We're going to fully test the IPv6 Firewall of an entry-level small business IPv6 Router: the Cisco Small Business RV110W.
Where the DLink DIR-626L is a very neat, 40$/€ full-featured IPv6 Router, with NAS and media streaming functions, great for IPv6 learners and consumers, the Cisco Small Business RV110W belongs to another category:
Its price tag, for a start: 80$/€.
Its features: RIPng, PPTP/IPsec VPN Server, SNMPv3, ...
It belongs to the RV series, which is professionally oriented, although its inner hardware is not at the same level as its bigger siblings (RV220W, ...).
We're going to fully test its IPv6 Firewall here.
RV110W IPv6 Firewall first contact
The Cisco RV110W Firewall is very different from the DLink DIR-626L's.
First, firewall management is common to both IPv4 and IPv6; they are not managed in separate zones.
Here is the main management page:
Here is the Access Rules tab:
Secondly, it is very 'Service Oriented'. In the Service Management tab, we have a set of preset services (HTTP, FTP, ...) defined by name / protocol / ports. We can add some custom services (Secure_POP and ICMP here):
We then use these defined services in the Access Rules tab, granting or denying accesses:
To differentiate IPv4 and IPv6 traffic rules, IP addresses or scopes need to be used in the Access Rules.
RV110W IPv6 Firewall functioning in detail
The RV110W is a classic stateful Firewall.
First, the default Outbound policy can be chosen between 'ALLOW' and 'DENY'.
The default Inbound policy is 'DENY' and can't be changed:
Here are the results of the tests :
The outbound policy behaves in a very logical and predictable way:
. If 'Default Outbound: Allow' mode is used, all outgoing traffic is allowed, except if some specific deny out rules have been defined.
. If 'Default Outbound: Deny' mode is used, all outgoing traffic is dropped, except if some specific allow out rules have been defined.
The inbound policy, to my surprise, is quite confusing.
An 'allow in' rule is neither useful nor needed to allow incoming traffic (a web server, for example).
Curiously, all that is needed, and compulsory, for incoming traffic is a port forwarding. Two questions then arise in my mind:
. A port forwarding rule to allow an IPv6 incoming connection? Or is it a Sheldon Cooper joke?
. Why then tempt you with the option to create an 'allow in' rule if it is useless, unneeded, and without any effect?
I'll try to investigate this and post more information here later.
It seems that ICMPv6 Filtering triggers a great bug, opening the inbound firewall.
Here is a screenshot of the bug triggering config. First, we need to setup an ICMP service :
We then use this ICMP service in a rule :
The result : The Inbound IPv6 TCP Firewall gets wide open, letting any IPv6 TCP packet in.
This happens whether the Default Outbound Mode is Allow or Deny, and whether the Connection type is Outbound or Inbound.
This pretty much ends the ICMPv6 testing part.
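As an added example (not the page's own code nor Cisco's), here is a small Python model of the inbound/outbound behaviour observed above, with an audit that flags probe results deviating from it, such as inbound TCP ports that become reachable after the ICMP service rule is applied. The Rule/probe representation and the probe values are assumptions constructed for illustration.

```python
"""Policy model of the RV110W IPv6 firewall as observed in this article,
plus an audit that flags probe results contradicting the model.
Constructed example: the rule/probe representation is an assumption,
and the probe results at the bottom are made up, not captured data."""
from typing import List, Optional, Set, Tuple


class Rule:
    """One Access Rule: direction 'in'/'out', action 'allow'/'deny',
    service protocol and port (None = any port, as for the ICMP service)."""
    def __init__(self, direction: str, action: str, proto: str, port: Optional[int]):
        self.direction, self.action, self.proto, self.port = direction, action, proto, port


def expected_verdict(direction: str, proto: str, port: int, default_outbound: str,
                     rules: List[Rule], port_forwards: Set[Tuple[str, int]]) -> str:
    """Verdict the article's observations predict for one packet."""
    if direction == "out":
        # Outbound: the default mode applies unless an explicit out rule matches.
        for r in rules:
            if r.direction == "out" and r.proto == proto and r.port in (None, port):
                return r.action
        return default_outbound
    # Inbound: default DENY is fixed; 'allow in' rules were observed to have
    # no effect, only a port forwarding entry admits the traffic.
    return "allow" if (proto, port) in port_forwards else "deny"


def audit(probes, default_outbound, rules, port_forwards):
    """probes: (direction, proto, port, observed verdict) tuples from your own
    reachability tests. Returns every probe whose result contradicts the
    model; a non-empty list is a policy deviation worth investigating."""
    deviations = []
    for direction, proto, port, observed in probes:
        expected = expected_verdict(direction, proto, port, default_outbound, rules, port_forwards)
        if observed != expected:
            deviations.append((direction, proto, port, expected, observed))
    return deviations


if __name__ == "__main__":
    # Constructed scenario: ICMP service rule added, HTTPS port forwarded.
    rules = [Rule("in", "allow", "icmpv6", None), Rule("out", "deny", "tcp", 25)]
    forwards = {("tcp", 443)}
    probes = [("in", "tcp", 443, "allow"),   # forwarded: expected
              ("in", "tcp", 22, "allow"),    # not forwarded, yet reachable
              ("in", "tcp", 3389, "allow"),  # same: inbound TCP wide open
              ("out", "tcp", 25, "deny")]    # explicit out deny honoured
    for d in audit(probes, "allow", rules, forwards):
        print("deviation: %s %s/%d expected %s, observed %s" % d)
```

Feed it the results of whatever external reachability tests you run against your own router; two deviations on ports 22 and 3389 in the constructed scenario reproduce the symptom described above.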
Ingress / Egress Filtering :
There is no IPv6 Ingress or Egress Filtering performed by the RV110W.
Dropped IPv6 packets are logged both in the RV110W's internal log and to an external Syslog Server.
The RV110W logging options allow different logging levels to be set up for the internal log and the Syslog Server.
While integrating the IPv4 and IPv6 sides of the firewall somewhat simplifies firewall management, it comes at the cost of lost independence between these functions. Besides that, the IPv6 integration is very complete, with IPv6 packet logging.
Still, two quirks (inbound rules / IPv6 port forwarding, and ICMPv6) need more study before the picture can be complete.