ICMPv6 firewall rules for interfaces
-
Greetings.
The Netgate page on firewall rules states that
traffic need only be permitted on the interface where it enters the firewall
So, in my ipv6 interfaces I have a rule allowing icmpv6 traffic from interface subnets to the firewall (self): source interface subnets, destination this firewall.
Do I need a rule somewhere to pass icmpv6 traffic from the firewall (self) to interface subnets?
I am asking because I get some funky ipv6 behaviour with slaac (failing routers etc.), and I have started to wonder whether my firewall rules are to blame.
While I am at it, two additional quick questions just in case someone would know:
- Is there an online list of all hidden firewall rules?
- Can someone recommend a good book on ipv6? There is too much trial and error and too little understanding in my attempts.
-
@jarmo said in ICMPv6 firewall rules for interfaces:
Do I need a rule somewhere to pass icmpv6 traffic from the firewall (self) to interface subnets?
No, the firewall can reach any destination ootb, no rules needed.
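For concreteness, here is the interface rule from the question written out in pf syntax, together with the point just made about traffic the firewall itself originates. This is an added example, not from the thread or from pfSense's generated ruleset; the interface name lan and the 2001:db8:1::/64 prefix are assumptions.

```pf
# Added example (not from the thread or from pfSense's generated ruleset).
# Assumptions: the LAN interface is "lan" and its prefix is 2001:db8:1::/64
# (documentation prefix); substitute the real device name and subnet.

# The rule from the question, narrowed to ICMPv6 Echo Request (type 128):
# LAN hosts may ping the firewall itself; no other ICMPv6 from them reaches (self).
# The Echo Reply travels back on the state this rule creates, so no reverse rule
# for firewall-to-subnet traffic is written by hand.
pass in quick on lan inet6 proto ipv6-icmp from 2001:db8:1::/64 to (self) icmp6-type echoreq keep state

# Traffic the firewall originates itself (its own pings, Router Advertisements,
# DHCPv6 replies) is not subject to the per-interface rules above; it is passed
# by the automatically generated rules, which is why no "pass out from (self)"
# rule is needed. To confirm what is actually loaded, read /tmp/rules.debug
# or run: pfctl -sr | grep ipv6-icmp
```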
-
@jarmo said in ICMPv6 firewall rules for interfaces:
So, in my ipv6 interfaces I have a rule allowing icmpv6 traffic from interface subnets to the firewall (self): source interface subnets, destination this firewall
That is all you need, you could even narrow it down to just the Echo Request ICMP type, allow your subnet clients to ping the firewall.
I am asking because I get some funky ipv6 behaviour with slaac (failing routers etc.), and I have started to wonder whether my firewall rules are to blame.
No additional rules are needed. I'm not sure if the rules get added when you enable the Router Advertisement service or if they are always enabled; works for me out of the box.
Is there an online list of all hidden firewall rules?
The running ruleset is in /tmp/rules.debug on the pfSense.
Can someone recommend a good book on ipv6?
I did like IPv6 Essentials: Integrating IPv6 into Your IPv4 Network,
https://www.goodreads.com/book/show/23966976-ipv6-essentials
-
@Bob.Dig said in ICMPv6 firewall rules for interfaces:
@jarmo said in ICMPv6 firewall rules for interfaces:
Do I need a rule somewhere to pass icmpv6 traffic from the firewall (self) to interface subnets?
No, the firewall can reach any destination ootb, no rules needed.
Thanks!
@patient0 said in ICMPv6 firewall rules for interfaces:
@jarmo said in ICMPv6 firewall rules for interfaces:
So, in my ipv6 interfaces I have a rule allowing icmpv6 traffic from interface subnets to the firewall (self): source interface subnets, destination this firewall
That is all you need, you could even narrow it down to just the Echo Request ICMP type, allow your subnet clients to ping the firewall.
I am asking because I get some funky ipv6 behaviour with slaac (failing routers etc.), and I have started to wonder whether my firewall rules are to blame.
No additional rules are needed. I'm not sure if the rules get added when you enable the Router Advertisement service or if they are always enabled; works for me out of the box.
Is there an online list of all hidden firewall rules?
The running ruleset is in /tmp/rules.debug on the pfSense.
Can someone recommend a good book on ipv6?
I did like IPv6 Essentials: Integrating IPv6 into Your IPv4 Network,
https://www.goodreads.com/book/show/23966976-ipv6-essentials
Thanks for the confirmation. The book looks promising, I will order a copy and check it out.
Can't upvote your replies, not enough rep yet.
(So... my problem is not in firewall rules. I do see that my ISP seems to change the prefix quite often. In any case, for some reason dhcpv6 seems to be able to cope with my setup, while slaac attempts have resulted only in ipv6 loss after some connection time.)
-
@jarmo pfSense and dynamic IPv6 don't go too well together, sad but true. Other routers (for example Fritz Box) can do a much better job out of the box.