Internet gateways with IPv6 simple security capabilities MUST
provide an easily selected configuration option that permits
a "transparent mode" of operation that forwards all
unsolicited flows regardless of forwarding direction, i.e.,
not to use the IPv6 simple security capabilities of the
gateway. The transparent mode of operation MAY be the
default configuration.

1. The average consumer will take most of their devices to the coffee shop or other public WiFi with no thought. So their threat model already includes access from untrusted devices to some degree.
2. Network level security is pretty weak. Most people will give their WiFi password to their friends; do this a couple of times and it is likely that someone with an infected machine enters your network, such that it should no longer be trusted.
3. Users will benefit from direct connections for things like video calls and file transfers.
So you are basically picking between a weak security layer and functionality. I think either choice is reasonable.
That being said I am quite surprised that a stateful firewall isn't an option. But I guess this way their packet rewriting hardware only needs to support IPv4?
Devices have their own firewalls already, and most people will be on public WiFi at some point too where even IPv4 would be exposed to random people.
I'm more concerned that the Synology NAS mentioned just exposes itself to the global internet by default from the sounds of it. Surely it should deny access except from internet IPv6 subnets until specifically told otherwise?
I’d rather do a custom device with OPNsense. Not guaranteed either, but at least people contributing care about firewalls, so slightly higher sanity levels.