IPv6 incoming not working.



  • Hi

    New to IPv6. I have Telus internet. Recently got IPv6 working with my new pfSense box. I can use the IPv6 internet normally, browse to sites, ping things, but anything incoming seems to be blocked and I would like to allow ICMP incoming, as well as other hosted services.

    I am testing from a remote DigitalOcean box with IPv6 and Nmap for port scanning. Just using netcat to listen to ports, etc.

    Running pfSense 2.4.0.b.20161118.1539.

    Here are the test-ipv6.com results.

    https://i.imgur.com/icX93Ac.png

    Here are my firewall rules for WAN and LAN

    https://imgur.com/a/Q3js8

    As I test I used
    ```
    nc -6 -l 8088
    ```

    Here's an example

    ```
    [root@router ~]# tcpdump -i em4 port 8088
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on em4, link-type EN10MB (Ethernet), capture size 262144 bytes
    14:20:17.354647 IP6 [REDACTED TESTING BOX].49448 > [REDACTED OS X MACHINE].8088: Flags [s], seq 3266173327, win 1024, options [mss 1460], length 0
    14:20:18.355437 IP6 [REDACTED TESTING BOX].49449 > [REDACTED OS X MACHINE].8088: Flags [s], seq 3266107790, win 1024, options [mss 1460], length 0
    14:20:35.622367 IP6 [REDACTED TESTING BOX].39544 > [REDACTED OS X MACHINE].8088: Flags [s], seq 2563870279, win 1024, options [mss 1460], length 0
    14:20:36.622538 IP6 [REDACTED TESTING BOX].39545 > [REDACTED OS X MACHINE].8088: Flags [s], seq 2563804742, win 1024, options [mss 1460], length 0
    14:20:41.631231 IP6 [REDACTED TESTING BOX].51385 > [REDACTED OS X MACHINE].8088: Flags [s], seq 2305422004, win 1024, options [mss 1460], length 0
    14:20:42.631624 IP6 [REDACTED TESTING BOX].51386 > [REDACTED OS X MACHINE].8088: Flags [s], seq 2305356469, win 1024, options [mss 1460], length 0
    ```

    (Sorry for the somewhat abrupt and ad-hoc writeup of this, have a headache)

    Thanks



  • Hosting services to the internet works just as IPv4 but no NATting to a private space.
    You specify a LAN host with an IPv6 IP and open the WAN port for that destination.



  • @hda:

    Hosting services to the internet works just as IPv4 but no NATting to a private space.
    You specify a LAN host with an IPv6 IP and open the WAN port for that destination.

    I know, but first I'm trying to get ICMPv6 pings working, as a sanity test.


  • Uh huh, so you allow ICMPv6 only and are wondering why you cannot reach some port 8088 inside?



  • Put a rule in Floating anywhere anywhere (input/output) for ICMPv6


  • Floating or not won't matter, a rule for ICMPv6 won't ever match his internal machine listening on port 8088.

    @jtl:

    As I test I used
    ```
    nc -6 -l 8088
    ```


  • @hda:

    Put a rule in Floating anywhere anywhere (input/output) for ICMPv6

    Worked



  • @doktornotor:

    Floating or not won't matter, a rule for ICMPv6 won't ever match his internal machine listening on port 8088.

    @jtl:

    As I test I used
    ```
    nc -6 -l 8088
    ```

    I created another rule for port 8088 and that works. Here's a bit of a cluttered screenshot showing it. Left window is remote server, and right is netcat.

    https://i.imgur.com/xGUavMh.png

    Need to read up more on IPv6 sometime.
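
The two rules the thread ends up with, sketched in pf rule syntax as an added example (not posted by anyone in the thread; pfSense builds its ruleset from the GUI). The interface name and the LAN host address are constructed placeholders, and the ICMPv6 rule is scoped to echo plus error messages rather than the "anywhere anywhere" form suggested above.

```pf
# Added example. All values below are assumptions, not taken from the thread.
wan_if   = "em0"                   # assumed WAN interface name
lan_host = "2001:db8:1234:1::10"   # LAN host, documentation prefix (RFC 3849)

# ICMPv6 sanity test: an ICMPv6-only rule lets ping through but never matches
# TCP traffic. Echo request covers the ping; the error types keep path MTU
# discovery (toobig) and normal error reporting working.
pass in quick on $wan_if inet6 proto ipv6-icmp from any to any \
    icmp6-type { echoreq, unreach, toobig, timex, paramprob } keep state

# Hosted service: there is no NAT, so the destination is the LAN host's own
# global IPv6 address. Without this rule the inbound SYNs to port 8088 get
# no reply, which is what the repeated SYNs in the tcpdump capture show.
pass in quick on $wan_if inet6 proto tcp from any to $lan_host port 8088 \
    flags S/SA keep state
```

In the pfSense GUI the second rule corresponds to a WAN rule with address family IPv6, protocol TCP, the LAN host as destination, and 8088 as destination port.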