I'm able to SSH into my internal servers. Configuring OpenStack now to provision the addresses for instances as well.
I have an Asus RT-AC66U. Tried to flash with OpenWRT and a few others and failed a few months ago. It would appear it DOES NOT have a firewall enabled, so I'm wide open, so to speak.
Yeah, I think this is an issue with the router (I have it too). I was using a tunnel and had to turn it off because you can't get it to go through the firewall.
I think you can fix it if you telnet into it and manually set up iptables properly, but it overwrites the configuration on update.
Pretty poor form that ASUS haven't fixed that yet... It's annoying because otherwise it's a very nice router.
Ooh, that's not good. I would suggest you put up a firewall directly on as many devices as you can. Then, try to get a router upgrade, or a router that can handle an IPv6 firewall. I think I know the router you have and I believe TomatoUSB can run on it, which has ip6tables installed.
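The "firewall directly on as many devices as you can" advice above, as an added example that is not from the thread: a minimal stateful ip6tables baseline for a single Linux host, written so the rule list can be inspected before it is applied. It assumes a Linux box with `ip6tables` and the `conntrack` match available; the port list (22 here, matching the SSH access mentioned earlier in the thread) is an assumption you adjust per host. ICMPv6 is left open on purpose: Neighbor Discovery and Path MTU Discovery run over it, and dropping it breaks IPv6 outright.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny inbound IPv6 firewall for one host.
# ip6tables_baseline_rules prints the rule set, one ip6tables argv per line;
# apply_ip6tables_baseline feeds those lines to ip6tables.

ip6tables_baseline_rules() {
    # Accept rules first. Loopback, then anything belonging to a connection this
    # host started, then ICMPv6 (NDP, PMTUD, router advertisements all need it),
    # then DHCPv6 replies, which arrive on UDP 546 from a link-local source.
    cat <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p udp --dport 546 -s fe80::/10 -j ACCEPT
EOF
    # Every argument is a TCP port this host deliberately exposes (assumption: e.g. 22 for SSH).
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Policies last: an existing SSH session is already covered by the ESTABLISHED
    # rule by the time the default flips to DROP, so applying this remotely is safe.
    printf '%s\n' '-P INPUT DROP' '-P FORWARD DROP' '-P OUTPUT ACCEPT'
}

apply_ip6tables_baseline() {
    command -v ip6tables >/dev/null 2>&1 || { echo "ip6tables not installed" >&2; return 1; }
    ip6tables -F INPUT || return 1
    ip6tables -F FORWARD || return 1
    ip6tables_baseline_rules "$@" | while IFS= read -r rule; do
        # $rule is deliberately unquoted: it is the whitespace-separated argv built above.
        ip6tables $rule || exit 1
    done
}

# Running the file prints the rule set for review; apply it (as root) with:
#   apply_ip6tables_baseline 22
ip6tables_baseline_rules 22
```

The FORWARD policy matters only if the host also routes; on an end device it is simply a safe default. A router that cannot run ip6tables itself leaves every device behind it reachable from the Internet, which is why the rule set is per host rather than per network.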
I know it seems like it's not good, but I was thinking about it and even with Comcast's /64 aggregate, I have a billion BILLION addresses available inside my network. If you could scan at a billion addresses a second, it would take 30 years to scan all of Comcast's IPv6 addresses. That's crazy.
Well, not really. The first 64 bits are not all possible. They are subdivided, since some addresses are link-local, some are multicast, etc. Then, Comcast only has a certain allocation of that. On top of that, could one find a pattern in how they allocate their addresses?
The second 64 bits are also not quite random. Most of your devices will autoconfigure using radvd. This means that the second 64 bits depend on their MAC address. Now, if I knew of an exploit to, say, a printer or a NAS device, I would know the MAC address range. My guess is that I could probably reduce the 128 bit address space to something like 100 or even 90 bits.
Second, and this makes it all the above a moot point, don't your devices connect to the internet? Any time they connect to a site, that site knows the IP address and that data may be used either explicitly or leaked and used by someone else. Everyone between you and the site also knows the address.
Lastly, if you ever set up a DNS record for any of these addresses, they are then visible to others even with some scanning if you don't ever publish the actual names.
Long story short, there is hoping you don't get hacked and there is knowing you have a firewall that only allows what you want in.
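The point above about the second 64 bits depending on the MAC address, as an added example that is not from the thread: the modified EUI-64 derivation that SLAAC uses, plus a check a defender can run over their own hosts' addresses to see which ones still embed a MAC. It assumes POSIX sh with `awk`, `tr` and `cut`, and addresses whose `::` compression sits in the prefix half (the usual shape of SLAAC addresses as printed by `ip -6 addr`). The sample MACs and addresses are constructed, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): EUI-64 interface identifiers and a
# self-audit that flags addresses which reveal a MAC address.

# Zero-pad a hextet such as "211" to four hex digits ("0211").
hex4() { printf '%04x' "0x$1"; }

# Modified EUI-64 (the SLAAC default): flip the universal/local bit (0x02) of
# the first octet and insert ff:fe between the OUI and the device half.
mac_to_eui64_iid() {
    set -- $(printf '%s' "$1" | tr ':-' '  ' | tr 'A-F' 'a-f')
    [ $# -eq 6 ] || return 1
    first=$(( 0x$1 ^ 0x02 ))
    printf '%02x%s:%sff:fe%s:%s%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# Given an IPv6 address, print the MAC it embeds and return 0, or return 1
# when the last 64 bits are not in modified EUI-64 form.
addr_embedded_mac() {
    set -- $(printf '%s\n' "$1" | tr 'A-F' 'a-f' \
        | awk -F: 'NF >= 4 && $(NF-3) != "" && $(NF-2) != "" && $(NF-1) != "" && $NF != "" {
                       print $(NF-3), $(NF-2), $(NF-1), $NF }')
    [ $# -eq 4 ] || return 1
    g1=$(hex4 "$1"); g2=$(hex4 "$2"); g3=$(hex4 "$3"); g4=$(hex4 "$4")
    # The ff:fe filler in the middle is the fingerprint of an EUI-64 identifier.
    case "$g2" in *ff) ;; *) return 1 ;; esac
    case "$g3" in fe*) ;; *) return 1 ;; esac
    # Undo the bit flip on the first octet and reassemble the six MAC octets.
    b1=$(( 0x$(printf '%s' "$g1" | cut -c1-2) ^ 0x02 ))
    printf '%02x:%s:%s:%s:%s:%s\n' "$b1" \
        "$(printf '%s' "$g1" | cut -c3-4)" "$(printf '%s' "$g2" | cut -c1-2)" \
        "$(printf '%s' "$g3" | cut -c3-4)" "$(printf '%s' "$g4" | cut -c1-2)" \
        "$(printf '%s' "$g4" | cut -c3-4)"
}

# Constructed sample values (not from the thread):
mac_to_eui64_iid 00:11:22:33:44:55                  # 0211:22ff:fe33:4455
addr_embedded_mac 2001:db8::211:22ff:fe33:4455      # 00:11:22:33:44:55
addr_embedded_mac 2001:db8::1a2b:3c4d:5e6f:7a8b \
    || echo "no MAC embedded (privacy or stable-privacy identifier)"

# Self-audit on a Linux host, run from a shell after sourcing this file:
#   ip -6 -o addr show scope global | awk '{print $4}' | cut -d/ -f1 \
#       | while read -r a; do addr_embedded_mac "$a" >/dev/null && echo "$a embeds a MAC"; done
```

Any address the audit flags tells a remote site which vendor made the device and lets the same device be recognised again after it moves networks. On Linux the fix is `net.ipv6.conf.<iface>.use_tempaddr=2` (prefer RFC 4941 temporary addresses for outbound connections) or `net.ipv6.conf.<iface>.addr_gen_mode=2` (RFC 7217 stable identifiers that are not derived from the MAC); neither replaces the firewall the thread is asking for, since the address of a host is still learned by everything it talks to.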