Quick Questions [ICMP (Firewall), IPv6 (DHCP), SYN Cookies (Queue)]

Discussion in 'Tomato Firmware' started by Quad5Ny, Jun 22, 2014.

  1. Quad5Ny

    Quad5Ny Networkin' Nut Member

    • My understanding is IPv6 relies heavily on ICMP, if so why are ICMP requests limited to 1 per second by default? Or is the checkbox named wrong and it only applies to ICMP Echo requests?
    • Without unchecking Limit PPS (again, named wrong?) what would be a reasonable value for the ICMP & Traceroute requests per second?

    • Is it possible to set the IPv6 DHCP lease time? Because it doesn't seem to respect the v4 lease time (ex: if the lease time is set to 1440min, v6 IP's will still only show 720min).
    • With IPv6 (IPv6-PD, RA from WAN) enabled, should I double the 'Maximum active DHCP leases' assuming each client will grab 2 IP's?

    • Are SYN cookies only used when the SYN queue is almost full or are they used all the time? As a SOHO user I really don't need them enabled if it's going to eat up bits from the TCP header.
    Last edited: Jun 22, 2014
  2. koitsu

    koitsu Network Guru Member

    1a. IPv6 relies on ICMPv6 (IPv6). The ICMP limiting in question applies to only ICMP (IPv4).

    1b. The iptables rules added apply to all ICMP packets, not just ICMP ECHO. See thread for rule details. The netfilter limit module basically limits how often the rest of the IP stack actually honours/receives said ICMPv4 packets. The limit applies only to inbound packets destined to the router (e.g. WAN IP) despite the rules not explicitly specifying direction or interface.

    2. There is no value that works for every person, nor for every tool. For example, tools like mtr / WinMTR / PingPlotter generate a lot more ICMP (if using that mode) or UDP traffic than standard ping / traceroute do.

    3. DHCPv6 (IPv6) has nothing to do with DHCP (IPv4) and many features of DHCP have been revamped or removed entirely from DHCPv6 (for example, default gateway is no longer provided as part of DHCPv6 and is instead accomplished via ICMPv6 RAs).

    That said, your question is vague -- are you referring to DHCPv6 lease time for machines on your local network, or are you referring to DHCPv6 lease time as advertised by your ISP? (It partially depends on what kind of IPv6 connectivity you've configured under Basic / IPv6)

    If LAN -- this may be possibly controlled using dnsmasq configuration directives. There is little-to-no GUI support for IPv6 at this time, aside from the Dnsmasq Custom Configuration section. DHCPv6 lease times are controlled within the DUID portion of the response packet. If there are features missing from dnsmasq which you want, or you feel you've found a bug / have issues with dnsmasq / have questions, please refer to the dnsmasq mailing list or contact the author.

    4. Why would you assume a client would get two IPv6 addresses?

    5. The Enable SYN cookies feature is disabled by default, and to answer the question directly: they are used all the time/unconditionally. I would not enable this setting. Chances are people online who are going to want to DoS or DDoS you are simply going to fill your pipe with traffic, regardless of what type of attack (it really doesn't matter -- many these days just send tons of UDP traffic directed at random UDP ports, with the sole goal being to fill the pipe) -- there is no protection from this. Furthermore, SYN cookies result in a major performance hit, specifically the inhibition of TCP options (ex. RFC 1323 window scaling). The version of the Linux kernel used by TomatoUSB is 2.6.22; note this is older than 2.6.26 as mentioned in the linked Wikipedia article.

    About IPv6 -- when it comes to TomatoUSB, if you see any "settings" that relate to any part of the networking layer, if they are not explicitly shown as being for IPv6, assume they only work with/apply to IPv4.
    Quad5Ny likes this.
  3. Quad5Ny

    Quad5Ny Networkin' Nut Member

    Damn, you have to be the most helpful person on the planet. I sent you a PM it is not spam or another question.

    I know, for some reason I was thinking since there was no lease time option in the UI for (local) IPv6 addresses that… nevermind I don't know what I was thinking. :oops:

    Local, I have no control over my ISP's lease times. (DHCPv6 with Prefix Delegation, Prefix Length is 64 and Accept RA form WAN is checked)
    1 v4 and 1 v6.
    ^This right here will save me so much searching in the future. Thank-you!
  4. Spyros

    Spyros LI Guru Member

    Advanced->DHCP/DNS-> Disable Announce IPv6 on LAN->add this to custom

    dhcp-range=::1, ::FFFF:FFFF, constructor:br0, ra-names, infinite
    you can change "infinite" to your liking (eg 50m,2h etc)

    hit SAVE
    Quad5Ny and koitsu like this.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice