Netgate Discussion Forum

    IPv6 LAN to WAN Difficulties

      raw65

      I have a new related question now.  Testing at http://test-ipv6.com/ now gives me a 10/10 score.  However http://ipv6-test.com/ reports ICMP "Filtered".  I don't see anything in my config that should filter ICMP.  Is there something I can do to eliminate the filtering?

        Derelict LAYER 8 Netgate

        Apparently that site wants to be able to use ICMP to reach all the way to the host.  This is news to me that not being able to receive ICMP might be bad.

        I was able to get this site to report "Reachable" by changing my IPv6 ICMP Echo Request from any to WAN address.  Changed it to IPv6 ICMP any from any to any.

        Anyone know what ICMPv6 is safe to allow and what isn't?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          G.D. Wusser Esq.

          @Derelict:

          Anyone know what ICMPv6 is safe to allow and what isn't?

          There is no clear set of IPv6 security guidelines. A lot of security experts do not understand IPv6 themselves, and their advice is, ‘turn IPv6 off.’

          If you find a good article on ICMPv6 firewalling, please share with the rest of us.

          1 Reply Last reply Reply Quote 0
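
The question above about which ICMPv6 is safe to allow is the subject of RFC 4890, "Recommendations for Filtering ICMPv6 Messages in Firewalls". The following is an added example, not part of any post in this thread, that checks a list of pass rules against that RFC's section 4.3 categories for forwarded traffic. The rule representation and the `audit` helper are hypothetical, and the check reads only the rule list, not what a stateful firewall may pass through existing connection state.

```python
# Added example (not from the thread): audit a list of ICMPv6 pass rules
# against the transit-traffic categories of RFC 4890 section 4.3.
# A rule is (type, code); None in either slot is a wildcard.

MUST_PASS = {  # RFC 4890 4.3.1, "must not be dropped"
    (1, None): "Destination Unreachable",
    (2, None): "Packet Too Big",  # Path MTU Discovery depends on this one
    (3, 0): "Time Exceeded (hop limit exceeded in transit)",
    (4, 1): "Parameter Problem (unrecognized Next Header)",
    (4, 2): "Parameter Problem (unrecognized IPv6 option)",
    (128, None): "Echo Request",
    (129, None): "Echo Reply",
}
# RFC 4890 4.3.3: MLD (130-132, 143) and Neighbor Discovery (133-137) are
# link-local, so a router never forwards them and transit rules are moot.
LINK_LOCAL_ONLY = set(range(130, 138)) | {143}


def covers(rule, icmp_type, code):
    """True when one pass rule admits every packet of (icmp_type, code)."""
    r_type, r_code = rule
    type_ok = r_type is None or r_type == icmp_type
    # An "all codes" requirement (code None) needs a wildcard-code rule.
    code_ok = r_code is None or (code is not None and r_code == code)
    return type_ok and code_ok


def audit(rules):
    """Report what a transit ICMPv6 allow-list misses or over-admits."""
    missing = [name for (t, c), name in MUST_PASS.items()
               if not any(covers(r, t, c) for r in rules)]
    pointless = sorted(r[0] for r in rules if r[0] in LINK_LOCAL_ONLY)
    wildcard = any(r[0] is None for r in rules)
    return {"missing": missing, "link_local_only": pointless,
            "allows_any_type": wildcard}


# Constructed rule sets modelled on the two rules described in the thread.
ECHO_ONLY = [(128, None)]   # "IPv6 ICMP Echo Request"
ANY_ICMP = [(None, None)]   # "IPv6 ICMP any"
```

`audit(ECHO_ONLY)` lists six missing must-pass messages, Packet Too Big among them, while `audit(ANY_ICMP)` lists none but sets `allows_any_type`, which also admits the types RFC 4890 leaves to local policy.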
            kejianshi

            Yep - Allowing the ICMP hasn't caused me any issues.

            And it's required for GIF and for native IPv6 also.

            Your box can be pinged, but that's not the end of the world.

            I prefer GIF (tunnel broker) to what most ISPs are offering.

              bbunny

              I'm still having this problem.

              I do have the "IPv6 ICMP any from any to any" rule for WAN. Testing with http://ipv6-test.com/ it returns ICMP Filtered (Your router or firewall is filtering ICMPv6 messages sent to your computer. An IPv6 host that cannot receive ICMP messages may encounter problems like some web pages loading partially or not at all.)

              So… yeah any new options out there?

                MikeV7896

                Make sure your computer (or whatever device you're testing from) doesn't have a firewall that is filtering ICMPv6 as well. Windows Firewall does, by default, except from the LAN (at least in home/work networks; public might filter it in all cases).

                For example, I can run the test on my Windows PC and it will show filtered, but I can run it on my iPhone and it will pass.

                There is an advanced rule you can create to allow Windows Firewall to respond to ICMPv6. Steps are detailed in this Technet article. Note that instead of opening Group Policy Management Console, you would go to Control Panel > Windows Firewall > Advanced Settings. Also, this may not be available on non-professional versions of Windows (i.e. Home Premium).

                The S in IOT stands for Security

                  bbunny

                  It works. thx

                    Jackhold

                    Hey dudes, my turn to reboot this thread.
                    I need a little help.
                    I set up my pfSense so I get an IPv6 on my client, but I can't ping Google DNS. The setup is as follows:

                    I get an IP range from my ISP: 2001:878::xxx/64
                    I set up WAN as DHCP, delegation size 64
                    LAN as static 2001:878::1/64
                    and I set up "DHCPv6" router advertisements unmanaged
                    Allow IPv6 is checked
                    I have set up the default allow in the firewall as the only thing in there except the IPv4 default

                    I was thinking the problem is because I have IPv4 enabled and running, but that should be possible, right?? Having IPv6 and IPv4 on the same pfSense

                      MikeV7896

                      Usually if you're getting your prefix from your ISP via DHCP+PD, you wouldn't set the LAN as static. On the LAN interface you should select Track Interface, then under the IPv6 section, you should select WAN as the interface to track.

                      The WAN and LAN addresses should be from different address ranges, not the same subnet. So if your WAN is getting 2001:878::xxx, your LAN should not be using 2001:878::1.

                      IPv4 is not the problem. IPv4 and IPv6 can co-exist just fine.

                      The S in IOT stands for Security

                        Jackhold

                        I tried the Track Interface thing but it doesn't work.
                        I was thinking that it wouldn't work if you had the same subnets on both sides of pfSense, but then again it is IPv6.

                        Could it be something the ISP has to do?? An error in their setup??

                          hda

                          @Jackhold:

                          I was thinking that it wouldn't work if you had the same subnets on both sides of pfSense …

                          Right. So first your ISP should supply native IPv6, at least prefix /63 or lower size-value.
                          I think a /64 prefix won't work for creating a LAN.

                            Jackhold

                            I got a /64 network all to myself. The last 64 bits of an IPv6 address are for interfaces, so the way it should work is that pfSense just works as a firewall and doesn't route.. The IPv6 world is a NAT-free world :)

                              hda

                              @Jackhold:

                              I got a /64 network all to myself. The last 64 bits of an IPv6 address are for interfaces, so the way it should work is that pfSense just works as a firewall and doesn't route.. The IPv6 world is a NAT-free world :)

                              Well, WAN - LAN on pfSense needs routing. WAN subnetvalue is not equal to LAN subnetvalue.

                                Jackhold

                                @hda:

                                @Jackhold:

                                I got a /64 network all to myself. The last 64 bits of an IPv6 address are for interfaces, so the way it should work is that pfSense just works as a firewall and doesn't route.. The IPv6 world is a NAT-free world :)

                                Well, WAN - LAN on pfSense needs routing. WAN subnetvalue is not LAN subnetvalue.

                                The "routing", is that not what Track Interface is for??

                                  hda

                                  @Jackhold:

                                  The "routing", is that not what Track Interface is for??

                                  I think Track Interface is in case of renewal of WAN.

                                  Now, suppose you want more than one LAN routed & firewalled, what do you think is needed in such case ?

                                    Jackhold

                                    @hda:

                                    @Jackhold:

                                    The "routing", is that not what Track Interface is for??

                                    I think tracking is case renewal of WAN.

                                    Now, suppose you want more than one LAN routed & firewalled, what do you think is needed in such case ?

                                    I am not sure… The way I understand IPv6 is that every device gets an IPv6 address, and the way you limit the access from the WAN to your LAN and the other way is by firewall.

                                    But if you have a case where you have 1 WAN and 2 LAN interfaces (to lan1 and lan2) and you want to control what addresses go to lan1 and lan2, that would be done by some sort of static route, but I am not sure I..

                                      hda

                                      @Jackhold:

                                      I am not sure…

                                      But if you have a case where you have 1 WAN and 2 LAN interfaces (to lan1 and lan2) and you want to control what addresses go to lan1 and lan2, that would be done by some sort of static route, but I am not sure I..

                                      I recommend studying the IPv6 RFCs for how IPv6 is supposed to work, before activating pfSense-IPv6 parallel to IPv4.
                                      You want to be secure to control IPv6 streams by understanding what is going on, don't you?

                                      See also http://www.tcpipguide.com/free/t_IPv6GlobalUnicastAddressFormat-2.htm case subnetvalue. You are a site-administrator  :)

                                      Reference to my thread-reply #18

                                        Jackhold

                                        @hda:

                                        @Jackhold:

                                        I am not sure…

                                        But if you have a case where you have 1 WAN and 2 LAN interfaces (to lan1 and lan2) and you want to control what addresses go to lan1 and lan2, that would be done by some sort of static route, but I am not sure I..

                                        I recommend studying the IPv6 RFCs for how IPv6 is supposed to work, before activating pfSense-IPv6 parallel to IPv4.
                                        You want to be secure to control IPv6 streams by understanding what is going on, don't you?

                                        See also http://www.tcpipguide.com/free/t_IPv6GlobalUnicastAddressFormat-2.htm case subnetvalue. You are a site-administrator  :)

                                        Reference to my thread-reply #18

                                        That one is on me, I gave you the wrong addresses I got from my ISP; it is more like 2001:878:989::xxx/64. My ISP is only giving me the interface addresses to play with; the prefix and subnet are chosen for me, so what I get from my ISP is only one subnet. It might not be possible to do what I want to do… As you say, having the same subnet on the WAN as the LAN side should be a problem.. but I was hoping there was a way

                                          hda

                                          @Jackhold:

                                          .. but I was hoping there was a way

                                          There is.  :)  Demand at least a prefix /63 (or smaller like /62 or /60).

                                          That way pfSense-WAN can occupy subnet 'xxx0' and enable your pfSense-LAN to take subnet 'xxx1'. Then your LAN has address prefix 2001:878:989:xxx1::/64 so a host on that LAN can make a public (no NAT) /128 number by adding its 64-bit ID to that LAN-prefix.

                                          1 Reply Last reply Reply Quote 0
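
The subnet points made in the posts above (WAN and LAN must not share a /64, and a delegation of /63 or shorter yields one /64 per interface), worked through as an added example that is not part of any post. The function names are hypothetical, the addresses use the 2001:db8::/32 documentation prefix, and the MAC is constructed.

```python
import ipaddress


def same_subnet(wan_if, lan_if):
    """True when the WAN and LAN interface configs overlap (the broken case)."""
    wan = ipaddress.ip_interface(wan_if).network
    lan = ipaddress.ip_interface(lan_if).network
    return wan.overlaps(lan)


def split_delegation(prefix, names):
    """Hand out one /64 per interface name, in order, from a delegated prefix."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen > 64:
        raise ValueError("need an IPv6 prefix of /64 or shorter")
    subnets = net.subnets(new_prefix=64)
    plan = {}
    for name in names:
        try:
            plan[name] = next(subnets)
        except StopIteration:
            # A single /64 cannot serve two routed interfaces.
            raise ValueError(f"{prefix} has no /64 left for {name}") from None
    return plan


def eui64_address(subnet, mac):
    """Host address: the /64 prefix plus a modified EUI-64 interface ID."""
    b = bytearray(int(part, 16) for part in mac.split(":"))
    b[0] ^= 0x02                                   # flip universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return subnet[int.from_bytes(iid, "big")]


# Constructed values: a static LAN inside the WAN's own /64 overlaps, while a
# /63 delegation splits into subnet '...10' for WAN and '...11' for LAN.
BROKEN = same_subnet("2001:db8:0:10::abc/64", "2001:db8:0:10::1/64")
PLAN = split_delegation("2001:db8:0:10::/63", ["wan", "lan"])
HOST = eui64_address(PLAN["lan"], "00:11:22:33:44:55")
```

Calling `split_delegation` with a /64 and two interface names raises `ValueError`, which is the situation described earlier in the thread.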
                                            Jackhold

                                            @hda:

                                            There is.  :)  Demand at least a prefix /63 (or smaller like /62 or /60).

                                            That way pfSense-WAN can occupy subnet 'xxx0' and enable your pfSense-LAN to take subnet 'xxx1'. Then your LAN has address prefix 2001:878:989:xxx1::/64 so a host on that LAN can make a public (no NAT) /128 number by adding its 64-bit ID to that LAN-prefix.

                                            I tried that and it just doesn't do what it should… I can ping Google from the WAN and localhost on pfSense, but anything on the other side of pfSense just doesn't work.... Whatever is wrong is beyond me

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.