Incoming v6 traceroutes are blocked at pfsense box.
-
I have a working native v6 setup (pfsense v2.2.6). I'm not a stranger to firewall rules with v6.
I've enabled ICMPv6 (any) to pass through pfsense so I can ping any of my v6 computers on my LAN from the outside internet.
When I do a traceroute6 from inside my LAN, pfsense is the first hop. This is normal.
When I do a traceroute6 from the internet, to a v6 address inside my LAN, the last hop it shows is the hop before my pfsense box. The pfsense box and the target v6 address don't show up.
I'm at a loss here. What am I missing?
-
For future reference, Windows uses ICMP, but Unix based systems default to UDP.
So unblocking ports 33434 to 33534 over UDP is the answer.
-
If I recall, the formula is something like
33434 + (max-ttl * numberofprobes - 1)
since each probe is going to use a different port, where 33434 is the base port. So for example, doing a sniff while doing a traceroute to something behind pfsense I get the attached. So yeah, opening up the ports should allow your trace to work when using UDP.
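Added example, not from the thread or from pfSense: a small Python model of why the last two hops vanish. It applies the port formula quoted above (assuming the usual traceroute defaults of max-ttl 30 and 3 probes per hop, and one port increment per probe, which is how the poster described it) and then runs a constructed inbound-rule set (ICMPv6-only versus ICMPv6 plus UDP 33434-33534) against a constructed four-hop path whose third hop is the firewall. Hop and rule names are hypothetical.

```python
BASE_PORT = 33434  # default first UDP destination port for Unix traceroute/traceroute6


def probe_port_range(max_ttl=30, nprobes=3):
    """Lowest and highest UDP destination port a traceroute run can use,
    following the formula from the thread: base + max_ttl * nprobes - 1.
    Defaults (30 hops, 3 probes) are assumed typical values, not from the page."""
    return BASE_PORT, BASE_PORT + max_ttl * nprobes - 1


def probe_port(ttl, probe, nprobes=3):
    """Destination port of probe number `probe` (0-based) sent with hop limit `ttl`,
    assuming the port increments once per probe."""
    return BASE_PORT + (ttl - 1) * nprobes + probe


def rule_passes(rules, proto, dport):
    """Return True if any pass rule matches the protocol and destination port.
    A rule's 'ports' of None means 'any port' (as with an ICMPv6-any rule)."""
    for rule in rules:
        if rule["proto"] != proto:
            continue
        if rule["ports"] is None:
            return True
        lo, hi = rule["ports"]
        if lo <= dport <= hi:
            return True
    return False


def simulate_traceroute(rules, proto, path, firewall_index, nprobes=3):
    """Which hop names a traceroute would display for `path`.

    Hops before `firewall_index` are upstream routers that answer freely.
    The firewall itself and everything behind it only answer if the probe
    would have been passed by `rules` on the WAN side; otherwise the probe is
    silently dropped and the hop shows as '*', exactly the symptom in the post.
    """
    shown = []
    for ttl in range(1, len(path) + 1):
        dport = probe_port(ttl, 0, nprobes)
        if ttl - 1 < firewall_index or rule_passes(rules, proto, dport):
            shown.append(path[ttl - 1])
        else:
            shown.append("*")
    return shown


# Constructed data: an internet path ending at a LAN host behind the firewall.
PATH = ["isp-hop-1", "isp-hop-2", "pfsense-wan", "lan-host"]
FIREWALL_INDEX = 2

# Constructed rule sets mirroring the thread: ICMPv6-any only, then with UDP opened.
ICMP_ONLY = [{"proto": "icmpv6", "ports": None}]
WITH_UDP = ICMP_ONLY + [{"proto": "udp", "ports": (33434, 33534)}]

if __name__ == "__main__":
    print("probe port range:", probe_port_range())
    print("unix traceroute6, icmpv6 only :", simulate_traceroute(ICMP_ONLY, "udp", PATH, FIREWALL_INDEX))
    print("unix traceroute6, udp opened  :", simulate_traceroute(WITH_UDP, "udp", PATH, FIREWALL_INDEX))
    print("windows tracert (icmpv6 echo) :", simulate_traceroute(ICMP_ONLY, "icmpv6", PATH, FIREWALL_INDEX))
```

The model also shows the edge the formula implies: with 3 probes per hop, a run that goes past 33 hops needs ports above 33534, so a range sized for the default max-ttl of 30 (33434 to 33523) fits comfortably inside the 33434-33534 range suggested earlier, but a longer trace would not.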