Default settings for ipv6 caused me a problem I just discovered

  • Question
  • Updated 2 years ago
  • Answered
Has anyone else experienced this? By default my ZD1106 has IPv6 disabled, which is what I want in my environment. However, also by default, the system default AP group configures all APs to use IPv4 and IPv6. I always thought that since it was disabled on the ZD it wasn't a problem. That is not the case. I found that guest traffic on the isolated guest WLAN was in fact passing to devices on the work network over IPv6. The automatic firewall rules put in place on the guest network for restricted subnet access to the LAN subnets DO NOT restrict IPv6 traffic, and thus it needs to be disabled on the AP by changing those group settings to IPv4 only. That SHOULD BE the default, don't you think, to match the ZD and prevent this problem?
galbicka

Posted 2 years ago

JS

galbicka,

Interesting scenario. What is your overall query, and what end result(s) are you looking to achieve?

galbicka

I am asking if others have experienced the same scenario and suggesting that the default settings be fixed if this is the case. Otherwise, IPv4 networks are open to guest wireless intrusion instead of being isolated as claimed if this isn't caught by the user. A lot of users I know do not yet understand the implications of IPv6 and do not VLAN their guest network but rather rely on IPv4 firewall rules.
JS

I see your point.  I have not experienced this before; however, I usually configure my APs individually in an attempt to avoid instances such as what you have described; because Ruckus APs are able to be configured individually in order to accommodate being placed in odd places and support a variety of wifi enabled devices, having all APs inherit default IPv4 and IPv6 settings from ZD could pose a problem. 
Michael Brado, Official Rep

Specifying IPv4 and/or IPv6 on the ZoneDirector applies to ZD/AP communications. Even if only using IPv4, misbehaving client NICs may be sending IPv6 floods in their VLANs.
https://support.ruckuswireless.com/answers/000003275

Unfortunately, APs see/inspect these packets too, even if they only ignore/drop them.
galbicka

Thanks for the reply Michael but I don't see how that is relevant to this post.
JS

galbicka,
Michael is confirming your thought(s) that your ZD setting should be inherited by your AP(s). But also suggesting that verifying IPv4 and IPv6 settings in the AP or AP group might be a good idea, in order to achieve the performance you desire in your environment.
galbicka

Ruckus support has confirmed my suspicions, but their suggestion on how to get it fixed left me shaking my head. I can confirm the workarounds do the trick though.

"I have verified it. By default the IPv4 is enabled for ZD in the Setup wizard and for APs it is IPv4&IPv6. I agree with your point that the default settings need to be changed. You can contact your local SE to raise an FR (Future Request) so that it may get fixed in the future firmware releases, or if you want I can forward your contact details to the SE. For now, the workaround is to manually change the IP version as IPv4 only for the APs or to enable IPv6 support for ZD to restrict the IPv6 Clients."
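
The gap described in this thread, modelled as an added example (not part of any post, and not Ruckus configuration or code): a guest deny list that holds only IPv4 prefixes is checked against destinations on a shared segment. The rule list, host addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (not taken from any controller export):
# deny rules of the kind a guest WLAN gets for "restricted subnet access".
GUEST_DENY_RULES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed destinations on a LAN that shares a segment with the guest WLAN.
LAN_HOSTS = [
    "192.168.1.20",               # IPv4 address of a file server
    "fe80::1c2d:3eff:fe4f:5a6b",  # same server, auto-configured link-local
    "fd12:3456:789a::20",         # ULA address handed out by a LAN router
]

def is_blocked(dest, deny_rules):
    """True if dest falls inside a deny prefix of the same address family."""
    addr = ipaddress.ip_address(dest)
    for rule in deny_rules:
        net = ipaddress.ip_network(rule)
        if net.version == addr.version and addr in net:
            return True
    return False

def audit(hosts, deny_rules):
    """Return the destinations that no deny rule covers."""
    return [h for h in hosts if not is_blocked(h, deny_rules)]

def families_without_rules(deny_rules):
    """Address families (4 or 6) for which the rule set has no entry at all."""
    present = {ipaddress.ip_network(r).version for r in deny_rules}
    return sorted({4, 6} - present)

if __name__ == "__main__":
    print("families with no rule:", families_without_rules(GUEST_DENY_RULES))
    print("not covered:", audit(LAN_HOSTS, GUEST_DENY_RULES))
    # Assumption for comparison: a rule set that also lists link-local and ULA.
    dual_stack = GUEST_DENY_RULES + ["fe80::/10", "fc00::/7"]
    print("not covered (dual-stack rules):", audit(LAN_HOSTS, dual_stack))
```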

galbicka

Finally, the original support tech passed my concern up the chain to a senior engineer who understands and is pursuing getting some changes made. Will see how that progresses. At the least, both the ZD and the AP default group should only be configured for IPv4 out of the box so users don't have to be concerned with this for the next couple of years until IPv6 becomes more mainstream.
idxman01

I was looking at that setting this week and thought the same. Thanks for bringing it up, it's a helpful post.

Now am mainly concerned with getting our ZD1125 back online after a firmware upgrade failed and hung...
galbicka

Did you try rebooting it? That works sometimes.
idxman01

I appreciate it. Yeah, that's what typically works. Was trying to not drive into the location this weekend if I could help it. :)
Preston Roberts

idxman01 - Just throwing this out there, may or may not help. I had that happen to me a month and a half ago. ZD1100 would hang up on upgrade. Went over it with tech support and they said it's bad RAM. I can't upgrade the firmware anymore. However, I can configure it all I want and those settings will be kept. ZD still works. Although I haven't tested out every feature to know it's working 100%. We decided to go with the next line up, ZD1200.