throw0101c a day ago

> Enable IPv6 on a TP-Link Omada router (ER7212PC) and all internal services are exposed to the outside world as there is no default IPv6 deny-all rule and no IPv6 firewall. I get why some people are nervous.

A router routing traffic makes people nervous? Isn't that what it's supposed to do? I'd be annoyed if my router did not pass traffic. Now, if the ER7212PC was a firewall that would be something else. (And no, I'm not being pedantic: routers should pass traffic unless told otherwise, firewalls should block traffic unless told otherwise. The purposes of the two device classes are different, they just happen to both deal with Layer 3 protocol data units.)

baobun a day ago

Routers and access points are also typically separate device classes. Yet the market has figured out that most consumers prefer all-in-one devices. Expecting households to run dedicated firewalls besides their AiO wifi-routers is ludicrous. What firewall do you recommend a typical user couple their ER7212PC (which BTW is already tripling as VPN gateway and cloud-controller) with? The problem is that TP-link does not give two cents to security in their products.

> And no, I'm not being pedantic

You very much are.

throw0101c 17 hours ago

> Yet the market has figured out that most consumers prefer all-in-one devices. Expecting households to run dedicated firewalls besides their AiO wifi-routers is ludicrous.

Except that neither the ER7212PC, nor anything else under the Omada (sub-)brand, is a consumer / household device. The tagline of Omada is "Networks Empower Business":

* https://www.omadanetworks.com

If you want to haul your boat buy an F-150 pickup and don't complain that your Golf doesn't have enough towing capacity: buy the tool that you need for the problem/job you have. If you want an all-in-one then buy an AiO and not a router.

>> And no, I'm not being pedantic
> You very much are.

Expecting a router to not-route IPv6 is the unreasonable thought.

tsimionescu a day ago

Are you suggesting that people should buy both a router and a firewall for their home networks? I suppose they should buy a separate Wi-Fi AP as well, and a switch or two, in your opinion?

throw0101c 17 hours ago

> Are you suggesting that people should buy both a router and a firewall for their home networks?

I am suggesting the ER7212PC is not a home network device, and thus having the two functions glommed together is an anti-feature in its design. The tagline of Omada is "Networks Empower Business":

* https://www.omadanetworks.com

Expecting a router to not-route IPv6 by default is to misunderstand its purpose.

flumpcakes a day ago

You are of course correct, but most people will disagree because the world we live in is a lot messier than what we should do and people expect a baseline. You have to remember that people rely on IPv4 NATing for security, despite every network engineer knowing that it is not - in effect it is.

throw0101c 15 hours ago

> You have to remember that people rely on IPv4 NATing for security, despite every network engineer knowing that it is not - in effect it is.

Then buy a device that does default NATing and other consumer-y if you want that. Don't complain that a generic routing system routes IP—whether IPv4 or IPv6—by default. If you want a firewall buy a firewall. If you want an all-in-one firewall/gateway/AP/whatever, buy it. In this particular case the "problem" is not in the device but in purchasing the wrong tool for the job at hand. If you want to haul lumber buy a cargo van or pickup truck, not a VW Golf.

15 hours ago

[deleted]

zajio1am a day ago

'firewall' is just a colloquial term for packet filtering, which is a term for a class of functionality that could be provided by a router. Customer edge routers are expected to contain a firewall (see RFC 7084 and RFC 6092).

throw0101c 15 hours ago

> Customer edge routers are expected to contain a firewall (see RFC 7084 and RFC 6092).

Neither the ER7212PC, nor anything else in the Omada line, is for residential consumers, which is what RFC 6092—"Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service"—refers to. And RFC 7084 has two instances of the word "firewall", one (§3.1) in reference to IPv4 NAT:

    A typical IPv4 NAT deployment by default blocks all incoming
    connections. Opening of ports is typically allowed using a Universal
    Plug and Play Internet Gateway Device (UPnP IGD) [UPnP-IGD] or some
    other firewall control protocol.

and the other (§4.5) to tunnelling:

    S-3: If the IPv6 CE router firewall is configured to filter incoming
         tunneled data, the firewall SHOULD provide the capability to
         filter decapsulated packets from a tunnel.

I agree that a consumer all-in-one firewall/gateway/AP/whatever should ("MUST"?) have a default-deny rule on incoming connections. But the original complaint that kicked off this sub-thread is about a particular device, which is not a consumer device but a more generic routing system and not a "firewall" as such.

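As an added illustration of the router-versus-firewall distinction argued over in this sub-thread (example code written for this edit, not from the thread, TP-Link or either RFC), here is a toy model: a plain router forwards every packet, while an RFC 6092 style CE firewall applies stateful default-deny to unsolicited inbound IPv6 flows but still passes replies to outbound connections and the ICMPv6 messages the network needs. The prefix, addresses and ports are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

LAN = IPv6Network("2001:db8:1::/64")  # constructed delegated prefix


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0  # only meaningful for icmpv6


# Roughly the ICMPv6 types RFC 4890 / RFC 6092 let in unsolicited: errors 1-4, echo 128/129
ICMP_ALLOWED_INBOUND = {1, 2, 3, 4, 128, 129}


def plain_router(pkt: Packet, state: set) -> bool:
    """A router with no packet filter forwards everything, in both directions."""
    return True


def ce_firewall(pkt: Packet, state: set) -> bool:
    """Stateful default-deny inbound: outbound flows are recorded so their
    replies are accepted; any other packet arriving from outside is dropped."""
    outbound = IPv6Address(pkt.src) in LAN
    if pkt.proto == "icmpv6":
        return outbound or pkt.icmp_type in ICMP_ALLOWED_INBOUND
    if outbound:
        state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True
    # inbound: accept only if it is the reverse of a flow we saw leave the LAN
    return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in state


def run(policy, packets):
    """Apply one policy to a packet sequence; True means the packet is forwarded."""
    state: set = set()
    return [policy(p, state) for p in packets]


# Constructed traffic: a LAN host opens HTTPS outbound, the reply returns, then an
# unsolicited connection attempt to an internal SSH port arrives, followed by a
# Packet Too Big message that path MTU discovery depends on.
TRAFFIC = [
    Packet("2001:db8:1::10", "2001:db8:ffff::1", "tcp", 51000, 443),
    Packet("2001:db8:ffff::1", "2001:db8:1::10", "tcp", 443, 51000),
    Packet("2001:db8:ffff::9", "2001:db8:1::10", "tcp", 40000, 22),
    Packet("2001:db8:ffff::9", "2001:db8:1::10", "icmpv6", icmp_type=2),
]
```

Running both policies over `TRAFFIC` shows the router forwarding all four packets and the firewall dropping only the unsolicited SSH attempt, which is exactly the behaviour the "no default IPv6 deny-all rule" complaint is about.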
shrx a day ago

People expect their router to act as a firewall too, via NAT. If you take this away and force people to buy an additional piece of hardware to restore the expected functionality, they won't switch. Simple as that.

tsimionescu a day ago

All modern NAT routers include a firewall. They don't "act as a firewall too, via NAT", they have both NAT and firewall functionality, even for IPv4. It has been like this for a long time now.

throw0101c 17 hours ago

> All modern NAT routers include a firewall.

AFAICT the ER7212PC is not a "NAT router" but just a "router". Even some switches have ACL functionality for the IP layer, but they're sold as switches and not as firewalls.

shrx a day ago

Sure, but people still use NAT as a way to secure their internal network, so it's effectively acting as a firewall.