant by "port opening").

    One would hope it does, and that there's a mechanism to open ports to specific hosts in the firewall config.

    My home MikroTik hAP ac3 does not support NAT or port forwarding in IPv6 (which is expected) but has a nice IPv6 stateful firewall with connection tracking (in fact it's iptables inside). I have eventually moved all my IPv6 tunneling to MikroTik and I'm very happy about its performance.

    My router does speak of IPv6 port forwarding, but it's actually controlling the firewall's packet filter.


    ... Is fire supposed to shoot out of it like that!?
    === MultiMail/Win v0.52
    --- SBBSecho 3.10-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
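
Added example, not part of any post in this thread: a minimal Python model of the behaviour Tony describes above, a default-deny stateful IPv6 filter where a port is "opened" for a host identified by its interface ID (last 64 bits), with no address rewriting. The class and function names are hypothetical, the addresses use the 2001:db8::/32 documentation prefix, and TCP port 24554 is a constructed sample value.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address: the interface ID

def interface_id(addr: str) -> int:
    return int(ipaddress.IPv6Address(addr)) & IID_MASK

@dataclass(frozen=True)
class Opening:
    iid: int                    # interface ID of the LAN host the rule applies to
    proto: str = "tcp"
    port: Optional[int] = None  # None models "exposed host": every port allowed

class Ipv6Firewall:
    """Default-deny inbound filter with connection tracking; nothing is rewritten."""
    def __init__(self, openings):
        self.openings = list(openings)
        self.flows = set()      # tracked outbound flows

    @staticmethod
    def _ep(addr, port):
        return (ipaddress.IPv6Address(addr), port)

    def outbound(self, proto, src, sport, dst, dport):
        self.flows.add((proto, self._ep(src, sport), self._ep(dst, dport)))

    def inbound(self, proto, src, sport, dst, dport):
        # A reply to a tracked outbound flow has the endpoints swapped.
        if (proto, self._ep(dst, dport), self._ep(src, sport)) in self.flows:
            return "established"
        for o in self.openings:
            if o.iid == interface_id(dst) and o.proto == proto and o.port in (None, dport):
                return "opened"  # same global address inside and outside: filtering, not NAT
        return "drop"

def demo():
    host = "::211:22ff:fe33:4455"            # constructed interface ID
    fw = Ipv6Firewall([Opening(interface_id(host), "tcp", 24554)])
    peer = "2001:db8:ffff::10"               # constructed remote address
    fw.outbound("tcp", "2001:db8:a:1::99", 50000, peer, 24554)
    return [
        fw.inbound("tcp", peer, 40000, "2001:db8:a:1:211:22ff:fe33:4455", 24554),
        fw.inbound("tcp", peer, 40000, "2001:db8:b:7:211:22ff:fe33:4455", 24554),  # prefix changed
        fw.inbound("tcp", peer, 40000, "2001:db8:a:1:211:22ff:fe33:4455", 22),
        fw.inbound("tcp", peer, 40000, "2001:db8:a:1::99", 24554),   # other host, same port
        fw.inbound("tcp", peer, 24554, "2001:db8:a:1::99", 50000),   # reply to outbound flow
    ]
```

Because the rule keys on the interface ID only, the opening keeps matching after the delegated prefix changes, and any other host behind the router stays unreachable for unsolicited traffic.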
  • From Michiel van der Vlist@2:280/5555 to Jay Harris on Sunday, January 31, 2021 11:18:37
    Hello Jay,

    On Saturday January 30 2021 20:20, you wrote to me:

    My IPv6 will be down for a little bit. I decided to replace my aging router setup with this fancy Orbi WiFi 6 mesh system. I was doing a lot of research, and of course one of the boxes to tick was "IPv6 Support".

    Of course. It was already ten years ago that I decided not to buy any new network equipment that does not support IPv6.

    While this Orbi DOES support IPv6, what it DOESN'T support is IPv6
    port opening/forwarding like my old OnHub did.

    Oh... Are you sure? I would be very surprised if your router does not have an IPv6 firewall that is configurable to have servers in the network accept incoming IPv6 calls.

    But sometimes it is a bit difficult to find. Some router manufacturers put it on the same page as the port forwarding for IPv4. Easy to find but calling it port forwarding for IPv6 is technically incorrect. Some router manufacturers put it somewhere else.

    My router has a page marked "Port Forwarding". That is IPv4 only. There is another page called "IP and Port filtering". That page has an IPv4 and an IPv6 section.

    Oddly enough the IPv6 part is where I have to open an IPv6 port. Even more confusing is that I can specify ingoing and outgoing addresses and ports. I have not tried but it looks like I can actually do NAT on IPv6. It should not.. Anyway this is where I open a port by marking it as "allow". Very confusing.

    What I am trying to say is that your router most likely has a way to open an IPv6 port in the IPv6 firewall, but that it is hidden in the noise somewhere. Does the manufacturer not offer support?


    I see that you have removed the AAAA record from your listed hostname. So I have marked you as "6DWN" in the list of IPv6 nodes. If you can still make outgoing IPv6 calls, I could change that to "OO". Try polling my system, so we can see...


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)
  • From Victor Sudakov@2:5005/49 to Tony Langdon on Sunday, January 31, 2021 18:05:08
    Dear Tony,

    31 Jan 21 19:01, you wrote to me:

    [dd]

    My router does speak of IPv6 port forwarding, but it's actually controlling the firewall's packet filter.

    Funny!

    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20170303-b20170303
    * Origin: Ulthar (2:5005/49)
  • From Jay Harris@1:229/664 to Victor Sudakov on Sunday, January 31, 2021 08:52:43
    On 31 Jan 2021, Victor Sudakov said the following...

    I have been always of the opinion that port forwarding is never needed in IPv6 because no NAT is ever involved (and port forwarding is part of the destination NAT technology). If you had IPv6 port forwarding (in the IPv4 way) on some device, please surprise me!

    That's how the settings were worded on my old Google OnHubs. It was "port forwarding" for IPv4 and "port opening" for IPv6. Everything unsolicited for incoming IPv6 is blocked unless you "opened" the port.

    It is also difficult to believe that a fancy router does not have a built-in IPv6 firewall (if a firewall is meant by "port opening").

    I agree! There are no firewall rules to be found on this interface and any "port forwarding" or "port triggering" settings are for IPv4 only. It would appear that the router is blocking all unsolicited incoming IPv6 traffic, which is actually a good thing, but I'm surprised there's no way to allow certain ports on this router yet.


    Jay

    --- Mystic BBS v1.12 A47 2021/01/30 (Raspberry Pi/32)
    * Origin: Northern Realms (1:229/664)
  • From Michiel van der Vlist@2:280/5555 to Jay Harris on Monday, February 01, 2021 00:24:14
    Hello Jay,

    On Sunday January 31 2021 08:52, you wrote to Victor Sudakov:

    It would appear that the router is blocking all unsolicited
    incoming IPv6 traffic, which is actually a good thing,

    Blocking all incoming IPv6 /by default/ is indeed good. But...

    but I'm surprised there's no way to allow certain ports on this router yet.

    ... if there really is no way to open ports for incoming IPv6 that would be a show stopper for me. I'd want my money back...


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)
  • From Jay Harris@1:229/664 to Michiel van der Vlist on Sunday, January 31, 2021 19:58:53
    On 01 Feb 2021, Michiel van der Vlist said the following...

    Blocking all incoming IPv6 /by default/ is indeed good. But...

    but I'm surprised there's no way to allow certain ports on this router yet.

    ... if there really is no way to open ports for incoming IPv6 that
    would be a show stopper for me. I'd want my money back...

    Yup, for $499 plus tax (on sale) it just doesn't seem to be worth the money.

    Of course Best Buy is not taking returns (in store) right now due to covid, so I'll have to call and figure out how to return this via mail.

    P.S: IPV6 is working otherwise, so I can indeed still poll for mail via IPv6 just not accept incoming connections.


    Jay

    --- Mystic BBS v1.12 A47 2021/01/30 (Raspberry Pi/32)
    * Origin: Northern Realms (1:229/664)
  • From Tony Langdon@3:633/410 to Victor Sudakov on Monday, February 01, 2021 18:37:00
    On 01-31-21 18:05, Victor Sudakov wrote to Tony Langdon <=-

    Dear Tony,

    31 Jan 21 19:01, you wrote to me:

    [dd]

    My router does speak of IPv6 port forwarding, but it's actually controlling the firewall's packet filter.

    Funny!

    Yeah the dumbing down of consumer gear. :)


    ... You're from the planet Earth, aren't you?
    === MultiMail/Win v0.52
    --- SBBSecho 3.10-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
  • From Michiel van der Vlist@2:280/5555 to Jay Harris on Monday, February 01, 2021 11:32:25
    Hello Jay,

    On Sunday January 31 2021 19:58, you wrote to me:

    ... if there really is no way to open ports for incoming IPv6
    that would be a show stopper for me. I'd want my money back...

    Yup, for $499 plus tax (on sale) it just doesn't seem to be worth the money.

    That's a lot of money... Are you sure there is no way to open an IPv6 port? Have you contacted the manufacturer?

    P.S: IPV6 is working otherwise, so I can indeed still poll for mail
    via IPv6 just not accept incoming connections.

    OK, I will flag your listing as "OO" then. It is better than nothing. *)


    *) Coming to think of it... Full IPv6 connectivity is better of course, but when having to choose between "OO" and "IO", Outgoing only is better. While in the near future we will see nodes that are connectable via IPv6 but no longer can accept incoming IPv4 (INO4), all these nodes will still have outgoing IPv4 for a long time. So your "OO" node can still have full two way connectivity with those "INO4" nodes. An "IO" node only has one way connectivity with "INO4" nodes.


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)
  • From Oli@2:280/464.47 to Michiel van der Vlist on Monday, February 01, 2021 13:29:20
    Michiel wrote (2021-02-01):

    MvdV> *) Coming to think of it... Full IPv6 connectivity is better of course,
    MvdV> but when having to choose between "OO" and "IO", Outgoing only is better.
    MvdV> While in the near future we will see nodes that are connectable via IPv6
    MvdV> but no longer can accept incoming IPv4 (INO4), all these nodes will still
    MvdV> have outgoing IPv4 for a long time. So your "OO" node can still have full
    MvdV> two way connectivity with those "INO4" nodes. An "IO" node only has one
    MvdV> way connectivity with "INO4" nodes.

    If you only have IPv4 connectivity you can still use a Tor proxy (or some other proxy/way) to connect to IPv6 nodes. Adding incoming IPv6 is much harder.

    Btw, what's the point of OO only nodes in the list? I'm sure many more nodes can connect over IPv6 nowadays.

    ---
    * Origin: . (2:280/464.47)
  • From Michiel van der Vlist@2:280/5555 to Oliver Thuns on Monday, February 01, 2021 13:52:53
    Hello Oliver,

    On Monday February 01 2021 13:29, you wrote to me:

    MvdV>> An "IO" node only has one way connectivity with "INO4" nodes.

    If you only have IPv4 connectivity you can still use a Tor proxy (or
    some other proxy/way) to connect to IPv6 nodes. Adding incoming IPv6
    is much harder.

    So how about writing a Fidonews article about it?

    Btw, what's the point of OO only nodes in the list?

    Should there be a point? How about recognising efforts of those sysops and encouraging them to implement full IPv6 connectivity?

    I'm sure many more nodes can connect over IPv6 nowadays.

    Well, if you are sure, it should be no problem to help me with the list and give me a list of those many more nodes. If they check out, I will add them to the list.


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)