
Any way to disable IPv6 on Hitron CGN3AMR or other ways to prevent IPv6 attacks?

michaelpod

I was shocked to realize that now with acquiring of Hitron modem all my IPv6 devices are open to direct attacks from outside, as there is no old good NAT for IPv6. 

I looked for an option in Hitron to disable IPv6 in my LAN but with no success.

Any help with this?

 

If it is not possible, do I have any option other than turning Hitron to a bridge mode and buying another router? Any recommendation for such a router with IPv6 support turnable off and/or with a reasonable built-in firewall?

 

Thank you!

 

53 REPLIES

Re: Any way to disable IPv6 on Hitron CGN3AMR or other ways to prevent IPv6 attacks?

Hey, can you explain to me how I could proceed to use another router where I can turn off IPV6 and use my Rogers one as a bridge? The fact is that I live in a common house where the central router has IPV4 and IPV6. I'd like to use my Xbox One and to play FIFA online. But as FIFA doesn't support IPV6, I can't. Thanks, Ben.


@gp-se wrote:

@an0811 if you go third party for a router I would suggest either of these:

TP-Link C3150

Asus RT-AC1900P (Bestbuy Exclusive)

 

I have had both, the TP-Link has excellent coverage, it's also MU-MIMO Compatible, and is very fast. Over WiFi it's the only router I've ever been able to speed test over 800mb/s. The Rogers gateway and the Asus were both similar maxing out around 550-600mb/s over WiFi.

 


 

Re: Any way to disable IPv6 on Hitron CGN3AMR or other ways to prevent IPv6 attacks?

@BenoitVIALE, there are three ways to do what you want to do.  

 

  1.  The first is to convince the owner/operator of the Central Router to disable IPV6.  It is possible to live without it, however, there are good reasons to run IPV6 for some XBox games to avoid NAT issues.  

 

I'm not exactly sure at this point if you are referring to the modem, or follow-on router when you refer to the "Central Router".

 

  2.  Failing the attempt to run the Central Router in IPV4 mode only, you can run a secondary router as an ethernet and wifi access point off of the Central Router.  In your particular case, that secondary router could be set for IPV4 mode only.  If you had a printer connected to the Central Router, you would have access to that printer through the secondary router.  

 

  3.  If you are referring to a modem - router combination as the Central Router, then the modem should be running in Bridge mode with the router in full router mode.  You can run a secondary router as an access point off of the existing router, as indicated above.  You can also simply plug in a secondary router into the modem and set that router to operate in full router mode.  The modem will supply a second IPV4 and IPV6 address to that added router and you can simply disable IPV4 in the router for your purposes.  In this particular configuration, there are two independent networks running, so, sharing files and printers across the networks would not be possible.  

 

In terms of wifi it gets a little interesting.  You should have a look at your wifi settings and the existing wifi environment to see what channels are occupied and which might be unoccupied.  I would expect all 2.4 Ghz channels to be occupied.  The 5 Ghz channels may or may not be totally occupied.  Your preference should be to use the upper channels, 149 to 161 as the power output from a device is allowed to run at 1 watt max.  The lower channels are restricted to 50 or 200 mw, depending on when the device was approved by Industry Canada.  200 mw is the newer limit.  

 

Check/set the following 2.4 Ghz wifi parameters:

 

Wireless Mode:  802.11 n

Channel Bandwidth:  20/40 Mhz, although, for test purposes you could set this to 20 Mhz.  In a crowded wifi environment, I would set this for 20 Mhz.  

Wireless channel:  AUTO or, to an open channel if one existed, or to the channel that offers the least interference from neighboring routers and modems

WPS Enabled:  OFF

Security Mode:  WPA-Personal

Auth Mode:  WPA2-PSK

Encrypt Mode:  AES only

 

TKIP is no longer secure and will cause the wifi data rates to cap at 54 Mb/s which is the g rate.

 

Check/set the following 5 Ghz wifi parameters:

 

Wireless Mode:  802.11 a/n/ac mixed

Channel Bandwidth:  80 Mhz, although, for test purposes you could set this to 40 Mhz

Wireless channel:  149 to 161

WPS Enabled:  OFF

Security Mode:  WPA-Personal

Auth Mode:  WPA2-PSK

Encrypt Mode:  AES only

 

 

Look at your wifi environment using one of the following applications:

 

 

http://www.techspot.com/downloads/5936-inssider.html

 

https://www.acrylicwifi.com/en/wlan-software/wlan-scanner-acrylic-wifi-free/

 

http://www.nirsoft.net/utils/wifi_information_view.html

 

Or,

 

For IOS

 

https://itunes.apple.com/us/app/network-analyzer-lite-wifi/id562315041?mt=8

 

For Android

 

https://play.google.com/store/apps/details?id=com.farproc.wifi.analyzer&hl=en

 

In the modem itself, if you have a white CODA-4582, there is a wifi Site Survey under ADMIN .... DIAGNOSTICS.  Since it uses all three of the 2.4 Ghz antennas and all four of the 5 Ghz antennas, it's fairly sensitive compared to a laptop or phone.  The user interface isn't great, but, you can copy all of the data in one go and dump it into something like MS Excel, where you can sort it any way you want.

 

 

That's the last freebie version of inSSIDer and at this point in time is getting a little old.  It's fine for 2.4 Ghz application and does work for 802.11n 5 Ghz networks.  It does display 802.11ac networks but not as well as it should.  This has become a licenced application now for $20 US and works very well for both frequency bands, 2.4 and 5 Ghz.  

 

The other applications are fine for 802.11ac.  Acrylic is graphical, WifiInfoView is text only.  

 

Re: Any way to disable IPv6 on Hitron CGN3AMR or other ways to prevent IPv6 attacks?



First of all, thank you for answering me that fast.

Then, if I understand well, it would be possible for me to buy a third party router and to disable IPV6 on it. I saw earlier in this post that a good choice would be the Asus RT 1900p. This option would be easier for me I think. The biggest problem with it is more, how could I set it to be a third party router. I don't really know anything about this subject. Is it hard to do? 

Thanks, Ben.

Re: Any way to disable IPv6 on Hitron CGN3AMR or other ways to prevent IPv6 attacks?

The actual settings wouldn't be a problem.  I can send you a list to follow which details all of the settings.  The 1900P would be a good choice.  There are other forum members who have bought that router and as far as I know to date, they are satisfied with the 1900P's performance. 

 

When you indicated the "Central Router", does that indicate the Rogers modem, or does it indicate a router that is already connected to the modem?

 

Depending on what is already installed the end result might look like one of the following:

 

1.  Modem - 1900P:  The 1900P operates in full router mode

 

2.  Modem - Existing Router - 1900P:  The 1900P connects to one of the Existing Router ports and is set to run in Access Point mode

 

3.  Modem Port 1 - Existing Router:  This router operates in full router mode

    Modem Port 2 - 1900P:  The 1900P operates in full router mode

Re: Any way to disable IPv6 on Hitron CGN3AMR or other ways to prevent IPv6 attacks?


@Datalink wrote:

The actual settings wouldn't be a problem.  I can send you a list to follow which details all of the settings.  The 1900P would be a good choice.  There are other forum members who have bought that router and as far as I know to date, they are satisfied with the 1900P's performance. 

 

When you indicated the "Central Router", does that indicate the Rogers modem, or does it indicate a router that is already connected to the modem?

 

Depending on what is already installed the end result might look like one of the following:

 

1. Modem - 1900P

 

2.  Modem - Existing Router - 1900P:  The 1900P connects to one of the Existing Router ports

 

3.  Modem Port 1 - Existing Router

    Modem Port 2 - 1900P


Yes by "central router" I meant the modem, sorry for my language which is approximate.

And how would I link the 1900p to the modem, is it good by wifi?

Thanks, Ben

Re: Any way to disable IPv6 on Hitron CGN3AMR or other ways to prevent IPv6 attacks?

Normally the router is connected via Ethernet cable to the modem.  You would then connect to the router via ethernet or wifi.  

 

The router has three operating modes;

 

1. Router mode:  The router provides Firewall, IP addresses, wifi services, etc, etc. 

 

This is connected as follows:   Modem - ethernet cable - 1900P - ethernet cable or wifi - XBox and/or other devices using IPV4 only.

 

2.  Access Point mode:  The router is used as an ethernet and wifi Access Point, but, it relies on the upstream modem or router for firewall and IP Addresses.  

 

This is connected as follows:   Modem - ethernet cable - 1900P - ethernet cable or wifi - XBox and/or other devices using IPV4 only.

 

3.  Bridge mode:  This is not the same as the modem's Bridge mode.  In this mode, the router connects to the modem via wifi and relies on the modem for firewall and IP addresses.  You would then connect to the router via ethernet connection.  What I don't know at this point is whether IPV6 is enabled when you enable this mode.  I suspect that it's not as IPV6 on the router is enabled via a second tab.  All of the devices connected to the router via ethernet should be running IPV4 only.  If you used wifi from the modem as the connection, that would still be running IPV6, but, the IPV6 addressing should stop at the router and not go beyond it.  So, this brings up the question of what you really want, an ethernet connection that provides IPV4 only, or both ethernet and wifi that runs IPV4 only.  It also depends to some degree on where the modem is located and where the router will be located.  

 

This is connected as follows:   Modem - wifi connection - 1900P - ethernet cable only - XBox and/or other devices using IPV4 only

 

At the same time, for your wifi devices, you would connect as follows: 

 

Modem - wifi connection - other devices using IPV4 and IPV6

 

If you intend to connect to the modem via wifi, then you have to consider the network that is currently operating and you would want to ensure that the modem's wifi network is set to run as efficiently as possible and that the router is connecting at the highest possible data rate.  That would probably mean that your first choice would be a 5 Ghz wifi connection, but, that depends on the existing wifi environment, so, you would have to look at that and see what the best operating channel might be.  That could be a 2.4 or 5 Ghz channel but I would bet that the 5 Ghz channel would be the best choice. 

 

 

Re: Any way to disable IPv6 on Hitron CGN3AMR or other ways to prevent IPv6 attacks?

Hello, I've read a number of the posts in this thread about using IPv6 with the Hitron modem / gateway(s). The last post is dated and I don't know if this thread is still being followed.

I am a new user who has been provided with a Hitron model CGNM-3552. The firmware version on this Rogers provided modem is 4.5.8.39T6.

I can see that this modem/gateway allows one to switch off IPv6 using IPv4 only. Or it will allow me to run both. I understand, please advise if I am wrong, that the Firewall on this modem works with both IPv4 and IPv6 to protect against intrusion attempts.

Under the "Security Tab" on this modem's GUI there is an option to Allow or Deny 'ICMPv6 Inbound to Hosts'. The Help tab for this function does not illuminate what this means?

I'd appreciate expert users advice and feedback on the advantages or not of allowing IPv6 as well as IPv4 addressing. I do not run gaming or use P2P. However I have read that IPv6 can run end-to-end encryption.

What are the advantages in running both IPv6 and IPv4 at this time? And would running IPv6 be any less secure as I understand that IPv6 addresses within one's LAN are publicly visible?

Thanks

Re: Any way to disable IPv6 on Hitron CGN3AMR or other ways to prevent IPv6 attacks?

Hey @GoodData,

 

I can totally appreciate wanting to be in the know when it comes to your modem's settings and security capabilities! I'll be happy to provide what information I can and perhaps some members of our community may also be able to share their insights as well.

 

Regarding advantages of having IPv6 enabled, there are a few general notable ones such as increased packet processing and routing efficiency as well as support for new services. By eliminating NAT there's also a true end to end connectivity at the IP layer so not just P2P connections but VOIP and QoS are improved as well. All of this essentially just means a more fluid/consistent browsing and device utilization experience.

 

As for the setting "ICMPv6 Inbound to Hosts", this covers a necessary selection of ICMPv6 requests. As ICMPv6 handles a variety of necessary features for IPv6 functionality leaving this enabled is recommended. Regarding your security query, IPv6 does have several security improvements over IPv4 so having both enabled would be optimal. I will note however that while it is common practice for the firewall to disable IPv4 echo requests to protect against things like denial of service attacks, port scanning via IPv6 is not nearly as common and ICMPv6 is necessary for IPv6 to function. Filtering specific ICMPv6 traffic would not be available through our current modems.

I hope this helps in answering your questions!


RogersAndy

Re: Any way to disable IPv6 on Hitron CGN3AMR or other ways to prevent IPv6 attacks?

Thank you @RogersAndy for the comprehensive reply! Very helpful.

You mentioned that "filtering ICMPv6" traffic is not possible with current Rogers provided modems. As I am on a learning curve could you please provide examples of ICMPv6 traffic that a user might want to filter, and why?

Re: Any way to disable IPv6 on Hitron CGN3AMR or other ways to prevent IPv6 attacks?

Hi @GoodData,

 

I'll be sure to forward your feedback to RogersAndy 🙂.

 

To my personal knowledge there's no common reason a residential consumer would need to filter any of the ICMPv6 requests as doing so would likely cause visible usability issues, such as websites taking longer to load or not loading at all. Filtering can be a complex task that does involve a wide depth of understanding in both what your security requirements are and how best to filter unidentified packets without impacting the user experience.

 

That said, ICMPv6 packet filtering can be done in an effort to gain protection from denial of service, probing or redirection attacks among others but these are not common over ICMPv6 and know that our network is scanned continuously to track any traffic that may be conceived as malicious. These kinds of filters are typically set in place via firewalls for businesses.

 

 

 

 

RogersZia
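
Added example, not part of the replies above and not Rogers or Hitron code: the question of which ICMPv6 traffic a perimeter filter would drop and which it has to pass, worked through with the transit-firewall categories of RFC 4890 section 4.3. The `ACTION` mapping (a default-deny home perimeter) and the sample headers are assumptions constructed for this example.

```python
import struct

# Categories follow RFC 4890 section 4.3 (ICMPv6 transiting a firewall).
LINK_LOCAL_ONLY = {130, 131, 132, 133, 134, 135, 136, 137,
                   141, 142, 143, 148, 149, 151, 152, 153}
MOBILE_IPV6 = {144, 145, 146, 147}
DROP_UNLESS_JUSTIFIED = {100, 101, 127, 138, 139, 140, 200, 201, 255}

# Action chosen here for each category on a default-deny home perimeter.
# The mapping is this example's assumption; the RFC leaves "policy" open.
ACTION = {
    "must-allow": "accept",
    "should-allow": "accept",
    "link-local-only": "drop",
    "policy": "drop",
    "drop-unless-justified": "drop",
}


def parse_header(packet: bytes) -> tuple[int, int]:
    """Return (type, code) from the fixed 4-byte ICMPv6 header."""
    if len(packet) < 4:
        raise ValueError("ICMPv6 header is 4 bytes: type, code, checksum")
    icmp_type, code, _checksum = struct.unpack("!BBH", packet[:4])
    return icmp_type, code


def classify(icmp_type: int, code: int = 0) -> str:
    """Return the RFC 4890 transit category for an ICMPv6 type and code."""
    if icmp_type in (1, 2, 128, 129):
        # Unreachable, Packet Too Big, echo request/reply. Dropping type 2
        # breaks path MTU discovery, so large transfers stall.
        return "must-allow"
    if icmp_type == 3:      # Time Exceeded: code 0 hop limit, code 1 reassembly
        return {0: "must-allow", 1: "should-allow"}.get(code, "policy")
    if icmp_type == 4:      # Parameter Problem: codes 1 and 2 are essential
        return {0: "should-allow", 1: "must-allow",
                2: "must-allow"}.get(code, "policy")
    if icmp_type in MOBILE_IPV6:
        return "should-allow"
    if icmp_type in LINK_LOCAL_ONLY:
        # Neighbor discovery, router advertisements, redirects, MLD: valid
        # only on the local link, so a copy arriving from the WAN is bogus.
        return "link-local-only"
    if icmp_type in DROP_UNLESS_JUSTIFIED:
        # Router renumbering, node information queries (host probing),
        # experimental and extension types.
        return "drop-unless-justified"
    return "policy"         # unallocated types and Seamoby (150)


def verdict(packet: bytes) -> tuple[int, str, str]:
    """Return (type, category, action) for one raw ICMPv6 message."""
    icmp_type, code = parse_header(packet)
    category = classify(icmp_type, code)
    return icmp_type, category, ACTION[category]


# Constructed sample headers (checksums zeroed), not captured traffic.
SAMPLES = [
    bytes([2, 0, 0, 0]) + struct.pack("!I", 1280),   # Packet Too Big, MTU 1280
    bytes([128, 0, 0, 0, 0, 1, 0, 1]),               # Echo Request
    bytes([134, 0, 0, 0]),                           # Router Advertisement
    bytes([139, 0, 0, 0]),                           # Node Information Query
]
```

Calling `verdict()` on each entry of `SAMPLES` shows the split: the error and echo messages are accepted, while the router advertisement and node information query are dropped.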

Re: Any way to disable IPv6 on Hitron CGN3AMR or other ways to prevent IPv6 attacks?

Many thanks @RogersZia for answering my query. Most appreciated!

Re: Any way to disable IPv6 on Hitron CGN3AMR or other ways to prevent IPv6 attacks?

TprontoDave

What I do, is statically assign an IPV4 address to the MAC of the device. I find SOME devices when given a choice, will use IPV6, and not get an address by DHCP. This causes all kinds of issues with the many sites that have bad, or nonexistent AAAA records.
