WAN IPv6 UDP traffic to fe80:/10 rule?
-
I was revisiting my IPv6 settings and came across a tutorial for pfSense and my provider KPN in the Netherlands. In the WAN firewall rules, I saw this section:
https://eigenrouter.nl/images/kpn/pfsense-ipv6/fwwan.png
I really don't understand what the UDP rule should do. Does anybody have a clue why this rule should be included?
Also: would you guys pass the echoreq (IPv4 or IPv6)? I know you need it to score a perfect 20/20 on https://ipv6-test.com, but is it really needed?
-
@haraldinho have no idea why they would set up a rule for fe80/10, also pfsense by default sets up hidden rules for all things needed for IPv6 to work..
# IPv6 ICMP is not auxiliary, it is required for operation
# See man icmp6(4)
# 1 unreach Destination unreachable
# 2 toobig Packet too big
# 128 echoreq Echo service request
# 129 echorep Echo service reply
# 133 routersol Router solicitation
# 134 routeradv Router advertisement
# 135 neighbrsol Neighbor solicitation
# 136 neighbradv Neighbor advertisement
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} ridentifier 1000000107 keep state
# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} ridentifier 1000000108 keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} ridentifier 1000000109 keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000110 keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000111 keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000112 keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000113 keep state
But there's nothing saying that some rando IPv6 address out on the public net needs to be able to ping you.. Allowing that would be up to you - say if you want to get a 20 on your test ;) They also want your IP to resolve for PTR if you want a 20, most of the time that would be out of the user's control..
edit:
I take it this is the 20/20 score you're shooting for ;) Since I am using HE for my IPv6, they allow for setting up PTRs - which allows for that hostname part of the test to work.. And if you allow ping on your pfsense to whatever IPv6 you're testing from behind pfsense, and it answers ping as well.. Some host firewalls might also block that. You should be rocking your 20/20
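To make the point about the hidden rules concrete, here is a small added Python model (not pfSense code, and not from either poster) that transcribes the seven quoted ICMPv6 rules and reports which one, if any, passes a given packet. It shows that neighbour discovery and "packet too big" are passed from anywhere, while an echo request from a public address matches none of them, so allowing pings from the internet needs an explicit WAN rule. Sample addresses use the documentation prefix 2001:db8::/32 and are constructed.

```python
import ipaddress
from typing import Optional

# The hidden ICMPv6 rules quoted above, transcribed as
# (direction, source net, destination net, allowed icmp6-types, ridentifier).
# All of them are "pass quick", so the first match wins.
# "from any" is modelled as ::/0 and pf's "from ::" as the unspecified address ::/128.
RULES = [
    ("any", "::/0",      "::/0",      {1, 2, 135, 136},          1000000107),
    ("out", "fe80::/10", "fe80::/10", {129, 133, 134, 135, 136}, 1000000108),
    ("out", "fe80::/10", "ff02::/16", {129, 133, 134, 135, 136}, 1000000109),
    ("in",  "fe80::/10", "fe80::/10", {128, 133, 134, 135, 136}, 1000000110),
    ("in",  "ff02::/16", "fe80::/10", {128, 133, 134, 135, 136}, 1000000111),
    ("in",  "fe80::/10", "ff02::/16", {128, 133, 134, 135, 136}, 1000000112),
    ("in",  "::/128",    "ff02::/16", {128, 133, 134, 135, 136}, 1000000113),
]


def matching_rule(direction: str, src: str, dst: str, icmp6_type: int) -> Optional[int]:
    """Return the ridentifier of the first quoted rule that passes the packet, or None.

    direction is "in" or "out" from the firewall's point of view; src and dst are
    IPv6 addresses as strings. None means none of these ICMPv6 rules apply, not
    that pf as a whole necessarily drops the packet.
    """
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for rule_dir, src_net, dst_net, types, rid in RULES:
        if rule_dir != "any" and rule_dir != direction:
            continue
        if s not in ipaddress.IPv6Network(src_net) or d not in ipaddress.IPv6Network(dst_net):
            continue
        if icmp6_type in types:
            return rid
    return None


if __name__ == "__main__":
    # Constructed inbound sample packets (2001:db8:1::1 plays the WAN address).
    samples = [
        ("in", "fe80::1",      "ff02::1",        134),  # router advertisement from a link-local neighbour
        ("in", "2001:db8::9",  "ff02::1:ff00:1", 135),  # neighbour solicitation, any source
        ("in", "2001:db8::9",  "2001:db8:1::1",  2),    # packet too big from anywhere on the internet
        ("in", "2001:db8::9",  "2001:db8:1::1",  128),  # echo request from a public host
    ]
    for pkt in samples:
        print(pkt, "->", matching_rule(*pkt) or "not passed by the hidden ICMPv6 rules")
```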