11-22-2016 12:18 AM - last edited on 11-22-2016 10:37 AM by RogersCorey
I was shocked to realize that now with acquiring of Hitron modem all my IPv6 devices are open to direct attacks from outside, as there is no old good NAT for IPv6.
I looked for an option in Hitron to disable IPv6 in my LAN but with no success.
Any help with this?
If it is not possible, do I have any option other than turning Hitron to a bridge mode and buying another router? Any recomendation for such a router with IPv6 support turnable off and/or with a reasonable built-in firewall?
Solved! Solved! Go to Solution.
05-11-2017 08:53 PM
@roy86, that might have been included in firmware version 22.214.171.124 for the CGN3ACSMR. That was due for release in March but a wifi problem was detected very shortly after it was released, and as a result, that version was not released to the rest of the network. Any modems with that version loaded were rolled back to the latest production firmware that preceded .29
From the update list:
Improvement: First release of IPv6 firewall
I'm not sure if the IPV6 enable/disable was included or not, just speculating at this point as the release list doesn't specifically mention it.
Are you on an unlimited plan? If so, then the easiest way to get to where you want to be is to swap your current modem for a CODA-4582 and request the current trial version, 126.96.36.199, which includes an IPV6 enable/disable.
11-22-2016 12:25 AM - edited 11-22-2016 12:25 AM
There is no facility on the Hitron modems for the user to enable/disable IPV6. I believe that it might be possible for tech support to do that, but that would depend on the firmware version on the modem. @RogersDave can confirm if that is possible at all, or will be with future firmware versions.
In the event that IPV6 cannot be disabled, I personally recommend Asus routers. Asus router do handle IPV6 properly, at least from what it appears, and IPV6 can be enabled or disabled, as determined by the user.
11-22-2016 01:18 AM - edited 11-22-2016 01:25 AM
Apart from discussing the technical problem, I'd like to leave some general comments on the situation. I think it is highly irresponsible to provide "out of the box" solutions like Hitron modem which silently break usual long-established user's expectations of security. And as Hitron's own firewall has very limited set of settings, I am just not sure if Hitron alone, without yet another router, can provide both useful and secure mode of work even with some reconfiguration available to the end user. But first of all - why would anyone ever allow to release a product which opens customers' networks for attacks?
11-22-2016 08:58 AM
Generally these devices are desgined as just BASIC out of the box devices.. for your 75% of the users out there who just want basic internet access.
I bet you 75+% of all rogers users, have never ever been into the gateway settings, let alone the large number of them who probably have never changed the wireless name/password from what it came with.
Most people dont REALIZE what potential security holes there are out there.
11-22-2016 12:22 PM
I have had a long understanding of IPv4 as I have been at it for a year or two.
I have been out of the game as IPv6 was implemented.
Could anyone clarify any of risks and actions that can be taken (keep in mind I am talking about home usage and although I am not a basic out of the box user, there will be some that are who read this).
I know that in Enterprise environments we never relied on NAT alone, we always set a managed firewall on a dedicated hardware firewall. The modem was nothing more than a bridge.
At home, I have relied strictly on the NAT and software firewall solutions on my devices. I have never thought about the implications of the movement to IPv6 and security.
11-23-2016 12:00 AM - edited 11-23-2016 12:22 AM
Some discussion on the topic is here: https://www.reddit.com/r/homelab/comments/4xgf1n/rogers_hitron_routers_are_routing_ipv6/
IMO, to estimate the risks one needs to analyze what services may have ports open for ipv6 connection on particuar user computer and what may be a target for attacks - which is a long story. AFAIK, common practice is not to allow open ports unless neccessary.
Possible alternatives to fix the problem IMO are
1. disabling ipv6 on users computers tablets phones and other devices
2. using software firewalls on users computers etc
3. turning hitron into a bridge mode and using an additional router which disables ipv6 stuff.
4. Just ignoring the threat - which may probably be an option for smartphones at least.
As for me personally, I am going to put hitron into a bridge mode and have an additional router.
