Netgate Discussion Forum
Making IPv6 clients pingable from outside world

Krellan, Sep 25, 2015, 9:53 AM

    I'm running pfSense 2.2.4.

    I seem to have IPv6 working (from Comcast); however, my IPv6 clients are not pingable from the outside world.

    What's the recommended firewall rule to enable this, and where should it be added?

    Also, it would be nice to have traceroute6 working from the outside world; is that covered under the same rule, or does it need another?

    Thanks!

    Josh

MikeV7896, Sep 25, 2015, 5:13 PM

      Add a rule on your WAN interface allowing IPv6 ICMP Echo request from * (or if you only want a specific address range, then specify that) to LAN Network (or whatever host(s)/network(s) you want to be ping-able from the internet).


Krellan, Sep 26, 2015, 8:42 AM (edited Sep 26, 2015, 8:46 AM)

        Thanks, it worked!

        Is there a similar rule that will work to fix incoming traceroute6?

        Outgoing traceroute6 already works fine.

        Josh

Derelict (Netgate), Sep 26, 2015, 8:52 AM

          ICMP is a lot more important to IPv6.  It relies on ICMPv6 for things like MTU discovery.

          Is there a generally-accepted subset of ICMPv6 types that should be allowed into a typical outside WAN IPv6 interface and passed to all inside IPv6 hosts?

          echo request, toobig?

          any?

          My gut would say destination unreachable, packet too big, time exceeded, parameter problem, and echo request.


doktornotor (Banned), Sep 26, 2015, 12:05 PM

            This is what's in default ruleset:

```pf
# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
pass in {$log['pass']} quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker {$increment_tracker($tracker)} keep state
```

            That said, just allow any and move on. This ICMP blocking madness does really nothing useful for security, just breaks things. Certainly much more with IPv6.

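The ICMPv6 subset Derelict lists, together with the echo-request rule from MikeV7896's reply, written out as pf rules for the WAN side so the two approaches in this thread can be compared. This is an added example, not from the thread or from pfSense's generated ruleset; the interface name, the LAN prefix and the traceroute6 port range are assumptions.

```pf
# Added example, not pfSense's own ruleset. Interface name and LAN prefix
# are assumptions (documentation prefix). In the pfSense GUI the "LAN net"
# macro tracks a delegated prefix; a fixed prefix is written here only
# for illustration.
wan     = "em0"
lan_net = "2001:db8:1:2::/64"

# Echo request (type 128): lets the internet ping6 inside hosts. The
# echo replies leave through the state this rule creates.
pass in quick on $wan inet6 proto ipv6-icmp from any to $lan_net \
    icmp6-type echoreq keep state

# The error messages IPv6 cannot do without: destination unreachable (1),
# packet too big (2, path MTU discovery), time exceeded (3) and parameter
# problem (4). pf already passes ICMPv6 errors that refer to an existing
# state entry, so this rule matters for errors that match no state.
pass in quick on $wan inet6 proto ipv6-icmp from any to $lan_net \
    icmp6-type { unreach, toobig, timex, paramprob } keep state

# Inbound traceroute6 is a separate problem: its probes arrive as UDP to
# the conventional high port range (or as echo requests with
# traceroute6 -I), and the time-exceeded / port-unreachable replies
# leave from the inside. The probes themselves need a rule; the ICMPv6
# rules above do not make an inside host traceable on their own.
pass in quick on $wan inet6 proto udp from any to $lan_net \
    port 33434:33534 keep state

# Neighbor discovery and router advertisements (types 133-136) are
# link-local and already covered by pfSense's default rules quoted above.

# The "just allow any" alternative from the thread, for comparison:
# pass in quick on $wan inet6 proto ipv6-icmp from any to $lan_net keep state
```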
Fehler21, Oct 6, 2015, 8:19 AM

              I do strongly disagree with you: https://en.wikipedia.org/wiki/ICMP_tunnel
              http://code.gerade.org/hans/

              You should think about every open port in your network carefully. (Yes, I allowed ICMP in my network, but only with a DPI filter.)

doktornotor (Banned), Oct 6, 2015, 8:21 AM

                @Fehler21:

                I do strongly disagree with you: https://en.wikipedia.org/wiki/ICMP_tunnel

                Yaaawn.

Fehler21, Oct 6, 2015, 8:30 AM

                  I have seen people using this, trying to circumvent our firewall.
                  And if someone asks a rather basic question a little bit more information should be provided than "ALLOW ALL".

                  Btw, why not allow all incoming traffic??? In a perfect world, the clients should be perfectly secured themselves, right ;). (All services should only listen on the local network addresses, etc.)

doktornotor (Banned), Oct 6, 2015, 8:32 AM

                    Well, enjoy breaking your IPv6 by blocking ICMP. Not really sure what to say.
