DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2925n + Zen IPv6

02 Feb 2017 13:10 #1 by eeekie
Firmware Version : 3.8.4
Build Date/Time : Dec 15 2016 17:26:01

Due to this router not having a way to assign certain IPv6 addresses to certain clients using its very limited DHCPv6 functionality, I wanted to block connections initiated from WAN on IPv6 for anything assigned within the DHCP range, and allow it for anything statically configured outside of that range.

That way, all regular devices in the building will be able to leverage the stateful firewall to allow inbound IPv6 connections as needed, while any servers that are statically configured outside of this range won't have the same block, and can respond to requests from the WAN.

To do this I created an inverted IPv6 object of the DHCPv6 address range, which should be an object that includes everything outside of the DHCP range.

The firewall page says:

Packets are filtered by firewall functions in the following order:
1. Data Filter Sets and Rules
2. Block connections initiated from WAN
3. Default Rule
So I created a Data Filter rule that would "Pass immediately" anything with a destination as the "Not DHCP range" IPv6 object.

I then checked the box to "Block connections initiated from WAN [IPv6]", so that the addresses not covered by that Filter rule (step 1), so that's anything assigned by DHCP, would then have inbound traffic blocked, unless allowed by the stateful firewall (step 2).

Configuring the router this way causes it to crash every couple of minutes. It dies before it has a chance to dump anything to the error log.

Can anyone else replicate this crash?

BONUS BUG:

In creating the IPv6 Range Object, and using a 128-bit match, it doesn't seem to recognise "0 suppression" notation, so you have to type the address in full. If you save that, and open the object back up for editing, it loads it with the 0s suppressed, and when you try to save changes (even without having made any), it complains about there being an invalid IP.

It feels like IPv6 is a tacked on afterthought with this thing. Sky have rolled it out, and BT are weeks away from fully rolling it out also, but a premium router craps itself over extremely basic IPv6 things that have been set in stone for almost 2 decades.

04 Feb 2017 19:45 #2 by eeekie
Replied by eeekie on topic Re: 2925n + Zen IPv6
I managed to stop it crashing by removing the "NOT DHCPv6" IPv6 object from a group that had some other exceptions in it, and changing the firewall rule to use only the IPv6 object, and not the group.

Now I have a new problem. When using DHCPv6(stateful) mode, hosts on the network get issued a /128 address, and are unable to ping each other. This is the same whether using the DrayTek's own DHCP server, or an external ISC one, which makes sense as to my knowledge the prefix information is sent out in a Router Advertisement.

I'm on a native PPP IPv6 connection with a /48 allocation. On the WAN side, the DrayTek seems to be using a /128 address. On the LAN side, it has given itself a /64 global address.

A different ISP offering PPP IPv6 /56 on a DrayTek 2860 also shows as having a /128 address on the WAN side.
EDIT: The /128 thing seems to be fine. I sniffed the Router Announcement messages earlier, and the correct Prefix information is there EXCEPT that the OnLink flag isn't set in the Flags, so the Hosts don't add the subnet to their routing table as ONLINK.

05 Feb 2017 19:30 #3 by eeekie
Replied by eeekie on topic Re: 2925n + Zen IPv6
In SLAAC mode the L bit (OnLink) in the prefix option it gives out is set. That way the hosts can add the network to their routing tables. When the router is set to DHCPv6(stateful), the L bit in the (for some reason duplicated) prefix option(s) is left cleared. Considering ND only works on Link Local addresses, this is a bug and should be set, or there should at least be an option to set/unset it if you want it broken.

At the moment, hosts configured via DHCPv6(stateful) mode by a DrayTek 2925 are unable to ping each other on their DHCP assigned addresses, unless you manually add routing information to each host telling them the network is OnLink.

There are lots of bugs and limitations to do with IPv6 on this IPv6 ready router, but the L bit not being set breaks the whole network.

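An added example, not code from the thread or from DrayTek, for checking the point raised in the last two posts: a small parser for ICMPv6 Router Advertisements that lists each Prefix Information option and reports which prefixes are advertised without the L (on-link) bit. Field offsets follow RFC 4861; the RA payloads are constructed inline (checksum left at zero) rather than captured from a real router.

```python
import ipaddress
import struct

ICMPV6_RA = 134            # ICMPv6 Router Advertisement type
OPT_PREFIX_INFO = 3        # Prefix Information option type
PFX_ONLINK = 0x80          # L bit: prefix is on-link
PFX_AUTONOMOUS = 0x40      # A bit: prefix usable for SLAAC
RA_MANAGED = 0x80          # M bit: use DHCPv6 for addresses (stateful mode)


def parse_ra(payload: bytes) -> dict:
    """Parse an ICMPv6 RA (from the ICMPv6 header on); return M flag and prefix options."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    managed = bool(payload[5] & RA_MANAGED)
    prefixes, off = [], 16
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]
        size = opt_len * 8                      # option length is in 8-octet units
        if opt_len == 0 or off + size > len(payload):
            raise ValueError("malformed option at offset %d" % off)
        if opt_type == OPT_PREFIX_INFO and size == 32:
            plen, flags = payload[off + 2], payload[off + 3]
            prefix = ipaddress.IPv6Address(payload[off + 16:off + 32])
            prefixes.append({"prefix": "%s/%d" % (prefix, plen),
                             "onlink": bool(flags & PFX_ONLINK),
                             "autonomous": bool(flags & PFX_AUTONOMOUS)})
        off += size
    return {"managed": managed, "prefixes": prefixes}


def prefixes_missing_onlink(payload: bytes) -> list:
    """Prefixes advertised without the L bit: hosts will not install them as on-link routes."""
    return sorted({p["prefix"] for p in parse_ra(payload)["prefixes"] if not p["onlink"]})


def build_ra(managed: bool, prefix_opts) -> bytes:
    """Constructed test RA (checksum 0); prefix_opts = [(prefix, length, flags), ...]."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, RA_MANAGED if managed else 0, 1800, 0, 0)
    opts = b"".join(struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, flags, 2592000, 604800, 0)
                    + ipaddress.IPv6Address(p).packed for p, plen, flags in prefix_opts)
    return hdr + opts


# Constructed samples, not captures: a SLAAC-style RA with L and A set, and a stateful-mode RA
# (M set) carrying the same /64 twice with the L bit cleared, as described in the thread.
SLAAC_RA = build_ra(False, [("2001:db8:1::", 64, PFX_ONLINK | PFX_AUTONOMOUS)])
STATEFUL_RA = build_ra(True, [("2001:db8:1::", 64, 0), ("2001:db8:1::", 64, 0)])
```

To check a live RA, feed the ICMPv6 payload from a packet capture (e.g. the bytes of an `icmp6 && icmp6.type == 134` frame) to `prefixes_missing_onlink`; a non-empty result is the condition that leaves hosts unable to reach each other directly on that prefix.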