12-28-2016 05:27 PM - last edited on 12-28-2016 05:40 PM by RogersMaude
No IPv6 Firewall on the Hitron CGN3ACSMR and no way to disable IPv6
I tried to contact Rogers via Facebook, but kept being told to try the community forums.
I am currently visiting my parents and was shocked to discover that they were getting IPv6 addresses on their computers, but were not firewalled off from the internet via IPv6.
This is completely irresponsible of Rogers to push out IPv6 and not provide at least the basic level of security.
I've already switched their Hitron device to bridge mode and purchased a third party router, but thousands of other customers are probably exposed.
I've already reached out to the media.
12-29-2016 01:06 AM - edited 12-29-2016 01:40 AM
Hello everybody - I continue to research the question of NAT IPV4 and IPV6 security.
What I have found is that NAT beyond providing a private network behind the router address coming from your ISP, it also provided what is known as a stateful network firewall, which I already knew was the basic principle of what provides firewall security.
I have found that there are NAT solutions for IPv6, but they are not out of the box, as IPv4 routers were, they need to be configured and I am not sure that a stateful firewall configuration for IPv6 can be done on out of the box routers, nor would I even know how to set it up at this time.
I was speaking to the owner of a security and networking company that I used in a previous job and he said, they have never put corporate networks behind a NAT to provide security, that there were known ways of getting through if you had the tools and nohow - They have always put hardware firewalls between the modem/router and the network - they have always used a unix driven, internationally respected firewall, and for the VPN services to secure between sites. I and my staff never touched that box - it was completely beyond our knowledge of how to configure it, but we did use the monitoring tools for being aware of network and internet usage within the corporation, as well as to catch unusual patterns, say like a trogan, spamming, and to automatically shut down on a DOS attack.
Basic out of the box solutions of this style run for about 1000.00 with no VPN, and higher with a VPN at each site at around 500.00 and the basic ones are pretty straight foward for configuring, if all you are doing is a home solution where you aren't sharing and communicating and routing traffic within your various network sectors in your home - not something most will do - that is corporate and enterprise needs, not that many just go with a NAT IPv4 solution, but not overly smart when client information is on their servers.
So what made NAT common is that it was a simple out of the box, no configuration required solution - just plug it in and go, and provided more than enough security for over 75% of users. Myself, I keep a software firewall between my NAT router and my devices, and they are locked down pretty tightly as I know how to do this, although you can use any on the market (free or at cost, and even the Rogers freebie solution which I have never used as it requires that you be connected to their network to keep it authorized - if you take your laptop on say a 60 day trip, you are going to lose the activation and be out of luck) We travel away from home, and use them at work offices and so forth, so we can be off the Rogers network often.
Even Microsoft provides a reasonably good firewall at the stateful and program permission level, along with malware and virus detection, but I go beyond that with an enterprise level product - I was comfortable with it and I trust it. It is just the more expensive Symantec, not the basic home user ones. Just more options and requires a bit higher knowledge of how to configure, but the public home market Symantec or any of the free ones are pretty good, or hardware firewalls that are configurable, plus provide control of access and use are not that expensive either - if you understand unix/linux, there is lots of instruction on how to set up an old computer as a firewall, and the 3rd party flashable firmware that goes on many market routers - can't remember the names. DD WRT is a solution, with many tutorials on setting up tables for security routing, and advanced logging beyonnd the basic tools on most middle and lower end routers or on the Hitrons and other Internet provider devices.
So what I have read so far is that IPv6 through a router is that there are public addresses that will require stateful verification in order to connect - i.e., you sent the header out, it comes back and the system authorizes it as a return message, same as it has always done, but internally, there is a dedicated IPv6 address that is defaulting to internal only for communication within your network behind the router, and basically works as the same principle as the IPv4 NAT model - private addresses are available internally and not visible to past the router, but let's be honest, there is other information like MAC addresses, and other information that can be used if you know how, but for most homes, no one is going to both. There are simpler ways, say like hacking your router if you used a simple password, and then if you used the same password and user internally, it was open game once they got in there - a software solution may solve for this risk, as will an internal dedicated firewall/router.
