Outbound ping blocked
-
Hello,
I noticed this morning that my IPv6 gateway is marked as down. In the gateway setup I use Cloudflare DNS as the monitoring address. I see in the firewall log many of the following entries:
It seems that the ICMPv6 pings to the monitor address are blocked by the firewall. This seems strange because I do not need any rules to make ping work for IPv4. Can anyone tell from this little information what is going on? I am using pfSense CE 2.8.0.
Thank you.
-
@revengineer I can tell you that is not blocked by default. There are specific rules to allow IPv6 to work. There are also rules to allow traffic from pfSense itself to go anywhere it wants.
# IPv6 ICMP is not auxiliary, it is required for operation
# See man icmp6(4)
# 1    unreach      Destination unreachable
# 2    toobig       Packet too big
# 128  echoreq      Echo service request
# 129  echorep      Echo service reply
# 133  routersol    Router solicitation
# 134  routeradv    Router advertisement
# 135  neighbrsol   Neighbor solicitation
# 136  neighbradv   Neighbor advertisement
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} ridentifier 1000000107 keep state
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out inet all keep state allow-opts ridentifier 1000015165 label "let out anything IPv4 from firewall host itself"
pass out inet6 all keep state allow-opts ridentifier 1000015166 label "let out anything IPv6 from firewall host itself"
So you have a rule on your floating tab for outbound that blocks ICMP from an address that is not pfSense's own address? You hid the source IP; is that the pfSense IP? Out of the box there are no floating rules. So since that is an outbound rule (the little arrow), it must be a rule you created? Or maybe you unchecked "allow IPv6" in advanced, which creates specific block rules?
-
@revengineer the reply would be allowed by the open state. What’s the right column?
https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html
-
@johnpoz I checked the WAN and Floating rules and they are all for IPv4; there are no IPv6 rules.
I have rebooted the firewall and the problem went away. The gateway shows green/online in the dashboard, and the block errors in the firewall log stopped showing. I have changed nothing else so perhaps it is not rule related?
I can report that this has occurred to me multiple times since upgrading to v2.8.0. That is, the IPv6 gateway will sometimes show red upon booting, and a reboot fixes the problem and makes it green again. It will then stay green until the next reboot.
Perhaps 2.8.1 will magically fix the issue, but I will want to wait until this version goes from beta to stable before I test this.
-
@SteveITS Not sure what you mean. The image above shows the right column as "ICMPv6", and per the web page you linked this column is labeled "Protocol".
I should have stated before that the source IPv6 address, which I obscured, is that of my pfSense box.
-
@revengineer What specific rule blocked it? If you move your mouse over the X it will give you the rid, or if you click the X you will get more info.
Or if in the log settings you tell it to show the rule as a column, it will tell you which rule blocked. For example, on that block it is my scan deny rule.
It is quite possible you got blocked by this rule, because you had no valid IPv6 address?
block out inet6 all ridentifier 1000000106 label "Default deny rule IPv6"
But we need to see the details of which specific rule is blocking your traffic to help figure out what is going on.
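As an added example, not part of this thread or of pfSense itself: the tracker ID johnpoz calls the "rid" is also the fourth field of every raw filter log line, so when the GUI log has already rolled over you can do the same lookup from the rotated filter.log.* files. The script below parses lines in the filterlog CSV layout Netgate documents, keeps only blocks of ICMPv6 from a given source, and joins each tracker to the `ridentifier` / `label` of the matching rule in the generated ruleset (on pfSense that is /tmp/rules.debug; the rule lines used here are the ones quoted above). The log lines, the `vtnet0` interface name, the 2001:db8: source address and the 1770000001 tracker are all constructed for the example.

```python
"""Join pfSense filter log blocks to the rule that caused them.

Log layout: rule-number,sub-rule,anchor,tracker,interface,reason,action,
direction,ip-version, then per-IP-version fields, length, src, dst, and
protocol-specific fields we do not need here (pfSense filterlog format).
"""
import re
from collections import Counter

# Constructed ruleset excerpt in the syntax of the rules quoted in the
# thread. The ridentifier values and labels are the quoted ones.
RULESET = r'''
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} ridentifier 1000000107 keep state
block out inet6 all ridentifier 1000000106 label "Default deny rule IPv6"
pass out inet all keep state allow-opts ridentifier 1000015165 label "let out anything IPv4 from firewall host itself"
pass out inet6 all keep state allow-opts ridentifier 1000015166 label "let out anything IPv6 from firewall host itself"
'''

# Constructed log lines (assumed interface vtnet0, documentation-prefix
# addresses, Cloudflare's 2606:4700:4700::1111 as the monitor IP, and a
# made-up tracker 1770000001 that is deliberately absent from RULESET).
FILTER_LOG = r'''
Jun  5 07:41:02 pfSense filterlog[41233]: 5,,,1000000106,vtnet0,match,block,out,6,0x00,0x00000,64,ICMPv6,58,64,2001:db8:1::2,2606:4700:4700::1111,request,59834,1
Jun  5 07:41:03 pfSense filterlog[41233]: 5,,,1000000106,vtnet0,match,block,out,6,0x00,0x00000,64,ICMPv6,58,64,2001:db8:1::2,2606:4700:4700::1111,request,59834,2
Jun  5 07:41:03 pfSense filterlog[41233]: 9,,,1770000001,vtnet0,match,block,in,4,0x0,,53,12345,0,none,6,tcp,60,203.0.113.7,198.51.100.2,51234,22,0,S,123456789,,65535,,mss
Jun  5 07:41:04 pfSense filterlog[41233]: 5,,,1000000106,vtnet0,match,block,out,6,0x00,0x00000,64,ICMPv6,58,64,2001:db8:1::2,2606:4700:4700::1111,request,59834,3
'''

RID_RE = re.compile(r'ridentifier (\d+)')
LABEL_RE = re.compile(r'label "([^"]*)"')


def parse_ruleset(text):
    """Map tracker ID -> label (or the whole rule when it has no label)."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        m = RID_RE.search(line)
        if not line or line.startswith('#') or not m:
            continue
        lab = LABEL_RE.search(line)
        rules[int(m.group(1))] = lab.group(1) if lab else line
    return rules


def parse_filterlog_line(line):
    """Return the fields we need from one filterlog line, or None."""
    i = line.find('filterlog[')
    if i < 0:
        return None
    f = line[line.index(':', i) + 1:].strip().split(',')
    if len(f) < 9:
        return None
    rec = {'tracker': int(f[3]) if f[3] else None, 'iface': f[4],
           'action': f[6], 'dir': f[7], 'ipver': f[8]}
    if rec['ipver'] == '6' and len(f) >= 17:
        # class, flow-label, hop-limit, protocol-text, protocol-id, length, src, dst
        rec['proto'], rec['src'], rec['dst'] = f[12], f[15], f[16]
    elif rec['ipver'] == '4' and len(f) >= 20:
        # tos, ecn, ttl, id, offset, flags, protocol-id, protocol-text, length, src, dst
        rec['proto'], rec['src'], rec['dst'] = f[16], f[18], f[19]
    else:
        return None
    return rec


def blocked_by_rule(log_text, ruleset_text, src=None, proto='ICMPv6'):
    """Count blocks per tracker, optionally filtered by source and protocol.

    Returns [(tracker, label, count), ...] with the most frequent first;
    trackers missing from the ruleset are flagged rather than dropped.
    """
    rules = parse_ruleset(ruleset_text)
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog_line(line)
        if rec is None or rec['action'] != 'block':
            continue
        if proto and rec['proto'] != proto:
            continue
        if src and rec['src'] != src:
            continue
        hits[rec['tracker']] += 1
    return [(rid, rules.get(rid, '(tracker not in ruleset)'), n)
            for rid, n in hits.most_common()]


if __name__ == '__main__':
    # Restrict to blocks whose source is the firewall's own WAN address.
    for rid, label, n in blocked_by_rule(FILTER_LOG, RULESET, src='2001:db8:1::2'):
        print(f'{n:4d}  rid {rid}  {label}')
```

Run it against the real files with the source set to the WAN IPv6 address and the ruleset read from /tmp/rules.debug. If every hit resolves to the "Default deny rule IPv6" tracker even though the source is the firewall's own address, the "let out anything IPv6 from firewall host itself" rule did not match, which is the situation johnpoz is asking about; a tracker that resolves to a floating or WAN rule points at a rule you created instead.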
-
@revengineer Yeah my bad, sorry. Hadn't had much coffee yet yesterday.
@revengineer said in Outbound ping blocked:
rebooted the firewall and the problem went away
Did your WAN IPv6 address change at that point?
-
@johnpoz Thank you for the tips on how to find the associated blocking rule. Unfortunately, there have been so many blocks that all my filter.log.* files only go back several hours, not to yesterday morning. So I will have to wait until the problem reoccurs. I may need the weekend to play with this.
@SteveITS The next time this occurs, I will check for a change of the IPv6 address. I believe that I checked the last four characters and there was no change. But this is preliminary and I certainly did not check the entire address.
I will post back here when I have an update. In the meantime, I appreciate the troubleshooting tips described above.