Improve Default IPv6 ACL/Firewall Policy

The current default eero IP ACL policy for IPv6 permits inbound ICMP6 echo requests to individual internal/global IPs.  As a result after determining the IPv6 address of given users specific devices low traffic persistent network scans can undermine privacy by creating a map of when specific household members are at home, etc.

Either defaulting to filtering inbound ICMP6 echo requests on the WAN to anything other than the eero gateway node itself, or enabling an option for such filtering would solve this problem.

Should more advanced pinholes/ACL management be possible in the future for TCP and UDP ports this could then possibly be a part of that.  In the meantime preventing this information leakage would be helpful and not require much effort.

ICMP6 network floods can also be sent and instead of just occupying WAN bandwidth, consume in-home air time for radios, despite being unsolicited.  The nature of NAT for IPv4 users prevents both of these scenarios by default until IPv6 is enabled.

Reply Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
Vote2 Follow
  • 2 Votes
  • 6 mths agoLast active
  • 45Views
  • 1 Following

Need Help? We're here for you!

We're big on support, and we want to make sure you always have the best eero experience possible. Here are several resources you can use if you ever need our help!

Quick links

Community Guidelines

Help Center

Contact eero support