So I am feeling more comfortable that IPv6 is quite secure and as risks are identified, that companies will push security methods down quickly. IPv6 has been in place in a limited manner since 2010 if I recall, and they have not reported many concerns, but given the belief that NAT is the majic cure for security (which on a simple way, it can be), there is a market growing to add NAT to IPv6. Tons of debate on it, but personally, I am not concerned.
The greatest risk for security still remains the user - spamming emails, social engineering, going to risky sites, opening emails you don't expect or don't recognize, not having a firewall or router configured well for security, turning your software firewalls off while still connected to the internet - air gap it - bring down the software install to your computer, or to a safe computer, and install it on an airgapped computer - you can do the same by disabiling your software firewall and airgap it (unplug it from the Internet).
Always having a solid backup routine in place incase you do get hacked.
Weak passwords, putting them on stickers on your computers - yes I have personally seen this so many times, both corporately and in homes).
Here is a link on a discussion of security http://www.itweapons.com/security-awareness-training-blog/
Mostly talking about the user. Feel free to use the support teams at Rogers, a private company, or here on the forum for support if you do get nailed by a security breach, and stay on top of these issues.
But in closing, at this point, noone has convinced me that IPv6 is any greater risk than IPv4 NAT.
Without NAT on, if you have prevent inbound traffic turned on, you have security that will cover most that would ever try to hack your home network - it means that your router will only let a packet in, if it contains a header requesting it from your inside computers. You could assign fixed addresses in the public network address subnets (most commonly known one is the 192.168.xxx with subnet 255.xxx.xxx.xxx
One other thing to note, if you aren't comfortable, Rogers is still on IPv4 at this time, the modem'router still supports NAT, and you just need to turn off IPv6 at the device level on your network adapters. If unsure, someone can answer how to do that on this site - just ask - they will just need to know the details of your device and OS. It is pretty basic, you just remove or disable the IPv6 protocols.
Plus, if you decide to turn off IPv4, you won't have Internet access, as by default, you are accessing DNS from Rogers or other sites via IPv4 at this point over most routers and the modems. Unless we hear otherwise.
So if you want to stay with NAT for now, just turn off IPv6 at the device level, and use IPv4 exclusively.
Beyond that, that is all I know at this point. I have been away from this side of the business for too long, and IPv6 was nothing but a recommendation and unapproved by the Internet Standards Association. Be assured that they look at all the security risks as they begin to approve implementation. Companies don't just go out and put protocols without a lot of research and approvals and beta testing by ISA.
12-29-2016 01:55 AM
Read one other discussion about NAT - many IT specialists have said that NAT provided a false sense of security to many users, when there were so many other things that had to also be considered such as,
did you change your password from the company default - do you realize that someone in your home can just reset the router and use the default user and password and wander in. I have been able to do that in my neigborhood on default Dlink routers. I find where they live and advise them, and I have found my fair share of wide open WI-FI connections - one person said, I thought my network was secure because I had the ISP modem/router in place - nope, I showed her how I wandered in not only to her network, use the default gateway login, and got in with the standard password - at least Rogers does scan and request you to change default passwords. But I got in via her WIFI and also showed her how I got to her shared files - cleaned it all up and made it secure - and charged her because that was my business at the time. She was more than willing to pay for it, she was an at home lawyer.
Bottom line, your most secure option is to bridge to a high end router with high level firewall capabilities, or to a dedicated hardware firewall - great if you are the type that want secure DMZ zones, port routing, managing access to sites and other higher end security and control methods (if you understand these terms, you know what I am talking about, if you don't, search it, and you probably don't need it anyway).
