TP-Link cannot get IPv6 firewall right
What led to two of my recent posts is TP-Link’s inability to get the IPv6 firewall right on their routers.
Allowing all incoming IPv6 traffic
For a long time my home NAS was publicly accessible from the internet under my own subdomain. Although risky, I did my best to secure things. First, in my TP-Link router I had forwarded to my NAS only a handful of ports, for Synology DSM and Home Assistant. Second, both of these used HTTPS with Let’s Encrypt certificates obtained through Synology’s built-in functionality.
As I was removing all the port forwarding, I noticed something odd: I had never forwarded port 80 to my NAS, yet my Synology had been renewing Let’s Encrypt certificates for years using HTTP-01 validation, which requires port 80 to be reachable from the internet. Moreover, even after removing all the port forwarding, those ports were still accessible from the internet (e.g., from a DigitalOcean VPS). I hadn’t put the NAS in the router’s DMZ, so how was this even possible?
To my absolute horror, I eventually realized that my TP-Link Archer C6 v2.0 simply allows all incoming IPv6 traffic to all LAN devices. With IPv4, NAT means that port forwarding (or the lack of it) effectively acts as a firewall; TP-Link must’ve reasoned that since IPv6 doesn’t need NAT, there’s no need for any kind of firewall whatsoever. This is unbelievably insecure, because non-expert (and even quite advanced) users would never realize this. Furthermore, there’s no way to change it other than disabling IPv6 altogether. So much for IPv6 adoption…
Some deep digging reveals that this massive security flaw has been noticed a few times before on the TP-Link Community forums and Reddit. Other Reddit posts don’t mention the allow-all behavior explicitly, but just wonder whether there is any IPv6 firewall at all.
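The quickest way to confirm whether your router is filtering anything is the check described above: probe your own NAS from outside the LAN (a VPS, a phone on mobile data) on both its global IPv6 address and the router's IPv4 WAN address, and compare. The script below is an added example, not code from the post; the port list is a constructed set of the services mentioned (HTTP-01, HTTPS, DSM, Home Assistant) and the target address is a placeholder.

```python
import socket
from typing import Dict, Iterable, List

# Constructed list of ports the post talks about: HTTP-01 (80), HTTPS (443),
# Synology DSM (5000/5001) and Home Assistant (8123). Adjust to your own setup.
DEFAULT_PORTS = (80, 443, 5000, 5001, 8123)


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """TCP-connect to host:port from this machine and classify the outcome.

    "open"      - handshake completed: the service is reachable from here
    "closed"    - the host answered with a refusal (RST)
    "filtered"  - no answer or network unreachable before the timeout
    Works for IPv4 and IPv6 addresses and hostnames alike.
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolvable"
    family, socktype, proto, _, sockaddr = infos[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
        except ConnectionRefusedError:   # must precede OSError (it is a subclass)
            return "closed"
        except OSError:                  # timeout, host/network unreachable, ...
            return "filtered"
        return "open"


def probe_ports(host: str, ports: Iterable[int] = DEFAULT_PORTS,
                timeout: float = 3.0) -> Dict[int, str]:
    """Probe every port in `ports` and return {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def exposed_ports(results: Dict[int, str]) -> List[int]:
    """Ports that completed a handshake, i.e. reachable despite no forwarding rule."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    import sys
    # Run this from OUTSIDE your LAN. Placeholder address: pass your NAS's global
    # IPv6 address, then your router's IPv4 WAN address, and compare the two.
    target = sys.argv[1] if len(sys.argv) > 1 else "2001:db8::1"
    results = probe_ports(target)
    for port, state in results.items():
        print(f"{target} tcp/{port}: {state}")
    if exposed_ports(results):
        print("WARNING: reachable without any port forwarding:", exposed_ports(results))
```

On a router with the allow-all behaviour, the IPv6 run reports "open" for every service the NAS listens on while the IPv4 run (with forwarding removed) reports "closed" or "filtered" for the same ports.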
Blocking all incoming IPv6 traffic
Luckily (though not for me), someone at TP-Link must’ve realized their stupidity at some point, but only for some newer router models — no firmware updates are available for mine. More often, people on the TP-Link Community forums and in various Reddit posts have complained about their TP-Link routers blocking all incoming IPv6 traffic without any configurability (unlike IPv4). At least this is secure enough not to expose everything to the internet, but it doesn’t help IPv6 adoption either…
Providing a non-functional IPv6 firewall configuration
For some even newer router models, it seems that TP-Link tried to solve that problem too by finally making the IPv6 firewall configurable. Judging by posts on the TP-Link Community forums, however, this configurability doesn’t seem to actually work, and all incoming IPv6 traffic is still blocked.