IPv6 incoming not working.

jtl · Dec 10, 2016, 10:05 PM

Hi

New to IPv6. I have Telus internet. Recently got IPv6 working with my new pfSense box. I can use the IPv6 internet normally, browse to sites, ping things, but anything incoming seems to be blocked and I would like to allow ICMP incoming, as well as other hosted services.

I am testing from a remote DigitalOcean box with IPv6 and Nmap for port scanning. Just using netcat to listen to ports, etc.

Running pfSense 2.4.0.b.20161118.1539.

Here is test-ipv6.com results.

https://i.imgur.com/icX93Ac.png

Here are my firewall rules for WAN and LAN

https://imgur.com/a/Q3js8

As I test I used```
nc -6 -l 8088


Here's an example

[root@router ~]# tcpdump -i em4 port 8088
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em4, link-type EN10MB (Ethernet), capture size 262144 bytes
14:20:17.354647 IP6 [REDACTED TESTING BOX].49448 > [REDACTED OS X MACHINE].8088: Flags [s], seq 3266173327, win 1024, options [mss 1460], length 0
14:20:18.355437 IP6 [REDACTED TESTING BOX].49449 > [REDACTED OS X MACHINE].8088: Flags [s], seq 3266107790, win 1024, options [mss 1460], length 0
14:20:35.622367 IP6 [REDACTED TESTING BOX].39544 > [REDACTED OS X MACHINE].8088: Flags [s], seq 2563870279, win 1024, options [mss 1460], length 0
14:20:36.622538 IP6 [REDACTED TESTING BOX].39545 > [REDACTED OS X MACHINE].8088: Flags [s], seq 2563804742, win 1024, options [mss 1460], length 0
14:20:41.631231 IP6 [REDACTED TESTING BOX].51385 > [REDACTED OS X MACHINE].8088: Flags [s], seq 2305422004, win 1024, options [mss 1460], length 0
14:20:42.631624 IP6 [REDACTED TESTING BOX].51386 > [REDACTED OS X MACHINE].8088: Flags [s], seq 2305356469, win 1024, options [mss 1460], length 0

(Sorry for the somewhat abrupt and ad-hoc writeup of this, have a headache)

Thanks[/s][/s][/s][/s][/s][/s]

hda · Dec 10, 2016, 10:11 PM

Hosting services to the internet works just as IPv4 but no NATting to a private space.
You specify a LAN host with an IPv6 IP and open the WAN port for that destination.

jtl · Dec 10, 2016, 10:19 PM

@hda:

Hosting services to the internet works just as IPv4 but no NATting to a private space.
You specify a LAN host with an IPv6 IP and open the WAN port for that destination.

I know, but first I'm trying to get ICMPv6 pings working, as a sanity test.

doktornotor · Dec 10, 2016, 10:22 PM

Uh huh, so you allow ICMPv6 only and are wondering why you cannot reach some port 8088 inside?

hda · Dec 10, 2016, 10:23 PM

Put a rule in Floating anywhere anywhere (input/output) for ICMPv6

doktornotor · Dec 10, 2016, 10:26 PM

Floating or not won't matter, a rule for ICMPv6 won't ever match his internal machine listening on port 8088.

@jtl:

As I test I used```
nc -6 -l 8088

jtl · Dec 10, 2016, 10:31 PM

@hda:

Put a rule in Floating anywhere anywhere (input/output) for ICMPv6

Worked

jtl · Dec 10, 2016, 10:32 PM

@doktornotor:

Floating or not won't matter, a rule for ICMPv6 won't ever match his internal machine listening on port 8088.

@jtl:
As I test I used```
nc -6 -l 8088

I created another rule for port 8088 and that works. Here's a bit of a cluttered screenshot showing it. Left window is remote server, and right is netcat.

https://i.imgur.com/xGUavMh.png

Need to read up more on IPv6 sometime.