Hi,

In the readme notes for the Vigor 2850 firmware 3.6.8.2 it says:

[Notes]
The [Firewall]-[General Setup] menu now has an option to block or allow routed IPv4 and IPv6 packets:
If the firmware of the router is upgraded from 3.6.6(or before) to 3.6.8 firmware, .all and .rst firmwares will have different default settings for the incoming packets.
1) .all --> keep the routing settings in 3.6.6(or before), which allows both IPv4 and IPv6 routed traffic.
2) .rst --> block IPv4 and IPv6 routing packets from the WAN by default.

I do not understand what this means - and any significance. :oops:
Could someone just clarify this please, maybe with an example?

Thanks

Here is what the manual has to say: -

Block routing packet from WAN
Usually, IPv6 network sessions/traffic from WAN to LAN will
be accepted by IPv6 firewall in default.

IPv6 - To prevent remote client accessing into the PCs on
LAN, check the box to make the packets (routed from WAN to
LAN) via IPv6 being blocked by such router. It is effective
only for the packets routed but not for packets translated by
NAT.

IPv4 - To prevent remote client accessing into the PCs on
LAN, check the box to make the incoming packets via IPv4
being blocked by such router. It is effective only for the
packets routed but not for packets translated by NAT.

Now really that needs to be translated from the gibberish into english... I'll have a go.

IPv4
When used in the normal (old) IPv4 NAT mode, which most people use, the router does not truly route packets in to/from the internet, what it does is pull them apart and put them back together again making them look like they routed. This is because you only have one public IPv4 address and you are sharing it between all your internal devices.

The router is however, capable of doing full routing if you have multiple public addresses. If you are only using NAT (you have only one public IPv4 address from your ISP) then the IPv4 checkbox here is not really going to do anything but leave it on if you want to be safe.

IPv6
IPv6 is different - with v6 you are normally supplied with a (huge) number of v6 addresses by your ISP. Normally IPv6 fully routes everything, meaning that all your internal devices can have public addresses. But, if you do not want everyone to see your internal devices (and maybe hack into them) you should check this box to stop routing into your network by default.

For IPv6 you can still allow accessing of specific devices by adding firewall rules for them. Turning te default off means that you are effectively fire-walling all the internal devices in your internal network.

No idea why there are differences in the fw defaults but I had another instance like it on the LAN/DMZ Port IPv6 settings which got turned on by fw upgrade and caused havoc.

Hope this helps.

jedi98 wrote: Here is what the manual has to say: -

Block routing packet from WAN
Usually, IPv6 network sessions/traffic from WAN to LAN will
be accepted by IPv6 firewall in default.

IPv6 - To prevent remote client accessing into the PCs on
LAN, check the box...............


..............No idea why there are differences in the fw defaults but I had another instance like it on the LAN/DMZ Port IPv6 settings which got turned on by fw upgrade and caused havoc.

Hope this helps.

Great Jedi98!
That's a good help to getting my thought processes started.
Thanks!