Keep the discussion going, don't know if this will make people more comfortable, but certainly be confident that Rogers/Intel/hitron and others are taking this whole issue seriously, and aren't just opening your networks wide open. If you home computer is at risk, so is their whole network. This is why ISP's often give free firewall software - they are fully aware that NAT alone isn't the do all and end all of good security.
By the way, I am not a Roger's employee, have no association to Rogers other than being a user who likes to help on this forum. But please be assured, that I am not belittling your concerns in anyway, they are valid concerns being asked by many, but as I said, I am becoming more comfortable as I research more that it is not an issue. No more than any other security system that someone may decide that they want to get in - but we are home users, we are not targets that most are interested in - those who do it want to disrupt govenements companies, large networks and finance, or big companies like Yahoo. It increases the risk that they will get caught, but the fun for them is getting in and showing that it can be done, and often get caught because they brag, or left electronic trails. We home users really are generally of no risk, other than our WIFI's with wifi sniffers and poor passwords.
Good night all and if you are concerned about a change in technology, this is a great place to ask.
If it hasn't been looked at, you have raised it as a concern that will be considered, and if it has been considered, the information will get to you.
12-29-2016 08:07 AM
The discussion about NAT, DMZ, IPv4, IPv6, etc is not one that I want to have with my 70 year old father. Rogers started pushing down IPv6 addresses to their customers with ZERO security on the Rogers supplied gateway equipment and this is totally unacceptable.
My parents computers have the basic level of security software and get patched by the Windows update as updates are pushed out. The problem becomes that some hacker finds a zero-day exploit on Windows and creates an exploit tool that scans for unprotected computers and then infects them. The infected computers then start to scan for other non protected computers and while doing that encrypts the contents of the hard drive. The demand to unencrypt the hard drive is small (a few hundred dollars), however for the hacker it is economies of scale. Attacking one home user for $200 is not worth it, but automate the attack and hit 10,000 or more home users, each for $200, the enterprise becomes very profitable.
Since Rogers has decided to open up a vast majority of their home users to the entire IPv6 internet without warning and without security they should be held accountable.
The words that ring in my head when ever I describe this issue are "Trust me, I'm a Network Engineer". I play daily in IPv4, IPv6, MPLS, etc. I've given classes to Rogers employees at their Brampton Office.
12-29-2016 01:10 PM
I have little more to say other than what I have already said.
I agree about absense of communication from Rogers, but this is not new - you will find that concern all over the forum threads.
I can only suggest that you contact them directly and express this concern, as this board is user to user support, not run by Rogers and does not deal with individual concerns - for that you have to communicate directly with Rogers.
I too wouldn't try to explain any of this to my 82 year old father-in-law either. He has higher level purchased firewalls at the software level in place and beyond that he asked me and I said, I see no concern at this time, but feel free to contact the store that supports you with their techs.
You will soon find that you cannot turn off IPv6 (well over the next 10 years anyway) off. But for now, if your device allows for it, you can turn it off at the device level, or purchase one of the recommended ASUS routers and bridge the gateway to the router and turn it off there.
So I just wanted to finish by saying, limited communication is not that uncommon for Rogers, that they have Engineering experts working with the Hitron router and beta testers here dealing with a number of questions with performance, and some questions on IPv6 too.
I am at my limits of knowledge, but if you are concerned, keep researching, keep asking, and communicate your concerns directly to Rogers. It is ok to express them here, but as a user board, what you are saying may not make it to Rogers.
All the best in feeling secure, Bruce
02-23-2017 06:32 AM
Good morning Community,
You are absolutely right in your observations regarding the operation of IPv6 in our gateway. It is the normal practice for major ISPs and carriers around the world and carriers around the world.
Each modem is allocated a 64 bits prefix out of a 128 bits address space. This means that each modem has 18,446,744,073,709,551,616 IPv6 addresses to allocate to the local network and a computer or device gets a single one out of this pool, randomly allocated. For an attacker, it would require them to scan all the possible addresses in that space to find a target and this would take a very long time (longer than the address is valid for). Furthermore, most modern operating system implement security at the host level.
