> There are also still a lot of misconceptions from network administrators who are scared of or don’t properly understand IPv6
Enable IPv6 on a TP-Link Omada router (ER7212PC) and all internal services are exposed to the outside world as there is no default IPv6 deny-all rule and no IPv6 firewall. I get why some people are nervous.
That's more proof that TP-Link should not be trusted than that there is a problem with IPv6, really. Even cheap $20 Aliexpress routers have a firewall enabled by default.
Agreed.
I believe that was more a bug in the firmware that's been fixed for a while now.
In case of the ER7212PC, it’s only fixed in the v2 hardware revision.
No free upgrade.
A bug that was implemented because IPv6 is more complex to secure.
> Enable IPv6 on a TP-Link Omada router (ER7212PC) and all internal services are exposed to the outside world as there is no default IPv6 deny-all rule and no IPv6 firewall. I get why some people are nervous.
A router routing traffic makes people nervous? Isn't that what it's supposed to do? I'd be annoyed if my router did not pass traffic.
Now, if the ER7212PC was a firewall that would be something else.
(And no, I'm not being pedantic: routers should pass traffic unless told otherwise, firewalls should block traffic unless told otherwise. The purposes of the two device classes are different, they just happen to both deal with Layer 3 protocol data units.)
Routers and access points are also typically separate device classes. Yet the market has figured out that most consumers prefer all-in-one devices. Expecting households to run dedicated firewalls besides their AiO wifi-routers is ludicrous.
What firewall do you recommend a typical user couple their ER7212PC (which BTW is already tripling as VPN gateway and cloud-controller) with?
The problem is that TP-Link does not give two cents to security in their products.
> And no, I'm not being pedantic
You very much are.
> Yet the market has figured out that most consumers prefer all-in-one devices. Expecting households to run dedicated firewalls besides their AiO wifi-routers is ludicrous.
Except that neither the ER7212PC, nor anything else under the Omada (sub-)brand, is a consumer / household device. The tagline of Omada is "Networks Empower Business":
* https://www.omadanetworks.com
If you want to haul your boat buy an F-150 pickup and don't complain that your Golf doesn't have enough towing capacity: buy the tool that you need for the problem/job you have. If you want an all-in-one then buy an AiO and not a router.
>> And no, I'm not being pedantic
> You very much are.
Expecting a router to not-route IPv6 is the unreasonable thought.
Are you suggesting that people should buy both a router and a firewall for their home networks? I suppose they should buy a separate Wi-Fi AP as well, and a switch or two, in your opinion?
> Are you suggesting that people should buy both a router and a firewall for their home networks?
I am suggesting the ER7212PC is not a home network device, and thus having the two functions glommed together is an anti-feature in its design. The tagline of Omada is "Networks Empower Business":
* https://www.omadanetworks.com
Expecting a router to not route IPv6 by default is to misunderstand its purpose.
You are of course correct, but most people will disagree because the world we live in is a lot messier than what we should do, and people expect a baseline. You have to remember that people rely on IPv4 NATing for security, despite every network engineer knowing that it is not - in effect it is.
> You have to remember that people rely on IPv4 NATing for security, despite every network engineer knowing that it is not - in effect it is.
Then buy a device that does default NATing and other consumer-y features if you want that. Don't complain that a generic routing system routes IP—whether IPv4 or IPv6—by default.
If you want a firewall buy a firewall. If you want an all-in-one firewall/gateway/AP/whatever, buy it.
In this particular case the "problem" is not in the device but in purchasing the wrong tool for the job at hand. If you want to haul lumber buy a cargo van or pickup truck, not a VW Golf.
'firewall' is just a colloquial term for packet filtering, which is a term for a class of functionality that could be provided by a router.
Customer edge routers are expected to contain a firewall (see RFC 7084 and RFC 6092).
> Customer edge routers are expected to contain a firewall (see RFC 7084 and RFC 6092).
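The stateful default-deny behaviour the comment above expects from a customer edge router, written out as an added example nftables ruleset for a Linux router. This is not the thread's, TP-Link's, or the RFCs' own text, and the interface names eth0 (WAN) and br0 (LAN) are assumptions:

```nftables
# Constructed example, not TP-Link or Omada configuration. Assumes a Linux
# router whose WAN interface is "eth0" and whose LAN bridge is "br0".
table inet filter {
    chain forward {
        # The behaviour complained about in the thread is a forward path
        # with no rules and an implicit accept: every LAN host is reachable
        # from the Internet. RFC 6092 "simple security" is the opposite
        # default: unsolicited inbound flows are dropped unless a rule
        # explicitly allows them.
        type filter hook forward priority 0; policy drop;

        # Stateful filtering: replies to flows the LAN opened are allowed.
        # This is the property people attribute to IPv4 NAT; here it is
        # provided by connection tracking, with no address translation.
        ct state established,related accept
        ct state invalid drop

        # Hosts on the LAN may initiate outbound connections.
        iifname "br0" oifname "eth0" accept

        # IPv6 does not function without ICMPv6. Pass the error messages and
        # echo requests that RFC 4890 recommends letting through the edge.
        iifname "eth0" icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request
        } accept

        # Anything else arriving on the WAN and headed for the LAN falls
        # through to the chain policy and is dropped.
    }
}
```

Load it with `nft -f /etc/nftables.conf` and inspect the result with `nft list ruleset`. The single line the thread is arguing about is the chain policy: a forward chain with `policy accept` and no rules routes everything, which is the ER7212PC behaviour described above, while `policy drop` together with the `ct state established,related accept` rule gives the default-deny that RFC 6092 describes for residential CPE.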
Neither the ER7212PC nor anything else in the Omada line is for residential consumers, which is what RFC 6092—"Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service"—refers to.
And RFC 7084 has two instances of the word "firewall", one (§3.1) in reference to IPv4 NAT:
and the other (§4.5) to tunnelling: I agree that a consumer all-in-one firewall/gateway/AP/whatever should ("MUST"?) have a default-deny rule on incoming connections. But the original complaint that kicked off this sub-thread is about a particular device, which is not a consumer device but a more generic routing system and not a "firewall" as such.
People expect their router to act as a firewall too, via NAT. If you take this away and force people to buy an additional piece of hardware to restore the expected functionality, they won't switch. Simple as that.
All modern NAT routers include a firewall. They don't "act as a firewall too, via NAT", they have both NAT and firewall functionality, even for IPv4. It has been like this for a long time now.
> All modern NAT routers include a firewall.
AFAICT the ER7212PC is not a "NAT router" but just a "router".
Even some switches have ACL functionality for the IP layer, but they're sold as switches and not as firewalls.
Sure, but people still use NAT as a way to secure their internal network, so it's effectively acting as a firewall.