Their new modem/router doesn’t support opening ports in the ipv6 firewall, so if you want to open ports, they recommend disabling ipv6 entirely. For ipv4, they no longer support forwarding ports from only specific source addresses either, which is way less secure. You can only forward ports from all source addresses. You also have to use their crappy app to add port forward rules, it’s no longer available in the web ui. You can completely disable the ipv6 firewall in the web ui, but that wouldn’t be safe.

Old motorola modem/routers could do all of the above.

It says it can do bridge mode at least, but it seems silly to need 2 devices just to open ipv6 ports.

How are routers being made now in 2023 that don’t have proper ipv6 support? It seems crazy to me.

  • mo_ztt ✅@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    ·
    2 years ago

    At least the last I was aware, you could just use your own hardware which I always found preferable. I don’t think it’s a secret that Xfinity sucks bad :-(.

  • adlr@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    My view on this, at least for higher end devices like laptops, tablets, phones, etc, is that the OS must be secure to threats already because they all support cellular connections, where you will not have a home router to block incoming connections. IOT is, of course, a different story.

    The other thing we should all hopefully know is that a lot of threat vectors don’t involve incoming connections. Browser zero days, for example.

    BTW, all that said, I still don’t see why Xfinity can’t just provide a better set of knobs on the firewall.

  • TCB13@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    2 years ago

    You don’t need port forwarding for IPv6 because, unlike IPv4, it doesn’t use NAT. It is expected that an IPv6 device will not show up on the “Port Forward” page that was specifically designed to handle IPv4’s NAT port rules.

    Try to see if there’s some dedicated firewall page on the router and there you should be able to “poke a hole” to allow an incoming IPv6 request to reach a device in your network.

    • Scoopta@programming.dev
      link
      fedilink
      English
      arrow-up
      3
      ·
      2 years ago

      I believe OP is already aware of this. At least based on the wording in his post. He specifically says “opening ports in the IPv6 firewall.” Could be mistaken though.

      • iwasgodonce@lemmy.worldOP
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        2 years ago

        Yup, I’m aware.

        There’s no page for anything to do with ports for ipv6, and the documentation specifically says it’s not available to open ports on ipv6.

        The only options for configuring the ipv6 firewall are things like blocking ping, and disabling the ipv6 firewall entirely. There were 5 checkboxes, I forget what the other 3 were. It was at a relatives house I was helping so I can’t check right now.

        • Scoopta@programming.dev
          link
          fedilink
          English
          arrow-up
          3
          ·
          2 years ago

          IMO if you have to put “you can’t do xyz with IPv6” in your documentation…then you need to not ship that product…but Comcast is Comcast…sooo

  • Scoopta@programming.dev
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    edit-2
    2 years ago

    IMO if you’re serious about IPv6 you should probably have your own router running OpenWRT or the like. That’s not to say consumer routers don’t exist with good v6 support. AT&T provided routers have very good v6 support including full firewall rules for both v4 and v6 on top of the v4 port forwarding for NAT. We’ll ignore their PD issues lol. Sounds like Xfinity might just be behind the times. I’d put OpenWRT on a router and use that instead of the ISP router anyway.