That being said, we have heard concerns from our customers and have started implementing IPv6 firewalls in accordance to RFC 6092 (https://tools.ietf.org/html/rfc6092). There is a first version of this firewall available in firmware version 188.8.131.52 of the CODA-4582. This version provides filtering but limited flexibility for user control. The full scale of RFC6092 should be implemented in a subsequent firmware release.
We are also working with Hitron to implement the same changes in all other Hitron modems in the next firmware release which should be available in the March / April timeframe this year.
02-23-2017 10:25 AM
Yes the large pool of addresses provided makes scanning the range impractical. However there are other ways to find IPv6 addresses that are in use.
04-03-2017 12:09 PM - last edited on 04-03-2017 12:24 PM by RogersMoin
Any way to disable IPV6 for Xbox?
I need to disable IPV6 for my Xbox because FIFA 17 does not work online using that option, I used to use IPV4 with my last ISP and it worked fine but since switching to Rogers IPV6 it does not anymore, I have been told the Hitron router supports both IPV4 and 6. If I assign my Xbox a static IP and DNS that are IPV4 IP and DNS will that force the console to use IPV4.
If this is not possible I will need to buy a new router and use my Rogers one as a bridge, so can you suggest some third party routers that are IPV4 or have the option to turn of IPV6?
04-03-2017 08:23 PM
@an0811 if you go third party for a router I would suggest either of these:
Asus RT-AC1900P (Bestbuy Exclusive)
I have had both, the TP-Link has excellent coverage, it's also MU-MIMO Compatible, and is very fast. Over WiFi it's the only router I've ever been able to speed test over 800mb/s. The Rogers gateway and the Asus were both similiar maxing out around 550-600mb/s over WiFi.
04-15-2017 09:12 PM
Any update on this? When would this be coming to CGN3ACR routers?
04-17-2017 02:26 PM
Any update on this? When would this be coming to CGN3ACR routers?
It is included in the next firmware on both the CODA and the "AC" series routers.
This firmware will be made available as part of the trial firmware program at first and eventually will be rolled out to production. You can register for the firmware trial program by sending a private message to @CommunityHelps including your modem MAC address and serial number.
04-19-2017 06:25 AM
I have been doing a little more reasearch regarding FIFA and would like more information.
Can anybody confirm if this is happening only on XBOX or it is also happening on other platforms?
I have seen reports of this on CGN3ACR and I believe on CODA. In the case of CODA, the production firmware has an IPv6 firewall but for other modems, it really depends on the version of firmware. So to help me investigate this further, would it be possible to provide the Rogers modem model you are using and the firmware version.
04-19-2017 09:33 AM
04-23-2017 10:52 AM
I am having the same issue but wih a different game, Mass Effect Andromeda. Using a Hitron CGN3ACR and Xbox One.
The multiplayer cannot handle IPv6 P2P connections so I can't play a single game. This is an EA Games problem, yet they continue to blame ISP providers.
Is there any way to disable IPv6 in my router settings? Seems like the only way to make the game work is if I force an IPv4 connection, or create some sort of conflict, but there is't any option to do that throught the xbox.
The online community has a work around for this, here's a link http://answers.ea.com/t5/Technical-Issues/You-have-lost-connection-to-the-host-I-can-not-play-a-sing...
Seems like a lot of work every time I want to play online, and honestly I don't trust myself not to mess up my settings and break the internet for everyone else in my household.
04-25-2017 09:13 AM
I am also having the problem with IPv6 causing issues (read: completely preventing) playing games (specifically Mass Effect: Andromeda MP).
Gaming console: Xbox One
Modem Type: CODA-4582
Modem Firmware: 184.108.40.206T2 ("Software Version" in the System Information seciton)
Do you have any kind of a timeline for when this firmware update will be released? It's been over a month since I got ME:A, and I'm really anxious to actually play the multiplayer portion of the game.