Hi Michiel,

My IPv6 will be down for a little bit. I decided to replace my aging router setup with this fancy Orbi WiFi 6 mesh system. I was doing a lot of research, and of course one the boxes to tick was "IPv6 Support".

While this Orbi DOES support IPv6, what it DOESN'T support is IPv6 port opening/forwarding like my old OnHub did.

I'm impressed with the router otherwise, so this was kind of disappointing to find out after getting everything all setup. I'm still deciding whether to take this back and maybe try the Eero Pro 6 instead.


Jay

--- Mystic BBS v1.12 A47 2021/01/26 (Raspberry Pi/32)
* Origin: Northern Realms (1:229/664)

Dear Jay,

30 Jan 21 20:20, you wrote to Michiel van der Vlist:

My IPv6 will be down for a little bit. I decided to replace my aging router setup with this fancy Orbi WiFi 6 mesh system. I was doing a
lot of research, and of course one the boxes to tick was "IPv6
Support".

While this Orbi DOES support IPv6, what it DOESN'T support is IPv6
port opening/forwarding like my old OnHub did.

I have been always of the opinion that port forwarding is never needed in IPv6 because no NAT is ever involved (and port forwarding is part of the destination NAT technology). If you had IPv6 port forwarding (in the IPv4 way) on some device, please surprise me!

It is also difficult to believe that a fancy router does not have a built-in IPv6 firewall (if a firewall is meant by "port opening").

I'm impressed with the router otherwise, so this was kind of
disappointing to find out after getting everything all setup. I'm
still deciding whether to take this back and maybe try the Eero Pro 6 instead.

My home MikroTik hAP ac3 does not support NAT or port forwarding in IPv6 (which is expected) but has a nice IPv6 stateful firewall with connection tracking (in fact it's iptables inside). I have eventually moved all my IPv6 tunneling to MikroTik and I'm very happy about it's performance.

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20170303-b20170303
* Origin: Ulthar (2:5005/49)

Dear Tony,

31 Jan 21 19:01, you wrote to me:

[dd]

My router does speak of IPv6 port forwarding, but it's actually controlling the firewall's packet filter.

Funny!

Victor Sudakov, VAS4-RIPE, VAS47-RIPN
--- GoldED+/BSD 1.1.5-b20170303-b20170303
* Origin: Ulthar (2:5005/49)

On 31 Jan 2021, Victor Sudakov said the following...

I have been always of the opinion that port forwarding is never needed
in IPv6 because no NAT is ever involved (and port forwarding is part of the destination NAT technology). If you had IPv6 port forwarding (in the VS> IPv4 way) on some device, please surprise me!

That's how the settings were worded on my old Google OnHubs. It was port "port forwarding" for IPv4 and "port opening" for IPv6. Everything unsolicited for incoming IPv6 is blocked unless you "opened" the port.

It is also difficult to believe that a fancy router does not have a built-in IPv6 firewall (if a firewall is meant by "port opening").

I agree! There are no firewall rules to be found on this interface and any "port forwarding" or "port triggering" settings are for IPv4 only. It would appear that the router is blocking all unsolicited incoming IPv6 traffic, which is actually a good thing, but I'm surprised there's no way to allow certain ports on this router yet.


Jay

--- Mystic BBS v1.12 A47 2021/01/30 (Raspberry Pi/32)
* Origin: Northern Realms (1:229/664)

Hello Jay,

On Sunday January 31 2021 08:52, you wrote to Victor Sudakov:

It would appear that the router is blocking all unsolicited
incoming IPv6 traffic, which is actually a good thing,

Blocking all incoming IPv6 /by default/ is indeed good. But...

but I'm surprised there's no way to allow certain ports on this router yet.

... if there really is no way to open ports for incoming IPv6 that would be a show stopper for me. I'd want my money back...


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: he.net certified sage (2:280/5555)

On 01 Feb 2021, Michiel van der Vlist said the following...

Blocking all incoming IPv6 /by default/ is indeed good. But...

but I'm surprised there's no way to allow certain ports on this route yet.

... if there really is no way to open ports for incoming IPv6 that
would be a show stopper for me. I'd want my money back...

Yup, for $499 plus tax (on sale) it just doesn't seem to be worth the money.

Of course Best Buy is not taking returns (in store) right now due to covid, so I'll have to call and figure out how to return this via mail.

P.S: IPV6 is working otherwise, so I can indeed still poll for mail via IPv6 just not accept incoming connections.


Jay

--- Mystic BBS v1.12 A47 2021/01/30 (Raspberry Pi/32)
* Origin: Northern Realms (1:229/664)

Michiel wrote (2021-02-01):

MvdV> *) Coming to think of it... Full IPv6 connectivity is better of course,
MvdV> but when having to choose between "OO" and "IO", Outgoing only is better.
MvdV> While in the near future we will see nodes that are connectable via IPv6
MvdV> but no longer can accept incoming IPv4 (INO4), alll these nodes will stay
MvdV> have outgoing IPv4 for a long time. So your "OO" node can still have full
MvdV> two way connectivity with those "INO4" nodes. An "IO" node only has one
MvdV> way connectivity with "INO4" nodes.

If you only have IPv4 connectivity you can still use a Tor proxy (or some other proxy/way) to connect to IPv6 nodes. Adding incoming IPv6 is much harder.

Btw, what's the point of OO only nodes in the list? I'm sure many more nodes can connect over IPv6 nowadays.

---
* Origin: . (2:280/464.47)