ICMPv6 not working ipv6-test.com



  • I have just set up a new box and cannot get ICMPv6 fully working without enabling the "default allow lan ipv6 to any".
    I currently have in place the following, which do not work by themselves:

    LAN IPv6 ICMP Any subtype / any source / any destination
    WAN IPv6 ICMP Any subtype / any source / any destination (have also tried LAN net, which also works fine when the default LAN rule is enabled)

    What I say by "fully" working is for it to show up on ipv6-test.com. Right now, with the current rules, I just get a "not tested."
    If I enable the default LAN IPv6 rule, it works without an issue.

    Is there something the default rule allows that I'm somehow missing? I can ping, access IPv6 sites just fine and the rest of ipv6-test.com shows working. Any help is appreciated.



  • Hi,

    This is the one I have on WAN :

    [image]

    Rule number 4 is the typical : IPv6 ICMP accept all rule.

    Nothing special on the LAN interface :

    [image]

    This gives me a :

    [image]



  • That test just needs ICMPv6 Echo Requests to be passed. Any other critical ICMPv6 packets (which I personally don’t consider Ping to be among) are already allowed behind-the-scenes by pfSense.

    Allowing all ICMPv6 could actually pose a security threat because of some of its uses within a network as far as neighbor discovery and whatnot.



  • @virgiliomi said in ICMPv6 not working ipv6-test.com:

    That test just needs ICMPv6 Echo Requests to be passed

    Thanks - Changed "ICMPv6 Echo any" for "ICMPv6 Echo Requests" - http://ipv6-test.com/ is still happy.



  • @virgiliomi

    Right, which is the ultimate goal. However, if I can’t get it working with allowing all ICMPv6, how is it going to work with just that? Again, I have to actually allow all lan to wan ipv6 for it to fully work. Does the built in bogon rule cause this by chance? That and the private networks rule are the only other ones in place.



  • If I'm reading things correctly, according to your first post, the only thing you're allowing out from LAN IPv6-wise is ICMP. I'm assuming that based on the fact that you've disabled the default ANY/ANY rule, and the only rule mentioned is IPv6 ICMP.

    The IPv6 test site tests a number of things, including accessing HTTP/S via IPv6, IPv6 DNS resolution, and ICMP, among other things. If you're only allowing ICMP through, that's why IPv6 isn't being tested for you. You do need to also allow at a minimum ANY IPv6 TCP, so that the HTTP/S components can load, which will also give the site your IPv6 address so it can try to ping you (and thus pass the ICMP test).

    If I'm not understanding things right, please post a screenshot of the test site (with addresses appropriately obscured) along with a screenshot of your LAN firewall rules.

    You can make your WAN rule to only allow incoming IPv6 ICMP Echo Request... the Echo Reply on LAN is already covered by your "All ICMP" rule.
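
The rule logic discussed in the posts above, as an added Python model that is not from any participant or from pfSense. It assumes first-match pass rules with default deny and ignores state tracking; `Rule`, `Packet`, `passes` and `evaluate` are hypothetical names, and the packets are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional

ECHO_REQUEST, REDIRECT = 128, 137   # ICMPv6 type numbers

@dataclass(frozen=True)
class Rule:                          # hypothetical pass rule (default is deny)
    iface: str                       # interface the packet arrives on
    proto: str                       # "icmp6", "tcp" or "any"
    icmp6_type: Optional[int] = None # None means any subtype

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    icmp6_type: Optional[int] = None

def passes(rules, pkt):
    """True if some pass rule on the arrival interface matches the packet."""
    for r in rules:
        if r.iface != pkt.iface or r.proto not in ("any", pkt.proto):
            continue
        if r.icmp6_type is None or r.icmp6_type == pkt.icmp6_type:
            return True
    return False

# Constructed sample traffic, following the sequence described in the thread.
PAGE_LOAD = Packet("lan", "tcp")                  # browser loads the test over HTTP/S
SITE_PING = Packet("wan", "icmp6", ECHO_REQUEST)  # site pings the address it saw
STRAY_REDIRECT = Packet("wan", "icmp6", REDIRECT) # subtype the test never needs

def evaluate(rules):
    page = passes(rules, PAGE_LOAD)
    if not page:
        icmp = "not tested"          # site never learns the client's address
    else:
        icmp = "pass" if passes(rules, SITE_PING) else "fail"
    return {"page_loads": page, "icmp_test": icmp,
            "redirect_admitted": passes(rules, STRAY_REDIRECT)}

ICMP_ONLY = [Rule("lan", "icmp6"), Rule("wan", "icmp6")]          # first post
NARROWED = [Rule("lan", "icmp6"), Rule("lan", "tcp"),
            Rule("wan", "icmp6", ECHO_REQUEST)]                   # suggested fix

if __name__ == "__main__":
    for name, rules in (("ICMP only", ICMP_ONLY), ("narrowed", NARROWED)):
        print(name, evaluate(rules))
```

With the ICMP-only rules the page never loads, so the ICMP result stays "not tested"; the narrowed set passes the test while no longer admitting other ICMPv6 subtypes on WAN.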



  • @virgiliomi

    I’ll do that as soon as I get the chance, as I’ve done a poor job in explaining what I’ve already done/tried. Sorry about that.



  • All you need for the test to work is echo-request. However, ipv6-test.com is very unreliable, due to their ISP and/or server host. Sometimes it works properly for months, then becomes unreliable for months. Lately for me, ipv6-test.com fails completely almost all of the time (i.e., all ipv6 tests fail). (I know my ipv6 is working, because test-ipv6.com reports 10/10. test-ipv6.com isn't quite as thorough, but it practically always works and if it doesn't, the guy who runs it actually reads and replies to any emails you send him.) On rare occasions ipv6-test.com mostly works, except for icmpv6. In this case, running the speed test and ping test, the problem seems to be with their server in Roubaix, France. I think that's the main server where the general tests are hosted. I've tried emailing them about this, but they don't ever reply. If you are having continual problems, send them an email including your ipv6 address. Maybe they will do something if enough people complain.



  • @bimmerdriver : Interesting.
    I'm using both tests rather often. My ISP (in France) doesn't know what IPv6 is yet. Not a big deal, as I'm using he.net.
    I guess my ISP (Orange) has a direct POP to OVH ^^
    Both ipv6-test.com and test-ipv6.com are "full green" for me.



  • @gertjan Lately for me, since the past month or so, ipv6-test.com has gone into an unreliable phase. I have three systems connected through my isp, two pfsense, one another and all three are having the same problem. When I use a vpn, it works. I posted about this here a long time ago and I believe the problem seemed to be in OVH's network. I think I found that using trace route.

    test-ipv6.com is rock solid almost 100% of the time. Once it wasn't working, due to a routing issue and when I contacted the guy who runs the site, he was helpful, unlike the people who run ipv6-test.com. Too bad...



  • Another difference between the two sites... test-ipv6.com has actually worked with a number of companies around the world to have mirrors of the test site (as opposed to just providing a speed test, like the other site). It will usually redirect to a mirror automatically if it's able to determine where you're coming from. For example, it will always redirect me to a Comcast server since that's my ISP.

    See http://test-ipv6.com/mirrors.html.en_US for more info on the mirrors available.

    I'm also not fond of ipv6-test.com because in order to get a perfect score, they want you to have a reverse DNS entry (aside from having ping reply). Nearly every ISP that supports IPv6 doesn't have reverse DNS available for their IPv6 blocks, and I don't think I'd ever expect them to have it available, given the volume of addresses. But reverse DNS has absolutely no bearing on IPv6 working or not.



  • @virgiliomi said in ICMPv6 not working ipv6-test.com:

    Nearly every ISP that supports IPv6 doesn't have reverse DNS available for their IPv6 blocks, and I don't think I'd ever expect them to have it available, given the volume of addresses.

    There's a bit more to it than that. While those addresses may be part of the ISP block, what host names would be used? I have my own domain, which has nothing to do with my ISP. It's the customer who controls domain and host names, not the ISP.



  • @jknott My ISP, Telus, uses auto-generated hostnames. The ipv4 address is d<XXX-XXX-XXX-XXX>.bchsia.telus.net, where XXX-XXX-XXX-XXX is the ipv4 address. The ipv6 address is node-<X...X>.ipv6.telus.net, where X...X is a random looking sequence of alpha-numeric characters, maybe a hash of the ipv6 address. So it's possible for an ISP to generate both hostnames.



  • @bimmerdriver

    I also have host names on the WAN interface from Rogers. However, they do not assign host names to addresses within my /56 prefix, as they have no way of knowing what names I give to them. I have my own domain where I select the host names. Also, with privacy addresses, even if you assign a host name to a device, outgoing connections could use virtually any of 18.4 billion, billion addresses within the /64. There's no way you can map a host name to all those addresses.



  • There are conditions where host names are needed. They should resolve using the reverse DNS test.

    Using IPv6 while visiting a web site is one thing, sending mails is another. With "sending mails" I do not mean the deposit of a mail using web mail or a fat client such as Office Outlook at our mail server, but the real sending : from "my" mail server to the other one, the "destination".
    To name just one : Google mail (gmail) uses IPv6 by default. So does my mail server. The reverse of my IPv6 (mail server) had better point to my host name, or else : game over.

    Btw : I manage my own domain names using bind on a master DNS server and couple of slave DNS.
    My IPv6 ISP is "he.net", they offer reverse DNS delegation.

    [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host mail.test-domaine.fr
    mail.test-domaine.fr has address 5.196.43.182
    mail.test-domaine.fr has IPv6 address 2001:41d0:2:927b::15
    [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host 2001:41d0:2:927b::15
    5.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.7.2.9.2.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa domain name pointer mail.test-domaine.fr.
    


  • @jknott I would be very surprised if any ISP would assign host names, autogenerated or otherwise, to ipv6 addresses if it could not be done uniquely.

    In the case of Telus, the unique part consists of 24 alphanumeric characters using 0...9 and a...z. I suspect they are using a secure hash algorithm to generate it. Algorithms like this are the foundation of cryptography and they are used heavily in cryptocoins.



  • @bimmerdriver said in ICMPv6 not working ipv6-test.com:

    In the case of Telus, the unique part consists of 24 alphanumeric characters using 0...9 and a...z.

    On Rogers, the IPv4 host name is based on the cable modem MAC address and WAN MAC and ends with .cpe.net.cable.rogers.com. On IPv6, it's based on the cable modem MAC and the LAN MAC and ends with .cpe.net6.cable.rogers.com. I have absolutely no idea why the LAN MAC is used.